200-301 CCNA Exam Guide

Telegram Channel : @IRFaraExam

ImplementingandAdministeringCiscoSolutions:200-301CCNAExamGuideCopyright©2020PacktPublishing

Allrightsreserved.Nopartofthisbookmaybereproduced,storedinaretrievalsystem,ortransmittedinanyformorbyanymeans,withoutthepriorwrittenpermissionofthepublisher,exceptinthecaseofbriefquotationsembeddedincriticalarticlesorreviews.

Everyefforthasbeenmadeinthepreparationofthisbooktoensuretheaccuracyoftheinformationpresented.However,theinformationcontainedinthisbookissoldwithoutwarranty,eitherexpressorimplied.Neithertheauthor(s),norPacktPublishingoritsdealersanddistributors,willbeheldliableforanydamagescausedorallegedtohavebeencauseddirectlyorindirectlybythisbook.

PacktPublishinghasendeavoredtoprovidetrademarkinformationaboutallofthecompaniesandproductsmentionedinthisbookbytheappropriateuseofcapitals.However,PacktPublishingcannotguaranteetheaccuracyofthisinformation.

CommissioningEditor:VijinBoricha

SeniorEditor:RahulDsouza

ContentDevelopmentEditors:RonnKurienandNiharKapadia

TechnicalEditor:SarveshJaywant


CopyEditor:SafisEditing

ProjectCoordinator:NeilDmello

Proofreader:SafisEditing

Indexer:RekhaNair

ProductionDesigner:JyotiChauhan

Firstpublished:November2020

Productionreference:1151020

PublishedbyPacktPublishingLtd.

LiveryPlace

35LiveryStreet

Birmingham

B32PB,UK.

ISBN978-1-80020-809-4

www.packt.com

Packt.com


http://www.packt.com

http://Packt.com

Subscribetoouronlinedigitallibraryforfullaccesstoover7,000booksandvideos,aswellasindustryleadingtoolstohelpyouplanyourpersonaldevelopmentandadvanceyourcareer.Formoreinformation,pleasevisitourwebsite.

Whysubscribe?SpendlesstimelearningandmoretimecodingwithpracticaleBooksandVideosfromover4,000industryprofessionals

ImproveyourlearningwithSkillPlansbuiltespeciallyforyou

GetafreeeBookorvideoeverymonth

Fullysearchableforeasyaccesstovitalinformation

Copyandpaste,print,andbookmarkcontent

DidyouknowthatPacktofferseBookversionsofeverybookpublished,withPDFandePubfilesavailable?YoucanupgradetotheeBookversionatpackt.comandasaprintbookcustomer,youareentitledtoadiscountontheeBookcopy.Getintouchwithusatcustomercare@packtpub.comfor

moredetails.

Atwww.packt.com,youcanalsoreadacollectionoffreetechnicalarticles,signupforarangeoffreenewsletters,andreceiveexclusivediscountsandoffersonPacktbooksandeBooks.

Contributors


http://packt.com

http://www.packt.com

AbouttheauthorGlenD.Singhisacybersecurityandnetworkinginstructor,InfoSecauthor,andconsultant.Hisareasofexpertisearepenetrationtesting,digitalforensics,networksecurity,andenterprisenetworking.Hehasmanycertifications,includingCEH,CHFI,and3xCCNA(cyberops,security,androutingandswitching).Helovesteachingandmentoringothers,andsharinghiswealthofknowledgeandexperienceasanauthor.HehaswrittenbooksonKaliLinux,KaliNetHunter,andCCNASecurity.

GlenhastrainedmanyprofessionalsinvarioussectorsrangingfromISPstogovernmentagenciesinthefieldofcybersecurity.Asanaspiringgame-changer,Glenispassionateaboutincreasingcybersecurityawarenessinhishomeland,TrinidadandTobago.

IwouldliketothankRahulNair,SuzanneCoutinho,RonnKurien,andthewonderfulteamatPacktPublishing,whohaveprovidedamazingsupportandguidancethroughoutthisjourney.Tothetechnicalreviewers,AaronCaesarandJessieJamesAraneta,thankyouforyouroutstandingcontributiontomaking

thisanamazingbook.

AboutthereviewersAaronCaesarholdsaBSc.inComputingandInformationSystemsandotherprofessionalcertificationsinnetworkingandsecurity.Hiscareerintechnologyspans16years,includingtechnicalsupportandteachingatvariousprivateandpublicsectoragencies.Currently,heisemployedatamultinationalISP,providingspecialistsupporttoawidecross-sectionofthecompany'scorporate


customers.Aaronhasapassionforlearningaboutinformationandcommunicationtechnologiesthathecontinuestopursuedaily.

Aboveall,however,heisafather,husband,son,brother,andfriend.

Iwouldliketothankmybeautifulwife,Abbigail,forallthesupportshehasprovidedtomeduringthisprocess;andallthepeoplewhobelievedinmeandmygrowth.IwouldalsoexpressmygratitudetotheauthorandtheteamatPacktforgivingmethisgreatopportunitytocontributetothisexcellentbook.

JessieJamesisalicensedelectronicsengineerandaCiscoCertifiedNetworkAssociate.Hisexperienceandspecializationismobileandfixednetworkoperationfortelecommunications.Duringthedevelopmentofthisbook,hehasbeenworkingforEtisalatUAEasOperationsFieldSupport–FixedNetwork.

I'dliketothankGodfirst,forHisalmightyguidanceonwhateverdecisionsImade.I'dalsoliketothankPacktPublishingfortheopportunitytoreviewthiswonderfulbook.Tomyparents,siblings,relatives,friends,andmentors(youknowwhoyouare),thankyouforguidingandsupportingme.Lastly,I'dliketo

thankBoniefortheloveandsupportwhilereviewingthisbook.

PacktissearchingforauthorslikeyouIfyou'reinterestedinbecominganauthorforPackt,pleasevisitauthors.packtpub.comandapplytoday.Wehaveworkedwiththousands

ofdevelopersandtechprofessionals,justlikeyou,tohelpthemsharetheirinsightwiththeglobaltechcommunity.Youcanmakeageneralapplication,applyforaspecifichottopicthatwearerecruitinganauthorfor,orsubmityourownidea.


TableofContents

Preface


Section1:NetworkFundamentals


Chapter1:IntroductiontoNetworking

Understandingtheevolutionofnetworkingandtheinternet20

Understandingnetworksizes–SOHO,LAN,andWAN22

Learningaboutnetworkprotocolsuites25

OSIreferencemodel25

UnderstandingtheTCP/IPprotocolsuite41

Understandingthefunctionsofnetworkdevices42

Hubs42

Layer2switches45

Layer3switches50

Routers50

Next-generationfirewallsandIPS51


AccessPoints55

CiscoWirelessLANController(WLC)56

Endpointsandservers57

CiscoDNA58

Networktopologyarchitectures58

2Tier60

3Tier63

Summary65

Furtherreading68


Chapter2:GettingStartedwithCiscoIOSDevices

Technicalrequirements70

BuildingaCiscolabenvironment71

CiscoPacketTracer71

VirtualCCNALab77

Physicallabs89

GettingstartedwithCiscoIOSdevices90

Bootprocess90

AccessingaCiscoIOSdevice92

ConfiguringtheCiscoIOS96

SettingupasmallCisconetwork98

Performingtroubleshootingprocedures117


Summary118

Questions119

Furtherreading120


Chapter3:IPAddressingandSubnetting


TheneedforIPaddressing122

CharacteristicsofIPv4125

CompositionofanIPv4packet126

Convertingbinaryintodecimal129

Convertingdecimalintobinary132

Transmissiontypes137

ClassesofIPv4addresses140

PublicIPv4addressspace141

PrivateIPv4addressspace142

SpecialIPv4addresses144

Loopbackaddress145


Test-Net145

LinkLocal145

Subnetmask146

Networkprefix146

IdentifyingtheNetworkID148

Subnetting150

Step1–DeterminingtheappropriateIPaddress152

Step2–Creatingnewsubnets(subnetworks)154

Step3–Assigningsubnetstoeachnetwork157

Step4–PerformingVariable-LengthSubnetMasking(VLSM)159

IPv6162

TypesofIPv6addresses165

Lab–ConfiguringIPv6onaCiscoIOSrouter168


Lab–ConfiguringIPv6onaWindowscomputer170

Testingend-to-endconnectivity172

Summary172

Furtherreading173


Chapter4:DetectingPhysicalIssues,WirelessArchitectures,andVirtualization


Understandingnetworkswitchfunctions176

Detectingphysicalissues178

Wirelesstechnologies187

2.4GHzversus5GHz189

Wirelessbands192

SSID,BSSID,andESS193

Ciscowirelessarchitectures195

Autonomous196

Cloud-based197

Split-MAC198


APmodes199

Wirelesscomponentsandmanagement200

Lab–accessingaCiscoWLCGUI201

Lab–configuringawirelessnetworkusingaCiscoWLC203

Virtualizationfundamentals209

Type1hypervisor210

Type2hypervisor211

Cloudcomputing213

Cloudservices215

SaaS215

PaaS216

IaaS216

Clouddeliverymodels216


Summary217

Questions218

Furtherreading221


Section2:NetworkAccess


Chapter5:ImplementingVLANs,Layer2DiscoveryProtocols,andEtherChannels


UnderstandingVLANs226

VLANranges232

TypesofVLANs233

Trunkinterfaces236

Inter-VLANrouting239

Lab–implementingVLANs242

Lab–creatingtrunkinterfaces248

Lab–configuringinter-VLANrouting252

Layer2DiscoveryProtocols255

CiscoDiscoveryProtocol(CDP)255


Link-LayerDiscoveryProtocol(LLDP)257

UnderstandingandconfiguringEtherChannels259

Lab–implementingEtherChannels263

Summary265

Questions266

Furtherreading268


Chapter6:UnderstandingandConfiguringSpanning-Tree


WhatisSpanning-TreeProtocol?270

BridgeProtocolDataUnit273

Rootbridgeandsecondaryrootbridge274

Spanning-treestandards277

Portrolesandstates277

Determiningtherootbridgeandportroles278

PVST+281

Rapid-PVST+286

Lab–implementingRapid-PVST+onaCisconetwork288

Lab–configuringPortFastandBPDUguard291


Summary293

Questions293

Furtherreading295


Section3:IPConnectivity


Chapter7:InterpretingRoutingComponents


UnderstandingIProuting300

Componentsoftheroutingtable306

Routingprotocolcodes306

Prefixandnetworkmask309

Nexthop310

AdministrativeDistance311

Routingmetrics314

Gatewayoflastresort317

Summary318

Questions318


Furtherreading320


Chapter8:UnderstandingFirstHopRedundancy,StaticandDynamicRouting


Understandingstaticrouting322

Doweneedstaticrouting?324

Typesofstaticroutes325

Lab–configuringstaticroutingusingIPv4332

Lab–configuringanIPv4defaultroute337

Lab–configuringstaticroutingusingIPv6340

Understandingdynamicrouting345

Typesofdynamicroutingprotocols346

OpenShortestPathFirst349

Lab–configuringOSPFv2363


ValidatingOSPFconfigurations366

Understandingfirsthopredundancy370

VariousFHRPs372

Summary384

Questions384

Furtherreading386


Section4:IPServices


Chapter9:ConfiguringNetworkAddressTranslation(NAT)


ThechallengeofusingIPv4ontheinternet390

UnderstandingNAT391

UnderstandingNAToperationandterminology393

TypesofNAT395

StaticNAT395

DynamicNAT397

ConfiguringPAT399

Lab–implementingNAToverload(PAT)403

Lab–implementingstaticNATwithportforwarding406

Lab–implementingdynamicNAT409


Summary412

Questions413

Furtherreading415


Chapter10:ImplementingNetworkServicesandIPOperations


UnderstandingNTP418

Lab–configuringNTP421

UnderstandingDHCP426

DHCPoperations426

Cisco'sDHCPconfigurations429

DHCPrelay430

Lab–configuringDHCPandDHCPrelay432

DomainNameSystem435

DNSrootservers437

DNSrecordtypes438


Lab–configuringDNS439

UnderstandingthebenefitsofusingSyslog442

Syslogseveritylevels443

Lab–configuringSyslog445

SimpleNetworkManagementProtocol448

SNMPversions451

Managementinformationbase451

Lab–configuringSNMP453

QoStrafficclassification456

QoSterminologies458

Traffictypecharacteristics459

QoSqueuingalgorithms461

QoSpolicymodels462

QoSimplementationmethods464


Summary466

Questions467

Furtherreading469


Section5:SecurityFundamentals


Chapter11:ExploringNetworkSecurity


Securityconcepts474

TheCIAtriad475

Threats478

Vulnerabilities482

Exploits495

Attacks496

Authentication,Authorization,andAccounting503

Lab–ImplementingAAA506

Elementsofasecurityprogram509

Wireshark101509

Lab–Analyzingpackets514


Summary516

Questions516

Furtherreading518


Chapter12:ConfiguringDeviceAccessControlandVPNs


Deviceaccesscontrol520

Securingconsoleaccess520

SecuringanAUXline525

VTYlineaccess527

SecuringPrivilegeExecmode535

Encryptingallplaintextpasswords539

VirtualPrivateNetworks540

Site-to-SiteVPNs541

RemoteaccessVPNs543

IPsec544


Lab–Configuringasite-to-siteVPN545

Lab–ConfiguringaremoteaccessVPN551

Summary558

Questions558

Furtherreading560


Chapter13:ImplementingAccessControlLists


WhatareACLs?562

BenefitsofusingACLs563

ACLoperation564

ACLwildcardmasks568

Calculatingthewildcardmask569

ACLguidelinesandbestpractices571

WorkingwithstandardACLs573

CreatinganumberedstandardACL573

ImplementinganamedstandardACL575

DeletinganACL576


Lab–implementingastandardnumberedACL576

Lab–configuringastandardnamedACL580

Lab–securingVTYlinesusingACLs583

WorkingwithextendedACLs588

CreatinganumberedextendedACL588

ImplementinganamedextendedACL589

Lab–implementingextendedACLs591

Summary596

Questions596

Furtherreading598


Chapter14:ImplementingLayer2andWirelessSecurity


TypesofLayer2attacksonanetwork600

Networkattacks601

Defenseindepth603

Layer2threats606

ProtectingagainstLayer2threats621

Portsecurity621

DHCPsnooping634

DynamicARPinspection641

Wirelessnetworksecurity645

Authenticationmethods647


Lab–implementingwirelesssecurityusingaWLC649

Summary655

Questions656

Furtherreading658


Section6:AutomationandProgrammability


Chapter15:NetworkAutomationandProgrammabilityTechniques

Understandingautomation662

Understandingdataformats663

eXtensibleMarkupLanguage665

JavaScriptObjectNotation666

YAMLAin'tMarkupLanguage668

UnderstandingAPIs670

TypesofAPIs670

RESTfulAPIs671

Understandingnetworkconfigurationmanagement676

Fabric,overlay,andunderlay682

CiscoDNACenter685


Summary686

Questions687

Furtherreading689


Chapter16:MockExam1


Chapter17:MockExam2

Assessments

OtherBooksYouMayEnjoy


PrefaceImplementingandAdministeringCiscoSolutions:CCNA200-301ExamGuideisanexcellentbookthatfocusesonarangeofCiscotechnologiesthatwillhelpyougainafirmunderstandingofnetworking,IPconnectivity,IPservices,security,networkprogrammability,andautomation.

Throughoutthisbook,youwillbeexposedtovariousnetworkingcomponentsanddiscoverhowtheyallworktogetherinanenterprisenetwork.YouwillalsolearnhowtoconfigureCiscodevicesusingthecommand-lineinterface(CLI)toprovidenetworkaccess,services,security,connectivity,andmanagement.

Duringthecourseofthisbook,youwillcomeacrossdifferenthands-onlabswithreal-worldscenariosthataredesignedtohelpyougainessentialon-the-jobskillsandexperience.Furthermore,thisbookwillguideyouandteachyounetworkingtechnologiesandsolutionstoimplementandadministerenterprisenetworksandinfrastructureusingCiscosolutions.

Bytheendofthisbook,youwillhavegainedtheconfidencetopasstheCCNA200-301examinationandbewell-versedinavarietyofnetworkadministrationandsecurityengineeringsolutions.


WhothisbookisforThisguideistargetedateveryITprofessionallookingtoboosttheirnetworkengineeringandsecurityadministrationcareer.UsersinterestedincertifyinginCiscotechnologiesandstartingacareerasnetworksecurityprofessionalswillfindthisbookuseful.ReaderswithnoknowledgeaboutCiscotechnologiesbutsomeunderstandingofindustry-levelnetworkfundamentalswillhaveanaddedadvantage.


WhatthisbookcoversChapter1,IntroductiontoNetworking,introducesvariousnetworkprotocols,devices,andcomponents,andnetworktopologyarchitectures.

Chapter2,GettingStartedwithCiscoIOSDevices,introducesCiscoInternetworkOperatingSystem(CiscoIOS).Youwilllearnhowtoaccessthedevice,performinitialconfigurations,andlearnhowtoverifythedevice'ssettings.Additionally,youwilllearnhowtobuildyourpersonallearningenvironmenttoreduceyourexpenditureintermsofpurchasingexpensiveequipment.

Chapter3,IPAddressingandSubnetting,coversdifferentclassesofIPaddressesandtheirassignments.Thesecondhalfofthechapterwillteachyouhowtousesubnettingtobreakdownalargenetworkintosmallersubnetworks.

Chapter4,DetectingPhysicalIssues,WirelessArchitectures,andVirtualization,coversvariousLayer1issuesandtakesadeepdiveintounderstandingCiscoWirelessArchitecturesanddeploymentmodels.Additionally,thischaptercoverstheconceptofvirtualizationandvirtualmachines.

Chapter5,ImplementingVLANs,Layer2DiscoveryProtocols,andEtherChannels,introducesyoutoVirtualLocalAreaNetworks(VLANs),configuringandtroubleshootingVLANsonaCisconetwork,settingupinter-switchconnectivitybyconfiguringTrunklinks,andconfiguringinter-VLANroutingtoallowmultipleVLANstointer-communicate.Additionally,youwilllearnhowtousevariousLayer2discoveryprotocolstomapdevicesonanetworkanduseEtherChannelstoperformlinkaggregation.


Chapter6,UnderstandingandConfiguringSpanning-Tree,coverstheimportanceofdesigningaproperswitchnetworkshowingdevicesshouldbeinterconnectedtoensureredundancy.Furthermore,thechapterintroducesyoutoaLayer2looppreventionmechanismknownastheSpanning-TreeProtocol(STP).Youwilllearnabouttheoperations,configurations,andtroubleshootingofSTPinaCiscoenvironment.

Chapter7,InterpretingRoutingComponents,focusesontheimportanceofroutinganddiscusseshowroutersmaketheirforwardingdecisions.Youwilllearnallaboutthecomponentsoftheroutingtableandthefactorsthathelparoutertochooseapreferredpathforforwardingpacketstotheirdestination.

Chapter8,UnderstandingFirstHopRedundancy,StaticandDynamicRouting,continuesthediscussiononroutingbuttakesamoretechnicalapproach,suchasdemonstratinghowtoimplementstaticanddynamicroutingprotocolstoensureIPconnectivitybetweenmultiplenetworksinaCiscoenvironment.

Chapter9,ConfiguringNetworkAddressTranslation(NAT),focusesprimarilyonNetworkAddressTranslation(NAT).ThechapterwilltakeyoufromanintroductiontousecasesontotheconfigurationofvarioustypesofNATandtroubleshootingtechniques.

Chapter10,ImplementingNetworkServicesandIPOperations,introducesyoutovariousnetworkandIPservicesthatarerequiredonalmostallenterprisenetworksandarerequiredknowledgefornetworkengineers.ThischaptercoverstechnologiessuchasNTP,DHCP,DNS,Syslog,andQoS.

Chapter11,ExploringNetworkSecurity,discussesvarioustopics,suchascybersecuritythreatsandissuesmanyprofessionalsfaceeachday,suchasthreats,vulnerabilities,exploits,usertraining,securityawareness,and


countermeasures.

Chapter12,ConfiguringDeviceAccessControlandVPNs,focusesonsecuringyourCiscoswitchesandroutersandconfiguringsecuredeviceaccess.Additionally,thischapterintroducesyoutoremoteaccessandhowtoconfigureVirtualPrivateNetworks(VPNs).

Chapter13,ImplementingAccessControlLists,coversACLs,whichareamandatorytopicforeveryonewhoisstartingorisalreadyinthefieldofnetworksorsecurity.ACLsareLayer3securitycontrols.Whenimplementedonaroute,theycreateafirewall-centricdevicetofilterunwantedtraffic.

Chapter14,ImplementingLayer2andWirelessSecurity,introducesyoutovariousLayer2attacksonanenterprisenetworkandexplainshowtoimplementcountermeasurestocreateasecurenetworkenvironment.

Chapter15,NetworkAutomationandProgrammabilityTechniques,broachesthefactthattheworldofnetworkingismovingtowardautomationandnetworkengineerswillnowneedtolearnhowautomationcanimproveefficiencyinnetworkdeploymentandmanagement.Thischapterintroducesyoutonetworkautomationtechniquesandprogrammability.

Chapter16,MockExam1,includesasimplemocktestcontainingquestionsthatwillhelpyoutopreparefortheCiscoCCNA200-301examinationandwillhelpyouidentifyanytopicsyouneedtospendadditionaltimelearningaboutandpracticing.

Chapter17,MockExam2,includesanothermocktestcontainingquestionsthatwillhelpyoutopreparefortheCiscoCCNA200-301examinationandwillhelpyouidentifyanytopicsyouneedtospendadditionaltimelearningaboutand


practicing.

TogetthemostoutofthisbookAllconfigurationsweredoneusingaWindows10operatingsystemrunningCiscoPacketTracerversion7.3.0.

Ifyouareusingthedigitalversionofthisbook,weadviseyoutotypethecodeyourselforaccessthecodeviatheGitHubrepository(linkavailableinthenextsection).Doingsowillhelpyouavoidanypotentialerrorsrelatedto


thecopyingandpastingofcode.

Aftercompletingthisbook,usingyourimagination,attempttocreateadditionallabscenariosusingCiscoPacketTracer.Thiswillhelpyoutocontinuelearningandfurtherdevelopyourskillsasanaspiringnetworkengineer.

DownloadtheexamplecodefilesYoucandownloadtheexamplecodefilesforthisbookfromGitHubathttps://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions.Incasethere'sanupdatetothecode,itwillbeupdatedontheexistingGitHubrepository.

Wealsohaveothercodebundlesfromourrichcatalogofbooksandvideosavailableathttps://github.com/PacktPublishing/.Checkthemout!

CodeinActionCodeinActionvideosforthisbookcanbeviewedathttps://bit.ly/30fYz6L.

DownloadthecolorimagesWealsoprovideaPDFfilethathascolorimagesofthescreenshots/diagramsusedinthisbook.Youcandownloadithere:http://www.packtpub.com/sites/default/files/downloads/9781800208094_ColorImages.pdf.

Conventionsused


https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions

https://github.com/PacktPublishing/

https://bit.ly/30fYz6L

Thereareanumberoftextconventionsusedthroughoutthisbook.

Codeintext:Indicatescodewordsintext,databasetablenames,folder

names,filenames,fileextensions,pathnames,dummyURLs,userinput,andTwitterhandles.Hereisanexample:"Ifyouusetheshowflash:command

inprivilegemodeonaCiscoIOSswitch,youwillseethevlan.datfile."

Whenwewishtodrawyourattentiontoaparticularpartofacodeblock,therelevantlinesoritemsaresetinbold:

Branch-B(config)#iproute10.1.1.0255.255.255.0

10.2.1.5


10.2.1.10


10.2.1.20

Anycommand-lineinputoroutputiswrittenasfollows:

SW1(config)#interfaceFastEthernet0/1

SW1(config-if)#switchportmodeaccess

SW1(config-if)#switchportaccessvlanvlan-ID

SW1(config-if)#noshutdown

SW1(config-if)#exit

Bold:Indicatesanewterm,animportantword,orwordsthatyouseeonscreen.Forexample,wordsinmenusordialogboxesappearinthetextlikethis.Hereisanexample:"SelectSysteminfofromtheAdministrationpanel."


Tipsorimportantnotes

Appearlikethis.

DisclaimerTheinformationwithinthisbookisintendedtobeusedonlyinanethicalmanner.Donotuseanyinformationfromthebookifyoudonothavewrittenpermissionfromtheowneroftheequipment.Ifyouperformillegalactions,youarelikelytobearrestedandprosecutedtothefullextentofthelaw.PacktPublishingdoesnottakeanyresponsibilityifyoumisuseanyoftheinformationcontainedwithinthebook.Theinformationhereinmustonlybeusedwhiletestingenvironmentswithproperwrittenauthorizationfromtheappropriatepersonsresponsible.

GetintouchFeedbackfromourreadersisalwayswelcome.

Generalfeedback:Ifyouhavequestionsaboutanyaspectofthisbook,mentionthebooktitleinthesubjectofyourmessageandemailusatcustomercare@packtpub.com.

Errata:Althoughwehavetakeneverycaretoensuretheaccuracyofourcontent,mistakesdohappen.Ifyouhavefoundamistakeinthisbook,wewouldbegratefulifyouwouldreportthistous.Pleasevisitwww.packtpub.com/support/errata,selectingyourbook,clickingontheErrataSubmissionFormlink,andenteringthedetails.


http://www.packtpub.com/support/errata

Piracy:IfyoucomeacrossanyillegalcopiesofourworksinanyformontheInternet,wewouldbegratefulifyouwouldprovideuswiththelocationaddressorwebsitename.Pleasecontactusatcopyright@packt.comwithalinkto

thematerial.

Ifyouareinterestedinbecominganauthor:Ifthereisatopicthatyouhaveexpertiseinandyouareinterestedineitherwritingorcontributingtoabook,pleasevisitauthors.packtpub.com.

ReviewsPleaseleaveareview.Onceyouhavereadandusedthisbook,whynotleaveareviewonthesitethatyoupurchaseditfrom?Potentialreaderscanthenseeanduseyourunbiasedopiniontomakepurchasedecisions,weatPacktcanunderstandwhatyouthinkaboutourproducts,andourauthorscanseeyourfeedbackontheirbook.Thankyou!

FormoreinformationaboutPackt,pleasevisitpackt.com.


http://packt.com

Section1:NetworkFundamentalsThissectionintroducesyoutotheworldofnetworking,startingwithhowdevicesintercommunicate.Itthendiscussesthevarioustypesofnetworkingdevicesalongwiththeirfunctionality.Thissectionalsocoverspopularnetworkingprotocolsandservicesthatallowanetworktosharearesourcewithotherdevices.Additionally,youwilllearnaboutIPv4andIPv6addressing,andsubnettingtechniques.

Thissectioncontainsthefollowingchapters:

Chapter1,IntroductiontoNetworking

Chapter2,GettingStartedwithCiscoIOSdevices

Chapter3,IPAddressingandSubnetting

Chapter4,DetectingPhysicalIssues,WirelessArchitectures,andVirtualization


Chapter1:IntroductiontoNetworkingBeginningajourneyinthefieldofnetworkingisanexcitingoneforeveryone.I'msureyouareinterestedinlearningabouttheoperationsofacomputerandespeciallyhowtheinternet,thelargestnetwork,functionsandgrows.Networkingisanever-demandingfieldinInformationTechnology(IT);eachday,organizationsfromhealthcareproviders,educationalinstitutions,governmentagencies,andotherindustriesarecontinuouslyexpandingandimprovingtheirnetworkinfrastructuretosupportnewerservicesandnetworktraffic.Almosteveryoneisconnectedtotheinternet.Educatorsandbusinessesareusingvariousonlinecollaborationplatformstoextendtheirreachtostudentsandpotentialcustomersinaglobalmarket.Alltheseamazingtechnologiesaremadepossiblebycomputernetworks.

TheCiscoCertifiedNetworkAssociate(CCNA)200-301certificationisdesignedtoprepareyouforassociate-levelnetworkingrolesintheITindustry.CCNAisoneofthemostpopularcertificationrequirementsforalmosteverynetworkengineeringjob,andthereisaverygoodreasonwhy.TheCCNAcertificationisafoundationallevelcertificationwithalotofessentialinformation;Iknowpartofthenamecontainstheword"associate",butthat'sjustintheCiscocertificationhierarchystructuresincethenextlevelisCiscoCertifiedNetworkProfessionalandsoon.TheCCNAisoneofthemostrecommendedcertificationsyoucanfollowtobeginyournetworkingjourney.

TheCCNAwillteachyouhowtodesign,implement,configure,andtroubleshootsmall-tomedium-sizedenterprisenetworks.Youwilllearntoefficientlyimplementnetworkaccess,IPconnectivity,IPservices,andsecuritythroughanenterprisenetwork.Additionally,gainingyourCCNAcertification


willopenupawholenewworldofcareeropportunitiesasthecertificationitselfiswell-respectedinthenetworkingfield.

Throughoutthischapter,youwilllearnabouttheimportanthistoryofhowcomputernetworksweredevelopedandtheerabeforetheinternet.Then,wewillcovertheearlyandcurrentgenerationoftheinternetandexplorehownetworkinghasbecomepartofourdailylives.Youwilllearnaboutcommunicationtechnologiesandnetworkingprotocolsthataredesignedtohelpusconnectwithourlovedones,friends,andcolleagues.Youwillalsolearnaboutthevarioussizesofnetworksandcomponentssuchasroutersandswitches,whichmovemessagesfromonedevice,acrossanetwork,toanotherperson.Lastly,you'lllearnaboutthevariousprotocolsuitesthatarebuiltintoeachoperatingsystemandnetworkdevicethatsetstheprotocolforexchangingmessages.

Inthischapter,wewillcoverthefollowingtopics:

Understandingtheevolutionofnetworkingandtheinternet

Understandingnetworksizes–SOHO,LAN,andWAN

Learningaboutnetworkprotocolsuites

Understandingthefunctionsofnetworkdevices

Networktopologyarchitectures

Understandingtheevolutionofnetworkingandtheinternet


Inthepre-internetage,scientists,institutions,andotherexpertswereworkingtocreateanetworkthatcouldallowthemtoconnectcomputersonaworldwidescale.Computerscientistsbeganworkingonamodel;theinitialprototypewasknownastheAdvancedResearchProjectsAgencyNetwork(ARPANET).

ARPANETwasdevelopedinthe1960s.ItwasfundedbytheUSDepartmentofDefense(DoD)withtheideaitwouldbeusedtoconnectuniversitiesandresearchcenters.Thenetworktechnologyusedonthisprototypewaspacketswitching.Thisallowedconnectedcomputerstosendandreceivedataonasinglenetwork.However,ARPANETwasnotresilientenoughtoallowmultiplechannelsofcommunicationonthenetwork.

TheUSDefenseAdvancedResearchProjectsAgency(DARPA)developedtheTransmissionControlProtocol/InternetProtocol(TCP/IP)suite,whichwasadoptedbyARPANETintheearly1980s.TheUSDODcalledittheofficialstandardcomputernetworking.WiththeadoptionofTCP/IP,ARPANETbegantoevolveintomuchlargernetworks,allowingotherorganizationstobeinterconnected,andbecamewhatwecommonlyrefertoastheinternettoday.

Theinternetisaworldwidecollectionofmanyinterconnectednetworks,suchasWideAreaNetworks(WANs)andLocalAreaNetworks(LANs).Eachorganizationorpersonwhoconnectsadevicetotheinternetsimplyextendsthenetwork(internet),sotheinternetiscontinuouslygrowingasmoredevicesaregoingonline.Laterinthischapter,wewilltakeadeeperdiveanddiscussvarioustypesandsizesofnetworktopologies.

Theinternetitselfisnotownedbyanyonepersonororganizationintheworld.However,therearemanygroupsandorganizationsthathelpmaintainthestabilityandsetstandardsforintercommunicatingontheinternetandprivate


networks.

Asanupcomingnetworkengineer,it'sgoodtoknowalittleaboutthefollowingorganizationsandgroups:

InternetEngineeringTaskForce(IETF).Itsmissionissimplytomaketheinternetworkbetterforall.YoucanfindmoreinformationaboutIETFontheirwebsiteatwww.ietf.org.

InternetAssignedNumbersAuthority(IANA)isresponsiblefortheassignment,coordination,andmanagementofinternetprotocol(IP)addressing,internetprotocolresources,andtheDomainNameSystem(DNS)RootZone.YoucanfindmoreinformationaboutIANAontheirofficialwebsiteatwww.iana.org.

InternetCorporationforAssignedNamesandNumbers(ICANN)contributestotheinternet'ssustainabilitybycoordinatingandmanagingtheinternet'snumericalspacesandnamespacestoensureitsstability.YoucanfindmoreinformationaboutICANNontheirofficialwebsiteatwww.icann.org.

Nowthatwehavecoveredthehistoryoftheinternet,we'lllookathowvariousnetworksizesdifferinthenextsection.

Understandingnetworksizes–SOHO,LAN,andWANLet'simaginewehaveafewdevicesthatareallinterconnectedinasinglenetwork,sharingfilesbetweenthemselveswithouthavingtheuser(human)


http://www.ietf.org

http://www.iana.org

http://www.icann.org

physicallywalkaroundwithaportablestoragedevicesuchasaflashdrivetocopyandpastefiles.Usersaccessacentralizedfileserverwithinthecompany'snetworkfromtheirlocalcomputer.

Thefollowingdiagramshowsasmallnetworkwithbothanetwork-sharedprinterandfileserver:

Figure1.1–DevicesinterconnectedtocreateasmallLAN

ThistypeofnetworkiscommonlyreferredtoasaLAN.ALANisdefinedasasmallcomputernetworkthatdoesnotexceedthephysicalspaceofahomeorasinglebuilding.Tohelpyouunderstandthis,we'regoingtouseasimple


analogy.Let'simagineyouworkforACME,afictional-basedorganizationthathasasinglebranch.Withinthebranch(thatis,thephysicalbuilding),ACMEhasaLANthatisusedtointerconnectalltheirdevices–computers,servers,printers,andsoon.ThisLANallowsemployeestositattheirworkstationsandsenddocumentstoprintviathenetworktothelocalprinterandaccessthefileservertostoreandcopyfilesfortheirprojects.Let'scallthisofficelocationHQ.

ThefollowingdiagramshowsatypicalLANwithinterconnecteddeviceswithintheHQbuilding:

Figure1.2–AbuildingcontainingaLAN

Oneday,ACMEwantstoopenanewbranchinanothercitytoprovideservicestonewandpotentialcustomers;however,thereisachallenge.WeshallrefertothenewbranchasBranchA.Thenewlocation,BranchA,ismanymilesawayandthestaffatBranchAneedtoaccessresourcessuchastheapplicationserver,


CustomerRelationshipManagement(CRM)database,andotherimportantresourcesthatarelocatedattheHQlocation.OnesolutionwouldbetocreateacloneoftheserversfromHQtothenewlocation,BranchA;however,thismeanseachtimenewrecordsanddataisupdatedattheHQlocation,itwilltakealongtimetoreplicatethedataontheserversatBranchA.Thismaycreateinconsistencyissueswhenemployeestrytoaccessthemostup-to-datefilesandrecordsatBranchA.

Importantnote

Inourscenario,BranchAistypicallyknownasaSmallOffice/HomeOffice(SOHO).Thistypeofnetworkisgenerallysmallerthanthemaincorporateofficeofacompany,butitenablestheuserstoconnectoraccesstheresourcesthatarecentrallysharedonthecorporatenetwork(HQ).

AbetterapproachistocreateaWAN.AWANisusedtosimplyextendaLANoveralargegeographicdistance.AcompanysuchasACMEwoulddefinitelybenefitfromusingthistechnologywithintheirorganization.ByimplementingaWANbetweentheirbranches,HQandBranchA,theserversandmainresourcescansimplystayatHQwhileemployeesarestillabletoaccesstheresources,files,andrecordsacrossthenetworkattheirBranchAlocation.

ThefollowingdiagramshowsadepictionofaWANconnectionbetweentheHQlocationandthenewbranchoffice:


Figure1.3–AWANconnectionbetweentwobuildings

Inmoderntimes,WANsaremanagedbyserviceproviders(SP)andInternetServiceProviders(ISPs).WANscanextendyourLANbeyondcities,countries,andevencontinents.ISPsofferarangeofWANservicestotheircustomers,suchasthefollowing:

MetroEthernet(MetroE)

VirtualPrivateLANService(VPLS)

MultiprotocolLabelSwitching(MPLS)

Asasimpleexample,MetroEenablescustomersofaserviceprovidertoestablishaWANbetweenbranches,functioninglikeaveryhugeLANwithintheserviceprovidernetwork.ThismeansacompanycaninterconnectmultiplebranchesusingaMetroEservicewithintheserviceprovidernetwork.Onthe


customer'send,thenetworkfunctionsasifitwereonalargeLAN.

AnothertypeofWANserviceisMPLS,whichprovidesuswiththefunctionalitytoextendanorganization'snetworkbeyondthelocalserviceprovider'snetwork.ImaginehavingaWANcircuitstartingfromtheHQlocationandpassingthroughmultipleISPnetworksuntiltheconnectionisterminatedataremotebranchinanothercountry.

Withthat,wehavecoveredthefundamentalsofSOHOs,LANs,andWANs.Inthenextsection,wewilllearnaboutthecomponentsthathelpusbuildandextendnetworks.

LearningaboutnetworkprotocolsuitesThankstovarioustechnologycompanies,wecanbreakdowncommunicationbarriersbetweenpeoplewhospeakdifferentnativelanguages.WecansimplyinstallanapponoursmartphonesuchasGoogleTranslateandtranslateaforeignlanguageintoourownandviceversa.

Foradevicetocommunicatewithanotheronanetwork,itrequiresasetofprotocolsoraprotocolsuite.Aprotocolsuiteisacommonformatthatdevicescanusebyfollowingasetofrulesforexchangingmessageswithotherdevicesonanetwork.Aprotocolsuiteenablesdevicestospeakacommon,universallanguagethatallowsallnetworkingdevicestounderstandeachother.

Yearsago,computermanufacturersmadetheirownprotocolsuites,which,inmostinstances,allowedonlysame-vendordevicestocommunicateandexchangedataonanetwork.SomeoftheseprotocolsuiteswereAppleTalkandNovelNetware(IPX/SPX),whichwereproprietarytothevendorandnot


suitableforconsumersonalargescale.

ThencametheOpenSystemsInterconnection(OSI)referencemodelandtheTransmissionControlProtocol/InternetProtocol(TCP/IP)suite.Inthefollowingsubsections,wewillfurtherdiscussandcompareboththeOSImodelandTCP/IPprotocolsuite.

OSIreferencemodelTheOSIreferencemodelisaseven(7)layermodelthatwasdevelopedbytheInternationalOrganizationforStandardization(ISO)inthe1970s.Itwasintendedtobeafullyoperationalprotocolsuitetoallowalldevicesonanetworktointercommunicateusingamutuallanguage.However,itwasneveractuallyimplementedinanysystems.

Youmaybewondering,ifit'snotimplementedinanyoperatingsystemsanddevices,whyisitimportantwelearnabouttheOSIreferencemodel?EachlayeroftheOSImodelhasauniquefunctionalityassociatedwithacomputernetwork.Thisallowsnetworkengineerstobetterunderstandwhathappensoneachlayerwhenperformingtroubleshootingtasks.

DuringthedevelopmentoftheOSImodel,itwasnotedthemodelconsistedofsevenlayers.Theseareasfollows:

Layer7:Application

Layer6:Presentation

Layer5:Session


Layer4:Transport

Layer3:Network

Layer2:Datalink

Layer1:Physical

Whyaretheresomanylayers?EachlayeroftheOSImodelhasaparticularresponsibilityforensuringadeviceisabletosuccessfullyexchangemessageswithotherdevicesonanetwork.Inthefollowingsections,wearegoingtolearntheessentialsofeachlayerandhowtheyhelpusunderstandnetworkoperations.Thisenablesustobetteridentifyandtroubleshootnetwork-relatedissuesintheindustry.

Tip

WecantakethefirstletterofeachlayeroftheOSImodeltocreateaneasy-to-rememberphrase:AllPeopleSeemToNeedDataProcessing.

Asanexample,whenadevicesuchasacomputerwantstosendamessage(data)toanotherdeviceeitheronalocalorremotenetwork,thedatahastoflowdownwardintheOSImodel,passingthrougheachlayer.Duringthisprocess,aspecificsetofrules,encoding,andformattingisapplied.Thisisknownasencapsulation.Wheneverarecipientisprocessingamessage,itgoesupward,passingeachlayer,andpartsofthemessagearestrippedaway.Thisisknownasde-encapsulation.

ThefollowingdiagramshowsthetypicalflowofamessagethroughtheOSImodelwhenonedeviceissendingamessageandanotherdeviceisaccepting


andprocessinganincomingmessage:

Figure1.4–VisualrepresentationoftrafficflowingthroughtheOSImodel

Inthefieldofnetworking,adevicesuchasacomputercreatesaProtocolDataUnit(PDU),sometimesreferredtoasadatagram.Thisistherawdatatobesentacrossanetworktoanotherdevice.AteachlayeroftheOSImodel,thePDUhasadifferentname.ThesenamesareusedtoreferencethecharacteristicsofthePDUataparticularlayer.Inyourexam,it'simportanttousethisterminology.ThefollowingdiagramshowsatablecontainingthelayersoftheOSImodeland


thenameofthePDUateachlayer:

Figure1.5–PDUsateachlayeroftheOSImodel

TogetabetterunderstandingabouteachlayeroftheOSImodelandthecharacteristicsofPDUsastheyarepassedbetweenlayers,wewilldiscusstheroleandfunctionofeachlayerinthefollowingsections.Let'stakeacloserlook.

Layer7–ApplicationlayerTheapplicationlayer(Layer7)istheclosestlayertotheuserwithintheprotocolsuite.Itprovidesaninterfaceforcommunicationbetweentheapplicationsrunninginalocalsystemandtheunderlyingnetworkprotocols.Tofurtherexplain,imagineyouwouldliketogetabitmoreinformationontheCiscoCertifiedNetworkAssociate(CCNA)certification.Intoday'sworld,internetaccessisreadilyavailabletous,eitheronmobiledataplansthatutilize4GandLTEtechnologiesorinternetcafesandcoffeeshopswithfreeinternetaccessvia


theirWi-Finetwork.Whichevermethodweusetoaccesstheinternet,wealwaysneedanimportantapplication:awebbrowsertoviewwebpagesinagraphicalinterface,whichhelpsusnavigatetheinterneteasily.

Let'scontinuewithouranalogy.OneactionyoumaywanttoperformistovisitCisco'swebsiteatwww.cisco.comtoresearchtheexaminationobjectivesandbetterprepareyourselfforthecertification.

Openingyourfavoritewebbrowser,youentertheURLwww.cisco.comandhitEnter.Withinacoupleofseconds,theCiscowebsiteisdisplayedwithinthebrowser'sinterface.Lookingcloselyattheaddressbarinthebrowser,wecanseethattheHypertextTransferProtocolSecure(HTTPS)protocolhasbeeninvolvedbythewebbrowser,asshowninthefollowingimage:

Figure1.6–HTTPSprotocolusedinwebbrowser

Keepinmindthatthewebbrowserissimplyanapplicationrunningonourcomputerorsmartdevicethatallowsus,theuser,touseanapplicationlayerprotocolsuchasHTTPStoexchangemessages(encodedinweblanguages)betweenourcomputerandawebserver.ThismakestheHTTPSprotocoloneofmanyapplicationlayerprotocols.

Thefollowingaresomecommonlyknownapplicationlayerprotocols:


http://www.cisco.com


FileTransferProtocol(FTP)

SimpleMailTransferProtocol(SMTP)

DomainNameSystem(DNS)

DynamicHostConfigurationProtocol(DHCP)

HyperTextTransferProtocol(HTTP)

InreferencetotheOSImodel,thewebbrowser(application)createstherawHTTPSmessage.Atthispoint,thePDUisknownasdata.Datahasnoadditionalencodingorformattingasitissimplytheraw(bare)messagetheapplicationhasgenerated.However,inthisstate,thePDUcanonlyberecognizedandinterpretedbyanothersimilarapplicationthatunderstandsHTTP/S.

Whentheapplicationlayerhasfinisheditsjob,itpassesthePDUontothelowerlayer,knownasthepresentationlayer.

Layer6–PresentationlayerAveryimportantfactorincommunicationishowcontentispresented.Wemustalwaystrytoensuretheformatinwhichthemessageiswrittenorspokencanbeinterpretedbytherecipientveryclearly.ImagineanambassadorwhoonlyspeaksEnglishistravelingtoaforeigncountryondiplomaticbusinesswheretheforeignnationalsdonotspeakEnglish.Thiswillbeachallengefortheambassador;itcannegativelyaffectsomeofthecommunicationthattheyhavewiththelocalsduringtheirvisit.Havingadedicatedpersonasatranslatorwillassisttheambassadorincommunicatingclearlywiththeforeignnationals.


Wecanapplythisanalogytoanetwork.Therearemanyprotocolsthatexistbothinsideandoutsideofacomputersystem;someareonthenetworkitself,whileothersareontheoperatingsystemsofaserverordesktopcomputer.Furthermore,aspreviouslymentioned,eachlayeroftheOSIreferencemodelhasitsownsetofprotocols,whichaidinthetransmissionofdatabetweendevices.

WhenanapplicationlayerprotocolsuchasHTTPSsendstherawdatatothenetwork,itpassesthroughthepresentationlayer(Layer6),whichhastoperformsometasksbeforesendingittothelowerlayers.Thepresentationlayerisresponsibleforthefollowingfunctions:

Dataformatting

Datacompression

Dataencryptionanddecryption

Mostimportantly,dataformattingensurestherawdataispresentedorformattedintoacompatibleformatforboththelowerlayersandtherecipient'sdevice(s)tounderstand.It'sabitlikecreatingauniversallanguageonadigitalnetwork.

Let'slookatasimpleanalogytofurtherexplainthisconcept.Imaginehavingtowritealettertoafriendwhoresidesinanothercountry.Afterwritingyourletter,yousecurelyencloseitwithinanenvelopeandinsertthecorrespondencedestinationaddressbeforedroppingitofftothelocalmailcourier.Sincetheletterisintendedforinternationalshipping,thelocalcourierwillattachaninternationalshippinglabelcontainingauniversalformatfortheaddressinginformation.Thismeansthelocalcouriercompanymayneedtopasstheletterontoanothercourieruntilitreachestheintendeddestination.Duringthis


process,eachcourierwillbeabletoreadandinterprettheinformationprintedontheuniversalshippinglabelbecauseitsformatisstandardized.ThesameappliestomessagespassingtothelowerlayersoftheOSImodel,hencetheimportanceofthepresentationlayer.

Anotherfunctionofthepresentationlayeriscompressingdatabeforeitisplacedonthenetworkanddecompressingitontherecipient'sdevice.Lastly,thepresentationlayerencryptsdatabeforetransportingitbetweenthesenderandreceiveroveranetwork.Onthereceivingdevice,thepresentationlayerisresponsibleforthedecryptionoftheencryptedmessage.

Atthepresentationlayer,thePDUisstillknownasdata.Next,thePDUispassedontothesessionlayer.

Layer5–SessionlayerThesessionlayer(Layer5)hasasimpleresponsibility.Atthislayer,therearethreemainfunctionsthatworktogetherwithadevicetoensuredatagrams(messages)canbeexchangedacrossanetwork.Theseareasfollows:

Createorbuildasessionbetweenasenderandreceiver.

Maintaintheestablishedsessionduringthetransmissionofmessagesbetweenthesenderandreceiverdevices.

Terminateasessionwhenbothpartiesindicatetheynolongerwanttocommunicatewitheachother.

Keepinmindthat,atthesessionlayer,thePDUmaintainsthesamenameastheupperlayers:data.


Layer4–TransportlayerThetransportlayer(Layer4)isresponsibleformovingdatagramsbetweentheupperlayers(applicationlayer)ontothenetworkitself.Atthetransportlayer,thePDUhasanewname,Segment.

Attheapplicationlayer,therearemanyapplications(programs)thatgeneratenetworktraffic,suchasHTTPorSMTP,atanytime.Wheneachapplicationlayerprotocolsendstheirdatagramtothenetwork,thetransportlayerhastheresponsibilityoftrackingtheseconversationsastheyoccur.

Wheneveradevicewantstosendamessageacrossanetwork,thetransportlayerpreparesthedatagram(message)andseparatesitintomanageablepiecesfordelivery.Thisisduetothefactthatnetworkingdevicessuchasswitchesandrouters,togetherwithclientmachinessuchasdesktopandserveroperatingsystems,havelimitationsregardingtheamountofdatathatcanbeputinanIPpacket.Therefore,thetransportlayerhandleshowtosegmentandreassemblethesemessagesbetweenthesenderandthereceiver.

Asmentionedpreviously,therearemanyprotocolsattheapplicationlayerthathandledataindifferentways.WebtrafficusesHTTPandHTTPS,whichisformatteddifferentlyfromemailtraffic,whichusestheSMTPapplicationprotocol.Eachprotocolisdesignedtointerpretitsowntypeoftrafficjustfine,butifforeigntrafficentersitsapplication,itwouldbemalformedandforeigninnatureandthereforebediscarded.Oneofthemostimportantrolesofatransportlayeristoensuredataispassedtothecorrespondingapplications.Inotherwords,ifawebbrowserissendingHTTP(S)traffictoadeviceonanetwork,therecipientapplicationprotocolonthedestinationdeviceisexpectedtoberunningHTTPorHTTPS,suchasawebserver.


ThetransportlayerensureseachdatagramissenttoitscorrespondingapplicationorapplicationlayerprotocolbyassigningauniqueportnumbertothePDU,thereforecreatingatransportlayerheader.Thisprocessisknownasencapsulation.

Togetabetterunderstandingofthisprocess,let'suseasimpleanalogyofacommercialtowerwhosetenantsarevariouscompaniessharingthesamephysicalinfrastructure:thebuilding.Typically,themainpublicareaisthelobby,displayingadirectorylistingofeachcompanyandtheirfloornumber.

Let'sthinkofthebuildingasanoperatingsystem(OS).AccordingtoRFC6335,thereare65,535logicalnetworkportswithinanOS.Theseportsare

categorizedasfollows:

Figure1.7–Networkportnumberranges

Thewell-knownportsarethosethatarecommonlyusedbyapplicationlayerprotocols,whichareasfollows:

FileTransferProtocol:20,21

SecureShell(SSH),SecureCopy(SCP):22


Telnet:23

SMTP:25

DNS:53

DHCP:68,69

HTTP:80

POP:110

IMAP:143

HTTPS:443

Eachapplicationlayerprotocol/serviceusesauniqueportthattheysendandreceivetheirtraffictypetoandfrom.Forexample,allHTTPtrafficwillbesenttoadevicerunningawebserverapplication(IIS,Apache,orNginx)withopenport80.ForHTTPStraffictoenterthewebserver,port443isthedefaultport

thatmustbeopen.

Registeredportsareusedbysoftwareandothervendorswhowanttouseaspecificportonlyfortheirapplication.Thesedynamicportsareusedtemporarilywhenadeviceissendingtrafficandaresometimesreferredtoasephemeralports.Forexample,ifaPCwantstosendtraffictoawebserver,weknowthewebserverwillhaveport80and/or443openbydefault.However,thePCmust

useasourceport.Thismeansadynamicallygeneratedport(ephemeral)between49152to65535willbeused.


Tip

Formoreinformationofservicenamesandportnumberassignment,pleaseseethefollowingURL:https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.

Gettingbacktoouranalogy,eachperson(datagram)whoisenteringthebuilding(OS)hastheintentionofvisitingaspecificcompany(applicationprotocol/service).Theyareinstructedtotakeaspecificelevatororstaircase(transportlayer)toreachthedestinationcompanyinthebuilding.Whentheindividual(datagram)exitstheelevatororstaircase,theyarefacedwithafewdoors(networkports)todifferentcompaniesonthesamefloor.Walkingthroughadoor(port)willcarrytheindividualtoaspecificcompany.WithintheOSImodelandTCP/IPprotocolsuite,thetransportlayerinsertsitsownheader,whichcontainsthesourceportnumberofthesenderandthedestinationportnumberoftherecipienttoensurethedatagramgoesthroughthecorrectnetworkport(doorway).Thisway,itcanreachtherelevantapplicationlayerprotocoltobeprocessed.

Thefollowingdiagramrepresentstheencapsulationofdata.Thetransportlayerinsertsourheader,whichcontainsthesourceanddestinationportaddresses:


https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

Figure1.8–Transportheaderinformation

Withinthetransportlayer,therearetwoprotocolsthatareresponsibleforthedeliveryofmessagesbetweenasenderandareceiveroveranetwork.ThesearetheTransmissionControlProtocol(TCP)andtheUserDatagramProtocol(UDP).

TransmissionControlProtocol

TCPisoftenreferredtoasaconnection-orientedprotocolthatguaranteesthedeliveryofamessagebetweenasenderandareceiver.Beforemessagesareexchangedbetweentwodevices,aTCPthree-wayhandshakeisestablished.

ThefollowingdiagramshowstheTCPthree-wayhandshakeprocess:

Figure1.9–TCPthree-wayhandshake

ThefollowingisalivecaptureItookwhileusingWireshark.Lookcloselyandyou'llnoticethesender,172.16.17.14(ClientA),hassentaTCP

Synchronization(SYN)packettoadestinationaddressof172.16.17.18

(ClientB).Bydefault,ClientBrespondswithaTCPacknowledgementbutadditionallywithaTCPSYNbecauseitalsowantstocommunicatewithClient


A.Hence,aTCPSYN/ACKpacketgetsreturned.Finally,ClientAreceivestheTCPSYN/ACKpacketandrespondswithaTCPACKtoestablishtheTCPthree-wayhandshake,asshownhere:

Figure1.10–TCPthree-wayhandshakeshowninWireshark

Oncethisprocessiscomplete,whenevereachmessageisdeliveredtotherecipient,aTCPACKpacketissentbacktothesender,indicatingasuccessfuldelivery.However,ifasenderdoesnotreceiveaTCPACKresponsefromarecipientafteracertaintime,thesenderwillresendthemessageuntilaTCPACKisreceived.ThisishowTCPensuresthedeliveryofmessagesonanetwork.However,duetothehighoverheadofTCPACKpacketsonthenetwork,notallapplicationlayerprotocolsusesTCPastheirpreferredchoiceoftransportprotocol.SomeuseUDPinstead.

UserDatagramProtocol

TheUDPisaconnectionlessprotocol,knownforitsbest-effortdeliverymethods.Best-effortsimplymeanstheUDPprotocolwillsendthemessagebutwillnotprovidereassuranceduringdelivery.Thismeansthatifthemessageislostduringtransmission,UDPwillnotattempttoresendit.UnlikeTCP,itdoesnotprovideanymessagedeliveryguarantees.IfanapplicationlayerprotocolsuchasDNSusesUDPfortransportingitsmessages,thetransportlayerwill


senditofftoitsintendeddestinationwithoutanyprioritizationoranyreliabilityduringthemessage'stransmissiononthenetwork.

UnlikeTCP,UDPdoesnotprovideanydeliveryconfirmation,thoughsomeapplicationlayerprotocolspreferUDPforitslowoverheadandspeedonthenetwork.

Layer3–NetworklayerThenetworkLayer,(Layer3)isresponsibleforthelogicaladdressonthenetworkandtheencapsulationoftheIPheader,whichaddsboththesource(sender)anddestination(receiver)IPversion4(IPv4)and/orInternetProtocolversion6(IPv6)addressestothepacket.

Thislayerprovidesthefollowingfunctions:

Logicaladdressingofenddevices

Encapsulationandde-encapsulationofdatagrams

Routing(movingpacketsbetweennetworks)

TheInternetProtocol(IP)operatesatthislayer.IPisaconnectionlessprotocol,whichmeanstheprotocolitselfdoesnotestablishasessionwitharecipientbeforeattemptingtosendorreceivemessages.InasimilarwaytotheUDPoftheupperlayer(transportlayer),itisalsosentusingbest-effortmechanisms,thusprovidingnodeliveryguaranteeforIPpackets.Lastly,IPcanfunctionindependentlyfromthemediumonthenetwork(copper,fiberoptic,orevenwireless).SinceIPdoesnothaveanyreliability,theresponsibilityofensuringpacketdeliverydependsonthetransportlayer.


Furthermore,thenetworklayerprovidesthefunctionalityofdirectingtrafficflowsusingroutingprotocols,whichoperateusingtheIP.Atthislayer,routersoperateastheyhavetheabilitytoreadandunderstandIPaddressingandthecontentsofapacket.

WhenthePDUispasseddowntothenetworklayer,itisencapsulatedwithanIPv4oranIPv6headertoprovidelogicaladdressing,asshownhere:

Figure1.11–Packetheader

KeepinmindthatthesourceanddestinationIPaddressesdonotchangeduringtheirtransmissionbetweendevicesonanetwork.However,thereisoneexception:thesourceIPaddresschangeswhenitpassesaNAT-enabledrouter,whichisconfiguredtochangeaprivateIPv4addressintothepublicIPv4addressoftherouter'sinternet-facinginterface.WewillcoverNetworkAddressTranslation(NAT)inChapter9,ConfiguringNetworkAddressTranslation(NAT).

Atthisstate,thePDUiscalledaPacket.Inlaterchapters,we'lldiscussIPv4andIPv6ingreaterdetail.

Layer2–Datalinklayer


Thedatalinklayer(Layer2)oftheOSImodelisresponsibleforallowingthemessagesoftheupperlayerstoaccessthephysicalnetwork.Italsocontrolshowdataisplacedandreceivedonthephysicalnetwork(media),andithandleserrordetectionandflowcontrol.Withinthedatalinklayer,therearetwosublayers.ThesearetheLogicalLinkControl(LLC)andtheMediaAccessControl(MAC).

LogicalLinkControl

LLCencapsulatesthepacketthat'sreceivedfromthenetworklayerintoaframebyaddingaLayer2headercontainingthesource(sender)anddestination(receiver)MACaddresses.Attheendoftheframe,atrailerisadded.ThetrailerofaframecontainstheFileCheckSequence(FCS).Thedatalinklayercreatesahashvaluetorepresentthecontentsoftheframe;thisisknownastheCyclicRedundancyCheck(CRC)hashvalue.TheCRCvalueislocatedintheFCSfieldofthetrailer.Therecipientdevice(s)usethisvaluetodeterminewhethertheframewascorruptedormodifiedduringitstransmissionbetweenthesenderandthereceiver.

MediaAccessControl

Foradevicetoconnectandcommunicateonacomputernetwork,aNetworkInterfaceCard(NIC)isrequired.TheNICallowsthedevicetoestablishaconnectiontothephysicalnetwork,regardlessofwhetherthemediumiscopperorfiberopticcabling,orawirelessconnectionsuchasWi-Fi.TheNICenablesadevicetoexchangemessageswithanotherdevicewhileusingthemedia(ormedium)asthehighway.

TheMACaddressis48bits(6bytes)inlengthandispresentedintheformatof


hexadecimalvalues;thatis,0123456789ABCDEF.An

exampleofaMACaddressis12:34:56:78:9A:BC.Thefirst

24bitsoftheMACaddressareknownastheOrganizationUniqueIdentifier(OUI).TheOUIidentifiesthemanufactureroftheNetworkInterfaceCard(NIC)andthesecond24bitsareassignedbythemanufacturer.TheMACaddressisalsoknownasaburned-inaddress(BIA)sinceitishardcodedontothehardwareand,theoretically,can'tbechanged.

ThefollowingdiagramrepresentsadatagramknownastheFrame.ItcontainsbothaDataLinkHeaderandaTrailer:

Figure1.12–Frameheader

NoticethatanadditionalfieldinsertedcalledthePreamble.ThePreambleisa7-bytefieldusedonanEthernetframetoindicatethestartoftheframe,itssequencing,anditssynchronization.Beforethedatalinklayerplacesamessageonthephysicallayer,itneedstobreakitupintosmallerpiececalledbits.Eachbitwillcontaintheaddressingheaders,trailers,andthepreamble,whichcontainsasequenceforeachbit.

Thefollowingdiagramrepresentsadepictionoftwocomputers.PCAissendingsomemessagestoPCBandsincetheblocksrepresentthemessage,it


hasbeensegmentedintosmallbits.Thesearethensentacrossthenetworktotherecipient:

Figure1.13–Bitsmovingacrossthephysicallayer

Whenthebitsarereceivedonthedestinationdevice,thesequencenumbersofeachbitwillhelptherecipientreassemblethebitsintoamessage.

TochecktheMACaddressofyournetworkadaptersonaMicrosoftWindowsoperatingsystem,usethefollowinginstructions:

1. OnyourWindowscomputer,usethekeyboardcombinationWindowsKey+RtoopenRun.

2. EntercmdandclickOK.

3. TheWindowsCommandPromptwindowwillappear;enteripconfig

/alltodisplaythecurrentsettingsofallthenetworkadaptersonyour

device.

Thefollowingscreenshotshowstheoutputafterrunningtheipconfig

/allcommand:


Figure1.14–MACaddressonaWindowsdevice

OnMicrosoftWindows,thePhysicalAddressistheMACaddressoftheNIC.

Importantnote

Onsomeoperatingsystems,theMACaddressisshowninXX:XX:XX:XX:XX:XX,XXXX.XXXX.XXXX,orXX-XX-XX-XX-XX-XX

format.

Additionally,ifyouwouldliketodeterminethemanufacturerofthedevice,usethefollowingsteps:

1. Openyourwebbrowserandgotohttps://www.wireshark.org/tools/oui-lookup.html.Youcanenterthesearchtermmacvendorlookupto

discovermoreOUIlookupwebsitesontheinternet.

2. EntertheMACaddressoftheNICinthesearchfieldandstartthesearch.


https://www.wireshark.org/tools/oui-lookup.html

ThefollowingistheOUIsearchresults:

Figure1.15–MACvendorlookup

Nowthatyouknowaboutthedatalinklayer,howtodeterminetheMACaddress,andhowtoperformavendorlookup,let'stakealookatthephysicallayer.

Layer1–PhysicallayerThephysicallayer(Layer1)isusedtotransportthemessagesthatarecreatedbythehostdeviceusingnetworkmedia.Whenmessagesareplacedonthemedia,theyareconvertedintosignalssuchaselectrical,light,andradiofrequency,dependingonthemedium(copper,fiber,orwireless).Atthislayer,thePDUisknownasbits.


Networkcomponents

Inverynetworkthereissomeformofmediathat'susedtotransportmessages(signals)betweendevices.Ethernetistheunderlyingtechnologystandardthatdescribeshowmessages(signals)aretransmittedoveracableatadefinedspeed.EthernetispartofafamilyofcommunicationstandardsdevelopedbytheInstituteofElectricalandElectronicEngineers(IEEE).

Importantnote

Specifically,EthernetisdefinedbyIEEE802.3.

Furthermore,Ethernethasstandardsforbothcopperandfiberopticcablingandsupportsspeedsrangingfrom10Megabitspersecond(Mbps)to10Gigabits

persecond(Gbps).Keepinmindthatthesespeedsmayvarybasedonvariousvariables,suchasthelengthofthecable,thetypeofcable,andwhetherthesignalsaretransmittedthroughcopperorfiber.

TherearetwomaintypesofcablingthatareusedonanEthernetnetwork:copperandfiber.Inthefollowingsections,wewilloutlinethecharacteristicsofeachtypeandtheirusecases.

Coppercablingisverycheapandeasytoimplementinalmostallenvironments.Therearetwopopulartypesofcoppercables:UnshieldedTwistedPair(UTP)andShieldedTwistedPair(STP).

Importantnote

STPcablesprovideprotectionfromelectromagneticinterference(EMI)


comparedtotheUTPcable.However,duetothisaddedfeature,thecostofSTPcablesisabithigherbecauseametalshieldingisusedduringthemanufacturingprocessandthisneedstobegrounded.

Eachofthesecablescontainsatotalofeightcopperwires,eachofwhichhastheirowncolorcode,asfollows:

Green

Whiteandgreen

Orange

Whiteandorange

Blue

Whiteandblue

Brown

Whiteandbrown

Withcopper,thereareanumberofcablecategories.Thefollowingarethecharacteristicsofvariouscables:

Cat3:Containstwopairsoftwistedwiresandsupports10Mbpsata

maximumdistanceof100meters

Cat5:Containsfourpairsoftwistedwiresandsupportsupto100Mbps

atamaximumdistanceof100meters.


Cat5e:Containsfourpairsoftwistedwiresandsupportsupto1,000

Mbpsatamaximumdistanceof100meters.

Cat6:Supportsupto10Gbpsfromupto37to55meters.

Cat6a:Supportsupto10Gbpsfromupto100meters.

Cat7:Supportsupto10Gbpsfromupto100meters.

Coppercablesareallsusceptibletoattenuation.Attenuationisthelossofsignaloveragreatdistance.Inthefieldofnetworking,whenadeviceissendingasignaloverthewire,thelongerthedistancethesignalhastotravel,themorelikelythesignalwilldeteriorate(getweaker)asit'smovingalongthewire.

Nowadays,ISPsarerollingoutfiber-opticcablesbetweentheirheadofficesandtheircustomers'locationstoprovideincreasedbandwidthandotherservices.Youmaybewondering,whatisfiberoptic?Fiberuseslightpulsestoexchangemessagesintheformofbits.Theselightplusesaregeneratedusinglight-emittingdiodes(LEDs)ratherthanelectricalsignalsusedintheregularnetworkcablesweareaccustomedto.Sincefibercablesuseslightpulses,thiscreatesamajorbenefitfornetworkandtelecommunicationprofessionals.

Thecorematerialafibercableismadewithiseitherglassorplastic.Theplasticcoreischeapertomanufactureandthereforethefibercableitselfischeapertothecustomer.Additionally,itislessfragilecomparedtoacablewithaglasscore.Theglasscoreallowsforhigherthroughputduetoitslessdensematerial.Keepinmindthatneitheraglassorplasticcorecanbebent;bothcorescanbebrokeneasilywithverylightforce.

Fiberhassomebenefits;forexample,muchlargerthroughputsofnetworktraffic


canbesupported,signalscantravelalongafibercableformanykilometerswithoutexperiencingsignalloss,it'simmunetoEMIandRFI,anditallowsserviceproviderstotransportmoreservicesandbandwidthtocustomers.However,thereareacoupleofdisadvantages.Thecostoffiberisalothigherthanthecostofcoppercablesbecauseofthematerialcomposition.Also,thefragilenatureofthefiberopticcore(glassorplastic)makesthecablesusceptibletodamage.

Fiberopticcablescanoperateintwomodes:singlemodefiberandmulti-modefiber.Thefollowingarethecharacteristicsofthesetwomodes:

Single-modefiberhasthefollowingcharacteristics:

Smallcore

Suitedforlongdistances

Useslaserasthelightsource

Producesasinglestraightpathforlight

Commonlyusedtointerconnectcities

Multi-modefiberhasthefollowingcharacteristics:

Hasalargercore

Suitedforlongdistancebutshorterthansingle-modefiber

UsesLEDsasthelightsource

CommonlyusedonLANs


Allowsmultiplepathsforlight

Withthat,wehavecoveredallthelayersoftheOSIreferencemodelindetail.Now,let'stakealookattheTCP/IPprotocolwithreferencetoeachnetworklayer.

UnderstandingtheTCP/IPprotocolsuiteAsmentionedintheearliersectionsofthischapter,theTCP/IPwasdevelopedbytheUSDepartmentofDefenseandhasbeenimplementedinallnetworkingdevicessinceitsapproval.TheprotocolsuiteiscurrentlymaintainedbytheInternetEngineeringTaskForce(IETF).

UnliketheOSIreferencemodel,thenewupdatedTCP/IPprotocolsuitehasfivelayers.Thefollowingdiagramdisplaysthefivelayers,alongwiththeiralignmenttotheOSImodel:

Figure1.16–OSImodelandTCP/IPprotocolsuitecomparison


Tocompare,theupperlayersoftheOSImodel(application,presentation,andsession)areequivalenttotheapplicationlayer(Layer4)oftheTCP/IPprotocolsuite.ThetransportlayeroftheOSImodelremainsthesameforTCP/IP;however,thedatalinkandphysicallayersarealsoequivalenttoLayers1and2oftheTCP/IPsuite.

KeepinmindthatTCP/IPhasbeenimplementedinallnetwork-connecteddevices,rangingfromenddevicesandsmartphonestoserversandnetworkdevices.

UnderstandingthefunctionsofnetworkdevicesOnalmosteverynetwork,therearearangeofdifferentdevicesthatcanbefound,eachwithauniquefunctionandpurpose.Inthissection,wewilldiscussthefunctionsofvariousnetworkcomponents.Attheend,youwillunderstandtheroleseachnetworkdeviceplaystoensurewehaveend-to-endconnectivityoveranetwork.

Inthefollowingsubsections,wewilldiscussthefunctionsandfeaturesofaHub,Switch,Router,Firewall,IntrusionPreventionSystem(IPS),AccessPoint(AP),Cisco-basednetworkcontrollerssuchasCiscoDNAandWirelessLANController(WLC),andendpointsandservers.

HubsIntoday'sworld,youwon'treallyfindtoomanyHubsonenterprisenetworks.Hubsareaveryoldtypeofnetworkintermediarydevice,usedtointerconnect


computers,servers,printers,andotherenddevicestocreateanetwork.However,Hubsarenowobsoleteandarenolongerrecommendedtobeusedinanynetwork.

Let'stakealookathowHubsoperateonasmallnetwork.Firstly,Hubsaredevicesusedstrictlyforrepeatinganyincomingsignalstheymayreceiveonanyoftheirphysicalinterfaces.TogetabetterunderstandingofhowHubsforwardtrafficonanetwork,takealookatthefollowingdiagram:


Figure1.17–OperationsofaHub

Asshownintheprecedingdiagram,therearefourcomputersconnectedtoauniquephysicalinterface(port)onthehub.Inourscenario,PC1wantstosendamessagetoPC4.PC1sendsthemessagetothehubsinceit'stheintermediarynetworkdevice.Themessageissentasanelectricalsignalalongthenetworkandtothehub.Whenthehubreceivesthesignal,itrebroadcastsitoutofallotherports,excepttheincomingport.

Thismeansthemessageisalsosenttounintendeddevicesonthenetwork,whichisbothanetworkingandsecurityconcern.First,let'sunderstandtheperformanceissueswecanencounteriftherearetoomanyhubsaspartofthenetworkinfrastructure.Anysignalahubreceivesissimplyrebroadcastedoutitsotherphysicalinterfaces.Let'simaginetherearemultiplehubsbeingusedonasingleLANforabuilding,whereeachhubisusedtoextendthephysicalnetworkinordertointerconnectalldevices,suchasnetworkprinters,desktopcomputers,andservers.Eachtimeadevicesendsamessage(signal)inaHub'sinterface,itrebroadcastsitoutofalltheports.Thissamesignalwillpropagatetoalltheotherinterconnectedhubsanddothesameinthesamemanner,thuscausingunnecessarybroadcast(noise)traffic,which,inturn,willcreatenetworkcongestions.Thinkofitasaroadwaybeingfilledwithtoomanyvehicles,resultinginheavytraffic.

Thefollowingdiagramshowsthereplicationofthebroadcasttrafficthroughasmallnetwork:


Figure1.18–BroadcastmessagescreatedbyaHub

Here,wecanseethatNodeAsendsamessagetoNodeBbutthatthesignalisbeingrebroadcastthroughouttheentirenetwork.

Whatifyouhavetwoormoredevices(nodes)transmittingmessagesatthesametimeoveraHub-basednetwork?Theresultisthesameastwovehiclescolliding;


inanetwork,thisisknownaspacketscolliding,whichresultsinpacketsbeingcorrupted.Thismeanstoensurethereisalmostnocollision,onlyonedeviceshouldsendtheirmessageatatimeonthenetwork.Thiscreatesachallengebecausealltheenddevicesonthenetworkwillbefightingtousethemedium,thuscreatingacontention-basednetwork.

Toovercomesuchchallenges,Carrier-SenseMultipleAccesswithCollisionDetection(CSMA/CD)isusedtohelpenddevicessuchascomputerstodeterminewhetherthemediaisclear(available)totransmitdata(sendasignal).Let'suseareal-worldanalogytoexplainhowCSMA/CDworksonanetwork.Imaginethat,oneday,youareshoppinginthecityandyouwanttovisitvariousshopsandstores.Thereareroadwaysseparatingthem.Imaginetheroadwayisthemedia(wire)andyouhavetocrosstheroadtoreachtheotherstore.Beforecrossingtheroad,youlookbothways(leftandright)afewtimestoensuretherearenovehicles(signals)passingandthatit'ssafetocrossthestreet.Therefore,youarecheckingthemediatoensurenovehicles(signals)arepassing.Whenthemediaisclear,youproceedtowalkacrosstotheotherside(transmit).

CSMA/CDensuresadevicechecksthemediaforasignal.Ifasignalisfoundonthemedia,thedevicewaitsandtriesagainatalatertime.Ifthemediaisfree,thedeviceproceedstotransmititsmessageacrossthenetwork.

However,networkswitchesovercomethisissueanddevicesdonothavetocheckthemediabeforetransmittingtheirmessages.Inthenextsection,wewilllearnaboutthecharacteristicsofswitches.

Layer2switchesSwitchesareconsideredtobesmartdevicescomparedtohubs.Switchesare


devicesthatnetworkprofessionalsusetointerconnectenddevices(PCs,printers,servers,andsoon)andextendthenetworkinfrastructure,typicallyextendingaLANwithinabuilding.Asyoumayrecall,inahub,anyincomingsignalisrebroadcastedoutallotherports.However,withanetworkswitch,thisisnolongertheoperationalstate.Withaswitch,whenadevicewantstosendamessagetoanotherdevice,theswitchdirectlyforwardsthemessagetotheintendedrecipient.

ThefollowingdiagramshowsasmallLANwherePC1istransmittingamessagetoPC4andtheswitchforwardsthemessageonlytoPC4:


Figure1.19–Functionsofaswitch

Youmaybewondering,howisthispossible?Howdoesaswitchdeferfromahub?Howdoestheswitchdeterminewhichinterface(port)therecipientisconnectedto?Toputitsimply,switchesoperateatthedatalinklayer(Layer2)oftheOSIreferencemodel.Asyoumayrecall,atthedatalinklayer,theMACaddressesareinsertedintotheLayer2encapsulationheaderoftheframe.


SwitchesareabletoreadtheLayer2headerinformationfoundinframesandcreateatabletotemporarilystoretheMACaddressesitlearnedaboutonitsinterfaces.ThistableisknownastheContentAddressableMemory(CAM)tableinCiscoswitches.Wheneveraframeentersaswitch'sinterface,thesourceMACaddressoftheframeisstoredintheCAMtableandisassociatedwiththeincominginterface.

TofurtherunderstandhowaswitchpopulatestheCAMtable,let'simaginewehavethreePCs,allconnectedtoanetworkswitchtocreateasmallLAN,asshowninthefollowingdiagram:

Figure1.20–Devicesinterconnectedusingaswitch

Wheneveraswitchbootsup,theCAMtableisemptybecauseitscontentisstoredinRandomAccessMemory(RAM).Therefore,thecontentislostwheneverthedeviceispoweredofforrebooted.Tobegin,theCAMtableis


Figure1.21–ARPRequestmessage

EachdeviceontheLANwillreceivetheARPRequestmessageviaabroadcast(alldevicesontheLANreceivethesamemessage).Atthispoint,theswitchreceivestheARPRequestmessageonInterface1andpopulatesthesourceMACaddressontheCAMtable,asshownhere:

Figure1.22–CAMtable


OnlythedevicewhohastheIPaddressof192.168.1.30willrespondwith

anARPReply,asshownhere:

Figure1.23–ARPReply

TheARPReplymessageisaunicasttransmission(devicetodevice)andissentdirectlytoPC1.KeepinmindthattheswitchreadstheframeheaderandpopulatesthesourceMACaddressintoitsCAMtable,asshownhere:


Figure1.24–CAMtable

Additionally,theenddevicesalsohavetheirownARPcachethattemporarilyrecordsIP-to-MACbindinginformation.IftherearenomessagesbeingexchangedbetweenaMACaddressforapredefinedtimeinterval,theoperatingsystemremovesthemfromitsARPcache.OnCiscodevices,theCAMtablemaintainsadefaultinactivitytimerof300seconds(5minutes);thisvaluecan

bemodified.

Importantnote

ToviewthecontentsoftheCAMtableonaCiscoIOSswitch,usetheshow

macaddress-tablecommand.

ToviewtheARPcacheonaMicrosoftWindowsoperatingsystem,followthesesteps:

1. OpentheCommandPrompt.

2. Usethearp–acommandandpressEnter.

ThefollowingsnippetshowstheARPcache'scontentsonaWindowshostcomputeronmynetwork:


Figure1.25–ARPcacheonaWindowsmachine

ToviewtheARPcacheonaLinuxoperationsystem,usethefollowingsteps:

1. OpentheTerminal.

2. UsethearpcommandandpressEnter.

ThefollowingsnippetshowstheARPcache'scontentsonaLinux(Debian)hostcomputeronmynetwork:

Figure1.26–ARPcacheonaLinuxmachine

Inbothsnippets,wecanseethattheARPcachecontainsbothIP-to-MACaddressbindingsoftheotherdevicesthatexchangedmessages.

NowthatwehaveanunderstandingofhowLayer2switchesfunction,let'stakealookatLayer3switches.


Layer3switchesLayer3switcheshaveallthesamefunctionalitiesastheLayer2switches.However,thesedevicescomewithanadditionalfeature.TheycanreadtheinformationwithinanIPpacketheader,aswellasthesourceanddestinationIPaddresses.ThisenablestheLayer3switchtointerconnecttwoormorenetworkstogetherandallowsbasicroutingofIPpacketsbetweennetworks.

KeepinmindthatLayer3switchesdonothaveallthefeaturesofaCiscorouter.Inthenextsection,youwilllearnaboutthefeaturesandcharacteristicsofaCiscorouter.

RoutersArouterisadevicethatisusedtointerconnecttwoormoredifferentIPnetworks.ThesedevicesobservethedestinationIPaddresswithintheheaderofanIPpacket,thencheckitslocalroutingtableforanavailablepathtothedestination'snetworkwhenmakingitsdecisiontoforwardthepackettotherecipient.

SincerouterscanreadandunderstandIP.TheyareconsideredtobeLayer3devicesduetotheircapabilitiesofreadingIPinformationfrompackets.Withoutrouters,enddeviceswouldnotbeabletocommunicatewithdevicesresidingonanotherIPnetwork.ThefollowingdiagramshowstwoIPnetworks,192.168.1.0/24and172.16.1.0/16.Devicesonthe

192.168.1.0/24networkwillonlybeabletointercommunicatebetween

themselves;thesamegoesforthedevicesonthe172.16.1.0/24network:


Figure1.27–Routerinterconnectingdifferentnetworks

Toallowbothnetworkstoexchangemessages,aLayer3devicesuchasarouterisrequired.Therouterisusedtointerconnectthesetwodifferentnetworkstogether.Additionally,therouteractsatthedefaultgatewayforeachofthenetworks.ThismeansthatifPC1wantstosendamessagetoPC2,themessagemustbesenttothedoorwaythatleadstoanothernetwork.Thisistherouterinthisscenario.

Asareal-worldexample,yournetworkathomeisaprivatenetworkandusestechnologiesabitdifferentlythanthosethatareusedontheISPnetworkandtheinternet.Thefollowingdiagramshowsahomenetworkthatisconnectedtotheinternet:


Figure1.28–Internetconnectiontoahouse

Theprivatenetworkusesaverydifferentaddressspacethanwhatisusedontheinternet(publicnetwork).Toallowcommunicationbetweenthesenetworks,theISPprovidesyouwithamodem,whichhasthecapabilitiesofarouter.ThisallowstheISPnetworktointerconnecttoyourhome(private)network.Lastly,themodeminthisscenarioactsasthedefaultgatewayforallyourdevices,providingapathtotheinternet.

Nowthatyouhavelearnedaboutthefundamentalsofrouters,let'scovertheimportanceofimplementingafirewallonanenterprisenetwork.

Next-generationfirewallsandIPSAfirewallisanetworksecurityappliancethatisdesignedtofiltermalicioustraffic,bothinbound(enteringanetwork)andoutbound(leavinganetwork).Firewallshaveanimportantroletoplayinnetworksofdifferentsizes.These


appliancestypicallysitatthenetworkperimeterofanenterprisenetwork,carefullyinspectingallincomingandoutgoingtraffic,lookingforanysecuritythreatsandblockingthem.

Togetabetterunderstandingofthebenefitsofusingafirewall,let'suseasimpleanalogy.Avehiclesuchasacarhasaphysicalcomponentcalledafirewall,whichistheplacebetweenthecabinandtheengine.Thepurposeofthiscomponentisimportantintheeventoftheengineofthecarcatchingfire;thefirewallwillpreventmost(ifnotall)thefireorheatfromenteringthecabinwherethepassengersareseated.Anotheranalogyisacastlebeingsurroundedbyamoatandasingledrawbridgethatprovidespeoplewithasingleentryandexitpoint.Intheeventanopposingsidewantstoinvadethecastle,thedrawbridgecanberaised,andthemoatwillpreventtheenemyfromentering.

Itishighlyrecommendedtoimplementafirewallonyournetwork.Theinternetcontainsmillionsofusefulresources,fromtrainingvideostocookingrecipes.However,therearemanythreats,suchasmalwareandhackers,thatroamtheinternetandattempttoinfectandcompromisesystems.Thefirewallwillactasthefirstlineofdefenseagainstthesethreats.

Thefollowingdiagramshowsthetypicaldeploymentofafirewallonanetwork:


Figure1.29–Perimeterfirewalldeployment

Next-generationfirewalls(NGFW)aredesignedtobesuperiorinmanyways,suchasprotectingthenetworkandusersfromadvancedthreats,providingDeepPacketInspection(DPI),preventingransomwarefromenteringthenetwork,andhavingVirtualPrivateNetwork(VPN)features.

Afirewall,bydefault,willallowtrafficoriginatingfromtheinternalprivatenetworktogotoallothernetworks,suchastheinternet.However,anytrafficthatisinitiatedfromtheinternettotheinternalcorporatenetworkisblockedbydefault.Thefirewallusestheconceptofasecurityzonetohelpdeterminetheleveloftrustithasforalogicalnetwork.Whendeployingafirewall,thesecurityengineermustconfiguretheinterfacesofthefirewallasasecurityzonewithatrustlevel.

ThefollowingdiagramshowsthedefaultsecuritylevelforaCiscoAdaptiveSecurityAppliance(ASA)firewall:


Figure1.30–Securityzonesofafirewall

TheInsideZoneisusuallyyourprivate,internalnetwork,whichissupposedtobeafullytrustedandsafeenvironmentforalldevicesinthecorporatenetwork.Thiszonewillnormallyholdasecuritylevelof100toindicateit'safully

trustedsecurityzone.ThefirewallwillallowalltrafficoriginatingfromtheInsideZonewithasecuritylevelof100toallotherzonesthathavelower

securitylevels.Theinternetasweknowitisthemostunsafenetworkinexistence,beingfilledwithextremelymaliciousmalwareandhackers,sotheinternetisusuallyassignedasecuritylevelof0asaZeroTrustzone.Anytraffic

thathasbeeninitializedfromtheinternettotheInsideZonewillbeblockedbydefaultonthefirewall.However,keepinmindthatifauserontheInsideZonehasinitializedaconnectiontotheOutsideZone,thefirewallwillallowitbydefault,andifthereisanyreturningtraffic,thefirewallwillallowitaswell.For


example,asyouopenawebbrowsertovisitwww.google.com,thefirewallwillallowtheHTTPGETmessagetothewebserver,andthenthewebserverwillsendaresponsebacktheuser'scomputer.Inthiscase,thefirewallwillonlyallowthereturningtraffic.

Importantnote

Pleasenotethatthesecurity-levelschemesmentionedinthisbookarebasedontheCiscotechnologies.

TheDemilitarizedZone(DMZ)isasemi-trustedzonethat'sattachedtothefirewallonthecorporatenetwork.ThiszoneiscreatedtoplaceserversthatareaccessiblefromtheinternetandtheInsideZone.ThefollowingaresomeguidelinesforcreatingaDMZonyournetwork:

ThetrafficinitiatingfromtheDMZshouldnotbeallowedtoaccesstheInsideZone.

RulesshouldbecreatedonthefirewalltoallowspecifictraffictoflowtotheserverswithintheDMZonly.Ifthereisawebserver,thenincomingHTTPandHTTPStrafficshouldbesentonlytothewebserver.

EnsuretrafficinitiatingfromtheInsideZonecanaccesstheDMZ.

Lastly,thesecurityleveloftheDMZshouldbebetweenthevalueoftheInsideandOutsideZones.However,withinanorganization,theremanymultipletrustedzonesthathaveasecuritylevelcloserto100.Theremaybeadditional

trustedzones,sotheDMZshouldhaveasecuritylevelof50.


http://www.google.com

IntrusionPreventionSystemsAnIntrusionPreventionSystem(IPS)isacomponentthatisusedtodetectandblockmalicioustraffic.Inatraditionaldeployment,theIPSapplianceusuallysitsinlineofallincomingtrafficandbehindthefirewallonthenetwork.ThistypeofdeploymentensurestheIPScaninspectalltrafficasitpassesthroughtheappliance.

ThefollowingdiagramshowsthetraditionalIPSdeploymentmodelonanetwork:

Figure1.31–TraditionalIPSdeployment

TraditionalIPSappliancesaredeployedbehindthefirewallwithinthecorporatenetwork.Theirpurposeistoinspectanytrafficandcatchbothsuspiciousandmalicioustrafficthefirewallmayhavemissed.Yearsago,theIPSappliancewasaseparatephysicaldevice.However,withtheadvancementoftechnologiesandinnovation,CiscohasintegratedtheIPSintotheirnext-generationfirewall


appliancesasamodule.ThebenefitsofthisarealessphysicalapplianceandafirewallinterfacethatprovidesasinglemanagementdashboardforboththeCiscoIPSandfirewallall-in-oneappliance.ThisallowsafirewalladministratortoenabletheIPSfeaturewiththeuseofalicensekeyprovidedbyCiscosystems.

Next-generationIPS(NGIPS)inspectsandfilterstrafficabitdifferentlytoafirewall.TheIPSdownloadsadatabaseofmalwaresignaturesfromTALOS,Cisco'sSecurityIntelligenceandResearchGroup.Itusesthisinformationtocloselyinspectalltrafficflowingthroughittoidentifyanymalicioustraffic.Additionally,theIPScanbemanuallyconfiguredwithpredefinedrulescreatedbyasecurityengineer.Itcanalsoautomaticallylearnthebehaviorofthenetworktocatchabnormaltraffictypes.TheawesomebenefitofhavinganIPSonanetworkisthatifitdetectsanymalicioustraffic,itcanstopitinreal-time,preventingtheattack.

Tip

Ifyou'reinterestedinbuildingyourownIPSdevice,checkoutSnortatwww.snort.org.Snortisanopensourceintrusionpreventionsystemapplication.

Ontheotherhand,IDSesareconsideredtobereactivedevicescomparedtoIPSes.AnIDSisconfiguredtoreceiveacopyofthenetworktraffic,detectsecuritythreats,andsendalerts.IDSesarenotimplementedin-linewithnetworktraffic,sotheydonothavethecapabilitytostopanattackasithappensonanetwork.Furthermore,theIDSonlysendsanalertafteranattackhashappened,whichmakesitreactiveinnature.

NowthatwehavelearnedaboutthefunctionsoffirewallsandIPSes,let'stakea


http://www.snort.org

lookatadevicethatallowsustoextendawirednetworkintoawirelessone.

AccessPointsAnAccessPoint(AP)isadevicethatallowsyoutoextendawirednetworkintoawirelessfrequency,allowingwireless-compatibledevicestoconnectandaccesstheresourcesonthewirednetwork.

Thisprovidesmanybenefits,suchasthefollowing:

Increasesthemobilityofusersandroamingwithinacompound

Reducestheneedforphysicalcabling

Increaseseaseaccesstoanetwork

WirelessAPsuseawirelessradiofrequency,whichisbroadcastfromtheAPusingthe2.4GHzand/or5GHzchannels.ThisallowsmobiledeviceswithacompatiblewirelessNICtolistenonthesefrequenciesandconnecttoanAP.Mostcommonly,the2.4GHzAPsarefoundalmostoneverywirelessnetworkduetothefactitwasthefirsttypeofAPproducedandalotoforganizationsandhomeusersinvestedinthetechnology.

Importantnote

The2.4GHzchannelprovidesalowerfrequencyandgivesagreaterdistance.

Astherearesomanybuildingandhomesequippedwitha2.4GHzAP,the

radioairwaysof2.4GHzarenowaverysaturatedspace,whereeachdeviceis

tryingtotransmittheirdatatoclientswithoutcausinginterference.Thishas


becomealmostimpossiblenow.The2.4GHzbandusesatotalof11channels;

however,itisrecommendedtousechannels1,6,and11toensurethereisno

overlapping.

Thefollowingdiagramshowstherecommendedcleanchannelsofthe2.4GHz

channels:

Figure1.32–Wirelesschannelsrange

However,eventhisrecommendationisnolongerbeneficial.AnAPcanbeusingchannel2,4,oreven8,whichwillcreateanoverlap(interference)betweenthe

recommendchannels(1,6,and11).

The5GHzfrequencyprovidesalotmorechannels,thuscreatingless

interferenceamongnearbyAccessPointsthatareoperatingonthe5GHz

frequency.Thedownsideofusing5GHzistheshortdistancethesignalcan

travel.However,thismaybeabenefit.Let'simaginethatacompanywithmultiplefloorsintheirbuildingaredeployingthe5GHzfrequencyAccess

Points;becausethe5GHzfrequencytravelsmuchshorterdistances,thismeans


thepossibilityforoneAP'ssignaltointerfere(overlap)withanotherAPwhoisusingthesamefrequencyhasbeenreduced.

Importantnote

Inlaterchaptersofthisbook,wewilldiscusswirelessarchitecturesinmoredepth.

HavingcoveredthepurposeofusingAccessPoints,let'stakeourdiscussionabitfurtheranddescribehowtoimprovethemanagementofourcorporatewirelessnetwork.

CiscoWirelessLANController(WLC)WirelessLAN(WLAN)issimplydefinedasawirelessnetworkcontainingeitherasingleAccessPointathomeforpersonaluseoranorganizationcontainingmultipleAccessPointstoprovidewirelessconnectivitybetweenemployees'mobiledevices(smartphones,tablets,andlaptops)andthewirednetworkinfrastructure.Withtheincreaseofwirelessnetworking,alotofcompaniesareimplementingaBring-Your-Own-Device(BYOD)policytoensureanacceptablelevelofsecurityisestablishedandmaintained.However,fornetworkengineers,thismeansthewirelessnetworkneedstobeabletosupportthelargenumberofportabledevicesthatareconnectingandexchangingmessagesontheWLAN.

ThiswillresultinnetworkprofessionalshavingtoimplementarobustwirelessnetworkwithmultipleAPsthroughouttheorganization,oneachfloorandroomwhereawirelesssignalisneededorrequired.Let'simaginethatourfictionalcompany,ACMECorp,owna10-storeybuildingandthatthenetwork


administratorshavetoimplementAccessPoints.OnekeyaspectistomaintaintheconsistencyofeachAP'sfirmware,configurations,andsecuritysettings.Imaginethat,afterthedeploymentofthewirelessnetwork,thenetworkadministratorhastomakeachangeontheWLANthatwillaffectallAccessPoints.It'sdefinitelynotefficienttologintoeachAccessPointandmanuallymakethechangesinthedevice'sconfigurationasthisistime-consumingandpronetohumanerror.

AWLCallowsasinglemanagementinterfacefortheentirewirelessnetwork.ThisdeviceenablesyoutocontrolanynumberofAPsonanetwork.Therefore,youcansimplylogintoaWLCandconfiguretheentireWLAN,providingacentralizedmanagementplatformfornetworkprofessionals.Inlaterchapters,wewillcovervariousdeploymentmodelsforAccessPointsandwirelessLANcontrollersinmoredetail.

EndpointsandserversSofar,wehavebeentalkingaboutintermediarydevicesthatconnectustoanetworkandtheinternet.However,wemustnotforgetaboutthesimpleyetcooldevicesthatallowustocommunicateonanetworkandprovideresourcestoothers:endpointsandservers.

Serversaredevicesthatrunspecializedapplicationsthatenablethemtoprovideresourcestousersonanetwork.Togetabetterideaofthefunctionalityofaserver,let'simagineyouworkforasmallbusinesswithapproximately30employees,allresidinginasinglebuilding.Eachemployeehastheirowncompany-issuedlaptopordesktopcomputerfittedwithalltherelevantsoftwareapplicationsforeachpersontocompletetheirdutiesefficiently.Eachday,


employeesmaybecreatingnewdocumentsandfilesthathavetobesharedwithothersintheorganization;however,emailingeachfiletoauserorgroupmaynotalwaysbethebestwaytoefficientlycollaborateonaproject.

Inthiscase,acentralizedfileservercanbesetupwithinthecompany'snetworktoallowvariouspersonsorallemployeestocentrallystoretheirwork-relatedfilesonthefileserver,ratherthanstoringthemlocallyontheircomputers(endpoints).Inthisscenario,theserverishostingfilesfortheorganizationortheclient(endpoint)devicestoaccess.

Keepinmindthatclientdevices(endpoints)areusuallydevicesthatareconnectedtoanetworktoaccessaresource.Thesemightbelaptops,smartphones,tabletcomputers,desktopcomputers,andsoon.

CiscoDNATheCiscoDigitalNetworkArchitecture(DNA)isanIP-basedsoftwaresolutiondesignedbyCiscoSystemstoprovideengineerswithapplicationstheycanusetomanage,automate,andgatherintelligenceanalytics,aswellasmonitorsecurity,onaCisconetworkacrossmultipledevicesandplatforms.

NetworktopologyarchitecturesOneofthetasksyoumayhavetoperformasanetworkengineeristodesignanoptimalnetworkforacustomer.Howdowegetstartedwithplanninganddesigninganetwork?Togetstartedwithsuchatask,youneedtodeterminesomeimportantkeydetailsaboutthecustomer'sneeds.Thefollowingaresomekeyguidelinestohelpyouplanyournetwork:


Meetwiththecustomertodeterminetheirneedsandexpectations.

Understandthebudgetthecustomerhasplannedforthesolution.

Ensureyourteamhastherightskillsetandcertifiedprofessionalstoworkontheproject.

Determinethetypeandquantityofthenetworkingdevicesrequiredfortheimplementation.

Importantnote

Pleasenotethatthesearejustafewtypicalquestions;yourplanningphaseshouldnotbelimitedtothepointsmentionedhere.

Thefirstpointisveryimportant.Asaprofessionalinthefield,youdonotwanttoassumeanythingaboutthecustomer'sneeds.Ensureyouhaveaproperdiscussionandtakenoteofexactlywhatthecustomerneedsandtheirexpectations.Ifyouthinktheserviceorsolutionshouldbeaddedontowhatthecustomerneeds,suggestittothecustomer,providingitsprosandcons,andgathertheirfeedback.

Ensureyouunderstandthebudgetfortheprojectbeforechoosingthetypeorquantityofnetworkequipmenttopurchase.Todeterminetherightdevice(s)topurchase,usethefollowingstepsasaguide:

1. GotoCisco'swebsiteatwww.cisco.com.

2. NavigatetoProducts|Networking.Here,youwillseesubcategoriessuchasSwitches,Wireless,Routers,andsoon.



3. SelectSwitches.UnderProducts,youwillseethatCiscohasmadeitsimpleforustodeterminethetypeofnetworkswitchbasedonitspurposeonanetwork.You'llseethattherearenetworkswitchesforLANAccess,DistributionandCoreswitches,DataCenter,andevenSmall-businessswitches.

4. ClickonCatalyst1000Series.Whenthenewpageloadsup,clickonModels.Here,youwillseeanoveralldescriptionofeachmodelbelongingtotheCatalyst1000lineofproducts.However,yourresearchdoesnotstophere.

5. ScrolldownuntilyouseetheResourcesection.YouwillseetheDataSheetforthemodels;clickonit.TheDataSheetprovidestheexactspecificationsforavarietyofdeviceswithintheproductfamily.Itprovidesthetypeandnumberofphysicalinterfaces,unlinkcapacity,bandwidthcapacity,andthephysicaldimensionsandweightofthedevice.

Usingthesameconcept,otherdevicessuchaswireless,routers,andfirewallswillbeveryusefulasyoudeterminetherightmodelofdevice(s)neededforthedeploymentofaproject.

Youmaybewondering,whatabouttheactualnetworkdesign?Dowedesignallnetworksfromthegroundup?Whatmakesournetworkdesignoptimal?Toanswerallthesequestions,theexpertsatCiscoSystemshavecreatedaDesignZonecontainingtonsofDesignGuides.TheseareknownasCiscoValidatedDesign(CVD)guides.

Importantnote


CiscoValidatedDesigncanbefoundathttps://www.cisco.com/c/en/us/solutions/design-zone.html.

KeepinmindthatthereisaCVDforalmosteverytypeofnetworkanddeploymentforvarioustypeofindustries.Thesedesignguideswillprovideyouwithguidance,recommendeddevices,designmodels,andfulldescriptionsoftheirsolutions.Suchdesignguideseliminatetheneedtoreinventthewheelwhenthereareexpertswhohavealreadycreatedbothapprovedandaccrediteddesigns.

Ciscohascreatedbotha2Tierand3Tiernetworkarchitecture,whichisrecommendedforenterprisenetworks.Inthefollowingsections,wewilldiscusseachofthesearchitecturesingreaterdetail.

2TierWhendesigningaLANforabuildingoranorganizationthathasmultiplebuildingsneareachother,weareindeeddesigningacampusLAN.WithinacampusLAN,therearemultiplenetworkswitchesthatareallinterconnected.Sometimes,intheindustry,youmayseenetworkswitchesinterconnectedinafashionofchainingoneswitchtoanother.Thisisreferredtoasdaisychainordaisychaining.

Thefollowingdiagramshowsmultipleswitchesinadaisychainmodel:


https://www.cisco.com/c/en/us/solutions/design-zone.html

Figure1.33–Daisychaining

ForITprofessionals,thismaybeaworkableapproachtoextendtheirlocalareanetworkswithinabuilding.However,amajordisadvantagetousingsuchadesignisthatthereisnoredundancyintheeventacableordevicefails.Afaultcableorswitchwithinthedaisychaincancauseadisruptioninnetworkoperations,whichwillaffectallthedevicesthatareconnectedtothefaultysegment.Hence,suchpracticesarenotrecommendedwhendesigningacampusLAN.

Whendesigninganetwork,ensureitishierarchicalwhencreatingvarioustierstohelpyouunderstandtherolesofeachdeviceinthenetwork.Ensurethatthedesignismodularandimprovesthenetwork'sscalability,allowingyoutoexpandthenetworkanditsserviceseasily.Considerimplementingresiliencyandflexibilitytoensuretheuserhasagreatexperiencewhiletheyexecutetheirdailytasksintheorganization.Inotherwords,youdon'twantyouruserstoexperienceanetworkfailurethatwilldisruptdailytransactions.Lastly,flexibilitywillensuretrafficisdistributedbetweenpathsanddevicesefficiently.

Importantnote


InSection5,SecurityFundamentals,wewillcovervarioussecuritytopicsandtechniqueswecanusetoimprovethesecuritypostureofaCisconetwork.

ThisiswheretheCisco2TierarchitecturecomesintosavethedaywhendesigningaLANforabuilding–acampusLAN.Thisdesigncreatestwolayersofswitches:thedistributionlayerandtheaccesslayer.

Theaccesslayerprovidesameansofconnectingenddevices(computers,servers,printers,andsoon)tothenetwork.Attheaccesslayer,thereisnoformofredundancybetweentheenddeviceandtheaccesslayerswitch;thisisduetomostenddevicesusuallyhavingonlyasingleNICforLANconnectivity.However,eachaccesslayerswitchisconnectedtotwoormoredistributionlayerswitches,thusprovidingredundancytotheremainderofthenetwork.

Tip

ToseetheCiscoAccesslayerswitches,pleasevisitthefollowingURL:https://www.cisco.com/c/en/us/products/switches/campus-lan-switches-access/index.html.

ThefollowingdiagramshowstheCisco2Tierarchitecturewithinabuilding(campusLAN):


https://www.cisco.com/c/en/us/products/switches/campus-lan-switches-access/index.html

Figure1.34–Cisco2Tierarchitecture

InaCisco2Tierarchitecture,thedistributionlayerisknownastheCollapsedCore.Thedistributionlayerisresponsibleforthefollowingrolesandfunctions


onacampusLAN:

ProvidingQualityofService(QoS)toprioritizenetworktraffic

AccessControlLists(ACLs)tofilternetworktraffic

Basicroutingfunctions

ThedistributionlayeralsoprovidesredundancyforinterconnectingmultipleaccesslayerswitchestoexpandthecampusLAN.

Tip

TofindoutmoreabouttheCiscodistributionlayerswitch,pleasevisitthefollowingURL:https://www.cisco.com/c/en/us/products/switches/campus-lan-switches-core-distribution/index.html.

KeepinmindthattheCisco2Tierarchitectureistypicallyusedwithinabuilding.Thisbringsaboutthequestion,howdoweinterconnectmultiplebuildingsthateachhaveaCisco2Tierarchitecture?Onemethodistosimplyinterconnectthedistributionswitchesofonebuildingwithanother.

Thefollowingdiagramshowsmultiplebranchesinterconnectedusingthe2Tiermodel:


https://www.cisco.com/c/en/us/products/switches/campus-lan-switches-core-distribution/index.html

Figure1.35–MultiplecampusLANs

Asyoumayhavenoticed,eachdistributionlayerswitchisconnectedtoeachotherdistributionlayerswitchineachofthecampusLANs.Asthenetworkgrowsandmorebranchoffices(campusLANs)arecreated,therewillbetoomanyinter-branchconnectionsandthedesignwillnotbeefficient.


Tosolvethisissue,Ciscohavedesigneda3Tierhierarchicalmodel.

3TierIntheCisco3Tierarchitecture,therearethreelayers.Thereisnowacorelayer.Thecorelayerisdefinedasthehigh-speedbackboneofthenetwork.Thesecorelayerswitchesareusedtoforwardtrafficasquicklyaspossiblebetweennetworks,whicharegeographicallyseparated.Toputthissimply,thecorelayerswitchesareusedtointerconnecteachcampusLANtotheothersinamoreefficientway.

ThefollowingdiagramshowsasimplifiedversiontheCisco3Tiermodel:


Figure1.36–Cisco3Tierarchitecture

Thecorelayerplaysavitalroleinanenterprisenetwork.Togetabetterideaofhowtheconnectionsaremadeinareal-worldscenario,let'stakealookatthefollowingdiagram:


Figure1.37–Cisco3Tierarchitectureinterconnectingmultiplebranches

Asyoucansee,therearethreecampusLANs(branches).EachcampusLANhasitsownaccesslayerswitchesthatallowsenddevicestoaccessthenetwork.Thereisthedistributionlayer,whichprovidesredundancytotheaccesslayer,


viamultiplepathstoeachenddevice.

Importantnote

Inthe2Tierarchitecture,thecollapsedcoreplaystheroleofboththedistributionandcorelayersasone.

ThecorelayerensureseachcampusLAN(branch)isinterconnected.Ifabranchhastosendnetworktraffictoanotherbranchoffice,thetrafficgoesuptothedistributionlayerandthentothecorelayerforforwarding.Additionally,thecorelayerconnectstotheroutersoftheenterprisenetwork.TheseroutersprovideinternetandWANconnectivity.

TheCisco3Tierhierarchyhasthefollowingbenefits:

Improvesnetworkperformance

Improvesthescalabilityofthenetwork

Createsbetterredundancybetweenpaths

Improvesnetworkmanagement

ThefollowingisasummaryofthefunctionsandcharacteristicsofeachlayeroftheCisco3Tiermodel:

Thecorelayeristhehigh-speedbackboneofthenetwork.Theseswitchesareusedtoforwardtrafficasquicklyaspossiblebetweennetworks,whicharegeographicallyseparated.

Thedistributionlayerisresponsibleforprovidingaboundaryby


implementingaccesscontrollistsandothertypesofapplicationfiltersandpolicies.ThedistributionlayerismadeupofLayer3switches.

Theaccesslayerisusedtointerconnectenddevicessuchascomputers,printers,andservers.

Havingcompletedthissection,youarenowabletoidentifythefunctionsandpurposesofeachlayerofboththeCisco2Tier(collapsedcore)and3Tierarchitectures.

SummaryInthischapter,welearnedabouttheevolutionofnetworkingandhowtheinternetcameintoexistence.Then,welearnedabouttwoimportantprotocolmodels:theOSIreferencemodelandtheTCP/IPprotocolsuite.However,onlyTCP/IPisimplementedondevices,whichallowsmessagestobeexchangedacrossanetwork.Furthermore,welookedattherolesandfunctionsofvariousnetworkingcomponentsandhowtheyforwardmessagesbetweendevices.Lastly,wecoveredtheessentialsoftheCisco2Tierand3TierarchitecturesindetailtohelpyouunderstandhowtodesignacampusLANforanorganization.

IhopethischapterhasbeeninformativeforyouandthatitwillbehelpfulinyourjourneytowardlearninghowtoimplementandadministrateCiscosolutionsandpreparingfortheCCNA200-301certification.Inthenextchapter,GettingStartedwithCiscoIOSDevices,wewilllearnhowtoaccessandconfigureCiscoIOSdeviceswhilebuildingasmallnetwork.

Questions

Here'sashortlistofreviewquestionstohelpreinforceyourlearningandhelp


youidentifygapsinyourknowledge:

1. WhichlayeroftheOSIreferencemodelisresponsibleforencapsulatingthephysicaladdressofadevice?

A.Internet

B.Datalink

C.Network

D.Link

2. AnemployeeusesMicrosoftOutlookontheirclientPCtosendandreceiveemailsto/fromothers.WhichisthehighestlayeroftheOSImodel?

A.Presentation

B.Internet

C.Session

D.Application

3. Thephysicaladdressofadeviceismadeupofhowmanybits?

A.32

B.42

C.48


D.52

4. WhichlayeroftheTCP/IPprotocolsuiteisresponsibleforcomputingthechecksum(hash)anddeterminingwhetheraframeisdamaged?

A.Networkaccess

B.Datalink

C.Physical

D.LLC

5. InwhichlayeroftheTCP/IPprotocolsuitedoesroutingoccur?

A.Network

B.Internet

C.Router

D.Datalink

6. WhatdoesaCiscoswitchusetomakethedecisiontoforwardamessageacrossanetwork?

A.DestinationIPaddress

B.DestinationMACaddress

C.SourceMACaddress

D.SourceIPaddress


7. WhichnetworkprotocolisusedtoresolvetheMACaddresstotheIPaddressofahostonthesamelocalareanetwork?

A.ARP

B.HTTP

C.TCP

D.UDP

8. Whichdeviceisusedtoextendanetworktoanotherroomorfloorofabuilding?

A.Router

B.Firewall

C.Switch

D.Hub

9. WheredoesaCiscoswitchstoreMACaddresses?

A.RAM

B.HDD

C.ROM

D.CAM

10. WhichlayeroftheCiscoCampusLANarchitectureisresponsiblefor


interconnectingdifferentbranchoffices?

A.Router

B.Core

C.Distribution

D.Access

E.Alloftheabove

FurtherreadingThefollowinglinksarerecommendedforadditionalreading:

TCP/IPoverview:https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/linked/tcpip.htm

Cisco3Tierarchitecture:https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/campover.html

Understandingnetworkportnumbers:https://hub.packtpub.com/understanding-network-port-numbers-tcp-udp-and-icmp-on-an-operating-system/


https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/linked/tcpip.htm

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/campover.html

https://hub.packtpub.com/understanding-network-port-numbers-tcp-udp-and-icmp-on-an-operating-system/

Chapter2:GettingStartedwithCiscoIOSDevicesYoumustbethrilledtostartyourjourneyoflearningaboutCiscotechnologies,especiallylearninghowtoimplementandadministerCiscosolutionsinanenterpriseorganization.Oneofthekeycomponentstoensureyoursuccessisgainingalotofhands-onexperiencewithtechnologies.Thishands-onexperiencewillhelpyougrasptheconceptswe'llbetalkingabouteasily,whiledemonstratingtheeffectofconfigurationsduringtheimplementationphases.However,amajorchallengeformostbeginnersisgettinghands-onexperienceduringtheirlearningandexaminationpreparationphases.AnotherconcernisgettingaccesstoCiscoequipmentafterclassroomtraininghoursorevenwhenatrainingsessionhasended.

Tosolvethesechallenges,IamdedicatingthischaptertodemonstratehowtobuildaCiscolabenvironmenttogetthehands-onexperienceyouneed,atyourconvenience.


BuildingaCiscolabenvironment

GettingstartedwithCiscoIOSdevices

AccessingaCiscoIOSdevice

ConfiguringtheCiscoIOS

Performingtroubleshootingprocedures


TechnicalrequirementsTofollowalongwiththeexercisesinthischapter,pleaseensurethatyouhavemetthefollowinghardwareandsoftwarerequirements:

Core:

Acomputer

PuTTY

Virtuallabenvironment:

CiscoPacketTracer7.3.0

GNS32.2.5

GNS3VMserver2.2.5

VirtualBox6.1

VMwareWorkstation15Pro(optional)

CiscoIOSv

CiscoIOSvL2

CiscoCSR1000v(optional)

Physicallabenvironment:

Cisco2911routers


Cisco2960switches

1xCisco3560switchorCisco3650switch

1xCiscoconsolecable

1xRS-232toUSBconvertercable

Afewnetworkpatchcables(straight-throughandcrossover)

Thecodefilesforthischapterareavailablehere:https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2002.

CheckoutthefollowingvideotoseetheCodeinAction:https://bit.ly/360Odeo

BuildingaCiscolabenvironmentIt'sveryimportanttogetalotofhands-onpracticewhenpursuingatechnicalCiscocertification.Youcandothisbylabbingupeverything,wherebyyoupracticebyputtingeverythingyou'velearnedforthecertificationinpracticelabsalongtheway.

Inthefollowingsections,youwilllearnaboutthevariousmethodsofbuildingaCiscoenvironmentusingbothvirtualandphysicalequipment.

CiscoPacketTracerYoumaybewondering,whatisCiscoPacketTracer?Yearsago,CiscoSystemscreatedtheirownonlinelearningplatformusingavarietyofe-learningand


https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2002

https://bit.ly/360Odeo

collaborationtoolsforsomeoftheircertificationprograms.Indoingso,theyalsocreatedaverylightweightnetworksimulatortoolthatallowsuserstobuild,design,andtroubleshootaCiscoenterprisenetwork.ItspurposeistoallowstudentstosharpentheirskillsetwhilelearningandpreparingfortheCCNAcertification.

Justafewyearsago,theCiscoNetworkingAcademyreleasedCiscoPacketTracertotheinternet,allowingeveryonetoofficiallydownloadandinstalltheapplicationontheirpersonalcomputers.However,now,youmustenrollintheCiscoNetworkingAcademy'sIntrotoPacketTraceronlinecourse.

Tip

TheIntrotoPacketTracercourseisdesignedtoteachyouallaboutthefunctionalityandoperationsoftheapplicationasalearner.Enrollingisbeneficialasthecoursewillshowyouhowtosimulatereal-worldnetworkingenvironmentsusingCiscosolutions.

Isitbetterthanothernetworksimulators?CiscohasdesignedCiscoPacketTracerasalightweightnetworksimulationapplicationthatallowslearnerstosharpentheirskillsetattheCCNAlevel.ThesimulatorisnotperfectcomparedtoaphysicalCiscoIOSswitchorrouter,butitprovidestheenvironmentyouneedtoconfigureandtroubleshootnetworkswithinitsinterface,allowingyoutosavemoneyonpurchasingphysicalequipment.

WhyuseCiscoPacketTracerratherthanphysicalequipment?Whileit's,ofcourse,preferabletousephysicalequipment,wemustrememberthatphysicaldevicescostmoneyandnoteveryonehasabudgettosupportthiscost.YoucandefinitelygetusedandrefurbishedCiscodevicesfromvariousonlineretailers,


butwhenpurchasingsuchequipment,keepinmindthatyouwillnotabletoupdatetheInternetworkOperatingSystem(IOS)onthosedevicesinfuturewithouthavingaservicecontractorvalidlicensingdetailsfromCiscoSystems.CiscoIOS15hasmanynewerfeaturescomparedtoCiscoIOS12andprior.Therefore,CiscoPacketTraceristhemostefficientmethodingaininghands-onexperience,allowingyoutoputalmosteverythingattheCCNAlevelintolabs.

IfyouareconcernedwithwhethertheconfigurationsusedwithinthedevicesinCiscoPacketTracermaybedifferentfromthoseusedonthephysicalequipment,don'tworry–theconfigurationsareexactlythesame.

OneofthecoolthingsIlikeaboutCiscoPacketTracerisitsabilitytobuildanetworkandcopydeviceconfigurationsfromtheapplication,andthensimplypastethemontothecommand-lineofaphysicalCiscoIOSdevicethat'sthesamemodel.Thephysicaldevicewillaccepttheconfigurationsseamlessly.

TogetyourhandsontheCiscoPacketTracerapplication,usethefollowinginstructions:

1. Gotowww.netacad.com.

2. ClickonCoursestoexpandthedrop-downmenu.Then,selectPacketTracer.

3. Scrolldownuntilyouseetheonline,self-pacedcoursecalledIntrotoPacketTracer.Clickonit.

4. ClickonSignuptoday!.

Anewenrollmentpagewillopen.Besuretocompletetherequiredfieldstoregisterforthecourse.


http://www.netacad.com

5. Onceyouhaveenrolled,logintowww.netacad.comusingyournewlycreatedusernameandpassword.

6. ClickonResourcestoexpandthedrop-downmenu.Then,clickonDownloadPacketTracer,asshowninthefollowingdiagram:

Figure2.1–Drop-downmenuoftheResourcepage

7. Next,theCiscoPacketTracerdownloadpagewillopen.Downloadtheversionspecifictoyouroperatingsystemandinstallitusingallthedefaultsettings.

NowthatyouhaveCiscoPacketTracerinstalledonyourcomputer,gothroughtheIntrotoPacketTraceronlinecourseasitcontainsalotofhelptutorials,tips,andtrickssothatyoucangetthemostoutoftheapplicationasalearner.

TogetstartedquicklywithCiscoPacketTracer,usethefollowingsteps:


http://www.netacad.com

1. OpenCiscoPacketTracer.

2. Inthebottom-leftcorner,youwillseetwoshortrowsoficons.Theupperrowcontainstheparentcategoryofthenetworkcomponents,whilethelowerrowcontainsthesubcategories.Thefollowingimageshowstheparentcategory:

Figure2.2–CiscoPacketTracerdevicecategory

3. Clickoneachparentcategory,thusdisplayingthesubcategoryinthesecondrow,asshowninthefollowingimage:


Figure2.3–SubDeviceCategory

4. Uponselectingasubcategory,you'llseesomeCiscodevicesappear,asshowninthefollowingimage:

Figure2.4–NetworkdevicesinCiscoPacketTracer

5. Toaccessadevice,selectaCisco2911modelrouteranddragittothemainlayoutinCiscoPacketTracer.

6. Next,selecttheEndDevicescategoryanddragaPContothelayout.


7. SelecttheConnectioncategory(theonewiththelightningboltsymbol)andselecttheconsolecable.

8. ClickonthePC.Alistofavailableportswillappear.Fromhere,choosetheRS-232port.

Importantnote

WewilldiscusstheimportanceoftheconsolecableandtheRS-232portintheAccessingaCiscoIOSdevicesection.

9. Then,dragthecabletotherouter.After,clickandselecttheConsoleport.

ThefollowingdiagramshowsthetypicalconnectionthatwehaveestablishedwithinCiscoPacketTracer:

Figure2.5–PCtorouterwithinCiscoPacketTracer

10. ToaccessthecommandlineoftheCiscoIOSrouter,clickonPC.SelectDesktop|Terminal,asshownhere:


Figure2.6–TerminalwithinCiscoPacketTracer

11. TheTerminalapplicationwillopenlikeso.ClickonOKtoaccesstheCLI:

Figure2.7–Terminalsettings

Next,youwillseethattheCiscooperatingsystemisdecompressingandthatthe


deviceisbooting.

ThefollowingimageshowstheuserinterfaceforCiscoIOSdevices:


Figure2.8–Command-lineinterface(CLI)ofaCiscoIOSdevice


NowthatyouhaveanideaofsettingupCiscoPacketTraceronyourpersonalcomputer,let'slearnhowtouseamorerobustapplicationtoemulateCiscodevices,appliances,andenddevices.

VirtualCCNALabGraphicalNetworkSimulator3(GNS3)isanemulatorformanynetworkandsecurityappliances.Itusestheofficialoperatingsystemsandfirmwareofdevicesandcreatesavirtualizedenvironment.Thisallowsyoutoruntherealoperatingsystemsofvendordevicesonyourlaptopordesktopcomputerwithouthavingtopurchasephysicaldevices.Additionally,youcanhaveaportable,software-basednetworkinglabenvironmentonthego.

WhyisGNS3betterthanCiscoPacketTracerorphysicalequipment?It'sconvenienttohavevirtualizationnetworksandsecuritydevicesrightonyourdesktopcomputer.ThebenefitofusingGNS3isthatitallowsyoutoinstalltheofficialCiscooperatingsystemsintoitsapplication,whichmeansyouwillbeabletoaccessthefullfunctionalityofthevirtualCiscorouter,switch,andfirewalldevices.

Theonlydownsidetousingvirtualizationtechnologiesisyou'llneedtohaveagoodCPUthatsupportsvirtualizationandasufficientamountofRAM.Whenyoustartavirtualmachine,inourcase,it'llbeavirtualapplianceordevice.TheyusethesameamountofRAMasaphysicaldevice.ThismeansthatifaCiscoIOSrouteruses1GBofRAM,avirtualCiscorouterwithinGNS3will

mostlikelybethesame.

AnotherdownsideofusingGNS3isthatyouwillneedtouseofficialCiscoIOSimageswithinGNS3.UnlikeCiscoPacketTracer,whichisasimulated


environment,GNS3createsanemulatedworkingenvironmentforofficialoperatingsystems.

Importantnote

CiscoIOSimagescanbeobtainedfromCisco'swebsiteifyouhaveaservicecontractthatallowsimagedownloads,youhaveavalidlicenseagreementfromCiscoSystems,oryoupurchasethemdirectlyfromCisco.

However,thebenefitofusingGNS3isthatyougetveryclosetothereal-worldexperienceoftheactualCiscoIOSdevices.ThisincludesthetimeittakestoconvergethenetworkandhowalltheCiscocommandsworkwithoperatingsystems(theswitch,routers,firewalls,andsoon).

TosetupaGNS3environment,usethefollowinginstructions:

1. TodownloadGNS3clientandGNSVM,gotowww.gns3.comandclickonSignUptocreateauseraccountonthewebsite.

2. Aftercreatingyouruseraccount,logintothewebsite.

3. ClickonDownload.

YouwillseeaDownloadbuttonontheleft-handsideofthescreen.ClickittodownloadtheGNS3standaloneclient.Additionally,downloadtheGNS3VM(virtualmachine)byclickingtheDownloadVMforGNS3hyperlink,asshowninthefollowingimage:


http://www.gns3.com

Figure2.9–GNS3downloadlinks

TheGNS3VMisrecommendedwiththeGNS3clientasitimprovesperformance.

WhenyouclickDownloadVMforGNS3,you'llbeprovidedwithmultipleoptionstodownloadavirtualimagespecifictoyourhypervisorofchoice:VirtualBox,VMwareWorkstationandFusion,VMwareESXi,andMicrosoftHyper-Vplatforms.IwouldrecommendOracleVirtualBoxasit'sareallygoodhypervisorandit'sfree.However,I'lldemonstratehowtosetuptheenvironmentusingbothOracleVirtualBoxandVMwareWorkstation.


4. DownloadOracleVirtualBoxbygoingtowww.virtualbox.organdclickingonDownloads.ChoosetheVirtualBoxpackageforyouroperatingsystem.Oncethefilehasbeensuccessfullydownloadedontoyourcomputer,installitusingallthedefaultsettings.

5. ThisstepisoptionalasVMwareWorkstationisacommercial(paid)product.TogetVMwareWorkstationPro,gotohttps://www.vmware.com/products/workstation-pro.htmltomakeanofficialpurchaseoftheproduct.

6. InstalltheGNS3standaloneclientonyourcomputerusingallthedefaultsettingswithintheinstallationwizard.

7. Right-clickonGNS3VM,selectOpenwith,andchooseVirtualBoxorVMwareWorkstationtoimportthevirtualmachinesintothehypervisor,asshowninthefollowingimage:


http://www.virtualbox.org

https://www.vmware.com/products/workstation-pro.html

Figure2.10–GNS3VMimportoptions

8. IfyouareusingVMwareWorkstation,theImportVirtualMachinewizardwillopen.ClickImporttobegintheprocess.

ThefollowingscreenshotshowstheimportwindowonVMwareWorkstation:


Figure2.11–VMwareWorkstationimportwindow

9. WhentheimportingprocesshasbeencompletedonVMwareWorkstationPro,clicktheEditvirtualmachinesettinglinktoadjusttheCPUandRAMonGNS3VM,asshowninthefollowingimage:


Figure2.12–VMwareWorkstationoverview

IwouldrecommendusingthefollowingsettingsontheGNS3VM:

--Memory(RAM):8GB,

CPU:

--Numberofprocessors=1,

--Numberofcoresperprocessors=2.


EnableanyadditionalvirtualizationfeaturesfoundontheCPUtab.

Whenyou'refinished,clickonOKtosavethesettingonVMwareWorkstationPro.

10. IfyouareusingOracleVirtualBoxtoimportGNS3VM,youwillseethefollowingwindow;clickonImport:

Figure2.13–VirtualBoxImportVirtualAppliancewindow

11. AfterGNS3VMhasbeenimportedintoVirtualBox,selectthevirtual


machineandclickonSettingstoadjusttheCPUandRAMspecifications.

12. Next,opentheGNS3standaloneclientapplication.SelectEdittoexpandthedrop-downmenuandclickonPreferences,asshowninthefollowingscreenshot:

Figure2.14–GNS3Editmenu

13. ClickontheGNS3VMtab.Then,settheoptionsshowninthefollowingimagetoconnectGNS3clienttoGNSVM:


Figure2.15–GNS3VMconfiguration

IfyouareusingOracleVirtualBox,setVirtualizationEngine:VirtualBox.

14. ClickApplyandthenOKtosavethesesettings.

NowthatwehaveconfiguredtheGNS3VMsothatitworkswiththeGNS3


standaloneclient,ontheGNS3clientuserinterface,ontheright-side,underServersSummary,GNS3VMshouldappear,asshowninthefollowingscreenshot:

Figure2.16–GNS3ServersSummary

ToaddanofficialCiscoIOSimageinGNS3,usethefollowinginstructions:

1. EnsureboththeGNS3clientandGNS3VMareupandrunning.ToaddaCiscoIOSvrouterappliance,clickontheRoutericonandthenNewtemplate,asshowninthefollowingimage:


Figure2.17–GNS3interface

2. SelectInstallanappliancefromtheGNS3serverandclickNext,asshownhere:


Figure2.18–NewtemplatewindowinGNS3

3. SearchforCiscoIOSvtoquicklyfindthetemplateandclickInstall,as

shownhere:

Figure2.19–AppliancetemplatewindowinGNS3


4. SelectInstalltheapplianceontheGNS3VMandclickNext,asshownhere:

Figure2.20–InstallCiscoIOSvappliancewindowinGNS3

5. TheQemubinaryoptionswillbeautomaticallyselected.ClickNext,asshownhere:


Figure2.21–QemusettinginGNS3

SettherequiredIOSvversionbasedontheIOSvimageyougotfromCiscoandclickImport:

Figure2.22–InstallCiscoIOSvAppliancewindowonGNS3

AfterimportingtheCiscoIOSvintoGNS3VM,youshouldseethatthestatusshowsthattheimagehasbeenfound.

6. Next,selectIOSv_startup_config.imgandclickDownloadtoretrievethefilethat'srequiredtocompletetheinstallation:


Figure2.23–InstallCiscoIOSvmissingfilestatus

7. OnceboththeIOSvandstartup-configfileshavebeenuploadedtoGNS3VM,thestatusoftheIOSvrouterappliancewillchangetoReadytoinstall.ClickNext,asshowninthefollowingscreenshot:


Figure2.24–CiscoIOSvreadytoinstallwindowonGNS3

8. Whentheinstallationiscompleted,clickOKtoacceptthemessageofasuccessfulinstallationandclickFinishtoclosethewizard,asshowninthefollowingscreenshot:


Figure2.25–InstallationconfirmationwindowinGNS3

ToaddaCiscoIOSvL2switchtoGNS3VM,followthesameprocedure

mentionedpreviously.Don'tforgetthatwhenyouhavereachedstep3,searchforIOSvL2insteadasit'saCiscoswitchratherthanarouter.

ToaddandaccessdeviceswithinGNS3,pleaseusethefollowinginstructions:

1. InGNS3,clickFiletoopenthedrop-downmenuandselectNewBlankProject.

2. Createaprojectnameandchoosealocationtosavetheprojectfiles.Then,clickOK.


3. OntheleftoftheGNS3window,clicktheRoutericontoshowallavailabledevices.

4. DragthenewlycreatedrouterontothecenteroftheGNS3layout.

5. ClickthePlayicontostartthedeviceinGNS3.

ThefollowingimageshowsthePlay,Pause,andStopiconsforcontrollingthedevice:

Figure2.26–GNS3controls

Now,ontheright-handsideofGNS3,underTopologySummary,youshouldseethattheroutericonhasnowturnedgreentoindicateit'scurrentlyactive.

6. Toaccessthecommand-lineinterfaceofadevicewithinGNS3,simply


double-clickonthedevice'sicononthemainlayout.ThiswillopenPuTTYorthedefaultTerminalprogramonyourcomputer.

7. IfyouaddmoredevicestoGNS3,youcanclicktheCableicontousethesamemethodtointerconnectdevices.

Importantnote

DuringtheinstallationoftheGNS3standaloneclient,Puttywasincludedduringtheinstallationphase.

Whenyouarefinished,besuretoclicktheStopicontopowerdownallthevirtualdeviceswithinGNS3.Additionally,closingtheGNS3clientwillautomaticallypower-offtheGNS3VMaswell.

Now,youknowhowtocreateavirtualenvironmenttosharpenyourskillsfortheCCNAcertification.Let'stakeadiveintounderstandingtherequirementsforacquiringaphysicallab.

PhysicallabsAsIalwayssay,thereisnogreaterexperiencethanusingthereal,physicalequipment.Thebenefitofusingphysicalequipment,especiallyfornetworkengineering,isthefactyouseeeverythinginaction.PleasenotethatI'mnotsayingyouwon'tseeitinavirtualizedenvironment,butthereissomethingirreplaceableaboutusingphysicalequipment–perhapsit'sthethrill.

ThefollowingisalistofdevicesIrecommendusingifyouareinterestedinbuildingaphysicallab:


Cisco2911routers

Cisco2960switches

Cisco3560switchorCisco3650switch

1xCiscoconsolecable

1xRS-232toUSBconvertercable

Afewnetworkpatchcablesforinterconnectingdevices

Thequantityofthesedeviceswilldependonhowlargeyouwishtoscaleyourphysicallab.Ideally,havingtwodevices,suchastwolaptops,totestend-to-endconnectivityishighlyrecommended.Lastly,ensureeachCiscodeviceisrunningthelatestversionofitsoperatingsystem.Thisensurestheessentialfeaturesareavailabletoyouwhenneeded.

Havingcompletedthissection,youhavegainedtheessentialskillsyouneedtobuildyourveryownCiscolabenvironment.We'lltakeadeepdiveintolearningabouttheCiscooperatingsysteminthenextsection.

GettingstartedwithCiscoIOSdevicesNowadays,almostallelectronicdeviceshavesomeformoffirmwaretohelpthemexecutetasks.Inmostinstances,thereisanoperatingsystemthat'susedtoprovidetheuserwithalotoffunctionality.Similartoatypicallaptopcomputerorasmartphone,therearehardwarecomponentssuchasaCentralProcessingUnit(CPU),alsoreferredtoastheprocessor,thatareusedtoexecutearithmeticcalculationsandprovidecontroloverthecomputer.ThereisalsoRandom


AccessMemory(RAM),whichisusedtotemporarilystoredatawhiletheCPUaccessesit,andthereisastorageunitwhereyoucanstoretheoperatingsystemandothertypesofdatawhilethedeviceispoweredoff.

However,withoutanoperatingsystemsuchasWindows,MAC,orevenLinux,thecomponentsofthecomputerwillnotbeabletoworktogethertoexecutefunctionsdefinedbytheuser.Toputitsimply,theoperatingsystemprovidesaprocessforcontrollingthehardwarecomponentsofthedeviceandallowsyou,theuser,totellthecomputer/devicewhattodo.

CiscoSystemscreatedtheirownproprietarynetworkoperatingsystemfortheirswitchesandrouterscalledtheCiscoInternetworkOperatingSystem(CiscoIOS).TheCiscoIOSallowsyoutoconfigureandmanagetheirdevicesviaacommand-lineinterface(CLI).

Youreadthatcorrectly–its'acommandline.Don'tbeworried–I'llsharealittleinsightintomypersonalexperience.WhenIstartedmyjourneytogetmyfirstCCNAcertificationsomeyearsago,Iwasfeelingabitapprehensive.IwasaccustomedtoGraphicalUserInterfaces(GUI)onalldevicesandthethoughtoflearningcodewascool,butatthesametime,verynewtome.However,tothisday,IloveworkingondevicesystemsanddevicesusingcommandlinesasIhaverealizedhowpowerfulCLIscanbeinanydevice.

Throughoutthisbook,I'llensureyouwillbeabletounderstandthepurposeofeachcommandweusetoexecuteafunctionandbuildanoptimalCisconetwork.

BootprocessInanycomputerormobiledevice,theoperatingsystemneedstobestoredinan


areaofmemoryonthedevicewhenitispoweredoff.Incomputers,weuseeitheraharddiskdrive(HDD)orasolid-statedrive(SSD)toholdtheoperatingsystemandotherimportantdata(files).ThebenefitofhavinganHDD/SSDisthatwhenthedeviceisturnedofforrestarts,itscontentisnotlost.However,onaCiscoswitchorrouter,thereisnolocalharddiskdrivesorsolid-statedrives,sowhereistheCiscoIOSstored?

TheCiscoIOSisstoredinalocationcalledFlash.DatathatiswrittentoFlashmemoryisnotlostwhenthedeviceisturnedofforrebooted.

Importantnote

Thistypeofmemoryisreferredtoasnon-volatilerandomaccessmemory(NVRAM).

TogetaclearunderstandingoftheactualbootprocessofaCiscoIOSdevice,let'slookatthefollowingstages:

1. UponpoweringonaCiscodevice,aPower-onSelfTest(POST)isexecutedbythedevice'sfirmwaretocheckforthepossibilityofanyhardwarefailurepriortoloadingtheCiscoIOS.Ifeverythingseemsfine,thefirmwareloadstheBootstrap,whichislocatedinRead-onlyMemory(ROM).

2. TheBootstrapchecksintheFlashmemoryfortheCiscoIOSfile.Iffound,theCiscoIOSisloadedintoRAM.

3. IftheCiscoIOSisnotfoundintheFlashmemory,thedevicechecksforalocalTrivialFileTransferProtocol(TFTP)serveronthenetwork.Onecommonpracticeintheindustryisthatnetworkingprofessionalsremove


theCiscoIOSfilefromthedevicesandplacethemonalocalTFTPserver.Thiscreatestheeffectthateachtimeadevicebootsup,itwillpulltheCiscoIOSacrossthenetworkfromaTFTPserverandloaditintoitsRAM.

4. IftheCiscodeviceisunabletolocateaTFTPserveronthenetwork,itloadsascaled-downversionoftheCiscoIOSintotheRAM.Thescaled-downversionprovidestheessentialfunctionsthatallowsthedeviceadministratortotroubleshootandreloadtheCiscoIOSfileintoitsFlashmemory,thereforerestoringthedeviceintoaworkablestate.

5. OncetheCiscoIOSisloadedintotheRAM,thebootstrapwillcheckthecontentsofNVRAMforpreviouslysavedconfigurationfiles;thisfileisknownasstartup-config.Ifastartup-configfileisfound,it

isloadedintotheRAM.

6. Ifastartup-configfileisnotfound,thedeviceloadsitsdefault

configurationsintotheRAMasrunning-config.

ThecontentsoftheRAMareknownasrunning-config.Thisrunning-

configarethedevice'scurrentconfigurationasthedeviceispoweredon.

However,keepinmindthatifthedevicelosespowerorgetsrebooted,thecontentofitsRAMislost.

Importantnote

running-configdoesnotautomaticallysaveintoNVRAM.Thedevice's

configurationsneedtobesavedmanuallyasthiscreatesorupdatesthestartup-configfile.


ThefollowingisaflowcharttogiveyouabettervisualrepresentationofthebootprocessofaCiscoIOSdevice:

Figure2.27–CiscoIOSdevicebootprocess

NowthatwehavecoveredtheessentialsoftheCiscoIOSbootprocess,let'scoverthevariousmethodsapersoncanusetoaccessaCiscoIOSdevice.

AccessingaCiscoIOSdeviceUnlikeacomputerorsmartphone,anetworkintermediarydevicesuchasarouterorswitchdoesnothaveadisplayscreenthatshowsyoutheuserinterface


formanagingtheoperatingsystem.WheneveryoupurchaseanewCiscoIOSdevice,withinthepackagingofthebox,youwillusuallyfindabluecable;thisiscalledaconsolecableorrollovercable.

Thefollowingisanimageofaconsolecable:

Figure2.28–Ciscoconsolecable

Ononeend,there'saDB-9(RS-232)interface,whichisusedtoconnecttoa


computer'sDB-9(RS-232)port.However,modern-daycomputersand

laptopmanufacturersnolongermakedeviceswiththeseinterfaces.However,youcangetanRS-232toUSBconvertercablefromanonlineorlocal

computerstore.ThisconvertercableenablesyoutousetheconsolecableoveraUSBconnection.

ThefollowingisanimageoftheRS-232toUSBconvertercable:

Figure2.29–USBtoRS-232convertercable


Attheotherendoftheconsolecable,you'llseethecableterminatesusingaRJ-45(registeredjack).ThisendofthecableistobeinsertedonlyintotheconsoleportoftheCiscoIOSdevice.Theconsoleistypicallylocatedatthebackofadeviceorsometimesonthefront.Forustoquicklyidentifytheconsoleport,Ciscohasprintedalabelonit.

Importantnote

ThereareadditionalmethodsforaccessingaCiscoIOSdevice,suchasSecureShell(SSH)andTelnet.Thesewillbecoveredinlatersectionsonthisbook.

Theconsoleportprovidesphysicalmanagementofthedevice.However,theconsoleportistypicallyusedtoconfigurethedevicewithinitialconfigurationsuntilit'sdeployedonthenetworkforremoteaccessmanagement.Networkprofessionalscanalsousetheconsoleportasamanagementinterfacewhenperformingmaintenanceprocedures.

ThefollowingphotoshowstheconsoleportonthebackofaCiscoIOSdevice:


Figure2.30–ConsoleportonthebackofaCiscoIOSrouter

UponmakingtheconnectionbetweenthePCandtheCiscoIOSdeviceusingtheconsolecable,aserialconnectioniscreatedbetweenthePCandthedeviceviatheRS-232-to-USBcable.ToaccesstheCLIoftheCiscodevice,wewillneed

aterminalemulationapplicationonourcomputer.

Thefollowingisabrieflistofterminalemulationapplications:

PuTTY(free)


SecureCRT(commercial)

TeraTerm(free)

ToaccesstheCLI,pleaseusethefollowingsteps:

1. ConnecttheconsolecabletoyourlaptopandtheCiscoIOSdevice.Thiswillcreateaserialconnection.

2. OpenControlPanelandclickonDeviceManager.

3. ExpandthePort(COM&LPT)categorytoseetheCOMinterfacebeingused.

ThefollowingscreenshotshowsthedetailslistedunderthePortscategory:

Figure2.31–DeviceManageronWindows

Atthetimeofwriting,COM3wasusedfortheserialconnection.Thisinformationwillbeusefulforthenextfewsteps.PleasekeepinmindthattheCOMportisdependentonyourcomputerandavailability.BesuretoverifytheCOMportbeforemovingontothenextstep.

4. DownloadPutty(www.putty.org)andopenit.Usethefollowingsettingsontheterminalemulationapplication:


http://www.putty.org

--ConnectionType:Serial

--SerialLine:COM3

--Speed:9600

--Databits:8

--Parity:None

--Stopbit:1

--Flowcontrol:None

ThefollowingscreenshotsshowtheuserinterfacesforbothPuTTYandSecureCRT:


Figure2.32–PuTTYandSecureCRTinterfaces

5. ClickonOpenorConnectontheterminalemulatortoaccessthecommandlineofthedevice.

ThefollowingimageshowsthetypicalwelcomescreenwhenconnectingtotheIOS:


Figure2.33–CLIofaCiscoIOSrouter

NowthatweyouhavelearnedhowtoaccessaCiscoIOSdeviceusingtheconsolecable,let'stakealookathowtonavigatetheCiscoIOSandlearnsomeCiscocommands.

ConfiguringtheCiscoIOSTheCiscoInternetworkOperatingSystem(CiscoIOS)isafull-fledgedoperatingsystemthatprovidesyouwithaninterfacetocontrolthehardwareand


thedevice.TheCiscoIOShasmanysecurityfeaturestoensureyouareabletosecureanetworkenvironmentandthedeviceaswell.OnesuchsecurityfeatureisthattheCiscoIOShasmanycommandmodes.Thisseparatesthemanagementaccessinterfaceintothefollowingmodes:

UserExec

PrivilegeExec

Globalconfigurationmode

WhenyouestablishaconsoleconnectiontoaCiscoIOSdevice,youaretakendirectlyintotheUserExecmodebydefault.UserExecmodeprovidesverylimitedcapabilitiesforauserasitallowsforbasictroubleshootingandmonitoringcommandssuchaspingandtraceroute.

UserExecmodecanbeeasilyidentifiedwiththe>prompt,asshownhere:

Router>

PrivilegeExecmodeallowstheusertoperformmanymorecommandswithintheCiscoIOS.Inthismode,theusercanconfigurethesystemclock,performmanytroubleshootingor"show"commands,andaccesstheglobalconfiguration

mode.

ToaccessprivilegemodefromUserExecmode,simplyentertheenable

command.

PrivilegeExecmodecanbeeasilyidentifiedwiththe#prompt,asshownhere:

Router#


Toexitprivilegemode,usethedisablecommand.ThistakesyoubackUser

Execmode.

GlobalConfigurationmodeallowsausertomakechangestotheentireCiscoIOS.Anyconfigurationenteredinthismodeaffectstheoperationsoftheentiredeviceimmediately.Othercommandmodesareaccessiblefromglobalconfigsuchasinterfacemodes,lineconfigurationmodes,routermode,andmanymore.Intheremainingchaptersofthisbook,youwilllearnaboutothermodesandadvancedconfigurationstohelpyoubuildanddesignanenterprisenetwork.

FromPrivilegeExecmode,youcanusetheconfigureterminal

commandtoaccessGlobalConfig.

GlobalConfigmodecanbeeasilyidentified,asshownhere:

Router(config)#

ToexitGlobalConfig,usetheexitcommand.Thiswilltakeyoubackto

privilegeexecmode.

Tip

Inanymodethatisglobalconfigorhigher,youcanuseCtrl+Zonyourkeyboardasashortcuttotakeyoubackintoprivilegeexecmode.Additionally,youcanusetheTabbuttononyourkeyboardtoautomaticallyexpandyourtypingofacommand.CiscoIOSalsoacceptsshorttypingofcommands,suchasshowipinterfacebrief,whichcanbetypedasshipintbri;

bothareacceptable.

Thefollowingdiagramprovidesavisualrepresentationofthenavigationprocess


withintheCiscoIOS:

Figure2.34–CiscoIOSnavigationpath

NowthatyouhavelearnedhowtoperformbasicnavigationwithintheCiscoIOS,let'stakeitupanotchandbuildasmallnetworkusingCiscodevices.


SettingupasmallCisconetworkWhenbuildinganetwork,it'salwaysrecommendedtostartwithanetworkdiagramcalledanetworktopology.Atopologyisusedtoshowthelogicalandphysicalconnectionsbetweendevicesonanetwork,aswellasbasicIPaddressingassignments.

Forourexercise,wearegoingtobuildthefollowingnetworktopology:


Figure2.35–Lab1–networktopology

Asyoucansee,therearetwonetworks:192.168.1.0/24and

192.168.2.0/24.TheseareinterconnectedusingaCisco2911router.Each

ofthesenetworkshasaCisco2960switch(SW1andSW2)toextendtheirLAN.Additionally,eachLANhasasinglePCattachedwiththepurposeofcheckingend-to-endconnectivitywhenourlabisfullyconfiguredand


operational.

Youcanuseeitherphysicalequipment,GNS3,orCiscoPacketTracertocompletethistask.Simplyinterconnectthedevicesasshownintheprecedingdiagram.

Theobjectivesofthislabareasfollows:

LearninghowtonavigatetheCiscoIOS

ConfiguringIPaddressesonCiscodevices

Securingadministrativeandremoteaccess

Thefollowingarethesituationswhereyoushoulduseacopperstraight-throughcable:

PCtoswitch

Switchtorouter

Switchtoserver

Thefollowingarethesituationswhereyoushoulduseacoppercrossovercable:

PCtoPC

Switchtoswitch

Routertorouter

RoutertoPC


Routertoserver

IfyouareusingCiscoPacketTracer,yourtopologyshouldlookasfollows:

Figure2.36–Lab1–NetworktopologyinCiscoPacketTracer

Tohelpmakeyourlearningexperiencebetter,weshalldescribeanddemonstratehowtofindourwayaroundtheCiscoIOS.

Task1–LearninghowtonavigatetheCiscoIOSTolearnhowtousetheCiscoIOSandallitsfeaturesforCCNA,pleaseusethefollowinginstructions:


1. WhenyoubootupaCiscoIOSrouterforthefirsttime,you'llreceivethefollowinginteractivemessage:

---SystemConfigurationDialog---

Wouldyouliketoentertheinitial

configurationdialog?[yes/no]:

2. TypenoandhitEnteronyourkeyboardacoupleoftimesuntilyousee

theUserExecprompt.

Importantnote

Theinteractivedialogisdesignedtohelpnon-technicalusersconfigurethedevice.However,asanupcomingnetworkingprofessional,youshouldnotusetheinteractivewizardasit'sbettertoperformmanualconfigurationsonthedevicesothatitfitsyourexpectedoutcome.Inotherwords,asmuchastheinteractivedialogmaybehelpful,itmayalsoinstallconfigurationsontothedevicethatwemaynotwant.

3. Atthispoint,youshouldbeinUserExecmode(>).ToaccessPrivilege

Execmode,usetheenablecommand,asshownhere:

Router>enable

Router#

NoticethattheCommandPrompthaschangedtoapoundorhashsymbol(#).

4. TogobackintoUserExec,usedisabletorevertbacktotheprevious

commandmode,asshownhere:


Router#disable

Router>

TheCiscoIOSisabletotemporarilystorethemostrecentcommandsexecutedonthedevice.UsingtheUpandDownkeysonyourkeyboardwillallowyoutocyclethroughrecentlyusedcommandsforyourcurrentcommandmode.Therefore,ifyouareinPrivilegeExec,youwillonlybeabletoseethemostrecentcommandsthatareusedwithPrivilegeExec.

5. AnothercoolfeatureisthattheCiscoIOShastheabilitytorecognizeaCiscoIOScommandbysimplytypingthemodepartofthecommanditself.Tofurtherunderstandthisconcept,inUserExecmode,typethefollowingcommandandhitEnter:

Router>en

Router#

NoticethattheCiscoIOSacceptstheencommandasenableand

carriesyoutoPrivilegeExecmode.

6. Next,let'slearnhowtousebothcontext-sensitivehelpandthe

commandsyntaxcheckerfeature.Todeterminethecorrectsyntaxofacommand,typepartofthecommandandenteraquestionmark(?)right

after.

Thefollowingisanexampleofacontext-sensitivehelpthat'susedtodeterminewhatcommandsbeginwitheninUserExecmode:

Router>en?


enable

Router>

TheCiscoIOSprovidesalistofcommandsthatbeginwithenandreturn

youtoyourcurrentcommandmode.Inourexample,enableistheonly

CiscoIOSthatbeginswitheninUserExecmode.Thisishelpfulifyou

haveforgottenthespellingorthecorrectsyntaxtouseduringdeviceconfiguration.

Toexplorethisfurther,headonovertoPrivilegeExecmodeontherouter.Asmentionedpreviously,thismodeallowsustoexecutealotoftroubleshootingcommands.Thesecommandsusuallybeginwithshow,

followedbyadditionalcommands.

7. Toseealistofavailablesyntaxthatgoesaftertheshowcommand,place

a?aftershow.Thefollowingisanexampleoftheexpectedresults:

Router#show?

aaaShowAAAvalues

access-expressionListaccess

expression

access-listsListaccesslists

acircuitAccesscircuitinfo

adjacencyAdjacentnodes

aliasesDisplayalias

commands


ThefollowingaresomeguidelinesforconfiguringahostnameonaCiscoIOSdevice:

Ensuretherearenospacesintheactualhostname.

Thehostnameshouldnotbelongerthan64characters.

startwithaletter.

Hostnamescanendwithaletterornumber.

Let'schangethehostnameoneachdevicesothatitmatchesthenetworktopologyshowninFigures2.35and2.36.Usethehostnamecommand,shown

asfollows,tochangethedefaulthostnamesforeachofthecorrespondingdevices:

SW1

Switch>enable

Switch#configureterminal

Switch(config)#hostnameSW1

SW1(config)#

SW2

Switch>enable


Switch(config)#hostnameSW2

SW2(config)#


R1

Router>enable

Router#configureterminal

Router(config)#hostnameR1

R1(config)#

Asyoumayhavenoticed,anycommandenteredinglobalconfigurationmodetakeseffectimmediately.Inthisexercise,thechangetookeffectimmediatelyafterexecutingthehostnameconfigurationoneachdevice.

Task3–ConfiguringIPaddressesonCiscodevicesBeforeplacinganIPaddressonaninterface,it'srecommendedtocheckboththenumberandtypeofinterfacesavailableonadevice.Ontherouterandswitches,wecanverifythetypeandnumberofinterfacesavailableonthedevicebyusingtheshowipinterfacebriefcommand,asshownhere:

Figure2.37–SummaryofinterfacesonaCiscorouter

Theshowipinterfacebriefcommandprovidesuswithasummaryof

eachinterface'sstatusonthedevice:


TheInterfacecolumntellsustheinterface'stypeandportnumberonthedevice.

TheIP-AddresscolumntellsuswhethertheinterfacehasanIPaddressornot.

TheOK?andMethodcolumnstellsushowtheIPaddresswassetontheinterface,suchasDHCP,unset,andmanual.

TheStatuscolumntellsusthephysical(Layer1)statusoftheinterface.Thefollowingarealistofstatuses:

a)Up:Theinterfaceisactiveandisreceivinganincomingelectricalsignalontheinterface.

b)Down:Thenetworkcableismissingortheinterfaceisnotreceivinganincomingelectricalsignal.

c)Administrativelydown:Thedeviceadministratorhasmanuallyturnedoffthisinterface.

TheProtocolcolumndeterminestheLayer2statusoftheinterface.Therearetwostatustypes:upanddown.TheupstatustellsusthateverythingisworkingfineatLayer2.Thedownstatustellsusthereisanencapsulationissueonthelink.

Inthefieldofnetworking,youwillencountervarioustypesofphysicalinterfacesondevices.ThefollowingisabriefdescriptionofvariousinterfacesfoundonCiscodevices:

Ethernet:Operatesupto10Mbps


FastEthernet:Operatesupto100Mbps

GigabitEthernet:Operatesupto1000Mbps

ToconfiguretheIPaddressesontherouter,usethefollowingconfigurations:

R1

R1#configureterminal

R1(config)#interfaceGigabitEthernet0/0

R1(config-if)#descriptionConnectedtoLAN1-

192.168.1.0/24network

R1(config-if)#ipaddress192.168.1.1255.255.255.0

R1(config-if)#noshutdown

R1(config-if)#exit

R1(config)#

Variousinterfacemodesareaccessiblefromglobalconfig.Noticethatweusetheinterfacecommand,followedbytheinterfacetypeandnumber.The

CommandPromptchangedtoR1(config-if)#,whichindicatesany

commandsweenterherewillonlyaffectthisspecificinterface.

Next,usingthedescriptioncommandisusefulasitwillallowyouto

identifythepurposeofaninterface.Additionally,allinterfacestatusesaresettoadministrativelydownbydefault.Usingthenoshutdowncommandin

interfacemodewillturnuptheinterface.

Typingexitwillreturnyoutothepreviousmode,globalconfig.Typingexit


onemoretimewillcarryyoubackintoPrivilegemode.

Let'susetheshowipinterfacebriefcommandtoverifythattheIP

addresshasbeenassignedtotheinterfaceandthattheinterfacestatusisUp/Up.

Thefollowingscreenshotshowstheexpectedresults:

Figure2.38–showipinterfacebriefcommandoutput

NowthatyouarefamiliarwithconfiguringanIPaddressandasubnetmaskonarouter'sinterface,let'sconfiguretheinterfaceconnectedtothe192.168.2.0/24network.Thefollowingisalistofcommandsthatyou'll

needtocompletethistask:



R1(config-if)#descriptionConnectedtoLAN2-

192.168.2.0/24network

R1(config-if)#ipaddress192.168.2.1255.255.255.0



R1(config-if)#exit

R1(config)#

Oncecompleted,let'sverifythestatusofourinterfaces.ThefollowingscreenshotshowsthatwenowhavebothGigabitEthernet0/0and

GigabitEthernet0/1.EachhasanIPaddressontheircorresponding

network,andbothareintheUp/Upstatus:

Figure2.39–Verificationofsecondinterfacestatus

Furthermore,usingtheshowipinterfaceinterface-IDcommand

willprovideyouwithmoreIP-relateddetails,asshownhere:


Figure2.40–Outputoftheshowipinterfacecommand

Intheprecedingscreenshot,youcanverifytheIPaddress,thesubnetmask,interfacephysicalstatus,andwhetheranyAccessControlLists(ACLs)havebeenplacedontheinterface.

Ifyouprefertogetmorestatisticalinformationaboutaninterface,usetheshow

interfacesinterface-IDcommand.Theoutputwillprovideyouwith

theinterfacestatus,IPaddressandsubnetmask,interfacedescription,duplexandspeedoperatingmodes,andpacketflowstatistics,asshownhere:


Figure2.41–Outputoftheshowinterfacescommand

Lastly,youcanusetheshowrunning-configcommandtoviewthe

currentconfigurationsofthedevice.Byexpandingtheoutput,youwillseetheconfigurationsthatareexecutedundereachinterface,asshownhere:


Figure2.42–Therunning-configoutput

Task4–ConfiguringtheSwitchVirtualInterface(SVI)CiscoIOSLayer2switchesdonotallowyoutoplaceanIPaddressontheirphysicalinterfaces.So,howdoesauserremotelymanageoraccessaswitchacrossanetwork?WithintheCiscoIOSoftheLayer2switch,youcancreateaspeciallogicalinterfacethatallowsyoutosetanIPaddressontheswitchforremotemanagement.ThislogicalinterfaceisknownasaSwitchVirtualInterface(SVI).

TocreateanSVI,usetheinterfacevlan<vlan-ID>command.This

willbothcreatetheSVIandchangethecommandmodetointerfacemode.Forourtopology,weneedtosetanIPaddressoneachofourswitches.


Tocompletethisexercise,usethefollowingcommandstoachievethistask:

SW1

SW1(config)#interfacevlan1

SW1(config-if)#ipaddress192.168.1.10255.255.255.0


SW1(config-if)#exit

SW1(config)#

Let'snotforgettoconfiguretheSVIswitch2withthefollowingcommands:

SW2


SW2(config-if)#ipaddress192.168.2.10255.255.255.0


SW2(config-if)#exit

SW2(config)#

NowthatyouhavelearnedhowtocreateanSVIonaCiscoIOSLayer2switch,let'stakealookatsecuringadministrativeaccessonalldevices.

Task5–SecuringadministrativeaccessBydefault,anyonecanuseaconsolecabletoaccesstheUserExecmodewithintheCiscoIOSviatheconsoleport.IfthepersonisfamiliarwithCiscoIOS


syntax,thismaybeasecurityconcern.Thismeansthatanyonewhohasaconsolecableandphysicalaccesstothedevicewillbeabletoaccessvariousmodesandmakeunauthorizedchangestothedevice'sconfigurations.

Tosolvethissecuritychallenge,theCiscoIOShassecurityfeaturesthatallowthedeviceadministratortogainsecureaccesstotheconsoleport,VirtualTerminal(VTY)lines(remoteaccess),andPrivilegeExecmode.

Tosecureaccesstotheconsoleportonalldevices,usethefollowinginstructions:

1. AccessGlobalConfigurationmodebyusingtheconfigure

terminalcommand.

2. Toaccesstheconsoleline,usethelineconsole0commandandhit

Enter.

3. Usethepasswordactual-passwordcommandtosetapassword

undertheconsoleport.

4. Usethelogincommandtoenabletheauthenticationfeature.Without

usinglogin,apersoncanstillaccesstheconsolewithoutbeing

promptedforapassword.

Thefollowingscreenshotshowshowthecommandsshouldbeexecuted:


Figure2.43–Securingtheconsole

TheeffectoftheconfigurationswemadeintheprecedingscreenshotwillprompttheusertoenteravalidpasswordtoaccessUserExecmodeviatheconsoleport.Thepasswordwehaveconfigurediscisco123.

Importantnote

Inareal-worldnetwork,ensureyouusemorecomplexpasswords.WhentypingapasswordwithintheCiscoIOS,it'susuallyinvisibleasasecurityfeaturetopreventanyonewithpryingeyes.

Nowthatwehavesecuredconsoleaccesstoeachdevice,let'ssecureaccesstoPrivilegeExecmodeonalldevices.

Tosecureadministrativeaccessonalldevices,usethefollowinginstructions:

1. AccessGlobalConfigurationmodebyusingtheconfigure

terminalcommand.

2. Entertheenablepasswordactual-passwordsyntaxandhit

Enter.

3. IfyougobacktoUserExecandtrytoenterPrivilegeExec,theCisco


IOSwillpromptyouforapassword.Onceyouenterthepassword,whichyousetusingtheenablepasswordcommand,theCiscowillgrant

youaccess.

Thefollowingsnippetshowshowthecommandsshouldbeexecuted:

Figure2.44–Usingtheenablepasswordcommand

However,usingtheenablepasswordcommandisanunsecuremethod

that'susedtosecureadministrativeaccessontheCiscoIOS.Let'sseewhythisisanunsecuremethod.InPrivilegeExecmode,usetheshowrunning-

configcommandtoviewthecurrentconfigurationsonthedevice.

Thefollowingsnippetshowsthattheenablepasswordcommandsetsan

unencryptedpassword:


Figure2.45–Unencryptedpasswordshownintherunning-configfile

It'snotrecommendedtouseenablepasswordduetothissecurity

vulnerability.However,CiscohasimplementedamoresecuremethodtorestrictaccesstoPrivilegeExecmode.Thismethodusestheenablesecret

command.

ToconfiguretheenablesecretcommandontheCiscoIOSforalldevices,

usethefollowingcommands:

R1(config)#enablesecretcisco789

Let'sverifyourconfigurationsbyviewingrunning-configonthedevice:


Figure2.46–running-configcontainingencryptedandunencryptedpasswords

YoumaybewonderingwhichofthesepasswordswillworkwhenmovingfromUserExecmodetoPrivilegeExecmode.Wouldeitherpasswordworkorjustone?Theanswerissimple:enablesecrettakesprecedenceinthis

situation,andthereforeenablepasswordisobsoleteonthedevice.

It'sgoodpracticetoalwaysuseenablesecretwhensecuring

administrativeaccess.However,inasituationwheretherearebothenable

secretandenablepassword,suchasisthecasehere,it'srecommended

toremovethelesssecureconfigurationsfromrunning-config.

ImportantNote

Toremoveacommandfromrunning-config,usethenegatedformofthe

command,suchasusingno,followedbytheremainderofthecommand.

Toremoveenablepasswordfromrunning-config,usethefollowing

command:

R1(config)#noenablepassword

Ifyoucheckrunning-config,you'llnoticeenablepasswordhasbeen


removed.Ensureyouhavesecuredadministrativeaccesstoeachdevicebeforemovingontothenexttask.

Task6–SettingabannerHavingalegalnotificationsuchasawarningbannerthat'sdisplayedwheneveranyoneadministrativelyconnectstoyournetworkdevicesisrecommended.Suchlegalnotificationscanbeusedasanofficiallegalwarningforanyonewhoisattemptingorgainingunauthorizedaccesstoadeviceonacorporatenetwork.

Tosetalegalnotification,wecanusethebannermotdcommand,followed

bythelegalnotice.Tosetabannertobedisplayedwheneveranyoneestablishesaconnectiontothedeviceviaanyaccessmethods,usebannermotd,as

shownhere:

R1(config)#bannermotd%OnlyAuthorizedAccessis

permitted!!!%

Whenusingthebannercommand,youneedtoinsertbothopeningandclosing

delimiters,suchasspecialcharacters(@,#,$,%,^,&),beforeandafterthe

actualbannermessage,whichareusedtoindicateeverythingbetweenthedelimitersistheactualbannermessagetobedisplayedonalogonscreen.

Thefollowingsnippetindicatesthatthebannerisdisplayedwhenestablishinganewconsoleconnection:


Figure2.47–Warningbanner

Nowthatyouhavelearnedhowtoconfigureawarningdisclaimer(banner)onaCiscoIOSdevice,let'stakealookatsettingupremoteaccess.

Task7–SettingupsecureremoteaccessAfterperformingyourinitialconfigurationsonyourdevice,it'stimetoplaceitonyournetwork.Whenadeviceisonthenetwork,itmaynotalwaysbeconvenienttomanagethedeviceviatheconsoleport.Attimes,asanetworkingprofessional,youmaynotbeclosetoyourdevice;perhapsthedeviceislocatedinanothercountry.Remoteaccessallowstheadministratortoremotelyconnectandmanagethedevicewhilebeingatanotherlocation.

TherearetwomainmethodstoremotelyaccessaCiscoIOSdevice:

Telnet

SecureShell(SSH)

BothTelnetandSSHallowyoutoremotelyaccessadeviceviaaTerminal,allowingyoutogainshellaccess.However,Telnetisanunsecuremethodusedtoremotelyaccessandmanageadeviceastrafficcanbeseeninplaintext(unencrypted).SSHistherecommendedmethodforremoteaccessasallSSH


trafficisencryptedbydefault.IfahackerisinterceptingSSHtrafficoveranetwork,theywillnotbeableseetheactualcontentsofthetrafficflowingbetweentheSSHclientandtheSSHserver(device).

SettingupTelnet

ToconfigureTelnetaccessontheVTYlines,usethefollowingcommands:


R1(config)#linevty015

R1(config-line)#passwordclass123

R1(config-line)#login

R1(config-line)#exit

R1(config)#

Thelinevty015commandspecifiesthatweconfigureall16virtual

terminal(VTY)linesonthedevice,wherethefirstlineisVTY0.Then,weset

theTelnetpasswordasclass123andusethelogincommandtoenable

authenticationwheneverauserattemptstologin.

Next,ensureeachPCisusingthefollowingIPconfigurations:

PC1:

IPaddress:192.168.1.20

Subnetmask:255.255.255.0

Defaultgateway:192.168.1.1


PC2:

IPaddress:192.168.2.20

Subnetmask:255.255.255.0

Defaultgateway:192.168.2.1

TotesttheTelnetconnectionwithinCiscoPacketTracer,usethefollowinginstructions:

1. ClickonPC1andselecttheDesktoptab.

2. OpentheCommandPromptandusethepingcommandtotestend-to-

endconnectivitybetweenPC1andtherouter.Then,usetheping

192.168.1.1command.

Youshouldgetthefollowingresponsefromtherouter:

C:\>ping192.168.1.1

Pinging192.168.1.1with32bytesofdata:

Replyfrom192.168.1.1–bytes=32time<1ms

TTL=255

Replyfrom192.168.1.1–bytes=32time=3ms

TTL=255


TTL=255


TTL=255


Pingstatisticsfor192.168.1.1–

Packets:Sent=4,Received=4,Lost=0(0%

loss),

Approximateroundtriptimesinmilli-seconds:

Minimum=0ms,Maximum=3ms,Average=0ms

Onceyouareabletogetasuccessfulreplyfromthetargetdevice(192.168.1.1),youhaveconnectivity.

3. ClosetheCommandPromptandopentheTelnet/SSHclientonPC1.

4. ChangetheconnectiontypetoTelnet,entertheIPaddressoftherouter(192.168.1.1),andclickonConnect.

YoushouldseethebannermessagefromTask6withanauthenticationpromptrequestingtheVTYTelnetpassword.

ConfiguringSecureShell(SSH)

Asmentionedpreviously,weshouldalwaysuseSSHwhenit'savailable.Inthefollowingsteps,IwilldemonstratehowtodisableTelnet,enableSSH,andcreatealocaluseraccount:

1. ChangethedefaulthostnameontheCiscoIOSdevice.

2. Joinalocaldomainbyusingtheipdomain-name<domain>

commandinglobalconfigmode:

R1(config)#ipdomain-nameccna.local


3. GenerateencryptionkeysfortheSSHsessionsusingthefollowingcommands:

R1(config)#cryptokeygeneratersa

Theinteractivemenuwillaskforamoduluskeysize.Theminimumis512,butit'srecommendedtouse1024orhigher.Thelargerthekeysize,

thestrongertheencryption.However,averylargekeysizecanusealotofCPUresourcesonthenetworkdevicewhenperformingencryptionanddecryptiontasks.

4. Createalocaluseraccountwithasecretpasswordusingthefollowingcommands:

R1(config)#usernameAdminsecretclass456

5. ConfiguretheVTYlinestoonlyallowSSHconnections(disablingTelnet),removetheTelnetpassword,andusethelocaluseraccountasthelogincredentials.Tocompletethisstep,usethefollowingcommands:


R1(config-line)#transportinputssh

R1(config-line)#nopassword

R1(config-line)#loginlocal


R1(config)#

Thetransportinputcommandcanbeusedwithall,none,ssh,or

telnettospecifythetypeofincomingtrafficontheVTYlines.


Thefollowingisanadditionalcommandthat'srequiredwhenconfiguringremoteaccess(TelnetandSSH)onCiscoswitches.Switchesrequireadefaultgatewaythatenablesthemtohavebi-directionalcommunicationoverdifferentnetworks.Accordingtoourlabtopology,adeviceonthe192.168.1.0/24network

willnotbeabletoremoteaccessSW2andviceversa.

Tosetthedefaultgatewayontheswitchesinourtopology,usethefollowingcommands:

SW1

SW1(config)#ipdefault-gateway192.168.1.1

SW2


Task8–ConfiguringtheconsoletousethelocaluseraccountsIntheprevioustask,youlearnedhowtocreateauseraccountandenabletheVTYlinestoqueryitduringtheloginprocess.Additionally,thesamecanbedonetotheconsolelinebyusingthefollowingcommands:

R1(config)#lineconsole0





Task9–DisablingdomainlookupandencryptingallplaintextpasswordsAttimes,whenyouenteranameorwordwithintheCiscoIOS,itattemptstoperformadomainnamelookup.Toabortthetranslation,usetheCtrl+Shift+^keycombinationonyourkeyboard.Additionally,youshoulddisablethedomainlookupfeaturewithintheCiscoIOSbyexecutingthefollowingcommand:

R1(config)#noipdomain-lookup

WhensettingpasswordsontheCiscoIOS,youmaynothavetheoptiontousethesecretcommandtocreateanencryptedformoftheactualpassword.This

meansyoumayhavetoresorttosettingaplaintextpassword.Toaddanadditionallayerofsecurity,usethefollowingcommandtoencryptallcurrentandfutureplaintextpasswordsautomatically:

R1(config)#servicepassword-encryption

Task10–CheckingIOSversionandsavingconfigurationsAsaCisconetworkingprofessional,it'simportanttodeterminethecurrentversionofyouroperatingsystem.Tocheckthedevice'soperatingsystemversion,usetheshowversioncommand,asshownhere:

R1#showversion

CiscoIOSSoftware,C2900Software(C2900-

UNIVERSALK9-M),Version15.1(4)M4,RELEASESOFTWARE


(fc2)

TechnicalSupport:http://www.cisco.com/techsupport

Copyright(c)1986-2012byCiscoSystems,Inc.

CompiledThurs5-Jan-1215–41bypt_team

ROM:SystemBootstrap,Version15.1(4)M4,RELEASE

SOFTWARE(fc1)

cisco2911uptimeis5hours,23minutes,55seconds

SystemreturnedtoROMbypower-on

Systemimagefileis"flash0–c2900-universalk9-

mz.SPA.151-1.M4.bin"

--More--

Asshownintheprecedingoutput,thedeviceisusingaCiscoIOSversion15.1(4)oftheoperatingsystem.ThisinformationisusefulifyouareplanningonupgradingtoanewerversionoftheIOS.Theshowversioncommand

providesuswiththeuptimeofthedevicesinceithasbeenpoweredon.

Lastly,rememberthatalltheconfigurationchangesthataremadetoeachdevicearestoredinrunning-config.Ifanydeviceshouldlosepowerorreboot,all

theconfigurationswillbelost.Tosaverunning-configinstartup-

config,usethefollowingcommands:

R1#copyrunning-configstartup-config

Destinationfilename[startup-config]?

Buildingconfiguration...


[OK]

R1#showstartup-config

HitEnterwhenitasksforthedestinationfilename.Thedefaultfilenameisshowninbrackets([startup-config]);there'snoneedtotypeanew

filename.Oncetheconfigurationshavebeensaved,usetheshowstartup-

configcommandtoviewitscontents.Additionally,youcanusethereload

commandinPrivilegeExecmodetorebootthedeviceandseethatstartup-

configretainstheconfigurations.

PerformingtroubleshootingproceduresAfterperformingconfigurationsonadevice,it'sgoodpracticetoexecutetherelevantshowcommandtoverifywhatyouhavedoneiscorrectandisworking

asexpected.Throughoutthisbook,wewilllearnaboutadditionalmethodsfordesigningandoptimizinganetworkusingCiscodevices,whereyouwilllearnaboutnewconfigurationsandtroubleshootingcommandstohelpyoualongtheway.

Therearetwomaintoolsthathelpustroubleshootanetworkfromtheclientside(PC):

Ping

Traceroute

Pingissimplyusedtotestend-to-endconnectivitybetweenthedevicesonanetwork.Thistoolusesthepingipaddressoftargetsyntax.The

followingisanexampleofasuccessfulconnectivitytest:


Figure2.48–PingtestonaWindowsCommandPrompt

However,theCiscoIOSdoesnotprovideanoutputsimilartotheoneshownintheprecedingoutput.Thefollowingarethesymbolsandtheirdescriptions:

!:Successful

.:Requesttimeout

U:Destinationunreachable

ThefollowingisanexamplewhereaconnectivitytestwasdonefromR1toPC1inthelabtopology:


Figure2.49–PingtestusingtheCiscoIOS

YounowhavetheessentialskillstoimplementCisconetworkingsolutionsforasmallnetwork.

SummaryHavingcompletedthischapter,youhavelearnedsomeamazingskillsandgottobuildyourveryownCiscolabenvironment.Mostimportantly,yougothandsonwithCiscoswitchesandrouters.Therearemanywaysyoucangetthepracticalexperienceyoudesire,byeitherpurchasingphysicalequipmentorevenbuildingafullyvirtualizedlabenvironment.KeepinmindthatCiscoPacketTracerisupdatedquiteoftenandnewfeaturesarealwaysbeingadded,alongwithmanyimprovements.

Mypersonaladviceisthatyoushouldn'tbeafraidoftryingnewthingsinyourlabenvironment.Ifyoubreakormisconfiguresomething,trytofigureoutwhatwentwrongandhowtoresolvetheissue.Networkengineeringisacontinuousprocessofdesigning,configuring,andtroubleshooting,butmostimportantly,it'saboutproblemsolvingandcriticalthinking.So,don'tbeafraid–usethehelp(?)

command,andeventrytoemulateyourhomeorofficenetworkinyourCiscolab.

IhopethischapterhasbeeninformativeforyouandishelpfulinyourjourneytowardlearninghowtoimplementandadministrateCiscosolutionsandpreparefortheCCNA200-301certification.Inthenextchapter,IPAddressingandSubnetting,wewilllearnallaboutIPaddressing,subnetting,andunderstandingVariable-LengthSubnetMasks(VLSMs).


QuestionsThefollowingareashortlistofreviewquestionstohelpreinforceyourlearningandhelpyouidentifyareasthatrequiresomeimprovement:

1. Ifyouarecurrentlyinlineconsolemode,whichshortcutwillcarryyoubacktoPrivilegeExecmode?

A.CTRL+C

B.CTRL+X

C.CTRL+V

D.CTRL+Z

2. Whichmodeallowsyoutoexecutetheenablesecretcommand?

A.PrivilegeExec

B.UserExec

C.Globalconfig

D.Line

3. Aninterfaceisshowingasadministrativelydown.Howdoyouactivatetheinterface?

A.Noshutdown

B.Up


C.Start

D.Noneoftheabove

4. Youaretaskedwithsettingupremoteaccessonvariousnetworkingdevices.Whichofthefollowingmethodsisbestsuited?

A.Console

B.SSH

C.Telnet

D.VTY

5. Whichofthefollowingcommandswilldisplaythebannermessage"keepout"?

A.banner#keepout#

B.bannermotdkeepout

C.bannermotd#keepout%

D.bannermotd&keepout&

6. WhichofthefollowingcommandswillsetasecurepasswordontheCiscoIOS?

A.enablepassword

B.enable


C.enablesecret

D.secret


Initialdeviceconfiguration:https://www.cisco.com/c/en/us/td/docs/routers/access/800/hardware/installation/guide/800HIG/initalconfig.html

Basicrouterconfiguration:https://www.cisco.com/c/en/us/td/docs/routers/access/800M/software/800MSCG/routconf.html


https://www.cisco.com/c/en/us/td/docs/routers/access/800/hardware/installation/guide/800HIG/initalconfig.html

https://www.cisco.com/c/en/us/td/docs/routers/access/800M/software/800MSCG/routconf.html

Chapter3:IPAddressingandSubnettingTheinternetactsasanenormousdigitalworld,andit'scontinuouslyexpandingwithnewusersandinternet-connecteddevicescomingonlineeveryday.Everydeviceonanetworkrequiressometypeofaddresstobeabletocommunicateandexchangemessages.Tomeetthisneed,InternetProtocol(IP)addressesarecommonlyused.

Throughoutthischapter,youwilllearnaboutthecharacteristicsofbothIPv4andIPv6addressingschemes,whilediscoveringthevarioustypesoftransmissionsthatoccuronanetwork,aswellastheimportanceofsubnetmasksandtheroletheyplayinanetwork.


TheneedforIPaddressing

CharacteristicsofIPv4

ClassesofIPv4addresses

SpecialIPv4addresses

Subnetmask

Subnetting

IPv6

Lab–ConfiguringIPv6addressesonaCiscodevice


Lab–ConfiguringIPv6addressesonaWindowscomputer

Testingend-to-endconnectivity

TechnicalrequirementsTofollowalongwiththeexercisesinthischapter,pleaseensurethatyoumeetthefollowinghardwareandsoftwarerequirements:

CiscoPacketTracer

GNS3

GNS3VM

Configurationfiles:https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2003

CheckoutthefollowingvideotoseetheCodeinAction:https://bit.ly/3iQDXZT

TheneedforIPaddressingAcomputernetworkisabitlikeaneighborhoodorcommunity.Communitiesconsistofmanypeople,houses,schools,andbusinesses.Eachofthesehousesandbuildingshasapostal(mailing)addressthatallowsotherstosendlettersandpackagesviaacourierservicetotherecipients.Withoutamailingorpostaladdress,it'sabitchallengingforotherstosendaphysicalletterorpackagetoyou.Similarly,onacomputernetwork,eachdevicehasauniqueaddressthatisusedforsendingandreceivingmessages(signals)betweenthem.TheseaddressesareknownasInternetProtocoladdressesandaremostcommonly



https://bit.ly/3iQDXZT

referredtoasIPaddresses.

HowdoweknowwhichIPaddressescanbeusedontheinternetandonprivatenetworks?ThereisaspecialorganizationthatmanagesbothIPv4andIPv6addresses.ThisorganizationisknownastheInternetAssignedNumbersAuthority(IANA).TheIANAisalsoresponsibleforgoverningtheusageoftheDomainNameSystem(DNS)rootdirectoriesandservicesviatheInternetCorporationforAssignedNamesandNumbers(ICANN).

Sometimearound1983,theIPv4schemewasmadeavailableforusageoncomputernetworksandtheinternet.MostoftheinternettodayisdominatedbytheIPv4addressingschemesasthepreferredmethodofcommunication.Onmanyprivatenetworks(suchashomenetworks),IPv4isstillverymuchcommonlyusedtothisday.

WhenitcomestoIPaddresses,IANAhascreatedtwoaddressspacesforIPv4.Thesearethepublicandprivateaddressspaces.Thepublicspaceisdesignedtobeusedontheinternetandonalldevicesthataredirectlyconnectedtotheinternet.Ontheinternet,eachIPaddressmustalwaysbeuniquetoensuremessages(packets)aredeliveredtothecorrectrecipientasexpected.ImagineiftwodevicesontheinternetsharedasinglepublicIPv4address;somemessagesmaybedeliveredtoonedevicewhiletheothermessagesmaybesenttotheseconddevice.Thiswouldcausemanyproblems.Tohelppreventtheseproblems,thereareRegionalInternetRegistries(RIRs)aroundtheworld.

Importantnote

TofurtherunderstandtheassignmentofIPv4networkblocks,youcanrefertotheofficialIANAdocumentationatthefollowingURL:


https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml.

TheIANAdoesnotdirectlydistributeIPnetworkblockstoanyorganizationwhowantsinternetconnectivity.Instead,therearecurrentlyfiveRIRsintheworld,andeachRIRresponsiblefordistributingIPnetworkblockstoInternetServiceProviders(ISPs).ThefollowingisalistofeachRIRandtheirgeolocationalresponsibility:

AFRINIC:SupportsthecontinentofAfrica

APNIC:SupportstheregionsofAsiaandthePacific

ARIN:SupportstheregionsofCanada,USA,andpartoftheCaribbean

LACNIC:SupportsLatinAmericaandpartoftheCaribbean

RIPENCC:SupportsEurope,theMiddleEast,andCentralAsia

ThefollowingdiagramillustrateshowIPaddressesaredistributedacrosstheinternet:


https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

Figure3.1–DelegationofIPnetworkblocks

AnAutonomousSystem(AS)isaverylargecollectionofinternetroutingnetworkprefixesthataremanagedbyasingleorganization,knownasanoperator.AnISPisanexampleofanAS.EachISPhasauniqueASnumber(ASN)thatisusedtointerconnectoneAStoanother.ThisallowseachAutonomousSystemtouseBorderGatewayProtocol(BGP)toexchangeroutingupdates,aswellasnetworkwithoneanotherovertheinternet.


Importantnote

ToviewtheASNsforeachcountry,usethefollowingURL:https://ipinfo.io/countries.

ThefollowingdiagramshowsarepresentationofmultipleASNsinterconnectedviaBGP:

Figure3.2–NetworkrepresentationofAutonomousSystemsusingBGP

EachAutonomousSystemexchangesroutingupdatesandsharestheirpublic(internet)networkswiththeirdirectlyconnectedneighbors.AsmoredevicesandAutonomousSystemsconnecttothebackboneoftheinternet,theinternetitselfcontinuestogrow.


https://ipinfo.io/countries

Importantnote

Toviewthesubmarinecablesthatconnectustotheinternet,pleasevisitwww.submarinecablemap.com.CheckingoutacablewithinthemapwillprovideyouwiththenecessaryISPsandnamesoforganizationsthatown/leaseit.

NowthatwehavecoveredtheglobalarchitectureoftheIPaddressinglandscapecomputernetworkandtheinternet,aswellasunderstoodthetwotypesofIPaddresses,let'stakeamoredetailedlookatthecharacteristicsofthefirsttype:IPv4.

CharacteristicsofIPv4Learningaboutcomputernetworkingisalwaysafascinatingtopicasitalsointroducesyoutohowcomputingdevicesinterpretdataandpresentinformation.Usingacomputerorsmartdevice,weusuallyseeaverywell-polishedgraphicaluserinterface(GUI).InMicrosoftWindows,forexample,thereisWindowsExplorer,whichhelpsusnavigatethevariousareas(locations)ofacomputereasily.Whenopeningfiles,suchaspictures,thephotoviewerapplicationpresentsuswithapictureourmindscaninterpret.However,bydefault,computersandnetworkingdevicesareunabletointerprettheobjectswithinapicture.

Whendataiswrittenontoaharddiskdrive(HDD),there'sanactuatorarmthatcontainsaread/writehead(pin),whichisusedtomagnetizeandde-magnetizeareasontheplatterstorepresentdata.Thismeansthatwhatweseeasapictureofacaronthecomputerscreenis,tothedevice,aportionoftheHDDbeingmagnetizedandde-magnetized,representingabunchof1sand0s.


http://www.submarinecablemap.com

Importantnote

Nowadays,manyapplicationsusemachinelearning(ML)toactuallydetectobjectswithinapicture.OnesuchMLalgorithmisYOLO–RealTimeObjectionDetection.

Rememberthatwhenadeviceissendingamessageonanetwork,aseriesofelectricalsignalsaresentacrossthewire.Therecipientinterpretstheincomingsignalsandpresentsthemasdata.Ahighelectricalsignal(voltage)iscommonlyrepresentedasa1,whilealowvoltageisrepresentedasa0.Similarly,when

dataisbeingwrittentoanHDD,electricalsignalsareusedtomagnetizeandde-magnetizethesurfaceareasoftheplatters.Whendataisread,theread/writeheadinterpretsthemagnetizedandde-magnetizedareasthatrepresentdata,andthusthedevice(suchasacomputer)presentsinformationtoushumans.

Youareprobablywonderingwhatthe1sand0shavetodowithcomputernetworking.Justlikeeverythinginthecomputingworld,IPaddressesarewritteninbinarynotation(1sand0s).However,wehumansusuallywriteIPaddressesindecimalformatusingbase10,withnumbersintherange0–9.

AsoutlinedbyIANA,anIPv4addressis32bitsinlength,comprisedof1sand0s.ThereisatotaloffouroctetsperIPv4address.Eachoctetismadeupof8

bitsandisseparatedbyaperiodordot(.).Thisresultsin8bitsperoctetx4

octets=32bitsintotal.

TheneedtounderstandIPaddressingandsubnettingplaysavitalroleinnetworkengineering.IncorrectlyassigninganIPaddressand/orasubnetmaskwillresultinnoconnectivitybetweendevices.Inthenextsection,wewilldiveintounderstandingthecompositionofanIPv4packetandthepurposeofeach


field.

CompositionofanIPv4packetBecominganetworkingengineeroradvancingyourskillswithinthenetworkingfieldisn'tonlyaboutlearninghowtoconfiguredevicestomovetrafficbetweennetworksmoreefficiently;understandingthecompositionandthecharacteristicsofanIPv4packetwillalsobeverybeneficialinthetroubleshootingphasesofyourcareer.

ThefollowingdiagramshowsallthefieldswithinanIPv4packet:

Figure3.3–IPv4packet

EachfieldwithintheIPv4packetplaysanimportantroleduringthetransmission


ofamessagefromonedevicetoanother.Thefollowingarethenamesofeachfield,alongwithdescriptionsoftheirpurpose:

Version:ThisfieldisgenerallyusedtoidentifytheversionoftheInternetProtocol(IP),suchasIPv4andIPv6.Thesizeofthisfieldis4

bits.

InternetHeaderLength(IHL):ThisfieldindicateswheretheheaderendsandthedatabeginswithintheIPv4packet.Thisfieldis4bits.

DifferentiatedServicesorDiffServ(DS):ThisfieldplaysanimportantrolewhenusingQualityofService(QoS)toolsonanetwork.ThisfieldwasformerlyknownasTypeofService(ToS).Thelengthofthisfieldis8bits.

TotalLength:Thisfieldensurestheentiredatagramisnomorethan65,535bytes.Thisfieldis16bits.

Identification:AswementionedinChapter1,IntroductiontoNetworking,beforeadevicesendsadatagramtothenetwork,thedevicecreatessmallerfragmentscalledbits.Eachbitcontainsthesameaddressingdetailswithintheheader,butthepayload(data)ismadeintosmallerpieces.Thisfieldisusedtoassignavaluetoeachbitastheyaresenttothephysicalnetwork.Thevalueisusedtoassistinplacingasequencenumbertoeachbitleavingthesender.Thisallowstherecipienttousethesequencenumberduringtheprocessforreassemblingthedatagram.Thisfieldis16bits.

Flags:FlagsareusedforvariousoptionswithinanIPv4packet.TheseoptionsmayincludewhetherapacketisaSYN,ACK,FIN,orRST


packet.Thisfieldis3bits.

FragmentOffset:Thisfieldisusedtoidentifythepositionofafragmenteddatagram.Thisfieldis13bits.

TimeToLive(TTL):Thisfieldisfoundonlyinpackets.Devicessendingpacketsonanetworkusethisfieldtosetthelifespanofthemessageasittravelsacrossanetwork.Asthepacketpassesahop(aLayer3device)alongapath,theTTLvaluedecreasesby1.Ifadevicerendersapacket's

TTLvalueto0,thatdevicediscardsthepacket.TheTTLfieldis8bitsin

length.

AsimpleexercisetoillustratehowtheTTLvalueaffectsamessageistosendamessagetoapublicIPaddress,whileusingthe-iparametertosetaTTLvalue

fortheInternetControlMessageProtocol(ICMP)message.Inthiscase,we'lluseGoogle'spublicDNSserver(8.8.8.8),asshownhere:

Figure3.4–TTLvalueexpiredinICMPpackets

Asshownintheprecedingsnippet,noneoftheICMPpacketswereabletoreach


thedestination;thatis,8.8.8.8.ThisisbecausetheTTLvaluesofeachICMP

packetweresetto2,soeachpacketexpiredandwasdiscardedbeforetheywere

abletoreachtheintendeddestination.

Protocol:This8-bitfieldisusedtoidentifythenetworkprotocolthatadatagrambelongstoatthedestinationhost.

HeaderChecksum:Thisfieldcontainsthehashvalue(checksum)oftheheaderandis16bitsinlength.

SourceIPaddress:This32-bitfieldcontainsthesender'sIPv4address.

DestinationIPaddress:This32-bitfieldcontainsthedestination'sIPv4address.

Options:Thisfieldrangesbetween0–40bytesinlengthandisused

formanypurposes,suchasrecordroutingandsourceroutingdetails.

Havingcompletedthissection,youarenowabletoidentifyanddescribeeachfieldwithinanIPv4packet.

Inthenextsection,youwilllearntheessentialskillsinvolvedforunderstandingIPassignmentandsubnetting,byfirstlearninghowtoperformconversionsbetweenbinaryanddecimalformat.

ConvertingbinaryintodecimalLet'sstartbytakingalookatanIPv4addressinitsbinaryformat.WealreadylearnedthatanIPv4addressismadeupof32bits,consistingof1sand0s.Let's

lookatanexampleofonewritteninbinary:


11000000.10101000.00000001.10000001

AllbinarynumbersarewritteninBase2witharadixof2.Aradixisaunique

numberusedinapositioningsystem,wherethefirstposition'svalueis0.Iknowthismaysoundabitconfusing,butoverthenextfewparagraphs,you'llfindtheconceptabitcleareraswe'llbeprovidingexamples.

Inmathematics,welearnthatA =1,whereArepresentstheradixorbase.

Let'susetheradixof2aspartofapositioningsystem,startingwith0asthefirst

position:

2 =1

2 =2x1=2

2 =2x2=4

2 =2x2x2=8

2 =2x2x2x2=16

2 =2x2x2x2x2=32

2 =2x2x2x2x2x2=64

2 =2x2x2x2x2x2x2=128

Whenitcomestounderstandingbinaryanddecimalconversionsinthefieldofnetworking,weconvertonlyoneoctetatatime,nottheentire32-bitIPv4address.Thisisthereasonourpositioningsystemstoppedattheeighthpositioninthesequence,2 .Tofurtherunderstandthepositionsystemusingbinary,thefollowingtableshowsthecalculationforeachbitwithinanoctet:

0

0

1

2

3

4

5

6

7

7


Figure3.5–Base2table

Whenperformingconversions,alwaysrememberthatthefirstpositionisalways2 andthattheeighthpositionis2 .Thefullbinaryformatofeachpositioncanbeexpressedfurther,asfollows:

2 =00000001=1

2 =00000010=2

2 =00000100=4

2 =00001000=8

2 =00010000=16

2 =00100000=32

2 =01000000=64

2 =10000000=128

Now,let'suseourIPv4addressof11000000.10101000.00000001.10000001andconvertitintoa

decimalnumber.Toperformthisexercise,usethefollowinginstructions:

1. Placethevaluesofthefirstoctet,11000000,withinthetable,asshown

0 7

0

1

2

3

4

5

6

7


here:

Figure3.6–Conversion–binarytodecimal(firstoctet)

Whereverthere'sabinaryvaluethat=1intheprecedingtable,theradix

valueisON.Inourtable,2 and2 areON.Thiswillprovideuswiththe

followingresults:

2 +2 =128+64=192

2. Let'srepeatthesameprocedureforthesecondoctet,10101000,to

determineitsdecimalvalue:

Figure3.7–Conversion–binarytodecimal(secondoctet)

Usingthesameprincipleof1=ONand0=OFFfortheradix,wegetthefollowingresults:

2 +2 +2 =128+32+8=168

7 6

7 6

7 5 3


3. Let'sconvertthethirdoctet,00000001,intodecimalformatbyplacingit

intothefollowingtable:

Figure3.8–Conversion–binarytodecimal(thirdoctet)

Converting00000001intodecimal,wegetthefollowingresult:

2 =1

4. Now,convertthefourthoctetbyplacing10000001intothefollowing

table:

Figure3.9–Conversion–binarytodecimal(fourthoctet)

Wewillgetthefollowingresults:

2 +2 =128+1=129

5. Thelaststageissimplyplacingallthedecimalvaluestogether,asshown

0

7 0


here:

11000000.10101000.00000001.10000001=

192.168.1.129

Ifalleightbitswere1swithinanoctet,whatwouldbethedecimalequivalent?We'dneedtoaddallthepowersof2rangingfrom20to27,asshownhere:

2 +2 +2 +2 +2 +2 +2 +2

Toprovideafurtherbreakdown,wegetthefollowingvaluewhenweaddallthepowersof2:

128+64+32+16+8+4+2+1=255

Thismeansthatanoctethasarangeof0–255.ThereisnoIPv4address

whosevalueisgreaterthan255inanyofitsfouroctets.Nowthatyouhave

learnedhowtoconvertbinaryintodecimal,let'stakealookatconvertingdecimalintobinary.

ConvertingdecimalintobinaryLet'sgetstartedbyconvertingtheIPaddress172.19.43.67intobinary.We

aregoingtouseasimpleeight-stepmethodthatwillguaranteetheaccuracyofthefinalresult.Intheprevioussection,Convertingbinaryintodecimal,weusedvariousradixvaluesrangingfrom20to27,andwithinoureight-stepprocess,wewillbeleveragingthesevaluesonceagain,butusingaslightlydifferentapproach:themethodofsubtraction.

Toensuretheresultsareaccurate,pleaseadheretothefollowingrules:

7 6 5 4 3 2 1 0


Convertonlyoneoctetatatime.

Startbysubtractingthedecimalvaluefromthehighestpowerof2(2 )whileworkingyourwaydownto2 .

IfyoucansubtractadecimalvaluefromaRadixvalue,placea1to

representyes.

IfyouareunabletosubtractadecimalvaluefromaRadixvalue,placea0

torepresentyes.

Ifyougeta0,attempttosubtractthedecimalvaluefromthenext(lower)

Radixvalue.

Let'sbeginbyconvertingthefirstoctet,172,intobinaryformat:

1. Canwecarryout172–128(2 )?Yes,givingusaremainderof44.

Therefore,wegeta1.

2. Isitpossibletocarryout44–64(2 )?No;therefore,wecarry44forward

tobesubtractedfromthenextpowerof2(2 ).Therefore,wegeta0.

3. Canwecarryout44-32(2 )?Yes,givingusaremainderof12.

Therefore,wegeta1.

4. Could12–16(2 )?No;therefore,carry44forwardtobesubtractedfrom

thenextpowerof2(2 ).Therefore,wegeta0.

5. Isitpossiblefor12–8(2 )?Yes,givingusaremainderof4.Therefore,

wegeta1.

7

0

7

6

5

5

4

3

3

2


6. Could4–4(2 )?Yes,givingusaremainderof0.Therefore,wegeta1.

7. Itispossiblefor0–2(2 )?No;therefore,wegeta0.

8. Could0–1(2 ?No;therefore,ourlastvalueis0sincethisisthelast

powerof2inthesequence.

Thefinalanswerinbinaryistakingallthe1sand0sstartingfromstep1andplacingtheminsequentialorderfromstep1to8.Therefore,thebinaryvalueof172is10101100.

Thefollowingisavisualrepresentationofall8stepsdemonstratingtheprocessweusetoconvertthedecimalvalue172intobinary:

2

1

0)


Figure3.10–Calculationfordecimalvalue172intobinary

Let'sconvertoursecondoctet,19,intobinaryusingthesameprocedure:

1. Could19–128(2 )?No;therefore,wecarry19forwardtobesubtracted

fromthenextpowerof2(2 ).Therefore,wegeta0.

7

6

6)


2. Isitpossiblefor19–64(2 ?No;therefore,wecarry19forwardtobe

subtractedfromthenextpowerof2(2 ).Therefore,wegeta0.



4. Could19–16(2 )?Yes,givingusaremainderof3.Therefore,wegeta

1.

5. Isitpossiblefor3–8(2 )?No;therefore,wecarry3forwardtobe


6. Could3–4(2 )?No;therefore,wecarry3forwardtobesubtractedfrom


7. Itispossiblefor3–2(2 )?Yes,givingusaremainderof1.Therefore,we

geta1.

8. Could1–1(2 )?Yes,witharemainderof0.Therefore,wegeta1to

concludeourprocess.


Thefollowingisavisualrepresentationofalleightstepsdemonstratingtheprocessweusetoconvertthedecimalvalue19intobinary:

6)

5

5

4

4

3

2

2

1

1

0



Let'sconvertourthirdoctet,43,intobinaryusingthesameprocedure:



7

6

6




3. Could43–32(2 )?Yes,givingusaremainderof11.Therefore,wegeta

1.



5. Isitpossiblefor11–8(2 )?Yes,givingusaremainderof3.Therefore,

wegeta1.



7. Itispossiblefor3–2(2 )?Yes,givingusaremainderof1.Therefore,wegeta1.


concludeourprocess.



6

5

5

4

2

3

2

1

1

0



Forourlastoctet,let'sconvert67intobinaryusingthesameprocedure:



7

6

6





fromthenextpowerof2(25).Therefore,wegeta0.







7. Itispossiblefor3–2(2 )?Yes,givingusaremainderof1.Therefore,we

geta1.


concludeourprocess.



6

5

5

4

2

3

5

2

1

1

0



Havingconvertedeachoctet,let'sputeverythingtogethertoseethebinarynumbers:


Figure3.14–Binaryanddecimalequivalents

Wecanconcludethat172.19.43.67hasabinaryvalueof

10101100.00010011.00101011.01000011.

ImportantNote

Theconversionmethodsusedwithinthischaptercanonlybeappliedtovaluesrangingbetween0–255.

LearningtoperformdecimaltobinaryconversionsisanessentialskillwhenlearningCCNAasitplaysaveryimportantroleinthelatersectionsofthischapter.Nowthatyouhavelearnedabouttheessentialsofperformingbinaryanddecimalconversions,let'stakeadiveintolearningaboutthevarioustransmissiontypesonanIPv4network.

TransmissiontypesWhenlearningaboutIPaddressing,therearemanytypesofIPv4andIPv6addressestoknowabout.Inthissection,wewilldiscussthevarioustypesofIPv4networktransmissionsandlookathowtheyareappliedtocomputernetworks.

Unicast


Imagineyouarestandingwithinacrowdofpeoplepriortothestartofabusinessconference.Youmeetafellowcolleagueandyoustartaconversationwiththem.Thisisaunicasttypeofcommunicationasit'sonlybetweenyourselfandyourcolleague(nottheentirecrowdormultiplepeople).Similarly,onacomputernetwork,thistypeoftransmissionoccurswhereonedeviceisexchangingmessages(packets)withonlyoneotherdevice.

Onanetwork,aPCmaybesendingdatatoalocalnetworkprinterorevenuploading/downloadingfilesfromthelocalnetworkstorageserver.Thisisaone-to-onetransmission,commonlyreferredtoasaunicasttransmission.

Thefollowingdiagramshowsagraphicalrepresentationofaunicasttransmission:

Figure3.15–Unicasttransmission

MulticastUsingthesameanalogy,imaginethat,whilestandingwithyourcolleagueandhavingamutualdiscussion,threeotherpeoplejointheconversation.Now,you


arespeakingwithfivepeopleintotalfromtheentirecrowdpresentatthebusinessconference.Atthispoint,youarehavingamulticasttypeoftransmissionasyouaresendingdatatoselectedpersons(yourcolleagueandthreeothers)fromtheentirecrowdofpeople.Inthisanalogy,wecanseethatwhenonepersonspeakstoanother,itisdefinedasatransmission.Theconceptofatransmissionisalsoappliedtoacomputernetworkwhereonedevicemaycommunicatewithoneormoredevicesatthesametime.

Thistypeofcommunicationisanexampleofaone-to-manytransmission(multicast).ThefollowingisagraphicalrepresentationofamulticasttransmissiononaPCnetwork:

Figure3.16–Multicasttransmission

MulticastIPv4addressesrangefrom224.0.0.0–239.255.255.255.

Theseaddressesaretypicallyusedbynetworkapplicationsoveranetwork.Forexample,theOpenShortestPathFirst(OSPF)version2routingprotocolusesaddresses224.0.0.6and224.0.0.5whenexchangingOSPFpackets

betweenOSPF-enabledroutersonanetwork.


BroadcastContinuingwithouranalogy,theconferenceisabouttostart,andtheattendeesarebeingseated.However,youareoneofthespeakersduringtheconference.Whenit'syourturntospeak,youheadonovertothepodiumtoaddresstheaudience.Whilespeaking,themicrophoneandspeakersareusedtoensureyourvoiceisaudibleacrossawidespacetoensureeveryonecanhearyouatthesametime.Inthistypeofcommunication,youarespeakingonce,andyourmessageisbeingsenttoalltheattendeeswithintheconferenceroom.

Thisisknownasbroadcastonacomputernetwork,wherebyadevicesendsamessagetoallotherdevicesonthesameIPnetwork.

Thistypeofcommunicationisaone-to-alltypeoftransmission.Thefollowingdiagramshowsagraphicalrepresentationofabroadcasttransmission:

Figure3.17–Broadcasttransmission

Applicationsanddevicestakeadvantageofusingbroadcasttransmissionsto


easilysendsignals(messages)toallotherdevicesonthesamenetwork.However,thiscanbeproblematicfornetworkperformanceifthereisahighvolumeofbroadcastmessagespropagatingthenetwork.

Additionally,trafficstormsorbroadcaststormscanoccuronanetwork.ThisiswhenahighvolumeofbroadcastmessagesarebeingsenttheLayer2broadcastMACaddress,FF:FF:FF:FF:FF:FF,eitherfromasingledeviceormultiple

devices.

DuringmytimeasanengineerwithinaregionalTelco,I'veseenbothsmallandlargeorganizationsgenerateenormousamountsofunexpectedbroadcasttraffic.Investigationsshowthesestormsariseduetomanydifferentreasons,frommaliciousapplicationsrunningontheirenddevices,tofaultyNICscreatingcorruptedframesandpackets.

ToconfigurebroadcaststormcontrolsonaCiscoIOSdevice,usethefollowingcommands:


Router(config)#interfacegigabitethernet1/0

Router(config-if)#storm-controlbroadcastlevel1.0

Router(config-if)#storm-controlactionshutdown

Router(config-if)#exit

Theconfigurationsareplacedwithininterfacemodeandlevelranges

between0.0–100.0asapercentagevalue.Therefore,1.0means1%of

theinterface'sbandwidthsothatwhenthethresholdisreached,theinterfaceisshutdown.


Intheprecedingconfigurations,1%oftheGigabitEthernetbandwidthis

1000MBx1%=10MB.Additionally,usingthestorm-control

actionshutdowncommandchangesthedevice'sinterfacetoerror-disable

whenthetrafficstormthreshold(1%bandwidth)isreached.

ImportantNote

Error-disable(err-disabled)meansaviolationhasoccurredontheinterfaceandthatIOShaslogicallyshutdowntheport.Thisstateisnotadministrativelydown.Administrativelyshutdownmeansaninterfacehasbeenmanuallydisabledorturnedoff.

ToconfiguremulticaststormcontrolsonaCiscoIOSswitch,usethefollowingcommands:


Router(config)#interfacegigabitethernet0/1

Router(config-if)#storm-controlmulticastlevel1.0

Router(config-if)#storm-controlactionshutdown


HavingcoveredthemostcommontypesoftransmissionsinIPv4,let'stakealookattheonlyonethatisuniquetoIPv6:Anycast.

AnycastAnycastisanIPv6technologythatfunctionsasaone-to-closesttypeoftransmission.Anycastallowsmultipleservers(ordevices)tosharethesame


IPv6address.Theseserverscanbephysicallylocatedatdifferentgeographicallocationsaroundtheworld.Thisallowsaclient(user)toaccesstheclosestserverusingtheAnycastaddress.

Tounderstandhowthisworks,let'suseareal-worldscenario.TheDomainNameSystem(DNS)isanimportantserviceontheinternetasitspurposeistoresolvehostnamesforIPaddresses.GooglehaspublicDNSserversforbothIPv4andIPv6.TheIPv6primaryaddressforGoogle'sDNSserveris2001:4860:4860::8888.Thisisasingleaddressbutisaccessibletoany

deviceconnectedtotheinternet.However,2001:4860:4860::8888isnot

onlysetonasingledeviceontheinternet;rather,itissharedbetweenmultipleDNSserversaroundtheworldthatareownedbyGoogle.Asauser,whenyourdevicesendsamessagetotheIPv6address2001:4860:4860::8888,the

routingprotocolsandtechnologiesoftheinternetwillsendyourtraffictotheclosetGoogleDNSserverthathasthedestinationIPv6address.Hence,Anycastisaone-to-closesttransmission.

NowthatwehavecoveredtheessentialsofthefourtypesoftransmissionswithinanIPnetwork,let'stakealookatthevariousIPv4addressclassesandspaces.

ClassesofIPv4addressesWhodetermineswhichIPv4addresscanbeassignedtoourinternaldevices,andthosethataredirectlyconnectedto,orfacing,theinternet?WhentheInternetAssignedNumbersAuthority(IANA)becameentrustedwiththemanagementofIPaddresses,aportionofIPv4addressesweremadetobeusedontheinternetandonthedevicesthataredirectlyconnectedtotheinternet.Meanwhile,


anotherportionwasassignedtobestrictlyusableonlyoninternalnetworks,suchasahomenetworkorwithinanorganization.

InIPv4,therearetwoaddressspaces.Theseareasfollows:

PublicIPv4addressspace

PrivateIPv4addressspace

Inthefollowingsections,wewilldiscusseachaddressspacesinfurtherdetail,describingthecharacteristicsandusesofbothpublicandprivateIPaddresses.

PublicIPv4addressspaceWewillfirstdiscussthecharacteristicsofthepublicIPv4space.IANAhasdividedIPaddressesintofiveclasses.EachclassofaddressescanbeassignedtoaLayer3device,suchasarouter,modem,oranydevicethatisdirectlyconnectedtotheinternet,includingafirewallappliance.

ThefollowingtableshowseachclassandtheirIPv4addressrangesforthepublicspace:


Figure3.18–IPv4publicaddressspace

ClassesA,B,andCcanbeassignedtoanydevicethatisdirectlyconnectedtotheinternet,whileClassDisreservedformulticastcommunications.ClassEisreversedforexperimentalusage.

Importantnote

FurtherinformationontheIPv4addressspacecanbefoundathttps://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml.

Additionally,withintheClassA,B,andCnetworkranges,therearecertainnetworkblocksmissing.Thesemissingnetworkblocksfromthepublicspacearereservedfortheprivateaddressspace.

Importantnote

IPv4ClassDandClassEaddressescan'tbeassignedtoanydevices.



EachdeviceontheinternetmusthaveauniqueIPv4publicaddress.ThisaddressisprovidedbythelocalISPandthecustomerisresponsibleforassigningittotheircompany'srouterorfirewallappliance.

Thefollowingdiagramshowsanorganizationthathasaroutertointerconnecttheirprivate,internalnetworktotheinternet–thepublicnetwork:

Figure3.19–Internetconnectivity

Asyoucansee,thepublicIPaddressisassignedtothepublic/internet-facinginterface.Inareal-worldscenario,thepublicIPaddressisprovidedbytheISPtothecustomer.Intheprecedingdiagram,CompanyXisthecustomer.TheISPusuallyprovidestheorganizationwithadefaultgateway.ThisisanIPaddresswithintheISPnetworkthatallowsCompanyXtoforwardalltheirtrafficdestinedfortheinternetviatheISP.However,residentialcustomers(homeusers)areusuallyprovidedwithamodemthatisalreadypre-configuredtoreceiveapublicIPaddressfromtheISPandthedefaultgatewayconfigurationsautomatically.


Thesepublicaddressesareusuallysaidtoberoutableonthe

internetcomparedtoprivateIPaddresses.Inthenextsection,wewill

discusstheusageofprivateIPv4addresses.

PrivateIPv4addressspaceThereareapproximatelyfourbillionpublicIPv4addressesintheworld.Tobeexact,thisis2 thenumberofaddressesthatexistinthepublicspace.Fourbillionprobablyseemslikealot,butintoday'sworld,thisnumberofpublicIPv4addresseshasalmostcompletelybeenexhausted.Atthetimeofwritingofthisbook,almostallRIRshaveexhaustedtheirpublicIPv4addressblocks.

Overthepastdecade,therehasbeenahugeriseinmanufacturingsmarttechnologiessuchasmobiledevicesandinternet-connectedsensors.EachofthesedevicesrequiresanIPtocommunicateovertheinternet.Furthermore,cloudcomputinghasbeenskyrocketing,allowingorganizationsandindividualstodeployvirtualmachinesonthecloudeasily.ThesevirtualmachinesrequireauniqueIPaddressaswell.

So,fourbillionisn'tahugeamountofpublicIPv4addressesconsideringthattherearesomanydevices.Additionally,ifeachdeviceonaprivatenetwork(computers,servers,printers,andsoon)wereassignedauniquepublicIPv4address,eachRIRwouldhaveexhaustedtheirIPv4poolslongbefore2013.

IfdeviceswithinaprivatenetworksuchasahomeorwithinanorganizationarenotusingapublicIPv4address,whattypeofaddressaretheyusingtocommunicateontheinternet?RFC1918definesthreeclassesofIPv4

addressesthataredesignatedtobeassignedonlywithinaprivatenetwork.

32


ThefollowingaretheprivateIPv4addressspaces:

Figure3.20–PrivateIPv4addressspace

PrivateIPv4addresses,asdefinedinRFC1918,arenon-routableonthe

internet.ThismeansanydevicethatisdirectlyconnectedtotheinternetcanonlyuseapublicIPaddress.ISPsusuallyplaceafilteronthelinkbetweentheISPnetworkandtheircustomertofilteranyIPaddressthatisnon-routableontheinternet,whicharethoseoutlinedinRFC1918.

Importantnote

FurtherdetailsonRFC1918canbefoundat

https://tools.ietf.org/html/rfc1918.

Typically,whenaresidentialorbusinesscustomersubscribestointernetservicesfortheirhomesororganizations,theISPusuallyassignsasinglepublicIPv4addresstothecustomer.Forresidentialcustomers,apre-configuredfibermodemisusuallyprovidedthatisautomaticallyassignedapublicIPv4addressfromtheISPnetwork.Ontheotherhand,forbusinesscustomers,theISPsometimesprovidethecustomerwiththepublicIPv4settingsthataretobeplacedonthe


https://tools.ietf.org/html/rfc1918

public-facinginterfaceofthecustomer'srouter.

IfprivateIPv4addressesarenon-routableontheinternet,howareinternaldevicesabletocommunicateontheinternet?ThereisanIPservicethatallowstherouterormodemtotranslateaprivateIPv4addressintoapublicIPv4address.ThisserviceisknownasNetworkAddressTranslation(NAT).

ThefollowingdiagramshowsaNAT-enabledrouterinterconnectingbothaprivateandpublicnetwork:

Figure3.21–NetworksegmentationofprivateandpublicIPaddressspaces

InChapter9,ConfiguringNetworkAddressTranslation(NAT),wewilldiscussthefunctionalityofvarioustypesofNATinmoredetail,aswellashowtoimplementeachvariationonaCiscoIOSrouter.


Havingcompletedthissection,youarenowabletoidentifyIPv4addressesthatbelongtoboththepublicandprivateaddressspaces.Inthenextsection,wearegoingtodiscusstheimportanceofthesubnetmaskandhowithelpsusintheworldofcomputernetworking.

SpecialIPv4addressesIntheIPv4addressspace,therearethreespecialnetworkblocksthatarereservedforspecialusage.ThesespecialIPv4addressesareasfollows:

Loopbackaddress

Test-Net

LinkLocal

Inthissection,wewilllookateachoftheircharacteristicsandusecases.

LoopbackaddressTheloopbackrangeofanaddressisbuiltintotheTCP/IPprotocolsuite.Thisrangeofaddressesallowsanapplicationrunningonahostmachinetocommunicatewithanapplicationonthesamemachine.Toputitmoresimply,loopbackaddressesallowahostoperatingsystemtosendnetworktraffictoitself.

Thenetworkblockisreservedforloopbackandhastherange127.0.0.1/8

to127.255.255.254/8.Therefore,totestthefunctionalityoftheTCP/IP

protocolsuite,youpinganyaddressfromtheloopbackrange.Mostcommonly,networkprofessionalspingthe127.0.0.1address.


Test-NetAccordingtoRFC3330,theblockofaddresses192.0.2.0/24to

192.0.2.255/24arecreatedforusagewithinprotocolandvendor

documentation.Assuch,theseaddressesshouldnotbeusedontheinternetviaanydevice.TheTest-Netnetworkblockisdesignedforeducationalpurposes.

LinkLocalMostcommonly,wheneveryouconnectadevicesuchasmartphoneorcomputertoanetwork,thedeviceseeksoutaDynamicHostConfigurationProtocol(DHCP),whichprovidesautomaticassignmentofIPconfigurationstothedevice.WithoutanIPaddress,asubnetmask,andadefaultgateway,yourdevicewillnotbeabletocommunicateonthelocalnetwork,andwithoutadefaultgateway,thereisnoconnectivitytotheinternet.

IntheeventthatadeviceconnectstoanetworkwherethereisnoactiveDHCPservertoprovideautomaticIPconfigurations,thedevicewillautomaticallyassignitselfaspecialaddress.ThisisknownastheAutomaticPrivateIPAddressing(APIPA)scheme.Ithasanetworkblockof169.254.0.0/16,

andtheAPIPAnetworkhastherangeof169.254.0.1/16to

169.254.255.254/16.

ThepurposeofAPIPAistoenabledeviceswithinthesameLANtoestablishatleastabasicformofcommunicationbetweenthemselvesuntilanactiveDHCPserverismadeavailable.

HavingcompletedthissectionandlearnedaboutthevarioustypesofIPv4


addresses,let'stakealookatunderstandingthepurposeofthesubnetmask.

SubnetmaskAnIPaddressisnotcompletewithoutbeingassociatedwithasubnet(work)mask.Thesubnetmaskhasthefollowingcharacteristicsandresponsibilitiesonanetwork:

IPv4subnetmasksare32bitsinlength,whileIPv6subnetmasksare128

bits.

AsubnetmaskisusedtoidentifyboththenetworkandhostportionsofanIPaddress.

Asubnetmaskisusedtoassistusandnetworkdevicesindeterminingthetotalnumberofnetworks,aswellasthetotalusableIPaddressesthatexistonanIPsubnet.

Thesubnetmaskisusedtohelpahostdevicedeterminewhetherapacketshouldbesenttothedefaultgatewayiftheintendeddestinationisbeyondthelocalnetwork.

Aswehavelearnedintheprevioussections,therearetypicallythreeclasses(A,B,andC)ofassignableIPaddressesforbothpublicandprivateaddressspaces.Similarly,therearethreedefaultsubnetmasksforeachclassofIPv4address.

Thefollowingarethethreedefaultsubnetmasksforclass:

ClassA:255.0.0.0

ClassB:255.255.0.0


ClassC:255.255.255.0

IfyouareusinganIPaddressfromaClassAnetworksuchas10.1.2.3,the

associateddefaultsubnetmaskwillbe255.0.0.0.AClassBIPv4address

suchas172.15.5.6willbeassociatedwiththeClassBsubnetmask

255.255.0.0,andsoonforaClassCaddressaswell.However,inalotof

situations,thecustomsubnetmasksareassignedIPaddresses.Inthenextsection,Subnetting,wewillcoverthetopicsofsubnettingandVLSM,whereyouwilllearnaboutcustomsubnetmasks.

NetworkprefixPriortostartingyourjourneyingainingyourCCNAcertification,youmayhaveseenanIPaddresssuchas10.10.1.2/8andwonderedwhatthe/8partwas

allabout.Thisisknownasthenetworkprefix.Thenetworkprefixisanotherformatthatiscommonlyusedwithinthecomputernetworkingworldtorepresentasubnetmaskinasimplifiedform.

Youareprobablywonderinghow/8isequalto255.0.0.0.Toanswerthis

question,let'stakealookatthebinaryformatofthesubnetmask:

Decimalformat:255.0.0.0

Binaryformat:11111111.00000000.00000000.00000000

Whenwritingasubnetmaskinbinary,it'salwayswrittenwithacontinuouslengthof1s.Thereareno0sbetweenany1swithinasubnetmask;the0sareplacedafterthestreamof1shasended.Lookingatthepreviousexample,thereareeight1swithinthe255.0.0.0subnetmask.


Therefore,thenetworkprefixcanbewrittenas/8torepresentadefaultClassA

subnetmask.

Let'sdeterminethenetworkprefixforaClassBsubnetmask:


Binaryformat:11111111.11111111.00000000.00000000

Inthisexample,thereareatotalof161swithinthesubnetmask.Therefore,thenetworkprefixcanbedenotedas/16.

Lastly,incalculatingthenetworkprefixforthedefaultClassCsubnetmask,wegetthefollowing:


Binaryformat:11111111.11111111.11111111.00000000

Asexpected,thereare241swithinthedefaultClassCsubnetmask,sowegeta/24networkprefix.

Whenattemptingtodeterminethenetworkprefixofacustomsubnetmask,weconverteachoctetofthecustomsubnetmaskintobinary.Yourresultsshouldprovideyouwithacontinuousstreamof1s.Calculatingthetotalnumberof1swillgiveyouthe/xvalue,wherexisthenumberof1sinthesubnetmask.

Let'simagineyouhavetodeterminethenetworkprefixforthefollowing:

IPaddress:192.1.2.3

Subnet:255.255.224.0


Performthefollowingstepstoquicklygainouranswer:

1. Convertthefirstoctetintobinary.Wewillget255=11111111.

2. Convertthesecondoctetintobinary.Wewillalsoget255=

11111111.

3. Convertingthethirdoctet,weget224=11100000.

4. Forthelastoctet,0=00000000.

5. Puttingtheentirebinarysubnettogether,weget11111111.11111111.11100000.00000000.Thereare191sin

thesubnetmask255.255.224.0,sowecansimplydenotethenetwork

prefixas/19andtheIPaddressas192.1.2.3/19.

Nowthatyouhavetheskillstocalculatethenetworkprefix,let'stakeadeeperlookatidentifyingtheNetworkID.

IdentifyingtheNetworkIDConfiguringIPaddressesandsubnetmaskstodevicesisasimpletask.However,ifeitheranIPaddressorsubnetmaskisincorrectlyassignedtoadeviceonthenetwork,thedevicewillnotbeabletocommunicatewithothers.Toillustratethistheory,thefollowingdiagramshowsacomputerthatisunabletocommunicatewiththerouter:


Figure3.22–Smallnetwork

Consideringallthedevicesarepoweredonandtherightcablesarebeingusedtoconnecteachdevicetoanother,whatcouldbetheissue?Aswecansee,theIPaddressesandsubnetmaskseemtobecorrectastheyarejustafewIPaddressapart,butisthisreallyaccurate?Let'sdetermineifthePCandrouterbothexistonthesamelogicalnetwork.Visually,bothdevicesexistonthesamephysicalnetwork,butinthefieldofnetworks,wecanlogicallysegmentaphysicalnetworkintomultiplelogicalIPnetworks.

Inthisscenario,let'sperformsomecalculationstodetermineifthePCisonthesamelogicalnetworkastherouter,thusdeterminingtheNetworkIDforeachdevice.TheNetworkIDissimplythecommunityaddress,similartoaneighborhoodwhereeachhomesharesthesamecommunityaddresswithdifferinghouseormailboxnumbers.

TodeterminetheNetworkID,youneedtoperformalogicaloperationknownasANDingbetweentheIPaddressandsubnetmaskofadevice.


ThefollowingarethelawsofAND:

0AND0=0

0AND1=0

1AND0=0

1AND1=1

Wecandeterminewhethertwodevicesareonthesamelogicalnetworkasfollows:

1. Convertthecomputer'sIPaddressandsubnetmaskintobinaryformatusingtheLawsofAND.WhentheIPaddressisANDagainstthesubnet

mask,theresultisknownastheNetworkID.

ThefollowingsnippetshowstheANDingprocessforPC1:

Figure3.23–NetworkIDforPC1

2. ConvertPC1'sNetworkIDintodecimal,whichdeterminesthatPC1belongstothe192.168.1.0/25network.

3. Let'sperformtheANDingoperatingontherouter'sIPaddressandsubnetmask.


ThefollowingsnippetshowstheANDingprocessfortherouter:

Figure3.24–NetworkIDfortherouter

4. Convertingrouter'sNetworkIDintodecimal,wecandeterminethattherouterbelongstothe192.168.1.128/25network.

Inconclusion,eventhoughtheprecedingdiagramshowsthatthedevicesarephysicallyinterconnected,thisdoesnotmeanthateachdevicehasend-to-endconnectivitywiththeothers.Inourcalculation,wehaveprovedthatboththecomputerandtherouterwereondifferentlogicalnetworks,hencetheywon'tbeabletointercommunicate.Tosolvesuchissues,it'samatterofassigningthePCanIPaddressfromtherouter'snetworkorviceversa.

NowthatyouhavetheskillstodetermineNetworkIDsandhelpsolveinterconnectivityissuesonanetwork,let'slearnhowtoperformsubnetting.

SubnettingHearingthewordsubnettingcanbeabitintimidatingwhenlearninganetworking-relatedcertification.However,learningsubnettingisunavoidableonyourjourneytobecominganawesomenetworkengineer.Youmaybewondering,whatissubnettingandwhydoweneedtolearnhowtoperformthis


taskasanetworkingprofessional?Togetabetterunderstandingoftheanswertothisquestion,let'suseasimpleanalogy.Let'simagineyouarethenetworkadministratoratacompanythathas6networks,andeachofthesenetworkshas

nomorethan50devicesthatrequireanIPaddress.

ItwouldbeeasytosimplytakeaClassCnetworkblocksuchas192.168.1.0/24andassignittothenetwork,thenchooseanotherClassC

addressblocktoassigntothenextnetwork,andsoon.Thefollowingisatypicalworkablesolutionforassigningnetworkblockstothe6networks:

Network1:192.168.1.0/24

Network2:192.168.2.0/24

Network3:192.168.3.0/24

Network4:192.168.4.0/24

Network5:192.168.5.0/24

Network6:192.168.6.0/24

Usingsuchanaddressingschemeisworkablebutitisdefinitelynotefficient.Let'stakealookatwhy.Inourscenario,eachnetworkhas50devicesorless.Todeterminewhythisisn'tasuitablesolution,let'sfirstdeterminethenumberofusableIPaddressesperClassCnetworkblockusingthefollowingformula:

UsableIPaddresses=2 -2

ImportantNote

H


OnanIPv4network,boththeNetwork-IDandBroadcastIPaddressescan'tbeassignedtoanydevice.Therefore,wesubtract2fromthetotalnumberofIP

addressestogettheusableamountonanetwork.

SincethereareeighthostbitsinanyoftheClassCnetworks,wegetthefollowingresults:

UsableIPaddresses=2 –2

=2 –2

=256–2

=254usableIPaddressesper

ClassCnetwork

Ineffect,eachnetworkwillhaveawastageofapproximately204IPaddresses

(254–50hosts).Imagineifeveryoneassignedhugenetworkblockstotheir

networkinfrastructurewithoutbeingconcernedaboutthewastageofaddresses.Onalargerscale,ifISPsdistributedlargenetworkblockstoorganizationswhodonotrequiremorethanjustafewIPaddresses,thepublicIPv4networkblockswouldhavebeenexhausteddecadesago.

Thisbringusbacktounderstandingthereasonswhyweneedtosubnet.Theprocessofsubnettinghasthefollowingbenefits:

ToefficientlydistributeIPaddresseswiththeleastwastage

Tocreatemorenetworkswithsmallerbroadcastdomains

Whyishavingalargebroadcastdomainabadthing?Imaginethatanetworkhasapproximately300devices,andafewhostsaregeneratingunnecessary

H

8


broadcastpackets.Alltheotherdeviceswillreceivethebroadcastmessageandprocessit.Alargebroadcastdomainwithmanyhostdevicescan,ineffect,slownetworkoperationsifthereisasignificantamountofnetworktraffic,suchasbroadcaststorms.Toputthissimply,it'slikerush-hourinthemorningorevening,wheretherearetoomanyvehiclesontheroad.Thisresultsintrafficcongestionandcommuterstakinglongertoreachtheirdestination.

Bycreatingsubnets,youcanreducethesizeofabroadcastdomain.UsingaLayer3switchorarouter,thesesubnetscanbeinterconnected,thusallowingusersanddevicestocommunicate.Subnetscanbedeterminedbythelocationofbranchesanddepartmentswithinabuilding,suchasHumanResources,Accounting,Sales,Administration,andsoon.

Tofurtherhelpyouunderstandsubnetting,let'stakeadiveintosomehands-onexercises.Togetstarted,let'screateasimplescenario.ImagineyouarethenetworkadministratorforCompanyX,afictional-basedcompanywithfourofficelocations.EachbranchhastheirownLAN,andeachbranchisconnectedtotheHQlocation.

Thefollowingdiagramshowsavisualrepresentationofthenetworktopology:


Figure3.25–Networkdiagram

YourobjectiveistodesignanIPschemetoensuretheleastwastageandthateachbranchlocationhastheirownsubnet.Togetstartedwiththisassignment,thefollowingsectionswillguideyouthroughhowtocreateanefficientdesignforthenetworktopology.

Step1–DeterminingtheappropriateIPaddressTobegin,let'sdeterminewhichclassofIPaddressingismostsuitableforour


networktopology.Asyoumayrecall,therearethreeaddressclasses:A,B,andC.EachclasshasauniquenumberofavailableIPaddressesbasedontheirdefaultsubnetmasks.

Tohelpusfigureoutwhichisthebestclass,let'susethefollowingformulatodeterminethetotalnumberofIPaddressesofeachclass:

TotalnumberofIPaddresses=2

Here,HrepresentsthenumberofhostbitsinanetworkID,whichis4.

Inthisstep,weareusingthesubnetmasktohelpusdeterminethenumberofIPaddressavailableinanetwork.The1sinthesubnetmasksidentifythenetworkportionofanIPaddress,whilethe0sidentifythehostportionofanIPaddress.

Thefollowingtableillustratesthedefaultsubnetsforeachclassandtheirbinaryequivalent:

Figure3.26–Subnetmasks

Let'useourformula,adjustto2 ,todeterminethetotalnumberofIPv4

addressesperclass:

ClassA=adjustto2 =16,777,216totalIPaddresses

H

H

24

16


ClassB=adjustto2 =65,536totalIPaddresses

ClassC=adjustto2 =256totalIPaddresses

Furthermore,whenassigningIPv4addressesonanetwork,therearetwoaddressesthatcan'tbeassigned.ThesearetheNetworkIDandbroadcastaddresses.Therefore,todeterminethenumberofusableIPaddresses,youneedtosubtracttwoaddressesfromthetotalnumberofIPaddressesforanetworkblockorsubnet.

TocalculatethenumberofusableIPaddresses,usethefollowingformula:

NumberofUsableIPaddresses=adjustto2 -2

Thefollowingarethenumberofusable(assignable)IPv4addressesforthefollowingclass:

ClassA=Adjustto2 –2=16,777,214usableIPaddresses

ClassB=Adjustto2 –2=65,534usableIPaddresses

ClassC=Adjustto2 –2=254usableIPaddresses

Next,weneedtoidentifythetotalnumberofnetworkswithinthetopologyandthesizeofeachnetwork.Wehavethefollowingsevennetworks:

HQLAN:28hosts

BranchALAN:26hosts

BranchBLAN:25hosts

16

8

H

24

16

8


BranchCLAN:15hosts

WAN1(R1-R2):2IPsareneeded



UsingaClassAisnotsuitableastherewillbeover16millionIPaddressesbeingwasted.UsingaClassBwillresultinappropriately65,000addresses

beingwasted.ThisleavesuswithusingaClassCnetworkblock(asit'sthesmallestnetworkblockavailable),with254usableIPaddresses.

ImportantNote

Keepinmindthatwhencreatingsubnets,eachnewlycreatedsubnetworkmustbeabletofitthelargestnetworkinyourtopology.

Overthefollowingsteps,wewillbeusingthesubnetmasktohelpusdeterminewhatportionofthenetworkIDorIPaddressisthenetworkportion,andwhatpartisthehostportion.

Step2–Creatingnewsubnets(subnetworks)Whencreatingsubnetworks(subnets),weneedtoconvertthebitsonthehostportionoftheaddressintonewnetworkbits.Thisprocessallowsustocreatenewnetworks(subnets)whilereducingthenumberofIPspernetwork.


Togetstarted,let'susetheClassCnetworkblock192.168.1.0/24.When

weconvertboththeIPaddressandsubnetmask,thefollowingresultswillbeobtained:

Figure3.27–NetworkIDanddefaultsubnetmask

The1sinthesubnetmasktellsustheportionoftheIPaddressthatbelongstothenetwork,whilethe0sinthesubnetmaskindicatethehostportionoftheIPaddress.Asyoucansee,thenetworkportionoftheaddressisthefirst24bits,

whilethelast8bitsrepresentthehostportion.Remember,allthehostsona

subnetwillhavethesamenetworkportionfortheirIPaddress,whileeachhostwillhaveauniquevalueinthehostportion.

Wecanusethefollowingformulatodeterminethenumberofnetworks:

Numberofsubnets=Adjustto2

Nrepresentsthenumberofhostswearegoingtoconvertintonewnetworkbits.

Inthepreviousimage,wherethe1sstopinthesubnetmask,wecanbegintakinghoststoconvert.Let'staketwohostsandsubstituteinourformulatodeterminethenumberofnetworkswecancreate:

N


Figure3.28–Usingtwohostbits

Whenwetakebitsofthehostportionoftheaddress,thesubnetbitsarechangedto1storepresentthenetworkportionoftheaddress.

Tocalculatethenumberofsubnets,usethefollowingformula:


adjustto2 =2x2=4subnets

Using2bitsisn'tsufficientasitonlygivesus4subnets.However,ourgoalisto

create7subnets,witheachsubnethavingthecapacitytosupportourlargest

networkof28hosts.Let'stakeanadditionalhostbitandperformour

calculationsonemoretime:

Figure3.29–Usingthreehostbits

Wedothisusingourformula,whereN=3:


N

2

N

3


Adjustto2 =2x2x2=8subnets

Usingthe3bits,weget8subnets.Keepinmindthatwereallyneed7subnets

butusing2bitsfromthehostportionwasnotsufficient.Therefore,weneedto

usethe3bitsandmakethemintonetworkbits.Theadditionaleighthnetwork

canbereservedforfurtherusage.

Havingestablishedthat3bitsarebeingtakenfromthehostportionofthe

address,weareleftwith5hostbits.Weneedtoensurethishost'sbitsare

sufficienttocreateenoughIPaddressestofitourlargestnetworkinthetopology.Therefore,wecanusethefollowingformulatodeterminethetotalnumberofIPaddressespernetwork:

TotalnumberofIPaddress=adjustto2

adjustto2 =2x2x2x2x2=32totalIP

address

These5hostbitsgivesusatotalof32IPaddressespersubnet.However,wecannotassigntwospecificIPv4addressestoanydevice:theNetworkIDaddressandthebroadcastIPaddress.Therefore,wecanusethefollowingformulatocalculatethenumberofusableIPaddresses:

NumberofusableIPaddress=Adjustto2 –2

adjustto2 –2=32–2=30usableIPaddresses

Thismeansthat,basedonourcalculations,wewillbeabletotakethreehostsfromtheaddressandcreateatotalof8subnets.Eachoftheseeightsubnetworks

willhave30usableIPaddresses.Wenowhaveaworkablesolution.Lastly,

3

H

5

N

5


whentakingbitsfromthehostportion,thesubnetbitsmustalsobechangedfrom0sto1s.The1srepresentthenetworkportionoftheaddress.Sincewetook3hostbits,wehaveanewsubnetmaskforeachofthenewsubnetsweareabout

tocreate.Therefore,ournewsubnetforeachofthe8networksis

255.255.255.224,withanetworkprefixof/27.

Importantnote

Keepinmindthateachtimeweperformasubnettingprocess,theoriginalnetworkisbrokendownandeachnewnetworkwecreateissmallerthantheoriginal.However,eachsubnetworkthat'screatedisofequalsize.

Beforewebegintocreatetheactualsubnetworks,pleasebesuretousethefollowingguidelines:

DonotmodifytheoriginalnetworkportionoftheIPaddress(thefirst24

bits).

DonotmodifythenewhostportionoftheIPaddress(thelast5hostbits).

Onlymodifythenewnetworkbits(the3hostbitsthatweareconverting

intonetworkbits).

Whenmodifyingthenewnetworkbits,wesimplychangethe0sinto1stocreateallthedifferentpossibilities.Thefollowingarethecalculationsusedtocreatethe8newsubnets:


Figure3.30–Creatingeightsubnets

AlwaysremembertostartwiththeoriginalNetworkIDwhenperformingsubnetting.Inourcalculations,thefirstsubnetisthe192.168.1.0/27

network.Eachofoursubnetsisanincrementof32,andthisvalueisderived

fromourformula,whichisusedtocalculatethenumberoftotalIPaddresses.

Tip

Attimes,calculatingthebinarymaybechallenging.However,eachsubnetisequalinsize.Thismeansusingtheformula2x(xrepresentsthenumberofbits)

willprovideyouwiththeincrementalvalueforeachNetworkID.ThistechniquewillhelpyouincalculatingthenewNetworkIDs(subnets)quickly.Additionally,thelastsubnet(NetworkID)inyourcalculationalwaysendswiththelastpartofthenewsubnetmask.


NowthatwehavecalculatedallourNetworkIDs(subnets),inthenextstep,youwilllearnhowtocalculatethenetworkrangeforasubnet.

Step3–AssigningsubnetstoeachnetworkInthisstep,wearegoingtoperformafewtasks,suchascalculatingthenetworkranges(suchasthefirstandlastusableIPaddresswiththebroadcastIPforeachnetwork).Toperformyourcalculationsefficiently,usethefollowingguidelines:

Calculateallsubnets(NetworkIDs)asyourfirsttask.

TocalculatethefirstusableIPaddress,usetheNetworkID+1

formula.Inbinary,thefirstbitfromtherightissetto1.

TocalculatethebroadcastIPaddress,usetheNextNetworkID–1

formula.Inbinary,allhostbitsarechangedto1s.

TocalculatethelastusableIPaddress,usetheBroadcastIP

address–1formula.Inbinary,allhostbitsare1sexceptforthelast

bitintheaddress.

Now,let'sapplyourguidelines,calculatethefirstsubnetrange,andassignittotheHQLANnetwork:


Figure3.31–Subnet1range

Next,let'scalculatethesecondsubnetandassignittotheBranchALAN:


Next,let'scalculatethethirdsubnetandassignittotheBranchBLAN:


Next,let'scalculatethefourthsubnetandassignittotheBranchCLAN:



Wecansuccessfullyassignthefirst4subnetstoeachoftheLANsineachrespectivelocation.However,westillneedtoassignsubnetstotheWANlinksthatareinterconnectingeachbranchtotheheadofficenetwork.Therearefoursubnetsremaining.WecantakeanythreeoftheremainingsubnetsandassignthemtoeachoftheWANlinks,butthiswillnotbeefficientaseachoftheWANlinksinthetopologyonlyrequirestwoIPaddressesontherouter'sinterfaces,asfollows:

WAN1(R1-R2):2IPsareneeded.



TakinganyoneofthesubnetstoassigntoanyoftheWANlinkswillresultinthefollowingwastage:

UsableIPaddresspersubnet=Adjustto2 –2

Adjustto2 –2=32–2=30usableIPaddress

ThefollowingiswhatwegetwhenusingonlytwoIPsfromasubnet:

H

5


30–2=28IPaddresswillbewasted

WecanuseaslightlymoreadvancedtechniqueknownasVariable-LengthSubnetMasking(VLSM)tobreakasubnetdownintosmallsubnetworks.Sincewehavefourremainingsubnetsfromouroriginalcalculations,let'sreservethefollowingsubnetforfutureusage:

Figure3.35–Reservesubnets

Inthenextstep,wewillcoverhowtouseVLSMtobreaktheeighthsubnet,192.168.1.224/27,downintosmallernetworkstofitourWANlinks.

Step4–PerformingVariable-LengthSubnetMasking(VLSM)PerformingVLSMcalculationsissimplysubnettingasubnet.ForeachofourWANlinks,weonlyrequiretwousableIPaddressesoneachlink.TodeterminethenumberofhostbitsrequiredtogiveustwousableIPaddresses,usethefollowingformula:

NumberofusableIPaddresses=Adjustto2 –2

Here,Histhenumberofhostbitstakenfromtheright.

H


Forabettervisual,let'sconverttheeighthsubnetintobinary:

Figure3.36–Binary

Ifweusethe32ndbit(1bit)onthenetworkID,192.168.1.224/27,within

ourformula–Adjustto2 –2,–theresultis0usableIPaddresses.

Therefore,1hostbitisnotsufficient.Let'suseanadditionalhostbit;thatis,adjustto2 –2=2usableIPaddresses.Nowthatwehaveaworkable

solution,wesimplyneedtopermanentlymakethelast2bits(00)fromthe

NetworkID192.168.1.224theonlyhostbits,whiletheremaininghostsare

convertedintonetworkbits.ThisisalittlebitofreverseengineeringwherewestartcalculatingthehostIPaddressfirst,followedbythenumberofnetworks.

Furthermore,wewillhavethreenewnetworkbits,whichprovideusthefollowingformula:


Adjustto2 =2x2x2=8subnets

Additionally,wecanflipthenewnetworkbitsinthesubnetmask,asshownhere:

H

2

N

3


Figure3.37–Newsubnetmask

Hence,eachofthe8newlycreatedsubnetswillhaveasubnetmaskof

255.255.255.252,oranetworkprefixof/30.

Let'scalculatethetotalnumberofIPaddressespersubnetandournetworkincrementalvalue:

TotalnumberofIPaddress=Adjustto2

Adjustto2 =4totalIPaddresses

Here,eachnumberwillhaveonlytwousableIPaddresses,adjustto2 –2=

4–2=2.

Beforewebegintocreatethenewsubnetworksfromthe192.168.1.224/27

networkblock,pleasebesuretousethefollowingguidelines:

DonotmodifytheoriginalnetworkportionoftheIPaddress(thefirst27

bits).

DonotmodifythenewhostportionoftheIPaddress(thelast2hostbits).

Onlymodifythenewnetworkbits(the3hostbitsthatweareconverting

intonetworkbits).

Whenmodifyingthenewnetworkbits,wesimplychangethe0sinto1stocreateallthedifferentpossibilities.Thefollowingarethecalculationstocreatethe8

newsubnets:

H

2

H


Figure3.38–NetworkscreatedviatheVLSMnetwork

Now,wehave8newnetworksthatcanbeusedforpoint-to-pointWANlinks.

Let'scalculateandassignthesubnetsaccordingly.

Let'scalculatethefirstsubnetandassignittoWAN1(R1-R2):

Figure3.39–WAN1allocation

Next,let'scalculatethesecondsubnetandassignittoWAN2(R2-R3):



Next,let'scalculatethethirdsubnetandassignittoWAN3(R3-R4):


Havingallocatedthefirstthreesubnetsofthe/30networks,weareleftwith

fiveadditionalnetworks,asshownhere:


connectedappliancestohomesecuritysystems.Theneedforinternetconnectivityisanever-increasingdemand,hencethecreationofanewaddressspace.

ThefollowingisabriefsummaryofIPv4exhaustionstatistics:

APNIC:ExhaustedinApril2011

RIPENCC:ExhaustedinSeptember2012

LACNIC:ExhaustedinJune2014

ARIN:ExhaustedinJuly2015

AfriNIC:Expectedtobeexhaustedin2019

ThisiswhereIPversion6comesin.BackinDecember1995(circa),theIANAwasentrustedtomanagetheIPv6addressingscheme(RFC1881).ThismeansthatIPv6wasdevelopedandreadyfordistributionalongtimeago.IANA,RIRs,andASwerewaitingforthelastsetofpublicIPv4addressestobeexhaustedbeforedistributingandassigningIPv6addressestocustomersandinternet-connecteddevices.

UnlikeIPv4–whichis32bitsinlengthwithapproximatelyfourbillionpublic

IPv4addresses–anIPv6addressis128bitsinlength,whichprovides

approximatelyoneundecillion(10 )addresses.EachIPv6addresshaseighthextets,eachofwhicharemadeupof16bits.Thismeans8hextetsx16bitsperhextet=128bits.

Additionally,IPv6iswrittenusinghexadecimalvaluesandnotdecimal,aswithIPv4.Hexadecimalvalueshavethefollowingrange:

36


0123456789ABCDEF

Eachhextethastherange0000–FFFF.

TogetabetterideaofIPv6addressing,let'stakealookatthefollowingaddress:

2001:0DB8:0000:1111:0000:0000:0000:0200

Noticeeachhextetisseparatedwithacolon(:).

ThecoolthingaboutwritinganIPv6addressisthatthealphabeticalcharacters(A-F)arenotcase-sensitive.Thismeansthatregardlessofwhetheryouusealowercaseoruppercasecharacterwithintheaddress,thedevicewillacceptit.

Additionally,wewritetheprecedingIPv6addressinashortenedformat.Theleadingzeros(0s)inahextetcanberemovedastheyhavenovalue.Therefore,ifanIPv6addresshasahextetof0000,wecanuseasingle0torepresentthe

entirehextet,asshownhere:

2001:DB8:0:1111:0:0:0:200

Additionally,whentherearetwo(2)ormorehextetswithacontinuousstreamofzeros,youcansubstitutetwoormorehextetswithadoublecolon(::),as

shownhere:

2001:DB8:0:1111::200

ThisistheshortestformoftheoriginalIPv6address.Lastly,thedoublecolon(::)canbeusedonlyoncewithinanIPv6address.

ImportantNote


ThedefaultsubnetmaskofanIPv6addressis/64.Thismeansthatthefirsthalf

ofanIPv6addressisknownastheprefix,whilethesecondhalfisreferredtoastheInterface-ID.IncomparisontoIPv4,PrefixisthenetworkaddresswhileInterface-IDisthehostaddress.

Natively,devicesassignedIPv4addresseswon'tbeabletoexchangemessageswithadevicethathasanIPv6address.ToallowintercommunicationbetweenthesetwoversionsofIP,thefollowingmethodsareused:

Dualstacking

NAT64

Tunneling:6to4and4to6

DualstackingallowsasingleNetworkInterfaceCard(NIC)tobeconfiguredwithbothIPv4andIPv6addresses.ThisallowsthedevicetousetheIPv4addresstocommunicatewithdevicesonanIPv4network,whiletheIPv6addressisusedtocommunicatewithdevicesonanIPv6network.

ThisispossiblebecausetheinternetlayerofTCP/IPisresponsibleforencapsulatingthedatagramintheappropriateIPversionbeforepassingitdowntothelowerlayeroftheTCP/IP.

ImportantNote

FurtherinformationaboutIPv6addressmanagementcanbefoundathttps://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml.

ThefollowingdiagramshowseachfieldwithinanIPv6packet:



Figure3.43–CompositionofanIPv6packet

EachfieldwithintheIPv6packetplaysanimportantrolewhentransmittingamessagefromonedevicetoanother.Thefollowingarethenamesanddescriptionsofeachfield:

Version:ThisfieldisgenerallyusedtoidentifytheversionoftheIP,suchasIPv4andIPv6.

TrafficControl:ThisfieldplaysanimportantrolewhenusingQualityofService(QoS)toolsonanetworkandhasthesamefunctionalityastheDifferentiatedServices(DS)fieldofanIPv4packet.

FlowControl:Thisfieldisusedtoinstructareceivingroutertoprocessallpacketsthathavethesameflowlabelinthesameexactway.

PayloadLength:Thisfieldcontainsthesizeofthedataportion.

NextHeader:Thisfieldidentifiesthenetworkprotocolthatthedatagrambelongstoonthedestinationhost.


HopLimit:ThisfieldisequivalenttotheTTLfieldwithinanIPv4packet.

SourceIPv6Address:Specifiesthesender'sIPv6address.

DestinationIPv6Address:Specifiesthedestination'sIPv6address.

Next,let'stakealookatvarioustypesofIPv6address.

TypesofIPv6addressesSimilartoIPv4,therearevarioustypesofIPv6addresseswithuniquepurposesonanIPv6network.Inthissection,wewilllookatthefollowingtypesofIPv6address:

Globalunicast

Loopback

Link-Local

Uniquelocal

Anycast

Multicast

ModifiedEUI64

Inthissection,wewillunderstandthecharacteristics,functionality,andpurposeofeachtypeofIPv6address.


GlobalunicastSimilartousingterm"public"todescribeaninternetassignableIPv4address,intheIPv6world,thepublicaddressisreferredtoasaglobalunicastaddressandbelongstothe2000::/3networkblockofaddresses.

LoopbackThereisalsoalookbackaddressintheIPv6addressspace,whichisknownas::1/128.TheloopbackIPv6addresshasthesamefunctionalityastheIPv4

version,asmentionedintheprevious,SpecialIPv4addresssectioninthischapter.However,theloopbackaddressinIPv6isasingleaddressonly,unlikeIPv4,whichhasanetworkblock.

Link-LocalWithinanIPv6network,aninterfaceusuallyhastwoIPv6addresses:aglobalunicastaddressandaLink-Localaddress.Theglobalunicastaddressisusedwhencommunicatingbeyondthelocalnetwork.However,whenadevicewantstoexchangemessageswithanotherdeviceonthesamelocalnetwork,theLink-LocalIPv6addresstakeeffect.

Importantnote

OnaLAN,whendeviceswanttoexchangemessages,theyusesourceanddestinationMACaddressesbecauseswitchesareonlyabletoreadLayer2headerinformationsuchassourceanddestinationMACaddresses.Therefore,whenadevicewantstosendamessagebeyondtheLAN,thesenderdevicewill


setthedestinationMACaddressofthedefaultgatewayonthemessage,andusethedestinationIPaddressastheactualdestinationdevice,suchasthewebserver.

TheIPv6Link-LocaladdressplaysthesameroleforLANcommunicationbetweendevicesthatarelogicallyconnectedtothesamenetworksegment.TheIPv6link-localaddressbelongstotheFE80::/10networkblock.Keepin

mindthatthelink-localaddressisusedforlocalcommunicationonly.

UniquelocalTheuniquelocaladdressfunctionssimilarlytoprivateIPv4addresses,whichonlyallowcommunicationonalocal(private)network.TheuniquelocaladdressblockisFC00::/7.

AnycastAsmentionedintheTransmissiontypessection,AnycastisanIPv6technologythatfunctionsasaone-to-closesttypeoftransmission.Anycastallowsmultipleservers(ordevices)tosharethesameIPv6address.

MulticastThistypeofcommunicationcanbeseenasaone-to-manytypeoftransmission.ThefollowingaretheassociatednetworkblocksforIPv6multicastaddresses:

Assigned:FF0s::/8

Solicitednode:FF02::1:FF00:0000/104


ModifiedEUI64TheremaybeatimewhenthenetworkisusinganIPv6technologyknownasStatelessAddressAutoconfiguration(SLAAC)toprovideIPv6globalunicastaddresseswithouttheuseofaDHCPv6server.SLAACisastatelessservice,whichmeansthereisnoserver(suchasaDHCPserver)tomaintainnetworkaddressingdetails.Inotherservices,whenaDHCPserverprovidesIPaddressingdetailstoaclient,theserverkeepsarecordofthetransactionsandallocationsofIPaddresses.However,withSLAAC,thereisn'tsuchafunctionality.

Therefore,onlytheprefixportionoftheIPv6addressisprovidedtoaclient.TheInterface-IDusestheEUI-64processtocreatea64-bitaddressfromthe48-bit

MACaddressoftheclient'sphysicalinterface.

Togetabetterideaofthisoperation,let'staketheMACaddressFC-99-47-

75-CE-E0andrunitthroughtheEUI-64process:

1. SplittheMACaddressinhalfbyseparatingtheOUIportionfromthedeviceportionandconvertitintobinary:

Figure3.44–MACintobinary

2. InsertFFFEin-betweentheOUIanddeviceportion:


Figure3.45–FFFEinsertedbetweentheMACaddress

3. FliptheUniversally/Locally(U/L)bit.Ifthebitis0,changeitto1andviceversa.TheU/Lbitistheseventhbitinthisexercise:

Figure3.46–FlippingtheU/Lbit

4. ConvertthebinarybackintohexadecimaltogettheEUI-64address:

Figure3.47–EUI-64address

Therefore,allEUI-64generatedaddresseswillalwayshaveFFFEinthe

middlesectionoftheInterface-IDofanIPv6address.PleasenotethattheEUI-

64addressisautomaticallygeneratedbythedevicewhenIPv6routingis

enabled.

Importantnote

OnCiscodevices,usetheipv6unicast-routingcommandinglobal


3. Usetheipv6addresscommand,followedbytheIPv6addresswith

thenetworkprefix:

R1(config-if)#ipv6address2001:DB8:1:1::1/64

4. (Optional)TomanuallyconfigureaLink-LocalIPv6addressontheinterface,usethelink-localcommandaftertheIPv6address,as

shownhere:

R1(config-if)#ipv6addressFE80::1link-local

5. Enabletheinterfaceusingthenoshutdowncommand:


NowthatyouhavelearnedhowtoconfigureIPv6globalandLink-Localaddresses,let'stakealookathowtoverifyourconfigurationsusingCiscoIOScommands.

Usingtheshowipv6interfacebriefcommand,wecanviewa

summaryofourIPv6interfaces,alongwiththeirassignedIPv6addresses,asshownhere:


Figure3.49-Outputoftheshowipv6interfacebriefcommand

Anothercommandwecanusetoverifythestatusofaninterfaceistheshow

ipv6interface<interface-ID>command.Thefollowingsnippet

showstheexpectedoutput:

Figure3.50-Outputoftheshowipv6interfacecommand

Furthermore,wecanverifytheconfigurationsundereachinterfacebyusingtheshowrunning-configcommand,butusingthepipe(|)parameter

followedbythesectioncommandandthesection'sname,asshownhere:

Figure3.51–Outputoftheshowrunning-configcommand

Havingcompletedthissection,youarenowabletoperformverificationon


CiscoIOSdevicestodetermineIPv6configurations.Inthenextsection,youwilllearnhowtoassignastaticIPv6addresstoaMicrosoftWindowscomputer.

Lab–ConfiguringIPv6onaWindowscomputerNowthatyouhavelearnedhowtomanuallyconfigureanIPv6addressonaCiscorouter,let'stakealookathowtomanuallyconfigureanIPv6addressonaMicrosoftWindowscomputer.

Togetstartedwiththistask,usethefollowingsteps:

1. OpentheWindowsControlPanelandgotoNetworkandSharingCenter.

2. Ontheleft,clickonChangeadaptersettings.

3. Right-clickonyourcorrespondingnetworkadapterandselectProperties.

4. ClickonInternetProtocolversion6(TCP/IPv6)andthenclickonProperties:


Figure3.52–Networkadapterproperties

5. UsethefollowingsettingtoassigntheIPv6address,networkprefix,anddefaultgatewayconfigurationstothePC:


Figure3.53–IPv6settingsonPC

TheDNSserversettingscanbeadjustedtoyourpreference.IamusingaCloudflareIPv6DNSserverasmyDNSserver.

6. ClickOKtosaveyoursettings.

7. Tocheckyourconfigurations,opentheCommandPromptandusetheipconfigandipconfig/allcommandstoverifyyourIPsettings

onyournetworkadapters.


Testingend-to-endconnectivityAfterconfiguringandverifyingyourIPv6configurations,thelastthingaprofessionalmustalwaysdoistestend-to-endnetworkconnectivitybetweendevices.

Onourrouter,let'stesttheconnectionbetweentherouterandthecomputeronourtopologyusingthepingcommand:

Figure3.54–PingresultsonCiscoIOS

Asyoucansee,wegotfiveexclamationmarks(!).Thismeanswehave

successfulrepliesfromthePC.Receivingadot(.)meansRequestTimeout,

whileUmeansdestinationunreachableontheCiscoIOS.Ifyouarenotgetting

asuccessfulconnection,double-checkyourconfigurationsandensurethecablesareconnectedtotheconfiguredinterfacesoneachdevice.

SummaryThroughoutthischapter,wehavecoveredtheessentialsforunderstandingboththeIPv4andIPv6addressspaces,demonstratedhowtoconvertanIPaddress


intobinary,determinedtheNetworkIDofdevices,andlearnedaboutthevarioustypesofnetworktransmissions.

YoualsolearnedhowtoidentifyeachclassofIPaddress,howtoperformsubnetting,howtodescribethecharacteristicsofbothIPv4andIPv6,andhowtoconfigureandverifyinterfacesonaCiscodevice.

IhopethischapterhasbeeninformativeforyouandhasbeenhelpfulinyourjourneytowardlearninghowtoimplementandadministerCiscosolutions,inpreparationfortheCCNA200-301certification.Inthenextchapter,WirelessArchitecturesandVirtualization,wewilllearnaboutCiscowirelessarchitecturesandvirtualizationtechnologies.


IPaddressingandsubnetting:https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.html

ConfiguringIPv4:https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_ipv4/configuration/xe-3s/ipv4-xe-3s-book/configuring_ipv4_addresses.html

IPv6addressingandconnectivity:https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/xe-3s/ip6b-xe-3s-book/ip6-add-basic-conn-xe.html


https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_ipv4/configuration/xe-3s/ipv4-xe-3s-book/configuring_ipv4_addresses.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/xe-3s/ip6b-xe-3s-book/ip6-add-basic-conn-xe.html

ImplementingIPv6addressing:https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ipv6-15-2mt-book/ip6-addrg-bsc-con.html


https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ipv6-15-2mt-book/ip6-addrg-bsc-con.html

Chapter4:DetectingPhysicalIssues,WirelessArchitectures,andVirtualizationComputernetworkinghasevolvedtremendouslyoverthepastdecade.Today,inorderfornetworkingtoadapttotheever-changinglandscapeoftheinternet,companiessuchasCisconotonlyproducephysicalnetworkdevicesandsecurityappliancesbutalsoworkwithvirtualizationandcloudtechnologies.

Weliveinanagewheresmarttechnologiesallowpeopletobemoreconnecteddigitallythanever.Wirelessnetworksneedtobeabletosupportthevastnumberofconnectedwirelessdevicesand,mostimportantly,beabletoefficientlytransportdatabetweenawirednetworkandawirelessone,andviceversa.

Throughoutthischapter,youwilllearnaboutphysicalissuesonanetwork,principlesofwirelesstechnologies,andhowtotransmitmessagesbetweendevices.Additionally,youwilllearnhowtoaccessanddeployaCiscoWirelessLANController(WLC)onanetworkandimplementbasicconfigurations.Lastly,youwillbeabletodescribevirtualizationandcloudcomputingtechnologies.

Hereisabreakdownofthetopicswewillcoverinthischapter:

Understandingnetworkswitchfunctionsandphysicalissues

Wirelessprinciples

Ciscowirelessarchitectures

Accesspointmodes


Wirelesscomponentsandmanagement

Virtualizationfundamentals

Cloudcomputing


CiscoPacketTracer:https://www.netacad.com

Wi-FiAnalyzer:https://www.microsoft.com/en-us/p/wifi-analyzer/9nblggh33n0n

UnderstandingnetworkswitchfunctionsWithnetworkengineeringcomesgreatresponsibilityandcriticalthinking.Notonlydoyouhavetoperformdeviceconfigurations,butalotofyourtimemaygointoproblem-solvingandperformingextensivetroubleshootingtechniques.Onanetwork,attimesyoumayencounterusersreportingtheyareexperiencingpoornetworkperformancesuchashighlatency.Suchissuesmaybecausedbyinterfacemisconfigurationsoraphysicalissue.

Asyouhavelearned,switchesplayavitalroleinalmostallnetworksofanysize;fromthesmall-officehomeoffice(SOHO)toalargeenterprisenetworkwithhundredsofconnecteddevices,theyarethemainnetworkintermediarydevicesthatphysicallyconnecteverythingtogether.Inthissection,wearegoingtodiscussvariousnetwork-relatedissuesthatcanaffecttheperformanceofa


https://www.netacad.com

https://www.microsoft.com/en-us/p/wifi-analyzer/9nblggh33n0n

networkandhowtoresolvethem.

Inanidealenvironment,weshouldconnectonlyoneenddevicetoasinglephysicalinterfaceonaswitch.Eachphysicalinterfaceonaswitchisknownasacollisiondomain.Acollisiondomainistheareaorsegmentinwhichadevicecangenerateasignalandisheardbyallotherdevicesonthesameareaorsegment.Asimpleexampleisalldevicesconnectedtoahub;ifonedevicesendsasignaltothehub,itisbroadcastedoutofallotherports.Therefore,alldevicesconnectedtothehubmakeupasinglecollisiondomain.Layer2switchesaresmartdevicesandaredesignedtoovercomesuchissues.Switchesareabletoisolatethesignalsontheirindividualports,thereforeeachphysicalinterfacerepresentsauniquecollisiondomain.

Importantnote

Eachinterfaceonaswitchisacollisiondomain,andeachinterfaceonarouterisalsoacollisiondomain.Ifaswitchisconnectedarouter,thesharedlinkisrecognizedasacollisiondomain.

Toensuretherearenoaccidentsorcollisions,thereshouldbeonlyonedeviceconnectedtoaswitch'sphysicalport.Therefore,whenanenddevicesuchasaPCgeneratesasignal,onlytheswitch'sinterfacewillbetherecipientofthatsignal.

Thefollowingdiagramshowstheidealphysicalsetupwhenconnectingenddevicestoaswitch:


Figure4.1–Switchinterfaces

Intheprecedingdiagram,thereareatotaloffivecollisiondomains.IfPC1generatesasignal,itisisolatedbyinterfaceFa0/1ontheswitch.WhentheframeentersFa0/1,itanalyzesthedestinationMACaddressandforwardsitonlyitsdestination.

DetectingphysicalissuesYou'reprobablythinkingthatifswitchesareabletoisolateacollisiondomaintoaninterfacelevel,thencancollisionsoccuronanetwork?Thesimpleansweriscollisionscanstilloccur,andCiscoIOSswitchesandroutersareabletogathernetworkstatistics,whichhelpsusidentifywhetherthere'sanissueinthephysicallayer.

Whatarephysicalerrorsandwhydoweneedtoidentifythem?Tohelpyou


understandtheimportanceoffindingandeliminatingacollisionsnetwork,we'lluseasimpleanalogy.Let'simagineeachday,therearehundredsofcommuterswithinacity.Somearetravelingusingpublicservices,whileothersaredrivingavehicle.Apartfromcommuters,therearealsootherswhoaretransportingitemssuchasbuildingmaterialstoaworksite.Toensurepeopledonotdrivedangerouslyontheroadways,therearelaws,drivingregulations,andvarioustrafficsignsandlightsalongeachstreet.Therearetimeswhenanunfortunateeventmayoccur,suchastwoormorevehiclescolliding,causinganaccidentonthestreet.Thiscollisiondoesnotonlyaffectthepeoplewithinthecollisionbutalsotheotherpeoplewhohavetousethatroutetoreachtheirdestination.Sometimes,withinavehicularcollisionthevehicleisbeyondrepairandtheownerhastodiscardit.Asimilarseriesofeventstakesplaceonacomputernetwork.

Todeterminewhetherthereareanyphysicalerrorsonacollisiondomain,suchasonaswitchorarouter'sinterface,usetheshowinterfaces

interface-IDcommand.Theoutputwillprovideyouwithdetailsofboth

incomingandoutgoingtraffic.You'llbeabletoseethetypesoferrorsthatareoccurringonthephysicalinterface,thetransmittingandreceivingloadontheinterface(txloadandrxload),theencapsulationtype,andothertraffic

counters.

Importantnote

Bothtxload(transmitting)andrxload(receiving)valuesaregivenin

x/255format.Ahighxvalueintxloadsimplyindicatesthepercentageof

theinterface'sbandwidththatiscurrentlybeingusedtosendtrafficinrealtime.Forrxload,thepercentageindicatestheamountoftrafficbeingreceivedon


theinterface.Iftxloadandrxloadare255/255,thismeanstheinterface

has100%saturationforbothinboundandoutboundtraffic.

Thefollowingsnippetshowstheoutputoftheshowinterfacescommands

onaCisco2960switch:

Figure4.2–showinterfacesoutput

Asanascentnetworkprofessional,itisimportanttounderstandtheinformationprovidedintheprecedingfigure.WeareabletodeterminethefollowingdetailsandstatusofFastEthernet0/1:

BothLayer1andLayer2(protocol)statusesareup,andthecableisconnectedtothephysicalinterface.


Theburned-inaddress(BIA)orMACaddressoftheinterfaceis00d0.ff55.dc01.

Youareabletoseethebandwidth(BW),delay(DLY),reliability,currenttransmittingload(txload),andreceivingload(rxload)ontheinterface.

Bothspeedandduplexmodes.

Inputandoutputflowcontrol.

Thelowersectionintheoutputistheareathatprovidesuswithspecificdetailsaboutthetrafficenteringandleavingthephysicalinterface.Itisherethatyou'llbeabletodeterminewhetherthereareanyerrors,collisions,orissuesonthephysicallayer.

Commonmisconfigurationsthatcreateissuesonanetworksegmentarethematchsettingsofspeedandduplex.Speeddefinesthemaximumbandwidthsupportedonaninterface.Additionally,speedisusedtoindicatehowquicklyadeviceisabletoexchangemessageswithanotherdevice.Thinkofitasspeakingwithafriend:ifthepersonspeakstooquickly,youmaynotquiteunderstandeachword.Ifthepersonspeaksmoreslowly(intermsofwordspersecond),youwillbeabletounderstandtheconversationproperly.

Inveryolddevices,theinterfaceswereregularEthernet,whichoperatedat10

MB/s.Inmorerecentdevices,thereareFastEthernetinterfaces,suchaCisco2960switchthatoperatedat100MB/sandinnewerandcurrentdevices,we

haveGigabitEthernet,whichoperatesat1,000MB/s.

Importantnote


Indevicespecificationsheets,youmayseethedescriptionofinterfacesas10/100/1000.ThisformatindicatesthedifferentEthernetstandardsthatare

supportedonthephysicalinterfaceofthedevice.Therefore,ifaninterfacespeedis10/100/1000,themaximumsupportbandwidthis1,000MB/s.

Howdoesspeedaffectthenetworkperformance?Ifthere'samismatchinspeedbetweentwodevices,thiswillcreatetheeffectofonedevicesendingamessagefasterthantherecipientisabletoprocess.Additionally,whenconnectingtwodevices(AandB)usingacable(copperorfiber),theirnetworkinterfacecards(NICs)needtonegotiatecommonspeedexchangemessagesbetweeneachother.TheCiscoIOSallowsyoutoconfigureoneoffouravailablesettingsontheinterface.Theseareasfollows:

10:Force10Mbpsoperation.

100:Force100Mbpsoperation.

1000:Force1,000Mbpsoperation.

auto:Enableautospeedconfiguration.

Bydefault,eachinterfaceissettoauto.Thisallowstheinterfacetodetectthe

signalsincomingfromthedeviceontheotherendofthecableandadjustthelocalinterfacewithasuitablespeed.However,therearemanytimeswhentheauto-negotiationmechanismdoesnotsetthespeedcorrectly.Let'stakealookatthefollowingdiagram,whereSW1isusingautoandSW2ismanually

configuredas1000:


Figure4.3–Speedsettings

TheexpectedresultisSW1willauto-negotiateandadjustitsinterfaceto1,000

MB/s,butthisdoesnotalwayshappen.Sometimes,itsetsto10MB/sor100

Mb/s.Thereforeit'shighlyrecommendedtomanuallysetthespeedonallinterfacesonyourCiscodevicestopreventamismatch.

Toconfigureaninterfacetooperateataparticularspeed,usethefollowinginstructions:

1. Enterinterfacemode:

SW1(config)#interfaceGigabitEthernet0/1

2. Usetheshutdowncommandtoadministrativelyshutdowntheinterface

beforemakingadjustmentstothespeed.

3. Usethespeedcommandfollowedbytheactualspeedvalue(10,100,

1000,orauto):


SW1(config-if)#descriptionConnectedtoSW2

SW1(config-if)#speed?

10Force10Mbpsoperation



autoEnableAUTOspeedconfiguration

Let'ssayyouwanttomanuallysetthespeedto100MB/s,usethespeed

100command,asshownhere:

SW1(config-if)#speed1000

4. Thenusethenoshutdowncommandtoenabletheinterface.

5. Toverifythespeedonaninterface,usetheshowinterfaces

statuscommandtoverifythespeedsettingsontheinterface,asshown

here:

Figure4.4–InterfacestatusonSW1

Noticethespeedishardsetto1000,comparedtoallotherinterfaces,

whichareusingthedefaultsetting,auto.


6. Additionally,let'stakealookatthecurrentoperatingstatusofSW2:

Figure4.5–InterfacestatusonSW2

Asexpected,SW2isusingallthedefaultconfigurationsoneachofitsinterfaces.ThisisindicatedwiththeautokeywordasseenintheSpeed

column.Anotherusefultroubleshootingcommandthatprovidesthecurrentoperatingstatusofaninterfaceistheshowinterfacescommand:

Figure4.6–showinterfacesoutput

Couplingtheshowinterfacescommandwithaninterfacetypeand

identifierwillprovidespecificresultstotheinterfaceonly.Intheprecedingoutput,noticethecurrentoperatingspeedis1000Mbpsonthelink.Lastly,

usingtheshowrunning-configcommandwillprovideyouwiththe

configurationsmadeforeachinterface.Toviewtheconfigurationsforaspecificinterface,youcanusethecommandsshowninthefollowingsnippet:


Figure4.7–showrunning-configoutputfortheinterface

Anothercommonissueisamismatchinduplexsettingsbetweendevices.Whatisduplex?Duplexisacommonmethodbywhichtwodevicesexchangemessages.Inthefieldofdigitalcommunication,therearethreeformsofduplex.TheseareSimplex,Half-duplex,andFull-duplex.Simplexissimplyaone-waymethodofcommunication,suchastuningintoaradiostationonyourdailycommute.

Half-duplexiswhereonlyonedeviceisabletocommunicateatatimeoveranetwork.Anexampleofhalf-duplexcommunicationisusingwalkie-talkies,whichonlyallowonepersontospeakatatime.Anotherexampleisonacomputernetworkwhereenddevicesareconnectedtoahub.Onceagain,onlyonedeviceisabletousethemediumtoexchangemessages.

Importantnote

PleaserefertoChapter1,IntroductiontoNetworking,wherewediscussedCarrier-SenseMultipleAccesswithCollisionDetection(CSMA/CD)infurtherdetail.


Full-duplexisthepreferredmethodthatdevicesshouldusetooperateandexchangemessageswitheachother.Full-duplexallowstwodevicestosimultaneouslyexchangemessages,unlikehalf-duplex.

TheinterfacesonCiscodevicessuchasswitchesandroutershavethefollowingduplexmodes:

Auto:Enablesautoduplexnegotiation.

Full:Forcesfull-duplexmode.

Half:Forceshalf-duplexmode.

Bydefault,theinterfacesonCiscodevicesaresettousetheautoduplexmode.

Theideaofusingautoistoallowtwodevicestonegotiatehowtheywantto

exchangemessagesbetweeneachother(half-duplexorfull-duplex).Ideally,ifyouconnecttwodevicestogetherwithdefaultconfigurations,theyaresupposedtonegotiatetheirinterfacestobothbeingfull-duplex.Therearetimeswhenthenegotiationprocessdoesnotworkproperly.Forexample,onedevice'sinterfacemaybeoperatingathalf-duplexandtheotherdeviceissettofull-duplex.Additionally,iftherearemisconfigurationsontheinterfacethatdonotallowbothdevicestooperateusingthesameduplexmode,thiswillresultinlatencyissuesandcollisionsofpacketsonthenetwork.

Thefollowingdiagramshowstwoswitcheswithamismatchinduplexsettings:


Figure4.8–Duplexmismatch

Asanetworkprofessional,itishighlyrecommendedtostaticallyconfiguretheinterfacesonyourCiscodevicestooperateinfull-duplexmode.However,half-duplexisrecommendedwhenconnectingtoahub.

Toconfigureaninterfacetooperateinaspecificduplexmode,usethefollowinginstructions:

1. Enterinterfacemodeandadministrativelyshutdowntheinterface:

SW1(config)#interfacegigabitEthernet0/1

SW1(config-if)#shutdown

2. Usetheduplexcommandfollowedbytheduplexmode(auto,full,

orhalf):

SW1(config-if)#duplex?

autoEnableAUTOduplexconfiguration


fullForcefullduplexoperation

halfForcehalf-duplexoperation

Let'ssayyouwanttomanuallysettheduplextofull,usetheduplex

fullcommandasshownhere:

SW1(config-if)#duplexfull

3. Thenusethenoshutdowncommandtoenabletheinterfaceandexit

interfacemode:


SW1(config-if)#exit

4. Toverifytheduplexoperationmodeonaninterface,usetheshow

interfacesstatustoverifytheduplexsettingsontheinterface,as

shownhere:

Figure4.9–Duplexmodeonphysicalinterface

Ifyoulookcarefully,youshouldseethattheduplexmodeissettofull,

asperourconfigurations.Theotherinterfacesareusingthedefaultconfigurations,asindicatedbythea-fullstatusshownintheoutput.

a-fullindicatestheinterfaceisauto-negotiatedasfull-duplex.


Importantnote

Theshowinterfacescommandallowsyoutoalsoverifytheduplex

modeonaninterface.

5. Additionally,usingtheshowrunning-configinterface

GigabitEthernet0/1commandallowsustoviewthe

configurationsappliedtospecificallytheGigiabitEthernet0/1

interfaceoftheswitch,asshownhere:

Figure4.10–ConfigurationsmadeontheGigabitEthernet0/1interface

Let'simagineauserreportsthattheyareexperiencinglatencyissuessuchasslowloadingtimeswiththeircomputerandthelocalapplicationserver.TheCiscoIOSprovidessomeveryniceanddetailedstatisticsofalltheerrorsandcollisionsthataninterfaceisexperiencing.

Usingtheshowinterfacescommand,youwillbeabletoseewhetheran

interfaceisencounteringanyerrors,collisions,orphysicalissues.Thefollowingsnippetshowsthesecondhalfoftheshowinterfacecommandfora


physicalinterface:

Figure4.11–Checkingforphysicalerrors

Thefollowingisabriefdescriptionofeachtypeofcounteronaninterface:

Inputerrors:ThiscounterprovidesthetotalnumberoffaultypacketsthathasenteredtheinterfaceoftheCiscodevice.Thevalueisthesumofrunts,giants,nobuffer,CRC,frame,overrun,andignoredcountsontheinterface.

Runts:Thesepacketsarediscardedbecausetheyarelessthan64bytesin

sizeandaresmallerthantheminimumpacketsize.

Giants:Thesepacketsarediscardedbecausetheyexceedthemaximumpacketsize.Theyareusuallygreaterthan1,518bytesinsize.


CRC:Cyclicredundancycheck(CRC)errorsoccurwhenthechecksumwithintheframetrailerdoesnotmatchthechecksumreceived.TheCRCvalueisstoredwithintheFileCheckSequence(FCS).

Outputerrors:Theseareasumofthetotalerrorsthathavepreventedthetransmissionofamessagefromleavingtheinterface.

Collisions:Thesearethenumberofmessagesthathavebeenretransmittedduetoacollisiononthenetwork.

Latecollisions:Thesecollisionsoccurafter512bitsor64bytesofa

framehavebeentransmitted.

Ifthesecountersareincreasing,it'sasignthatinterfaceerrorsornetworkcollisionsareoccurring.Toresolvetheseissues,usethefollowingasaguide:

Checktheduplexandspeedsettingsonbothdevicesthataresendingandreceivingmessages.

Iftheduplexandspeedconfigurationsaregood,changethenetworkcableandcheckwhetherthecountersarestillincreasing.

Ifchangingthecabledoesnotresolvetheissue,connectthenetworktoanotherinterfaceonthedeviceandcheckthecountersagain.

Attimes,afaultynetworkcableornetworkinterfacecard(NIC)cangeneratealotoferrorsandcollisions,whichthenresultsinpoornetworkperformance,suchashighlatencyandpacketloss.

Havingcompletedthissection,youhaveacquiredtheskillsrequiredtoidentifyerrorsandcollisionsinthephysicallayeroftheOSIreferencemodel.


Additionally,youhavelearnedhowtousetroubleshootingtechniquestoresolveerrorsandcollisionsonanetwork.Inthenextsection,wewilldiscussenterprisewirelessarchitecturesanddeploymentmodels.

Wirelessprinciples

Nowadays,almostanywhereyouvisit,whetherit'sthemallorthelocalcoffeeshop,therearewirelessnetworkseverywhere.Manyorganizationshaveinvestedagreatdealinimplementingarobustwirelessinfrastructuretoensureemployees,customers,andguestshavethebestexperienceattheirestablishment.

Agreatdealofworkgoesintoensuringawirelessnetworkisabletosupportallusersandtheirtrafficloadatanytime.Thisinvolvesvarioustechnologiesandcomponents,aswellascomplicatedplansanddesigns,configurations,andtroubleshooting.Throughoutthissection,youwilllearnaboutthebackendtechnologiesusedtocreateawirelessnetworkandhowtoefficientlyconfigureourcomponentstoprovideoptimalperformanceforanenterpriseorganization.

So,whatexactlyisawirelessnetworkconnection?Inatypicallocalareanetwork(LAN),weusuallyinterconnectcomputers,IPphones,servers,andprintersusingacoppercablesuchasCat5,Cat5e,orevenCat6totherestofthenetwork.Havingawiredconnectionisadvantageousbecausetheoutercoatingofthosecoppercablesprovidesaprotectiveshieldaroundtheactualwires.However,usingphysicalwireshasitslimitationsasitdoesnotallowausertoroambetweenroomsorofficespaces.Thisiswherewirelessnetworkingprovidesuswiththeconvenienceofmobility.

AswelearnedinChapter1,IntroductiontoNetworking,weusewirelessaccesspoints(APs),whichconnecttoawirednetworktoprovideuswithawireless


signal.Forahomenetwork,yousimplyhavetoconnectawirelessrouterorAPtoyourmodemwithsomebasicconfigurations,suchasthewirelessnetwork'sname,andsomesecuritymeasures.Inanorganization,however,itisnotassimple.ConnectingmultipleAPsrandomlywithoutconsideringanyphysicalconstraints,suchassignallevels,channelassignments,security,andcentralmanagement,cancreateaninefficientwirelessnetworktopology.

WirelesstechnologiesWeknowthatacopperorfibercablesuseelectricalorlightsignalstoexchangemessagesacrossanetwork.Wirelessnetworksoperatedifferently,however.Wirelessnetworkcomponents,suchasanAP,taketheelectricalsignal(1sand0s)receivedontheEthernetNICandconvertitintoaradiosignal,whichcompatibledevicessuchaslaptopsandsmartdevicesareabletounderstand.Thewirelesssignalisstillthesame1sand0sthataretransmittedacrossawirednetwork,butit'ssimplyencapsulatedintoanotherformat.

Withawirelesssignal,thesignalisnotdirectlyprotectedlikeitiswithacopperorfibercable.Therearelimitationstowirelesssignals,suchassecurityrisks,signalstrength,andtheoperatingfrequencies.

Weneedtounderstandthecharacteristicsofawirelesssignal.Therearealotofwirelesssignalsoperatingatdifferentfrequenciesallaroundus.Whetherit'sradiostations,walkie-talkies,householdwirelessrouters,orthesignalsgeneratedbywirelessnetworks,eachtypeofwirelesstechnologyusesadifferentradiofrequency.

Importantnote


TheFederalCommunicationsCommission(FCC)isresponsibleforregulatingtheusageofvariousradiofrequenciesforcommunication.

TheFCCallocatedmanyunlicensedradiofrequencybands,allowingpeopleandorganizationstouseacertainradiofrequencywithoutneedingtoregisterit.Assuch,theFCCallocatedtworadiofrequencybandsforWi-Fi:the2.4GHzand

5.0GHzbands.Wecanuseeitherofthesetwofrequencies,orboth.Oneofthe

firstquestionstoaskyourselfasanascentnetworkengineeris,whichfrequencyshouldIuseandwhy?

Eachfrequencyoperatesatdifferentsignalstrengths,sometimesreferredtoasamplitude.TheamplitudedetermineshowpowerfulorweakasignalmightbeasittravelsawayfromadevicesuchasanAP.UsingasignalthathasalowamplitudewillprovideadegradednetworkperformancebetweentheAPandtheassociatedclients.Usingasignalthatprovidesaveryhighamplitudemaynotalwaysbegoodforawirelessnetworkasitcanbetoonoisyontheairwave,thuscreatingdistortion.

However,theReceiveSignalStrengthIndicator(RSSI)canbeusedtohelpusdetermineasuitableamplitudeforourwirelessnetworks.TheRSSIislikethesignalbarsshowninthecornerofoursmartphonescreens,butonacomputerornetworkdevice.TheRSSIisrepresentedusingavalueindBm,theunitusedto

measurethepowerratioindecibels(dBm)toonemilliwatt.

UsingtheWi-FiAnalyzerappfromMicrosoft,youwillbeabletoseetheRSSIvalueforyourwirelessnetwork,asshownhere:


Figure4.12–RSSIvalue

TheRSSIvalueisalwaysgivenasanegativevalue.Whenthevalueiscloseto


zerothesignalstrengthisgood,butasyoumovefurtherawayfromanAPtheRSSIvaluewilldecrease,whichisbadfortransmittingdataassomemessagesmaybedroppedduetosignalloss.

2.4GHzversus5GHzAtthispoint,weknowtherearetwofrequenciestochoosefrom:2.4GHzand

5GHz.Weneedtodecidewhichofthesetwofrequenciesisthebestchoiceto

implementinanenterprisenetwork.Togetabetterunderstandingofthem,let'sdissectthembothtofurtherunderstandtheircharacteristics.

Whenradiofrequenciesaretransmitting,therearewavesintheformofpeaksandvalleysmovinginacontinuousstream.The5GHzfrequencyhasashorter

wavelengthandoperatesatahigherfrequencythanthe2.4GHzfrequency.

Thismeansthatusingthe5GHzfrequencyonawirelessnetworkwillprovidemuchgreaterbandwidthcapacity;however,duetotheshortwavelengths,thesignalcannottravelveryfar.

Importantnote

Wirelessfrequenciessuchas2.4GHzand5GHzaresusceptibleto

deteriorationwhenpassingthroughobjectssuchaswallsandmetal.Inotherwords,havingalotofwallsbetweenanAPandaclient'sdevicewilldrasticallyreducethewirelesssignaland,asaresult,thewirelessnetwork'sperformance.

Thefollowingdiagramisavisualrepresentationofthe5GHzfrequency:


Figure4.13–5.0GHzwavelength

Comparedtothe5GHzfrequency,the2.4GHzfrequencyhasamuchlonger

wavelengthbetweenpeaks,thusallowingthesignaltotravelagreaterdistancefromtheAP.However,onemajordownsideofusingthe2.4GHzfrequencyis

itsshorteramplitude,meaningitsupportsamuchlowerbandwidthcapacity.

Thefollowingdiagramisavisualrepresentationofthe2.4GHzfrequency:


Figure4.14–2.4GHzwavelength

So,thelongerwavelengthisoneofthebenefitsofusingthe2.4GHz

frequency;however,itisalsoadisadvantageinthewirelessnetworkingworld.Let'simagineyouhavejustsetupyourhomewirelessnetworkandarereadytoconnecttotheWi-Fi.Whenyouchecktheavailablewirelessnetworks,you'reseeingyourneighbors'wirelessnetworksaswell.Thisiswheretheissuelieswiththe2.4GHzfrequency;itisverypowerfulandwillgiveyouagreatsignal

reach,butwhenthereareothernearbywirelessAPsoperatingonthesame2.4

GHzfrequencyitcreatesinterferencewithotherwirelessnetworks.

Thefollowingdiagramshowsthesignalsoftwowirelessnetworks:


Figure4.15–Wirelesssignalsoverlapping

Tohelppreventsignaloverlaponawirelessnetwork,channelsallowustosetarangeoneitherthe2.4GHzor5GHzfrequencies.

Importantnote

ThecoverageareaofawirelesssignalisknownastheBasicServiceArea(BSA).

Therefore,ourAPcanuseafrequencyandaspecificchannelforoperation.Inthe2.4GHzworld,thereare14channelstochoosefrom,butmostofthe

channelsoverlapeachother.However,ifyouchoosechannels1,6,and11,they

willnotoverlapwitheachother.


Importantnote

Eachchannelisbetween20–22MHzwide.Channel1inthe2.4GHz

frequencyis2.412GHz,channel2is2.417GHz,andchannel3is2.422

GHz,andsoon.

Thenon-overlappingchannelsinthe2.4GHzfrequencyarechannels1,6,and

11asshownhere:

Figure4.16–Non-overlapping2.4GHzchannels

DuetothehighnumberofAPsonlineandwithincloseproximitytoeachother,thereishighpossibilityaneighbormaybeusingthesamechannelasyouareforyourorganizationorhomewirelessnetwork.

The5GHzfrequencyintroducedfarmorechannelsthantheolder2.4GHz

frequency.Additionally,the5GHzfrequencyhasthetechnologytoperform

channelbonding,whichallows2ormore5GHzchannelstohavealarge

channelcapacity.Thefollowingpointsfurtherbreakdownhowchannelbondingworks:


Eachchannelis20MHzinsize.

Usingchannelbonding,wecancombinetwo20MHzchannelstoforma

40MHzchannel.

Usingchannelbondingagain,wecancombinetwo40MHzchannelsto

forman80MHzchannel.

Finally,wecancombinetwo80MHzchannelsusingchannelbondingtoforma160MHzchannel.

Thebenefitofusingchannelbondingisthatitprovidesagreaterbandwidthcapacityingigabitspersecond(Gbps)onawirelessnetwork.Thisiswhyitismoreefficienttousethe5GHzfrequencywithinanorganizationwherealarge

numberofwirelessclientsneedtobesupported.

Whendesigningyourwirelessnetworkinfrastructure,ensuretherearealmostzerooverlappingfrequencies(channels)betweentheAPsinyourorganization.Additionally,betweeneachAP,ensurethereisalittleoverlapbetweensignalstoensuretherearenodeadzonesinyourwirelessnetwork.Deadzonesareplaceswhereclientswillnotbeabletodetectasignalandwillbedroppedfromthewirelessnetwork.

WirelessbandsSofar,wehavediscussedtheneedtouseanappropriatewirelessfrequencywhenimplementingawirelessnetworkandthechoicesinvolved.Nowweneedtoaddresssomeotherquestions:whomanagesthestandardofwirelessnetworkcommunication,andwhatstandardsareavailable?


TheInstituteofElectricalandElectronicsEngineers(IEEE)introducedtheIEEE802.11standardin1997.Thisallowsvendorstodevelopwirelessinterfacecards(WICs)ondevicessuchasAPs,wirelessrouters,laptops,andmobiledevices.However,theIEEEhascreatedmultiplevariationsofthe802.11standardovertheyearswithmanyimprovements.

ThefollowingchartisasummaryofthevariousWi-Fistandardsovertheyears:

Figure4.17–Wi-Fistandards

ThemostrecentisIEEE802.11ax,sometimesreferredtoasWi-Fi6.WiththeotherversionsofIEEE802.11,theAPisonlyabletotransmitmessagestoonedeviceatatime.Thismeansifthereare50laptopsallconnectedtoandcommunicatingwithasingleAP,theAPcanonlysendtraffictoonedeviceatatimewhiletryingtodistributemessagesquicklytoeveryone.Thinkofitasamailcourierdriverwhohasmultiplepackagesforpeopleacrossthecity;theycanonlydropoffpackagestoonepersonattime.ThisissimilartohowWi-Finetworksoperate;however,IEEE802.11axfixesthisissue.


Importantnote

FurtherinformationaboutWi-Fi6canbefoundathttps://www.cisco.com/c/en/us/products/wireless/what-is-wi-fi-6.html.

IEEE802.11axallowsanAPtoallocateadedicatedchanneltoeachclientdevice,thereforeimprovingnetworkperformancebetweenthewirelessclientsandtheAP.

SSID,BSSID,andESSWhetheryou'resettingupanAPforyourhomeoranenterprisenetwork,typicallythefirstthingtodoistochangethedefaultnetworknametosomethinguserswillbefamiliarwith.ThenameofthenetworkisknownastheServiceSetIdentifier(SSID).

WhenanAPbootsup,itbeginstosendbeaconsatpredefinedintervals.ThebeaconsareatypeofadvertisementmessagefromanAPthatcontainstheSSIDandotherparameters.Whenaclientsuchasalaptoporsmartdeviceenablestheirwirelesssettings,theyareabletoseethedetailsfromthesebeacons,suchastheSSID.IftherearemultiplenearbyAPsadvertisingtheirSSID,theywillallappearinthewirelessnetworksettingsonaclientdevice.

Whenaclientconnectstoawirelessnetwork,thisisknownasanassociation.Mostcommonly,whenweconnectoursmartdevicesorcomputerstoawirelessnetwork,thesettingsaresavedautomatically.Thisallowsustoreconnecttothesavedwirelessnetworkinthefuturewithouthavingtore-enternetworkconfigurationssuchasapassword.However,whenaclientdevicebootsup,itbeginstosendprobes.Theprobesaredesignedtosearchandestablishan


https://www.cisco.com/c/en/us/products/wireless/what-is-wi-fi-6.html

associationwithasavedwirelessnetworkthatmaybewithinrangeoftheclientdevice.

Thefollowingdiagramshowstheprobeandbeaconadvertisements:

Figure4.18–Probesandbeacons

WhenaclientisassociatedwithanAP,itacceptsandbecomespartofeverythingtheAPisproviding.ThisisknownastheBasicServiceSet(BSS).Usingareal-worldexample,ifyourlocalcoffeeshoponlyhasoneAPprovidingwirelessnetworkcoveragefortheircustomersandapersonconnectstheirdevicetothenetwork,theirdevicenowbecomespartoftheBSS.

Inmanyorganizations,therearemultipleAPsconnectedtothesamewirednetwork,whereeachAPisusingthesameSSIDandisprovidingwirelesssignalallowinguserstoconnect.ThistypeofinfrastructureisreferredtoasanExtendedServiceSet(ESS).Ontheclient'sside,thedevicedoesnotseeindividualSSIDswiththesamename,theyseeonlyoneSSID.

TofurtherunderstandhowanESSworkslet'simaginethat,withinabuilding,therearefiveAPsandtheyareallconnectedtothesamewirednetwork,forming


anESSforasmallorganization.EachAPisbroadcastingtheSSIDasCompany_X.AllWi-Fi-enabledclientsareseeingasingleSSID,Company_X,

insteadofseeingthesameSSIDlistedfivetimes.Whenaclientconnectstothewirelessnetwork,Company_X,itisassociatedtoanAP.Theclientknows

whichAPitisassociatedwithbyrecordingtheBasicServiceSetIdentifer(BSSID)oftheAP.

Importantnote

TheBSSIDistheMACaddressofanAP.

Inthefollowingsnippet,theBSSIDisshownfortheassociatedwirelessnetworkonaWindowsmachine:


Figure4.19–BSSIDforawirelessnetwork

TheclienthasthechoicetoassociateitselftoaspecificAPbyusingtheBSSIDinformation.Lastly,whenaclientdeviceismovingbetweenAPswithinanESS,theclientdevicewilldisassociatefromanAPthathasaweakersignalandattempttoassociatewithanearbyAPthathasastrongersignal.Thisisknownasroaming.

Duringthedisassociationandre-associationprocess,there'satinydropinnetworkconnectivityastheclientdevicehastore-exchangenetworkingandsecurityinformationwiththeAP.


Havingcompletedthissection,youhaveacquiredthenecessaryknowledgetounderstandanddescribehowdevicesonawirelessnetworkoperate.Inthenextsection,wewillmoveontolearningaboutvariousCiscowirelessarchitecturemodels.

CiscowirelessarchitecturesWhendesigningawirelessnetwork,oneofthemainobjectivesistoensurethenetworkisdesignedtoperformatoptimalcapacityforallusers.AcquiringAPsisassimpleaspurchasingthemfromalocalretailer.However,whenitcomestoimplementingtheAPsinanetwork,thereareafewCiscowirelessarchitecturesweneedtounderstand,aseachonehasdifferentusagescenarios,advantages,anddisadvantages.

Inthefollowingsections,wewillcovertheessentialsofthefollowingwirelessarchitectures:

Autonomous

Cloud-based

Split-MAC

Let'sgetstarted!

AutonomousInanautonomousarchitecture,eachAPisstaticallyassignedamanagementIPaddress,whichallowsthenetworkadministratortologinandconfigurethedeviceacrossthenetwork.Thisdeploymentmodelisgoodifyouhaveacouple


ofAPstomanage.

However,inthistypeofarchitecture,eachAPisindependentlymanaged.Thismeansifyouhavetomakeauniversalchangetotheconfigurationsofthewirelessnetwork,you'llneedtologintoeachdeviceindependentlytomakethechanges.

Thefollowingdiagramshowsthetypicaldeploymentmodelfortheautonomousarchitecture:


Figure4.20–Ciscoautonomouswirelessarchitecture

Inthenextsection,wewilllearnaboutCisco'scloud-basedwirelessnetworkarchitecture.


Cloud-basedAsmoreAPsaredeployedonanenterprisenetwork,themanagementtaskbecomesabitchallenging.Let'simagineyouarethenetworkadministratoratacompanywithalargewirelessnetworkcontainingabout50APs.Oneday,youhavetomakeanadjustmenttothewirelessnetworkconfigurations;loggingontoeachAPindividuallyistime-consumingandinefficient.

Inacloud-basedarchitecture,aWLCsuchasCiscoMerakiisdeployedinthecloud.ThismodelallowseachAPtoreceiveamanagementIPaddress,similarlytotheautonomousarchitecture.However,theCiscoMerakicloudmodelallowstheWLCtogathernetworkandWi-Fistatistics,detectroguedevices,findradiofrequency(RF)interference,andgeneratereportseasily.Inaddition,thismodelprovidesasingledashboardthatallowsyoutocentrallymanagementallAPs.

Thefollowingdiagramshowsthetypicaldeploymentmodelforthecloud-basedarchitecture:


Figure4.21–Ciscocloud-basedwirelessarchitecture

Inthenextsection,wewillcovertheessentialsoftheSplit-MACwirelessnetworkarchitecture.

Split-MAC


Inthisarchitecture,bothalocalWLCandLight-weightAccessPoints(LAPs)areimplemented.ThelinkbetweenaWLCandaLAPisknownasaControlandProvisioningofWirelessAccessPoints(CAPWAP)tunnel.TheCAPWAPtunnelhandlestheencapsulationofdatabetweendevices.

TheCAPWAPtunnelallowsanAPandaWLCtobeseparatedgeographicallyandlogically,allowingdifferentvirtualLAN(VLAN)traffictobedeliveredtoaspecificAPwithouttheneedtocreateatrunkportontheswitch.TheWLChandlestheRFmanagement,clientauthentication,securitymanagement,qualityofservice(QoS),andassociationandroamingmanagementofeachLAPontheenterprisenetwork.Additionally,eachLAPmanagestheRFtransmission,MACmanagement,anddataencryption.

ThefollowingdiagramshowsarepresentationoftheCAPWAPtunnelbetweenaWLCandaLAP:


Figure4.22–CAPWAPtunnel

TheCAPWAPtunnelrequirestwonetworkports.TheseareUDPport5246,

whichallowstheWLCtomanageeachLAP,andtheUDPport5247,whichis

usedforencapsulatingdatabetweenthecontrollerandtheAP.

Inthenextsection,wewillcoverthevariousmodesofoperatingforaCiscoAP.

APmodesCiscoAPsaredesignedtooperateineitherautonomous(independent)orlightweight(centrallymanaged)mode.UsingaWLC,youcanconfigureaLAPtooperateinthefollowingmodes:


Local:ThisisthedefaultmodeforaLAP,whichallowstheAPtoprovideoneormoreBSSusingaspecificchannel.WhentheAPisnottransmitting,itwillscanotherwirelesschannelstodeterminethelevelofnoiseandinterferenceanddetectanynearbyrogueAPs.

Monitor:Inmonitormode,theAPdoesnottransmitanytrafficatall;however,itisabletoreceiveincomingtransmissionsfromnearbywireless-enableddevicessuchasotherAPsandclientdevices(laptops,smartphones,andsoon).ThismodeallowstheAPtofunctionasadedicatedsensorforcheckingintrusiondetectionsystem(IDS)securityevents,suchasrogueAPs,anddeterminingthepositionsofstations(clients)usinglocation-basedservices.

FlexConnect:InFlexConnectmode,theAPhasthecapabilitytoswitchtrafficbetweenanSSIDandaVLANiftheCAPWAPtunnelisdown.However,theAPneedstobeconfiguredtodoso.

Sniffer:Insniffermode,theAPdedicatesitsradiostocaptureIEEE802.11trafficfromnearbysourcesandforwardsittoacomputerrunningaprotocolanalyzersoftwaresuchasWiresharkforofflinepacketanalysis.

Roguedetector:RoguedetectormodeallowstheAPtodetectroguedevicesbycorrelatingMACaddressesfoundonthewiredIEEE802.3networkwiththosefoundonthewirelessIEEE802.11airways.

Bridge:Inbridgemode,theAPcanbeconfiguredtooperateasabridgebetweentwonetworks.Inthisconfiguration,twoormoreAPsmustbeusedinbridgemodetolink(bridge)multiplelocationstogether.

Flex+Bridge:CiscoAPscanbeconfiguredtooperateinameshnetwork.


Inamesh,eachdeviceisconnectedtoallotherdevices.Thebenefitofusingameshnetworkisthefactthatithasfullredundancy.However,thedownsideisthatbecausethemeshgrowsasmoredevicesareadded,itbecomeschallengingtomanageandtroubleshoot.TheFlex-BridgemodeallowstheAPstooperateinthismethod.

SE-Connect:TheAPdedicatesitsradiostoenablespectrumanalysisonallwirelesschannels.ThedataissenttoacomputerrunningspectrumanalysissuchasMetaGeekChanalyzerorCiscoSpectrumExperttodiscoverthesourcesofinterference.

Inthenextsection,wewilldiscusswirelesscomponentsandmanagementtechniques.

WirelesscomponentsandmanagementAsmentionedintheprevioussection,Ciscowirelessarchitectures,autonomousdeploymentisgoodenoughiftherearejustafewAPsonthenetwork,butasthewirelessnetworkgrowsandmoreAPsareadded,managementbecomesmorechallenging.ThisiswhereLAPscomeintohelpusasnetworkprofessionals.

LAPsaredesignedtobemanagedbyaWLC.Inalargenetwork,asingleWLCisusuallyphysicallyconnectedtoanetworkswitch,whichallowstheLAPstoreachtheWLConthenetwork.Keepinmind,though,theLAPsdonothaveanyconfigurationswhenconnectedtothephysical(wired)network,thustheyaremadeavailabletotheWLCformanagement.

Importantnote


ALAPcansupportmultipleVLANsbyusingtheCAPWAPtunnelbetweentheWLCandtheLAP.ThismeanstheAPonlyrequiresanaccesslinktoconnecttothenetworkinfrastructure.

ForyourCCNAcertification,itisimportanttounderstandthevariousinterfacessupportedbytheCiscoWLCdevice.Theseinterfacesarevirtualinterfacesthatexistwithintheoperatingsystemofthedevice.However,thesevirtualinterfacesareusuallymappedtoaphysicalportontheWLC.

Thereareseveraldifferenttypesofcontrollerportsthatcanbeconnectedtoyournetwork:

Serviceport:Thisportisusedforout-of-bandmanagementtothedevice,systemrecovery,andinitialbootfunctions.Furthermore,thisportisconnectedtoanaccessportonaswitch.

Distributionsystemport:ThisportisusedforallnormalAPandmanagementtrafficandisconnectedtoanIEEE802.1Qtrunkportonaswitch.ThisportisusuallyreferredtoasaLinkAggregationGroup(LAG)interface.LAGallowsyoutoconfiguremultipledistributionsystemportsintoasinglelogicalgroup,suchasanEtherChannelorport-grouponaswitch.LAGprovidesresiliencesuchthatifonedistributionsystemportfails,thetrafficcanberedirectedtotheremainingworkingports.

Consoleport:Thisportisusedforout-of-bandmanagementtothedevice,systemrecovery,andinitialbootfunctions.Aconsolecableisrequired.

Redundancyport:Thisportisusedwhenconfiguringanothercontroller


toestablishhighavailability(HA).

Managementinterface:ThisinterfaceisusedformanagementtrafficsuchastrafficbetweentheAAAserver(RADIUSorTACACS+),WLC-to-WLCcommunications,andSSHandSNMPconnections.

Inthenextsection,wewillwalkthroughtheprocessofaccessingaCiscoWLC.

Lab–accessingaCiscoWLCGUIInthissection,youwilllearnhowtosetupaCiscoWLCforthefirsttimeandaccessitsgraphicaluserinterface(GUI).Tocompletethisexercise,useCiscoPacketTracertobuildthefollowingtopology:


Figure4.23–WLCtopology

ToconfigureaCiscoWLC,usethefollowingsteps:

1. Usingaconsolecable,connectthePCtotheWLC(WLC2504)andpoweronthedevice.

2. UsingPuTTYoranotherterminalapplication,establishaterminalsessionwiththeWLC.

3. IfthereareexistingconfigurationsontheWLC,enter5–ClearConfigurationstoclearthememory.Thedevicewillrebootautomaticallyafterthecontentsarecleared.

4. Afterthedeviceisrebooted,theinteractivewizardwillaskwhetheryouwanttoterminateautoinstall.TypeyesandhitEnter.

5. TypeahostnameforthedeviceandhitEnter.

6. Next,setanAdministrativeusernameandhitEnter.

7. Next,setanAdministrativepasswordandhitEnter.

8. Next,setaManagementinterfaceIPaddressandhitEnter.ThisIPaddresswillallowyoutoremotelyconnecttothedeviceviaTelnet,SSH,andHTTPS.Use10.0.0.2/24astheIPaddressandsubnetmaskforthe

device,asshownthetopology.

9. Next,settheInterfacenetmask(subnetmask)andhitEnter.

10. Next,settheInterfacedefaultrouter(gateway)IPaddressandhitEnter.


11. IfthereisaVLANassignedtotheswitchport,setitatthisstage.IftherearenoVLANs,simplyhitEntertoleavethedefaultsandcontinue.

12. Next,thewizardwillaskwhichofthephysicalportsontheWLCshouldassumetheroleofthemanagementinterface.Choosetheportthatisconnectedtotheswitch.

13. Next,thewizardmayaskforaDHCPserverIPaddress.IfthereisaDHCPserveravailableonthenetwork,inserttheserver'sIPaddresshere.

14. Next,theWLCwillaskyoutosetanAPmanagerIPaddress.ThisIPaddressisusedbytheWLCtomanagetheAPs.ThisaddressshouldbedifferentfromthemanagementinterfaceIPaddress.

15. TheVirtualgatewayIPaddressshouldbesetto192.0.2.1,as

recommendedbyCisco.

16. Next,setaMobility/RFgroupname.ThisisusedtoallowyoutomovebetweenAPsonthenetwork.

17. ThewizardwillthenasktoyousetanSSID,DHCPmode,staticIPaddressforclients,RADIUSserver,countrycode,IEEE802.11standards,NTPserver,andsoon.

18. Thefinalstepwillaskwhethertheconfigurationsarecorrect.Typeyes

tosaveandreboot.Additionally,youcanuseshowsysinfotoverify

theconfigurationsontheCiscoWLCdevice.

AftertheCiscoWLChasrebooted,it'snowaccessibleviathebrowseronaPCattachedonthenetwork,thusprovidingitsGUI.Inthenextsection,wewillcoverhowtoconfigureaCiscoWLCwithLAPsonanetwork.


Lab–configuringawirelessnetworkusingaCiscoWLCInthissection,youwilllearnhowtocreateWLANs,implementsecurefeatures,configureinterfaces,andadjusttheQoSfeaturesonaCiscoWLC.

Tip

TheWLCtopologycanbebuiltwithintheCiscoPacketTracerapplication.However,you'llneedtoenabletheDHCPserviceontheservertoprovideautomaticIPaddressconfigurationstotheAPs.AssignedstaticIPaddressesareshowninthetopology.

TogetstartedsettinguptheWLCwiththeLAP,usethefollowinginstructions:

1. OnPC1,openyourwebbrowserandgototheURLoftheWLC,https://10.0.0.2orhttp://10.0.0.2.

2. Loginwiththeusernameandpasswordsetinthepreviousexercise.Onthemaindashboard,youwillseeasimilarviewshowingthephysicalportsthatarecurrentlyinusebytheWLC:


Figure4.24–CiscoWLCdashboard

3. Ifyouscrolldownabit,you'llnoticetheWLChasauto-detectedanyavailableLAPsonthenetwork:

Figure4.25–AccessPointSummary


4. Furthermore,ifyouclicktheWIRELESStabatthetop,you'llbeabletogetmoredetailsabouteachassociatedLAP.

5. ToconfigureinterfacesontheCiscoWLC,clickonCONTROLLER|Interfaces|Newasfollows:

Figure4.26–CreatinginterfacesonaCiscoWLC

6. WhenyouclickonNew,you'llhavetheoptiontosetanamefortheinterfaceandassignaVLANID,asshownhere:

Figure4.27–NaminganinterfaceonaCiscoWLC

7. AfterclickingonApplytocreatetheinterface,thewizardwillpresentanewscreenallowingyoutoconfiguretheVLANIdentifier,IPaddress,


Netmask,Gateway,Primary,andSecondaryDHCPserver,asshownhere:

Figure4.28–Interfaceoptions

8. ClickApplytofinishsettingupthevirtualinterfaceontheCiscoWLC.

9. Tocreateawirelessnetwork,gototheWLANstab,settheoptiontoCreateNew,andclickonGoasfollows:


Figure4.29–CreatingaWLAN

10. Next,setProfileNameandtheSSIDtoyourpreference,asshownhere:

Figure4.30–SettingtheSSIDname

11. ClickApplytocontinue.

12. Next,you'llbepresentedwiththeprofilemenufortheSSID.OntheGeneraltab,enabletheSSID,asshownhere:


Figure4.31–Generaltab

13. ClickontheSecuritytabtoadjustthesecurityconfigurationsforthewirelessnetwork,asshownhere:


Figure4.32–Securitytab

Here,youcanconfigurelayersecurityoptionsandenable802.1XauthenticationifthereisaRADIUSserveronthenetwork.

Importantnote

TheRADIUSserverhandlestheauthentication,authorization,andaccountingservicesofnetworkdevicesandusers.Onthisserver,useraccountsarecreatedandcentrallymanaged.Additionally,theRADIUSserverremovestheneedtocreateuseraccountsdirectlyontheAPsonthe


networkastheAPswillquerytheRADIUSserverwhenauserisattemptingtologontothenetwork.

14. ToaddaRADIUSserverwithintheCiscoWLC,gotoSECURITY|AAA|RADIUS|AuthenticationandclickonNew.Anewpagewillopen,andyoucansimplysettheIPaddressoftheRADIUSserverandasecretkeyforauthentication:

Figure4.33–AddingaRADIUSserver

15. Ifthere'saRADIUSserveronthenetwork,clickontheAAAServerstabtosetaRADIUSserver,asshownhere:


Figure4.34–RADIUSsettings

16. ToadjusttheQoSconfigurationsontheWLAN,clickontheQoStab.You'llbeabletochoosePlatinum,Gold,Silver,orBronze.

17. ClickApplytosavethesettingsforthenewlycreatedWLANnetwork.

Havingcompletedthissection,younowhavetheskillsrequiredtoconfigurevariousCiscowirelessarchitecturesandimplementaCiscoWLConanetwork.Inthenextsection,wewillcoverthefundamentalsofvirtualizationtechnologies.


VirtualizationfundamentalsTobeginthissection,wewillstartwithasimpleanalogytohelpyouunderstandtheimportantroleandbenefitsofimplementingvirtualizationtechnologies.Let'simagineyouhaveasinglecomputerrunningMicrosoftWindows10.UponlearningmoreaboutIT-relatedtopics,youhaverealizedthathavingsomeLinuxskillsmaybeimportanttoyourcareer,butyouhaveonlyonecomputer.OneoptionistocreateapartitiononthelocaldiskdriveandinstalltheLinuxoperatingsystemonthenewpartition,creatingadual-bootsystem.Thedownsidetothisisthatonlyoneoperatingsystemwillbeabletoboot.

Itwouldbehighlyadvantageousifyoucouldhavemultipleoperatingsystemsrunningsimultaneouslyonasinglesystem,suchasyourMicrosoftWindows10andLinux,asthiswouldallowyoutoworkbetweendifferentoperatingsystemsquicklyandefficiently.Thetechnologytomakethisarealityisknownasvirtualization.

Virtualizationallowsyoutoemulatethehardwarerequirementstorunanoperatingsystem.ThinkofitascreatingacontainerandplacingLinuxinside.Thevirtualizationapplication,knownasahypervisor,isthekeycomponenttocreatethenecessaryvirtualhardwarerequirementssuchasCPU,RAM,diskdrives,I/O,andothercomponentstoemulateaphysicalcomputer.Thehypervisorallowsyoutoinstallsupportedoperatingsystemsontothevirtualenvironment.Theseoperatingsystemsarereferredtoasvirtualmachinesorguestoperatingsystems.

Importantnote


Aguestoperatingsystemisinstalledonahypervisorapplication,whileahostoperatingsystemisinstalleddirectlyonthephysicaldevice.

Therearetwotypesofhypervisor:

Type1hypervisor

Type2hypervisor

Wewilldiscusstheminthefollowingsubsections.

Type1hypervisorAType1hypervisorismostcommonlyreferredtoasabare-metalhypervisorsimplybecauseit'sinstalleddirectlyontothehardware.Youmightbewondering,"Whatdoyoumean,directlyonthehardware?".Toagetabetteridea,let'simagineyouaregoingtobuildadesktopcomputer,soyoubuytheessentialcomponentssuchasCPU,RAM,motherboard,HDD/SSD,NIC,case,andsoon,andyouassembleallthecomponentstogethertocreateacomputer.Nowyouneedanoperatingsystemtocontrolallofthecomponents.InsteadofinstallingWindowsorLinuxonthehardware(HDD/SDD),youinstallaType1hypervisorastheoperatingsystem,whichwillstillallowyoutocommunicatewithallthephysicalhardwarecomponents.

ThefollowingdiagramshowsavisualrepresentationofaType1hypervisoranditsvirtualmachines:


Figure4.35–Type1hypervisor

ThebenefitofusingaType1hypervisoristhateachvirtualmachinehasdirectaccesstothehardwareresourcesonthephysicalsystem.

ThefollowingisalistofType1hypervisorapplications:


VMwareESXi(free)

Proxmox(free)

XCP-ng(free)

NowthatyouhavereadabouttheType1hypervisor,let'stakealookatthefunctionalityoftheType2hypervisor.

Type2hypervisorTheType2hypervisorisinstalledontopofahostoperatingsystem.ThistypeofhypervisorprovidesallthesameessentialfunctionsandcapabilitiesasaType1hypervisor,butitisinstalledonyourexistingoperatingsystem.ThevirtualmachinesinstalledonaType2hypervisordonothavedirectaccesstoalltheavailablehardwareresources,incontrastwithType1hypervisors.

ThefollowingdiagramshowsavisualrepresentationofaType2hypervisoranditsvirtualmachines:


Figure4.36–Type2hypervisor

Thehostoperatingsystemhasfullaccesstothephysicalhardwareresources,whilesomeoftheresourcesaresharedwiththevirtualmachinesviathehypervisorapplication.Thistypeofhypervisorisbeneficialifyouhaveasinglecomputerandwouldliketocreatevirtualmachinesonit.

ThefollowingisalistofType2hypervisorapplications:


OracleVMVirtualBox(free)

VMwarePlayer(free)

VMwareWorkstationPro(commercial)

VMwareFusion(commercial)

ParallelsDesktopforMac(commercial)

ImagineasystemsuchasMicrosoftWindowsServer2019onaphysicalrackserverwitha12-coreCPU,128GBofRAM,and12TBofstorage,andthe

roleoftheserveristoprovideActiveDirectory(AD)andDHCPservices.Thoseserverrolescombinedwillnotusemorethanhalfoftheavailablecomputingpower.Thus,whereasingleoperatingsystemisinstalledonaphysicaldeviceandtheoperatingsystemisnotmaximizingthefullpotentialoftheavailablehardwareresources,theCPUandRAMarehugelyunderutilized.Thisisknownasserversprawlandisamajorissueinthecomputingindustry.Usingvirtualizationtechnologieshelpssolvethisproblem.

Thefollowingscreenshotisanexampleofamachineexperiencingserversprawl:


Figure4.37–UnderutilizedhardwareonaWindowsmachine

Thehypervisorapplicationallowsustoallocatevirtualresourcestoeachvirtualmachineasweseefit.Therefore,wecanassignvariousamountsofRAMto


differentvirtualmachines,andlikewiseforCPUcoresandothervirtualhardwarecomponents.

ThefollowingscreenshotshowsavirtualmachinesettingswindowinVMwareWorkstationPro:

Figure4.38–VirtualMachineSettings

Asyoucanseeintheprecedingscreenshot,thehypervisorapplicationallowsyoutocustomizetheentirevirtualenvironment,allowingyoutoadd,modify,


andremovevirtualhardwarecomponentsonavirtualmachine.

Virtualizationtechnologyhasbeenaroundinthecomputingindustryforoveradecade.Withinthelast10years,therehasbeenagrowingneedforprofessionalswhocanimplementandsupportdatacenterenvironmentstocreatecloudcomputingtechnologies.Inthenextsection,wewillexplorevariouscloudcomputingarchitectures.

CloudcomputingWhatiscloudcomputing?Cloudcomputingallowsustousecomputingresourcesthatarelocatedinsomeoneelse'sdatacenterviatheinternet.Intoday'sworld,theneedtohavephysicalserversinanorganizationisslowlydisappearing.

Havingphysicalserverswithinanorganizationhasthefollowingdownsides:

AnITteamisrequiredtoalwaysbeavailabletomanagetheservers.

Serversrequirephysicalstoragespaceinabuilding.

Theyusealotofpower(electricity).

Theygeneratealotofheatbecausethedevicesarealwayspoweredon.

Ifahardwarefailureoccursonaserver,thismaycauseadisruptioninnetworkservices.

Withcloudcomputing,anorganizationcaneliminatetheneedforphysicalserversandsimplypayforonlytheresourcesitusesfromacloudcomputingserviceprovidersuchasMicrosoftAzure,Amazon'sAWS,orGoogle'sGCP.On


thebackendofcloudproviders,theyusealotofvirtualizationandautomationtechnologiestoquicklyspinupresourcesfortheircustomerswithinamatterofminutes.Eachapplicationandserverdeployedonacloudplatformisavirtualmachineontheprovider'sbackend.

OnesuchexampleistheemailservicesprovidedbyMicrosoftandGoogle.MicrosoftoffersOffice365andGoogleoffersGSuite;eachproviderhasaplanthatcostsaboutUSD5-6peruserpermonth.Thisallowsanorganizationtosimplypayforthenumberofemployeesthatrequireanemail.Ifanemployeerequiresadditionalservicesorstorage,theplanallowstheorganizationtosimplypayfortheadditionalserviceorfeaturesforthatuser.Thisprovidesgreaterflexibilityforemployersandorganizations.

Thefollowingarebenefitsofusingcloudcomputingtechnologies:

Cloudcomputingserviceprovidersusuallyguaranteeover99%uptimeannually.

Cloudcomputingservicesareaccessibleanywhereandanytime.

Itreducesthenumberofphysicalserviceswithinanorganization.

Cloudcomputingprovidersareresponsibleforallhardwaremaintenanceonthevirtualserversandservices.

Organizationsonlypayforwhattheyusefromaserviceprovider.

Serviceprovidersallowthecustomertoscaletheirplatformorservices.

Thoughtherearemanybenefitstousingcloudcomputing,therearealsosomedisadvantages:


Whenusingacloudcomputingplatform,youdonothavefullcontrolofthebackendplatformasitismanagedbytheserviceprovider.

Youneedtosecureyourcloudplatformjustasyouwouldhavetosecurelocalserversinyourorganization.

Aninternetconnectionisrequiredfromtheuser'sendtoaccessresourcesonline.

Overtheyears,Ciscohasadaptedtocloudcomputingtechnologies.MostofthetimewhenwethinkofaCiscorouter,switch,orevenafirewall,wethinkofaphysicaldevice.However,therearemanyvirtualappliancessoldbyCiscothatenableyoutodeployahypervisorwithinyourorganization,yourpersonalcloudplatform,oronareputablecloudserviceproviderinfrastructure.

Tip

CheckouttheCiscoDevNetwebsitetolearnmoreabouttheircloudtechnologiesathttps://developer.cisco.com/.

Inthenextsection,youwilllearnaboutthevariouscloudcomputingservicearchitecturesanddeliverymodels.

CloudservicesAcloudcomputingproviderhasmanyservices,allofwhichusuallybelongtooneofthreeparentcategories:

Software-as-a-Service(SaaS)


https://developer.cisco.com/

Platform-as-a-Service(PaaS)

Infrastructure-as-a-Service(IaaS)

Inthefollowingsections,wewilldescribeeachoftheseinfurtherdetail.

SaaSInaSaaSmodel,theuserisonlyprovidedwiththeapplication'suserinterfaceonthefrontend.AnexampleofaSaaSserviceisOffice365ortheGSuiteapplications,wheretheuseraccessestheapplicationstheyusesuchastheiremailinbox–SharePoint,GoogleDocs,orMicrosoftOffice365–usingawebbrowser.Theapplicationisnotinstalledontheuser'sdevice.

InaSaaSenvironment,theuserdoesnothavetobeconcernedwiththehardwareortheunderlyinginfrastructurerequiredtodelivertheapplication.Thecloudserviceproviderisresponsibleforallthetechnicalrequirements,suchasapplicationupdatesandpatchingandhardwareresources,whichensuretheapplicationisworkingproperlyfortheuser.

PaaSThePaaSmodelisdesignedtoallowtheuseraccesstoanyunderlyingapplicationssuchasprogrammingframeworksandapplicationdevelopmentenvironments.Withthismodel,theuserhasabitmorecontrolovertheworkingenvironmentthantheydowithSaaS.SomeexamplesofPaaSareAWSElasticBeanstalk,GoogleAppEngine,andMicrosoftAzure.WithPaaS,theserviceprovidersuppliestheuserordeveloperwithsoftwaretools.


IaaSIaaSprovidestheuserwithmorecontroloverthephysicalhardwareandsoftwareresourcesonthecloudplatform,allowingtheusertomodifystoragecontainers,networkingconfigurations,andsoon.Additionally,theuserisabletodeployvirtualappliancessuchasvirtualfirewalls,routers,switches,andotherappliancesonthecloudprovider'splatform.ExamplesofIaaSprovidersareMicrosoftAzure,AWS,andGCP.

Inthenextsection,wewilltakealookatclouddeliverymodels.

ClouddeliverymodelsIntheworldofcloudcomputing,therearefourmaintypesofdeploymentmodelsforacloudinfrastructure.Theseareprivate,public,hybrid,andcommunitycloudmodels.Inthissection,wewilltakealookateachofthemtounderstandhowauserororganizationisabletoaccessresourcesacrossanetworkandtheinternet.

PrivatecloudInaprivatecloud,theorganizationownsthedatacenterandtheinfrastructurethatisusedtomanageit.Alotofcompaniesbuildtheirownlocal/internalhostdatacenter,runningalltheircriticalapplicationsfortheiremployeesandusers.Inthistypeofcloud,theorganizationisresponsibleforthemaintenanceandsupportoftheircloudplatform.

Publiccloud


Inapubliccloud,thecloudinfrastructureisownedbyanotherorganization,whorentspartoforanentiredatacentertootherorganizationsorindividuals.ExamplesofgeneralcloudsareMicrosoftAzureandAmazon'sAWS.IfyouwanttocreateavirtualMicrosoftWindowsServer2019onthecloud,it'sassimpleasaccessingtheAzureplatform,choosingtherighthardwareconfigurationsforthevirtualmachine(CPU,RAM,SSD/HDD),andpayingforonlytheresourcesyouuse.Somecloudproviderschargeyoubytheminute,whilesomechargeperhour.

Hybridcloud

Thehybridcloudmodelconsistsofaprivateandpubliccloud.Organizationsusuallyhaveaprivatecloudhostingtheirapplicationsanddata.Theprivatecloudprovidesfasterdatatransferratesbetweentheuserswithintheorganizationasitislocallyhosted.However,theorganizationalsopaysforapubliccloudservice.Thisallowsthemtoensuretheycontinuouslyreplicatetheprivatecloudontothepubliccloudforredundancyandavailability.

Communitycloud

Thecommunitycloudmodelisatypeofdeploymentthatallowsseveralorganizationstoshareresourcesonasinglecloudprovider.Thiscanbeagrouporpartnershipofcompaniessimplysharingresourceswitheachother.

Havingcompletedthissection,younowhavetheskillstodescribeandidentifyvarioustypesofcloudtechnology.

SummaryThroughoutthecourseofthischapter,wehavediscussedtheimportanceof


discoveringphysicalissuesthatmaycauseerrorsandcollisionsonanetwork.Havinglearnedaboutspeedandduplexconfigurationsandhowtheyaffecttrafficflow,younowhavetheessentialskillstoperformtroubleshootingatlayer1oftheOSIreferencemodel.

Additionally,wehavecoveredtheessentialprinciplesofwirelesscommunicationonanIEEE802.11network.Wehavelookedindepthathowchannelsandfrequenciesallworktogethertodelivermessagesbetweendevices.Additionally,wehavediscussedvariousCiscowirelessarchitecturesandseenthebenefitsofusingonedeploymentmodeloveranotherbasedonthesizeofthewirelessnetwork.WehavealsocoveredthestepsrequiredtoaccessanddeployaCiscoWLConanetwork.

Nowthatyouhavecompletedthischapter,youshouldbeabletodescribevariouswirelessprinciplessuchastheoperationofchannels,RFs,andSSIDs.YoualsonowhavetheskillstoimplementaCiscoWLConanetworkandconfigureWLANs,security,andQoSfeatures.Lastly,youhavelearnedabouttheimportanceofvirtualizationandtheroleitplaysincloudcomputing.

IhopethischapterhasbeeninformativeforyouandhelpsyouinyourjourneytowardlearninghowtoimplementandadministerCiscosolutionsandpreparefortheCCNA200-301certification.Inthenextchapter,Chapter5,ImplementingVLANs,Layer2DiscoveryProtocols,andEtherChannels,wewilllearnhowtosegmentyournetworktoimproveperformanceandsecurity,andimplementlinkaggregationtechnologiesanddiscoveryprotocols.

QuestionsThefollowingareashortlistofreviewquestionstohelpreinforceyourlearning


andhelpyouidentifyareasthatrequiresomeimprovement:

1. Whatisthestandardusedtodefineawirelessnetwork?

A.IEEE802.3

B.IEEE802.15

C.IEEE802.11

D.IEEE802.16

2. Onawirelessnetwork,whatmeasurementisusedtodeterminesignalstrength?

A.Amps

B.Gbps

C.dBm

D.RSSI

3. WhichofthefollowingfrequenciesdoesanAPuses?

A.5GHz

B.6GHz

C.2GHz

D.4GHz

4. The________isknownasthecoverageareaofwirelesssignal.


A.SSID

B.BSA

C.ESSID

D.BSSID

5. WhichofthefollowingisusedbyawirelessclienttoidentifyanAP?

A.SSID

B.BSA

C.ESSID

D.BSSID

6. WhichCiscowirelessarchitectureallowsanAPtobeindependentlymanaged?

A.Autonomous

B.Meraki

C.Split-MAC

D.Flex+Connect

7. WhatportsareusedinaCAPWAPtunnel?

A.TCP5246

B.UDP5246


C.TCP5247

D.UDP5248

8. WhichmodedoestheAPusetocapturetraffic?

A.Flex+Connect

B.Monitor

C.Sniffer

D.SE-Connect

9. A_________isrequiredtoemulateavirtualenvironment.

A.Linux

B.MicrosoftWindowsServer

C.CPU

D.Hypervisor

10. Whichcloudserviceprovidesonlytheapplicationuserinterface?

A.IaaS

B.SaaS

C.PaaS

D.Privatecloud


11. Whichcommandallowsyoutoseethephysicalissuesonaninterface?

A.showversion

B.showipinterface

C.showinterface

D.showinterfacefa0/1switchport

12. Whatisthedefaultoperatingspeedofaninterface?

A.1000

B.Auto

C.100

D.10

13. Whichcommandsquicklyallowyoutochecktheduplexmodeonaninterface?(Choosetwo)

A.showinterfacestatus

B.showipinterfacebrief

C.showinterfacetrunk

D.showinterfaces

14. Whichofthefollowingdescribesaframewithlessthan64bytesinsize?


A.Giant

B.CRC

C.Runt

D.Collision


TheRoadtoWi-Fi6:https://www.cisco.com/c/en/us/products/collateral/wireless/e-nb-06-preparing-for-wifi-6-ebook-cte-en.html

CiscoWLCconfigurationguide:https://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-installation-and-configuration-guides-list.html

CiscoWirelessArchitecture:https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob41dg/emob41dg-wrapper/ch2_Arch.html


https://www.cisco.com/c/en/us/products/collateral/wireless/e-nb-06-preparing-for-wifi-6-ebook-cte-en.html

https://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-installation-and-configuration-guides-list.html

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob41dg/emob41dg-wrapper/ch2_Arch.html

ThissectionteachesyouhowtologicallysegmentanetworkbyimplementingVirtualLocalAreaNetwork(VLAN)practices,allowingmultipleVLANstoexchangedata,anddesigninganenterpriseswitchednetworkusingtheSpanning-TreeProtocol(STP).


Chapter5,ImplementingVLANs,Layer2DiscoveryProtocols,andEtherChannels

Chapter6,UnderstandingandConfiguringSpanning-Tree


Section2:NetworkAccess


Chapter5:ImplementingVLANs,Layer2DiscoveryProtocols,andEtherChannelsAsyou'rebuildingyournetwork,youwillbelearningalotaboutconfigurationsandtechniquestoensureyouhaveanoptimallyperformingnetwork.However,let'snotforgetabouttheactualengineeringaspectofcomputernetworking.TherearemanytechnologiesatalllayersoftheOSIreferencemodel,andaTCP/IPprotocolsuitethathelpsustocreateanefficientnetwork.

Throughoutthischapter,youwilllearnabouttheimportanceofsegmentingaflatphysicalnetworkintosmallerbroadcastdomainstoimprovebothnetworksecurityandtheefficiencyofnetworkperformance,usingalayer2technologyknownasVirtualLocalAreaNetwork(VLAN).YouwillalsolearnaboutthevarioustypesofVLANsanduseablerangeswithinanorganization,andhowtoimplementandestablishend-to-endconnectivitybetweendevicesanddifferentVLANsonanetwork.

Additionally,you'lldiscoverhowtomapanetworktopologybyutilizingvariouslayer2discoveryprotocols,suchasCiscoDiscoveryProtocol(CDP)andLink-LayerDiscoveryProtocol(LLDP).Lastly,you'lllearnhowtobundlemultiplephysicalportsonaswitchtoactasasinglelogicalinterfacetoprovidehigh-bandwidthlinksbetweenswitches.


UnderstandingVLANs

TypesofVLANs


ConfiguringVLANsandtrunks

Implementinginter-VLANrouting

Enablingdiscoveryprotocols

UnderstandingandconfiguringEtherChannels

TechnicalrequirementsTofollowalongwiththeexercisesinthischapter,pleaseensurethatyouhavemetthefollowinghardwareandsoftwarerequirement:


Thecodefilesforthischapterareavailableathttps://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2005.

CheckoutthefollowingvideotoseetheCodeinAction:https://bit.ly/33WlzIG

UnderstandingVLANsInasmallLANoperatingatoptimalperformance,therearetypicallyafewdevicesexchangingmessagessimultaneously.Asanorganizationgrowstosupportmorebusinessservices,sodoesanetworktosupportmoreconnectedusersandnetworkapplications.Physically,expandinganetworkseemssimple,butwealsoneedtoconsiderthelogicaltrafficflowanditscapacitybetweendevices.Forushumans,wedon'tseetheactualtrafficflowingacrossanetworkwithoutusingtoolssuchasWireshark.




https://bit.ly/33WlzIG

Importantnote

Wiresharkisanetworkprotocolanalyzerthathastheabilitytodisplaytherawdetailswithinapacket.

Let'simaginethatwithinanorganization,therearehundredsofdevicesallconnectedtothesamephysicalnetwork.Ifonedevicesendsabroadcast(shoutsonthenetwork),allotherconnecteddeviceswillreceiveandprocesseachbroadcastmessage.Whatifalotmoredevicesaregeneratingbroadcastmessagessimultaneously?Thehighamountofbroadcastmessageswillbegintofloodthenetwork,causingnetworktrafficcongestion.

Additionally,withthehighlevelofbroadcastmessagespropagatingthenetwork,allotherdeviceswillbeusingunnecessarycomputingresourcestoconstantlyprocesseachbroadcastmessageadevicereceives.Havingtoomuchunnecessarytrafficonanetworkcancausedeteriorationinthenetworkperformanceandadverselyaffecttheuserexperience.Thinkofthenetworkasanation'sroadways–duringcertaintimesoftheday/night,therearefewervehicles,allowingyoutoreachyourdestinationquickly.Duringpeaktimes,ontheotherhand,suchasafter-workhours,thereismoretraffic,andittakeslongertoarriveatyourdestination.

Thefollowingaresomeimportantconcernsforanorganization:

Howdowereducetheamountofunnecessarymessages(traffic)onanetwork?

Howdoweimprovethenetworkperformance?

Thereisvoice,video,anddatatrafficthatneedstobeseparated.Howcan


thisbedonewithoutspendingmoneyonnewequipment?

Howcanwecreateaseparatenetworkfordevicesanduserswithsimilarjobroles?

TheanswertoallthesequestionsisVLAN.WhatdowemeanbyVLAN?Howcanaphysicalnetworkbevirtualandstillsupportallconnectedusersanddevices?Thisiswherewebeginourjourneyoflearninghowtomovefromaflatlayer2networkintoamorestructuredandhierarchicalnetworkusingCiscoIOSswitches.

AVLANisavirtuallayer2networkthatprovidestheabilitytoreducethesizeofabroadcastdomain.Imagineanenterprisenetworkwithover100devicesallinterconnectedusingswitches.Whenanenddevicesendsabroadcastmessage,allotherdevicesreceiveandprocessit.Thisisreferredtoasalayer2broadcastdomain.Itissimplyalogicalsegmentthatallowsallconnecteddevicestoreachothersviathedatalinklayer.Togetabetterunderstandingofhowtoidentifybroadcastdomains,let'stakealookatthefollowingtopology:


Figure5.1–Broadcastdomains

Whenanenddevicesendsabroadcastmessage,theswitchthatreceivesthemessagechecksthedestinationMACaddresswithintheframetomakeaforwardingdecision.Inalayer2broadcastmessage,thedestinationMACaddressisFF-FF-FF-FF-FF-FF.Therefore,theswitchwillsendtheframe

outallotherports,andifthereareotherswitchesonthesamenetwork,theytoowilldothesame.Alayer2broadcastisstoppedbyalayer3device,suchasarouter.

Reviewingthepreviousdiagram,ifPC1sendsalayer2broadcastmessage,only


PC2,PC3,andtherouter'sconnectedinterfacewillreceiveit.Therefore,thisisonebroadcastdomain.IfR1sendsabroadcastmessageoverthelink,connectingbothR1andR2,onlyR2willreceivethebroadcastmessage,hencethisisanotherbroadcastdomain.Lastly,ifPC4sendsabroadcast,onlyPC5,PC6,andtheR2LANinterfacewillreceiveit,meaninganotherbroadcastdomain.Overall,thetopologyhasatotalofthreebroadcastdomains.

Tip

Eachportonaswitchcanbeidentifiedasacollisiondomain.Additionally,eachportonaroutercanbeidentifiedasbothacollisiondomainandabroadcastdomain.

Ratherthanusingmultipleroutersonanetworktocreatephysicalsegmentation,VLANsallowsustoperformlogicalsegmentationthroughtheCiscoIOSswitchesviasoftware.

Thefollowingdiagramshowsasinglephysicalnetworkwherealldevicesareonthesamebroadcastdomain:


Figure5.2–Physicalnetworkinabuilding

Let'ssaytheorganizationhasthreedepartments(Sales,HR,andIT)whereacomputer/deviceofeachdepartmentresidesateachfloorofthebuilding.WecanconfigureourswitcheswithVLANstoprovidethefollowing:


Figure5.3–NetworkwithVLANs

ApartfromimplementingVLANsusingswitches,wealsoneedtoassigneachVLANauniquesubnet,asintheprecedingdiagram.Remember,aVLANisalogicalnetworkandtherefore,eachdeviceonaVLANwillneedanIPaddresstocommunicatewithotherdevices.


IftherearemultipleVLANsonaphysicalnetwork,howdoesthetrafficremainlogicallyseparatedfromotherVLANtraffictransferringonthesameswitches?Firstly,VLANsareassignedontheswitch'sinterfaceandanytraffic(frame)thatentersaswitch'sinterfacebecomestaggedwithanIEEE802.1Qtag,

containingtheVLANID.Theseinterfacesareknownasaccessports.OnlyoneVLANisallowedtobeassignedtoanaccessport;theonlyexceptionforhavingtwoVLANsonthesameaccessportiswhenoneVLANisadataVLANandtheotherisavoiceVLAN.Togetabetterunderstandingofhowtheswitchisolatestraffic,let'stakealookatthefollowingdiagram:

Figure5.4–VLANassignmentperinterface

IfPC1sendstraffictoFa0/1,theswitchwillinsertanIEEE802.1Qtagthat


containsVLAN10onalltrafficenteringthatinterface.Similarly,anytrafficenteringFa0/2willbetaggedwithVLAN20.

Thefollowingdiagramisarepresentationofan802.1Qtagwithinaframe:

Figure5.5–Taggedframe

WhilethereisdifferentVLANtrafficmovingwithinandbetweenswitchesonaphysicalnetwork,theswitcheswillkeepeachVLANtrafficseparatedfromotherVLANs,hencethetermvirtuallocalareanetwork.Beforetrafficexitsanaccessport,theswitchremovestheIEEE802.1Qtaggingfromtheframe

becausetheenddeviceisnotconcernedabouttheVLANID,butratherthedatastoredintheframeitself.

TocreateaVLANonaCiscoIOSswitch,usethefollowingcommands:

SW1(config)#vlan10

SW1(config-vlan)#nameSales

SW1(config-vlan)#exit

TodeleteaVLAN,usethefollowingcommand:

SW1(config)#novlan10

Alwaysremembertoremoveaconfigurationfromrunning-config;usethe


negatedformoftheoriginalconfiguration,suchasnofollowedbythe

remainingportionsofthecommand.

Importantnote

VLANsarenotabletocommunicatewithoneanotherbydefault.ThismeansdevicesonVLAN10arenotabletocommunicatewiththosethatareonVLAN20oranotherVLAN.Aroutercanbeusedtoperformatechniquecalledinter-VLANroutingtomovetrafficbetweenVLANsonanenterprisenetwork.

NotonlydoVLANsallowyoutocreatesmallerbroadcastdomainswhileimprovingnetworkperformance,buttherearealsoadditionalbenefits,suchasthefollowing:

Reducedcosts

Improvedsecurity

BothimprovedITefficiencyandmanagement

HowdoVLANsreducecostsonanetwork?Let'simaginethattheorganizationhasaVoice-over-IP(VoIP)network,containingalltheirIP-basedphonesandaunifiedcommunicationserver.Allvoice(andvideo)trafficusesUDPasthepreferredtransportlayerprotocolforitslowoverheadinanetwork.It'sagoodideatoensureallvoicetrafficremainsseparatefromdatatraffic.ThisisbecausedatatrafficusuallyusesTCP,whichisconnection-oriented;therefore,theroutersandswitcheswillprioritizeTCPoverUDPbydefault,andadditionally,UDPtraffichasahighchanceofbeingdiscardedoverTCPifthereisanycongestiononasegmentalonganetwork.Ratherthanimplementingaphysicallyseparatenetworkforadifferenttraffictype,agoodstrategyistoimplementaVLANfor


allvoicetraffic.Asaresult,allvoice-relateddevices,suchasIPphones,willbeonthevoiceVLANandthevoicetrafficwillbeseparatefromalldatatraffictypes.

HowdoVLANsimprovesecurityonanetwork?Let'sthinkofanetworkwithoutVLANs.Alldevicesconnectedtoanyofthelayer2switcheswillbeabletoexchangemessageswithallotherconnecteddevicesaswell.Fromanetworkingpointofview,thisagoodthing,right?Butfromasecuritypointofview,thisisbadasthereisnosegmentationoftrafficanddevices.Thus,amalicioususercaninserttheirdeviceintothenetworkandreachallotherdeviceseasily.VLANshelpustocreatelogicallyseparatednetworksandallowustoapplyalayer3technologyontheCiscoIOSroutersknownasAccessControlLists(ACLs)tofiltertrafficbetweenVLANs.

HowcanITefficiencyandmanagementbeimprovedbyaddingVLANstoanetwork?Let'simaginethatrecentlysomeorganizationalchangestookplacewhereuserswererelocatedtootherareaswithinabuilding.Withouthavingtophysicallymoveacomputerfromoneareaofanetworktoanother,thenetworkadministrator/engineercansimplyreassigntheVLANIDontheswitch'sphysicalinterface.ReconfiguringaVLANIDtakesafewseconds,andtheconnecteddevicewillbeonanentirelydifferentnetworkoncethereconfigurationisdone.

VLANrangesVLANsareidentifiedbyanumericalvaluewithintheirconfigurationsandtheframe.However,asnetworkprofessionals,therearetwodifferentrangesofVLANsthatareavailabletous.Theseareasfollows:


Normalrange

Extendedrange

ThefollowingarethecharacteristicsforthenormalrangeofVLANs:

TheseareVLANIDsthatrangefrom1–1005.

VLANs1002to1005arereservedforvariouslayer2technologies,such

astokenringandFiberDistributedDataInterface(FDDI)technologies.

VLANs1and1002–1005areautomaticallycreatedonCiscoIOS

switchesandcannotbedeleted.

VLANsarestoredinaspecialdatabasefileknownasvlan.datinflash

memory.

Ifyouusetheshowflash:commandinprivilegemodeonaCisco

IOSswitch,youwillseethevlan.datfile.Ifyouarefactoryrestoringa

switch,besuretousethedeletevlan.datcommandtodeletethe

VLANdatabasefile.

ThefollowingarethecharacteristicsoftheextendedrangeofVLANs:

TheseVLANsrangefrom1006to4094.

Theconfigurationsarenotstoredinthevlan.datfileascomparedto

thenormalrange.

Theconfigurationsarestoredintherunning-configfilebydefault.


TherearefewerVLANfeaturesintheextendedrangescomparedtothenormalrange.

Let'snowhavealookatthetypesofVLANs.

TypesofVLANsTherearefivemaintypesofVLANsthatexistwithinswitches.Inthissection,wewilllearnabouteachofthesetypesofVLANsandhowtheyareusedwithinanenterprisenetwork.

Default:WhenyoubuyanewCiscoIOSswitch,itworksstraightoutofthebox.ThismeansifyoupluganydevicewithasuitableIPschemeintophysicalinterfaces,theyareabletoexchangemessagesbydefaultwithoutanyconfigurationsontheswitch.CiscoIOSswitchescontaindefaultconfigurations,butmostimportantly,allportsareassignedtothedefaultVLAN.Hence,allconnecteddevicesareabletoexchangemessages.

ThefollowingarethecharacteristicsofthedefaultVLAN:

ThedefaultVLANisVLAN1.

AllportsonaCiscoIOSswitchareassignedtoVLAN1bydefault.

ThemanagementVLANisVLAN1bydefault.

ThenativeVLANisVLAN1bydefault.

VLAN1cannotberenamed.

SinceVLAN1isthedefaultVLAN,itshouldnotbeusedatallonanetworkfor


securityreasons.

Data:WhenyoucreateaVLANonaCiscoIOSswitch,itcanbeusedforanypurposeyouchoose.TheseVLANsareassignedtoaphysicalinterfaceontheswitch;theseinterfacesareknownasaccessports.Theswitchtagsallinboundtrafficenteringtheswitchanditremainstaggeduntilitexitsanaccessport.DataVLANsallowalltypesofframestotransversetothenetwork.OnlyonedataVLANcanbeassignedtoaswitchinterface.

ToassignaVLANtointerface,usethefollowingcommandwithininterface

mode:



SW1(config-if)#switchportaccessvlanvlan-ID


SW1(config-if)#exit

Theswitchportmodeaccesscommandstaticallysetstheinterfaceasan

accessportandtheswitchportaccessvlanvlan-IDcommand

assignsaVLANtotheinterface.

Additionally,toresettheinterfacetoitsdefaultsettings,usethefollowingcommands:


SW1(config-if)#noswitchportmodeaccess

SW1(config-if)#noswitchportaccessvlan


SW1(config-if)#exit

Onceagain,wehaveusedthenegatedformoftheoriginalconfigurationstoresettheinterfacetoitsoriginalstate.

Voice:ThevoiceVLANisself-explanatory.ItisusedtotransportvoicemessageswhilekeepingthemseparatefromotherVLANsonthenetwork.EnsuringthevoicenetworkislogicallyseparatedfromthedatanetworkwillresultinasignificantimprovementforVoIP.

ToassignavoiceVLANonaninterface,usethefollowingcommandwithininterfacemode:

Switch(config)#interfaceFastEthernet0/1

Switch(config-if)#switchportmodeaccess

Switch(config-if)#switchportvoicevlanvlan-ID

Bydefault,therecanonlybeoneVLANonaninterface.However,theexceptionforhavingtwoVLANsassignedonasingleinterfaceiswhereoneisadataVLANandtheotherisavoiceVLAN.

Management:ThemanagementVLANisusedtoremotelyaccesstheswitchoveranetworkformanagementpurposes.Toputitsimply,itistheSwitchVirtualInterface(SVI),whichisconfiguredwithanIPaddressandsubnetmask.AnetworkadministratorcanuseHTTP,HTTPS,Telnet,orSSHtoremotelyconnecttoandmanagethedevice.

TocreateamanagementVLANorSVI,usethefollowingconfigurations:



Switch(config)#vlan99

Switch(config)#nameManagement

Switch(config-vlan)#exit

Switch(config)#interfacevlan99

Switch(config-if)#ipaddress10.0.0.2255.255.255.0

Switch(config-if)#noshutdown

Switch(config-if)#exit

PleasekeepinmindthatthemanagementVLANshouldbeonaseparateIPsubnetfromtheremainderofthenetwork.Thiswillhelpimprovesecurityandaccessmanagementtodevices.DonotcombinethemanagementVLANwithanotherVLANonthenetwork;itisbadpracticetodoso.

Native:ThenativeVLANisusedtotransportuntaggedtrafficacrossanIEEE

802.1Qtrunklink.Wheneveranenddevicesuchasacomputersendstraffic

intoaswitch,thereceivingswitchportinsertsIEEE802.1Qtag(VLAN

ID)intotheframe;thisisknownastaggedtraffic.However,untaggedtrafficdoesnotoriginatefromaswitchport,sowheredoesitcomefrom?Anexampleofuntaggedtrafficissimplytrafficthatisgeneratedbyswitchesandroutersthemselves,suchasCDPmessages.

ToassignanativeVLANtoatrunkinterface,usethefollowingconfigurations:


SW1(config-if)#switchportmodetrunk

SW1(config-if)#switchporttrunknativevlannative-


vlan-ID

Ensureyoustaticallysettheinterfaceintotrunkmodeusingtheswitchport

modetrunkcommand,thenusetheswitchporttrunknative

vlancommandtochangethenativeVLANfromitsdefaultsettings.

Importantnote

ThenativeVLANmustmatchbetweentrunkinterfaces.IfthenativeVLANdoesnotmatch,youwillexperienceconnectivityissuesonthetrunklink.

Inthenextsection,wewilldescribehowswitchesallowmultipleVLANstospanacrosstheentirelocalareanetworkusingtrunks.

TrunkinterfacesImplementingtrunkshelpsussolvemajorissueswhenspanningVLANsacrossmultipleswitchesonanetwork.TrunksallowustotransportVLANtrafficsimultaneouslybetweenswitchesasopposedtousinganaccessport,whichonlyallowsasingleVLAN.Togetabetterunderstanding,let'stakealookatthefollowingdiagramwhereanaccesslinkisconfiguredbetweentheswitches:


Figure5.6–Accesslinkbetweenswitches

Intheprecedingtopology,anaccesslinkisconfiguredbetweenbothswitches.However,VLANID10isassignedonbothphysicalinterfaces.ThismeansPC1isabletoexchangemessageswithPC3,astheyarebothonVLAN10,butnoneoftheVLAN20trafficisallowedbetweentheswitches.Thisisbecausetheaccessportsareconfiguredbetweentheswitches,whichallowsonlyoneVLAN.

Importantnote

Thelinkbetweenaswitchtoanotherswitchisknownasatrunkandthelinkbetweenaswitchtotherouterisalsoknownasatrunk.

TrunksallowswitchestocarrymultipleVLANtrafficbetweenthem.Thefollowingdiagramshowstheeffectofconvertingthelinkbetweentwoswitches


intoatrunk:

Figure5.7–Trunklinkbetweenswitches

Asexpected,bothVLAN10andVLAN20trafficisallowedtoflowbi-directionally,thereforeallowingdevicesPC2toexchangemessageswithPC4.

Tocreateatrunkinterface,usethefollowingcommands:

Switch(config)#interfaceFastEthernet0/1

Switch(config-if)#switchportmodetrunk

Switch(config-if)#switchporttrunkallowedvlan

10,20,30

Switch(config-if)#switchporttrunknativevlanvlan-

ID




Thefollowingisabreakdownoftheconfigurationsusedtocreateatrunk:

1. (Optional)InolderCiscoswitches,youmayneedtoexecutetheswitchporttrunkencapsulationdot1qcommandbefore

settingthemodetoTrunkontheinterface.OlderCiscoswitchessupport802.1QandInter-SwitchLink(ISL).CiscoISLisanolderCiscoproprietaryencapsulationprotocolthatisnolongerbeingusedonnewerdevices;therefore,youwouldneedtochoosetheencapsulationtypebeforeenablingtrunking.

2. Theswitchportmodetrunkcommandisusedtostatic-setthe

interfaceintoTrunkmode.

3. Theswitchporttrunkallowedvlancommandisusedtoset

whichVLANsareallowedacrossthetrunklink.

4. Lastly,usingtheswitchporttrunknativevlancommandsets

thenativeVLANontothetrunkinterface.

5. ToremovetheallowedlistofVLANsonatrunkinterface,usetheno

switchporttrunkallowedvlancommand.

6. ToresetthenativeVLANtoitsdefault,usethenoswitchport

trunknativevlancommand.

Nowthatyouhavecompletedthissection,youwilllearnaboutanauto-negotiationfeatureonCiscoIOSswitchinterfaces,theDynamicTrunking


Protocol(DTP).

DynamicTrunkingProtocolSofar,wehavelearnedthatswitchportscanbeeitheranaccessportoratrunkport.However,aswitchporthasafewothermodesthatallowittonegotiatewhethertoestablishanaccessortrunklinkbetweentwoswitches.ThisprotocolisknownasDTP.

Importantnote

Bydefault,DTPisenabledonCiscoIOSswitcheswhileapplyingthedefaultmode:dynamicauto.

ThefollowingarethevariousDTPmodesonaswitchinterface:

switchportmodeaccess:Putstheinterface(accessport)intoapermanentnon-trunkingmodeandconvertsthelinkintoanon-trunklink.

switchportmodedynamicauto:Makestheinterfaceabletoconvertthelinktoatrunklink.ThisisthedefaultmodesetonCiscoswitches.

switchportmodedynamicdesirable:Theinterfaceactivelyattemptstoconvertthelinktoatrunklink.

switchportmodetrunk:Putstheinterfaceintopermanenttrunkingmodeandconvertstheneighboringlinkintoatrunklink.

Additionally,applyingtheswitchportnonegotiatecommandprevents

theinterfacefromgeneratingDTPframes.WithoutDTPmessagesbeingsent


out,theinterfacewillturn-upfaster,asitdoesnothavetonegotiateitsstatus.Youcanusethiscommandonlywhentheinterfaceisstaticallyconfiguredasanaccessportortrunkinterface.Furthermore,youmustmanuallyconfiguretheneighboringinterfaceasatrunkinterfaceinordertoestablishatrunklinkbetweentheswitches.

Importantnote

Theshowdtpinterfaceinterface-idcommandcanbeusedto

determinethecurrentDTPmodeonaswitchport.Alternatively,youcanusetheshowinterfaceinterface-idswitchportcommandtovalidate

boththeadministrativeandoperationalmodesoftheinterface,aswellasDTPmode.

ThefollowingchartprovidesallthepossibleoutcomeswhentwoswitchinterfacesareconfiguredwithaDTPmode:

Figure5.8–DTPnegotiationchart


Togetabetterunderstandingofthis,let'simaginetwoswitches,AandB,areinterconnectedusingacable.Ifbothswitcheshavedefaultconfigurations,whatisthetypeoflinkformedbetweenthem?SincethedefaultinterfacemodeonaCiscoIOSswitchisswitchportmodedynamicauto,accordingtothe

chart,theirportswillnegotiateintobeingaccessports.However,ifswitchAisconfiguredasswitchportmodedynamicdesirableandswitchBis

usingitsdefaultconfiguration,theresultwillbeatrunklinkbetweenAandB.

Nowthatyouhavecompletedthissection,let'slearnhowadeviceononeVLANisabletoexchangemessageswithanotherlocatedonaseparateVLAN.

Inter-VLANroutingInter-VLANroutingisthemethodusedtoallowdevicesononeVLANtocommunicatewithotherdevicesonanotherVLAN.Tomakethishappen,youwillneedasingleCiscoIOSrouterwithanavailablephysicalinterface.Nowadays,weuseatechniqueknownasrouter-on-a-stick,whichallowsustocreatemultiplesub-interfacesonasinglephysicalinterfaceonarouter.

Typically,eachportonarouterisusuallyconnectedtoauniquenetworkorsubnet.Let'simaginetherearefiveVLANsonanetwork,andeachVLANisalsoauniqueIPsubnet.Thismeansthatforeachsubnettocommunicateoutsideitsownnetwork,adefaultgatewayisrequired.Mostcommonly,networkprofessionalsconfigurethedefaultgateway'sIPaddressontherouter'sinterface,butinasituationwheretherearefiveVLANs,weneed5interfacesonthe

router.

WhenyoupurchaseaphysicalCiscoIOSrouter,itusuallycomeswith2–4

built-ininterfaces.Ifyourequireadditionalportsonthesamerouter,you'llneed


topurchasemoduleswith4networkportsthatcanbeinstalledinavailableslots

ontherouter.Overall,thismethodwillcostyoumoney.HowcanweconnectmultipleVLANsontoasinglerouter?

RatherthanconnectingeachVLANfromaswitchtoauniquephysicalinterface(therouter),wecancreatesub-interfaceswithinarouter'sphysicalport.Eachsub-interfacewillbeconfiguredtocarryspecificVLANtrafficandassignedthedefaultgatewayIPaddress.

Thefollowingdiagramisarepresentationofsub-interfacesonarouter:

Figure5.9–Sub-interfacesonarouter

TohaveabetterunderstandingoftrafficflowsbetweenVLANs,let'sexamine


thefollowingtopology:

Figure5.10–Inter-VLANrouting

Inthetopology,eachcomputerisonadifferentVLAN(Layer2)andonadifferentIPsubnet(Layer3).IfPC1sendsamessagetoPC2,thefollowingactionstakeplace:


1. PC1willdeterminethedestinationof(PC2)onadifferentIPsubnet.Therefore,PC1sendsthemessagetoitsdefaultgateway,10.0.0.1.

2. TheswitchreceivestheincomingmessagefromPC1onFastEthernet0/1andinsertsanIEEE802.1QtagwithVLAN10.

3. TheswitchchecksthedestinationMACaddressandforwardstheframeoutofitstrunkinterfacetotherouter.

4. TherouterreceivestheincomingmessagewithVLANID10initsGigabitEthernet0/1.10sub-interface.

5. Therouterchecksthedestination'sIPaddresswithintheinboundpacketandforasuitablerouteinitsroutingtable.TherouternoticesthedestinationnetworkisconnectedtoitsGigabitEthernet0/1.20sub-interface.

6. Therouterforwardsthemessageoutofthesub-interface,GigabitEthernet0/1.20,andtheswitchwillreceiveitonitstrunk.

7. TheswitchchecksthedestinationMACaddressandforwardsamessageoutoftheFastEthernet0/2interfacewithIEEE802.1Qremoved.

Thistechniqueallowsustocreatemanysub-interfacestosupporteachVLANwithinanenterprisenetwork.

Toconfigureasub-interfaceonarouter,usethefollowingsteps:

1. Createasub-interfaceusingthefollowingcommands:

R1(config)#interfaceGigabitEthernet0/1.10


2. AssociatetheVLANforthissub-interface:

R1(config-subif)#encapsulationdot1Q10

3. AssignthedefaultgatewayIPaddressontothesub-interface:

R1(config-subif)#ipaddress10.0.0.1

255.255.255.0

4. Exitthesub-interfacemodeusingtheexitcommand.

5. Toenableallsub-interfaceswithinaphysicalportontherouter,usethefollowingcommands:



R1(config-if)#exit

Whenyouapplynoshutdowntoaphysicalinterface,allsub-interfacesare

enabledautomatically.

Nowthatyouhavecompletedthissection,let'stakeahands-onapproachandstartimplementingVLANs.

Lab–implementingVLANsIt'stimetogetourhandsdirtywithsomehands-onexperienceofimplementingVLANsonanetwork.Togetstarted,we'llbeusingtheCiscoPacketTracerapplication,whichallowsustosimulateaCiscoenvironment.Withintheapplication,pleasedesignthefollowingnetworktopology:


Figure–5.11Networktopology

Besuretousethefollowingrecommendeddevicesandcomponents:

3Cisco2960switches.

1Cisco2911router.


6PCs.

Usecrossovercoppercablesbetweenswitches.

Useastraight-throughcoppercabletoconnectdifferentdevicestogether–forexample,PCtoswitchandroutertoswitch.

Usetheloggingsynchronouscommandunderlineconsole0to

preventanysyslogmessagesfrombreakingintoyourCLIwhileenteringconfigurations.

Onceyou'refinishedbuildingthetopology,usethefollowinginstructionstobothcreateandconfigureVLANsonaCiscoIOSswitch:

1. OnSW1,usethefollowingcommandstocreateeachVLANandassignaname:

SW1(config)#vlan10



SW1(config)#vlan20

SW1(config-vlan)#nameHR


SW1(config)#vlan30

SW1(config-vlan)#nameIT


SW1(config)#vlan99


SW1(config-vlan)#nameNative


2. EnsureyoucreatethesameVLANsonallotherswitcheswithinthetopology.IfaVLANdoesnotexistonaswitch,thatVLANtrafficwillnotbeallowedtopass.Toperformthistask,usethefollowingconfigurations:

SW2Configurations

SW2(config)#vlan10



SW2(config)#vlan20



SW2(config)#vlan30



SW2(config)#vlan99



SW3Configurations


SW3(config)#vlan10



SW3(config)#vlan20



SW3(config)#vlan30



SW3(config)#vlan99



3. Next,usetheshowvlanbriefcommandtoverifythattheVLANs

arecreatedandnamedproperly,asshown:


Figure5.12–VerifyingVLANs

Intheprecedingsnippet,alltheportsareassignedtoVLAN1bydefault.Inourlaterconfiguration,we'llreassignportsasshowninournetworktopology.

4. Let'sassigneachVLANtotheirrespectiveinterfacesusingthefollowingconfigurations:


SW1VLANAssignmentConfigurations



SW1(config-if)#switchportaccessvlan10

SW1(config-if)#switchportnonegotiate


SW1(config-if)#exit






SW1(config-if)#exit






SW1(config-if)#exit

SW2VLANAssignmentConfigurations







SW2(config-if)#exit






SW2(config-if)#exit






SW2(config-if)#exit

SincetherearenoenddevicesconnectedtoSW3,wedonothavetocreateaccessports.


5. Usetheshowvlanbriefcommandtoverifythattheinterfaceshave

beenreassignedonbothSW1andSW2.ThefollowingsnippetshowstheresultsonSW1:

Figure5.13–Interfaceassignments

Additionally,youcanusethefollowingcommandstogainspecificinformationaboutaVLAN:

--Useshowvlanidvlan-IDtoviewdetailsaboutaVLANifyou

knowtheVLANID.


--Useshowvlannamevlan-nametoviewdetailsaboutaVLAN

ifyouknowthenameoftheVLAN.

--Theshowvlansummarycommandprovidesaquicksummaryof

alltheVLANsontheswitch.

6. Usetheshowinterfaceinterface-idswitchport

commandtoviewtheadministrativeandoperationalstatusandtheVLANassignmentsonaspecificinterface,asshown:


Figure5.14–Verifyingtheinterfacestatus

Additionally,showrunning-configwillprovideyouwiththe

configurationslistedundereachinterface.

NowthatwehaveimplementedVLANsonallswitchesandmadeourassignmentstotheinterfaceaccordingly,let'snowmakethetrunkinterfaces


carryVLAN10,20,30,and99trafficbetweentheswitchesinourtopology.

Lab–creatingtrunkinterfacesInthissection,wewillbeusingthesametopologyfromtheprevioussectionandsimplycontinuingtheconfigurations.Togiveyouanideaofourobjective,we'llbeconfiguringthelinksshowninthefollowingdiagramastrunks:


Figure5.15–Trunkinterfaces

Tostartcreatingandconfiguringtrunkinterfaces,usethefollowingconfigurations:

1. ConfigurethetrunkinterfaceonSW1usingthefollowingconfigurations:

SW1TrunkInterfaceConfigurations



SW1(config-if)#switchporttrunkallowedvlan

10,20,30

SW1(config-if)#switchporttrunknativevlan99



SW1(config-if)#exit

AfterchangingthedefaultnativeVLANsettingfrom1to99,youwill

seeaSyslogmessage,asfollows:

%CDP-4-NATIVE_VLAN_MISMATCH:NativeVLANmismatch

discoveredonFastEthernet0/24(1),withSW3

FastEthernet0/24(99)

ThismessageisgeneratedbecausethenativeVLANsmustmatchbetweenswitchesthataresharingatrunk.Currently,wehavethenativeVLANsetto99onSW1butthenativeVLANremainsas1(default)on


SW3asithasn'tbeenadjustedyet.Theloggingsynchronous

commandwillpreventthismessagefrombreakingintoyourcommandlinewhileyouwork.

2. ConfigurethetrunkinterfaceonSW2usingthefollowingconfigurations:

SW2TrunkInterfaceConfigurations




10,20,30




SW2(config-if)#exit

3. ConfigurethetrunkinterfacesonSW3toshareVLANswithbothSW1andSW2,respectively,usingthefollowingconfigurations:

SW3Configuration–InterfaceconnectingSW1




10,20,30





SW3(config-if)#exit

SW3Configuration–InterfaceconnectingSW2




10,20,30




SW3(config-if)#exit

ThenativeVLANmismatchlogmessagesshouldstopasalltrunkinterfacesarenowusingnativeVLANID99.

4. Usetheshowinterfacestrunkcommandoneachswitchto

verifythateachtrunkhasthesameallowedlistofVLANsandnativeVLANsasthefollowing:


Figure5.16–Verifyingthetrunkinterfaces

Ensurethattheswitchporttrunkallowedvlancommandcontains

alltheVLANsthatarerequiredtoallowinter-switchconnectivity.IfVLANtrafficisnotabletogoacrosstootherswitches,checkthefollowing:

CheckwhethertheVLANhasbeencreatedonallswitchesusingtheshowvlanbriefcommand.

CheckwhethertheVLANisallowedonthetrunkinterfacesonallswitchesusingtheshowinterfacestrunkcommand.

Checktheadministrativeandoperationalstatusofinterfacesusingtheshowinterfacesinterface-IDswitchportcommand.

Checkthephysicalconnectionsbetweendevicesonthetopology.


Additionally,usetheshowrunning-configcommandtocheckthe

configurationsappliedtoeachinterface,asshown:

Figure5.17–Configurationsontrunkinterfaces

Tocompletethelab,usethefollowingIPconfigurationsforeachPConthetopology:


Figure5.18–IPaddressingschemeforPCsonthetopology

Onceyou'refinishedassigningtheIPaddresses,opentheCommandPromptoneachPCandattempttotestconnectivitytoanotherdeviceonthesameVLAN.

ThefollowingshowsPC1hasconnectivitytoPC4:


Figure5.19–PingresultsbetweenPC1andPC4

Ifyourecall,youcanonlycommunicatewithdevicesonthesameVLANasyourdevice;therefore,PC1willnotbeabletoreachdevicesonVLAN20and30.ToenabletwoormoreVLANstoexchangemessages,wewillneedthehelpofarouter.Inthenextsection,youwilllearnhowtoconfiguretheCiscoIOSroutertoperforminter-VLANrouting.

Lab–configuringinter-VLANroutingToperforminter-VLANroutingbetweenVLANs,wesimplyneedonerouterandonlyoneofitsinterfaces;thisphysicallayoutisknownasrouter-on-a-stick:




SW3(config-if)#exit

Forthistrunkconfigurationontheswitch,youarenotrequiredtouseeithertheswitchporttrunkallowedvlanorswitchport

trunknativevlancommandsontheinterface.Usingonlythe

switchportmodetrunkcommandwillallowallVLANsonthe

interfacebydefault.

2. Createasub-interfaceontheroutertocarrytraffictoandfromVLAN10:




255.255.255.0

R1(config-subif)#exit





255.255.255.0

R1(config-subif)#exit



Figure5.21–ConnectivitybetweenPC1andPC2

Additionally,wecanperformatraceroutebetweenPC1andPC2toseethepaththatthepacketisusing:

Figure5.22–TraceroutebetweenPC1andPC2

Asyoucansee,PC1sendsitspackettoitsdefaultgateway,10.0.0.1,which

isasub-interface–GigabitEthernet0/1.10–ontherouter.Then,the

routerforwardsthepackettotheintendeddestination,PC2–172.16.0.10.


Lastly,usethefollowingpointsasguidelinesfortroubleshootingbothVLANsandtrunkinterfaces:

ChecktheIPaddressingonalldevices.

VerifytheVLANassignmentontheswitchports.

CheckfornativeVLANmismatch.

CheckforallowedVLANsonthetrunkinterface.

Checkfortrunkmodemismatch.

UsetheshowipinterfacebriefcommandtoverifytheIP

addressesoneachsub-interface.

Usetheshowinterfacetrunkcommandtoverifytheport,mode,

andallowedandnativeVLANs.

Usetheshowinterfaceinterface-IDswitchport

commandtochecktheadministrativeandoperatingmodeofaninterface.

Usetheshowinterfacesub-interface-IDcommandonthe

routertoverifytheencapsulationmodeandVLANIDonthesub-interface.

Usetheshowrunning-configcommandtoverifyconfigurations

appliedtointerfaces.

Havingcompletedthissection,you'velearnedallaboutVLANs,trunking,inter-VLANrouting,andmuchmore.Inthenextsection,wewilllearnhowtodiscoverconnecteddevicesusingvariouslayer2discoveryprotocols.


Layer2DiscoveryProtocolsInthissection,wewilldiscusstwopopularlayer2protocolsthathelpusasnetworkingprofessionalstomapanetworktopologywithoutseeinganetworkdiagram.Attheendofthistopic,you'llbeabletodeterminetheroles,localinterfaces,modelnumbers,andevenIPaddressesofdirectlyconnectedneighbordeviceswhilehavingaclearideaoftheactualnetworktopology.

ThefollowingexercisesareexecutedinourexistingVLANtopologylab.

CiscoDiscoveryProtocol(CDP)CDPisaCiscoproprietaryprotocolthatoperatesatlayer2,thedatalinklayer.CDPisusedtoassistCiscodevicestolearnabouttheirdirectlyconnectedneighbors,suchasotherswitchesandrouters.CDPisenabledbydefaultonCiscoswitchesandrouters.

Importantnote

Devicesexchangeadvertisements(messages)usingamulticastaddress,01:00:0C:CC:CC:CC.

ACDPmessagecontainsthefollowing:

TheIOSversion

Thedevicemodelandtype

Connectedinterfacesforbothlocalandremotedevices


Hostnames

Thishelpsotherdevicesonthenetworktohaveanideaofwhattypeofdevicestheyaredirectlyconnectedto.

ToenableCDPgloballyonaCiscoIOSswitch,usethefollowingcommand:

SW1(config)#cdprun

ToturnoffCDPgloballyontheentireswitch,simplyexecutethenocdprun

commandinglobalconfigurationmode.

Additionally,CDPcanbeenabledonanindividualinterfaceusingthefollowingcommands:

SW1(config)#interfacefastEthernet0/1

SW1(config-if)#cdpenable

SinceCDPmessagescontainimportantandidentifiableinformationregardingdevicesonanetwork,thisisasecurityissue.IfamalicioususerisabletocapturethoseCDPmessages,they'llbeabletodeterminethevariousrolesandfunctionsofnetworkcomponents.Therefore,itisrecommendedtodisableCDPmessagesfromexistinginterfacesthatareconnectedtotheenddevice.CDPmessagesshouldonlybeexchangedbetweenswitchesandroutersthatareauthorizedonthenetwork.

Usingtheshowcdpneighborscommandwillprovideyouwiththe

characteristicsandrolesofdirectlyconnecteddevices.ThefollowingsnippetshowsvariousdevicesconnectedtoSW3:


Figure5.23–CDPneighbors

Theprecedingsnippetshowsusafewswitchesandroutersthatareconnected,theirfunctions,platformormodelnumber,andthelocalandremoteportsthatarebeingused.SuchinformationisusefulwhenyouareremotelyaccessingadeviceviaIPaddressandarenottoosureaboutthenetworktopology.Additionally,thisinformationhelpsyoumapanetworkwithoutseeinganetworkdiagram.

Usingtheshowcdpneighborsdetailcommandprovidesyouwith

moreinformationaboutdirectlyconnecteddevicesandtheirIPaddresses,asshowninthefollowingsnippet:


Figure5.24–CDPprovidestheIPaddressoftheconnecteddevice

ThefollowingareadditionalcharacteristicsofCDP:

CDPmessagesaresentevery60seconds.

Thedefaulthold-downtimeris180seconds.IfaCDPmessageisnot

receivedwithinthistime,theneighbordeviceisremovedfromtheCDPcache/database.

Theshowcdpinterfaceinterface-IDcommandisusedto

determinetheCDPtimersonaninterface.


ThechallengethatnetworkprofessionalsfacewhenusingCDP,isthefactthatitonlyworksonCiscodevices.Inalotofenterprisenetworks,wegetamixofvendorequipmentandthisisamajorshortcomingofCDP.Inthenextsection,wewilltakealookatusinganindustrystandardtohelpusdiscovernetworkdevices:LLDP.

Link-LayerDiscoveryProtocol(LLDP)LLDPisanotherdiscoveryprotocolthatoperatesoverlayer2.LLDPissupportedonbothCiscoandnon-Ciscodevices,thussurpassingtheshortcomingsofbeingaproprietaryprotocolasisthecasewithCDP.Forthisreason,LLDPisthestandardusedfordiscoveryprotocolsonenterprisenetworks.

Importantnote

LLDPisdefinedbyIEEE802.1AB,whichmakesitinter-operableonother

vendordevices.LLDPisnotturnedonbydefaultonCiscodevices.

ToconfigureLLDPonaCiscoIOSdevice,usethefollowingsteps:

1. ToturnonLLDPglobally,executethelldpruncommandinglobal

configurationmode,asshown:

SW1>enable

SW1#configureterminal

SW1(config)#lldprun

2. ConfiguretheinterfacesyouwanttousewithLLDP:



SW1(config-if)#lldpreceive

SW1(config-if)#lldptransmit

3. ToverifytheLLDPstatusonadevice,usetheshowlldpcommand,as

shown:

Figure5.25–LLDPstatusoutput

4. Toviewallconnecteddevices,usetheshowlldpneighbors

command:

Figure5.26–LLDPconnectedneighbors

5. TogetfurtherdetailsandtheIPaddressesofconnectedLLDPneighbors,usetheshowlldpneighborsdetailcommand,asshown:


Figure5.27–LLDPneighborwithIPaddress

GatheringtheinformationfromeithertheCDPorLLDPoutput,youarenowabletobuildanup-to-datenetworkdiagrameasily.Inthenextsection,we'lllearnhowtocombinemultiplephysicalinterfacesonaswitchtooperateasasinglelogicalinterface,anEtherChannel.

UnderstandingandconfiguringEtherChannelsLet'simagineyouareconnectingtwoswitchesusingtheirGigabitEthernet


interfaces;yourobjectiveistocombinethebandwidthofthetwophysicalinterfacestogetatotalof2GB/sbetweentheswitches.Makingthephysicalconnectionsbetweenbothswitchesdoesnotsimplycombinethebandwidthautomatically.Thefollowingdiagramshowsavisualrepresentationoftheconnection:

Figure5.28–Twoswitchesconnectedtogether

Whyisonelinkblockedbetweentheswitches?Bydefault,Ciscoswitcheshavealayer2looppreventionprotocolknownasSpanning-TreeProtocol(STP).Therefore,physicallyinterconnectingswitches,asshowninthepreviousdiagram,willcauseSTPtoautomaticallyblockoneoftheinterfaces.

ThisiswhereEtherChannelscomeintosaveusoncemore.AnEtherChannelallowsustocombinemultiplephysicalportsonaswitchtocreateasinglelogicalinterface.Therefore,theEtherChannelwillcarrythetotalbandwidthofallthephysicalportscombined.

Importantnote

IntheCiscoworld,physicallinkaggregationisknownasEtherChannel.Withothervendors,thistechnologyisknownasLinkAggregationGroup(LAG).


EtherChannelprovidesthefollowingbenefitsinanenterprisenetwork:

Ratherthanconfiguringindividualinterfaces,theconfigurationscanbedonedirectlyontheEtherChannelinterface,ratherthanthephysicalports.

ImplementingEtherChannelsonanetworkcanassistwithloadbalancingandthelinkaggregationoftrafficbetweenswitches.

EtherChannelsusetheexistingphysicalinterfacesonaswitch;therefore,youdonotneedtoinstalladditionalmodules.

ThefollowingcriteriaarerequiredwhencreatinganEtherChannelbetweenswitches:

Theinterfacetypemustmatchbetweenswitches.IfswitchAisusingGigabitEthernetinterfaces,thenswitchBmustusethesame.

Usethesamenumberofphysicalinterfacesonbothdevices.IfswitchAisusing4physicalinterfaces,thenswitchBmustuse4physicalinterfaces

aswell.

BothduplexandspeedmustmatchonallphysicalinterfacesthatarebeingusedtocreatetheEtherChannel.

TheVLANsandnativeVLANsmustmatchontheinterfaces.

Toputitsimply,everythingmustmatchinordertocreatetheEtherChannel.

ThefollowingdiagramshowstheresultwhentwoswitchesattempttoformanEtherChannelwhenallconfigurationsmatch:


Figure5.29–EtherChannel

However,ifthereareanyconfigurationsoffoneitheroftheswitches,theEtherchannelwillnotbeformed.ThefollowingdiagramshowsamisconfigurationononedevicethatpreventstheformationoftheEtherChannel:


Figure5.30–MisconfigurationpreventingtheformationoftheEtherChannel

OnCiscoIOSdevices,therearetwolayer2protocolsthatallowustoformanEtherChannel:

PortAggregationProtocol(PAGP)

LinkAggregationControlProtocol(LACP)

PAGPisaCiscoproprietaryprotocolthatisusedtoformanEtherChannel.PAGPusesthefollowingmodestohelptwoswitchesnegotiatewhethertoformanEtherChannel:

On:SetstheinterfacetobecomeanEtherChannelwithoutnegotiating

Desirable:ActivelyseekswhethertheotherdevicewantstoformanEtherChannel

Auto:PassivelywaitsfortheotherdevicetonegotiateincreatinganEtherChannel

WhenusingPAGP,anEtherChannelwillonlybeformedwhenusingthefollowingconditions:


Figure5.31–PAGPconditions

LACP,ontheotherhand,isanopensourceprotocoldefinedbyIEEE

802.3adthatallowsanyvendorofswitchestoformEtherChannels.LACPhas

becomethestandardwhencreatingEtherChannels.LACPhasthefollowingmodes:

On:SetstheinterfacetobecomeanEtherChannelwithoutnegotiating

Active:ActivelyseekswhethertheotherdevicewantstoformanEtherChannel

Passive:PassivelywaitsfortheotherdevicetonegotiateincreatinganEtherChannel

WhenusingLACP,anEtherChannelwillonlybeformedwhenusingthefollowingconditions:


Figure5.32–LACPconditions

NowthatyouhaveanideaofthepurposeandfunctionalityofanEtherChannel,let'sgainsomehands-onexperienceofusingLACPtocreateanEtherChannel.

Lab–implementingEtherChannelsTogetstarted,we'llbeusingtheCiscoPacketTracerapplication,whichallowsustosimulateaCiscoenvironment.Withintheapplication,designthefollowingnetworktopologyusingCisco2960switches.Makesureyou'reusingcrossovercablesbetweentheswitches:


Figure5.33–EtherChannellabtopology

TocreateanEtherChannel,usethefollowinginstructions:

1. OnSW1andSW2,administrativelyshutdownthephysicalinterfacesthatyouareplanningtousetoformtheEtherChannel.InSW1andSW2,applytheshutdowncommandonbothinterfaces:Gi0/1andGi0/2.This

willpreventanylayer2loopsfromforming,meaningtheinterfacesgointoanerr-disablestate.

Importantnote

Torestoreaninterfacefromerr-disabledtoconnected,firstlyyou

mustadministrativelyshutdowntheinterfaceusingtheshutdown

command,waitforafewseconds,thenapplythenoshutdown

commandtorestoretheaffectedinterfaces.

2. OnSW1,usethefollowingcommandstoactivateLACPonboththeGi0/1andGi0/2interfaces:

SW1(config)#interfacerangeGigabitEthernet0/1

-GigabitEthernet0/2

SW1(config-if-range)#channel-group1modeactive

SW1(config-if-range)#noshutdown

SW1(config-if-range)#exit

3. OnSW1,accessthenewlycreatedchannel-group(EtherChannel)andconfigureitonthetrunk:


SW1(config)#interfaceport-channel1


SW1(config-if)#exit

4. OnSW2,usethefollowingcommandstoactivateLACPonboththeGi0/1andGi0/2interfaces:


-GigabitEthernet0/2

SW2(config-if-range)#channel-group1modeactive



5. OnSW2,accessthenewlycreatedchannel-group(EtherChannel)andconfigureittothetrunk:

SW2(config)#interfaceport-channel1


SW2(config-if)#exit

6. ToverifyEtherChannelsonyourdevices,usetheshow

etherchannelsummarycommand,asshown:


Figure5.34–Theshowetherchannelsummaryoutput

Theoutputshowsthatthere'soneEtherChannelonSW1usingLACP.Additionally,thecodesontheport-channeltellusthatbothGi0/1andGi0/2arelayer2port-channelsinuse.

7. Lastly,usingtheshowetherchannelport-channelcommand

providesuswithmoredetailsabouttheEtherChannelsontheswitch:


Figure5.35–Theshowetherchannelport-channeloutput

Inthissection,youhavegainedtheskillstoimplementandtroubleshoot


EtherChanneltechnologiesinaCiscoenvironment.

SummaryInthischapter,youhavelearnedtheimportanceofsegmentinganetworkusingVLANstoimprovebothnetworkperformanceandsecurity.Youalsonowhavethehands-onexperiencetocreateandassignVLANs,configurebothaccessandtrunkports,andperforminter-VLANroutingonaCisconetwork.YouhavegainedtheskillsneededtoimplementandperformnetworkdiscoveryusingtheLLDPlayer2protocol.Lastly,youhavegainedtheknowledgeandhands-onexperienceofmergingphysicalinterfacesintoasinglelogicalinterfaceknownasanEtherChannel.

IhopethischapterhasbeeninformativeandhelpsyouinyourjourneytowardimplementingandadministratingCiscosolutionsandpreparingfortheCCNA200-301certification.Inthenextchapter,Chapter6,UnderstandingandConfiguringSpanning-Tree,youwilllearnhowtosegmentyournetworktoimproveperformanceandsecurityandimplementlinkaggregationtechnologiesanddiscoveryprotocols.

QuestionsThefollowingisashortlistofreviewquestionstoreinforceyourlearningandhelpyouidentifytheareasyouneedtorevisit:

1. WhichVLANsarenotusableonaCiscoIOSswitch?

A.945


B.1002

C.1001

D.1

2. WhencreatingVLANs,wheredoestheswitchstoretheVLANs?

A.running-config

B.startup-config

C.vlan.bin

D.vlan.dat

3. WhichmodeallowsaswitchinterfacetocarrymultipleVLANs?

A.Access

B.Up

C.Trunk

D.Administrativelyup

4. Whichstandarddefinestaggedtraffic?

A.IEEE802.1Q

B.IEEE802.3ab

C.IEEE802.1X


D.IEEE802.11

5. WhichcommanddisablesDTPonaninterface?

A.switchporttrunkencapulationdot1q

B.switchportnonegotiate

C.switchportaccessnovlan

D.switchportnodtp

6. Whichportstateswillcreateatrunk?

A.SwitchA–DynamicAutoandSwitchB–DynamicAuto

B.SwitchA–DynamicAutoandSwitchB–DynamicDesirable

C.SwitchA–DynamicAutoandSwitchB–Access

D.SwitchA–AccessandSwitchB–DynamicTrunk

7. Whenconfiguringasub-interface,whichcommandneedstobeexecutedbeforeassigninganIPaddress?

A.switchporttrafficencapsulationdot1Q

B.switchporttrunkdot1Q10

C.encapsulationtrunkdot1Q

D.encapsulationdot1Q10


8. Whichlayer2discoveryprotocolisabletoworkonallvendordevices?

A.CDP

B.ISL

C.LLDP

D.DSL

9. WhatisanothernameforEtherChannels?

A.LAG

B.LACP

C.PAGP

D.Port-channel

10. WhichLACPmodeactivelyseekstodeterminewhethertheotherdevicewantstoformanEtherChannel?

A.On

B.Desirable

C.Auto

D.Active

Furtherreading


Thefollowinglinksarerecommendedforadditionalreading:

ConfiguringEtherChannels:https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swethchl.html

Configuringaccessandtrunkinterfaces:https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/AccessTrunk.html

Configuringinter-VLANrouting:https://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.html

ConfiguringLLDP:https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/46sg/configuration/guide/Wrapper-46SG/swlldp.html


https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swethchl.html

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/AccessTrunk.html

https://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.html

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/46sg/configuration/guide/Wrapper-46SG/swlldp.html

Chapter6:UnderstandingandConfiguringSpanning-TreeWhenextendingyourLayer2networkandensuringalldevicesareconnected,itisimportanttoimplementphysicalredundancy.Thisistoensurethattherearemultiplepathsavailableintheeventwhereanetworkswitchorlinkgoesdown.Inthischapter,youwilllearnhowredundancycancreateabroadcaststormanddeterioratenetworkstability.You'llalsolearnhowtoconfigureLayer2looppreventionprotocolstoensurethattherearenoloopsonyourswitchnetwork.


WhatisSpanning-TreeProtocol?

Spanning-Treestandards

Portrolesandstates

Determiningtherootbridge

ConfiguringandtroubleshootingSpanning-TreeProtocollabs

TechnicalrequirementsTofollowalongwiththeexercisesinthischapter,pleaseensurethatyouhavemetthefollowingsoftwarerequirement:

CiscoPacketTracer:https://www.netacad.com.



Thecodefilesforthischaptercanbefoundathttps://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2006.

CheckoutthefollowingvideotoseetheCodeinAction:https://bit.ly/2RQY8uS

WhatisSpanning-TreeProtocol?OneofthemajortopicsintheCCNAcertificationisunderstandinghowtheSpanning-TreeProtocol(STP)worksonaLayer2switchnetwork.Innetworksofallsizes,fromsmallbusinessestolargeenterprisesandmultiplebranchsites,therearemanyinterconnectedswitchesthatprovideconnectivitytoenddevices.InChapter1,IntroductiontoNetworking,wespokeabouttheCiscohierarchicalthree-tierdesign,whichcontainsthecore,distribution,andaccesslayers.

Torecap,thefollowingisadiagramshowingtheCiscothree-tierswitchmodel:



https://bit.ly/2RQY8uS

Figure6.1–Ciscothree-tiermodel

Ciscorecommendsthatthismodelshouldbeimplementedinanysizednetworkasitprovidesthefollowingbenefits:

Allowsscalability

AllowsEtherChannelsbetweendevices

Providesredundancy


Scalabilityallowsustosimplyaddmoreaccessswitchesandconnectthenewlyaddedswitchestothedistributionlayertosupportgrowth,asanorganizationmaybeexpandingitsphysicalinfrastructure.Additionally,asyoulearnedinthepreviouschapter,EtherChannelsplayavitalroleinournetworksastheyareusedtocombinephysicalinterfacesintoasinglelogicalinterfaceandthereforecarrymorebandwidthbetweenswitches.Lastly,redundancyisveryimportantonanetworkofanysize.Withoutredundancy,shouldaswitchorlinkgodown,anareaofthenetworkwillbeunavailablewithoutanyalternativepaths.

Let'sfocusalittlemoreonhowredundancyisbothagoodandbadthinginanetwork.It'sabitlikeadouble-edgedsword,whereonesideisusedtoattackanenemywhiletheothersidecanhurtyou.Weallknowthatredundancyisfundamentallyaverygoodthingonanetwork,buthowcanredundancybeabadthinginanetworkenvironment?Togetabetterunderstandingofhowredundancycancrippleanetwork,takealookatthefollowingdiagram:


Figure6.2–Layer2loops

IfPC1sendsabroadcastmessageonthenetwork,thefollowingistheeffectwithoutspanning-tree:

1. PC1sendsabroadcastmessagewithadestinationMACaddressofFF-

FF-FF-FF-FF-FFtoSW1.

2. SW1willseethatthedestinationMACaddressoftheframeisabroadcast,andforwarditoutofallotherports.ThismeansthemessageissenttoSW2,SW3,andPC2.WhenPC2receivesthemessage,itwillprocessit.


3. WhenSW2receivesthebroadcastfromSW1,itwillforwardittoSW3.Additionally,SW3willreceivethebroadcastfromSW1andforwardittoSW2.

4. WhenSW2receivesthebroadcastfromSW3,itwillforwardittoSW1.Furthermore,whenSW3receivesthebroadcastfromSW2,itwillalsoforwardittoSW1.

5. Thiscreatesanever-endingLayer2looponthenetworkwherethebroadcastmessagesarebeingregeneratedconstantly.

TheoveralleffectofPC1generatingasinglebroadcastmessagewillresultinnever-endingregeneratingbroadcastmessagesbetweentheswitchesthatarecontinuouslybeingcreatedandloopingbetweendevices.Thiswillcauseabroadcaststormonthenetwork,andthereforewilleventuallycrippletheLayer2networkinfrastructure.

STPisaLayer2looppreventionprotocolthatisdefinedbyIEEE802.1D.

STPisautomaticallycreatedbyonelogicalactivepathbetweenalldevicesonaLayer2networkwhilelogicallyblockingaredundancypathtopreventloopsfromoccurringonthenetwork.

Thefollowingdiagramshowsspanning-treeblockingaredundantpathtoensuretherearenoloops:


Figure6.3–Redundantpathblocked

Intheprecedingdiagram,ifPC1sendsabroadcastmessage,STPhasalreadyplaceditsblockingmechanismtopreventtheregenerationofthebroadcastmessagefrompropagatingacrossthenetwork.EachswitchwillautomaticallysendBridgeProtocolDataUnits(BPDUs)every2seconds;theseBPDUshelpSTPtodetermineredundantpaths.

Iftheactivepathgoesdown,whatwillSTPdo?Spanning-treewillautomaticallydetectthefailureonthenetworkwithinafewsecondsandautomaticallyconvertalogicallyblockedpathintoanactivestatetoallowdevicestoreacheachotherwhileensuringtherearenoloops.


BridgeProtocolDataUnitHowdoesSpanning-Treeknowwhenapathisdown?Bydefault,spanning-treeisenabledandevery2seconds,eachCiscoswitchexchangesaspecialframeknownasaBPDU.

ThefollowingdiagramshowsagraphicalrepresentationofaBPDUframe:

Figure6.4–BPDUframe

ThefollowingpointsoutlinethecompositionofeachBPDUframesentbyaCiscoIOSswitch:

BridgeID:Eachswitchcontainsapriorityvaluethatisusedtoelectarootbridge.ThedefaultbridgeIDonallCiscoswitchesissetto32768.

Thisvaluecanbemodifiedtoincrementsof4096andsupportsarange

from0to61440.Thebenefitofadjustingtheprioritymeansthatthe

lowerthevalue,themorelikelytheswitchistobeelectedastherootbridgeonthenetwork.

ExtendedsystemID:ThisvalueisthesameastheVLANIDforthespanning-treeinstance.OnaCiscoIOSswitch,thereisaseparate


spanning-treeinstanceforeachVLANexistingonthedevice.ThismeansiftherearesixVLANsonthenetwork,thentherearesixinstancesofspanning-tree.

MACaddress:EachswitchhasitsownuniqueMACaddressthatitusesforcommunicationwithotherdevicesonthenetwork.ToviewtheMACaddressofaswitch,usetheshowversioncommand,asshown:

Figure6.5–MACaddressofaCiscoIOSswitch

TheinformationcontainedwiththeBPDUmessagehelpstheswitchestodetermine(elect)arootbridgeonthenetwork.Nowthatyou'velearnedthefundamentalsofspanning-tree,let'stakeadeeperdiveintolearninghowspanning-treemakesitschoicesonanetworkinthefollowingsection.

Rootbridgeandsecondaryrootbridge


Inmanyorganizations,therearemanagersforalmostalltypesofemployees.Thepurposeofthemanageristoguideandsupporttheemployeesintheirdailyduties.Theorganizationusuallyhiresamanagertoensuretheirdepartmentisabletomeetthebusinessobjectivesandgoalsonadailybasis.

Similarly,onanetwork,aspecialswitchhastobeelectedtoinformallotherswitcheswhichpathstoleaveasactivetoensurethereisonlyonelogicalpathbetweenanydevicesonthenetwork,whileallotherpathsarelogicallyblockedtopreventanyLayer2loops.Thisspecialswitchisknownastherootbridge.

Therootbridgeisdeterminedbytheswitchwiththelowestpriorityonthenetwork.AllCiscoIOSswitcheshaveadefaultpriorityof32768.Inthe

situationwhereallswitcheshavethesamepriorityvalue,thentheswitchwiththelowestMACaddressiselectedastherootbridgeonthenetwork.Oncetherootbridgehasbeenelected,allotherswitchesonthenetworkwillnowpointtowardtherootbridge,asitservesasthecentralreferencepointforalltraffic.

Usingtheshowspanning-treecommand,wecanviewtheSTPdetails

andoperationsonaswitch:


Figure6.6–Spanning-treeoperation

Oneachswitch,youwillalwaysseeboththerootbridgeinformation,asseenintheuppersectionoftheprecedingscreenshot,andthelocalswitch'sinformation,whichisshownintheBridgeIDsectioninthemiddleportionofthescreenshot.EachswitchonthenetworkwillalwayspointtowardtherootbridgeandhavetherootIDdetailsintheirspanning-treeinstancefortheVLAN.


Fromtheprecedingsnippet,wecandeterminethefollowingabouttherootbridge:

Thespanning-treeinstanceisforVLAN1.

Thisswitchisrunningthedefaultspanning-treemode,Per-VLANSpanning-Tree+(PVST+).Thisisindicatedbytheieeeprotocol.

TherootIDfortherootbridgeis4097.

TherootbridgeMACaddressis00D0.FFA3.AC10.

Thecostis19,thereforethelocalswitchisusingaFastEthernetinterface

astherootport.

Importantnote

EachtypeofinterfaceonaCiscoIOSswitchhasacostvalueassociatedwithit.AnEthernetinterfacesupportsaspeedof10Mbps=100,

FastEthernetinterfacesare100Mbps=19,GigabitEthernetinterfaces

are1Gbps=4,and10GigabitEthernetinterfacesare10Gbps=2.

TheHelloTimeris2seconds(default).

Additionally,wecandeterminethefollowingaboutthelocalswitch(D2):

ThePriorityvalueofD2is32768(defaultvalue).

TheextendedsystemID(VLAN)is1.

BridgeID=Priority+Ext.Sys.ID=32768+1=32769.Keepin


mindthatthebridgeIDisnotthepriorityvalueonly.

TheMACaddressofD2is0001.9671.BEDE.

Spanning-treealsousesthesumofthecostbetweenalocalswitchandtherootbridgeinchoosingtheclosestpath.

Spanning-treewillautomaticallyelectaswitchtotherootbridge,whichisnotagoodthing.Inabadsituation,spanning-treewillelecttheoldestswitchonthenetworkandthisswitchmaybeontheaccesslayerwheretherearenoredundancypowersupplies.Sinceaccesslayerswitchesareusedtoconnectenddevicestothenetwork,thesecanberegularlymoved(disconnected).Therefore,it'srecommendedthataswitchinthecorelayerbeconfiguredastherootbridge.

Onemajorconcernisiftherootbridgegoesdown,spanning-treewillautomaticallyelectanotherswitchtotakeuptheroleofbeingthenewrootbridgeonthenetwork.Asanetworkprofessional,it'snotrecommendedtoallowtheauto-electionprocesstoselectarootbridgeforus,butratherwemanuallyconfigureaspecificswitchtobethesecondaryrootbridgeintheeventthattheprimaryrootbridgegoesoffline.

Asecondaryrootbridgecanbecreatedbysimplyassigningapriorityvaluehigherthantherootbridge.Thepriorityvaluecanonlybeinincrementsof4096.Iftherootbridgefails,thesecondaryrootbridgewillstepinandtakethe

roleasthenewrootbridgeonthenetwork.

Additionally,iftherearemultipleVLANsonthenetwork,theremustbearootbridgeforeachVLAN.Attimes,youmaythinkit'swisethatonecoreswitchistherootbridgeforalltheVLANs,butinreality,itshouldnot.IfasinglecoreswitchistherootbridgeforallVLANs,that'sextraloadandresourcesthatthe


coreswitchhastoexertinperformance.Whatifweload-balancetheVLANsbetweenmultiplecoreswitches?

ThefollowingdiagramshowstwocoreswitchesloadbalancingtherootbridgefunctionbetweenmultipleVLANsonanetwork:

Figure6.7–Spanning-treeloadbalancing

ShouldcoreSW1godown,SW2willtaketheroleoftherootbridgeforVLAN10,20,and30inadditiontoVLAN40,50,and60,andviceversaifSW2goesdownaswell.

Spanning-treestandardsTheSTPisanopensourceLayer2looppreventionmechanismthatisenabledonswitchesbydefault.STPisdefinedbyIEEE802.1D.However,Ciscodoes

notimplementtheIEEE802.1Dversionofspanning-treeontheirdevices.


PortrolesandstatesInthissection,youwilllearnaboutthevariousportrolesandstatesinvolvedwhenaninterfacetransitionsintoforwardingorblockingtraffic.

Thefollowingaretheportrolesusedinspanning-tree:

Rootports:Thesearetheportsthatareclosesttotherootbridge.Ifyourecall,eachswitchalwayspointstowardtherootbridgeattheendoftheelectionprocess.Thismeansthateachswitchhasarootportthatpointsbacktotherootbridgeonthenetwork.Rootportsareneverontherootbridgeitself.

Designatedports:Thesearewhatareknownasnon-rootports,whicharestillalwaysabletoforwardtrafficbetweendevicesonthenetwork.

Alternateorbackupports:TheseareinterfacesthatareinalogicallyblockedstatethatiscausedbytheSTPtopreventanyLayer2loopsonredundantpaths.

ToviewtheportrolesandstateofeachinterfaceonaCiscoIOSswitch,usetheshowspanning-treecommand.Thefollowingsnippetshowsboththe

rolesandstatesofeachinterface:


Figure6.8–Ports'rolesandstates

Whenaswitchbootsup,itsinterfacesdonotgodirectlytoaforwardingstatetoallowtraffictoflowimmediately,butgothroughafewphases.Thefollowingistheorderinwhichaninterfacetransitionsfromthetimeaswitchbootsup:

1. Blocking:Inthisstate,userdataisnotpassedontothenetwork;

however,BPDUsarestillreceivedontheport.

2. Listening:ThisstateprocessesBPDUsbutneitherforwardsuserdata

norframesontothenetwork.

3. Learning:ThisstateprocessesBPDUsandlearnstheMACaddresses

butdoesnotforwardframes.

4. Forwarding:Thisisthenormaloperatingstateofaswitch'sinterface.

Itisabletosendandreceiveusers'dataandprocessBPDUs.


5. Disabled:Thisstateisadministrativelyshutdownbythedevice

administrator.

Nowthatyouhavelearnedaboutthevariousportrolesandstates,inthenextsub-section,youwilllearnhowtouseasystematicapproachtoidentifytherootbridgeandportrolesinanetworktopology.

DeterminingtherootbridgeandportrolesAnimportantskillforanyupcomingnetworkprofessionalistheabilitytolookataspanning-treetopologyandidentifytherootbridgeandalltheportroles.Inthissection,Iwillguideyouthroughtheprocessofhoweasilythiscanbedonebyusingtheinformationfromtheprevioussectionsandafewadditionalguidelines.

Thefollowingismypersonalruleofthumbtohelpidentifytherolesofeachportinspanning-tree:

1. Identifytherootbridge.

2. Identifytherootports.

3. Identifythedesignatedports.

4. Identifythealternateports.

Togetstarted,let'sstudythefollowingnetworktopologywithspanning-tree:


Figure6.9–Spanning-treetopology

Usingallyouhavelearnedsofar,includingtheguidelinesandthenetworktopology,let'sdeterminealltheportrolesandunderstandwhyeachporthasaspecificrole.Thefollowingstepsshowhowtodeterminewhatistakingplaceinthespanning-treetopology:


1. Firstly,identifytherootbridge.Fromthetopology,wecanseethatSW2hasthelowestbridgeIDandthereforewilltaketheroleoftherootbridgeinthenetwork.

2. Identifyalltherootportsonthenetwork.Rootportsarethosethatareclosesttotherootbridge.Fromthetopology,theSW1FastEthernet

0/1andSW4FastEthernet0/4interfacesareclosestanddirectly

connectedtotherootbridge.Therefore,thesearerootports.

3. DoesSW3haveanyrootports?Yes,itdoes.TherearetwopathsfromSW3totherootbridge.TheseareSW3toSW1andSW3toSW4.Thesepathsareofequalcost(interfacevalue).Therefore,weneedtotakealookatwhichdevicehasalowerbridgeIDbetweenSW1andSW4.Lookingclosely,wecanseethatbothadjacentswitches,SW1andSW4,havethesamebridgeIDvalue.Therefore,theswitchwiththelowestMACaddressbreaksthetieondeterminingthepreferredpath.ThismeansthepreferredpathfromSW3totherootbridgeisviaSW1.Therefore,SW3FastEthernet0/2willalsobearootport.

4. Nowthatwehavelabeledallourrootports,let'sassigndesignatedports.Allportsontherootbridgearealwaysdesignationports.

5. SincethepreferredpathfromSW3totherootbridgeisviaSW1,FastEthernet0/2onSW1willalsobedesignatedport.

6. Lastly,oneoftheinterfacesbetweenSW3andSW4hastobeanalternateporttopreventaLayer2looponthenetwork.Thequestionishowtodeterminewhichinterfaceshouldbeanalternateportandwhichshouldbeadesignatedport.Tohelpus,let'stakealookattheirbridgeIDs.Since


SW3hasthesamebridgeIDbutadifferentMACaddressthanSW4,SW3FastEthernet0/3willbeadesignatedportandSW4

FastEthernet0/3willbethealternateport.

Thefollowingdiagramshowsthecompleteportlabelsofeachswitchinournetworktopology:


Figure6.10–Portlabels

Youmaybewondering,sinceSW3FastEthernet0/3isadesignatedport

(theForwardingstate)andSW4FastEthernet0/3isanalternateport

(theBlockingstate),howdoesSW3forwardtraffictoSW4andviceversa?

EachswitchwillonlyforwardtrafficusingtheavailablepathcreatedbySTP.SW3willtakethepathtoSW1–SW2–SW4andSW4willusethereversepathtosendtrafficbacktoSW3.

Identifyingandunderstandinghowspanning-treeworksisimportantinnetworksasitalsohasanimportantparttoplayinyourCCNAexamination.Havingcompletedthissection,youhavegainedtheskillstoidentifytherolesandfunctionsofeachportinaspanning-treetopology.Inthenextsection,youwilllearnaboutCisco'sproprietaryimplementationofspanning-tree,PVST+.

PVST+CiscohastakentheopensourceIEEE802.1Dstandardandhascreatedtheir

improvedproprietaryversionknownasPVST+,whichisenabledonallCiscoIOSswitchesbydefault.UnlikeSTP(IEEE802.1D),CiscoPVST+createsa

uniqueinstanceforeachVLANexistingonthenetwork,hencethenamePerVLANSpanningTree+.

BothSTPandPVST+havethefollowingportstates:

Blocking:Duringthisstate,theinterfacedoesnotforwardframesor

learnaboutMACaddresses.ItsimplysendsandreceivesBPDUs.

Listening:TheinterfacelistensforBPDUstodeterminethepathto


therootbridgeandsendBPDUs.ItdoesnotforwarddataframesorlearnMACaddresses.

Learning:MACaddressesarelearnedandpopulatetheContent

AddressableMemory(CAM)table.

Forwarding:TheinterfacecontinuestosendandreceiveBPDUsand

learnMACaddresses.Theinterfacebeginstoforwarddataframestootherdevicesonthenetwork.

Disabled:Theinterfaceisadministrativelydown.

Importantnote

CiscoallowsitsPVST+tointer-operatewithothervendersthatarerunningtheIEEE802.1DSTP.

NetworksthatarerunningSTPandPVST+usuallytakearound30–50seconds

toconvergeandallowtraffictoflowonthenetwork.Sometimes,afterdevicesarebootedupfromapoweroutageormodificationsarebeingmadeonthenetwork,50secondsmaybealotoftimetogettrafficflowing.

Importantnote

MultipleSpanning-TreeProtocol(MSTP),definedbyIEEE802.1s,isan

opensourceprotocolthatisdesignedtouseasingleinstanceofspanning-treetomanagealltheVLANsonanetwork.

Inthenextsection,youwilllearnhowtousetheCommand-LineInterface(CLI)tofindtherootbridgeandidentifyvariousportrolesandstatesonaCisco


environment.

Lab–discoveringtherootbridgeIt'stimetogetourhandsonsomepracticalexperienceandlearnhowtodiscovertherootbridgeonaCiscoswitchnetwork.Togetstarted,we'llbeusingtheCiscoPacketTracerapplication,whichallowsustosimulateaCiscoenvironment.Withintheapplication,pleasedesignthefollowingnetworktopology:


Figure6.11–DiscoveringtherootbridgeonaCisconetwork

Pleaseensuretousethefollowingguidelinestomakesureyougetthesameresults:

Usethecrossovercabletointerconnectalltheswitches.


UseonlyFastEthernetinterfaceswhenattachingthecablestoeachdevice.TheinterfaceIDisnotneededasit'sasimplelab.

UsetheCisco2960switchesattheaccesslayer.

UsetheCisco3560switchesatboththedistributionandcorelayers.

Assignthehostnamestoeachdeviceasshowninthetopology.

DonotcreateanyEtherChannelsbetweenC1andC2inthecorelayer.

StartbyplacingtheaccesslayerswitchesontheCiscoPacketTracerinterface,thenthedistribution,andlastlythecoreswitches.Cablingshouldbeappliedinthesamesequenceaswell.Thisistocreateaspecificoutcome.

Oneofthefirsttasksyoumayhaveasanetworkprofessionalistodiscoverwhichswitchwithinyournetworkhastheroleofbeingtherootbridge.Toensureyoucansuccessfullyperformthistask,usethefollowinginstructions:

1. Inanenterprisenetwork,it'srecommendedthatthecoreswitchbecomestherootbridge,butthisisn'talwaystheexpectedresultinmanynetworks.Usetheshowspanning-treecommand,asshown,toverifythe

status:


Figure6.12–Spanning-TreestatusonC1

TheoutputshowstheSpanning-TreeinstanceforVLAN1.Here,weare

abletoseethatC1isrunningPVST+bydefaultashighlightedinthe

snippet.Additionally,youareabletoseetherootIDinformationabouttherootbridgeandC1'sBridgeIDinformation.NoticethattherootIDdetails

donotmatchthatofC1'sbridgeinformation.ThisindicatesthatC1isnot

therootbridge.Remember,therootportsarealwaysclosesttotherootbridge.NoticethatC1hasarootport,FastEthernet0/2.Wecan

usethisinformationtohelptofindtherootbridge.

2. Let'susetheshowcdpneighborscommandtoidentifythetypeof

devicethatisconnectedtoC1onitsFastEthernet0/2interface:


Figure6.13–DiscoveringconnecteddevicesonC1

Wecanseethatthere'sanotherswitch(3560model)connectedonC1's

FastEthernet0/2interface.WecannowlogontoD2andcheck

whetherit'stherootbridge.

Tip

Ifyoudonotgetthesameresultsareoutlinedinthislabexercise,that'sOK.Pleaseusethesameconceptsonidentifyingtherootbridgeandportstates.Usetheshowspanning-treeandshowcdpneighbors

commandstohelpyoutracethepathtotherootbridgeonyournetworktopology.

3. OnD2,let'sexecutetheshowspanning-treecommandtoverify

whetherit'stherootbridge:


Figure6.14–Spanning-TreestatusonD2

TheresultsindicatethatD2isn'ttherootbridgebutitalsohasarootport,

FastEthernet0/3,whichpointstotherootbridge.

4. Onceagain,let'susetheshowcdpneighborscommandtohelpus

identifywhatisconnectedtoD2'sFastEthernet0/3interface:


Figure6.15–DiscoveringconnecteddevicesonD2

Wecanseethatthere'sanotherswitch(2960model)connectedonD2's

FastEthernet0/3interface.WecannowlogontoA3andcheck

whetherit'stherootbridge.

5. OnA3,let'sexecutetheshowspanning-treecommandoncemore

toverifywhetherit'stherootbridge:


Figure6.16–Spanning-TreestatusonA3

Wehavehitapotofgoldherebyfindingtherootbridgeinourtopology.ThefirstthingthattellsuswehavefoundtherootbridgeisthesentencethatsaysThisbridgeistheroot.Ifyoucross-referenceeachshow

spanning-treeoutputfromallotherswitchesinthetopology,you'llsee

theyallhavetherootIDthatmatchesthatofA3'sbridgeIDdetails.

Importantnote

Furthermore,allportsontherootbridgealwayshavetheroleofbeingdesignatedportswiththeiroperatingstatusesasForwarding.

Throughoutthislabexercise,youhaveseenhoweachswitchonthetopologyhasbeenusingitsdefaultconfigurationswiththeexceptionofitshostname.


Eachswitchhasabridgepriorityof32768andanextendedsystemIDof1

(forVLAN1).

Thefollowingdiagramshowsthehighlightlinksbeingthosethataremadeactivebytherootbridge,whileothersarelogicallyblockedtopreventanyLayer2loopsonthenetwork:


Figure6.17–Activepaths

Additionally,ifyourecall,therootbridgeisthecentralreferencepointforalltrafficontheswitchnetwork.Aswehavediscovered,therootbridgeinournetworkisattheaccesslayer.Theaccesslayerswitchesarenotasrobustandresilientasthecoreswitchesinanetworkwiththeirredundantpowersuppliesandsupportforhot-swappablecomponents.Therefore,asanupcomingnetworkingprofessional,it'srecommendedtoconfigureoneofthecoreswitchesastherootbridge,asshowninthenextexercise.

Thelearningoutcomeofthisexercisewastoprovideyouwiththehands-onexperienceofdiscoveringtherootbridgeonanetworkusingoneofthemostimportantspanning-treecommands,theshowspanning-treecommand.

Theshowcdpneighborscommandhasalsobeenveryhelpfulinthe

process.Lastly,todemonstrateanenterpriseenvironmentthatisn'tconfiguredproperly,therootbridgemaynotalwaysbetheswitchweexpect.

Inthenextsection,youwilllearnaboutafasterconvergingversionofPVST+,Rapid-PVST+.

Rapid-PVST+There'samuchfasterversionofSTP,knownasRapidSTP(RSTP).ItisdefinedbyIEEE802.1wandhastheabilitytoconvergeanentirenetworkin

approximately2seconds,comparedtotheotherIEEE802.1Dstandard.Cisco

tooktheimprovedRSTP(IEEE802.1w)standardandmadeaproprietary

versionknownasRapid-PVST+.

ToenableRapid-PVST+onaCisconetwork,usethefollowingcommandin


globalconfigurationmodeonallCiscoIOSswitches:

spanning-treemoderapid-pvst

Rapid-PVST+supportsthefollowingportstates:

Discarding:ThisstateissimilartoBlocking.Itdoesnotforward

framesorlearnaboutMACaddresses.ItsimplysendsandreceivesBPDUs.

Learning:MACaddressesarelearnedandpopulatetheContent

AddressableMemory(CAM)table.

Forwarding:TheinterfacecontinuestosendandreceiveBPDUsand

learnMACaddresses.Theinterfacebeginstoforwarddataframestootherdevicesonthenetwork.

KeepinmindwhenusingRapid-PVST+thattherearenoBlockingand

ListeningstatessimplybecauseRSTPandRapid-PVST+donotneedto

havealisteningstatetolearnMACaddressesandpopulatetheCAMtable.

Importantnote

PortFast,BPDUguard,BPDUfilter,rootguard,andloopguardare

applicableinRapid-PVST+.

PortFastThisfeatureallowstheporttogodirectlyintoaForwardingstatewithout

havingtomovethroughtheLearningandListeningstates.PortFast


shouldbeconfiguredonedgeportsonly.

Importantnote

Edgeportsarethosethatarenotconnectedtoanotherswitch.

Edgeports(PortFast)shouldnotreceiveBPDUsontheirinterfaces.The

BPDUguardfeatureshouldbeusedwithPortFasttopreventBPDUsfrom

enteringanedgeport.IfaBPDUisreceivedonanedgeportwithBPDUguard

enabled,theportwillswitchintoanerr-disabledstate(logicallyshuts

down).

Importantnote

BPDUguardisalsoimplementedforsecurityreasons;itwillnotallowarogue

switchtoautomaticallyconnecttotheportwithBPDUGuardenableddueto

PortFast,whichwillcreateL2loopingissues.

Inthefollowinglab,youwilllearnhowtoefficientlyconfigureRapid-PVST+onaCisconetwork.

Lab–implementingRapid-PVST+onaCisconetworkHavingcompletedthepreviousexercise,thespanning-treeelectionprocesshasautomaticallyselectedanaccesslayer(A3)switchtobetherootbridge.To

configuretherootbridgeonourtopology,usethefollowinginstructions:


1. Bydefault,theCiscoIOSswitchisrunningPer-VLANSpanningTree+(PVST+).Let'sfirstconfigureRapid-PVST+toensureconvergenceonournetwork.Executethespanning-treemoderapid-pvst

commandinglobalconfigurationmodeonallswitchesonthenetwork.Thefollowingisademonstrationofoneofthecoreswitches:

C1(config)#spanning-treemoderapid-pvst

2. AfterenablingRapid-PVST+onallswitches,usetheshow

spanning-treecommandoneachdevicetoverifywhetherthenew

operatingstandardhasbeenchangedtoRapid-PVST+.ThefollowingsnippetshowshowtoidentifythatRapid-PVST+isenabled:

Figure6.18–Rapid-PVST+status

TheCiscoIOShasaveryunusualwayoftellingyouthatRapid-PVST+isrunning;ontheoutput,itsaysRSTP(RapidSpanningTreeProtocol),butinreality,itisactuallyRapid-PVST+thatisrunningonthedevice,asshownintheprecedingscreenshot,becauseCiscorunsonlyitsproprietary


versionofIEEE802.1w.

3. TomakeC1therootbridgeonthenetwork,wehavetoadjustitsbridge

prioritytobelowerthanalltheotherswitchesonthetopology.Thebridgepriorityrangesfrom0–61440inincrementsof4096.Wecanusethe

followingcommandtosetabridgepriorityof4096forVLAN1onour

C1switch:

C1(config)#spanning-treevlan1priority4096

4. Let'susetheshowspanning-treecommandtoverifythatC1isthe

rootbridgeonthenetwork:

Figure6.19–RootbridgestatusonC1


Asexpected,C1hasnowbecometherootbridgeforVLAN1onthe

networkandisrunningRapid-PVST+.

5. Additionally,wecancreateasecondaryrootbridgesuchthatintheeventC1goesoffline,thesecondaryrootbridgecantaketheroleofbeingthe

primaryrootbridgeforVLAN1.TosetC2asthesecondaryrootbridge,

usethefollowingcommand:

C2(config)#spanning-treevlan1priority8192

Tocreatethesecondaryrootbridge,ensurethatthepriorityvalueisoneincrementof4096higherthantheprimaryrootbridgepriorityvalue.

Importantnote

TheCiscoIOSwillnotallowyoutosetanyvaluethatisnotanincrementof4096.

6. Lastly,let'scheckswitchA3toverifythatthechangehasalsotakenplace:


Figure6.20–SwitchA3pointstoC1asthenewrootbridge

Asexpected,switchA3containsthedetailsofthenewrootbridge,C1,withinits

spanning-treeofVLAN1andhasarootportthatpointstowardC1onthe

topology.

Thehighlightedlinksinthefollowingdiagramarethosethataremadeactivebythenewrootbridgeonthenetwork,whileothersarelogicallyblockedtopreventanyLayer2loopsonthenetwork:


Figure6.21–Activepaths

Asyoucansee,theentirelogicaltopologyhaschangedwiththeconfigurationofthenewrootbridgeandthereisonlyonelogicalpath,thereforepreventinganyLayer2loopsonthenetwork.


Boththeprimaryrootbridgeandthesecondaryrootbridgecanbeconfiguredtoautomaticallyadjusttheirbridgepriorityvaluetobethelowestonthenetworkatalltimes.Usinganalternativecommandofeachswitchprovidesthisoptionforus.

Toconfiguretheprimaryrootbridge,usethefollowingcommand:

C1(config)#spanning-treevlan1rootprimary

Toconfigurethesecondaryrootbridge,usethefollowingcommand:

C2(config)#spanning-treevlan1rootsecondary

Havingcompletedthisexercise,youhavegainedtheskillstoconfigureandimplementRapid-PVST+onaCisconetwork.Inthenextlab,wewillcontinueusingthisexistingtopologywhereyouwillgainhands-onexperienceofconfiguringPortFastandBPDUguardonaCiscoswitch.

Lab–configuringPortFastandBPDUguardAswelearnedearlier,PortFastisafeaturethatallowsaninterfaceto

transitionintoaForwardingstatewithoutgoingthroughboththeLearning

andListeningstates.ItisafeatureusedwhenrunningRapid-PVST+ona

Ciscoswitch.Inthislab,youwilllearnhowtoconfigureaninterfacewithPortFastandimplementBPDUguardtopreventanyunwantedBPDU

messagesfromenteringtheinterface.

Importantnote


Theseconfigurationsshouldonlybeappliedtoedgeports.Edgeportsareportsthatarenotconnectedtoanotherswitch,suchasenddevices,routers,firewalls,printers,andsoon.

Togetstartedwiththisexercise,pleaseusethefollowinginstructions:

1. Let'simagineaPCisconnectedtoswitchA1onFastEthernet0/3.

WecanimplementPortFastbyensuringtheinterfaceisanaccessport:

A1(config)#interfaceFastEthernet0/3

A1(config-if)#switchportmodeaccess

A1(config-if)#switchportnonegotiate

2. ToenablethePortFastfeatureontheinterface,usethefollowing

command:

A1(config-if)#spanning-treeportfast

3. OncePortFasthasbeenenabled,enableBPDUguardtoprevent

BPDUsfromenteringtheport:

A1(config-if)#spanning-treebpduguardenable

Thefollowingsnippetshowstheexpectedsequenceandoutcomesofcompletingtheprevioussteps:


Figure6.22–ConfiguringPortFastandBPDUguard

4. Lastly,wecanusetheshowrunning-configcommandtoverifythe

configurationundertheinterface,asshown:


Figure6.23–Therunning-configfile

Additionally,theshowspanning-treeinterfacefastEthernet

0/3portfastcommandcanbeusedtoverifywhetherPortFasthasbeen

enabledonaninterface.

Havingcompletedthisexercise,youhaveacquiredtheskillstoimplementthePortFastandBPDUguardfeaturesonalledgeportswithinaCisco

environment.

SummaryWetookadeepdiveintolearninghowredundancycanbeagoodbutalsoabad


thing,asitmaycreateaLayer2loopinourswitchnetwork.Mostimportantly,wecoveredtheimportanceofunderstandingspanning-treeandhowitworkstohelppreventphysicalredundancyfromtakingdownourenterprisenetwork.Havingcompletedthischapter,youhavegainedtheskillstodetermineportrolesinaspanning-treetopology,configurebothprimaryandsecondaryrootbridges,andlastly,implementPortFastwithBPDUguard.

IhopethischapterhasbeeninformativetoyouandishelpfulinyourjourneytowardlearninghowtoimplementCiscosolutionsandpreparefortheCCNA200-301certification.Inthenextchapter,Chapter7,InterpretingRoutingComponents,youwilllearnabouttheimportanceofroutingandhowroutersdeterminethebestpathtoadestinationnetwork.

QuestionsThefollowingareashortlistofreviewquestionstohelpreinforceyourlearningandhelpyouidentifyareasyoumightneedtoworkon:

1. WhichcommandallowsyoutoseetheMACaddressofaswitch?

A.showversion


C.showrunning-config

D.showstartup-config

2. WhichofthestandardspreventsLayer2loopsonanetwork?

A.IEEE802.1X


B.IEEE802.3

C.IEEE802.11

D.IEEE802.1D

3. Whatisthepriorityvalueofaswitchthathasbeenfactoryrestored?

A.0

B.32768

C.32769

D.4096

4. Whichisthedefaultspanning-treeoperatingmodeonCiscoIOSswitches?

A.PVST+

B.STP

C.Rapid-PVST+

D.RSTP

5. WhichportisnotincludedinRapid-PVST+?

A.Discarding

B.Forwarding


C.Listening

D.Learning

6. Whichportisclosesttotherootbridge?

A.Backupport

B.Alternateport

C.Designatedport

D.Rootport


UnderstandingSpanning-Tree:https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/5234-5.html

ConfiguringRapidPVST+:https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/RPVSpanningTree.html

ConfiguringPortFastandBPDUGuard:https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/stp_enha.html


https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/5234-5.html

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/RPVSpanningTree.html

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/stp_enha.html

Section3:IPConnectivityThissectionbeginsbyintroducingyoutohowroutersareusedtointerconnectremotenetworksandhowroutersmaketheirforwardingdecisionstosendapackettoitsintendeddestination.Next,youwilllearnaboutbothstaticanddynamicroutingprotocols,theiradvantages,andusecases.Then,youwilllearnhowtoimplementandtroubleshootbothstaticanddynamicroutingonanetworktoensureconnectivity.


Chapter7,InterpretingRoutingComponents

Chapter8,UnderstandingFirstHopRedundancy,StaticandDynamicRouting


Chapter7:InterpretingRoutingComponentsAllnetworkprofessionalsmusthaveanunderstandingoftheconceptsofrouting.InembarkinguponthisnewdomainonIPconnectivity,youwillbeintroducedtothetopicsofroutersandhowtheyhelpusconnecttoremotenetworks.Routershelpsusreachtheinternet,accessresourcesonline,andshareinformationwitheachother.Therefore,ifyouareunabletoconfigurerouterstosendpacketsbetweenremotenetworksandtoenablethemtoautomaticallyexchangeroutes,youwillhavegreatdifficultyworkinginnetworking.

Uponcompletingthischapter,youwillhavelearnedtheprocessCiscoIOSroutersusetomaketheirforwardingdecisions.Additionally,youwillhavegainedtheabilitytoidentifyanddescribeeachcomponentwithintheroutingtableofarouterandwillbeabletopredicttheforwardingdecisionofeachdeviceinaCiscoenvironment.


UnderstandingIProuting

Componentsoftheroutingtable

Routingprotocolcodes

Prefixandnetworkmask

Nexthop


Administrativedistance

Routingmetrics



Thecodefilesforthischapterareavailableat:https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2007.

UnderstandingIProutingRoutersplayanimportantroleinhownetworksoperatedaytoday.Withoutthem,wewouldn'tbeabletoconnecttoothernetworksortheinternet.Inthissection,wewilllearnhowCiscoroutersconnectremoteandforeignnetworks,allowingustoaccessdevicesandapplicationslocatedwithinadatacenterorevenanotherlocationsomewhereontheinternet.WewillconsiderthequestionHowdoesaroutermakethedecisiontoforwardtraffictotherightnetwork?

Inthepreviouschapters,wehavespentalotoftimelearninghowtobuildanoptimallocalareanetworkusingalotoftechnologieswithCiscoIOSswitches.OneofthekeythingsyoumayhavenoticedregardingCiscoIOSswitchesisthatanewCiscoswitchwithdefaultconfigurationswillstillallowyoutoconnectenddevicesontoitsphysicalinterfacesandwillforwardtraffic(frames)without




youinsertinganyadditionalconfigurationsonthedevice.However,thisisnotthecasewithaCiscoIOSrouter.

TheCiscoIOSrouter,whichhasdefaultconfigurationsorfactorysettings,doesnotdothingssuchasforwardtraffic(packets)betweenitsinterfaces.Tomakearouteroperational,thenetworkprofessionalsuchasyourselfhastotelltherouterhowtrafficshouldflowbetweenitsinterfaces.Inotherwords,withoutconfiguringtheCiscorouter,itwillsimplydonothingonanetworkwhenit'spoweredon.

ArouterhasthecapabilitytoreadtheLayer3headerofanIPpacketandmakeadecisiononhowtoproceedinforwardingthepacket.Whenapacketentersaninterfaceonarouter,itisde-encapsulatedbyremovingtheLayer2headerinformation,suchasthesourceanddestinationMACaddresses.However,theroutertakesalookatthedestinationIPv4orIPv6addressandchecksitsroutingtableforasuitableroute.

TheroutingtableisdynamicallyupdatedwhenalocalinterfaceontherouterisassignedanIPaddressandisenabled.Inaddition,therouterhasthecapabilityofrunningdynamicroutingprotocolsthatallowotherroutersonthenetworktoexchangeroutes.Arouteissimplyapathtoreachadestinationnetwork;withoutanyroutes,arouterwon'tbeabletoforwardpacketstotheirdestinations.

Let'stakealookatthefollowingtopologytogainabetterunderstandingofhowrouterswork:


Figure7.1–Simplenetworktopology

Thetopologyillustratesanorganization'snetwork,consistingoftheheadquartersandthreeremotebranches/offices.TheorganizationusesaMetroEthernet(MetroE)WANtointerconnecttheirbranchestotheheadquarters.TheWAN


serviceismanagedbyalocalInternetServiceProvider(ISP).

Importantnote

AMetropolitan-areaEthernetorMetroEconnectionisatypeLayer2WANservicethatiscommonlyprovidedbyanISPusingEthernetstandards.

Let'simaginethataPContheBranchAnetwork(172.16.1.0/24)hasto

sendtraffictoaserverinHQthatislocatedonthe10.1.1.0/24network.

Whatwillbethepathorroutethetrafficwilltake?Toanswerthisquestionandfullyunderstandwhattakesplaces,let'slookatalow-levelviewofthetopology:


Figure7.2–Low-leveltopology

IwouldrecommendtakingsometimetobuildthistopologyusingCiscoPacketTracerasyouwillbeabletoperformthesamevalidationchecksthatIwillbeusingfortheremainderofthischapterandthenext.Whenbuildingthetopology,usethefollowingguidelines:

UseonlyCisco2911routers.

EnsureyouconfiguretheIPaddressoneachdeviceasshowninthediagram.

EnsureeachPCisabletopingitsdefaultgateway.

Ensureeachroutercanpingallotherroutersonthenetwork.

Let'sseewhetherPC2ontheBranchAnetworkisabletopingPC1ontheHQnetwork.First,let'sverifytheIPaddressonPC2byusingtheipconfig

command:


Figure7.3–PC2IPaddressing

YouneedtochecknetworkconnectivitybetweenPC2anditsdefaultgateway,theBranch-Arouter:

Figure7.4–ConnectivitytesttotheBranchArouter

Fromtheprecedingsnippet,wecandeterminethatfourInternetControlMessageProtocol(ICMP)EchoRequestmessagesweresentfromPC2totheBranch-Arouter.TherouterhasrespondedtoeachmessagewithanICMPEchoReply.ThismeansthatPC2hasconnectivitytoitsdefaultgateway,theBranch-Arouter.

ThenextstepistocheckwhetherPC2hasconnectivitytoPC1.Let'spingPC1fromPC2:


Figure7.5–ConnectivityfailurebetweenPC2andPC1

Thistime,wedidnotgettheexpectedresults.WhenevertheresponseisDestinationhost(ornetwork)isunreachable,thismeansthatthedeviceyouaretestingconnectivityfromdoesnotknowhowtoreachthedestinationhostornetwork.Inourpreviousstep,PC2isabletoreachitsdefaultgateway.Let'sattempttoperformsomebasictroubleshootingtofurtherinvestigateandlearnwhythere'snoend-to-endconnectivity.WecanusethetraceroutetoolinMicrosoftWindowstocheckthepaththepacketwilltakefromPC2toPC1.OnMicrosoftWindows,thetracertcommandisused:


Figure7.6–Performingatraceroute

ThetracerouteutilityusestheICMPtosendICMPEchoRequeststoadestinationhostdevicewhileadjustingtheTimeToLive(TTL)valueofeachpacketitsendstothedestination.Thepurposeofthistoolistocheckthepathapacketwilltakebetweentwodevicesandalsocheckforlatencyissuesbetweenhops.AhopreferstoeachLayer3devicethepackethastopassinordertoreachitsdestination.Thelatencyissimplyameasurementofthetimeittakesadevicetorespondtoamessagesuchasarequest.Higherlatencymeansadevicetakesalongertimetorespond.Asanetworkengineer,wewanttoensurethatournetworkhaslatencytoensurefasterresponsetimes.

Importantnote

OnMicrosoftWindowssystems,thetracertcommandisusedwithinthe

commandprompt,whileLinuxandCiscodevicesusethetraceroute

command.

Thetracerouteresultsshowthatat172.16.1.1(theBranch-Arouter),there

arerequesttimedoutmessages.It'satthispointthatwecanbegin


troubleshootingtounderstandwhyweareexperiencingaproblem.

Let'sheadovertotheBranch-Arouterandcheckitsroutingtableusingtheshowiproutecommand:

Figure7.7–RoutingtableoftheBranch-Arouter

TheCiscoIOSrouterwillonlycontaindestinationrouteswithinitsroutingtable.Intheprecedingsnippet,thereisnodestinationnetworkof10.1.1.0/24inanyoftherows(entries).Ifarouteisnotpresenthere,it

simplymeanstherouterdoesnotknowhowtoforwardthepackettothe10.1.1.0/24networkandwillsendanICMPmessagebacktoPC2

indicatingitdoesnothaveavalidroutetothedestination,hencetheresponsewasDestinationhostisunreachable.

Tip

IfyouwouldliketolearnmoreaboutthedifferentICMPmessagetypes,pleaserefertomyarticleathttps://hub.packtpub.com/understanding-network-port-


https://hub.packtpub.com/understanding-network-port-numbers-tcp-udp-and-icmp-on-an-operating-system/

numbers-tcp-udp-and-icmp-on-an-operating-system/.

Furthermore,wecanseeinFigure7.7thattheBranch-Arouteronlyknowsabouttwouniquenetworks;the10.2.1.0/24networkthatisusedforthe

MetroEWANconnectionontheGigabitEthernet0/2interface,andthe

172.16.1.0/24networkthatisconnectedonGigabitEthernet0/0

fortheLANinterface.However,theBranch-ArouterdoesnotknowabouttheotherthreeLANs:Branch-B,Branch-C,andHQlocations.

IftheBranch-Arouterhadknownaboutallnetworkswithinthetopology,theexpectedroutewouldbepointingtowardtheHQrouterattheIPaddress10.2.1.5.Routersarenotconcernedwiththeentirepathapacketwilltaketo

reachitsdestinationhostornetwork.Allarouterisconcernedwithishanding-offthepackettoanexthop;inotherwords,anotherrouterthatwillforwardthepackettowarditsdestination.Keepinmindthatthisprocessisrepeateduntilthepacketisdelivered.

Importantnote

Ciscoroutersreadtheirroutingtablefromtoptobottomeachtimetheyhavetocheckforasuitableoravailableroute.

ThefollowingoutlinestheprocessofactionstakenbyarouterwhenitreceivesanIPpacket:

1. WhenarouterreceivesanIPpacketononeofitsinterfaces,itchecksthedestinationIPaddresswiththeLayer3headerofthepacket.

2. ItthenusesthedestinationIPaddressandchecksitsroutingtableforan


availableroute(path).

3. Ifasuitablerouteisfound,itsendsthepackettothenexthopviatheexitinterface.

4. Ifarouteisnotfound,therouterchecksforagatewayoflastresorttoforwardthepacket.

5. Ifneitherrouteisfound,therouterrepliestothesenderwithaDestinationhost(network)notfoundmessage.

Nowthatyouhavecompletedthissection,youhavelearnedhowCiscoIOSroutersdetermineasuitablepathtoforwardapacket.Inthenextsection,wewilldiscusseachcomponentwithintheroutingtable.

ComponentsoftheroutingtableTofurtherunderstandhowroutersmaketheirdecisionswhenitcomestoforwardingpacketsbetweennetworks,it'simportanttounderstandeachcomponentoftheroutingtablewithinaCiscoIOSrouter.Inthissection,wewillcoveralltheessentialcomponentsthatarepartoftheroutingtable,including:

Routingprotocolcodes

Prefix

Networkmask

Nexthop

Administrativedistance(AD)


Metric

Gatewayoflastresort

Let'sstartwithroutingprotocolcodes.

RoutingprotocolcodesWhenyouexecutetheshowiproutecommandonaCiscorouter,thevery

firstthingyouwillseeisaconciselistofcodes.Thesecodesareformallyreferredtoasroutingprotocolcodes.Eachcodeisusedtohelpyouidentifyhowaroutehasbeenlearnedandaddedtotheroutingtable.

ThefollowingsnippetshowstheroutingprotocolcodesofaCiscoIOSrouter:

Figure7.8–Routingprotocolcodes

ThefollowingisabriefdescriptionoftheessentialcodesyouneedtoknowasaCCNAstudent:

C:Thiscodeindicatesthattherouteisdirectlyconnectedtotherouter.Put


simply,whenyouconfigureanIPaddressonarouter'sinterfaceandit'smadeactive,therouterautomaticallyinsertsadirectlyconnectedroutetothatnetworkwithinitsroutingtable.

L:Thiscodeindicatestherouteisalocalroute.Alocalrouteisonethat

pointsnottoanetworkliketheothers,buttoaspecifichostdeviceonanetwork.LocalroutesarecommonlyinsertedintotheroutingtablebydefaultwhenyouconfigureanIPaddressonanactiveinterfaceonarouter.Ifyoulookcloselyattheroutingtable,youwillnoticethattheIPaddressonalocalrouteisthesameastheaddressontheinterfaceitself.Additionally,youcanconfigurealocalroutethatpointstoadeviceonaremotenetwork.

S:Thiscodeindicatestheroutehasbeenmanuallyconfiguredand

insertedintotheroutingtable;thisisknownasastaticroute.

R:Thisroutingcodeindicatesthattherouterhaslearnedaboutaremote

networkviaadynamicroutingprotocolknownasRoutingInformationProtocol(RIP).RIPisanoldroutingprotocolthatallowsrouterstosimultaneouslyexchangeroutinginformationandupdatetheirroutingtablesautomatically.RIPisusedwithinaninternalorprivatenetwork.

B:Thiscodeindicatesthattherouterhaslearnedaboutaremotenetwork

viatheBorderGatewayRoutingProtocol(BGP).BGPisknownasanExteriorGatewayProtocol(EGP)andiscommonlyusedontheinternetbetweenISPstoexchangepublicnetworks.

D:Thisroutingcodeindicatesthattheroutehasbeenlearnedbythe

EnhancedInteriorGatewayRoutingProtocol(EIGRP).


EX:Thiscodeindicatesthatanexternalroute,suchastheroutetothe

internet,hasbeenlearnedviatheEIGRP.

O:ThiscodeindicatesthattheroutehasbeenlearnedbytheOpen

ShortestPathFirst(OSPF)routingprotocol.

*:Thiscodeindicatestherouteisadefaultroutethatusuallypointstothe

internet.Thiscodeiscommonlycoupledwithotherroutingcodes,asyouwilldiscoverinthenextchapter.

ThefollowingsnippetshowsthecurrentrouteoftheBranch-Arouter:

Figure7.9–Parentroute

Withintheroutingtable,youwillcommonlyseeroutesinstalledwithoutanactualpathtoreachthedestinationnetwork.Thehighlightedrouteisknownasaparentroute.TheparentrouteisusuallyindicatedbyaclassfulnetworkID.Intheprecedingsnippet,theparentroutecontainsadestinationnetworkof10.0.0.0./8withtwochildroutes:10.2.1.0/24and10.2.1.10/32.


Let'stakealookatthefollowingsnippet,whichshowsexamplesofchildroutesontheBranch-Arouter:

Figure7.10–Childroutes

Lookingcloselyatthehighlightedareasintheprecedingsnippet,youshouldnoticethatonlychildroutescontaintheroutingprotocolcodes;theparentroutesdonot.AnicefeatureoftheCiscoIOSisthatitplaceseachrouteinnumericalorderwithintheroutingtable,whichmakesiteasyforbothusandtheroutertoperformroutelookups.

ThefollowingsnippetshowsanexampleofrouteslearnedviatheOSPFroutingprotocol:


Figure7.11–Dynamicallylearnedroutes

Adynamicallylearnedroutealwayscontainsextraparameterswithintheroutecomparedtobothlocalanddirectlyconnectedroutes.Inthenextfewsections,wewilltakealookattheseadditionalcomponentsandtheirfunctions.

PrefixandnetworkmaskAnotherimportantcomponentoftheroutingtable,andspecificallypartofaroute,istheprefix.TheprefixisidentifiedasthedestinationnetworkID.When


therouterislookingforasuitableroute,itcheckstheprefixofeachinstalledrouteinitsroutingtableforasuitablematch.

Thefollowingsnippetshowstheprefixwithintheroutingtable:

Figure7.12–Prefix

Foreveryprefixwithintheroutingtable,there'sanassociatednetworkmaskintheformof/xformat.Thefollowingsnippetshowsthatthehighlightedarea

withineachroutehasaprefixandnetworkmask:


Figure7.13–Networkmask

Thenetworkmaskintheroutingtablerepresentsthesubnetmaskforeachprefix(networkID).Ifyourecall,inChapter3,IPAddressingandSubnetting,welearnedthatthevaluerepresentsthenumberofoneswithinthesubnetmaskofeachnetwork.Forexample,anetworkmaskof/24simplymeansthereare24

oneswithinthesubnetmask;whenconvertingthemaskfrombinarytodecimal,theresultwillbe255.255.255.0.

NexthopWhenaremoterouteisinsertedintotheroutingtable,anexthopisusually


associatedwithreachingthedestinationnetwork.Togainabetterunderstandingofthis,let'stakealookatthefollowingsnippet:

Figure7.14–Nexthop

Intheprecedingsnippet,wecanidentifyatotaloffourremotenetworkslearnedviatheOSPFroutingprotocol.Let'stakealookattherouteforthe10.1.1.0/24network.Fromourtopology,wecanseethatthisnetworkis

locatedontheHQLANandtheonlywayabranchrouterisabletoforwardapackettothatnetworkisviathepacketbeingsenttotheHQrouteronthe10.2.1.5address.


Let'sbreakdowntherouteandthetopologyabitfurther.Onceagain,let'sdissectthefollowingroute:

O10.1.1.0/24[110/2]via10.2.1.5,00:07:45,

GigabitEthernet0/2

Wecandeterminethefollowing:

TheroutewaslearnedviatheOSPFroutingprotocol.

Thedestinationnetworkis10.1.1.0/24.

Theonlywaytoreachthedestinationnetwork(10.1.1.0/24)is

through10.2.1.5,whichisknownasthenexthopintheroutingtable.

Thetimerindicateshowlongtheroutehasbeenintheroutingtable.

Theinterface(GigiabitEthernet0/2)representstheexitinterface.

TheexitinterfaceissimplytheexitdoorfromtheBranch-Arouterthatleadstoward10.2.1.5.

Inthenextchapter,wewillexploreroutinginmoredetail.Wewillneedtoaddressthefactthatnotallconfiguredrouteshaveanexthopsincesomeroutersmaybeconfiguredtouseonlyanexitinterface,whileothersuseanexthopandexitinterfaceatthesametime.

AdministrativeDistanceAdministrativeDistance(AD)issimplythetrustworthinessofarouteorpath.ACiscoIOSroutercansupportmultipleroutingprotocolsrunningatonetime.Eachroutingprotocolhasitsownuniquealgorithmthatisusedtochooseabest


pathorroutetoinstallwithintheroutingtable.Thebestroutewillbeusedwhenforwardingpacketstoadestination.

Let'stakealookatthefollowingtopology:

Figure7.15–AdministrativeDistancetopology

Intheprecedingdiagram,let'simaginethePCwantstosendamessagetotheserver.ThefollowingarethestepstakenbythePCandtherouterwhenforwardingapacket:


1. ThePCwillcheckthedestination'sIPaddressanddeterminewhether10.0.0.10belongsonthesameIPnetworkasthePC.Sinceit'sa

differentnetwork,thePCwillproceedtosendthemessagetoitsdefaultgateway.Additionally,thePCwillsetthedestinationMACaddressasthatofthedefaultgateway,Router-A.Thisishowenddevices,suchasPCsandservers,sendmessagestotheirdefaultgatewaythatisintendedtoleavethenetwork.

Importantnote

Thedefaultgatewayisadevicesuchasarouterthathasapathtotheinternetoraforeignnetworkthatdoesnotbelongtotheorganization.Thisisalsoanodethatpacketsareforwardedtowhennootherspecificroutesarefoundintheroutingtabletothedestination.

2. WhentherouterreceivestheincomingpacketfromthePC,itwillde-encapsulateitandcheckthedestinationIPaddress.Inthisscenario,thedestinationIPaddressis10.0.0.10.

3. Therouterwillthencheckitsroutingtableforasuitableroute(path)toforwardthepacket.

Atthispoint,therouterisconnectedtofourroutestoreachtheserver.ThesearePathA,PathB,PathC,andPathD.Let'sassumeeachpathhasauniqueroutingprotocol:

RIP–configuredonPathA

OSPF–configuredonPathB


EIGRP–configuredonPathC

Staticroute–configuredonPathD

Whatwouldtherouterdo?CiscohassetthedefaultadministrativedistanceforeachroutingprotocolwithintheirCiscoIOSforalltheirdevices.Thefollowingtablecontainstheadministrativedistancesforeachroutingprotocol:

Figure7.16–AdministrativeDistancetable

Backtoourscenario.Lookingattheprecedingtable,theroutewiththelowestadministrativedistancewillbethepreferredroutetothedestinationnetwork.So,thepreferredroutewouldbethestaticrouteviaPathDbecauseithasanADof1,whichisthelowestoutofalltheotherroutingprotocolsandpaths.

Anotherimportantquestionwemustconsideris:Howcanyoudeterminetheadministrativedistanceofaroute?Thesimplestmethodwouldbetolearnthetableprovided.Additionally,foreachrouteinstalledinitsroutingtable,therouterinsertstheADaftertheprefixandnetworkmask,asshowninthe


followingsnippet:

Figure7.17–AdministrativeDistanceintheroutingtable

Let'simaginetheroutingtabledoesnotcontainanyroutingprotocolcodes.SimplybylookingattheADvaluenexttoeachprefixandcross-referencingthetable,youcanquicklydeterminetheroutingprotocol,andviceversaifthereisn'tanyadministrativedistancevaluebutonlyroutingprotocols.

Ifyoulookcloselyattheprecedingroutingtable,youseethatdirectlyconnected(C)routesdonotcontainanyadministrativedistances.ItissimplyimpliedthattheADvalueis0,since0isthemosttrustworthyroutegiventhatitisphysically

connectedtotherouter.


RoutingmetricsIntheprevioussection,wespokeaboutarouterthatwasrunningmultipleroutingprotocolsandhadtochoosethemosttrustworthyroutetoinstallinitsroutingtable.So,whatiftherouterisusingonlyoneroutingprotocolsuchasOSPFandtherearemultiplepathstothesamedestinationnetwork.Whatwilltherouterdothen?Inthissituation,therouterwillcheckthemetricvalueforeachpossiblerouteandwillonlyinstalltheroutethathasthelowestmetric.

Importantnote

Themetricisalsoreferredtoasthecostofaroute.Eachroutingprotocolusesitsownalgorithm,whichisusedtocalculatethebestpossiblepathtoadestinationnetwork,andassignsanumericalvalue(metric)toeachavailablepath.

Thefollowingsnippetshowsaroutingtablecontainingvariousroutesandtheirmetricvalues:


Figure7.18–Metric

Asmentioned,eachroutingprotocolusesadifferentmethodofcalculatingthemetric(cost)toreachadestinationnetwork.Here,wewilltakeabrieflookatthemetricsusedbyeachInteriorGatewayProtocol(IGP).

Thefollowingisabrieflistofdynamicroutingprotocols.

RoutingInformationProtocolRIPisoneofthefirst-generationroutingprotocolsthatallowedrouterstoautomaticallylearnaboutnewnetworksandupdatetheroutingtableifachangewasmadeonthenetworktopology.ThedownsideofRIPisthatitusesametric


ofhopcountandonlysupportsamaximumhopcountof15.Thismeans,betweenasenderandadestinationnetwork,theremustexist15orfewerrouters.Iftherearemorethan15hopsbetweenthesenderandthedestination,the15thhoprouterwilldiscardthepacketandthesenderofthemessagewillreceiveaDestinationhostunreachableresponsefromtherouter.

Ifyourecall,intheUnderstandingIProutingsection,wenotedthatanIPpacketcontainsaTimeToLive(TTL)field,whichcontainsanumericalvaluethatdecreasesasitpasseseachhop(routerorLayer3device)onthewaytoitsdestination.Thisisalooppreventionmechanismtoensurethatapacketdoesnotliveforeveronacomputernetwork.

Importantnote

RIPisadistance-vectorroutingprotocol.However,sinceRIPisnolongerapartoftheCCNA200-301examinationobjectives,wewillnotbediscussingRIPfurther.

RIPusestheBellmanFordalgorithm,whichcalculatesthehopcountbetweenalocalrouterandthedestinationnetworks.Itwillusetheroutewiththelowestnumberofhops(metric)andinstallitwithintheroutingtable.

OpenShortestPathFirstTheOSPFroutingprotocolusestheShortestPathFirst(SPF)algorithm,whichwascreatedbyEdsgerDijkstra.Thisalgorithmwasdesignedtousethecumulativebandwidthtocalculatethemetricsforaroute(path)toadestinationnetwork.WithOSPF,thenumberofhopsapackethastopassbeforereachingitsdestinationdoesnotmatter;ratheritisthefastestroutetoreachtherethatis


important.

EnhancedInteriorGatewayRoutingProtocolEIGRPwasaCiscoproprietaryprotocoluntil2013.ItusestheDiffusingUpdateAlgorithm(DUAL)tocalculatethebestandmostcost-effectivepath.Unliketheotherdynamicroutingprotocols,EIGRPisconsideredtobeahybridroutingprotocolasitdoesnotonlycalculatethebestloop-freepathtoadestinationnetwork,butalsoabackup,loop-freepath.Thus,intheeventthemainpathgoesdown,EIGRPcanalmostimmediatelyplacethebackuploop-freepathintotheroutingtable.

Importantnote

EIGRPisnolongerpartoftheCCNA200-301examinationobjectives.

DUALusesthefollowingtocalculatethemetricfornetworkroutes:

Bandwidth

Delay

TXLoad

RXLoad

Reliability

TheseareknownasEIGRPmetricweightsandarerepresentedbyaKvalue.By

default,EIGRPonlyusesthebandwidthanddelayvaluesduringitsmetriccalculations.


GatewayoflastresortThelastcomponentoftheroutingtable,andonethatisofgreatimportance,isthegatewayoflastresort.ThisisthedefaultgatewaythatisinsertedwithintheroutingtableofaCiscorouter.Ciscoroutersalsoneedtobeconfiguredwithadefaultgatewaythatpointstotheinternet.Withoutagatewayoflastresort,CiscorouterswillnotbeabletoforwardtrafficfromtheinternalLocalAreaNetworks(LANs)totheinternet.

ThegatewayoflastresortiseitherstaticallyconfiguredbyanetworkprofessionalontheCiscorouterordistributedviaadynamicroutingprotocolsuchasOSPF.

ThefollowingsnippetshowsaCiscorouterthathasagatewayoflastresortwithinitsroutingtable:


Figure7.19–Gatewayoflastresort

Intheprecedingsnippet,thegatewayoflastresortis10.2.1.5.Additionally,

thelastrouteintheroutingtablecontainsadefaultroutethatislearnedviaOSPFandthatalsohasanexthopof10.2.1.5.Inbestpractice,defaultroutes

arealwaysplacedatthebottomoftheroutingtable.

Importantnote

Adefaultrouteisonlyconfiguredtopointtowardanynetworkthatdoesnotexistwithinaroutingtable.Ciscoroutersdonotcontaineverynetworkthatexistsontheinternetand,iftheydid,theroutingtablewouldbehuge.Thedefaultrouteis


designedtosendtraffictoadevicethatleadstotheinternet;thisdeviceisknownasthegatewayoflastresort.

Thereasonforthisplacementisthat,whenarouterperformsalookup,italwaysstartsatthetopofthelistandworksitswaydown.Iftherearenoavailableroutestoforwardthepacket,thedefaultrouteisusedtoforwardthepacket.However,ifarouterdoesnothaveanavailablerouteoradefaultroute,theroutersendsaDestinationunreachablemessagebacktothesender.

Havingcompletedthissection,youhavegainedtheessentialknowledgetopredictthedecisionsofaCiscorouter.Furthermore,youhavelearnedhowroutersmaketheirdecisionsonpopulatingrouteswithintheirroutingtableandhowtheymakeforwardingdecisionstoensurethatthepacketsalwaystakethemosttrustedandcost-efficientpathstotheirdestinations.

SummaryDuringthecourseofthischapter,wehavediscussedthestrategiesthatCiscoIOSroutersusetoforwardpacketstotheirintendeddestinations.Welookedattheroutingtableandbrokedowneachcomponenttogiveyouagreaterunderstandingofeachcomponent'spurposeandresponsibilityontherouter.YouhavelearnedhowtopredicttheforwardingdecisionofaCiscorouterinthefollowingsituations:whentherearemultipleroutingprotocolsgivingaroutetothesamedestinationnetwork,whenthesameroutingprotocolhasmultiplepathstothesamenetwork,andwhentherearemultiplepathswiththesamecost(metric).

IhopethatthischapterhasbeeninformativeandhelpsyouonyourjourneytowardlearninghowtoimplementandadministrateCiscosolutionsandprepare


fortheCCNA200-301certification.Inthenextchapter,UnderstandingStaticandDynamicRouting,wewilllearnhowtosetupstaticanddynamicroutingprotocolstoensureIPconnectivitybetweenmultiplenetworksinaCiscoenvironment.

QuestionsThefollowingisashortlistofreviewquestionstohelpreinforceyourlearningandhelpyouidentifywhichareasrequireimprovement.

1. Whatistheadministrativedistanceofadirectlyconnectedroute?

A.0

B.1

C.5

D.110

2. ArouterhasRIP,EIGRP,andOSPFrunningatthesametime.Eachprotocolhasapathtothenetwork192.168.1.0/27.Whichpathwill

beinstalledintheroutingtable?

A.EIGRP

B.RIP

C.OSPF

D.Alloftheabove


3. Whichofthefollowingroutingprotocolcodesisusedtorepresentadefaultrouteintheroutingtable?

A.D

B.*

C.S

D.O

4. Whichofthefollowingstatementsistrueregardingadministrativedistance?

A.Administrativedistanceisthecostbetweenasourceanddestinationnetwork.

B.Administrativedistancerepresentstheactualdistancebetweenthesourceanddestinationnetwork

C.Administrativedistanceiscalculatedbytherouter

D.Administrativedistanceisusedtorepresentthetrustworthinessofaroute

5. ArouterisusingonlytheOSPFroutingprotocoltolearnremotenetworks.Iftherearethreepathstothesamedestinationnetwork,whatwilltherouterdo?

A.Therouterwillinstallthepathwiththehighestmetric.

B.Therouterwillinstallthepathwiththelowestmetric.


C.Therouterwillinstallallpathsthathavethesamemetrics.

D.Therouterwillinstallallpathsregardlessoftheirmetrics.

6. Arouterusestheparentrouteswhenforwardingpacketstoadestination.Trueorfalse?

A.True

B.False

7. Thenetworkmaskofaparentrouteisthesameasthechildroutes.Trueorfalse?

A.True

B.False

8. Whatisthepurposeofthetimerwithintheroutingtable?

A.Itindicatesthecurrenttimeontherouter.

B.Itindicateshowlongtherouterhasbeenpowered-on.

C.Itindicateshowlongtheroutingtableisavailablefor.

D.Itindicateshowlongtheroutehasbeeninstalledintheroutingtable.

9. Whichofthefollowingstatementsisnottrue?

A.Theroutingtableisstoredintherunningconfig.

B.TheroutingtableisstoredinFlash.


C.TheroutingtableisstoredinNVRAM.

D.Alloftheabove.

10. WhichofthefollowingprotocolcodesrepresentsEIGRPintheroutingtable?

A.O

B.E

C.D

D.R


Routeselection:https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/8651-21.html

Understandingtheroutingtable:https://www.ciscopress.com/articles/article.asp?p=2180210&seqNum=12


https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/8651-21.html

https://www.ciscopress.com/articles/article.asp?p=2180210&seqNum=12

Chapter8:UnderstandingFirstHopRedundancy,StaticandDynamicRoutingRoutersarecomputerstoo.TheyhelpusinterconnectdifferentIPnetworks.Withoutthem,wecan'tcommunicateorexchangemessageswithadeviceoruseronanothernetworkinadifferentlocation.Thesedevicesaresupersmartandhelpforwardpacketstotheirintendeddestinations.Routersdeterminethebestpathtoforwardpacketstotheirdestinations,ratherthanushavingtomakeadecisioneachtimeadevicewantstoexchangeamessageacrossanetwork.

Inthischapter,youwilllearntheessentialdetailsofstaticrouting.We'lltalkaboutthetypesofstaticroutesthatcanbeimplementedonanetworkandtheirusecases.Furthermore,youwilllearnhowdynamicroutingprotocolsautomaticallylearnremotenetworksandupdateroutingtables.Lastly,youwilllearnhowtoimplementstaticroutesandconfiguretheOSPFroutingprotocolonaCiscoenvironment.


Understandingstaticrouting

Configuringstaticrouting

Understandingdynamicrouting

Configuringthedynamicroutingprotocol

Understandingfirsthopredundancy




CiscoIOSv

GNS3

Cisco2911routers

Thecodefilesforthischapterareavailablehere:https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2008.

CheckoutthefollowingvideotoseetheCodeinAction:https://bit.ly/33QUbvL

UnderstandingstaticroutingWhydon'tCiscoroutersautomaticallyforwardtrafficlikeCiscoIOSswitches?EachinterfaceonaCiscoroutermustbeonauniqueIPnetwork.WithoutconfiguringanIPaddressonarouter'sinterface,therouterwillnotknowwhattodowithincomingmessageswithoutanIPassignment.Toputthissimply,whenyouunboxanewCiscoIOSrouterandinsertitintoyournetwork,itdoesnotdoanything.That'sright–itdoesabsolutelynothingbydefault.

WhenyouconfigureanIPaddressonaCiscoIOSrouter'sinterface,therouterinsertstworouteswithinitsroutingtable.Let'stakealookatthefollowing




https://bit.ly/33QUbvL

topologytogetabetterunderstandingofthis:

Figure8.1–Simplenetworktopology

Withinthenetworktopology,thereareatotalofthreenetworks:192.168.1.0/24,192.168.2.0/24,and192.168.3.0/24.Wewould

assumetheroutersautomaticallyknowaboutallthenetworksandupdatetheroutingtable,butthisdoesnothappen.

Let'stakealookatR1'sroutingtableafterconfiguringtheIPaddressesonbothitsGigabitEthernet0/0andGigabitEthernet0/1interfaces:


Figure8.2–Routingtable

R1onlyknowsaboutitsdirectlyconnectednetworks:192.168.1.0/24and

192.168.2.0/24.Therefore,ifPC1triestosendamessagetothe

192.168.3.0/24network,R1willrespondwithadestinationhost

unreachablemessage.Bydefault,routersonlyknowaboutdirectlyconnectednetworks.Allothernetworksareconsideredtoberemotenetworks.StaticroutingallowsustomanuallyimplementastaticroutethattellsR1howtoreachthe192.168.3.0/24network.

Howdowecreateastaticroute?Astaticrouteisthepathtoaremotenetworkthatmayormaynotbedirectlyconnectedtotherouter.Firstly,lookingatthetopology,wemustaskourselves:ifapacketiscurrentlyonR1,howdoesitreachthe192.168.3.0/24network?ItdefinitelyhastobesenttoR2.More

specifically,ithastobesenttoR2'sGigabitEthernet0/1interfacevia


the192.168.2.1IPaddress.Ifweweretowriteastatement,wewouldget

thefollowing:

"Trafficwhosedestinationis192.168.3.0thathasasubnetmaskof255.255.255.0shouldbeforwardedto192.168.2.1asthenexthop."

WhenwecreateastaticrouteonR1fromtheprecedingstatement,wegetthefollowingcommand:

iproute192.168.3.0255.255.255.0192.168.2.1

Wheneveryou'recreatingastaticroute,startwiththedestinationnetwork(192.18.3.0),thenitssubnetmask(255.255.255.0),andlastly,specify

thenexthopIPaddress(192.168.2.1).Additionally,insteadofspecifying

thenexthop,youcanspecifytheexit-interfaceofR1,GigabitEthernet

0/1.KeepinmindthatR2willalsoneedaroutetoreturntrafficbacktothe

192.168.1.0/24network.

Implementingstaticrouteshasbothitsprosandcons.Inthenextsection,wewilltakealookatthebenefitsanddownsidesofusingstaticroutinginanenterprisenetwork.

Doweneedstaticrouting?Asanetworkgrows,additionalstaticroutesarecreated.Therefore,thenumberofstaticroutesincreasesasthenetworktopologygrows.Ifthereisachangeonthenetworktopology,whetheranewnetworkiscreated,removed,ormodified,thenetworkengineerhastomanuallyadjustthestaticrouteconfigurationsoneachdevicetosupportthechangeonthenetwork.Staticroutesaregoodenough


forsmallandsimplenetworktopologiesbutforalargeenterprisetopologythathasmanyIPsubnetswithremotesites(offices/networks),staticroutingcanbecomecomplex.

However,thereareadvantagestousingstaticroutingonanetwork.Whenanetworkadministratorinstallsastaticroutewithintheroutingtableofarouter,itismanuallyconfiguredandinserted.Thisprovidesimprovedsecurity,comparedtousingdynamicroutingprotocols,whichhavetheabilitytomodifytheroutingtableautomatically.Let'simagineahackerinjectsunsoliciteddynamicroutestoanenterpriseroutingdomainandcausesalltheorganization'srouterstoforwardtrafficdestinedfortheinternetthroughthehacker'scomputer.Withstaticroutes,therouteshavetobemanuallyadjusted.

Withdynamicroutingprotocols,theiralgorithmshavetocalculatethebestpathbyusingvariousmetrics.Withstaticrouting,there'snoalgorithm.Theroutersimplycheckstheroutingtableforabest-matchroute.Onceasuitablerouteisfound,theroutersimplystopssearchingandexecutesthestaticroute.

Whenitcomestopredictingthenexthop,thisiseasywithstaticroutingasthepathdoesnotchange.Withdynamicroutingprotocols,ifthereisachangeonthenetworktopology,thenexthopaddressmaychangebasedonthedynamicroutingprotocolalgorithm'schoicewhenselectingthebestpathandthenexthoptoforwardpackets.

Thefollowingarethebestsituationswhenstaticroutesshouldbeusedinyournetworkenvironment:

Tocreateastaticroutetoaspecificnetworkinorderto,forexample,ensurethepathtoaspecificnetworkdoesnotchange


Tocreateadefaultroutetoforwardpacketstotheinternet

Tocreateabackuproute

Inthefollowingsections,we'lllearnaboutvarioustypesofstaticroutesandhowtoapplythemtotheCiscoIOSrouter.

TypesofstaticroutesTherearemanytypesofstaticroutes,andeachisusedwithinacertainscenarioonanetwork.Inthissection,wewilllearnaboutthecharacteristicsofeachtypeofstaticrouteandhowtoimplementthemonaCisconetwork.

NetworkroutesStaticnetworkroutesarethosethatarecommonlyusedwhenconfiguringstaticrouting.Theseroutesarecreatedtotelltherouterhowtoforwardpacketsthataredestinedforaremotenetwork.

ToconfigureanIPv4staticroute,usethefollowingsyntax:

Router(config)#iproutedestination-network-address

subnet-mask[next-hop-IP-address|exit-interface]

ToconfigureanIPv6staticroute,usethefollowingsyntax:

Router(config)#ipv6unicast-routing

Router(config)#ipv6routeipv6-prefix/ipv6-mask

[next-hop-ipv6-address|exit-interface]


Inthenextsection,wewilltakealookatnexthopstaticroutes.

NexthopstaticroutesNexthopstaticroutesdothesameasthepreviouslydescribednetworkroute,butthistimewewillusethenexthoptospecifywhichIPaddressthelocalroutershouldforwardthepacketto.

ToconfigureanIPv4nexthopstaticroute,usethefollowingsyntax:


subnet-masknext-hop-IP-address

ThefollowingisanexampleofanIPv4staticrouteusinganexthop:

Branch-A(config)#iproute10.1.1.0255.255.255.0

10.2.1.5

ToconfigureanIPv6nexthopstaticroute,usethefollowingsyntax:



next-hopipv6address

ThefollowingisanexampleofanIPv6nexthopstaticroute:

HQ(config)#ipv6unicast-routing

HQ(config)#ipv6route2001:ABCD:1234:2::/64

2001:ABCD:1234:5::10

ThebenefitofusinganexthopisthattheroutespecifiesanIPaddress.


Rememberthatstaticroutesdonotchangewithoutuserintervention.Therefore,therouterwillalwaysusethenexthopIPaddress.

Inthenextsection,we'lltakealookatusingdirectlyconnectedstaticroutes.

DirectlyconnectedstaticroutesAdirectlyconnectedstaticroutehasthesamefunctionalityasthenetworkroutebutratherthanspecifyinganexthop,weusetheexit-interfaceofthelocalrouterwhenconfiguringthisroute.

ToconfigureanIPv4directlyconnectedstaticroute,usethefollowingsyntax:


subnet-maskexit-interface

ThefollowingisanexampleofanIPv4directlyconnectedstaticroute:


gigabitethernet0/2

ToconfigureanIPv6directlyconnectedstaticroute,usethefollowingsyntax:



exit-interface

ThefollowingisanexampleofanIPv6directlyconnectedstaticroute:




gigabitethernet0/1

Theexit-interfaceactsasthedoorwaytoleavethelocalrouter.Whenusingthistypeofstaticroute,therouterisnotconcernedaboutthedeviceontheotherendcatchingthispacket.Itsimplyshootsthepacketoutadoorway(exit-interface).

Inthenextsection,we'lltakealookatconfiguringafullyspecifiedstaticroute.

FullyspecifiedstaticroutesAfullyspecifiedstaticrouteiscreatedbysimplyspecifyingboththeexit-interfaceofthelocalrouterandthenexthopIPaddressofthenextrouter.

ToconfigureanIPv4fullyspecifiedstaticroute,usethefollowingsyntax:


subnet-maskexit-interfacenext-hopIPaddress

ThefollowingisanexampleofanIPv4fullyspecifiedstaticroute:


gigabitethernet0/2192.168.2.1

ToconfigureanIPv6fullyspecifiedstaticroute,usethefollowingsyntax:



exit-interfacenext-hopLink-Local-IPv6address

ThefollowingisanexampleofanIPv6fullyspecifiedstaticroute:




gigabitethernet0/1FE80::2

Thefullyspecifiedstaticrouteensuresallparametersaremanuallyconfiguredonthelocalrouter.Inthenextsection,we'lltakealookatthepurposeofadefaultroute.

DefaultrouteWhatiftherouterreceivesapacketthathasadestinationaddresslocatedontheinternet?Whatwilltherouterdo?Asyouwillhaverealizedbynow,ifarouterdoesnothavearoutewithinitsroutingtable,itwillreplytothesenderwitheitheradestinationhostunreachableordestinationnetworkunreachablemessage.Ontheinternet,therearehundredsofthousandsofpublicnetworks,soitwouldbeveryinefficienttoinstallallthosepublicnetworkswithintheroutingtableofyourrouter.It'samajorissueifyourrouterdoesn'tknowhowtoreachorforwardpacketstotheinternet.

Tosolvethisproblem,wecanuseaspecialtypeofstaticrouteknownasadefaultroute.Thedefaultrouteisusedtoforwardtraffictoanotherrouterthatmayknowwhattodowithapacket.Practicallyspeaking,weusedefaultroutestoforwardtraffictotheinternet.

ToconfigureanIPv4defaultroute,usethefollowingsyntax:

Router(config)#iproute0.0.0.00.0.0.0<next-hop-

IP-address|exit-interface>


Noticethatintheprecedingsyntax,thedestinationnetworkIDandsubnetmaskareallzeros(0s).Thisimpliesanynetworkthatdoesnotexistwithintheroutingtableusesthisroute.

ThefollowingisanexampleofanIPv4defaultroutethatisusing10.2.1.5as

thenexthop:

Branch-A(config)#iproute0.0.0.00.0.0.010.2.1.5

ToconfigureanIPv6defaultroute,usethefollowingsyntax:


Router(config)#ipv6route::/0<next-hop-IPv6-

address|exit-interface>

ThefollowingisanexampleofanIPv6defaultroute:

Branch-A(config)#ipv6unicast-routing

Branch-A(config)#ipv6route::/02001:ABCD:1234:5::5

Whyuse::/0astheIPv6destinationnetwork?Asyoumayrecallfrom

Chapter3,IPAddressingandSubnetting,thedouble-colon(::)representsthat

twoormorehextetsarezeros(0s).Inthisinstance,thedouble-colon(::)

representsthatallhextetsare0swithasubnetmaskof0aswell.

Inthenextsection,we'lltakealookathowhostroutesareusedwithinanetwork.

Hostroutes


HostroutesareeitherintheformofIPv4orIPv6addressesintheroutingtable.Theycanbeinstalledautomaticallyintheroutingtable,configuredasstatichostroutes,orobtainedautomaticallythroughothermethods.Hostroutesareusedtoroutetraffictoaspecifichost.

Thefollowingsnippetshowssomehostroutesthatwereautomaticallyinstalledintheroutingtable:

Figure8.3–Hostroutes

Ahostrouteisastaticroutethatsimplyspecifiesahostratherthananetwork.Thistypeofstaticrouteallowsyoutocreateindividualstaticroutesthatspecifyhowtoreachaspecifichostonanetwork.


ToconfigureanIPv4hostroute,usethefollowingsyntax:

Router(config)#iproutedestination-ipv4-address

255.255.255.255<next-hop-IP-address|exit-

interface>

ThefollowingisanexampleofanIPv4hostroute:

Router(config)#iproute192.168.1.14

255.255.255.255gigabitethernet0/2

ToconfigureanIPv6hostroute,usethefollowingsyntax:


Router(config)#ipv6routedestination-ipv6-global-

unicat-address/128<next-hop-IP-address|exit-

interface>

ThefollowingisanexampleofanIPv6hostroute:


Router(config)#ipv6route2001::201/128

gigabitethernet0/3

Whenconfiguringahostroute,ensureallbitsare1swithinthesubnetmasktoimplyallthebitsatthedestinationIPv4addressesmatch.ForanIPv4hostroute,thesubnetmaskis255.255.255.255;forIPv6,it's/128.

Inthenextsection,we'lltakealookathowtocreateabackuprouteusingfloatingroutes.


FloatingrouteLet'simagineyourorganizationisusingtwointernetserviceproviders:ISPAandISPBforinternetconnectivityredundancy.ISPAservesastheprimarylinkwhileISPBisthebackupintheeventtheconnectiontoISPAgoesdown.

Thefollowingdiagramshowsasimplenetworktopology:

Figure8.4–Redundantinternetconnections

AlltrafficfromtheinternalLANwilluseISPAasthepreferredroute.ThefollowingistheconfigurationusedonR1toensurepacketsaresenttoISPA:

R1config)#iproute0.0.0.00.0.0.0192.0.2.1


AfloatingstaticroutecanbecreatedbysimplyspecifyinganAdministrativeDistance(AD)ashigherthanastaticrouteoradynamicroutingprotocol.Asanexample,tocreateafloatingstaticroute,thefloatingstaticrouteshouldbeconfiguredwithanADgreaterthan1.Floatingstaticroutesareveryusefulonarouter,astheycanactionabackuproutetotheprimaryroute.

TocreateafloatingrouteonR1withanADvalueof2,wecanusethefollowingcommands:

R1config)#iproute0.0.0.00.0.0.0192.0.2.12

Noticethat,attheendofthenexthop,thereisanumericalvalue.CiscoIOSallowsustospecifyanADvaluefortheroute.Thisallowsustocreatebackuproutesfordynamicroutesthatarenolongeravailable.

ThefollowingsnippetshowsthepaththepacketsitwilltakeifISPAgoesdown:


Figure8.5–Backuproute

Theoriginalroutewillberemovedfromtheroutingtableandthefloatingroutewillbeinstalledandwillbecometheprimaryroute/pathtoreachtheinternet.

ToconfigureanIPv4floatingroute,usethefollowingsyntax:


subnet-mask[next-hopIPaddress|exit-interface]

administrative-distance-value

ToconfigureanIPv6floatingroute,usethefollowingsyntax:




[next-hopipaddress|exit-interface]

administrative-distance-value

ImportantNote

Floatingstaticroutesarecreatedasbackupsforthedefaultrouteoradynamicrouteontherouter.Keepinmindthatstaticroutesarepersistentintheroutingtable.

Havingcompletedthissection,youhavelearnedaboutthevarioustypesofstaticroutesandhowtoimplementthem.Thefollowingsectionswilltakeyouthroughafewhands-onlabs,whichwillhelpyoudevelopyourstaticroutingskillsasaprofessional.

Lab–configuringstaticroutingusingIPv4It'stimetogetsomepracticalexperienceinimplementingstaticroutestogainconnectivitybetweenremotenetworks.Togetstarted,we'llbeusingtheCiscoPacketTracerapplication,whichallowsustosimulateaCiscoenvironment.Withintheapplication,pleasedesignthefollowingnetworktopology:


Figure8.6–IPv4staticroutinglabtopology

Usethefollowingguidelinestocreatethislabtoensureyougetthesameresults:

EachPCisconfiguredcorrectlywithitsappropriateIPaddressingschemes,asshowninthetopologydiagram.


EnsureeachPCcanpingonlyitsdefaultgateway.Forexample,PC2shouldbeabletopingtheBranch-Arouterviaits172.16.1.1IP

address.

Theroutersshouldbeabletopingeachotherviatheirinterfacesonthe10.2.1.0/24networkonly.

UseonlyCisco2911routers.

Havingbuiltthenetworktopology,usethefollowinginstructionstoimplementstaticroutes:

1. Firstly,asagoodnetworkprofessional,itiswisetoverifyyourIPconfigurationsonyourdevices.OneachPC,opentheCommandPromptprogramandexecutetheipconfigcommandtoverifythatthecorrect

IPaddress,subnetmask,anddefaultgatewayhavebeenassigned.

ImportantNote

IfyouareusingaphysicallabwithaLinuxoperatingsystem,usetheifconfigcommandtovalidateyourIPaddressconfigurations.

2. Oneachrouter,usetheshowipinterfacebriefcommandto

verifythattheappropriateIPaddressisassignedonthecorrectinterfacesandthattheinterfacesareinanUp/Upstatus.

3. Let'stesttheconnectivitybetweeneachPCanditsdefaultgateway.OnPC1,let'spingtheHQrouter,asshowninthefollowingsnippet:


Figure8.7–Defaultgatewayconnectivitytest

TheHQrouterrespondsbysendingtheICMPmessagesbacktoPC1.ThisresponseverifiesconnectivitybetweenPC1anditsdefaultgateway.

4. Next,let'sattempttotestconnectivitybetweenremotenetworksbetweenPC1andPC2.OnPC1,usetheping172.16.1.10command,as

showninthefollowingsnippet:


Figure8.8–ConnectivitytestfromPC1toPC2

Thedefaultgateway,whichistheHQrouter,hasrespondedwithadestinationhostunreachablemessage.Thisindicatesitdoesnothavearoutetoreachhost172.16.1.10initsroutingtable.

5. Wecanusetheshowiproutecommandoneachroutertodetermine

whichnetworkstheyhavewithintheirroutingtable.ThefollowingsnippetshowstheroutingtableontheHQrouter:

Figure8.9–RoutingtableoftheHQrouter

You'llnoticethateachrouteronlyknowsaboutitsdirectlyconnectednetworks.Ourjobistoensureeachrouterknowshowtoreachallothernetworks.Wewillconfigurethedefaultroutesinthenextlab.

6. Let'sbeginbyconfiguringtheHQrouterwithstaticroutestoreachBranchB,BranchC,andtheHQnetworks.Ensureyouenterthefollowingcommandsinglobalconfigurationmode:

HQ(config)#iproute172.16.1.0255.255.255.0

10.2.1.10


10.2.1.15



10.2.1.20

Theprecedingconfigurationswillinstallastaticrouteforeachbranchnetworkinthetopology.

ImportantNote

Toremoveastaticroute,usethenocommand,followedbytheentire

staticroute,suchasnoiproute172.16.1.0255.255.255.0

10.2.1.10.

Wecanusetheshowiproutecommandtoverifythattherouting

tablehasbeenupdated:

Figure8.10–UpdatedroutingtableontheHQrouter

Now,therearestaticroutesthathavebeeninstalledontheHQroutingtableforeachremotebranchnetwork.


7. Let'sattempttopingbetweenPC1andPC2againtoverifywhetherwehaveend-to-endconnectivity:

Figure8.11–Requesttimedoutmessages

Asyoucansee,theresponseshavechanged.Now,we'regettingRequesttimedoutresponses.Whatdoesthismean?Theseresponsesareprovidedwhenthetargetdevice(PC2)hasdisabledICMPresponses,afirewallorsecurityapplianceisblockingICMPmessages,orthetargetdoesnothavearoutebacktothesender(PC1).Inthissituation,thereisn'tafirewallorICMPbeingblockedanywhere,soit'sthethirdreason.

8. Let'schecktheroutingtableontheBranch-AroutertoverifywhetherithasaroutebacktotheHQnetwork:



Assuspected,theBranch-Arouterdoesnothavearouterbacktothe10.1.1.0/24network,northeotherremotenetworks.

9. Usingthefollowingcommands,wewillconfiguretheBranch-Arouterwithstaticroutestoallotherremotebranchnetworkswithinthetopology:


10.2.1.5

Branch-A(config)#iproute172.20.1.0

255.255.255.010.2.1.15

Branch-A(config)#iproute192.168.1.0

255.255.255.010.2.1.20

ChecktheroutingtableoftheBranch-Arouter.Thisway,wecanverifythatthenewroutesareinplace:


Figure8.13–StaticroutesontheBranch-Arouter

NowthattheBranch-Arouterhasaroute(path)backtotheHQnetwork(10.1.1.0/24)via10.2.1.5,let'stestend-to-endconnectivityonce

more.

10. TestconnectivityfromPC1toPC2toverifyroutingisworkingproperlybetweentheHQandBranch-Arouters:


Figure8.14–Connectivitytest

Additionally,wecanperformatraceroutetovalidatethepaththepackettakesbetweenPC1andPC2:

Figure8.15–Tracerouteshowingpath

ThefirsthopisthedefaultgatewayforPC1,whilethesecondhopisthenexthopfortheaddressforthe172.16.1.0/24network,asseen

withintheroutingtableoftheHQrouter.Thethirdhopistheactual


destinationhost.

11. Let'snotforgettoconfigurethestaticroutesontheBranch-Brouter.Usethefollowingcommands:


10.2.1.5

Branch-B(config)#iproute172.16.1.0

255.255.255.010.2.1.10

Branch-B(config)#iproute192.168.1.0

255.255.255.010.2.1.20

12. ToconfigurethestaticroutesontheBranch-Crouter,usethefollowingcommands:

Branch-C(config)#iproute10.1.1.0255.255.255.0

10.2.1.5

Branch-C(config)#iproute172.16.1.0

255.255.255.010.2.1.10

Branch-C(config)#iproute172.20.1.0

255.255.255.010.2.1.15

13. Lastly,usepingtovalidateend-to-endconnectivitybetweenallthe

devicesonthetopology.

Havingcompletedthislab,youhavegainedthehands-onskillstoimplementstaticroutingandperformtroubleshootingtechniquesinaCiscoenvironment.

Lab–configuringanIPv4defaultroute


Inthislab,youwilllearnhowtoimplementadefaultroutethatpointstotheinternet.Pleasekeepinmindthatthislabissimplyanextensionofthepreviouslab.Asyoumayrecall,adefaultrouteisaroutethatpointstoaforeignnetworkthatdoesnotbelongtoyourorganization.It'ssimplyyourpath(route)totheinternet.

Togetstartedwithconfiguringadefaultroute,usethefollowinginstructions:

1. OntheBranch-Arouter,usethefollowingcommandtocreateadefaultroutethatpointstotheHQrouter,asthat'swheretheinternetlinkislocated:


10.2.1.5

2. ChecktheroutingtableoftheBranch-Aroutertovalidatethatthedefaultroutehasbeeninstalledandthatthelastresortgatewayhasbeenset:


Figure8.16–Defaultroute

ConfiguringthedefaultrouteonBranch-Awillcreatethefollowingeffect:ifanypacketsaredestinedforanetworkthatdoesnotexistwithintheroutingtableoftheBranch-Arouter,thedefaultroute(gatewayoflastresort)willbeused.Therouterwillforwardthepacketto10.2.1.5.

Furthermore,sincethedefaultroutedoesnothaveanexit-interface,therouterwillperformarecursivelookupwithintheroutingtabletodeterminewhichnetwork10.2.1.5belongsto.Thisisdoneto

determinewhichexit-interfacetheroutershouldusewhenforwardingthepacket.Accordingtotheroutingtable,therouterwillforwardthepacketoutofinterfaceGigabitEthernet0/2since10.2.1.5belongsto

the10.2.1.0/24subnet.

3. Repeatbothsteps1and2ontheBranch-BandBranch-Crouterstoconfigureadefaultroute.

4. Let'sconfiguretheHQrouterasthestubrouterthathastheactualinternetconnection.OntheHQrouter,wewillconfigureadefaultroutethatpointstothe192.0.2.1internetgatewayaddressontheISProuter:

HQ(config)#iproute0.0.0.00.0.0.0192.0.2.1

ImportantNote

Inarealenvironment,theISPwillprovideyouwiththepublicIPaddressyouneedtoconfigureonyourstubrouter'sinterface,aswellastheinternetgatewayaddress.


Atthispoint,alltheroutershaveadefaultroutethatpointstowardtheinternetorISPnetwork.Tokickitupanotch,ensuretheISProuterandtheserverhavebeenconfiguredwiththeIPscheme,asshowninthetopology.EnsuretheservercanpingtheISProuterandviceversa.

5. ConfigureadefaultrouteontheISProuterthatpointstowardtheHQrouter:

ISP(config)#iproute0.0.0.00.0.0.0192.0.2.2

ThepurposeofthissteptoallowthePCstoreachthepublicserverontheinternetwithinourlab.

6. Let'stesttheconnectivityfromanyPCtotheserver,whichisontheinternet.ThefollowingscreenshotshowstheresultsfromPC2onournetwork:

Figure8.17–Connectivitytesttotheserver

7. Next,let'sperformatraceroutetotheserver:


Figure8.18–Traceroutetest

Asyoucansee,thetracerouteshowsthepaththepackettookfromPC2totheserver.

8. Furthermore,lookingattheroutingtable,wecanseethat192.0.2.4/30doesnotexist:



TheBranch-Arouterusedthedefaultroutegatewayasalastresorttoforwardthepackettoanotherdevice,whichmayhaveapathorroutetothedestinationhost.

Tip

Foreachbranchrouter,ratherthaninstallingastaticrouteforeachremotenetwork,youcansimplyinstallasingledefaultroutetothemainoffice,suchastheHQrouter.Thiswillensuretheroutingtableiswithinreachandthattheremotebranchrouteriskeptsmallandconcise.Additionally,theHQroutershouldcontainstaticroutestoeachremotebranchnetwork.Toputthissimply,wheneverabranchofficerhastosendamessagetoanotherbranchorremotenetwork,themessagewillalwaysbesenttotheHQrouter.Inthenextlabexercise,wewillapplythismethodandlearnhowtoperformthistask.

Havingcompletedthislab,youhavegainedthehands-onskillsandexperienceyouneedtoconfigureandimplementadefaultrouteonanIPv4network.

Lab–configuringstaticroutingusingIPv6Inthislab,youwilllearnhowtoconfigurebothIPv6staticanddefaultroutesinaCiscoenvironment.Youarenotrequiredtorebuildanewtopologyforthisexercise;IPv6supportsdualstacking,whichallowsyoutoconfigurebothIPv4andIPv6addressesonthesameinterfaces.Therefore,youcansimplycontinueworkingfromthepreviouslab.

ThefollowingistheIPv6topologywe'llbeusingtocompletethishands-on


exercise:

Figure8.20–IPv6routinglabtopology

Beforeyoubegin,ensureyouhaveconfiguredthedeviceswithboththeglobalunicastandlink-localIPv6addressingschemes,asshowninthefollowingtable:


Figure8.21–ISPandHQdeviceIPv6addressingschemes

ThefollowingtableprovidestheIPv6addressingschemesforeachbranchrouter:


Figure8.22–Branchrouters'IPv6addressingscheme

Lastly,eachenddevice,suchasthePCsandtheserver,alsorequireIPv6addresses:


Figure8.23–EnddeviceIPv6addressingscheme

OnceeachdevicehasbeenfullyconfiguredwithitsIPv6addresses,ensurethereisend-to-endconnectivity:

PingbetweeneachPCanditsdefaultgatewayusingboththeglobalunicastandlink-localIPv6addresses.

Pingfromonebranchroutertoanother.

PingfromtheHQroutertotheISProuter.

TogetstartedwithimplementingIPv6staticroutes,usethefollowinginstructions:

1. Enterglobalconfigurationmodeoneachrouterandexecutetheipv6


unicast-routingcommandtoallowIPv6routing.

2. Firstly,installIPv6staticroutersforeachbranchnetworkontheHQrouter,asfollows:


2001:ABCD:1234:5::10


2001:ABCD:1234:5::15


2001:ABCD:1234:5::20

3. Oneachbranchrouter,installonlyanIPv6defaultroutethatpointstoHQasitsIPv6gatewayoflastresort.Usethefollowingcommandstoachievethistask:

Branch-A(config)#ipv6route::/0

2001:ABCD:1234:5::5

Branch-B(config)#ipv6route::/0

2001:ABCD:1234:5::5

Branch-C(config)#ipv6route::/0

2001:ABCD:1234:5::5

Atthispoint,eachPCcanreachanotherPConaremotenetworkandalltrafficpassesthroughtheHQrouter.

4. Let'sinstalladefaultrouteontheHQroutertopointtowardtheinternet:

HQ(config)#ipv6route::/02001:abcd:1234:6::1


Toensurewecansimulatetheinternetwithinourlabenvironment,wealsoneedtoinstalladefaultrouteontheISProuterthatpointsbacktotheHQrouterusingthefollowingcommand:

ISP(config)#ipv6route::/02001:abcd:1234:6::2

5. Verifyend-to-endconnectivityfromonePCtoanother.ThefollowingsnippetshowsthepingresultsbetweenPC2andPC4:

Figure8.24–ConnectivitybetweenPC2andPC4

ThefollowingsnippetshowsthepaththepackettookfromPC2andPC4:


Figure8.25–TraceroutebetweenPC2andPC4

Asexpected,alltrafficpassesthroughtheHQroutersincewehaveconfigureditusingthedefaultrouteoneachbranchrouter.

6. Usingtheshowipv6routecommand,wecanvalidatetheIPv6

routingtableofeachrouter.ThefollowingsnippetshowstheroutingtableoftheBranch-Arouter:


Figure8.26–Branch-AIPv6routingtable

7. Lastly,wecanusetheshowipv6interfacebriefcommandto

verifytheIPv6addressesoneachrouter'sinterface.ThefollowingsnippetshowsboththeIPv6link-localandglobalunicastaddressesontheHQrouter:


thenetworkexpands.

Tosavetheday,therearedynamicroutingprotocols.Whatexactlyaredynamicroutingprotocols?Theanswertothisquestionisquitesimple:theyarelayer3routingprotocolsthatcanbeconfiguredonaroutertoautomaticallydiscoverremotenetworks,maintainandupdateroutingtables,andcalculatethebestpathtoadestinationnetwork.Intheeventarouteorpathisnolongeravailable,dynamicroutingprotocolscanfindanewpathandinstallitintheroutingtableautomatically.

Therearevarioustypesofdynamicroutingprotocols.Thefollowingfigureprovideabreakdownofthem:


Figure8.28–Dynamicroutingprotocols

Therearevariouscategoriesandsub-categoriesofdynamicroutingprotocolsthataregroupedbasedontheircharacteristicsandhowtheyfunction.Let'stakealookatthem.

TypesofdynamicroutingprotocolsTherearetwomaincategoriesofdynamicroutingprotocols:InteriorGateway


Protocols(IGPs)andexteriorgatewayprotocols(EGPs).Thedifferencebetweenthesetwoisquitesimple.IGPsareusedwithinaprivatenetworkownedbyanorganization.IfIGPsareusedonprivatenetworks,wheredoyouthinkEGPsareused?Theyaremostlyusedontheinternet,whichisapublicnetwork.

ThereiscurrentlyoneEGPandit'scalledthebordergatewayprotocol(BGP).BGPisusedtoexchangeroutinginformationbetweenAutonomousSystems(ASes)ontheinternet.AnASisdefinedasanorganizationthatmanagesalotofpublicnetworks.AsimpleexampleofthisisanISP.ImagineISP_Ahasto

informotherISPsaroundtheworldaboutthenetworksISP_Aownsandhowto

reachthem.EachISPsharesroutinginformationviatheBGProutingprotocolontheinternet.

EachISPhasauniqueAutonomousSystemNumber(ASN),whichallowsittoestablishaBGPadjacencywithanotherASNtoexchangeBGProutes.BGPisunliketheotherroutingprotocolsasitchoosesthebestroutebasedonitspath.

ThefollowingdiagramshowsasimplerepresentationofBGPinterconnectingviaASNs:


Figure8.29–BGPbeingusedbetweenvariousASNs

BGPisaveryslowconvergingdynamicroutingprotocol,whichiswhyitismostlyusedontheinternetratherthanonprivatenetworks.WhenwespeakaboutBGP,weusuallymeanexternalBGP(eBGP),whichisusedontheinternetandbetweenASes.However,there'sanotherversionknownasinternalBGP(iBGP)thatexchangesroutinginformationwithinasingleAutonomousSystem.

ImportantNote


BGPisnolongercoveredintheCCNA200-301examobjectivesandhasmovedtotheCiscoCertifiedNetworkProfessional(CCNP)Enterprisecertificationlevel.However,it'sworthmentioninginthissection.

ThefollowingistheBGProutingtableofapublicBGProuter:

Figure8.30–BGProutingtable

Theprecedingsnippetshowsthedestinationnetworksontheleft,theirnexthop,andpath.ThepathprovidestheASNvalues.Therefore,foreachofthe1.0.0.0/24networks,thepackethastobesenttoAS24441via

202.93.8.242,thentoAS13335,andsoon.

Tip

TheBGPLookupGlassprojectiscreatedamongISPsaroundtheworld;itallowsanyonetoTelnetintotheirBGP-enabledrouterstolearnmoreabouttheBGProutingprotocol.Simplyusethesearchtermbgplookingglass


withinyourwebbrowsertofindpubliclyaccessibleBGProuters.

OneoftheoldestIGPdynamicroutingprotocolsistheroutinginformationprotocol(RIP).RIPisdefinedasadistancevectorroutingprotocol.Adistancevectorroutingprotocolisonlyconcernedaboutthedistanceanddirectionofthedestinationnetwork.RIPusestheBellman-Fordalgorithm,whichuseshopcountasitsmetrictocalculatethedistancebetweentherouterandthedestinationnetwork.

ImportantNote

RIPhasamaximumhopcountof15.Foranetworkthathasmorethan15

hops,RIPwillnotbesuitable.Additionally,RIPdoesnotsupportVLSM.

Thepathwiththeleastnumberofhops(routers)willbeelectedasthebestrouteandwillbeinstalledintheroutingtable.Furthermore,beingadistancevectorprotocol,RIPwillforwardthepackettothenexthop(neighbor)alongthepathuntilthepacketisdelivered.

ImportantNote

RIPwascoveredinthepreviousversionsofCCNA.ItisnolongerpartoftheCCNA200-301examinationobjectivesandisbeyondthescopeofthisbook.

Theenhancedinteriorgatewayroutingprotocol(EIGRP)isanotherdistancevectorroutingprotocolandwasaCisco-proprietaryroutingprotocoluntilMarch2013,whenCiscoannouncedthatit'sopentothenetworkcommunityandvendorsinregardtoitsimplementation.EIGRPusesthediffusingupdatealgorithm(DUAL)tocalculatethebestpathtoadestinationnetwork.


DUALusesthefollowingfactorswhencalculatingasuitableroute:

Bandwidth

Delay

TransmittingLoad(txload)

ReceivingLoad(rxload)

Reliability

However,EIGRPusesbandwidthanddelaybydefault.Theotherfactorsareoffbydefault.ThefollowingsnippetshowsthevaluesusedbyDUALforitscalculation:

Figure8.31–Interfacedetails

TheadvantageEIGRPhasoverotherdynamicroutingprotocolsisitsabilitytocalculateabackuploop-freepathatthesametimeitiscalculatingaprimary


routetoadestinationnetwork.

ImportantNote

EIGRPisnolongercoveredintheCCNA200-301examobjectivesandhasmovedtotheCiscoCertifiedNetworkProfessional(CCNP)Enterprisecertificationlevel.However,it'sworthmentioninginthissection.

Aloop-freepathisonethatdoesnothavealayer3routinglooponanetwork.ThisisveryusefulintheeventarouteisunavailableasEIGRPcanalmostimmediatelyinsertthebackuploop-freepathwithintheroutingtabletoensureconnectivity.

OpenShortestPathFirstOneofthemostpopularlink-stateroutingprotocolsisOpenShortestPathFirstversion2(OSPFv2).DefinedbyRFC1247,OSPFv2wasintroducedtothenetworkingindustrybackin1991andsincethen,ithasbeenwidelyadoptedandimplementedinmanyorganizations.

ThefollowingarethebenefitsofusingOSPF:

Opensource:BeingopensourceallowsanorganizationwithmixedvendorequipmenttoimplementOSPFtoexchangeroutinginformationbetweenthevariousmanufacturersofrouters.

Scalability:OSPFcanbeimplementedinanetworkofanysize.Additionally,OSPFcanbeconfiguredinahierarchicalsystemwhereOSPF-enabledrouterscanbegroupedintoareas.


Secure:TheOSPFroutingprotocolsupportsbothMessageDigest5(MD5)andSecureHashingAlgorithm(SHA)forauthentication.ThisallowstwoOSPF-enabledrouterstoauthenticatewitheachotherbeforeexchangingOSPFroutingdetailssuchasnetworkinformation.

Efficiency:Unlikeolderdynamicroutingprotocols,OSPFwillonlysendanupdateifachangeoccursonanetworkratherthansendingperiodicupdatesatspecificintervals.

Classless:TheOSPFroutingprotocolsupportstheuseofcustomsubnetmasksandVLSM.

TheOSPFroutingprotocolismadeupofvariouscomponents.Theseenabletheprotocoltohaveaclearideaoftheentirenetworktopologywhenithastotelltherouterhowtoforwardapacket.

ThefollowingaretheOSPFcomponents:

Adjacencytable:BeforeOSPFexchangesroutinginformationwithaneighborrouteronthenetwork,theybothneedtoestablishanOSPFadjacencywitheachother.Thisadjacencyissimplylikeamutualhandshakeindicatingthatbotharewillingtosharenetworkroutes.Thisadjacencytablecontainsalistofalltheneighborroutersthathaveestablishedanadjacencywithalocalrouter.Thistableissometimesreferredtoastheneighbortable.Theshowipospfneighbor

commandallowsyoutoviewtheadjacencytable.

Link-statedatabase:TheLink-StateDatabase(LSDB)simplycontainsalistofinformationaboutalltheOSPF-enabledroutersonthenetwork.TheLSDBisalsousedtocreatethenetworktopologytablethatOSPF


usestodeterminethecostofthebestpathorroutetoadestinationnetwork.Theshowipospfdatabasecommandwillallowyouto

viewthecontentsoftheLSDB.

Forwardingdatabase:Thisissimplytheroutingtable.AftertheOSPFalgorithm,ShortestPathFirst(SPF)calculatesallthepathstoallthedestinationnetworks.Itwillinstallthebestpath(route)withintherouter'sroutingtable.Byusingtheshowiproutecommand,youcanview

theforwardingdatabase.

Inthefollowingsection,wewilltakeamuchdeeperdivetofurtherunderstandtheoperationsofOSPFasalink-stateroutingprotocol.

OSPFoperationsOSPF-enabledroutersensuretheyallmaintainup-to-dateinformationabouttheentirenetworktopology;thisenablesOSPFtochoosethebestpathatalltimes.However,toensureeverythingworkssmoothly,OSPFusesthefollowingsequenceofoperationsbetweenallenabledroutersonthenetwork:

1. OSPFwillattempttoestablishneighboradjacencieswithotherOSPF-enabledroutersonthenetwork.WhenOSPFisenabledonarouter'sinterface,itsendsaHelloPacketevery10secondslikeapulseoutofitsinterface.TheHelloPacketissimplyawaytoletaneighborrouterknowitwantstoestablishadjacency.

2. AfterestablishingOSPFadjacencies,therouterswillbegintoexchangeLink-StateAdvertisements(LSAs)withtheirneighborsonthenetwork.TheseLSAsaresimplyspecialOSPFpacketsthatcontaininformation


aboutthecostandstateofthedirectlyconnectednetworksoneachneighborrouter.WhenanOSPF-enabledrouterreceivesanLSA,itwillthenforwardthatsameLSAtoallotherdirectlyconnectedneighbors.ThisprocessisrepeateduntilalltherouterswithinthenetworkreceivealltheLSAs.

3. Next,allOSPF-enabledrouterswillusetheinformationcontainedwithintheLSAstobuildtheLSDB.ThisallowsOSPFtovirtuallyseetheentirenetworktopology,theirinterfacecosts,andtheirstates.

4. AftertheLSDBhasbeenbuilt,OSPFexecutesitsSPFalgorithmtocalculatethebestpathbetweennetworks.

5. TheSPFalgorithmtheninstallsthebestpathtoeachnetworkwithintheforwardingdatabase,alsoknownastheroutingtable.

ImportantNote

KeepinmindthatifthereisaroutewithalowerADthanOSPFthatalreadyexistswithintheroutingtable,theOSPFroutewillnotbeinstalledsinceADtakespriority.

TheOSPFv2routingprotocolusesthefollowinglayer2andlayer3addressestoexchangeinformation:

DestinationmulticastMACaddress:01-00-5E-00-00-05or01-

00-5E-00-00-06

IPv4multicastaddress:224.0.0.5or224.0.0.6


Inthenextsection,wewilldiscussthevarioustypesofOSPFmessagesthatareexchangedbetweenroutersonanetwork.

OSPFmessagesEnablingtheOSPFroutingprotocolonarouter'sinterfaceisquitesimple.Asanetworkprofessional,youneedtounderstandthetechnicaldetailsthatoccurinthebackgroundinOSPF.TheOSPFprotocolusesvariousOSPFpackettypestosendinformationtoaneighborrouter.ThefollowingaretheOSPFpackettypesandtheirdescriptions:

Type1:ThesearetheOSPFHelloPacketsthatareusedtocreateandmaintaintheneighboradjacencies.

Type2:TheseareknownasDatabaseDescription(DBD)packets.ThesepacketsareusedtoensureeachOSPF-enabledrouter'sLSDBisexactlythesame.

Type3:ThistypeofpacketisknownasaLink-StateRequest(LSR)packet.OSPF-enabledroutersusethispackettorequestfurtherinformationaboutanyentryintheDBDbysimplysendinganLSR.

Type4:ThispacketisknownastheLink-StateUpdate(LSU).ThesepacketsareusedbyOSPFtorespondtoLSRsandnewroutinginformation.

Type5:ThistypeofpacketistheLink-StateAcknowledgement(LSA).ThesearesentwhenanLSUisreceivedfromanotherrouter.

Inthenextsection,wewilllearnabouttheimportanceoftheOSPFHello


Packet.

OSPFHelloPacketanddeadtimersTocreateandmaintainanOSPFadjacencywithaneighborrouter,HelloPacketsaresentevery10secondsbydefaulttotheIPv4multicastaddressof

224.0.0.5andtheIPv6addressofFF02::5.SendingaHelloPacket

constantlycreatesapulsethattellsarouteritsneighborisalive.Thisdoesnotremoveanynetworkfromtheroutingtablethatbelongstotheneighborrouter.However,onslowernetworks,suchasthosethataredefinedasnon-broadcastmultipleaccessnetworks,OSPFusesadefaultHellotimerof30seconds.

WhatwouldhappenifanOSPF-enabledrouterdoesnotreceiveaHelloPacketfromoneofitsneighborswithin10seconds?Theneighborrouterwillbe

considereddownandwillberemovedfromtheroutingtable,itsdirectlyconnectednetworks,anditsassociatedroutes.However,OSPFhasaDeadtimer,whichis40secondsbydefaultand120secondsfornon-broadcast

multipleaccessnetworks.TheDeadtimerissimplythetimeforwhichanOSPF-enabledrouterwillwaittoreceiveaHelloPacketfromitsneighborbeforedeclaringtheneighbordeviceisdown.

TheHellotimermustmatchbetweenneighborsforanOSPFadjacencytobeformed.Thefollowingdiagramshowstworouters.R1isusingthedefaultOSPFHelloTimerof10secondsonitsGigabitEthernet0/1interfaceandR2

isusing11seconds:


Figure8.32–HelloTimermismatch

Usingtheshowipospfinterfacecommand,wecanverifytheHello

andDeadtimersontheinterface:

Figure8.33–Checkinginterfacetimers

TheprecedingsnippetshowsthattheOSPFHelloTimerhasbeenadjustedto11secondsontheinterface.OSPFallowsustomodifytheHelloandDeadtimers


oneachinterfaceonarouter.ToadjusttheHelloTimerandDeadtimers,usethefollowingcommands:

R2(config)#interfacegigabitEthernet0/1

R2(config-if)#ipospfhello-intervaltime-in-seconds

R2(config-if)#ipospfdead-intervaltime-in-seconds

ImportantNote

KeepinmindthatthedefactostandardfortheDeadtimeris4timeswhatitisfortheHelloTimer.

Inthenextsection,wewilltakealookatthevariousOSPFinterfacestatesandtheirdescriptions.

OSPFinterfacestatesBeforeOSPFestablishesanadjacencywithaneighbor,theOSPF-enabledinterfaceonarouterhastotransitionbetweenvariousoperationalstates.Thesestatesareusedwhencreatingneighboradjacencies,exchangingroutingdetails,calculatingthebestpathtoadestinationnetwork,andensuringallroutersconverge.

Thefollowingisthesequenceofaninterfaceasitreachesconvergence:

1. Down:Atthisstate,theroutersendsHelloPacketsbuthasn'treceivedany

HelloPacketsfromanyneighborrouters.

2. Init:HelloPacketsarereceivedfromaneighborrouter.


3. Two-way:Thisstateindicatesthereisatwo-waycommunication

betweentworouters.

4. ExStart:Thisstateindicatesthatthelinkisapoint-to-pointnetwork

andtherouternegotiateswhichinterfacewillsendtheDBD.

5. Exchange:ThisstateiswhereroutersexchangeDBDpacketsonthe

network.

6. Loading:Withinthisstate,LSRandLSUpacketsareexchanged

betweenrouterstogainmoreinformationaboutroutes.TheSPFalgorithmprocessesalltheroutestocalculatethebestpathtodestinationnetworks.

7. Full:Thisstateindicatesthatalltheroutershaveconvergedandknow

aboutallthenetworks,interfacecosts,androuters.

ToverifytheOSPFinterfacestates,usetheshowipospfneighbor

command,asshowninthefollowingsnippet:

Figure8.34–VerifyingOSPFinterfacestates

Inthenextsection,wewilllearnhowOSPFusesinterfacebandwidthtochoose


itsbestpath.

OSPFinterfacecostOSPFisalink-stateroutingprotocol,whichmeansitusescumulativebandwidthasitsmetrictodeterminethemostcost-efficientpathtoadestinationnetwork.OSPFusesthefollowingformulatocalculateitspathcost:

Cost=referencebandwidth/interfacebandwidth

Firstly,you'llneedtodeterminethedefaultreferencebandwidthonarouter.Thiscanbedonebyusingtheshowipospfcommand,asshowninthefollowing

snippet:

Figure8.35–Referencebandwidth

Asshownintheprecedingsnippet,thedefaultreferencebandwidthissetto


100.Next,wecanusetheshowinterfacescommandtoobtainthe

bandwidthvalueonaninterface,asshowninthefollowingsnippet:

Figure8.36–Interfacebandwidth

Now,wecansubstituteourvaluesinourformula:

Cost=100/1000000

Theresultroundsto1.WecanverifythecostofanOSPF-enabledinterfacelikeso:

Figure8.37–OSPFcost

Asexpected,theOSPFcostonthisinterfaceis1.OSPFcalculatesthecostofeachinterfaceonalltheroutersbetweenallnetworks,thenusesthepaththathas


theoverallleastcostasthebestpathtoadestinationnetwork.

Interfacecostscanbemanuallyadjustedsimplybyusingthefollowingcommands:


R2(config-if)#ipospfcostvalue-in-kilobits

Inthenextsection,wewillcovertheconceptsoftheDesignatedRouter(DR)andBackupDesignatedRouter(BDR).

DesignatedrouterAsmentionedpreviously,eachOSPF-enabledrouterhasestablishedanadjacencywithitsneighborsbeforetheycansharenetworkroutes.Oncetheadjacencieshavebeenestablished,HelloPacketsarecontinuouslyexchangedbetweenneighbors.Butwhatifarouterhasmultipleadjacenciesonthesameinterface?

Let'stakealookatthefollowingdiagram,whereeachrouterhasanadjacencytoeveryotherrouter:


Figure8.38–OSPFadjacencies

Intheprecedingdiagram,alltheroutersshareasinglemulti-accessnetworkviatheswitch.Insuchsituations,eachrouterwillbesendingHelloPacketstoallotherrouters.Ifthere'satopologychange,therouterswillfloodupdatestoallroutersaswell.

Tip

Tocalculatethenumberofadjacenciesonamulti-accessnetwork,usetheformulaN(N-1)/2,whereNisthenumberofrouters.


HavingsomanyadjacenciescausesextensivefloodingofLSAsacrossthenetwork,thuscreatinganunnecessarilyhighnumberofOSPFadjacencies.Tohelpsolvethisissue,OSPFassignsaDRandaBDRonthenetwork.

AllotherroutersthatarenotaDRorBDRbecomeaDROTHER.EachDROTHERwillcreateanadjacencytotheDRandtheBDRonly.EachrouterwillsenditsHelloPackettoboththeDRandBDR.WhentheDRreceivesthepacketfromanotherrouter,theDRsendsthepackettoallotherroutersthatrequirethemessage.Therefore,aDROTHERwillhavetwoadjacenciesonly:oneadjacencytotheDRandanothertotheBDR.Thisconceptreducesthenumberofunnecessaryadjacenciesandfloodingoflink-statemessagesacrossthenetwork.

RouterID

ARouterIDisrequiredbyeachroutertoparticipateinanOSPFdomain.RouterIDscanbeassignedmanuallyorautomaticallybytherouter.TheRouterIDisusedtouniquelyidentifyarouterandparticipateintheDRandBDRelectionprocess.

TheRouterIDistakeninthefollowingorderofprecedence:

1. TheRouterIDismanuallyconfiguredviatherouterospfmode.

2. AnIPv4loopbackinterfaceisconfiguredandtheIPv4addressofthisinterfaceisthenusedastheRouterID.

3. Asthelastresort,OSPFwillusethehighestactiveconfiguredIPv4addressontherouter'sinterfaces.

ThefollowingsnippetshowshowtoconfiguretheRouterIDusingtheloopback


interfaceontherouterandhowtomanuallyconfigureitwithintherouterospf

mode:

Figure8.39–RouterIDconfiguration

ToresettheRouterID,usetheclearipospfprocesscommandwithin

privilegedmode.

TheRouterIDplaysakeyroleduringtheDRandBDRelectionprocess.Inthenextsection,wewilltakealookathowOSPFmakesitschoiceinelectingaDRonthenetwork.


DRandBDRelectionprocess

Inthissection,wewillcovertheOSPFDRandBDRelectionprocessthoroughly.Let'simaginetherearefiveOSPF-enabledroutersallsharingasinglebroadcastnetwork.Eachrouterhasbeenmanuallyconfiguredwithaunique32-bitRouterID,asshowninthefollowingdiagram:

Figure8.40–DRandBRDelectionprocess–part1


Bydefault,therouterwiththehighestRouterIDiselectedastheDR,whiletherouterwiththesecondhighestrouterIDiselectedBDR.AllotherrouterswilltaketheroleofbeingDROTHER.

Let'simaginetheDRgoesdown.TheBDRwilltaketheroleofbecomingthenewDRwithinthenetwork,whiletheDROTHERwiththehighestrouterIDwillnowbecomethenewBDR,asshowninthefollowingdiagram:



WhatiftheoriginalDRcomesbackonline?DoesitregaintheroleofDRonthenetwork?Theanswerisno–itbecomesaDROTHERsimplybecausetheelectionprocesshasended.Thefollowingdiagramshowstheeffectofthissituation:


Inanothersituation,whatifanewrouterwithahigherRouterIDthantheDRis


insertedintothenetwork?WouldthenewrouterwiththehigherrouterIDbecomethenewDR?Aswiththepreviousscenario,sincetheelectionprocesshasended,thenewrouterwillbeaDROTHER,asshowninthefollowingdiagram:



Havingcompletedthissection,youhavegainedtheessentialskillstopredicttheelectionofaDRandaBDRonamultiaccessnetwork.Inthenextsection,we'lldiscusshowtoconfigureOSPFv2onaCiscoIOSrouter.

OSPFv2commandsLet'simaginewehavetoenabletheOSPFroutingprotocoltoshareroutinginformationonthefollowingnetworktopology:

Figure8.44–Simplenetwork

WecanbeginbyenablingOSPFonR1.First,you'llneedtoaccessrouter

ospfmodebyusingthefollowingsyntax:

R1(config)#routerospfprocess-id

process-idisanumericalvaluethatrangesfrom1-65535anddoesnot

havetobethesameonotherOSPF-enabledroutersonthenetwork.

Whenconfiguringadynamicroutingprotocol,youonlyadvertiseyourdirectlyconnectednetworks.OnR1,therearetwodirectlyconnectednetworks:


192.168.1.0/24and192.168.2.0/24.Toadvertisethesetwonetworks,

wecanusethefollowingsyntax:

R1(config-router)#networknetwork-IDwildcard-mask

areaarea-id

ImportantNote

OSPF-enabledroutershavethefunctionalitytobesegmentedintomultipleareastoensuretheirroutingtableiskeptsmall,aswellastoreducetheamountofLSAsthatarebeingexchangedonanetwork.ThisfunctionalityisreferredtoasMulti-AreaOSPF.Area0isdefinedasthebackboneareaandyoushouldalwaysstartwithArea0onyournetwork.Ciscorecommendsthatallother

OSFPareasshouldbedirectlyconnectedtoArea0.However,Multi-Area

OSPFisbeyondthescopeoftheCCNA200-301examobjectives.

Whenusingthenetworkcommandtoadvertiseanetwork,OSPFdoesnot

allowyoutospecifyasubnetmask;instead,itusesawildcardmask.Awildcardmaskissimplytheinverseofasubnetmask.Let'ssaywehavetorepresentthe255.255.255.0assubnetmaskawildcard.Here,weusethefollowing

calculations:

Figure8.45–Wildcardmaskcalculations


ThebroadcastIPaddress,whichis255.255.255.255here,isusedatall

timeswiththesubnetmaskofthenetworkID.Asshownintheprecedingsnippet,thesubnetmaskissubtractedfromthebroadcastIPaddressandtheresultisthewildcardmask.

ToadvertisethedirectlyconnectednetworksonR1,weusethefollowingcommand:

R1(config-router)#network192.168.1.00.0.0.255area

0

R1(config-router)#network192.168.2.00.0.0.255area

0

Additionally,youcanchoosetoenableOSPFonaspecificinterface.Todothis,usethefollowingcommands:

R1(config-router)#network192.168.1.10.0.0.0area0

R1(config-router)#network192.168.2.20.0.0.0area0

Eachzero(0)withinanoctetonthewildcardsimplytellstheroutertomatchthecorrespondingoctetwithintheNetworkID.Therefore,theprecedingsetsofcommandsimplythatOSPFwillonlybeenabledoninterfacesthatmatch/assignedtheIPaddresses;thatis,192.168.1.1and192.168.2.2.

Therefore,OSPFwillnotbeenabledonaninterfacewithanIPaddressof192.168.1.129/25.

OnceOSPFhasbeenenabledonarouterinterface,itisrecommendedtopreventOSPFmessagesfromenteringandleavinginterfacesthatarenotconnectedtoanotherOSPFneighborrouter.Suchinterfacesincludethosethatareconnected


totheinternetandtheLANinterfacesthathaveswitchesandendusers.

TopreventOSPFmessagesfromenteringandleavinganinterface,usethefollowingcommand:

R1(config-router)#passive-interfaceGigabitEthernet

0/0

PleasekeepinmindthatthiscommandalsopreventsOSPFHelloPacketsfrombeingsentandreceivedontheinterface,andthereforepreventsOSPFadjacencyfromformingonthisinterface.

TomanuallyconfiguretheRouterIDonR1,usetherouter-idcommand,as

follows:

R1(config-router)#router-id1.1.1.1

ToadjusttheglobalreferencebandwidthonOSPF,usethefollowingsyntax:

R1(config-router)#auto-costreference-bandwidth?

<1-4294967>Thereferencebandwidthintermsof

Mbitspersecond

OnCisco2911routers,thisissetto100Mbps.Tochangethedefaultto1Gbps,

usethefollowingcommandinrouterospfmode:

R1(config-router)#auto-costreference-bandwidth1000

ThisconfigurationmustbeappliedtoallotherOSPF-enabledroutersonthenetworktoensureOSPFmakesaccuratecalculationstodeterminethebestpathandroutes.


NowthatyouhavelearnedabouttheessentialcommandsneededtoimplementOSPFonanetwork,wewillgethands-onwithsomelabs.

Lab–configuringOSPFv2Inthishands-onlab,youwilllearnhowtoimplementtheOSPFroutingprotocoltoautomaticallypopulatetheroutingtableoneachCiscorouter,aswellascalculatethebestpathtoeachremotenetwork.Thefollowingtopologyisthesameoneweusedinthepreviouslabsinthischapter:


Figure8.46–IPv4OSPFroutinglabtopology

Feelfreetocreateanewcopyofthelabfile,butensureyouhaveremovedanystaticroutesfromtheroutingtableofeachrouter.IftherearestaticrouteswhileweareconfiguringtheOSPFroutingprotocol,theOSPFrouteswillnotbeinstalledintheroutingtableofanyroutesincestaticrouteshavean


AdministrativeDistanceof1,whereasOSPFhasavalueof110.

TogetstartedwithconfiguringOSPFinourtopology,usethefollowinginstructions:

1. First,wewillbeginbyconfiguringtheHQroutersothatitusesOSPFtoautomaticallylearnremotenetworks.Tobegin,entertherouter'sOSPFmodeusingaprocess-IDof1:

HQ(config)#routerospf1

2. Manuallysettherouter-idvalueto4.4.4.4:

HQ(config-router)#router-id4.4.4.4

3. Asasecuritymeasure,disableLSAsorOSPFpacketsfromgoingoutofalltheinterfaces:

HQ(config-router)#passive-interfacedefault

4. Usethenetworkcommandtoadvertisethenetworksthataredirectly

connectedtoHQandusethedefaultareavalueof0:

HQ(config-router)#network10.1.1.00.0.0.255

area0

HQ(config-router)#network10.2.1.00.0.0.255

area0

5. AllowOSPFpackets/LSAstoonlybesentoutofinterfacesthathaveanotherOSPF-enabledrouter:

HQ(config-router)#nopassive-interface


GigabitEthernet0/0

HQ(config-router)#exit

Ifthepassive-interfacecommandisappliedtotheWAN

interface,itwillnotbeabletoformanadjacencywiththeotherOSPF-enabledrouters.ThisisbecausethispreventsHelloPacketsfromenteringandleavingtheinterface.NowthatyouhaveconfiguredOSPFontheHQrouter,wewilldothesamefortheotherbranchrouters.

6. Next,usethefollowingcommandsontheBranch-AroutertoenabletheOSPFroutingprotocol:

Branch-A(config)#routerospf1

Branch-A(config-router)#router-id2.2.2.2

Branch-A(config-router)#passive-interface

default

Branch-A(config-router)#network172.16.1.0

0.0.0.255area0

Branch-A(config-router)#network10.2.1.0

0.0.0.255area0

Branch-A(config-router)#nopassive-interface

GigabitEthernet0/2

Branch-A(config-router)#exit

7. ToconfiguretheBranch-Brouter,usethefollowingconfigurations:

Branch-B(config)#routerospf1


Branch-B(config-router)#router-id3.3.3.3

Branch-B(config-router)#passive-interface

default

Branch-B(config-router)#network172.20.1.0

0.0.0.255area0

Branch-B(config-router)#network10.2.1.0

0.0.0.255area0

Branch-B(config-router)#nopassive-interface

GigabitEthernet0/1

Branch-B(config-router)#exit

8. Let'snotforgetabouttheBranch-Crouter!UsethefollowingconfigurationstoenableOSPF:

Branch-C(config)#routerospf1

Branch-C(config-router)#router-id1.1.1.1

Branch-C(config-router)#passive-interface

default

Branch-C(config-router)#network192.168.1.0

0.0.0.255area0

Branch-C(config-router)#network10.2.1.0

0.0.0.255area0

Branch-C(config-router)#nopassive-interface

GigabitEthernet0/2

Branch-C(config-router)#exit


Atthispoint,eachbranchnetworkcanintercommunicate.However,wecannotforgetaboutsettingupadefaultroutetotheinternet.

9. ToconfigureadefaultrouteonHQthatpointstowardtheinternet,usethefollowingcommands:


10. Let'suseOSPFtoautomaticallypropagatethedefaultroutetoallotherOSPF-enabledroutersfromHQ:

HQ(config)#routerospf1

HQ(config-router)#default-informationoriginate

HQ(config-router)#exit

Byusingthedefault-informationoriginatecommand,the

defaultroutewillbeautomaticallydistributedtoallotherOSPF-enabledrouters.Thissavesyoutimethatwouldbespentmanuallyconfiguringadefaultrouteoneachrouterwithinyourtopologyandnetwork.

11. Lastly,tosimulateourinternetconnectionproperly,let'screateadefaultroutefromtheISProuterbacktoHQ:


Havingcompletedthislab,youhavegainedthehands-onskillsyouneedtodeploytheOSPFroutingprotocolinareal-worldnetworkenvironmentusingCiscorouters.Inthenextsection,wewilllearnhowtoperformtroubleshootingwhenusingtheOSPFroutingprotocol.


ValidatingOSPFconfigurationsAsanetworkprofessional,wealwaysneedtoverifyourconfigurationsonourdevices.Wecanstartbytakingalookattheroutingtableandensuringeachrouterhasroutestoallremotenetworks,aswellasaroutethatpointstotheinternet.

ThefollowingsnippetshowstheroutingtableoftheBranch-Arouter:

Figure8.47–TheBranch-Aroutingtable

Intheprecedingsnippet,wecanseethatalltheremotenetworksarelearnedandpopulatedwithintheroutingtableviatheOSPFroutingprotocol.Furthermore,


thelastrouteisthedefaultroutefromtheHQrouterthatwepropagateusingthedefault-informationoriginatecommand.ThisiswhyourBranch-

ArouterhasagatewayoflastresortthathasbeensetautomaticallyviaOSPF.

Anotherimportanttroubleshootingcommandyoumustknowaboutistheshow

ipprotocolscommand.Wheneverweareusingadynamicroutingprotocol

suchasOSPF,EIGRP,orRIP,theshowipprotocolscommandwill

alwayspresentdetailsabouttheprotocolsrunningonthelocalrouter.

Let'stakealookatthefollowingsnippet:

Figure8.48–OSPFprocess-id

Fromtheoutput,wecandeterminethefollowingabouttheroutingprotocol:

TheOSPFroutingprotocoliscurrentlyenabledontheBranch-Arouter.

OSPFiscurrentlyusingtheprocess-idvalueof1.Pleasenotethatthe

process-idvaluedoesnotneedtomatchbetweenOSPF-enabled

routers.


router-idwasmanuallyconfiguredas2.2.2.2.

Iftherearemultipleroutestothesamenetworkthathavethesamecostvalue(metric),OSPFwillload-balanceuptoatotaloffourpaths.

TheBranch-Arouterisadvertisingthatithastwonetworks:10.2.1.0/24and172.16.1.0/24.

Let'stakealookattheremainingportionsoftheshowipprotocols

output:

Figure8.49–Analyzingtheroutingprotocol

Wecandeterminethefollowingbasedontheprecedingsnippet:

TheinterfaceslistedunderPassiveInterface(s)willnotsendorreceiveanyOSPFmessages.


ThelocalrouterissharingrouteswithadditionalOSPF-enabledrouters,theirAD,andtheirlastupdatetimer.

Theshowipospfneighborcommandprovidesuswithdetailsabout

OSPF-enabledneighbordevices:

Figure8.50–OSPFneighbors

Thefollowingisabreakdownofeachcolumnfromtheshowipospf

neighboroutput:

TheNeighborIDcolumncontainsalistofOSPFneighborsthathaveanadjacencywiththelocalrouter.ThisvalueistheRouterID.

ThePricolumncontainsthepriorityvalueforeachneighboradjacency.

TheStatecolumncontainsthelinkstatusforeachOSPFneighboradjacency.

TheDeadtimerisusedtoindicatewhenaHelloPacketwaslastreceivedfromeachneighbor.Thistimeralwayscountsdownandrefreshes


wheneverthelocalrouterreceivesaHelloPacket.

TheAddresscolumncontainstheactualIPaddressassignedontheneighbor'sinterface.

TheInterfacecolumndisplaysthelocalinterfaceusedtocreateanadjacencywiththeneighborrouter.

Theshowipospfinterfacecommandcanbeusedtoverifythe

followingdetailsaboutOSPF:

TheOSPFprocess-idassociatedwiththeOSPF-enabledinterfaceon

therouter

TheOSPFrouter-idvalue

TheDRanditsIPaddress

TheBDRanditsIPaddress

TheOSPFHelloandDeadtimersvaluesontheinterface

ThenumberofOSPFadjacenciesthatexistsonthisinterface

Thefollowingsnippetshowstheoutputofusingtheshowipospf

interfacecommandonBranch-A:


Figure8.51–VerifyingOSPFinterfacedetails

AnotherusefulcommandtocheckwhethertheinterfaceonarouterisparticipatinginOSPFistheshowipospfinterfacebrief

command.ThiscommandonlyworksontheactualCiscoIOSdevicesandnotonCiscoPacketTracer.Thelinkwillprovideyouwithdetailsaboutaninterface.Let'stakealookatthefollowingsnippet,whichwastakenfromtheBranch-Arouter:


Figure8.52–OSPFinterfaces

ThefirstrowindicatesthatGigabitEthernet0/2isparticipatinginthe

OSPFinstance,whichhasaProcessIDof1andstatesthattheinterfacebelongs

toOSPFArea0,whichisthebackbonearea.Additionally,theIPaddressand

subnetmaskareprovided,aswellastheOSPFcostontheinterfaceandtheOSPFstateontheinterface.

Lastly,wemustnotforgettotestend-to-endconnectivityonourlabnetwork.ThefollowingsnippetshowsapingtestfromtheBranch-ALANinterface(172.16.1.1)totheserverat192.0.2.6.Thefollowingcommandwill

workonlyontheactualCiscoIOSandnotonCiscoPacketTracer:


ThisallowsyoutospecifyasourceIPaddress,sothatyoucanusethesourceIPaddressfromaninterfaceontherouterthatisattemptingtoestablishconnectivitybetweenremotenetworks.


Nowthatyouhavecompletedthissection,youhavetheknowledgeandhands-onskillstodescribe,configure,troubleshoot,andvalidateOSPFanditsconfigurationsonaCiscoenvironment.

UnderstandingfirsthopredundancyLet'simaginethat,withinyourorganization,eachdeviceisconfiguredtouseaspecificIPaddressasitsdefaultgatewaytotheinternet.WhatifthatIPaddressordevicegoesoffline?Howwillyourclientdevicesreachtheinternet?

Thefollowingdiagramshowsthedefaultgatewaygoingdown,thuspreventingclientsfromreachingtheinternet:

Figure8.54–Defaultgatewaygoesoffline


Youmaybethinking,wecanreplacetherouterwithanotherandapplythesameconfigurationstoitandourinternetconnectivitywillberestored.Thisisaworkablesolution,butit'snottooefficientbecauseit'sareactivesolutionandrequirestoomanyinterventions.

Whatifwecouldimplementredundancyonthedefaultgatewaytoensurethat,ifthemainroutergoesdown,there'sanotherdevicethatwillactasthenewdefaultgateway,withoutushavingtochangethedefaultgateway'sIPaddressonanyoftheclients?ThisisdefinitelypossiblewithaCiscoIOSrouter.

ThetechnologyknownasFirstHopRedundancyProtocol(FHRP)allowsustousetwoCiscoIOSrouterstocreateasinglevirtualrouterthathasavirtualIPaddressandvirtualMACaddress.ThevirtualIPaddressandvirtualMACaddresswillbesharedbetweenthetwophysicalrouters.Additionally,thevirtualIPaddresswillactasthedefaultgatewayforclients.Therefore,onephysicalrouterwillhavearoleastheactiverouter,whichwillroutetrafficbackandforthtotheinternet,andtheotherphysicalrouterwillbethestandbyrouterintheeventtheActiveroutergoesoffline,takinguptheroleasthenewactiverouterwiththevirtualIPaddress.

ThefollowingdiagramshowsR1astheActiverouter:


Figure8.55–Activerouter

IntheeventR1goesdowninthenetworktopology,theStandbyrouterwilltakeuptheroleastheActiverouteronthenetwork.Thiscausesverylittleserviceinterruptionasthefailoverhappens.ThefollowingdiagramshowsthetrafficflowwhenR2becomesthenewActiverouteronthenetwork:


Figure8.56–NewActiverouter

UsinganFHRPisabettersolutionasit'sproactiveanddoesnotrequireanetworkprofessional'sintervention.ThereareafewFHRPsthatexistintheindustry.We'lllookattheircharacteristicsinthenextsection.

VariousFHRPsThefollowingsub-sectionwillbrieflyoutlinethecharacteristicsofeachFHRPthatcanbeimplementedinanetworktoensurethatinternalhostdevicesarealwaysabletoreachtheirdefaultgateway.

HotStandbyRouterProtocol


TheHotStandbyRouterProtocol(HSRP)isaCisco-proprietaryFHRPthatallowsanumberofCiscoIOSrouterstobegroupedintoaclustertocreateavirtualrouter.ThevirtualrouterwillhaveavirtualIPaddressthatwillbesharedbetweenallphysicalroutersthatarepartoftheHSRPgroup.

ThefollowingarethetwostatesofanHSRProuter:

Active

Standby

TheActiverouterisonethatisactivelyforwardingthepacketasthedefaultgateway.IntheeventthattheActiveroutergoesoffline,theStandbyrouterwillassumetheroleofbeingthenewActiverouterandtrafficwillberoutedthroughthenewActiverouter.

ThefollowingtableoutlinesthedifferencesbetweenHSRPversion1andversion2:


Figure8.57–HSRPversions

WhenconfiguringHSRP,therouterwiththehighestIPv4addresswillbeselectedastheActiverouterwithinthegroup,whileallotherswillbeStandbyrouters.ThedefaultHSRPpriorityis100onallrouters;therouterwiththe

highestHSRPpriorityvaluewillbeelectedastheActiverouter.Thepreempt

commandenablespreemptionandforcesanHSRPre-electionprocess.ThisshouldbedonetoensureaspecificrouterbecomestheActiverouter.

ImportantNote

Bydefault,preemptionisdisabledinHSRP.

Sincepreemptionisdisabled,therouterthatbootsupfirstwilltaketheroleofbeingtheActiverouter.HSRPusesHelloPacketsthataresentevery3secondsbydefault.IfaStandbyrouterdoesnotreceiveaHelloPacketfromtheActiverouterafter10seconds,itwillassumethattheActiverouterisdownandtakeuptheroleofbeingthenewActiverouter.Furthermore,thereisHSRPforIPv6networks.ThisversionofHSRPhasthesamefunctionalityasitsIPv4version.

Lab–implementingHSRPInthishands-onlab,youwilllearnhowtoimplementHSRPasthepreferredFHRPonaCiscoenvironment,ensuringthedefaultgatewayisalwaysavailable.ThefollowingtopologycanbebuiltwithintheCiscoPacketTracerapplication:


Figure8.58–HSRPlabtopology

Pleaseensureyouusethefollowingguidelineswhenrunningthislabtoensureyougetthesameresults:

AssigntheIPaddressesshowninthetopologytoeachdeviceaccordingly.

Eachrouterinterfacemustbeconfiguredasshowninthetopology.

ConfigurethedefaultgatewayonbothPCsas192.168.1.1.


EnsurethedefaultgatewayonthePublicServerissetto192.0.3.1.

CreateanEtherChannelusingLACPbetweenCore1andCore2usingportsFastEthernet0/23and0/24onbothswitches.

Nowthatyourlabisready,usethefollowinginstructionstocreateavirtualrouterusingHSRP:

1. EnsureR1andR2havethefollowingdefaultrouteswithintheirroutingtables:

R1(config)#iproute0.0.0.00.0.0.0192.0.2.1

R2(config)#iproute0.0.0.00.0.0.0192.0.2.5

2. OnR1,enableHSRPversion2ontheLANinterfaceontherouterusingthefollowingcommands:


R1(config-if)#standbyversion2

3. Next,createthevirtualIPaddressthatwillbeusedasthedefaultgatewayforclientsonthenetwork:

R1(config-if)#standby1ip192.168.1.1

4. SettheHSRPprioritynumbertobegreaterthan100toensurethisrouterbecomestheActive(desired)routerbyusingthefollowingcommand:

R1(config-if)#standby1priority150

5. Configurethisroutertopreemptthestandbyrouter:

R1(config-if)#standby1preempt


R1(config-if)#exit

NowthatyouhaveconfiguredR1astheactiverouter,let'sheadonovertoR2asitrequiressomeconfigurationinordertobecometheStandbyrouterwithintheHSRPgroup.TheStandbyrouterwilltaketheplaceoftheActiverouterintheeventR1goesdownoroffline.ToconfigureR2astheStandbyrouter,usethefollowinginstructions:

1. OntheR2LANinterface,enableHSRPversion2:


R2(config-if)#standbyversion2

2. Next,configurethevirtualIPaddressofthedefaultgateway:

R2(config-if)#standby1ip192.168.1.1

R2(config-if)#exit

3. Lastly,toensuretheinternetsideportionofourlabisworking,configurethefollowingdefaultroutesontheISProuter:



Nowthatyouhavefinishedtheconfigurationaspectofthislab,let'stakealookatvalidatingandtroubleshootingtheconfigurationsonourlabenvironment.

OneofthemostimportanttroubleshootingcommandsforHSRPistheshow

standbycommand.Theoutputofthiscommandprovidesuswithvital

informationabouttheHSRPstatusonthelocalrouter,suchasthefollowing:


TheHSRProuter'sstate,whetherit'sActiveorStandby

ThevirtualIPaddressandMACaddressforthevirtualrouter

TheHelloandHolddowntimersontheinterface

Whetherpreempthasbeenconfiguredontheinterfaceornot

WhetherthelocalrouteristheActiveorStandbyrouter

TheIPaddressoftheStandbyrouter

TheHSRPpriorityvalue

Thefollowingsnippetshowstheoutputoftheshowstandbycommandon

R1inourlab:


Figure8.59–HSRPstatusonR1

Let'stakealookattheshowstandbycommand'soutputonR2.You'llnotice

thatthestateofR2issettoStandbyandthattheActiverouterinthegroupis

192.168.1.1,whichisR1'sIPaddress:


Figure8.60–HSRPstatusonR2

Furthermore,toseeasummaryHSRPstatusoneitherrouter,usetheshow

standbybriefcommand:


Figure8.61–HSRPstatussummary

Theshowstandbybriefcommand'soutputprovidesuswiththelocal

interfacethat'sbeenconfiguredwithHSRP,theHSRPgroupnumber,theHSRPpriorityvalue,theinterfacestate,theHRSProuterstate,thestandbyrouter,andthevirtualIPaddressofthevirtualrouter.

Forourfinalconnectivitytest,let'sperformatraceroutefromPC1(192.168.1.10)tothePublicServerat192.0.3.10:

Figure8.62–Tracerouteconnectivitytest

Accordingtotheoutputshownintheprecedingsnippet,thepackettookthepathviaR1astheActiverouterwithintheHSRPgroup,asexpected.

Let'screateanetworkfailurebyshuttingdownGigabitEthernet0/1and

GigabitEthernet0/2onR1only.ThiswillcreatetheeffectofR1going

offlineonthenetwork.Afterafewseconds,performanothertraceroutetestfromPC1totheserveroncemore.


ThefollowingarethenewtracerouteresultswhenR1hasgoneoffline:

Figure8.63–Newtracerouteresults

R2hasassumedtheroleofbeingtheActiverouterwithintheHSRPgroup,andthepacketsarenowtakinganewpathviaR2(192.168.1.3)toreachthe

PublicServer.Thedefaultgatewayconfiguredontheclientdevicesremainsas192.168.1.1.

Havingcompletedthissection,youhavegainedhands-onexperiencewithconfiguringfirsthopredundancyusingHSRP.YoucreatedavirtualroutertoensuretheinternaldevicesonthecorporateLANcanaccesstheinternet.Inthenextsection,wewillconfigureVRRPtoprovideredundancyforourdefaultgateway.

VirtualRouterRedundancyProtocolTheVirtualRouterRedundancyProtocol(VRRP),currentlyatversion2,isavendor-neutralFHRPthatalsosupportsgroupingtogethertwoormorephysical


routerstocreateavirtualrouteronanIPv4network.VRRPv2allowsmultiplerouterstojointheVRRPgroupandsharethesamevirtualIPaddresstoprovidedefaultgatewayredundancyonanenterprisenetwork.

ImportantNote

PreemptionisenabledbydefaultinVRRP.

VRRPusesthefollowingtworouterstates:

Master

Backup

TheMasterrouteristheonethatcurrentlyhastheresponsibilityofactingasthedefaultgatewayandforwardingpacketsbackandforthbetweennetworks.TheBackuproutertakestheroleofMasteronlyintheeventoftheactualMasterroutergoingoffline.

Additionally,VRRPv3supportsfirsthopredundancyonanIPv6networkenvironmentandisabitmorescalablecomparedtoVRRPv2.

Lab–implementingVRRPInthishands-onlab,youwilllearnhowtoimplementVRRPonaCiscoenvironmenttoensurethedefaultgatewayisalwaysavailable.Thefollowingtopologyisthesameaswehaveusedinthepreviouslabsinthischapter.However,youwillneedeitherphysicalCiscoroutersorCiscoIOSvimagestocompletethislab:


Figure8.64–VRRPlab

FollowthesameguidelinesthatyoufollowedforthelabforHSRPwhenrunningthislabtoensureyougetthesameresults.

Nowthatyourlabisready,usethefollowinginstructionstocreateavirtualrouterusingVRRP:



theBackuprouter:

Figure8.65–VerifyingVRRP

R1hasthelowerIPv4address,192.168.1.2,configuredontheVRRP

LANinterface,whereasR2hasthehigherIPv4addressof192.168.1.3.R2waselectedtobetheMasterrouterandR1became

theBackuprouter.Furthermore,youcanseethevirtualIPv4andMACaddressesthattheclientswillbeusingasthedefaultgateway.

6. Let'susetheshowvrrpbriefcommandtoverifyadditionalVRRP

details:

Figure8.66–Theshowvrrpbriefcommand'soutput

Theshowvrrpbriefcommandprovidesuswiththeinterfacethatis

usingVRRP,theVRRPgroupnumber,theVRRPinterfacepriorityvalue,theVRRProuterstate,theMasterIPaddress,andthevirtualgroupIPaddress.


7. Lastly,thefollowingsnippetshowstheoutputofshowvrrponR2:

Figure8.67–VRRPoutputonR2

TheoutputshowsthatR2isdefinitelytheMasterrouterwithintheVRRPgroupandhasthesamevirtualIPandMACaddresses.Furthermore,wecanverifythatpreemptionisindeedenabledbydefaultonVRRP-enabledroutersandhasadefaultpriorityof100.

Havingcompletedthislab,youhavegainedhands-onexperiencewithimplementingVRRPasanFHRPonaCiscoenvironment.Inthenextsection,youwilllearnhowtoimplementandconfigureGLBPforloadbalancing.

GatewayLoadBalancingProtocolTheGatewayLoadBalancingProtocol(GLBP)isabitdifferentfromtheaforementionedFHRPs.GLBPallowsloadbalancingbetweentheroutersthatarepartoftheGLBPgroup.Toputthissimply,ifyouhavetwophysicalrouterswithinaGLBPgroup,trafficthatissenttothedefaultgatewayIPaddresswillbeload-balancedbetweenalltheroutersusingaround-robintechnique.


ImportantNote

GLBPisanotherCisco-proprietaryFHRP.PreemptionisdisabledbydefaultonGLBP.

GLBPensuresthatonerouterdoesnothandlealltheloadandconstraintsofbeingthedefaultgateway;itallowstheotherrouterstosharetheloadaswell.GLBPusesthefollowingrouterstatuses:

Active

Standby

SimilarlytoHSRP,theActiverouteristheonethathasthecurrentroleasthedefaultgateway,whiletheStandbyrouterprovidesfailoverintheeventthattheActiveroutergoesdown.GLBPforIPv6supportsthisimplementationwithinanIPv6environment.

Lab–implementingGLBPInthishands-onlab,youwilllearnhowtoimplementGLBPonaCiscoenvironmenttoensurethedefaultgatewayisalwaysavailable.Thefollowingtopologyisthesameonethatweusedinthepreviouslabsinthischapter.However,youwillneedeitherphysicalCiscoroutersorCiscoIOSvimagestocompletethislab:


Figure8.68–GLBPlab

PleasefollowthesameguidelinesthatyoudidintheHSRPlabwhenrunningthislabtoensureyougetthesameresults.

Nowthatyourlabisready,usethefollowinginstructionstocreateavirtualrouterusingGLBP:



R1(config)#iproute0.0.0.00.0.0.0192.0.2.1

R2(config)#iproute0.0.0.00.0.0.0192.0.2.5

2. OnR1,enterinterfacemodeandusethefollowingcommandtocreatetheGLBPgroupandsetthevirtualrouterIPaddress:


R1(config-if)#glbp1ip192.168.1.1

3. OnR2,enterinterfacemode,settheGLBPgroupto1,andconfigurethe

virtualrouterIPaddress:


R2(config-if)#glbp1ip192.168.1.1

4. Lastly,toensuretheinternetsideofourlabisworking,configurethefollowingdefaultroutesontheISProuter:



Nowthatyouhavefinishedtheconfigurationpartofthislab,let'stakealookatvalidatingandtroubleshootingtheconfigurationsonourlabenvironment,asshowninthefollowingsteps:

1. UsetheshowglbpcommandtoverifytheGLBPstate,asshowninthe

followingsnippet:


Figure8.69–GLBPoutput

Fromtheprecedingsnippet,wecandetermineR1istheActiverouterwithintheGLBPgroup,thedefaultGLBPpriorityis100,andthat

preemptionisdisabledbydefault.

2. Let'susetheshowglbpbriefcommandtoverifythestatusofthe

localinterfacesonR1:

Figure8.70–Theshowglbpbriefcommand'soutput

TheoutputprovidesuswithvariousGLBPdetails,suchastheinterfacesthatare


participatinginGLBPgroup1,thevirtualIProuter'sIPaddress,andwhich

devicesaretheActiveandStandbyrouters.

Havingcompletedthislab,youhavegainedtheessentialskillsrequiredtoimplementGLBPwithinaCiscoenvironment.

SummaryInthischapter,we'vediscussedanddemonstratedhowtoestablishIPconnectivitybetweenremotenetworksusingCiscorouters.HavingcompletedthischapteronIPconnectivity,youhavegainedtheskillstosetupbothstaticanddynamicroutingonanenterprisenetworktoensureend-to-endconnectivity.Furthermore,you'velearnedhowtopropagateadefaultrouterthroughaCiscoenvironment,whichallowsuserstoreachtheinternetfromtheirclientdevice.

IhopethischapterhasbeeninformativeforyouandishelpfulinyourjourneytowardlearninghowtoimplementandadministrateCiscosolutionsandpreparefortheCCNA200-301certification.Inthenextchapter,Chapter9,ConfiguringNetworkAddressTranslation(NAT),wewilllearnhowtoimplementvarioustypesofnetworkaddresstranslationonaCiscorouter.

QuestionsThefollowingisashortlistofreviewquestionstohelpreinforceyourlearningandhelpyouidentifyareasyoumightneedtoworkon:

1. WhatisthedefaultAdministrativeDistanceofastaticroute?

A.0


B.1

C.2

D.90

2. Whichofthefollowingcommandswillallowyoutoconfigureastaticroute?

A.network

B.route

C.ip

D.iproute

3. WhichcommandwillallowaroutertoperformIPv6routing?

A.enableipv6routing

B.ipv6router

C.ipv6unicast-routing

D.ipv6enable

4. WhichIPv4addressrepresentsadefaultroute?

A.0.0.0.0255.255.255.255

B.0.0.0.00.0.0.0


C.255.255.255.255255.255.255.255

D.255.255.255.2550.0.0.0

5. WhatistheAdministrativeDistanceoftheOSPF?

A.110

B.120

C.90

D.170

6. WhichroutingprotocolisusedbetweenISPs?

A.IS-IS

B.OSPF

C.BGP

D.MPLS

7. WhichcommandallowsyoutoviewtheforwardingdatabaseinOSPF?

A.showsipospfinterfacebrief

B.showipospfinterface

C.showipospfdatabase

D.showiproute


8. WhatisthedefaultHelloTimerinOSPF?

A.30

B.10

C.5

D.15

9. WhichcommandallowsyoutoverifytheHSRPstatusonarouter?

A.showhsrp

B.showrouterstandby


D.showstandby

10. WhichFHRPisopensource?

A.VRRP

B.HSRP

C.GLBP

D.ICMP



Understandingstaticrouting:https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/unicast/configuration/guide/l3_cli_nxos/l3_route.html

RIProuting:https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_rip/configuration/15-mt/irr-15-mt-book/irr-cfg-info-prot.html

EIGRProuting:https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-mt/ire-15-mt-book/ire-enhanced-igrp.html

OSPFrouting:https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-16/iro-xe-16-book/iro-cfg.html

UnderstandingHSRP:https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swhsrp.html


https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/unicast/configuration/guide/l3_cli_nxos/l3_route.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_rip/configuration/15-mt/irr-15-mt-book/irr-cfg-info-prot.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-mt/ire-15-mt-book/ire-enhanced-igrp.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-16/iro-xe-16-book/iro-cfg.html

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swhsrp.html%20

Thissectionteachesyoutheimportanceofvariousnetworkservicesthatarecriticaltodailyoperations.Youwillthenlearnhowtoimplementvariousservicesusingindustrybestpracticesonnetworks.Furthermore,youwilllearnhowtotroubleshooteachserviceasyouaretakenthrougheachsectionandchapter.


Chapter9,ConfiguringNetworkAddressTranslation(NAT)

Chapter10,ImplementingNetworkServicesandIPOperations


Section4:IPServices


Chapter9:ConfiguringNetworkAddressTranslation(NAT)Howdodevicesonprivatenetworksaccesstheinternet?Networkaddresstranslation(NAT)iswhatconnectsthemagicbetweentheprivateandpublicnetworks.Inthischapter,youwilllearnaboutthevarioustypesofNATandhowtoimplementstaticNAT,dynamicNAT,andportaddresstranslation(PAT)onaCisconetwork.YouwillalsolearnhowtoimplementNATtoensurethatyouhaveinternetconnectivityonanenterprisenetwork.


ThechallengeofusingIPv4ontheinternet

UnderstandingNAT

TypesofNAT

ConfiguringPAT

ConfiguringstaticNATwithportforwarding

ImplementingdynamicNAT

TechnicalrequirementsTofollowalongwiththeexercisesinthischapter,pleaseensurethatyouhavemetthefollowinghardwareandsoftwarerequirement:




CheckoutthefollowingvideotoseetheCodeinAction:https://bit.ly/3clR4Qr

ThechallengeofusingIPv4ontheinternetOneofthemanyissueswefaceisthattherearen'tenoughpublicIPv4addressestoassigntoeachuniquedeviceontheinternet.AsyoulearnedinChapter3,IPAddressingandSubnetting,eachdevicethatisdirectlyconnectedtotheinternetmustbeassignedauniqueIPaddress.Furthermore,thereare232publicIPv4addresses,whichmeansthatthereareapproximately4,294,967,296public

IPv4addressesthatareroutableontheinternet.Thisnumberseemshuge,buttherealityisthatmostinternet-connecteddeviceshavealreadybeenassignedapublicIPv4addressandtherestofthepublicIPv4poolisreservedbyvariousorganizationsforspecialuse.

Intheworldtoday,therearemorethan4billiondevicesconnectedtotheinternet.HowisitpossibletohavemoredevicesonlinethanthenumberofavailablepublicIPv4addresses?RFC1918definesthreeclassesofIPv4addressesthatareassignableonprivatenetworksandarenotroutableontheinternet.

ThefollowingtableshowstheprivateIPv4addressclasses:




https://bit.ly/3clR4Qr

Figure9.1–PrivateIPv4addressclasses

EachclassofprivateIPv4addressneedstobeuniquebetweenorganizationsandprivatenetworks.EachorganizationcanusewhicheverclassofprivateIPv4addresstheyseefit.EachclassofprivateIPv4addressprovidesarangeofusableIPv4addressespernetwork,rangingfrom254toover16millionusable

addresses.

RFC1918addressesallowanorganizationofanysizetoassignoneoftheseaddressestoauniquedevicewithoutneedingtoassignapublicIPv4addresstoeachdevice.Therefore,theseaddressesarestrictlyforuseonprivatecomputernetworksonly.

TheInternetAssignedNumbersAuthority(IANA)hasdesignatedthesespecificIPv4classesasprivateandnonroutableontheinternet.InternetServiceProviders(ISPs)haveimplementedsecuritymechanisms,suchasaccess-controllists(ACLs),topreventRFC1918addressesfromenteringtheISPnetworkandtheinternet.

Anotherimportantconcernishow,sinceRFC1918addressesarenonroutableontheinternet,doesadevicewithaprivateIPv4addresscommunicateandaccessresourcesontheinternet?Inthenextsection,wewilldiscusshowdevicesthat


areonprivatenetworksareabletocommunicateontheinternet.

UnderstandingNATAdevicethatisassignedaprivateIPv4addressisnotabletosimplycommunicatewithdevicesontheinternetonitsown—itneedssomeassistance.Forexample,yourcomputerorsmartdeviceismostlylikelyassignedaprivateIPv4addressonyournetwork,butit'sabletoconnecttodevicesontheinternet.ThisisbecauseofsomethingcalledNAT.NATmakesourlivesinnetworkingthatbiteasierasitallowsaroutertotranslateaprivateaddressintoapublicaddress.Let'stakealookatthefollowingdiagramtogetaclearideaofhowNATreallyworks:

Figure9.2–NATtopology

Intheprecedingfigure,therearetwonetworks—acorporatenetworkandtheinternet—andinbetweenbothisaNATrouter.Let'simaginethatthereisadeviceonthecorporatenetwork,PC1,withanIPaddressof192.168.1.10.


PC1wantstosendamessagetoadeviceontheinternet,let'ssayaCiscowebserverat23.10.104.199.Thefollowingaretheactionstakenbytherouter:

1. PC1sendsthemessagetoitsdefaultgateway,therouterinourtopology.

2. Whenthepacketisreceivedbytherouter,theLayer3headerisinspectedtodeterminethedestinationIPaddress.

3. SincethedestinationaddressisapublicIPaddress,therouterwilltranslatethesourceIPaddressfrom192.168.1.10totherouter's

publicIPaddressof209.65.1.2.ThisprocessisknownasNAT.

4. AftertheNATprocessiscompleted,therouterforwardsthepackettoitsdestination,23.10.104.199.

Ifanotherdeviceonthecorporatenetworkwishestocommunicatewithanotherdeviceontheinternet,thentheprocessisrepeated.Devicesontheinternetdonotseethecorporate,privatenetwork.TheyonlyseetheinternetIPaddressof209.65.1.2.Therefore,thereturningtrafficwillbesenttothe209.65.1.2

addressandtherouterwillreversethetranslationprocessandforwardthemessagebacktoPC1.

AfeaturesuchasNATallowsustoconservetheIPv4publicaddressspace,allowingustoassignasinglepublicIPv4addressperorganizationorprivatenetworkowner.Asimpleexampleisyourhomemodem,whichhasasinglepublicIPv4addressassignedtoitsinternet-facinginterface(port)andontheinternalsideofyourhomenetwork;you'reusingaprivateaddressschemewithmanydevicesbeingNATedthroughthatsinglepublicIPaddress.Thesameconceptappliestoorganizationswithhundredsofdevicesontheirprivatenetwork;theyallhaveasinglepublicIPv4addressviaNATontheirinternet


routerormodem.

Importantnote

TheprimarybenefitofusingNATistoconservethepublicIPv4addressspace.

TherearemanyadvantagesofusingNATonanetwork.ThefollowingarethekeybenefitsofusingNAT:

TheprimarybenefitistheconservationofthepublicIPv4addressspace.

NATallowstheflexibilityofusingpoolsofaddresses,suchaspublicIPv4addressesforload-balancingtraffictotheinternet.Thisfeatureensuresthereliabilityofconnectionstopublicnetworkssuchastheinternet.

NAThidesusersanddevicesthatareusingRFC1918addressingschemes.Inotherwords,NATpreventsusersanddevicesthatarelocatedontheinternetfromseeingintoyourprivatenetwork—instead,theywillonlyseeyourpublicIPaddress.

NATallowsthenetworkadministratorstomaintainconsistencyfortheirinternalnetworkaddressingstandards.ThisallowsallinternaldevicestouseRFC1918addresseswithouthavingtobeassignedapublicIPv4addresstoaccesstheinternet.TheNATrouterhandlesthetranslationsofaddressesbetweentheinternalandpublicnetworks.

WhilethereareclearadvantagestousingNAT,wemustalsounderstandthatNAThassomedisadvantagesonanetwork,suchasthefollowing:

OneofthemajordisadvantagesofusingNATisrelatedtothedegradation


ofnetworkperformanceonvarioustypesofnetworktraffic,suchasvoiceoverIP(VoIP).AstrafficpassesthroughaNAT-enabledrouter,thereissomedelayastherouterhastoperformtheaddresstranslationprocess.Aseachpacketenterstherouter,therouterhastoinspecttheLayer3headerofeachpackettodeterminewhethertoperformNATbeforeforwardingthepackettoitsdestination.

Anotherimportantdisadvantagetonoteisthatend-to-endaddressingislostwithNAT.AsapacketpassesthroughNAT-enabledrouters,thesourceIPaddressofthepacketischanged,andthismakesithardertotracetheactualsourceorsenderofapacket.

Virtualprivatenetwork(VPN)technologies,suchasIPsecurity(IPSec),donotworkwellwithNAT.SinceNATmodifiestheLayer3headerofpackets,itcausesamajorproblemforIPSecVPNstryingtoestablishasecuretunnelbetweenremotebranches.

NowthatwehaveunderstoodthebasicsofNAT,let'slookatitsoperationandterminology.

UnderstandingNAToperationandterminologyIntheworldofCiscoandNAT,thereareafewtermsthatareusedtohelpusidentifywhetheranIPv4addressisontheprivatenetworkorthepublicnetwork.Inthissection,youwilllearnabouttheNATterminology.

Let'sinspectthefollowingfiguretobetterunderstandNAToperations:


Figure9.3–SimpleNAToperations

Intheprecedingnetworktopology,therearetwotypesofnetworks:theprivatenetwork,whichistypicallythecorporatenetworkownedbyanorganization,andthepublicnetworkknownastheinternet.Bydefault,theCiscoIOSrouterdoesnotknowwhichtypeofnetworkPC1ortheserverbelongsto.AlltherouterknowsisthattherearetwodifferentIPv4networksanditsjobistoforwardpacketsbetweenthem.However,whenweashumanslookatthetopologyhere,wecansimplysaythatPC1isontheprivatenetworkwithaprivateIPv4addressclassthatisnonroutableontheinternet,whilethepublicserverhasapublicIPv4addressandisontheinternet.

Themainquestionnow,whentherouterhastoperformNAToperationsbytranslatingtheprivateIPv4addressintoapublicaddress,ishowdoestherouterknowwhichsideofthenetworkeachIPaddressbelongsto?Tounderstandthis,wemustfirstidentifytheinsideaddressandtheoutsideaddress.

TheinsideaddressistheIPaddressthatistobetranslatedbytherouter.Intheprevioustopology,wecanidentifytheinsideaddressasanyaddressontheprivateorinternalnetwork.Theoutsideaddressissimplytheaddressofthedestinationdevice.So,ifthePCisattemptingtocommunicatewiththeserver,


thentheoutsideaddressis209.65.1.10;however,assimpleasitseems,the

routerdoesnotseethisasplainlyaswedo.Furthermore,NATusesthelocalandglobalparameterstotelltherouteradditionaldetailsabouttheaddressesthataretobetranslated.ThelocaladdressisanyIPaddressthatisontheinsidenetworkwhiletheglobaladdressisanyaddressonthepublicsideofthenetwork.

Toexplorethisfurther,let'stakealookatthefollowingfigure:

Figure9.4–NATprocesspart1

Intheprecedingdiagram,PC1hascreatedamessageforthepublicserver.WhenNATisenabledontheCiscoIOSrouter,itseestheinsidelocaladdressas192.168.1.10andtheoutsidelocaladdressasthedestinationdevice,which

is209.65.1.10.Theaddressasshownintheprecedingfigureispriortothe

NATprocess.


ThefollowingfigureshowstheresultsaftertheaddresshasbeentranslatedbyNAT:

Figure9.5–NATprocesspart2

Whenthepacketenterstherouter,theprocessofNATtakesplace.Theroutertakesalookatthesourceanddestinationaddress.Ifthedestinationaddressbelongstotheglobalnetwork,thentherouterperformsNATontheinsidelocaladdress,convertingittotheinsideglobaladdress.Inotherwords,NATtranslatestheprivateIPv4addressofthePCtothepublicIPv4addressontherouter'sinterface.

Importantnote

TheoutsidelocalandoutsideglobaladdressesareusuallythesameIPaddress.


Theseaddressesarethosethatbelongtothedestinationdevice.

Inthenextsection,wewilldiscussthevarioustypesofNAT,theiruses,andhowtoconfigureeachoneonaCiscoIOSrouter.

TypesofNATTherearemanytypesofNATtranslations.Eachtypehasitsownadvantages,disadvantages,andreal-worlduse.Inthissection,youwilllearnabouttheircharacteristicsandoperations,andhowtoconfigureeachtypeofNATonaCiscoIOSrouter.

StaticNATStaticNATusesaone-to-onemappingoftheinsidelocaladdresswiththeinsideglobaladdress.ThistypeofNATmappingdoesnotchange—asthenameimplies,themappingremainsconstant.ThistypeofNATisveryusefulwhenyouwanttoallowexternalusersontheinternettoaccessadevicesuchasawebserverthatsitsonyourinternalprivatenetworkinyourorganization.

Let'simaginethatyourorganizationhasawebserverlocatedonaprivatenetworkandyouaretaskedtoallowusersfromtheinternetaccesstotheserver.Tocompletethistask,youcancreateaone-to-onestaticmappingbetweenthewebserver'sprivateIPaddress(insidelocal)andthepublicIPaddressontherouter(insideglobal).ThiswillallowanyoneontheinternettosimplyenterthepublicIPaddress(insideglobal)ontheirwebbrowserand,whentherouterreceivestraffic,itwillsimplyforwardittotheinsidelocaladdress,whichistheserver.


ThefollowingfigureshowshowPC2isabletoaccesstheinternalwebserverviastaticNAT:

Figure9.6–StaticNAT

Thedevicesthatareontheinternet,suchasPC2,willnotseetheinsidelocaladdressoftheserver—theywillonlyseetheinsideglobaladdress.Additionally,devicesontheinternetwillnotbeawarethattherouterisperformingNATinthebackground.


ToconfigurestaticNATonaCiscoIOSrouter,gothroughthefollowinginstructions:

1. Configuretheinsideinterfaceontherouter.Thisinterfaceisconnectedtotheinsidenetwork:

Router(config)#interfaceinterface-ID

Router(config-if)#ipnatinside


2. Configuretheoutsideinterface.Thisinterfaceisconnectedtotheoutsidenetwork:


Router(config-if)#ipnatoutside


3. Createthemapbetweentheinsidelocaladdressandtheinsideglobaladdress:

Router(config)#ipnatinsidesourcestatic

inside-local-ipinside-global-ip

Now,let'sseehowdynamicNATworks.

DynamicNATDynamicNATusesapoolofinsideglobaladdressesthatareautomaticallytranslatedonafirst-comefirst-servedbasisbytheNAT-enabledrouter.UnlikestaticNAT,whichmanuallycreatesastaticmappingbetweenaninsidelocal


addressandaninsideglobaladdress,dynamicNATallowsyoutoallocatearangeofavailableaddressesviaaNATpool.

Let'ssaythatyourcompanyhasarangeofpublicIPv4addressesallocatedtoyourorganizationbythelocalISP,andyouwanttoallowasmallIPsubnetofenddevicestouseanyaddresswiththeallocatedrangewhencommunicatingwiththeoutsidenetwork.DynamicNATsimplyallowsyoutocreateanACLtospecifywhichIPsubnetsareallowedtousetherange(pool)ofpublicIPaddresses.

ThefollowingfigureshowsarouterthatisconfiguredwitharangeofpublicIPv4addresses:


Figure9.7–DynamicNAT

TheoutsideinterfaceoftherouterisconfiguredwithaNATpoolofaddressesrangingfrom209.65.1.2–209.65.1.5.Theseaddressesareallocatedfor

usebytheinsidenetwork.WhenPC1communicatesontheoutsidenetwork,


theroutercheckstheNATpoolforanavailableIPv4addressandtranslatestheinsidelocaladdresstoanavailableinsideglobaladdress.Inthissituation,theinsidelocaladdressis192.168.1.10,whichwillthenbetranslatedto

209.65.1.2.Ifanotherdevice,suchasPC2(192.168.1.11),wantsto

communicateovertheinternet(outsidenetwork),thentheprocessisrepeated,andthistimetherouterwillusethenextavailableaddressfromthepool,209.65.1.3.

ThedisadvantageofdynamicNATisthatsinceeachaddressinthepoolcanbemappedtoonlyoneinsidelocaladdress,thenumberofaddressesinthepoolislimited.Therefore,ifmoredevicesontheinsidenetworkareattemptingtosimultaneouslycommunicateontheoutsidenetwork,thepoolofavailableaddresseswillbecomeexhausted.

Whendynamicmappingoccurs,itisonlytemporaryforthedurationofthesessionbetweentheinsidedeviceandthedestinationdevice.TheroutermonitorsforinactivityindynamicNAT.WhenitdetectsthatdynamicNATtranslationisnolongerbeingused,itwillmaketheinsideglobaladdressavailableforfuturetranslations.

Importantnote

Theclearipnattranslation*commandwillallowyoutoclearall

NATtranslationontherouter.

KeepinmindthatifyouareimplementingdynamicNATwithinyournetwork,youshouldensurethatthereareenoughpublicIPaddressestosatisfythenumberofsimultaneoussessionsthatwillbegeneratedbytheinsidenetwork.


ToconfigureDynamicNATonaCiscoIOSrouter,usethefollowinginstructions:









3. CreateapoolofglobalinsideaddressestousewithdynamicNAT:

Router(config)#ipnatpoolpool-namestart-ip

end-ip[netmasksubnet-mask|prefix-length

prefix-length]

4. CreateanACLtoallowtheaddressesthataretobetranslated:

Router(config)#ipaccess-liststandardaccess-

list-name

Router(config-std-nacl)#permitnetwork-ID

wildcard-mask


Router(config-std-nacl)#exit

Additionally,youcanusetheaccess-list<acl-number>permit

<network-ID><wildcard-mask>commandtocreateanumbered

standardACL.

5. MergethedynamicNATpoolofaddresseswiththeACLoftheaddresstobetranslated:

Router(config)#ipnatinsidesourcelistaccess-

list-namepoolpool-name

Next,let'slearnaboutPAT.

ConfiguringPATPAT,alsoknownasNAToverload,differsfrombothstaticanddynamicNATtranslations.PATallowsaroutertotranslatemultipleprivateIPv4addressesintoasinglepublicaddress.ThistypeofNATiscommonlyusedwithinhomenetworks.TheISPusuallyassignsasinglepublicIPaddresstotheinternetmodem/router.ThemodemisconfiguredwithPAT(NAToverload),whichtranslatesanynumberofprivateaddressesontheinsidenetworktothesinglepublicaddressassignedonthemodem/routerinterfaceontheoutsidenetwork.

Ifyourecallfrompreviouschapters,whenadevicewantstoinitiateaconnectionwithanotherdevice,thesendergenerateseitheraTCPorUDPsourceportanddestinationport,basedontheapplicationlayerprotocol/service.PATtakesadvantageofthisandkeepstrackoftheportnumbersbeingusedforeachsessionandIPaddress.Withineachsession,thesenderalwaysgeneratesauniquesourceportwithitssourceIPaddress;thisensuresthattheIP-to-port


combinationisalwaysunique,andthusPATcantracktheseuniquesessionstoidentifyspecificNATtranslations.

Importantnote

PATalsoensuresthatdevicesalwaysuseuniqueTCPportsforsessionswithwebserversontheinternet.

TogetabetterunderstandingofhowPATworks,let'stakealookatthefollowingfigure.Therearetwodevicesontheinsidenetwork—PC1andPC2—thatwanttocommunicatewiththewebserversontheinternet:

Figure9.8–PAToperations


EachdeviceontheinsidenetworksendsitsmessagecontainingthesourceIPaddress,sourceport,destinationIPaddress,anddestinationporttotherouter.Whentherouterreceivesmessagesonitsinsideinterface,itwillinspectthedestinationIPaddressintheLayer3header.Sincethedestinationdevicesarelocatedontheoutsidenetwork,therouterperformsPAT.Theroutertranslatestheinsidelocaladdresstotheinsideglobaladdresswhilekeepingtrackoftheportnumber,asshowninthefollowingfigure:

Figure9.9–PAToperations

Whenthemessageleavestherouter'soutsideinterface,itwillcontainthenewsourceIPaddressof209.65.200.228.Devicesontheinternetsuchasthe


webserversintheprecedingfigurewillsee209.65.200.228asthesender

andnotthedevicesontheinsidenetwork(PC1andPC2).

Duringsessionsbetweentheinsideandoutsidenetwork,PATtriestomaintaintheoriginalportnumbersthatarebeingused;however,ifasourceportnumberisalreadybeingusedbyanotherinsidedevice,PATwillattempttousethenextavailableportnumberandkeeptrackofthesessionandtranslationmapping.

TherearetwomethodstoconfigurePAT(NAToverload)onaCiscoIOSrouter.ThefirstmethodconfiguresPATtouseapoolofinsideglobaladdresses.ThismethodisusefulinsituationswhereallportnumbersarebeingusedbyasinglepublicIPaddress.PATthenmovesontothenextavailablepublicIPaddresswithinthepoolandbeginsallocatingportnumbers.

ToconfigurePATwithapoolofaddresses,usethefollowinginstructions:










3. CreateapoolofglobalinsideaddressestousewithNAToverload:



prefix-length]



list-name


wildcard-mask


5. MergethedynamicNATpoolofaddresseswiththeACLoftheaddressfortranslationusingtheoverloadkeyword:


list-namepoolpool-nameoverload

Additionally,youcanalsouseanumberedstandardACLratherthanusinganamedACL.

ThesecondmethodofconfiguringPATallowsyoutotranslateallinsideaddressestoasinglepublicIPaddress.ThismethodisusefulwhenyouhaveonlyonesinglepublicIPaddressandmultipleinsidedevicesthatrequireconnectivitytotheinternet.

ToconfigurePATtouseasingleinsideglobaladdress,usethefollowinginstructions:










3. CreateapoolofglobalinsideaddressestousewithNAToverload:



prefix-length]



list-name


wildcard-mask


5. MergetheDynamicNATpoolofaddresseswiththeinterfaceonthe


routerthathastheinsideglobaladdress:


list-nameinterfaceinterface-IDoverload

Lastly,wecanuseNATtoperformportforwardingonaCiscorouter.

ToconfigureportforwardingonaCiscoIOSrouter,usethefollowinginstructions:









3. Createthemapbetweentheinsidelocaladdressandtheinsideglobaladdress:

Router(config)#ipnatinsidesourcestatic

inside-local-iplocal-portinside-global-ip

global-port


Havingcompletedthissection,youhavelearnedhowtoconfigurevarioustypesofNATtranslationsonaCiscoIOSrouter.Inthenextsection,youwillgainhands-onexperienceofimplementingeachtypeofNATonaCiscoenvironment.

Lab–implementingNAToverload(PAT)Inthishands-onlab,youwilllearnhowtoimplementPAT.Thefollowingnetworktopologyshowsanorganization'snetworktotheleftoftheISPthatisconnectedtotheinternet.Forthislab,we'llbeusingCiscoPacketTracertobuildourlabandcompletetheexercise:

Figure9.10–NAToverloadtopology

TheobjectiveofthislabistoconfiguretheHQrouterwithNAToverloadtoalldevicesonthecorporatenetwork,suchasthePC1privateIPaddress(10.1.2.10/24),tobetranslatedtoapublicIPaddresswhenit'sattempting


toconnecttothePublicWebServer(209.65.1.3/28).

Pleaseusethefollowingguidelineswhencreatingthislab:

AssigntheIPaddressestoeachdeviceaccordingly,asshowninFigure9.10.

UseonlyCisco2911models.Ensurethateachinterfaceisconfiguredasshowninthetopology.

ConfigureeachenddevicewiththecorrespondingIPaddress,subnetmask,anddefaultgateway,asshowninthetopology.

ConfigureadefaultrouteonHQtopointtotheISProuterat192.0.2.1.

ConfigureadefaultrouterontheISProuterthatpointstoHQat192.0.2.2.Thisistosimulatetheinternetonthenetwork.

EnableOSPFv2ontheprivatenetwork,whichisbetweentheHQandBranch-Anetworks.UseOSPFtopropagatethedefaultroutetotheBranch-Arouter.

Nowthatyourlabenvironmentisready,usethefollowinginstructionstoconfigureNAToverload:

1. ConfiguretheinsideinterfacesontheHQrouterforNAT:

HQ(config)#interfaceGigabitEthernet0/1

HQ(config-if)#ipnatinside

HQ(config-if)#exit




HQ(config-if)#exit

2. ConfiguretheoutsideinterfaceontheHQrouterforNAT:


HQ(config-if)#ipnatoutside

HQ(config-if)#exit

3. CreateanACLwithawildcardmaskontheHQroutertoonlyallowtheprivateaddressestobetranslatedviaNAT:

HQ(config)#ipaccess-liststandardNAT-LIST

HQ(config-std-nacl)#permit172.16.1.00.0.0.255


HQ(config-std-nacl)#exit

We'veusedanamedACLcalledNAT-LISTtohelpusunderstandthe

purposeoftheaccesslistontherouter.

4. MergetheNAT-LISTACLtotheinterfacewiththepublicIPaddress

(192.0.2.2):

HQ(config)#ipnatinsidesourcelistNAT-LIST

interfacegigabitEthernet0/0oveorload

5. OnPC1,openthewebbrowser,entertheIPaddressofthePublicWebServer,andhitEnter:


Figure9.11–Webpage

ThisisagoodindicatorofwhetherPC1hasconnectivitytothePublicWebServer.

6. OnHQ,usetheshowipnattranslationscommandtovalidate

theprivateIPaddressesthatarebeingtranslatedtothepublicIPaddressusingNAToverloadorPAT:

Figure9.12–PATtranslations

Thetranslationisusingtcpasexpected,sinceweaccessthedefaultweb

pageontheserverviaHTTP.TheinsideglobaladdressisthepublicIPv4


addressontheoutsideinterfaceonHQ:192.0.2.2withasourceport

of1025.TheinsidelocaladdressistheprivateIPv4addressofPC1:

10.1.2.10withasourceportof1025.Boththeoutsidelocaland

outsideglobaladdressesbelongtothePublicWebServer:209.65.1.3withadestinationportof80.

7. OnHQ,usetheshowipnatstatisticscommandtoverifythe

NATinterfacesandpool:

Figure9.13–NATstatistics

TheoutputprovidesuswithinformationaboutwhichinterfacesareusedasinsideandoutsideinterfacesontherouterforNAT,thenumberoftranslationsthathaveoccurred,andwhetherthereareanydynamicmappings.SincethelabistranslatingprivateIPv4addressestoasinglepublicIPv4addressviatheGigabitEthernet0/0interface,therearenodynamicmappingsinthe

output.Additionally,Totaltranslationsindicateswhethertherouteris

usingstaticNAT,dynamicNAT,orextended(NAToverload(orPAT)).

Havingcompletedthislab,youhaveacquiredtheskillsneededtoimplementandvalidateNAToverload(PAT)configurationsonaCiscoenvironment.Inthe


nextlab,youwilllearnhowtoconfigurestaticNATtoperformportforwardingtoaninternalwebserverwithinaprivatecorporatenetwork.

Lab–implementingstaticNATwithportforwardingInthislab,youwilllearnhowtoimplementstaticNATonanorganizationroutertoforwardtrafficthatisoriginatingfromtheinternettoaninternalprivateserver.Thisexerciseisanextensionofthepreviouslab.We'llbeusingthefollowingtopologyandthesameguidelinesasbefore:

Figure9.14–StaticNATwithport

Theobjectiveofthislabistoallowusers(PublicPC)ontheinternettoaccesstheinternalwebserverontheprivatecorporatenetworkviaNAT.Therefore,


whenthePublicPCentersthepublicIPaddressintothewebbrowser,theHQrouterwilltranslateandforwardthetraffictoonlytheinternalwebserver.

ToimplementstaticNATwithportforwarding,usethefollowinginstructions:

1. ConfiguretheinsideinterfaceontheHQrouterthatpointstotheinternalwebserver:



HQ(config-if)#exit




HQ(config-if)#exit

3. Configureastatictranslationbetweentheinsideglobaladdressandtheinsidelocaladdressoftheinternalwebserverusingthefollowingcommand.Sinceit'sawebserver,usethedefaultservice80:

HQ(config)#ipnatinsidesourcestatictcp

172.16.1.1080190.0.2.280

ThisstaticmappingwillallowanydevicethatisontheinternetsideofthetopologytoaccesstheinternalwebserverbysimplyusingthepublicIPaddressoftheHQrouter:192.0.2.2withadestinationportof80.

4. OnHQ,usetheshowipnattranslationscommandtoverify


thestaticNATmap:

Figure9.15–StaticNATmapping

WheneveryoucreateastaticNATmaponaCiscoIOSrouter,boththeinsideglobalandinsidelocalmapareshownwithintheshowipnat

translationsoutput.Keepinmindthatiftheportnumberswerenot

specifiedduringthepreviousstep,theywon'tappearintheprecedingsnippet.

5. OnPC2(PublicPC),openthewebbrowserandenterthepublicIPaddressoftheHQrouterandhitEntertoverifythatyouhaveconnectivity:

Figure9.16–Connectivitytestviawebbrowser


Theprecedingsnippetvalidatesthatthereisconnectivitytotheinternalwebserverontheprivatecorporatenetworkfromtheinternetsideofthetopology.

6. OnHQ,usetheshowipnattranslationscommandtoshow

thatthestaticNATtranslationisworkingwithportforwarding:

Figure9.17–StaticNATtranslationsonHQ

Asshownintheprecedingsnippet,NATisworkingasexpected.ThetrafficisoriginatingfromPC2(PublicPC)withIPaddress209.65.1.2andtheHQrouterisperformingastaticNATtranslation

withportforwardingtotheinternalwebserverat172.16.1.10:80.

ThepublicPCisseeingtheinternalwebserveras190.0.2.2,butHQ

translatesandforwardsthetraffictotheprivateIPaddress172.16.1.10.

7. OnHQ,usetheshowipnatstatisticscommandasshownin

thefollowingfigure:


Figure9.18–NATstatistics

Fromtheoutput,wecandeterminethatthereisastaticNATmapontheHQrouterwithtwoporttranslationshavingtakenplace.Furthermore,theNAToutsideandinsideinterfacesaredisplayedasthisinformationhelpsusdeterminewhetheranymisconfigurationsexistonaNATedinterface.

Havingcompletedthislab,youwillhavelearnedhowtoconfigureaCiscoIOSroutertoperformstaticNATwithportforwarding.Thisexercisealsodemonstrateshowtoallowusersontheinternettoaccessinternalserversonacorporatenetwork,specificallyviaaserviceportsuchasport80fortheHTTP

server,asinourlab.Inthenextlab,youwilllearnhowtoimplementdynamicNATonaCiscoenvironment.

Lab–implementingdynamicNATInthislab,youwilllearnhowtoimplementdynamicNATwithapoolofIPaddresses.Thefollowingnetworktopologyshowsanorganizationnetwork(left)thatisconnectedtotheinternetviatheISProuter:


Figure9.19–DynamicNATtopology

TheobjectiveofthislabistoallowtheIPaddressesofdevicesinthecompanyattemptingtocommunicateontheinternettobetranslatedtoanavailablepublicIPaddress,viadynamicNAT,ontheHQrouter.

Pleasebesuretousethefollowingguidelineswhencreatingthislabtoensurethatyougetthecorrectresults:

AssigntheIPaddressesasshownintheprecedingfiguretoeachdeviceaccordingly.

Eachrouter(Cisco2911model)interfacemustbeconfiguredasshowninthetopology.

ConfigureeachenddevicewiththecorrespondingIPaddress,subnetmask,anddefaultgateway,asshowninthetopology.



ConfigureadefaultrouterontheISProuterthatpointstoHQat192.0.2.2.Thisistosimulatetheinternetonthenetwork.

ToconfigureDynamicNATonaCiscoIOSrouter,usethefollowinginstructions:

1. ConfiguretheinsideinterfacesontheHQrouterforNAT:



HQ(config-if)#exit




HQ(config-if)#exit

3. CreateaNATpooltospecifytherangeofusablepublicIPaddresses.BeginwiththestartingIPaddressof190.0.2.2andtheendingIP

addressof192.0.2.5,andanetworkmaskof255.255.255.240:

HQ(config)#ipnatpoolNAT-IPAdd192.0.2.2

192.0.2.5netmask255.255.255.240

4. CreateanACLwithawildcardmaskontheHQroutertoonlyallowtheprivateaddressestobetranslatedviaNAT.UsetheACLnameNAT-

List:

HQ(config)#ipaccess-liststandardNAT-List




5. MergetheACLlist(NAT-List)withtheNATIPpool(NAT-IPAdd)to

createthedynamicmapping:

HQ(config)#ipnatinsidesourcelistNAT-List

poolNAT-IPAdd

6. OnPC1,openthewebbrowser,entertheIPaddressofthewebserver,andhitEnter:

Figure9.20–Webserver

7. OnHQ,useshowipnattranslationstoverifywhether

dynamicNATisworking:


Figure9.21–DynamicNATtranslations

TheoutputprovesthatdynamicNATisworkingasexpected.Ifanotherclientdeviceonthecompanysideofthenetworkestablishesaconnectiontothewebserver,thenanotherpublicIPaddresswillbeusedfromtheNATpoolandthiswillreflectinthetranslationwindow.

8. OnHQ,usetheshowipnatstatisticscommandtovalidate

dynamicNATconfigurations:


Figure9.22–DynamicNATstatistics

TheoutputshowsthenameofthedynamicNATpool,theIPrangesandsubnetmask,thenumberofIPaddressesthatarebeingusedatthatpointintime(allocated),andtheinsideandoutsideNATinterfaces.

Havingcompletedthislab,youhavegainedtheessentialskillsneededtoconfiguredynamicNATinaCiscoenvironment.

SummaryInthischapter,wehavediscussedtheimportantrolethatNATplaysinalmostallprivatenetworksofallsizes.WeexploredthecharacteristicsandfunctionsofeachtypeofNATandinwhichsituationstheywouldbeused.Bycompletingthischapter,youhavegainedbothatheoreticalunderstandingoftheoperationsofNATonanenterprisenetwork,andthehands-onskillstoimplementstaticNAT,dynamicNAT,andPATonaCisconetwork.

IhopethatthischapterhasbeeninformativeandhelpsyouinyourjourneytowardlearninghowtoimplementandadministrateCiscosolutionsandpreparefortheCCNA200-301certification.InthenextChapter10,ImplementingNetworkServicesandIPOperations,wewilllearnhowtoimplementtheNetworkTimeProtocol(NTP),DynamicHostConfigurationProtocol(DHCP),andotherIPservicesonaCiscoenvironment.

QuestionsThefollowingisashortlistofreviewquestionstohelpreinforceyourlearningandhelpyouidentifywhichareasofyourknowledgerequiresome


improvement:

1. Whichofthefollowingnetworkaddressesarenonroutableontheinternet?

A.192.167.68.200

B.192.169.87.23

C.172.31.1.5

D.172.32.1.6

2. WhichofthefollowingisabenefitofusingNAT?

A.HidesusersbehindasinglepublicIPaddress

B.AllowsVoIPcommunicationovertheinternet

C.Ensuresend-to-endconnectivitybetweeninternalandexternaldevices

D.SupportsIPSec

3. IntermsofNAT,whatisdefinedastheinsideaddress?

A.ThepublicIPaddress

B.TheMACaddress

C.Theaddressthatisvisibleontheinternet

D.Theaddresstobetranslated

4. Howwouldyoudescribetheaddressofthedestinationdevice?


A.Insidelocal

B.Outsidelocal

C.Insideglobal

D.Outsideglobal

5. WhichtypeofNATisrecommendedforforwardingalltraffictoaninternalserverifauserontheinternetknowsthepublicIPaddress?

A.Portforwarding

B.PAT

C.DynamicNAT

D.StaticNAT

6. WhenconfiguringNAT,whichkeywordmustbeusedtotelltheroutertoperformportaddresstranslation?

A.ipnat

B.overload

C.source

D.static

7. Whichcommandtellstherouterthataninterfacebelongsontheinsidenetwork?


A.ipnatinside

B.ipnat

C.ipnatinternal

D.ipnatenable

8. Whatisanothernameforportaddresstranslation(PAT)?

A.NATportaddresstranslation

B.NATport

C.NAToverload

D.NAToverwork

9. WhichcommandallowsyoutoseethepoolofNATaddresses?

A.shownat

B.showipnatstatistics

C.shownatstatistics

D.showstatistics

10. HowmanyinsidelocaladdressescanbemappedwhenusingdynamicNAT?

A.65,535


B.0

C.1

D.Noneoftheoptionspresentedhere


Networkaddresstranslation:https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html

ConfiguringNAT:https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat-addr-consv.html


https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat-addr-consv.html

Chapter10:ImplementingNetworkServicesandIPOperationsTheCiscoIOSoperatingsystemisfilledwithmanyfeaturesthatweareyettoexplore.Theoperatingsystemcontainsawidevarietyofnetworkservicesthataredesignedtoprovidescalabilityandflexibilityonanetwork;thesefeaturesarecommonlyreferredtoasIPservices.IPservicesaretheessentialserviceseachnetworkneeds,suchastheDynamicHostConfigurationProtocol(DHCP)toassistwiththeautomaticassignmentofIPaddressestoclientdevices,theDomainNameSystem(DNS)toresolvehostnamestoIPaddresses,andevennetworkmonitoringandmanagementprotocolstoprovideaccountabilityandvisibilityonanetwork.

Duringthecourseofthischapter,youwilllearnhowtoimplementtheNetworkTimeProtocol(NTP)toensurealldevices'clocksaresynchronizedandthatpropertimekeepingismaintainedonanetwork.You'lllearnhowtoimplementDHCPonaCiscosystemtodistributeIPconfigurationstoenddevicestoallownetworkconnectivity,understandtheimportanceofDNSonanetworkandthevitalroleitplaysontheinternet,andconfigureSimpleNetworkManagementProtocol(SNMP)andSyslogtoassistinnetworkmanagement.Lastly,youwilllearnabouttheimportanceofusingQualityofService(QoS)toimprovenetworkperformance.


UnderstandingNTP

UnderstandingDHCP


DNS

UnderstandingthebenefitsofusingSyslog

SNMP

QoStrafficclassification




CheckoutthefollowingvideotoseetheCodeinAction:https://bit.ly/3mKumGp

UnderstandingNTPTime...whatanimportantroleitplaysinourdailylives.FromhelpingusmeasurehowlongittakesustoarriveatadestinationoreventtocalculatinghowquicklyathletesperformattheOlympicgames.Timeissimplythemeasurementbetweenpast,present,andfutureevents.

Timeisusedtohelpustakeaccountofanevent.Timestampsareusedonelectronicdevices,surveillancesystems,andcomputerandnetworkingdevices




https://bit.ly/3mKumGp

toprovideanaccountofwhencertainactionsandeventsoccur.Onanenterprisenetwork,itiscriticaltoensurepropertimekeepingismaintainedthroughouttheorganization.

Whyistimekeepingacriticalfactoronanetwork?Ensuringalldevicesareconfiguredwithaccuratetimeisimportantforlogandeventmanagementonanenterprisenetwork.Eventsoccurfrequentlyonnetworks;inallthelabsyou'vecompletedthusfar,whenyoumakeachangeonaCiscodevice,aSyslogmessageisgeneratedandpresentedontheconsolewindow.Themessageusuallycontainsinformationandspecificdetailsabouttheeventthatoccurred,whichisknownasaSyslogmessage.

Logmessagesaregeneratedallthetimeforvariouspurposes,suchasindicatingthataninterfacestatusmayhavechanged,checkingsecurity-relatedevents,andtroubleshootingnetworkissues.Timehelpsuscoordinateandgainabetterpictureofthesequencesthatoccuronanetwork.Therefore,itisimportanttoensurealldevices'systemclocksareaccuratelyconfiguredwithintheorganization.CiscoIOSdeviceshaveaninternalclockknownasthesystemclockthatthedeviceusesasitsprimarysourceoftimekeeping.Thesystemclockbeginstickingwhenthedevicebootsup.

Importantnote

Bydefault,thesystemclockonCiscoIOSdoesnotautomaticallyassumethecurrenttimeanddateasexpected,simplybecauseCiscostartsitsdevices'clocksatUTCMonday,March1,1993.

TherearetwomethodsbywhichwecanconfiguretimekeepingonaCiscoIOSdevice:


Manually

UsingtheNTP

Withthemanualmethod,weusetheclocksetcommandfollowedbythe

timeanddateinprivilegemode.Thefollowingisanexampleofthesyntaxforconfiguringthetimemanually:

clocksethh:mm:ssmonthdayyear

Theissuewefacewhenconfiguringtimemanuallyonanetworkisit'saverytime-consumingprocessand,mostimportantly,thetimemaynotbesynchronouswithotherdevicesonthenetwork.Asmentionedpreviously,accuratetimekeepingisveryimportantonanetwork,astimestampsareinsertedwithineventlogssuchasSyslogmessagesgeneratedbyyourdevices.Ifthetimeisnotaccurate,whentrackingthesequenceoflogmessagesforanevent,theremaybeinconsistencies.Theseinconsistencieswillresultininaccuratelogeventsbetweendevices.

ToviewthesystemclockonaCiscoIOSdevice,usetheshowclock

commandasshowninthefollowingsnippet:

Figure10.1–SystemclockonaCiscorouter

Asanetworkgrows,itbecomesevenhardertomaintainaccuratetimekeepingondevices.UsingtheNTPhelpsuseasilysynchronizetimethroughoutanentirenetworkofanysize.CiscoIOSdevices,suchasroutersandswitches,can


synchronizetheirsystemclockswithNTPserversastheirsourceoftime,thusenablingtheroutersandswitchestobecomeNTPclientsonanetwork.

Importantnote

NTPusesUDPport123bydefault.

NTPusesahierarchicalsystemtomanagethetimesourcesthroughyournetworkandtheinternet.EachlevelwithinthehierarchyisreferredtoasaStratum.AStratumlevelisusedtomeasurethedistancebetweenanauthoritativesourceandtheNTPclients.

Importantnote

Anauthoritativesourceisthedevicethatismanuallyconfiguredtoprovidetimeandhasthemostaccuratetimeonthenetwork.Theauthoritativesourceisatthetopofthehierarchyatalltimes.

ThefollowingdiagramshowstheNTPStratumhierarchicalstructure:


Figure10.2–Stratumhierarchy

Theauthoritativesourcesarethedeviceswiththemostaccuratetimeandare


locatedwithintheStratum0layer.Stratum0devicesareverypreciseattimekeepinganditisassumedthattherearenodelaysorinaccuraciesintheirtimemanagement.Stratum1devicesarethosethatareassociatedwithStratum0.Stratum2arethosethatareassociatedwiththeupperlayer,andsoon.WhenadevicehasalowerStratumnumber,it'sanindicationtheNTPclientisclosertotheauthoritativesourceoftime,whileahigherStratumnumberindicatestheNTPclientisfurtheraway.However,themaximumnumberofhopswithinNTPis15.

Importantnote

Stratumlevelsrangefrom0–15.

AnydevicethatexistsinaStratum16layerisconsideredtobeunsynchronizedwiththenetworktimeprotocol.Inthenextsection,youwilllearnhowtoconfigureCiscodevicesasbothanNTPserverandNTPclients.

Lab–configuringNTPInthishands-onlab,youwilllearnhowtoimplementNTPthroughoutaCiscoenvironmenttoensuretimeissynchronizedbetweentheCiscoswitchesandrouters.Forthislab,wewillbeusingthefollowingnetworktopology:


Figure10.3–IPservicelabtopology

Pleaseensureyouusethefollowingguidelineswhencreatingthislabtoensureyougetthesameresults:

UseswitchestorepresenttheMetroEthernetWANandtheinternetconnections.

UseCisco2911routersandCisco2960switches.

ConfigureastaticrouteontheHQroutertoreachthe172.16.1.0/24

networkviatheBranch-Arouterusingtheiproute172.16.1.0

255.255.255.0192.0.2.2command.Youalsohavetheoptionto

usedynamicroutingbetweentheHQLANandBranch-ALAN.

ConfigureadefaultrouteontheBranch-ArouterthatpointstoHQvia192.0.2.1usingtheiproute0.0.0.00.0.0.0

192.0.2.1command.

ConfigurealltheIPaddressesonalltheinterfacesontheroutersandservers.


Ensureyouconfigurethedefaultgatewayoneachserverto209.65.200.2.

ThislabtopologywillbeusedtoconfigureNTP,DHCP,DHCPrelay,andDNS.

NowthatyourCiscolabisready,usethefollowinginstructionstoimplementNTP:

1. Firstly,let'sconfiguretheNTPserverwiththecurrenttime.ClickonNTPServer,choosetheServicestab,andclickonNTP,asinthefollowingscreenshot:


Figure10.4–NTPServerconfigurations

EnsuretheNTPserviceisonandthetimeisaccuratelyconfigured.TheNTPserverwilloperateasaStratum0devicewithinthetopology.

2. ConfiguretheHQroutertobeanNTPclientandsynchronizeitwiththeNTPserverbyusingthefollowingcommandsinglobalconfigmode:

HQ(config)#ntpserver209.65.200.10

TheprecedingcommandisusedtoinformtheHQroutertouse


209.65.200.10asitsNTPserverforitstimesource.Afterafew

minutes,therouter'ssystemclockwillbeinsyncwiththetimeontheNTPserver.SometimesthereisalongdelayforanNTPclienttosynchronizewithanNTPserver.

3. UsetheshowntpstatuscommandtovalidatethattheNTPclient

andserverhavebeensynchronized:

Figure10.5–NTPsynchronization

TheoutputvalidatesthattheHQrouter(NTPclient)issynchronizedwiththeNTPserver,209.65.200.10,andtherouterisoperatingasa

Stratum2device.ThisindicatesthattheNTPserverisaStratum1device.

4. UsetheshowntpassociationscommandtovalidateanyNTP

associationsontheHQrouter:


Figure10.6–NTPassociations

TheoutputverifiesthattheHQrouterisconfiguredandpairedwiththedevice209.65.200.10asaStratum1NTPserver.Sometimesthe

sys.peer(*)codetakesabitoftimetoappearnexttotheIPaddress.

5. Usetheshowclockcommandtoverifythatthetimeisnowaccurate

andisthesameastheNTPserver:

Figure10.7–Systemclock

6. Let'smaketheHQrouteranNTPserverfortheHQLANandBranch-ALANnetworks.Toperformthistask,usethentpmaster

<stratum-number>command,orwecansimplyusethentp

mastercommandandtherouterwillautomaticallyincrementthe

Stratumnumberby1fromtheNTPserver:

HQ(config)#ntpmaster

7. Usetheshowntpassociationscommandoncemoretovalidate


thattheHQrouterisnowanNTPserver:

Figure10.8–NTPassociations

ThesecondlineindicatesthattheHQrouterisoperatingasanNTPserverbecauseitisrepresentedbyaloopbackIPaddress(link-local)andthereferenceclockissettolocal.

8. Next,configuretheBranch-ArouterasanNTPclientanduseHQfortimesynchronization:

Branch-A(config)#ntpserver192.0.2.1

TheshowntpassociationscommandverifiesthattheBranch-A

routerissynchronizedwithHQastheNTPserver:


Figure10.9–NTPassociationsontheBranch-Arouter

9. Next,beforewecanconfiguretheswitchwithintheHQLANasanNTPclient,weneedtoconfigureaSwitchVirtualInterface(SVI)byusingthefollowingcommands:


SW1(config-if)#ipaddress192.168.1.2

255.255.255.0


SW1(config-if)#exit

TheconceptofusingSVIswascoveredinChapter2,GettingStartedwithCiscoIOSDevices.

10. Configurethedefaultgatewayontheswitchusingthefollowingcommand:


11. UsethentpservercommandtoconfiguretheswitchasanNTP

client:

SW1(config)#ntpserver192.168.1.1

12. Lastly,usetheshowntpassociationscommandtovalidatethat

theswitchisassociatedwithHQ:


Figure10.10–NTPassociationontheswitch

Bycompletingthislab,youhavegainedthehands-onskillsyouneedtoimplementbothNTPclientsandNTPserversonaCisconetwork.Inthenextsection,youwilllearnabouttheimportanceofDHCPasanIPserviceonanenterprisenetwork.

UnderstandingDHCPOnanycomputernetwork,therearemanyenddevices,networkintermediarydevices,andevenservers.EachdevicerequiresanIPaddresstoexchangemessagesandshareresourceswitheachother.AnetworkadministratorusuallyassignsstaticIPaddressestodevicesthatprovideaserviceorresourcetothenetwork–devicessuchasswitches,routers,firewalls,andservers.WhenadeviceisassignedastaticIPaddress,itallowsnetworkadministratorstoremotelyaccessandmanagethedevice,astheaddresswillneverchange.

Sinceanetworkismostlymadeupofacomputerandotherenddevicesthatoftenchangephysicallocations,it'snotwisetoalwaysassignstaticIPaddressestosuchdevices.WhenadevicewithastaticIPaddressismovedtoanotherlocation,whetherphysicalorlogical,theIPschemeatthenewlocationmaynotbethesameastheIPconfigurationsonthedeviceitself.Therefore,thenetwork


administratorwillberequiredtoreconfigurethedevicewiththeappropriateIPconfigurationstomatchtheaddressingschemeatthenewlocationonthenetwork.

Asanetworkgrows,itbecomeschallengingandabittimeconsumingtomanuallyconfigurestaticIPaddressesonnewdevicesasusersmovebetweenlocations.Additionally,staticIPaddressconfigurationisalsovulnerabletohumanerror.Forexample,theadministratormightmisconfigureadevicewithaduplicateIPaddressthatisassignedtoanothermachineorevenanincorrectsubnetmask.

TheDHCPservercanbeimplementedonalocalnetworktoautomaticallyprovideIPconfigurations,suchasanIPaddress,subnetmask,defaultgateway,andDNSserversettings.HavingaDHCPserveronanetworksimplifiesandautomatesthetaskofassigningIPconfigurationstoenddevicesefficiently.

ACiscoIOSrouterhasmanynetworkservices;anetworkadministratorcanconfigureaCiscoIOSroutertoprovideDHCPservicesonanetwork.TheDHCPserverfeaturewithinCiscoIOSallowstheroutertoalsoprovideDHCPservicestoclientsonanetwork.Thisfeatureisusefulforsmalloffices,asadedicatedDHCPserverisnotrequired.TheCiscoIOSrouteriscapableofprovidingtheDHCPservicestothelocalnetwork.

DHCPoperationsWheneveraclientisconnectedtoanetwork,whetherit'sawiredorwirelessconnection,mostclientsautomaticallysearchforanactiveDHCPserver,whichwillassignorleaseanIPaddressandotherIPconfigurationstotheclient.TheIPaddressesthatareprovidedbytheDHCPserverarealwaysleasedforaperiodof


time.

TogetabetterideaofDHCPoperations,let'stakealookatthefollowingDHCPprocess:

1. Whenaclientisconnectedtoanetwork,itstartslookingforalocalDHCPserver.ItcreatesaDHCPDiscovermessageandsendsitasabroadcastonthenetwork,asshown:

Figure10.11–DHCPDiscover

TheDHCPDiscoverpacketcontainsthesourceMACaddressastheDHCPclient,withasourceportof68,adestinationMACaddressof

FF:FF:FF:FF:FF:FF,andadestinationportof67.TheDHCPclient

usesUDPport68,whiletheDHCPserverusesUDPport67.Thesource

IPaddressisleftasblank,whilethedestinationIPaddressis255.255.255.255.

2. WhentheDHCPserverreceivestheDHCPDiscovermessage,itwill


respondwithaDHCPOffer.Atthisphase,theDHCPserverusesthesourceMACaddressfromtheDHCPDiscovermessagetocreatealeaseforanavailableIPaddressfortheclient.TheDHCPserverwillsendtheinformationintheDHCPOffermessagebacktotheclient,asshown:

Figure10.12–DHCPoffer

TheDHCPserverrespondswithabroadcastandsetsthedestinationMACaddressasthelayer2broadcast,FF:FF:FF:FF:FF:FF.

3. WhentheclientreceivestheDHCPofferfromtheserver,aDHCPRequestmessageissentbacktotheDHCPserverasaformofacceptancefortheIPconfigurationstheclienthasreceived,asshowninthefollowingdiagram:


Figure10.13–DHCPrequest

TheDHCPRequestmessageissentasabroadcasttotheserver.

4. WhentheDHCPserverreceivestheDHCPrequestfromtheclient,theserververifiesthattheleaseinformationisnotbeingusedalreadybysendinganICMPpingmessagetotheIPaddressithasassignedtothenewclient.TheDHCPserverrespondswithaDHCPAcknowledgementtocompletetheDHCPprocess,asshown:


Figure10.14–DHCPacknowledgement

TheDHCPAcknowledgementmessageisalsosentasabroadcasttotheclientonthenetwork.

TheleaseprovidedtotheDHCPclientisvalidforaperiodoftime.IfaclientwantstocontinueusingtheIPaddressassignedbytheDHCPsever,theclientsendsaDHCPRequest(unicast)messagetotheDHCPserverrequestingtheleaseberenewed.

Importantnote

Fortherenewalofleases,bothDHCPRequestandDHCPAcknowledgmentmessagesaresentasunicastmessages.

TheDHCPserverwillverifythattheleaseinformationisavailableandreturnaDHCPAcknowledgment(unicast)message.TheclientwillcontinueusingthecurrentIPaddressonceit'savailable.Keepinmindthattheclientdoesnotwaituntilaleasehasexpiredtorequestarenewal;itdoesthisrenewalprocesspriortotheexpiration.

Cisco'sDHCPconfigurationsConfiguringtheDHCPserviceonaCiscoIOSdeviceisquitesimple.UsethefollowingstepsasaguidelinewhenconfiguringDHCPonaCiscorouter.

ExcludingaddressesWhencreatingaDHCPpoolofaddresses,theCiscoIOSrouterbegins


distributingIPaddressesautomatically.It'srecommendedtocreateanexclusionpoolorrangeofaddressesthatyoudonotwanttheDHCPservertodistributeonthenetwork.Theseaddressesmayincludethosethatarestaticallyassignedtodevicesandanyreservations:

Toexcludeasingleaddress,usetheipdhcpexcluded-address

ip-addresscommand.

Toexcludearangeofaddresses,usetheipdhcpexcluded-

addressstart-addressend-addresscommand.

Next,you'lllearnhowtocreateaDHCPpoolonaCiscoIOSrouter.

CreatingtheDHCPpoolTheDHCPpoolcontainsalltheIPconfigurationsthatwillbesenttoDHCPclientsonthenetwork,suchastheIPaddress,subnetmask,defaultgateway,DNSserver,andsoon.TakethefollowingstepswhencreatingaDHCPpoolonaCiscoIOSrouter:

1. TocreateaDHCPpool,usetheipdhcppoolpool-name

command.Onceyou'vecreatedapool,youwillentertheDHCPconfigurationmodeforthepool.

2. Usethenetworknetwork-IDsubnet-maskcommandtodefine

theaddresspool.

3. Thedefault-routerip-addresscommandisusedtospecifythe

defaultgatewayaddress.


4. Thedns-serverip-addresscommandisusedtodefinetheDNS

servers.

5. Thedomain-namedomaincommandisusedtodefinethedomain

nameonthenetwork.

Importantnote

TodisableDHCPservicesonaCiscoIOSrouter,usethenoservice

dhcpcommandinglobalconfigurationmode.ToenableDHCPservices,

usetheservicedhcpcommand.

MultiplepoolscanbecreatedonthesameDHCPserverorCiscoIOSdevicetofacilitateanorganizationwithmultiplenetworksandasingleDHCPserver.

Tip

ACiscodeviceinterfacecanbeconfiguredasaDHCPclientbyusingtheip

addressdhcpcommand.

Inthenextsection,wewilllearnabouttheconceptsandbenefitsofusingDHCPrelayonaCisconetwork.

DHCPrelayInmanyorganizationswithlargeandcomplexnetworks,theserversareusuallylogicallylocatedwithinadatacenteroradifferentsubnet.Theseserversusuallyprovidenetworkservicesandhostapplicationsfortheentireorganization'susersanddevices.TheseservicesincludeDHCP,DNS,filehostingservices,andso


on.Whenaclientwantstoaccessthesenetworkservices,theclientdevicesendsabroadcastmessageinthehopeoflocatingtherelevantserver.

Let'simagineaclientisconnectedtoanetwork.ItbroadcastsaDHCPDiscovermessagetolocateaDHCPserverbecauseitneedsanIPaddress.IftheDHCPserverisnotonthesamesubnetastheDHCPclient,therouterwillpreventtheDHCPDiscovermessagefrompropagatingbelowthelocalsubnet.ThiscausesanissuebecausetheclientwillnotreceiveanIPaddressandotherIPconfigurationstocommunicatewithotherdevicesonthenetwork.

ThefollowingdiagramshowsaDHCPserverislocatedonanothersubnet:

Figure10.15–Therouterdoesnotforwardbroadcastmessages

ADHCPDiscovermessageissentasabroadcast,androuters(layer3devices)blockanybroadcastmessagesfrompropagatingbydefault.However,CiscoIOShasasolutiontoallowtheforwardingofDHCPDiscoverandDHCPRequestmessagestoaDHCPserveronadifferentsubnet.


Theiphelper-addresscommandcanbeappliedtotheinterfaceofthe

routerthatreceivesDHCPDiscoverandDHCPRequestmessages.Therefore,wecanusethefollowingcommandstoconfiguretheroutertoforwardDHCPbroadcastmessages:


R1(config-if)#iphelper-address172.16.1.2

R1(config-if)#exit

Thefollowingdiagramshowstheeffectofapplyingtheiphelper-

addresscommand:

Figure10.16–DHCPpropagation

iphelper-addressshouldalwaysbeappliedtotheinterfacethatis

connectedtoorfacingtheDHCPclientsonthenetwork.Inthenextsection,youwilllearnhowtoconfigureDHCPservicesandDHCPrelayonaCiscoIOS


router.

Lab–configuringDHCPandDHCPrelayInthislab,youwilllearnhowtoconfigureDHCPservicesinaCiscoenvironment.PleasekeepinmindthatthislabissimplyanextensionofthepreviouslabonNTPservices,sowewillbeusingthesamenetworktopologyasshowninthefollowingscreenshot:

Figure10.17–DHCPlab

Togetstarted,usethefollowinginstructionstoimplementDHCPonthetopology:

1. ExcludeaddressesthatyoudonotwanttobeassignedtoclientdevicesbytheDHCPserver:

HQ(config)#ipdhcpexcluded-address192.168.1.1

192.168.1.10

HQ(config)#ipdhcpexcluded-address172.16.1.1

172.16.1.10


Wehaveexcludedthefirst10addressesofeachprivatenetwork:192.168.1.0/24and172.16.1.0/24.Thisisanexampleto

demonstratehowtousetheDHCPexclusioncommand.

2. CreateaDHCPpoolfortheHQLANnetworkontheHQrouter:

HQ(config)#ipdhcppoolHQ-LAN

HQ(dhcp-config)#network192.168.1.0

255.255.255.0

HQ(dhcp-config)#default-router192.168.1.1

HQ(dhcp-config)#dns-server209.65.200.20

HQ(dhcp-config)#exit

ForeachDHCPpool,configuretherangeofaddressestobedistributedviatheserverbyusingthenetworkcommand.Thedefault-router

commandisusedtospecifythedefaultgatewayforDHCPclients.(TheDNSserverinformationwillbeusedinthenextlab.)

3. CreateanotherDHCPpoolfortheBranch-ALANnetworkontheHQrouter:

HQ(config)#ipdhcppoolBranch-A-LAN

HQ(dhcp-config)#network172.16.1.0255.255.255.0

HQ(dhcp-config)#default-router172.16.1.1

HQ(dhcp-config)#dns-server209.65.200.20

HQ(dhcp-config)#exit


4. ConfiguretheBranch-ArouterasaDHCPrelaytotheHQrouter:

Branch-A(config)#interfaceGigabitEthernet0/0

Branch-A(config-if)#iphelper-address192.0.2.1

Branch-A(config-if)#exit

iphelper-addressisalwaysconfiguredontheLANsideofthe

routerwiththeIPaddressoftheDHCPserver.

5. OntheBranch-Arouter,usetheshowipinterfacecommandto

validatethattheDHCPhelperaddressisconfigured:

Figure10.18–Helperaddress

6. ClickonPC1andPC2,selecttheDesktoptab,thenclickonIPConfigurationandsetittoDHCP,asshown:


Figure10.19–IPaddressing

Afterawhile,eachDHCPclient–PC1andPC2–willreceiveitsIPconfigurationsfromtheDHCPserver,theHQrouter.

7. OntheHQrouter,theshowipdhcpbindingcommandshowsthe

numberofclientdevicesthatareusinganIPaddressfromtheDHCPserver,theclient'sMACaddress,theleasetime,andthetype:


Figure10.20–DHCPbindingtable

SinceaDHCPpoolhasafinitenumberofavailableIPaddresses,aleaseisusedtosetthedurationofhowlongaclientcanuseanIPaddress.Whentheleaseexpires,theIPaddressontheclientmachineisreturnedtotheDHCPserver.However,clientscanrenewtheleasepriortoexpirationtokeeptheIPaddressinuse.TheTypecolumnsimplydefineshowa

clientwasassignedanIPaddressfromtheDHCPserver.

8. Lastly,theshowipdhcppoolcommandprovidesdetailsabout

statisticswithineachDHCPpoolontheCiscoIOSrouter:


Figure10.21–DHCPpool

Havingcompletedthislab,youhavegainedthehands-onskillstouseaCiscoIOSrouterasaDHCPserverandaDHCPrelayonanetwork.Inthenextsection,wewilltakealookatDNSasanetworkservice.

DomainNameSystemLet'simagineyouwanttoresearchadditionalinformationabouttheCiscoCertifiedNetworkAssociate(CCNA)certification.ThebestplacetostartresearchingwouldbeCisco'swebsiteatwww.cisco.com.OpenyourfavoritewebbrowserandsimplyentertheURLintotheaddressbarandhitEnter.Afterafewseconds,theCiscowebsiteappearsandyoucancontinueyourresearch.Everythingseemstoworklikemagic,buthaveyoueverwonderedhowyour



computerdeterminestheIPaddressforthewebserverthatishostingCisco'swebsite?

AsmentionedinChapter3,IPAddressingandSubnetting,eachdevicethatisconnectedandexchangingmessagesonacomputer-basednetworkmustbeassignedauniqueIPv4orIPv6address.Thesameisalsoappliedtoalldevicesontheinternet,suchaswebandmailexchangeservers.IfawebserverisidentifiedbyitsIPaddress,whydoesithaveawebsiteURLaddresssuchaswww.cisco.com?

Tohelpyouunderstandthesituationabitbetter,imaginehavingtorememberalltheIPaddressesofeachwebsiteyouwanttovisitontheinternet.ThatwouldbeverychallengingasIPaddressesmaychangeorbereassignedtoanotherdeviceonanetworkandeventheinternet.YoucannotconnecttoaserverordeviceontheinternetifyoudonothaveknowledgeoftheIPv4orIPv6address.

Tosolvethisissue,theDNSnetworkserviceprotocolwascreatedwiththeprimarypurposeofresolvingthehostnametotheIPaddress.Inreality,it'saloteasiertorememberaUniformResourceLocator(URL)ordomainnameofawebsite.WiththebenefitandconvenienceofusingDNS,ITprofessionalscaneasilypurchaseadomainnameandpointittoawebserverordevice.Thisallowsanyonewhoknowsthedomainname,suchaswww.cisco.com,toeasilyvisittheCiscowebsiteusingacomputerorsmartdevicewithastandardwebbrowser.

BeforethedaysofDNS,eachcomputerhadafileknownasthehostsfile.The

hostsfilewouldcontainthehostnameforIPaddressmapping.Whenevera

userwantstovisitawebsite,theyenterthehostname,andthecomputerthenqueriesthelocalhostsfileinsearchofanavailablemapthatinformsthe




computeroftheIPaddresstoreachthehostname.However,ifthehostsfile

doesnothaveanavailableentryforthehostname,thecomputerwillnotknowhowtoreachtheserver.Usershavetoensurethatthehostsfileisfrequently

updatedtocontainthemostup-to-daterecords.

ToviewthehostsfileonaWindowsoperatingsystem,goto

C:\Windows\System32\drivers\etc\hosts.Thefollowingisthe

contentswithinthehostsfileonaWindows10operationsystem:


Figure10.22–Thehostsfile

Frequentlyupdatingthehostsfileisnotagoodstrategyastheinternetis

continuouslygrowing,andnewdevicesarecomingonlinewithnewanduniquehostnames.ThecreationofDNSserverscameabout,witheachserverbeingtherootforitsdomainandcontainingalltheDNSrecordsforaspecificTop-LevelDomain(TLD).ATLDisadomainthathastheroot(.)andendswithaname

suchas.com,.net,.org,.xyz,andsoon.Adomainnameisadomainthat

containsanamewithaTLD,suchascisco.com.AFullyQualifiedDomain

Name(FQDN)containsanadditionalextension,ahostname,andadomainsuchaswww.cisco.com.TheFQDNspecifiedtheexactlocationordevice.Forexample,cisco.comissimplyadomainnamethatmaycontainmanydevices,

butspecifyinganFQDNsuchaswww.cisco.comsimplysayswearetryingtoconnecttothedevicewiththehostnamewwwthatbelongswithinthe

cisco.comdomain.

DNSrootserversAsmentioned,therearevariousrootDNSserversthatcontaintheDNSrecordsforeachobjectthatbelongstotheparentdomain.Asshowninthefollowingdiagram,the.comrootservercontainsalltheDNSrecordsforcisco.com

anditssub-domains,suchascommunity.cisco.com:




http://community.cisco.com

Figure10.23–DNShierarchy

WheneveradevicewantstolookuptheIPaddressforahostname,itwillsendaDNSquerytoitsconfiguredDNSserver.Oncetherecordisfound,theDNSserverwillsendaDNSreplywiththeIPaddressforthehostnamebacktothecomputer.ThecomputerwillusetheIPaddresstoreachthehostnameordevice.

ThefollowingdiagramshowstheDNSprocesswhenauserentersaURLwithinthewebbrowser:


Figure10.24–DNSprocess

TherearemanyfreepublicandreliableDNSserversontheinternet;thefollowingaresomeofmypersonalrecommendationsastheyprovidespeedandsecurity:

CloudflareDNS:https://1.1.1.1/

CiscoOpenDNS:https://www.opendns.com/

GoogleDNS:https://developers.google.com/speed/public-dns

WhatifyourDNSserverdoesnothavetherecordofaspecifichostnameordomainname?Whatwillitdo?DNSserversoftenexchangeinformationwitheachothertoensuretheirrecordsarealwaysuptodate.IfaDNSserverdoesnot


https://1.1.1.1/

https://www.opendns.com/

https://developers.google.com/speed/public-dns

havearecord,itcanrespondbyinformingtheclientitdoesnothaveoneorbysimplyaskinganotherDNSserverfortheinformationandthenrelayingtheresponsebacktotheclient.

DNSrecordtypesTherearemanyDNSrecordtypesthatareusedonaDNSserver:

A:ResolvesthehostnametoanIPv4address

AAAA:ResolvesthehostnametoanIPv6address

MX:Mapsthedomaintomailexchange(email)servers

NS:Pointstothedomain'snameservers

CNAME:Allowsyoutocreateanaliasnameforthedomain

SOA:Usedtospecifytheauthorityforthedomain

SVR:Specifiestheservicerecords

PTR:MapsanIPaddresstoahostname

RP:Specifiestheresponsiblepersonforadomain

HINFO:Specifieshostinformation

TXT:AllowsyoutoaddtextasaDNSrecord

Therefore,ifacomputerwantstodeterminetheIPv4addressforCisco'swebsite,www.cisco.com,thecomputerwillneedtosendaDNSquery



requestingtheArecordfromtheDNSserver.Thenslookuputilityonboth

MicrosoftWindowsandLinuxoperatingsystemsareusedtotroubleshootDNSissuesontheclientsideofthenetwork.

Lab–configuringDNSInthislab,youwilllearnhowtoconfigureDNSservicesinaCiscoenvironment.PleasekeepinmindthatthislabissimplyanextensionofthepreviouslabonNTPandDHCPservicesandwewillbeusingthesamenetworktopologyasshowninthefollowingdiagram:


209.65.200.20viaDHCP,wecanmoveontothenextstep.

3. OnPC1andPC2,clickonDesktopandopentheWebBrowserapplication.Enterthewebaddressofthewebserver,http://websvr.local,andclickonGo:

Figure10.27–Webpage

TheoutputshowsPC1isabletoreachthewebserverviathehostname,websvr.local.ThisisvalidationthattheDNSserverisabletoresolve

thewebsvr.localhostnametoitsIPaddressinthebackground.

4. OnPC1,opentheCommandPromptapplication.Usethenslookup

utilitytoverifytheDNSconfigurationsonthelocalmachine:


Figure10.28–DNSvalidation

Afterenteringthenslookupcommand,thesystemprovidesuswiththeDNS

settingsitiscurrentlyusing–209.65.200.20–asitsDNSserver.Next,by

enteringthehostname,websvr.local,thesystemqueriestheDNSserver

(209.65.200.20)toretrievetheDNSARecordtothehostname.TheDNS

server(209.65.200.20)wasabletoresolvethewebsvr.localhostname

totheIPaddress209.65.200.30.Additionally,ifyouattempttopingthe

domainname,websvr.local,theDNSserverwillresolvetheIPaddressand

willrespond.

Havingcompletedthislab,youhavegainedtheessentialskillsneededtoconfigureandunderstandDNSconceptsonaCiscoenterprisenetwork.

UnderstandingthebenefitsofusingSyslog


Wheneventsoccuronanetwork,networkingdevices,suchasrouters,switches,andfirewalls,generatealogmessagetonotifytheadministratorwithdetailsabouttheevent.Theselogmessagescancontaindetailsaboutcriticalornon-criticalevents.Networkprofessionalsuseawiderangeoftoolsandoptionsformanagingtheselogmessages,suchasstoring,displaying,interpreting,andnormalizing.Thishelpsnetworkprofessionalstofocusonthemorecriticallogmessagesanddeterminethetimelineofaneventthathasoccurred.

Syslogisbothaprotocolandstandardforaccessing,creating,andmanaginglogmessagesonacomputerandnetworkdevice.Syslogdefinesthemethodofhowsystemmessages,suchaslogs,aregenerated,formatted,andaccessed.

Importantnote

TheSysloglogusesUDPport514tosendeventmessagesacrossanetworktoa

centralizedSyslogserverformanagement.

Implementingproperlogmanagementonanetworkhasseveralbenefits,suchasthefollowing:

Havingproperlogmanagementwithinanetworkhelpsnetworkprofessionalstoimprovebothmonitoringandtroubleshooting.

YoucanconfiguredevicestosendlogmessagesofacertainseverityleveltothecentralizedSyslogserveronthenetwork.

Asanetworkprofessional,youcanspecifythedestinationofyourSyslogmessage,suchasaserver.

Bydefault,Ciscodeviceslogtheirsystemmessagestotheconsoleline.


However,adevicecanbeconfiguredtologitsmessagestoaninternalbufferwithinthedeviceitself,onaTerminalline(VTY),andeventoaSyslogserveronthenetwork.It'srecommendedtosetupacentralizedlogserveronthenetworktocapturelogmessagesfromallnetworkdevices;thisstrategywillallowyoutoviewallthecorrelatedlogsinsequentialorder.Thisallowsyoutoseeatimelineofeventsthroughoutthenetworkthroughasingledashboardinterfaceontheserver.

SyslogseveritylevelsEachSyslogmessagecontainsaseveritylevelandafacility.Thefollowingtableshowsalltheseveritylevelsindescendingorderandtheirdescription:


Figure10.29–Syslogseveritylevels

Here'sasimplewaytoremembertheSyslogseveritylevels–takeeachinitialletterfromeachlevelandcreateaphrase.Ifoundthefollowingphraseontheinternetandthoughtitwasabitgoofybutanawesomewaytoremembereachseveritylevel:EveryAwesomeCiscoEngineerWillNeedIce-creamDaily.

ThefollowingisthedefaultSyslogmessageformatonCiscoIOSdevices:

seqno:timestamp:%facility-severity-MNEMONIC:

description

ThefollowingisabreakdownofeachpartoftheSyslogformatmessage:

seqnorepresentsthesequencenumberassignedtoeachlogmessage.

Toenablethesequencenumber,usetheservicesequence-

numberscommandontheglobalconfigurationmode.

Thetimestampareaincludesthedateandtimeoftheevent.Toenablea

timestamp,usetheservicetimestampscommandontheglobal

configurationmode.

facilityrepresentswhatthelogmessageisreferringto,suchasa

protocol,module,orthesourceoftheproblem.

severityprovidesaseveritycodeintherange0–7,whichdescribes

howcriticalthealarmis.

MNEMONICissimplytextthatisusedtouniquelydescribethealarm.

descriptionsimplycontainsabriefdescriptionoftheeventoralarm.


ThefollowingisanexampleofaSyslogmessagegeneratedbyaCiscoIOSrouter:

*Apr28,15:53:58.5353:%LINEPROTO-5-UPDOWN:Line

protocolonInterfaceGigabitEthernet0/1,changed

statetoup

WecanseethatthetimestampisApr28withthetimeas15:53:58.5353,

facilityisLINEPROTO,theseveritylevelis5,MNEMONICisUPDOWN

andthedescriptionisLineprotocolonInterface

GigabitEthernet0/1,changedstatetoup.

ThefollowingisanexampleofaSyslogmessagecontainingasequencenumber:

000019:%SYS-5-CONFIG_I:Configuredfromconsoleby

vty2

Thesequencenumberintheexampleis000019.

Importantnote

Toforcethelogmessagestodisplayadateandtime,usetheservice

timestampslogdatetimecommandintheglobalconfigurationmode.

Bydefault,Syslogmessagesaregeneratedwithoutdatesandthiscanbeaproblemwhenweneedtotrackissuesbydate.

Whenitcomestoacquiringaloggingserver,therearemanyfreeandcommercialproductsfromreputedvendorsthatallowyoutosimplydownloadandinstallthemonyouroperatingsystem.Forexample,SolarwindshasitsKiwiSyslogServer(www.kiwisyslog.com)asacommercialproduct,while


http://www.kiwisyslog.com

PRTG(www.paessler.com)isabletofunctionasafreeSyslogserver.

Inthenextsection,youwilllearnhowtoimplementSyslogonaCisconetwork.

Lab–configuringSyslogInthislab,youwilllearnhowtoconfigureCiscoIOSdevicestouseSyslogandforwardlogmessagestoacentralizedlogmanagementserveronthenetwork.Thefollowingdiagramisthetopologywe'llbeusingforthisexercise;pleasenoteit'sthesameastheoneweusedinpreviouslabswiththeadditionofaSyslogserveronthe192.168.1.0/24networkwithastaticIPaddressof

192.168.1.5:

Figure10.30–Syslogtopology


Asmentionedpreviously,theonlyadditiontothetopologyistheSyslog


http://www.paessler.com

server.

ConfiguretheSyslogserverwiththeIPaddressandsubnetmaskasshowninthediagram.

EnsuretheSyslogserverisconfiguredwithadefaultgatewayaddressof192.168.1.1.

Nowthatyou'relab-ready,usethefollowinginstructionstoconfigureSyslogonyournetworktopology:

1. Firstly,wewillconfigurethenewservertoacceptSyslogmessages.Clickonthenewserver(192.168.1.5),selecttheServicestab,thenclickon

SYSLOG,asinthefollowingscreenshot:


Figure10.31–SyslogServer

EnsuretheSyslogserviceissettoOn,asintheprecedingscreenshot.

2. ConfiguretheBranch-AroutertosendSyslogmessagestotheSyslogserver:

Branch-A(config)#logging192.168.1.5

3. ConfiguretheBranch-AroutertosendallSyslogmessagetotheSyslogserverbyspecifyingtheseveritylevelas7,debugging:


Branch-A(config)#loggingtrapdebugging

Whenyouspecifyaseveritylevel,therouterwillsendallseveritylevelmessagesthatrangefromseveritylevel0totheseveritylevelyouspecify.Byspecifyingdebugging,therouterwillsendallSyslogseverity

messagesfromlevel0–7,asdebuggingisseveritylevel7.

4. Toenabletheservicetimestampwithmillisecondsonlogmessages,usethefollowingcommands:

Branch-A(config)#servicetimestampslogdatetime

msec

5. OntheBranch-Arouter,eitherdisconnectandreconnecttheLANcableoradministrativelyshutdowntheLANinterfacetogeneratesomeSyslogmessagesonthedevice.

6. ConfiguretheHQroutertosendSyslogmessagestotheSyslogserver.

7. HeadonovertotheSyslogserverandchecktheSyslogservice:


Figure10.32–Syslogmessages

TheSyslogmessagesthatappearherearethosethataregeneratedbytheBranch-Arouter.

8. Usetheshowloggingcommandtoverifythedefaultloggingservice

settingsontherouter:


Figure10.33–Loggingservice

Wecandeterminethatthelocalrouterlogstotheconsoleandincludesallmessagetypes,fromEmergencytoDebugging.10messageshavebeen

loggedsofar.

Havingcompletedthislab,youhavegainedthehands-onskillstoimplementSyslogonCiscoIOSdevices.Inthenextsection,wewilldiscoverhowtomonitorandmanageyournetworkusingSNMP.

SimpleNetworkManagementProtocol


SNMPwasdesignedtoenableITadministratorstomanagenetworkandenddevices,suchasworkstations,servers,switches,routers,andsecurityappliances,easilyonanIP-basednetwork.SNMPprovidesthefunctionalitytoallowdeviceadministratorstomonitor,manage,andtroubleshootnetworkperformance.

SNMPismadeupofthefollowingthreecomponents:

SNMPmanager

SNMPagent

ManagementInformationBase(MIB)

ThesethreecomponentsallworktogethertocreateaNetworkManagementSystem(NMS).TheSNMPmanageristheapplicationthatisinstalledandrunningontheadministrator'scomputer.TheSNMPmanagerisresponsibleforcollectingtheinformationfromtheSNMPagentsusingSNMPGETmessages.

Themanagerisabletomakemodificationstothenetworkdevice'sconfigurationbyusingSNMPSETmessages.

TheSNMPagentandMIBexistontheactualnetworkingdevice,suchasaswitchorrouter.TheSNMPagentisthecomponentthatcommunicateswiththeSNMPmanageracrossthenetwork.TheuserinteractswiththeSNMPmanager,whichthenrelaystheinformationtotheSNMPagent.TheSNMPagenteithergathersinformationandsendsitbacktotheSNMPmanagerorexecutesasetofinstructions.

TheMIBislikeadatabasethatcontainsdataonthenetworkdeviceanditsoperationalstate.ThisinformationisavailableonlytouserswhoareauthenticatedviaSNMPonthelocaldevice.Putsimply,theSNMPagentmust


beconfiguredonanetworkdevice,thentheuseropensanSNMPmanagerapplicationontheircomputerandsimplyspecifiestheIPaddressofthetargetdeviceandusercredentials,suchasacommunitystring.Ifthecredentialsarevalid,theSNMPmanagerwillauthenticatetheSNMPagentonthenetworkdevice,allowingtheusertointeractwiththedeviceandgatherinformationandmakeadjustmentsonit.

Importantnote

SNMPoperatesonUDPport161.However,SNMPagentssendSNMPtrap

messagestotheSNMPmanageronUDPport162.

ThefollowingdiagramshowstheoverallflowofmessagesontheNMS:

Figure10.34–SNMPmessages

TheSNMPGETrequestisusedtogatherorquerythedeviceforinformationand

theSNMPSETrequestisusedtomodifytheconfigurationonthedeviceviathe


SNMPagent.TrapmessagesarelikenotificationsthataregeneratedandsentbyanSNMPagenttoalerttheSNMPmanageraboutaneventonthenetworkdevice.

ThefollowingfigureshowsanSNMPmanagerinterface:

Figure10.35–SNMPmanager

Theprecedingscreenshotshowssomeinformationaboutaswitchonanenterprisenetwork.Togatherthisinformation,theSNMPmanager(Solarwinds)


hassentanSNMPGETmessagetoretrievetheinformationforus.Oncethe

informationisgathered,itispresentedontheSNMPmanagerGUI.TheSNMPprotocolwasabletogatherdetailssuchastheCPUandmemoryload,latency,andpacketlossstatistics.Withoutusingthecommandline,theSNMPmanagerisabletoshowusthedaysandtimeswhennetworklatencywashigherthanothers.Thisinformationcanbeusedtogeneratereports,createnetworkbaselines,andassessanynetworkperformanceissues.

TheSNMPtrapsarecontinuouslyexchangedbetweentheSNMPmanagerandtheSNMPagenttogatherinformationaboutthenetworkdevice.ThedownsideoftheSNMPpollingmechanismisthedelaybetweenaneventoccurringonanetworkdeviceandtheSNMPmanagertakingnoticeofit.SomeorganizationsconfiguretheirSNMPpollingintervalsto10minutes,whichallowstheNMStodetectanevent/issuewithin10minutesofoccurrence.However,thisintervalmaybetoolongwhenitcomestodetectingafailureonacriticalnetwork,sopollingintervalscanbeadjustedtofittheorganization'sresponsetimetomeetnetworkissues.Keepinmindthattoomanypollingmessagesmayfloodtheavailablebandwidthonthenetwork.

SNMPversionsThereareseveralversionsofSNMP.Theseareasfollows:

SNMPv1

SNMPv2c

SNMPv3

SNMPv1doesnotprovideanyformofauthentication,privileges,orencryption


betweentheSNMPmanagerandtheSNMPagent.SNMPv2cusescommunitystrings–publicandprivate–foradministrativetasks.Thepublicstring

isusedforread-onlytasks,whiletheprivatestringisusedforread-write

actions.However,SNMPv2cdoesnotprovideanyauthenticationorencryption.SNMPv3comeswithimprovedsecuritytoprovideauthenticationforusersandusergroups.SNMPv3usesMessageDigest5(MD5)orSecureHashingAlgorithm(SHA)duringitsauthenticationphase,andDataEncryptionStandard(DES)orAdvancedEncryptionStandard(AES)fordataencryption.

SNMPv1andSNMPv2cbothusecommunitystringstoaccessMIBonanetworkorcomputerdevice.ThefollowingaretwotypesofcommunitystringsusedinSNMP:

Read-only(ro):ThisstringallowsyoutoaccesstheMIBonthenetwork

devicebutdoesnotallowyoutomakemodificationsonthedevice,henceread-only.

Read-write(rw):Allowsyoutobothreadandwritetoallobjectswithin

theMIBonthedevice.

Next,youwilldiscoverthepurposeoftheMIBandthekeyrolesitplaysinSNMP.

ManagementinformationbaseTheMIBisadatabasethatcontainsalltheObjectIDs(OIDs)foreachcomponentonthenetworkdevice.Toputitsimply,fortheSNMPmanagertointeractwithaninterfaceofarouter,togathernetworkstatisticsfromthe


interface,forexample,anOIDmustexistforthatspecifictaskontherouter.

OIDsarerepresentedasvariableswithintheMIB.TheMIBisdesignedasahierarchicaltreestructurecontainingmanychildsub-sectionsknownasbranches.ThefollowingdiagramshowstheMIBOIDsusedbyCiscodevices:

Figure10.36–MIB

TheSNMPmanagerusestheOIDvaluesfromtheMIBtogatherinformationormakechangestoobjectsontheSNMPagentdevice.ThehierarchicalstructuredefineswhereanSNMPmanagercanfindspecificinformationaboutadevice.


Tip

TheCiscoSNMPObjectNavigatortoolisafreeonlinetooltohelpyoutranslateOIDsintotheirrespectiveobjectnamesanddetails.

Inthefollowingexercise,youwilllearnhowtoconfigureSNMPonCiscodevices.

Lab–configuringSNMPInthislab,youwilllearnhowtoconfiguretheSNMPserviceinaCiscoenvironment.PleasekeepinmindthatthislabissimplyanextensionofthepreviouslabonDNSservicesandwewillbeusingthesamenetworktopologyasshowninthefollowingdiagram:


Figure10.37–SNMPlabtopology

TheobjectiveofthislabistoenableSNMPonboththeHQandBranch-Arouters.OnceSNMPisenabled,we'llusePC1astheSNMPmanagertoretrievedeviceinformationandmakeconfigurationstotherunning-configfileon

therouter.

ToconfigureSNMPontheCiscoIOSrouter,usethefollowinginstructions:


1. OntheBranch-Arouter,configurethecommunitystring(public)and

theaccesslevelforread-only(ro)usingthefollowingcommands:

Branch-A(config)#snmp-servercommunitypublicro

2. Next,configureacommunitystring(private)withaccesslevelfor

read-write(rw)ontheBranch-Arouter:

Branch-A(config)#snmp-servercommunityprivate

rw

Read-writewillallowtheSNMPmanagertousetheprivate

communitystringtomakemodificationstotheconfigurationsofthedevice.

3. Applysteps1and2ontheHQrouter:

HQ(config)#snmp-servercommunitypublicro

HQ(config)#snmp-servercommunityprivaterw

4. HeadonovertoPC2,opentheDesktoptab,andselectMIBBrowser,asinthefollowingscreenshot:


Figure10.38–PC2Desktopinterface

5. ClicktheAdvanced…button,asinthefollowingscreenshot:


Figure10.39–MIBBrowser

6. Anewwindowwillappear.SettheReadCommunityvalueaspublic,

WriteCommunityasprivate,andSNMPVersionasv3andclick

OK:

Figure10.40–SNMPbrowsersettings

7. Intheleftpanel,expandtheMIBtreestructuretoios>org>dod

>internet>mgmt>mib-2>system>sysUpTime,set


OperationsasGet,andclickonGO:

Figure10.41–Deviceuptime

TheSNMPmanageronPC2wasabletoretrieve(GET)thedevice's

uptimefromtheSNMPagentontherouter.

8. Tomakeamodificationtothedevice'sconfiguration,wecanusetheSNMPSEToperation.Tochangethedevice'shostnametoBranch-A-


RTR,navigatetothesysNamebranch,usetheSEToperation,andset

DataTypetoOctetStringandValuetoBranch-A-RTR,asshown

inthefollowingscreenshot:

Figure10.42–TheSNMPSEToperation

OnceyouclickonGO,theMIBmanagerwillusetheSNMPSETmessageto

informtheSNMPagentontheroutertomaketheadjustmentonthedevice.


Havingcompletedthislab,youhavelearnedhowtoenableSNMPonaCiscoIOSdeviceandsawtheoperationsofSNMPonaCisconetwork.Inthenextsection,wewilltakealookatunderstandingthekeyroleQoSplaysinanenterprisenetwork.

QoStrafficclassificationLet'simaginetheroadwaysofacitydonotwidenautomaticallyandiftherearetoomanyvehiclesusingthemedium(roadways)andtheyarenotexitingquicklyenough,trafficstartsaccumulatingandresultsincongestion.Therefore,eachpersonmaytakeamuchlongertimetoreachtheirdestination.

Inaproductionenvironment,you'rethenetworkengineerforaverylargeorganizationwithalotofusersandmanynetworkapplications.Eachday,usersaresimultaneouslyaccessingbothinternalresourcesonthenetwork,suchaslocallyhostedapplications,andexternalresources;therearetonsofvarioustraffictypesthataretravelingalongthenetworkeachday.Whatwouldyoudoifusersbeganexperiencinganunacceptableuserexperienceonthecorporatenetwork,suchasveryslowresponsetimes?

Eachday,therearethousandsandevenmillionsofpacketsbeinggeneratedbydevicesandtheyaresentwithmessagestoanotherdeviceasaformofdigitalcommunication.Sometimes,whenthereistoomuchtrafficonthenetworkthatexceedsthebandwidthbetweenasenderanddestination,networkcongestionoccurs.

Onanetwork,someofthesetraffictypesincludevoiceandvideotransmissionforonlineandvirtualcollaborationwithothermembersofstaff,whileothertraffictypesmaybeusingUserDatagramProtocol(UDP)astheirtransport


layerprotocol,whichdoesnotguaranteethedeliveryofamessage.UsingQoStoolsonanetwork,professionalscanclassifyandprioritizenetworktraffictypes,suchasvoiceandvideo,overnon-time-sensitivetraffic,suchaswebbrowsingandemail.

Whiledevicessuchascomputers,servers,andIPphonesaresendingtraffictothenetworkswitchandrouters,theyarenotconsideringwhetherthenetworkingdevicesareabletotransmitmessagesasfastasit'sbeingreceived.Switchesandroutersareusedtoconnectdevicesandnetworks;theysitatthecoreofallexchangepointsonanenterprisenetwork.Thismeanstheyacceptthousandsofpacketsperminuteontheirphysicalinterfacesandhavetoprocesseachincomingmessageandforwarditthroughanoutgoinginterfacetowarditsdestination.Allnetworkingdeviceshaveabufferoflimitedsizethattemporarilystoresincomingmessages(inaqueue)untilthedeviceisabletoprocessandforwardthem.Whenadevice,suchasarouter,receivestoomanyincomingmessagesandthebufferisfull,newincomingmessagesmaybediscardeduntiltherouterisabletoprocesstheexistingmessagesandfreethebuffermemory.

Importantnote

Thequeuingoftrafficincreasesthedelayonanetwork.Hence,networkcongestioncausesdelays.

Thisisnotgoodforanetworkthathascriticalapplicationsthatgeneratetime-sensitivetraffic,suchasvoiceandvideo.ImagineyourorganizationhasaVoiceoverIP(VoIP)solutionandduringeachphonecallwithanotheremployeeorexternalparty,forthedurationofthecall,theotherpersonandyourselfhaveanunacceptableexperience,suchasnothearingeachwordtheotherpersonis


saying,hearingstatic,andevenexperiencingdelays.VoiceandvideotrafficuseUDPastheirpreferredtransportlayerprotocolbecauseUDPcreatesalotlessoverheadonthenetworkandit'smuchfasterthanTransmissionControlProtocol(TCP).However,thedisadvantageofusingUDP,especiallyforvoiceandvideotraffictypes,isthatUDPisaconnectionlessprotocolandthereisnoguaranteeofdeliveryforanymessages.Therefore,voiceandvideotraffichasamuchhigherpossibilityofbeingdiscardedordroppedonanetworkifcongestionoccursalongthepath.UsingQoStools,anetworkengineercanconfigurenetworkdevicestoprioritizecertaintraffictypesoverotherstoensureusershaveanacceptableexperienceonthenetwork.

Importantnote

AnetworkdevicewillonlyimplementQoSwhenitisexperiencingsomeformofcongestion.

QoSterminologiesThroughoutyourjourneyinthefieldofnetworking,youwillencountermanytechnologiesandterminologies.Inthissection,youwilllearnabouttheterminologiesthatareusedtodescribecertaincharacteristicsofanetworkandhowtheyhelpustodefinenetworktransmissionquality.

Bandwidth:Bandwidthreferstotheamountofbitsthatcanbetransmittedinasecond.Thisiscommonlymeasuredasbitspersecond(bps).Onnewernetworkdevices,therearehighercapacityinterfaces,suchasGigabitEthernetports,whichcansupportuptoonegigabitpersecondoftraffic.

Congestion:Asmentionedearlier,congestioncausesdelaysonanetwork.


Congestionoccurswhenthereisalotmoretrafficonanetworkthanitcanhandle.Thebufferwithinnetworkdevicesbecomesoverwhelmedwhenthereisalotofincomingtrafficfillingupthebuffermemoryfasterthanthenetworkdevicecanprocessitandforwardittoanoutgoinginterface.Networkdevicesareusuallylocatedatthecongestionpointsonanetwork,whichiswhereQoSshouldbeapplied.

Delay:Delayisalsoreferredtoaslatency.Thisisthetimeittakesapackettotravelbetweenasourceandadestination.Anetworkwithhighlatencywillresultinusersexperiencingslowerresponsetimestonetwork-basedapplicationsthatarehostedonalocalserver.Theobjectiveistoensureanetworkhasaverylowresponsetimebetweenanysenderanddestination.

Jitter:Jitteristhevariationofthedelayofincomingpackets.Onastablenetwork,thelatencyofacontinuousstreamofpacketsreceivedfromasinglesourcewillbethesame.However,networkcongestion,improperqueuing,andinterfaceerrors(collisions)affectthelatencybetweeneachpacketbeingreceivedonadevice.

Packetloss:Oncethebufferisfull,newincomingpacketswillbediscardedordroppedfromthenetwork.Thisresultsinpacketloss.Havingtoomuchpacketlossonanetworkmakesitdifficulttotransmitamessagebetweenasourceanddestination.IfthemessageisusingTCP,thesenderwillre-transmitthedroppedpacketuntilthedestinationsendsanacknowledgement,unlikeUDP,wherethesenderwillnotre-transmitthemessage.

TraffictypecharacteristicsMoreusersaremovingtheirbusinessapplicationstothecloud,employeesare


workingremotelyathome,andacademicinstitutionsareusingtheinternetandtechnologiestodelivertheirclassestoaglobalaudience.Theincreaseinvoiceandvideotrafficovertheyearshasbeenrapid,anditiscontinuingtosurpassdatatrafficonanenterprisenetwork.

Voicetrafficisquitepredictableandsmoothflowing.However,itisverysusceptibletopacketlossanddelaysoveranetwork.SincevoicetrafficusesUDP,ifapacketislost,thesenderdoesnotre-transmitthemessage.Therefore,voicetrafficshouldbeconfiguredwithahigherpriorityoverallothertrafficonthenetwork.Voicetrafficcantoleratesomelevelsofpacketloss,latency(delay),andjitterbeforeitbecomesnoticeablebythereceiver.

Voicetrafficshouldusethefollowingrecommendations:

Thedelayorlatencyshouldnotexceedmorethan150milliseconds(ms).

Jittershouldnotexceedmorethan30milliseconds(ms).

Packetlossshouldnotexceedmorethan1%.

Voicetrafficrequiresaminimumof30kbpsofbandwidth.

Unlikevoicetraffic,videotrafficusesalotofextrabandwidthandwithoutanyQoSmechanismtoprioritizethetraffictype,thequalityofthevideostreamdegrades.Fromauserpointofview,thevideowillbegintoappearblurryandjaggedandtheaudiomaynotbesynchronouswiththepicture.Comparedtovoicetraffic,videotrafficisknowntobeinconsistent,unpredictable,andlessresilient.Withvideotraffic,packetsmaybereceivedat20-millisecondtime

intervals,whichthenchangesrandomlyto40-millisecondintervals,thenback

againto20milliseconds.Additionally,eachvideopacketisnotalwaysthesame


sizeinbytes;thiscausesinconsistencywhentransportingsmallandlargevideopacketsalonganetwork.

Toputitsimply,videotrafficusesUDPasitstransportlayerprotocol,whichisveryvulnerabletopacketlossanddelaysonanetwork.Videotrafficalsousesalotofnetworkbandwidthandthemessagesizevariesfrompackettopacket.

Videotrafficshouldusethefollowingrecommendations:

Latencyshouldnotexceedover400milliseconds(ms).

Jittershouldnotexceedmorethan50milliseconds(ms).

Packetlossshouldnotbemorethan1%.

Videotrafficrequiresaminimumof384kbpsofbandwidth.

Anothertraffictypeisdata.Therearemanyapplicationsandnetworkresourcesthatdonothavetoleranceforpacketlossduringtransmission,sotheyuseTCPasthetransportlayerprotocol.DuringaTCPstream,ifanypacketislostduringthetransmission,thesenderwillre-transmitthemessagetothedestination.Therearecertaintraffictypes,suchaswebbrowsing,thatuseHypertextTransferProtocol(HTTP)andHTTPSecure(HTTPS);theseprotocolssometimesoccupyalotofbandwidthonanetworkanddonotleaveroomforothertime-sensitiveprotocols.IfTCPtraffictakesupallthebandwidthonanetwork,theUDPtrafficwillhaveahigherchanceofbeingdiscardedordropped.

Althoughsomedatatraffictypesmaybemission-criticaltotheorganizationtoimprovetheQualityofExperience(QoE),anetworkadministratorcansimplyconfiguretheQoStoolstoprioritizecertaindatatraffictypesonthenetwork.


QoSqueuingalgorithmsOnemethodaCiscodeviceusestoqueueincomingtrafficiscalledFirst-In,First-Out(FIFO).Thistechniqueisquitesimple;itoperateslikethephrasefirstcome,firstserve.Whenpacketsentertheinterfaceofanetworkdevice,theyareplacedinaqueuewhilethedeviceprocesseseachmessageoneatatime,thenforwardsthemessageoutofanexitinterfacetoitsdestination.WithFIFO,thepacketsareprocessedintheordertheyarrive.Nopacketisprioritizedovertheother,asthereisonlyasinglequeueandallpacketsaretreatedequally.Packetswillbeprocessedandsentoutinthesameorderastheyarriveonthedevice,hencethenameFIFO.

ThefollowingareadditionalQoSqueuingalgorithms:

AnotheralgorithmisWeightedFairQueuing(WFQ).WFQensuresfairbandwidthallocationisgiventoalltrafficonthenetwork.Thisalgorithmusestheconceptofapplyingweights(priority)toidentifyandclassifynetworktrafficintowhatitcallsconversationsorflows.Oncethetraffichasbeenclassified,WFQthenautomaticallydeterminestheamountofbandwidththatshouldbeallocatedtoeachflow.

Importantnote

TheTypeofService(ToS)fieldwithinanIPpacketcanbeusedtoclassifytraffictypes.TOSiswhereDSCP(layer3marking)islocatedintheIPpacketfield.

ThedownsideofusingWFQisitdoesnotsupportencryptiontunnelingsimplybecausethesesecurityfeaturesmodifythepacketcontent


informationthatisrequiredbyWFQforitsclassificationmechanism.

TheClass-BasedWeightedFairQueuing(CBWFQ)algorithmissimplyanextensionofWFQ.WithCBWFQ,trafficclassescanbedefinedbasedonvariousmatchingcriteria,suchasnetworkprotocols,Access-ControlLists(ACLs),andeventheinputinterfacesonnetworkdevices.Onceamatchisfound,aFIFOqueueisreservedforeachclassandthetrafficthatbelongstoaclassisthensenttothequeue.Foreachclassoftraffic,youcanassignvariouscharacteristics,suchasbandwidth,maximumpacketlimit,andevenweights.Duringtimesofcongestion,theallocatedbandwidthisdeliveredtotheclass.

TheLow-LatencyQueuing(LLQ)algorithmaddsverystrictpriorityqueuingtoCBWFQ.Priorityqueuingenablestraffictypessuchasvoicetraffictobesentbeforepacketsthatareinotherqueues.WithLLQ,thereisjitterreductiononvoiceconversationsonanetwork.WithLLQ,traffictypesthatarevulnerabletodelayaresentfirstbeforeallotherpacketsinotherqueues.

Next,wewilldiscussvariousQoSpolicymodels.

QoSpolicymodelsWhenitcomestochoosingtheappropriateQoSpolicyforanetwork,wemustfirstunderstandthefollowingthreeQoSpolicymodels:

Besteffort

Integratedservices(IntServ)


Differentiatedservices(DiffServ)

Usingbesteffortasapolicymodelsimplyprovidesnoguaranteeorreassuranceofthedeliveryofamessageonanetwork.Asimpleanalogytohelpexplainthismodelisthelocalpostalservice.Whenyousendaletterusingthestandardpostalservice,yourletteristreatedthesameasallotherletterswithinthepostalcompany.Thereisnoprioritization.Whentheletterisdeliveredtotheintendedrecipient,thereisn'tanynotificationthattheletterhasbeendeliveredsuccessfully.Onbothprivateandpublicnetworks,besteffortisthepredominantmethodusedontheinternettodayandwillcontinuetobeusedformostgeneralpurposesbyapplicationandprotocolvendors.

Thebesteffortmodelhasthefollowingadvantages:

Itisveryscalable.

NoQoSmechanismsarerequired.

Itisverysimpleandavailabletodeployonanetwork.

Thefollowingarethedisadvantagesofusingthebesteffortmodel:

Itdoesnotprovideanyguaranteeofmessagedelivery.

Packetsmayarriveoutoforderandnotallatonce.

Thereisnoprioritizationappliedtomission-criticalapplicationsortime-sensitivetraffictypes.

SincebesteffortisnotanimplementationofQoS,it'snotconfiguredbythenetworkadministrator.However,itisstillusedbyQoSonthenetworkeven


thoughitisnotrequired.Keepinmindthatwhenusingthismodel,allmessagesaretreatedexactlythesameasallothermessagesthataretravelingacrossthenetwork.Thismeansvoicetrafficwillbetreatedthesameaswebbrowsingtraffic;noprioritizationisapplied.

AnotherQoSmodelisIntServ.IntServsupportsreal-timetraffictypes,suchasremotevideo,onlineconferencing,andvirtualrealityapplications.ThismodelwasdesignedtosupportmultipleQoSrequirements.Ithasthecapabilitytoprovideend-to-endQoSbetweenasourceanddestination,unliketheothermodels.Suchafeatureisusuallyrequiredbyreal-timeapplicationstomanagepacketstreamsoftraffic;thisisknownasmicroflow.

IntServusesaconnection-orientedtechnique,whichallowseachuniqueorindividualconnectionbetweenasourceanddestinationtospecifyrequestedresourcesonthenetwork.Theseresourcesmayincludebandwidth,delay,andevenpacketlossmetricstoensurethedeliveryofeachmicroflow.Toensureeachnetworkdevicebetweenthesourceanddestinationismadeawareoftherequiredresources,IntServusestheResourceReservationProtocol(RSVP).However,iftheresourcesarenotavailableonthepath,thesendingapplicationdoesnotforwardanydataalongthepath.

ThefollowingaretheadvantagesofusingIntServ:

Itprovidesend-to-endadmissioncontrolofresources.

Individualconnectionsbetweenasourceanddestinationhavetheirownper-requestpolicyadmissioncontrolsalongthenetwork.

ThefollowingarethedisadvantagesofIntServ:


IntServisveryresource-intensive.

Theflow-basedapproachisnotscalableinlargenetworks.

ThethirdpolicymodelisknownasDiffServ.DiffServusesasimpleandscalablemechanismtoclassifyandmanagetraffictypesusingQoS.Thismodelisabletoprovidelow-latencyformission-criticalandtime-sensitivetraffictypes,suchasvoiceandvideo,whileusingbesteffortfornon-criticaltraffictypes,suchaswebbrowsingandemail.OnemajoradvantageDiffServhasoverIntServisthatitcanprovideanalmostguaranteedQoStopacketstreamswhileremainingscalable.

DiffServdoesnotprovidetheend-to-endQoSfeature.However,beingscalableonlargeimplementationshasitsadvantages.Whenasenderforwardsitstraffictoarouter,therouterwillclassifythetrafficflowinaclassandprovidetheappropriateQoSpolicyfortheclass.

QoSimplementationmethodsInthissection,youwilldiscoverhowQoSmechanismsareappliedtotraffictypes.

ClassificationQoStoolsareappliedtoadevice'sinterface.Thisenablestherouterorswitchtomatchthefieldsinapacket(message)tomakeachoiceontakingorapplyingsomeQoSaction.Afterthedevicehasclassifiedpackets,theyareplacedinawaitingqueuefortheoutgoinginterface.Thequeuingtoolwillthenschedulewhichpacketshouldbetakenfromthewaitingqueuetoforward.Theschedule


isbasedonthepriorityplacedonapacket(message).

Thefollowingdiagramshowstheclassificationprocess:

Figure10.43–Traffictypeclassification

Next,let'slearnaboutmarking.

MarkingMarkingistheprocesswheretheQoStoolchangesoneormoreheaderfieldsinapacket,settingavalueintheheader.WithinanIPpacket,therearecertainheaderfieldsthataredesignedforthepurposeofmarkingbyaQoStool.Whenthemarkedpacketispassedalongtoothernetworkingdevices,itmakesclassificationmucheasier.


Importantnote

TheDifferentiatedServicesCodePoint(DSCP)fieldisa6-bitfieldwithinanIPpacket,whichisusedforQoSmarking.ClassofService(COS)islayer2markinginQoS.

ThefollowingdiagramshowstheDSCPfieldwithinanIPpacketusingWireshark:

Figure10.44–DSCPfield

CiscohascreatedatoolcalledNetwork-BasedApplicationRecognition(NBAR),whichisusedtomatchpackets(traffic)forclassification.


QueuingQueuingreferstotheQoStoolsformanagingthequeuesthatholdpacketswhiletheywaitfortheirturntoexitaninterfaceonanetworkdevice,suchasaswitchorrouter.Allnetworkdevicesplacepacketsinaqueuewhiletheymakeadecisiononwhethertoforwardthepacketoutofanexitinterfacetoitsdestination.

Whenusingaqueuingsystem,thetrafficmustfirstbeclassifiedsothatitcanbeplacedinanappropriatequeue(iftherearemultiplequeuespresent).Additionally,aschedulerisusedtodeterminewhichpacketistobesentwhentheinterfaceofthedevicebecomesavailable.

Ciscodevicesuseascheduleralgorithmknownasround-robin.Thisalgorithmcyclesthrougheachqueue,takingeitheronemessageoranumberofbytesfromeachqueue.Inotherwords,thealgorithmtakesafewmessagesfromthefirstqueue,thenafewfromthesecondqueue,andsoon,thenstartsbackatqueue1untilthealgorithmacquiresenoughmessagestocreateatotalnumberofbytestosendtoanexitinterface.

TherouterusestheCBWFQtooltoensureaminimumamountofbandwidthisneededforeachclassoftraffic.Thenetworkengineerwillconfiguretheweightsasapercentage–thepercentageofbandwidthneededpertrafficclass.

PolicingandshapingTheseQoStoolsaretypicallyusedontheWANedgeofatypicalenterprisenetwork.Bothofthesetoolsnoteeachpacketasitpassesandmeasuresthenumberofbitspersecondovertime.Thepolicertoolisresponsiblefor


discardingpackets,whiletheshapertoolisresponsibleforholding/keepingpacketsinthequeue.Thesetoolsaredesignedtokeepthebitratebelowacertainspeed.

CongestionavoidanceCongestionavoidanceisusedtoreducetheoverallpacketlossbypreemptivelydiscardingsomepacketsinaTCPconnection.

Havingcompletedthissection,youhavegainedessentialknowledgeoftheoperationsofQoSanditsimportanceonanetwork.

SummaryInthischapter,wecoveredawidearrayofIPservicesthatarecrucialforimprovingtheefficiencyofanenterprisenetwork.YoulearnedabouttheimportanceofpropertimekeepingandhowtoimplementNTPtoensuredevices'systemclocksaresynchronized.Furthermore,yousawthebenefitsofimplementingDHCPonanetworktoautomaticallydistributeIPaddressestoenddevicesandDNStohelpresolvehostnamestoIPaddresseseasily.

Next,yousawhownetworkmanagementprotocolssuchasSNMPcanbeusedtohelpnetworkengineerstoeasilymonitorandmanagenetworkdevices,andSyslogcanbeusedtoimprovelogmanagementusingacentralizedloggingserver.Lastly,yougainedaninsightintothedifferencethatQoScanmakeonanetwork.

IhopethischapterhasbeeninformativeforyouandishelpfulinyourjourneytowardlearninghowtoimplementCiscosolutionsandpreparefortheCCNA


200-301certification.Inthenextchapter,Chapter11,ExploringNetworkSecurity,youwilllearntheessentialsofprotectingyournetworkfromcyberthreatsandimprovingyourorganization'ssecurity.

QuestionsThefollowingisashortlistofreviewquestionstohelpreinforceyourlearningandidentifyareasthatrequiresomeimprovement:

1. WhatisthedefaultportforNTP?

A.143

B.110

C.123

D.1234

2. Whichcommandallowsyoutoconfigurethesystemclockonadevice?

A.ntpserver

B.ntpmaster1

C.ntpmaster

D.clockset

3. WhichStratumlevelhasthemostaccuratetimeonanetwork?

A.0


B.4

C.1

D.All

4. DHCPhaswhichofthefollowingopenports?

A.68

B.67

C.69

D.53

5. AfteraDHCPserverreceivesaDHCPrequestmessage,whatmessagewilltheserversendtotheclient?

A.None

B.Discover

C.Acknowledgement

D.Offer

6. WhichDNSrecordisusedtoresolveanIPaddresstoahostname?

A.SOA

B.MX


C.A

D.PTR

7. Sysloguseswhichofthefollowingports?

A.123

B.161

C.512

D.514

8. WhichportdoesSNMPuse?

A.TCP123

B.UDP161

C.TCP161

D.UDP514

9. WhichSNMPmessageisusedtomodifyadevice'sconfiguration?

A.Set

B.Trap

C.Get

D.Create


10. WhichofthefollowingisthedefaultQoSmethodforforwardingtraffic?

A.CBWFQ

B.Besteffort

C.LLQ

D.DiffServ


ConfiguringNTP:https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_3ntp.html

ConfiguringDHCP:https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-3se/3850/dhcp-xe-3se-3850-book/config-dhcp-server.html

ConfiguringDNS:https://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/24182-reversedns.html

ConfiguringSyslog:https://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/SysMsgLogging.html

ConfiguringSNMP:https://www.cisco.com/c/en/us/td/docs/ios-


https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_3ntp.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-3se/3850/dhcp-xe-3se-3850-book/config-dhcp-server.html

https://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/24182-reversedns.html

https://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/SysMsgLogging.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/xe-16/snmp-xe-16-book/nm-snmp-cfg-snmp-support.html

xml/ios/snmp/configuration/xe-16/snmp-xe-16-book/nm-snmp-cfg-snmp-support.html

ConfiguringQoS:https://www.cisco.com/c/en/us/td/docs/routers/access/800M/software/800MSCG/QoS.html


https://www.cisco.com/c/en/us/td/docs/routers/access/800M/software/800MSCG/QoS.html

Thissectionbeginsbyintroducingyoutotheessentialsofcyberthreatsandhowtheycanimpactanetwork.Then,youwilllearnhowtousevarioustoolstodiscoversecurityvulnerabilitiesandimplementsecuritycontrolstohelpmitigateandpreventbothinternalandexternalcyberthreatsinanenterprisenetwork.


Chapter11,ExploringNetworkSecurity

Chapter12,ConfiguringDeviceAccessControlandVPNs

Chapter13,ImplementingAccessControlLists

Chapter14,ImplementingLayer2andWirelessSecurity


Section5:SecurityFundamentals


Chapter11:ExploringNetworkSecurityDesigningandimplementinganetworkwithoutsecurityinmindislikeleavingallofthewindowsanddoorsopenathomewhenyougoout.Anunauthorizedvisitorcansimplyaccessyourpersonalspaceandremoveyourvaluables,simplybecauseallpointsofentryareopen.Thesameconceptsshouldbeappliedtoanetwork;securityisoneofthemostimportantfactorsanetworkengineershouldalwaysrememberwhendesigninganynetwork.

Duringthecourseofthischapter,we'lllookathowtoidentifyvariousthreatactionsandattacks,understandtheneedfornetworksecurityonanenterprisenetwork,andunderstandhowtodevelopasecurityprogramtoimproveuserawarenessandtraining.


Securityconcepts(threats,vulnerabilities,andexploits)

Passwordmanagement

Vulnerabilityassessmenttools

Authentication,Authorization,andAccounting(AAA)

Wireshark101elementsofasecurityprogram

TechnicalrequirementsTofollowalongwiththeexercisesinthischapter,pleaseensurethatyoumeetthefollowinghardwareandsoftwarerequirements:



Wireshark:https://www.wireshark.org

NessusEssentials:https://www.tenable.com/products/nessus/nessus-essentials


CheckoutthefollowingvideotoseetheCodeinAction:https://bit.ly/361vb7B

SecurityconceptsAsanetworkprofessional,ourprimaryresponsibilityistoensurealldeviceshaveend-to-endconnectivity.However,withtheriseofcyber-crime,organizationsmustensuretheirassetsarewellprotectedfromcybercriminalstryingtocompromisesystemsandnetworks.

Whendesigningasecuritynetwork,it'simportanttofirstidentifyallassetswithintheorganization.Anassetissimplyanythingthatisvaluabletoanorganization.Assetsareusuallybrokendownintothefollowingcategories:

Tangible

Intangible

People

Tangibleassetsareitemsthatarephysicallywithintheorganizationsuchas



https://www.wireshark.org

https://www.tenable.com/products/nessus/nessus-essentials


https://bit.ly/361vb7B

furniture,computers,servers,networkdevices,andcomponents.Theseassetsusuallystoredataabouttheorganizationandsometimescontainsystemlogsthatareusefulduringanincident.Intangibleassetsareitemsthatarenon-physical—theseincludeintellectualproperty,procedures,data,andanythingdigitalthatisworthvaluetotheorganization.Anothertypeofassetthatsomebusinessesdonotfocusonispeople."People"referstoemployees,customers,andevensuppliers.Anorganizationalsoneedstoprotectitshumanresourcesfromcyber-attacksandthreats.

Manyorganizationsinvariousindustriesusuallysellaproductorservicetotheircustomers,sothey'llkeeprecordsofcustomerinformationsuchasnames,locations,andcontactdetails.ThistypeofdataisreferredtoasPersonallyIdentifiableInformation(PII).Suchdatamustbesecuredatalltimesandkeptawayfromhackers.

Nowadayshackersaren'tjustlaunchingdisruptiveattackstopreventusersfromaccessingaresource—theyarecreatingmoresophisticatedattackstostealmoneyandotherfinancialassetssuchascryptocurrency(forexample,Bitcoin).Hackershaverealizedtheycanmakemoneybysimplystealingyourdataandsellingitonthedarkweborholdingithostageandencouragingyoutopayaransomtoretrieveit.

Theneedforinformationsecurityisalwaysrising,andsoistheneedforsecurityprofessionalsinallindustriestohelporganizationstoprotecttheirassetsfromhackersandotherthreats.Thefoundationsofinformationsecuritystartwiththreemainpillars:Confidentiality,Integrity,andAvailability.ThesethreepillarsformwhatiscommonlyreferredtoastheCIAtriadwithinthefieldofinformationsecurity.


TheCIAtriadAsmentionedpreviously,dataisthemostimportantassettoanorganization.Thewaydataismanagediscrucialtoitssecurity.Dataitselfexistsinthreestates:

Dataatrest

Datainuse

Datainmotion

Dataatrestreferstoanydatathatisstoredonamediumordevice.ThiscanbedatathatiscurrentlystoredonaHardDiskDrive(HDD),inonlinestoragesuchasAWSS3buckets,orevenatanoff-sitelocation.Dataatrestissimplydatathatisnotcurrentlybeingusedbyanapplicationorauser.Datainmotionissimplydatathatistravelingalonganetworkorbeingaccessedremotelybyanapplicationorauser.Anexampleofdatainmotioncanbeausercopyingafilefromthelocal/remotefileserverontotheirlocalcomputer.Datainuseisdefinedasanydatathatiscurrentlybeingaccessed/usedbyanapplicationorauser.AsimpleexampleofdatainuseisopeningaPDFfileonyourharddiskandreadingitscontents—whiletheapplicationiscurrentlyaccessingthePDFfile,thestatechangesfromdataatresttodatainuse.Asasecurityprofessional,ourtaskistoprotectallformsandstatesofdatawithinanorganization.ApplyingConfidentiality,Integrity,andAvailability(CIA)willhelpustoachieveinformationsecurity.

Confidentiality


Confidentialityensuresthatonlyauthorizedpersonshaveaccesstoviewasystemordata.Wecanapplycryptography,suchasencryption,toanydatatokeepitprivate.Duringtheencryptionprocess,anencryptionalgorithmandsecretkeyareusedtoperformtheencryptionprocess.Asecretkeyisusedtoencryptanddecryptthemessage.Thesecretkeyshouldalwaysbekeptprivateandsafeatalltimes;ifthekeyislostorstolen,thedataiscompromised.

Confidentialityplaysanimportantroleinensuringhackersandotherthreatactorsdonotgainaccesstoanorganization'sdata.TheMicrosoftWindows10operatingsystemcontainsadataencryptionapplicationknownasBitLocker.Thisapplicationallowsausertocreateanencryptedstoragecontainertostoredataatrest.IfahackerisabletoaccesstheWindows10system,thehackerwillnotbeabletoaccessthecontentsoftheBitLockercontaineraslongasit'slockedandthesecretkeyissafe.However,iftheattackerhasthesecretkeyandaccesstotheBitLockercontain,he/shecanretrievethecontentsandthereforethedataiscompromised.

Tip

TogetmoreinformationaboutBitLockeronWindows10,pleasevisitthefollowinglink:https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview.

IntegrityIntegrityplaystheroleofensuringdataisn'tmodifiedbetweensourceanddestination.Inthedigitalworld,whenadevicereceivesamessage,itneedstovalidatewhetherthatmessagewasmodifiedduringtransmissionfromthesource


https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview

tothedestination.Hackersandothermaliciousthreatscaninterceptmessagesastheyarepassingalonganetworkandmodifythemessagebeforesendingitofftothedestination.Hackersusethistechniqueforvariouspurposes,suchasspoofing,pretendingtobesomeoneorsomethingelseonanetwork,andattemptingtotrickanunsuspectingpersonintofallingvictimtoacyber-attack.

Importantnote

TheDataLinklayeroftheTransmissionControlProtocol/internetProtocol(TCP/IP)insertedaCyclicRedundancyCheck(CRC)valueintoeachmessagebeforesendingitonanetwork.ThisCRCvalueisacryptographichashvalueusedtodeterminewhetherthemessagewasmodifiedornot.

Integrityplaysanimportantpartininformationsecurity,ensuringareceiverisabletodetectwhetheramessagewascompromised.

AvailabilityTheroleofavailabilityisasimplebutchallengingone—toensureasystemorresourceisalwaysavailabletothosewhohaveaccesstoit.Duringacyber-attack,anorganization'sresources,data,applications,networkdevices,andevensystemmaybecomeunreachableandunusable.Onceasystemorresourceisunusablebylegitimatelyauthorizedpersons,anorganizationmaynotbeabletocontinueworkingatoptimalperformance.

AnexampleofavailabilitybeingdisruptedisaDenialofService(DoS)attack.ADoSattackisdesignedtoexhaustalloftheavailablecomputingpowerofatargetsystem,hencemakingitunavailabletolegitimateusers.Suchanattackcanbeappliedtoascenariowithanonlinewebserver;ifanattackerlaunchesa


DoSattackonthewebserver,thewebapplicationwillprocessalloftheincomingHTTP/HTTPSwebrequestmessagesandeventuallybecome

overwhelmedwiththehighvolumeofmessagesoriginatingfromtheattacker.Therefore,whenlegitimateusersontheinternetareattemptingtoretrievethewebpagesfromtheserver,theservermaynotrespondtothem.Hence,availabilityhasbeencompromised.

PuttingthethreepillarsofCIAtogetherOneoftheobjectivesofinformationsecurityistoensureallthreepillarsareappliedequallywithinanorganization.Maintainingthisbalanceissomewhatdifficultassomeorganizationsfocusmoreonconfidentiality;thismeanstheball(representinganorganization'sfocus)inthefollowingdiagramwouldbeplacedclosertotheconfidentialitypillar,movingawayfromintegrityandavailability.Thismeansdatawillbemoresecure(confidentiality),butaccesstothedatawillbemoredifficult(availability)andcheckinganymodificationofdatawillalsobemoredifficult(integrity).

ThefollowingdiagramshowstheCIATriadinatriangularformat:


Figure11.1–CIATriad

Ifanorganizationmakesitsdataandresourcesveryeasytoaccessandfocusonavailabilitymorethantheotherpillars,therewillbefewersecuritycontrolsinplacetoensurethedataiskeptprivatetoonlyauthorizedpersonsonly(confidentiality)andthecheckingofanyunauthorizedchangesonthedata.

Asasecurityprofessional,it'simportanttounderstandwhatthreats,exploits,vulnerabilities,andattacksstandtocompromisetheassetsofanorganization.Inthefollowingsections,thesetermswillbecoveredingreaterdetail.

ThreatsIntheworldofinformationtechnology,asmoredevicesaremovingonlineandpeopleareconnectingtotheinternet,wefindourselvesfacingsecuritythreats


eachday.Athreatisdefinedasanythingwiththemotivationtocauseharmordamagetoaperson,system,ornetwork.Asmoredevicesaregoingonlineandpersonsareconnectingtotheinternet,thereisalsoahighincreaseincyberthreats.Intoday'sworld,manyorganizationsaregoingonlinetoexpandtheircustomerreachandsupportfortheirproductsandservices.Therearemanycompaniesthatarenolongerareconsideredtraditionalbrickandmortarcompanies,butinstead,usetheinternetasatooltosupporttheirorganization.OnesuchorganizationisAmazon,whichsellsmanyitems,includingbooks.Amazonisnotatraditionalwalk-inbookstorebut,rather,anonlinebookstorethatallowspotentialbuyerstoreadtheoutline,descriptions,andreviewsofbooksandevengetapreviewbeforemakingthechoicetopurchaseone.

Almostallmodern-daybusinesseshaveaninternetconnection.Thiscreatesahugerisk—anattackerormalwarecanaccesstheorganization'sinternalnetwork.Throughoutmycareer,I'veseenmanyorganizationsfromvariousindustrieswhoinvestinscalablenetworkinfrastructure,whichisresilientandhasredundancytoensurealldeviceshaveend-to-endconnectivity.However,securityissuchanimportantfactorthatisn'talwaysacknowledged.Designinganetworktoperformatoptimalcapacityisgreatbutwithoutsecurity,yourentirenetworkinfrastructureisleftvulnerabletobothinternalandexternalthreats.

Threatsexistinmanyforms;ahackermayattempttoretrieveavictim'susernameandpasswordfortheironlineaccounts,gainunauthorizedaccessintoasystembyexploitingasecurityvulnerabilityonacomputer,orevencrackthepassphraseforthewirelessnetworkinyourorganization.

AssetsAsasecurityprofessional,it'simportanttosecuretheorganization'sassets.An


assetisanythingofvaluetoanorganization.

Tangibleassetsarephysicalobjectssuchascomputers,servers,andfurniture.Thistypeofassetneedstobeprotectedjustasequallyaseverythingelse.Tangibleassetsarevulnerabletophysicaldamageandeventheft.Imagineasmallbusinessthathasacustomerserviceoutletthatallowscustomerstowalkinandconducttransactionsonadailybasis.Let'ssayeachcustomerservicerepresentativewasassignedalaptopattheirdesktoperformtheirdutiesandcompletetasks.IfeachlaptopwasnotphysicallysecuredusingaKensingtonCable,acustomerwithbadintentmaysimplypickupalaptopwhiletheemployeeisnotlookingandwalkaway.Somecompaniesmaylookattheincidentasphysicaltheft,butacybersecurityprofessionalwilldetermineitasbothphysicalanddatatheft;thelaptophasstoragemediasuchasanHDD,uponwhichimportantandconfidentialdatamaybestored.AmalicioususercansimplyretrievethedatafromtheHDDandsellitonthedarkweb.

Themostvaluableassettoanyorganizationisdata.Hackersarecontinuouslydevelopingnewstrategiesandtechniquestogainaccesstosystemsandnetworkstostealdata.Ourjobasnetworkprofessionalsisnotonlytocreateanefficientnetworkbutalsotocreateasecurenetworkdesigntopreventvariouscyberthreats.Creatingasecurenetworkdesignextendstoallareaswhereanorganizationstoresitsdata;thesewillincludethelocalareanetworkandeventhecloud.

Thecloudisanimportantlocationmanyprofessionalsdonotconsidertobevulnerable.Withcloudcomputingbecomingcheaperastimepasses,moreorganizationsaremigratingtheirphysicalinfrastructuretoacloudserviceprovider.Therearemanycompaniesthathavealmostalloftheirdataandotherassetssuchasserversandapplicationsonthecloud.However,thecloudisjust


asvulnerableasaphysicalnetwork.Equalattentionmustbegiventothesecurityofyourcloudplatformasyouwouldforyourphysicalnetwork.

ThreatactorsThreatactorsareusuallysomeoneorsomethingthatisresponsibleforasecurityeventorincident.Threatactorscanbecategorizedbytheircharacteristicsandtheirmotivations.

Thefollowingarevarioustypesofthreatactorsinthecybersecurityworld:

Onetypeofthreatactorisknownasscriptkiddies.Ascriptkiddieisn'tnecessarilyachildoryoungperson,butrathersomeonewhoisanovicewithinthecybersecurityrealmwhousesinstructionsandtutorialsprovidedbythereal,malicioushackerstoguidehis/heractions.Thistypeofhackerdoesnotfullyunderstandthetechnicaldetailsoftheactualcyber-attackorthetoolsbeingused.However,bysimplyfollowinginstructionsandlaunchingthesametypeofattack,theyhavetheabilitytocompromiseasystemornetwork.

Thehacktivistisanothertypeofhackerwhoisbetweenanactivistandahacker.Thispersonusestheirtechnicalskillstoserveasocialorpoliticalagenda.Somehacktivistactionsincludedefacingpoliticalandgovernmentwebsites,coordinatingDoSattacksagainstanorganization'snetworkresources,andleakingconfidentialdatasuchasdocumentstovariousonlinesites.

Hackersoftenworkingroupsusingthemostelitetoolsandresourcesmoneycanbuy;thisisreferredtoasorganizedcrime.Withinthisgroup,


eachhackerisanexpertwithintheirownfieldandisassignedauniqueroleandfunction,sothatonepersonmayberesponsiblefordevelopinganexploitkitwhileanotherisperformingextensivereconnaissanceonthetarget.Thistypeofhackinggroupiswell-fundedandhasthebesthackingtools;theirmotivationistostealcurrencyfromtheirvictims.

Eachnationusuallyhasitsownteamofhackersandthesearereferredtoasstate-sponsoredhackers.Thisgroupofhackersarewell-fundedandareprovidedwiththebesttoolsandresourcesthegovernmentcanbuy.Thesetypesofhackersareusuallyhiredtoprotectthesecurityoftheircountryandevenperformcyber-attacksonothernations.Therearemanymoviesthatexplainthistypeofhackinggroup,oneofwhichwasSnowden(2016),whichexplainshowvariousnationsarepreparingforcyberwarfare.

Tip

Tolearnmoreaboutcyberwarfare,checkoutthebookCyberWarfare–Truth,Tactics,andStrategiesbyDr.ChaseCunninghampublishedbyPacktPublishingathttps://www.packtpub.com/security/cyber-warfare-truth-tactics-and-strategies.

Somepeoplethinkallcyberthreatsoriginatefromtheinternet.Sometimesaninsiderthreatcanoccurandremainundetectedbecausetheorganizationisbusylookingattheinternetandneglectingitsowncorporatenetworkforinternalthreatsandattacks.Aninsiderissimplysomeonewhohasgainedemploymentwithatargetorganizationundertheguiseofbeingatrustedpersonwhocanfillarolewithinthecompany.


https://www.packtpub.com/security/cyber-warfare-truth-tactics-and-strategies

However,thispersonhasotherintentions;oncewithintheorganization,he/shewilllearntheins-and-outsofthenetworkandinfiltratetheorganizationfromwithin.

Withtheriseincyber-attacks,organizationsareinvestingincybersecuritysolutionsandpeopletohelptosafeguardtheirnetworkandassets.Ineverynetworkandsystem,therearevulnerabilitiesthatareknownandthosethathaven'tbeendiscoveredyet.Organizationshireaspecialtypeofhackerknownasawhitehathacker—thesearecommonlyreferredtoasethicalhackers.Thesearethegoodguyswhousetheirskillsettohelporganizationstodiscovervulnerabilitieswithintheirowninfrastructurebeforethebadguysfindandexploitthem.Whitehathackersobtainlegalpermissionbeforetheirengagementinapenetrationtestexercise;thisisareal-worldsimulationattackonthesystemsandnetwork,toseehowamalicioushackermightbeabletoexploitvulnerabilitiesandgainaccessintothenetwork.

Ablackhathackerusestheirskillsettoperformmaliciousandunethicalactionsoncomputersandnetworksforpersonalgain.Thesearethetypeofhackersthatyourorganizationandassetsneedtobewellprotectedandfortifiedagainst.Agrayhathackersimplysitsbetweenawhitehatandblackhathacker.Thistypeofhackercouldcommitcrimesandperformmaliciousactions.However,theycanusetheirskillsetforbothgoodandbadthings.

Now,let'slookatvulnerabilities.

Vulnerabilities


Onequestionstudentsfrequentlyaskatthebeginningoftheircybersecurityjourneyis:howarehackersabletobreakintoasystemornetwork?Thesimpleanswerishackersandotherthreatactorslookforvulnerabilitiesonatargetsystem.Avulnerabilityisasecurityweaknessorflawinasystemthatcouldbeexploitedbyathreat.Thecompetitionbetweensecurityresearchersandhackershasbeenanongoingone—aracetodiscoversecurityflawsfirst.Securityresearchersarealwayslookingfornewvulnerabilitiestohelpsoftwareandproductvendorstofixandclosesecurityweaknesseswhilehackersarelookingtoexploitandgainaccesstotheirvictims'systems.

Tip

Nessusisoneofthemostpopularvulnerabilityassessmenttoolswithinthecybersecurityindustry.FurtherinformationonNessuscanbefoundathttps://www.tenable.com/products/nessus.

Avulnerabilitycanexistintheformofaweaknessorflawinaconfiguration,securitypolicy,orevensomethingtechnologicalinnature.Let'slookatanexample.AnetworkdevicesuchasarouterisconfiguredtouseTelnetandnotSSHasthepreferredmethodforremoteaccessmanagement.TelnetisanunsecuredprotocolthattransfersdatainplaintextwhereasSSHencryptsalltraffic.Asyouhavelearnedsofar,TCP/IPisthelanguagealldevicesspeakwhenconnectedtoanEthernetnetwork,soyoumaythinktheTCP/IPprotocolsuiteisdesignedwithgoodsecuritybutinreality,it'snot.

ManyvulnerabilitiesexistinthevariousprotocolswithinTCP/IP.TheseprotocolsincludeInternetProtocol(IP),InternetControlMessageProtocol(ICMP),HypertextTransferProtocol(HTTP),andevenSimpleNetwork


https://www.tenable.com/products/nessus

ManagementProtocol(SNMP).IftheIPwasnotdesignedwithgoodsecurity,anattackercansimplyspooftheIPaddressofanotherdeviceonthenetwork.SNMPv1doesnotsupportuserauthentication,sothismeansanattackerisabletoremotelyconnecttoanSNMPenabled-deviceandgathersensitiveinformation.Attackerscantakeadvantageofvariousweaknesseswithintheseprotocolsandcapturesensitiveinformationwhilenetworktrafficistravelingalonganetwork.

Hackersarealwayslookingforawayinsideyournetworkanddevices,andyournetworkcomponentsprovideaneasywayiniftheyarenotupdatedandsecuredproperly.

ThefollowingscreenshotshowstheNMaptoolhasfoundtheEternalBlue

vulnerabilityonaWindowssystem:


Figure11.2–EternalBlue

Intheprecedingscreenshot,NMapreportedthatthetargetsystemisvulnerabletotheEternalBlueexploit,whichwillallowanattackertoexploitthe

vulnerabilityinServerMessageBlock(SMB)version1andexecuteremotecode.Furthermore,NMapreportstheriskishighonthetargetandprovidesreferenceURLsforadditionalresearch.

Also,someenterprisenetworkdevicessuchasroutersandswitchessupportnetworksecurityfunctionstohelptopreventvariousmaliciousthreatsandattacksonyournetwork.Sometimes,amisconfigurationonaroutercangiveanattackerremoteaccessintothemanagementpaneofthedevice.

Eachdevicerequiresafirmwareoranoperatingsysteminordertoworkandperformfunctions.Operatingsystemvendorsarealwaysresearchingforvulnerabilitieswithintheirproducttoquicklyreleaseupdatesandsecuritypatchestofixanyissuesfortheircustomers.Manyorganizationsdonotupdatetheircomputers'operatingsystemsformanymonths,andthisincreasestheriskofitbeingcompromised.Imagineifanewthreatcameaboutandtheoperatingsystemvendorreleasesasecuritypatchtofixtheissuesbuttheorganizationignorestheupdatesandpatchesbythevendor;theirsystemswillbevulnerabletothethreatuntilsecuritypatchingoccursontheirnetwork.Remember,eachdayhackersarealwayslookingforwaysintoyoursystems,sooperatingsystemvendorsreleaseupdatesveryfrequentlytohelptoprotectyou.

Manyconfigurationvulnerabilitiesexistonanetwork.Thistypeofsecurityweaknessexistswithinuseraccountmanagement,misconfigurednetworkservices,anddefaultconfigurationsondevices.Whenloggingintoasystem,yourusercredentialsmaybesentacrossthenetworkviaanunsecuredprotocol.


ThefollowingscreenshotshowsaWindowsusercredentialwascapturedasitwassenttotheActiveDirectoryserveronthenetwork:

Figure11.3–Useraccountdetails

Intheprecedingscreenshot,wecanseetheuser,Bob,entershisusernameandpasswordonaWindows10systemtoauthenticatehimselfonthenetwork.However,inthisscenario,theActiveDirectoryserver(WindowsServer)isusingthedefaultdirectoryqueryprotocol,LightweightDirectoryAccessProtocol(LDAP).LDAPdoesnotencrypttheuserinformationbydefault;onlytheuser'spasswordishashedusingNTLMv2andsentacrossthenetwork.Intheprecedingscreenshot,thehashwascaptured,allowingtheattackertoperformofflinedecryptionofthehashtoretrieveBob'spassword.Thisisanexampleofanunsecureduseraccountandinsecureprotocolsonanetwork.

Configurationvulnerabilitiesalsoexistwhenanadministratorconfiguresweakorinsecurepasswordsforuseraccounts.Suchvulnerabilityenablesahackertoeasilycompromiseuseraccountsonasystemandquicklygainaccess.Another


vulnerabilityoccursifdefaultconfigurationsareusedonasystemornetworkdevice.Defaultconfigurationsareappliedonadeviceatthepointitleavesthemanufacturer;theyallowustoeasilygetthedeviceupandworkingquicklywithouthavingtospendtoomuchtimetryingtofigureouthowtogetitworking.Defaultconfigurationsoftencontainmanyconfigurationweaknessessuchassecurityfeaturesareabsentandremoteaccessisenabledforall.It'simportanttoensuredefaultconfigurationsareneverusedonsystemsanddevicesonaproductionnetwork.

HumanvulnerabilitiesOnemajorvulnerabilityweoftenoverlookwhendesigningasecurenetworkisthehumanfactor.Humansarealsovulnerabletovariousonlineandofflinecyber-attacks,suchasbeingavictimofsocialengineeringattacks.Socialengineeringissimplywhenanattackerisabletomanipulateapersontorevealsensitiveinformationorperformacertaintask.

Importantnote

Socialengineeringisusuallyanon-technicalinnature.Thismeansacomputerisnotrequiredtoperformvarioustypesofsocialengineeringattacksonavictim.Theattackusuallyexploitsthetrustandsocialbehaviorofthevictim.

Thefollowingarevarioustypesofcyber-attacksthattargethumanvulnerabilities:

Phishingisaformofsocialengineeringthatisdoneusingacomputer;theattackercreatesandsendsafakeemailtoapotentialvictim.Theemailiscraftedtolookandsoundasifitcamefromalegitimatesource,suchasa


financialinstitution.Themessageusuallycontainssomeinstructionsandamaliciouslinkembeddedwithinthemessage.Theinstructionsmightsay,Youruseraccounthasbeenhackedandclickthefollowinglinktoresetit.Iftheuserfollowstheseinstructions,they'llendupdownloadingmalwareandinfectingthesystem,visitingasitethatallowstheattackerisabletocapturethevictim'susernameandpassword.

Anothertypeofsocialengineeringisspearphishing.Inaspearphishingattack,theattackermakesafakemessageoremaillookmorelegitimateandbelievable.Thistypeofattackisusuallyfocusedonaspecificgroupofpeople.AnexamplewouldbeanattackerwhocraftsanemailthatlookslikeitoriginatesfromBankXandsendsittoeveryoneassociatedwiththatbank.PeoplewhohaveanaccountwithBankXwillbemoresusceptibletothescam,clickanymaliciouslinks,orfollowanyinstructionswiththemessagewhereasapersonwhodoesnothaveanaccountwithBankXwillsimplyblock,delete,orignorethemessage.

WhalingisatypeofphishingattackthatfocusesonthehighprofilepersonswithinanorganizationsuchasaCEOorevenadirector.Theobjectiveoftheattackistocompromiseahighprofileperson'saccountandusetheaccounttoconducttransactions.ImagineifaCEO'semailaccountiscompromised,theattackercouldsendemailstotheaccountingdepartmentrequestingconfidentialfinancialdetailsabouttheorganization.PeoplewithintheaccountingdepartmentwillseetheemailoriginatingfromtheCEOandtrustit'stheactualCEOrequestingtheinformation.Insuchanattack,trustisbeingexploitedbetweentheemployeeandtheCEO.

Socialengineeringattackscanbedoneoveratelephoneconversation—


thisisknownasvishing.Invishing,theattackercallsthepotentialvictimwhilepretendingtobesomeonewithauthorityorapersonthevictimmaytrust.Duringtheconversation,theattackermayalsotrytobuildorimprovethetrustbetweenthevictimandtheattackerandtakeadvantageofthattrust.Invishingattacks,theattackermaypretendtobecallingfromthevictim'sbankandrequestthevictim'sonlinebankingusercredentialsorperhapsrequesttheircreditcardnumberandpin.

SocialengineeringcanalsobedoneusingShortMessageService(SMS),aformofattackknownassmishing.Thisiswhenanattackerattemptstoperformsocialengineeringusingthetextmessagingserviceonmobilephones.

Sometimesanattackermaytakeamoreaggressiveapproachtogetvictimstovisitacompromisedwebsite.HackersareabletocompromisevulnerableDomainNameSystem(DNS)serversandcanmodifytheDNSrecords,forexample,bychangingtheDNSArecordfora

hostnametopointtoacompromisedwebsiteratherthanthelegitimateIPaddress.ThismeansanydevicerequestingtheIPaddressofacertainwebsitewillberedirectedtoamaliciouswebsite.Thistypeofsocialengineeringisknownaspharming.

It'simportanttobuildafortressaroundandwithinyourorganizationtoprotectitfrombothinternalandexternalcyber-attacksandthreats.Sometimes,whenanattackerrealizeshe/sheisunabletocompromisethetarget'snetwork,theattackermayattempttoperformawaterholeattack.Inawaterholeattack,theattackerwillattempttocompromiseasiteorlocationtheemployeesofthetargetorganizationcommonlyvisit,suchasalocalcoffeeshop.BycompromisingthecoffeeshopWi-Finetwork,any


deviceconnectedtothatnetworkwilldownloadapayloadandthemobiledevicewillbeinfected.Whenanemployeeconnectstheirinfectedmobiledevicetothecorporatenetwork,itwillcompromisetheorganization.However,anyonewhoconnectstotheWi-Finetwork,orthewaterhole,willbeinfected,notjustthetargetuserswhobelongtotheorganization.

Next,let'sgoaheadandlearnaboutpasswordvulnerabilitiesandmanagement.

PasswordvulnerabilitiesandmanagementToproveouridentitytoasystem,wemustprovideavalidusernameandpassword.Manypeopleoftencreatesimpleandeasy-to-rememberpasswordsfortheironlineaccounts.Whileit'ssimplefortheusertoremember,it'sasecurityvulnerabilityasahackercaneasilygainaccesstothevictim'saccount.Creatingasecureandcomplexpasswordisimportantandpreventshackersandotherthreatactorsfromcompromisingauseraccountandgainingaccesstosensitiveinformation.

Whencreatingsecureandcomplexpasswords,usethefollowingguidelines:

Passwordsshouldatleast8charactersinlength.

Ensurethepasswordincludesacombinationofuppercaseandlowercaseletters,numbers,specialcharacters,andsymbols.

Ensurethepasswordisnotbeingusedonanotheraccountyoumayown.

Passwordsshouldnotberegularwordsyou'dfindinthedictionary.

Passwordsshouldnotcontainanypersonaldetailssuchasbirthdaysorrelativenames.


Passwordsshouldbechangedfrequently.

Passwordsshouldnotbewrittendownanywherearoundyourworkplace.

Usingapasswordmanagercanhelpyoutocreate,store,andmanagesecurepasswords.Therearemanyfreepasswordmanagersavailableontheinternet.

ThefollowingscreenshotshowsasecurepasswordgeneratedbytheLastPasspasswordmanager:

Figure11.4–Securepassword

Passwordsarestillbreakablebyahackerwhohasalotoftimeandcomputingpower.UsingMultifactorAuthentication(MFA)addsanextralayerof


securitytoouruseraccounts;therefore,theuserhastoprovidemultiplesetsofinformationtoprovehis/heridentity.

Sometimes,afterausernameandpasswordcombinationhasbeenvalidatedbyasystem,itrequestsasecondformofauthenticationtovalidateyouridentity.Thisissometimesreferredtoas2-FactorAuthentication(2FA).Authenticatorappsonyoursmartphonecanbeassociatedwithasupportedwebsite.Ciscoisanexampleofthisasitsuseraccountssupport2FA,whichallowsyoutoaddathird-partyauthenticator,suchasGoogleAuthenticator,onyourCiscouseraccount.EachtimeyouattempttologintotheCiscowebsite,auniquecodeisrequiredfromtheauthenticatorapp.Thiscodechangesapproximatelyevery30

seconds,makingitdifficultforahackertoguessthesequenceofcodesbeinggeneratedeachtime.

Ratherthanusingpasswords,youcanusebiometrics.Biometricsallowsyoutouseapartofyourbodytoauthenticatetoasystem.Mostnewsmartphonessupportbiometricauthentication,whichallowsapersontounlocktheirsmartphoneusingtheirfingerprint.OnMicrosoftWindows10,WindowsHellousesfacialrecognitiontechnology.

Importantnote

Otherformsofbiometricsarevoice,iris,andretinascans.

Digitalcertificatesareanalternativemethodtoauthenticatetoasystem.DigitalcertificatesaregrantedbyaCertificatesAuthority(CA),whichverifiestheidentityandauthenticityoftherequester.TheCAfunctionsasatrustedthirdpartywhocanverifytheholderofthecertificateiswhotheyclaimtobe.


Lab–UsingNessustoperformavulnerabilityassessmentInthislab,youwilllearnhowtoperformavulnerabilityassessmentonatargetsystemusingNessusEssentials.

Togetstarted,usethefollowinginstructions:

1. Gotohttps://www.tenable.com/products/nessus/nessus-essentialsandregisterforanActivationCode:


https://www.tenable.com/products/nessus/nessus-essentials

Figure11.5–NessusEssentialshomepage

2. YouwillberedirectedtoaThankYoupagecontainingaDownloadbutton—clickit:


Figure11.6–Downloadbutton

3. ChoosethelatestversionofNessusEssentialsthatisavailableforyouroperatingsystem:

Figure11.7–NessusEssentialsdownloadpage


4. Oncethefilehasbeendownloadedontoyourcomputer,installitusingallofthedefaultsettings.

5. Afterinstallation,yourwebbrowserwillopenthefollowingURL:http://localhost:8834/WelcomeToNessus-

Install/welcome.

6. ClickonConnectviaSSLtoensureyourconnectionissecure:

Figure11.8–EnsureSSL

Ifyourwebbrowsergivesasecuritywarning,addanexception.ThiswarningiscreatedbecauseNessusisusingaself-signeddigitalcertificate.

7. Choosethedeploymenttype:NessusEssentialsandclickContinue.

8. AnActivationCodeRequestpagewillappear.SimplyclickSkipaswehavealreadycompletedthistaskinstep1:


Figure11.9–Skipregistration

9. CheckyourinboxforaconfirmationemailwithyourNessusEssentialsLicenseKey.

10. InserttheActivationCodeinthefieldasshowninthefollowingscreenshotandclickContinue:


Figure11.10–Activationwindow

11. CreatealocaluseraccountfortheNessusEssentialsapplicationandclickSubmit.

12. Afterthesetupprocess,NessusEssentialswillinitializeonyourcomputer.

13. IftheNessusPluginsfailtodownloadduringtheinitializationphase,openCommandPromptwithAdministratorprivilegesandexecutethecommandshowninthefollowingscreenshot:


Figure11.11–ReinitializingtheNessusPluginsdownloadphase

14. Oncetheprocessiscomplete,gotohttps://localhost:8834/#/

andloginusingyourusercredentials.

15. Onceyou'reloggedin,clickNewScan.You'llseethefollowingscantemplatestochoose:


Figure11.12–Nessuspre-configurationtemplates

Youcanchooseanyscantemplateandevencustomizeittofityourneeds.

16. ClickonBasicNetworkScan.

17. Completethebasicinformationwithinthefields,asshowninthefollowingscreenshot:


Figure11.13–ConfiguringabasicscanonNessus

Importantnote

Forlegalpurposes,donotscananydevicesornetworksthatyouhavenotbeenlegallyauthorizedto.Forthisexercise,Iamperformingavulnerabilityscanonapersonalmachinewithinmyownnetwork.

18. ClickSave.


19. Oncethescanhasbeensaved,clickthePlay/Launchicononthefurthestrightcolumntolaunchthescan.

20. Oncethescanisfinished,clickonittoaccessthedetails.Youwillseeanoverviewofallofthevulnerabilitiesfoundwithaseveritylevel.

21. ClickonVulnerabilitiestoseeallofthesecurityweaknessesfoundonthetargetmachine:

Figure11.14–Vulnerabilities

Asshownintheprecedingscreenshot,NessusprovidesalistofallofthevulnerabilitiesfoundonthetargetsystemandsortsthelistfromCriticaltoInformational.

22. Selectingavulnerabilitywillprovideyouwithadescriptionandsolutiononhowtofixthesecurityflaw,asshowninthefollowingscreenshot:


Figure11.15–SecurityflawinVNCServer

23. Also,youcanclicktheExport/Reportbuttoninthetop-rightcornertoexportareportoftheassessmentinPDF,CSV,orHTMLformat.NessuscangenerateanExecutiveSummaryoraCustomreport.

TheExecutiveSummarywillcontainasummarylistofallofthevulnerabilitiesfound,theseveritylevels,andtheirCommonVulnerabilityScoringSystem(CVSS)score.TheCustomreportcontainsspecificdetailssuchasthedescription,solutions,references,andevenriskfactorsforeachvulnerability.

Havingcompletedthislab,youhavegainedtheskillstoperformabasic


vulnerabilityscanandcreatereportsusingtheNessusvulnerabilityscanner.Inthenextsection,youwilllearnaboutexploits.

ExploitsExploitsarethemaliciouscodeoractionsanattackerusestotakeadvantageofavulnerabilityonasystem.Withineachoperatingsystem,application,anddevice,thereareknownandunknownvulnerabilities.Onceahackerhasdiscoveredavulnerabilityonhis/hertargetsystem,thenextstepistoacquireanexploitthatwillleveragethesecurityflaw.OnepopularwebsitetofindexploitsisExploitDatabase(www.exploit-db.com).ThiswebsiteismaintainedbyOffensiveSecurity,thecreatorsofthepopularpenetrationtestingLinuxdistro,KaliLinux.Thepurposeofsuchawebsiteisinformationsharingforothercybersecurityprofessionalssuchaspenetrationtesterswhorequireexploitsduringtheirjobs.

Tip

Tounderstandhowthreats,vulnerabilities,andexploitsallfittogether,considerthefollowingsentence:athreatusesanexploittotakeadvantageofavulnerabilityonasystem.

OnesuchvulnerabilityisknownasEternalBlue(MS17-010);thisvulnerabilityisaweaknessfoundinMicrosoftWindowsoperatingsystemswithMicrosoftServerMessageBlock1.0(SMBv1).AnattackerwithanexploitforEternalBluewillbeabletoperformremotecodeexecutiononavulnerable

machine.

Importantnote


http://www.exploit-db.com

FurtherinformationabouttheMS17-010securitybulletincanbefoundathttps://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010.

ThefollowingarethesearchresultsfortheEternalBlue(MS17-010)

vulnerabilityonExploitDatabase:

Figure11.16–SearchResultsforEternalBlue

Additionally,theattackerorthepenetrationtestercanuseanexploitationdevelopmentframeworksuchasMetasploittocreateacustompayloadanddeliveritontothetarget.Metasploitallowsacybersecurityprofessionaltobuildcustompayloadstoleveragetheweaknessesfoundinapplicationsandoperatingsystems;however,anattackercandothisaswell.

Tip


IfyouwanttolearnmoreaboutMetasploit,pleaseseethefollowinglink:https://www.offensive-security.com/metasploit-unleashed/.

Onceanattackerhasgainedaccesstoasystem,he/sheisabletoescalatetheiruserprivilegesonthevictim'ssystemandevenpivottheattackthroughthecompromisedsystemtoallotherinternaldevicesonthenetwork.

AttacksInthissection,youwilllearnaboutvarioustypesofcyber-attacksandhowtheycancauseharmtosystemsandnetworks.

MalwareMalwareiscodethatisdesignedtoperformmaliciousactionsonasystem.Thetermmalwareistakenfromthewordsmalicioussoftware,whichhasthecapabilitytoexfiltratedata,makeasystemunusable,orevendeleteimportantfilesonitslocaldisk.Therearemanytypesofmalwareontheinternetandeachdaysecurityresearchersandcybersecurityprofessionalsarediscoveringthesenewthreats.

Thefollowingaredescriptionsofthemostcommonlyknowntypesofmalware:

Onetypeofmalwareweallknowisthevirus.Acomputervirusissimilartoahumanvirus;onceasystemisinfected,thevirusbeginstounleashitspayloadandcausemoreharm.Computervirusesaremaliciouscodethatisdesignedtoreproducethemselvesonaninfectedsystemandcauseadditionaldamage.Computervirusesarenotself-executable;thismeansauserhastodownloadavirusontheirsystemandmanuallyexecuteit,then


https://www.offensive-security.com/metasploit-unleashed/

thepayloadisunleashedonthevictim'ssystem.

Importantnote

Thereareothertypesofvirusessuchasbootsectorvirus,programvirus,macrovirus,andevenfirmwareviruses.

Anothertypeofmalwareistheworm.Awormisself-replicatingandautomaticallypropagatesinanetwork.Onceasystemisinfectedwithaworm,itautomaticallyattemptstospreadtoothervulnerablesystemsonthenetwork.Awormisdesignedtoexhaustthecomputingresourcesonasystem,whichwillmaketheinfectedsystemworkveryslowlyorrenderitunusable.

Hackersarecreatingcrypto-malwareandransomware.Thesetypesofmalwarearedesignedtoinfectasystem,encryptallofthevictim'sdata,andrequestaransombepaidtoreleasethehostage(data).Onceasystemisinfectedwithransomware,alldataisencryptedexcepttheoperatingsystemfiles.Hackerswanttoensureyouroperatingsystemisstillworkingsotheycanpresentyouwithanon-screenbanneraskingyoutopaytheransombyprovidingyourcreditcardnumber,Bitcoin,oranothercryptocurrency.It'sneverrecommendedtopaytheransomasthereisnoguaranteeorassurancethehackerswillkeeptheirwordandprovideyouwiththedecryptionkey.It'simportanttoregularlybackupyourdatasothatintheeventsystemsarenotrecoverable,thesystemscanbewipedanddatacanberestored.

TheTrojanHorseisatypeofmalwarethatdisguisesitselftolooklikealegitimateprogramorapplicationbutcontainsamaliciouspayload.Once


anunsuspectinguserexecutestheTrojanHorse,themaliciouspayloadexecutesinthebackgroundandthesystemiscompromised.Thistypeofmalwareistypicallyusedtotrickauserintoinstallingitandthepayloadopensabackdoortoonthevictim'ssystem.Onceabackdoorisopenedonthevictim'ssystem,thehackercangainaccess.TrojanHorsesaresometimesintheformoffakeanti-virussoftware,games,andevenapplications.TheRemoteAdministrationTrojan(RAT)isanothertypeofTrojanHorse.ARATsimplyallowsthehackertogainremoteaccessandcontroloverthevictim'ssystem.Theattackerisabletomodifyconfigurations,enablemicrophonestorecordaudio,enablewebcamstorecordvideo,performactions,andexfiltratedata.

There'satypeofmalwarethatinfectsthekernelofanoperatingsystem.Thisisknownasarootkit.Oncearootkitinfectsthekernel,isgainsrootlevelaccessonthesystem.TherootkitistakenfromtheLinuxworld,thehighestleveluseraccountonaLinuxsystemistherootaccount.Therootaccountisabletoperformunrestrictedtasksandactionsonasystem.Similarly,arootkitcancontrolthekernelandthereforecanperformadministrativeactionsonacompromisedsystem.Sincerootkitsinfectthekernel,thisareaintheoperatingsystemisusuallyinaccessiblebyanti-virusprograms,however,someanti-virusprogramsallowyoutoperformabootsystemscan,whichisdonebeforeanoperatingsystemisloadedinmemory;thistypeofscanisabletodetectrootkits.

Adwareisatypeofmalwarethatdisplaysadvertisementsintheformofpopupsonyourdesktopandwithinyourbrowser.Adwareisusuallydistributedbysoftwarefromtheinternet.Duringtheinstallationofsoftware,adwaremaybeinstalledinthebackgroundandwillonlyappear


aftertheinstallationprocessiscomplete.

Spywareisatypeofmalwarethatspiesonthevictim'sactivitieswithoutconsent.Thisinformationissentbacktothehacker.Auser'sactivitymayseemabitharmlessinthecybersecurityindustrybutit'sactuallyworthalotofmoneytovariousorganizationsonthedarkwebandevencompaniesthatperformdataanalyticsonhumanbehaviorfortargetedadvertisements.

Now,let'sreadaboutreconnaissance.

ReconnaissanceThefirstphaseinhackingisinformationgatheringorreconnaissance.Duringthisphase,theattackerattemptstogatherasmuchinformationaspossibleaboutthetargetpriortoexploitinganyweaknesses.Theattackerusuallyattemptstodiscoveranyoperatingsystems,openportsonsystems,vulnerabilities,andevenrunningservicesonthetarget.SuchinformationcanbegatheredusingOpenSourceIntelligence(OSINT)techniquessuchasperformingvariousonlinesearchesusingGoogleHackingtechniquesandcheckingthetarget'swebsite,databases,andevenDomainNameSystem(DNS)records.

Tip

Nmapisoneofthebestnetworkscannerstodetectopenports,profileoperatingsystems,serviceversions,andmuchmore.

Furthermore,anattackerusesvulnerabilityscannerstodetectopenportsandvulnerabilitieswithinanoperatingsystemandapplications.Somewell-known


vulnerabilityscannersintheindustryareNessus,Saint,andCoreImpact.

Tip

Tolearnmoreabouthowtoperformethicalhackingandpenetrationtestingtechniques,checkoutmybookLearnKaliLinux2019byGlenD.SinghpublishedbyPacktPublishingathttps://www.packtpub.com/networking-and-servers/learn-kali-linux-2018.

Oncevulnerabilitiesarefound,theattackercanthenuseexploitationtoolssuchasMetasploit,SQLmap,CoreImpact,andevenSocialEngineerToolkit(SET)togainaccesstoavulnerablesystem.

SpoofingSpoofingisthetechniqueanattackerusestofakehis/heridentityonanetwork.Intechnicalterms,whenadevicesuchasacomputerissendingamessagetoanotherdevice,thesenderinsertsitssourceIPaddresswithintheLayer3headerofthepacket.Thisinformationisneededtoidentifythesourceandsenderofthemessage.AttackersareabletospoofboththeirMACaddressandIPaddress,simplytofaketheiridentitywhenlaunchinganyattack.

ThefollowingdiagramshowsanattackersendingamessagetoatargetwithaspoofIPaddress:


Figure11.17–Spoofingattack

Asyoucanseeintheprecedingdiagram,theattackusesBob'sIPaddressasthesourceIPaddress.Therefore,whenthevictimchecksthesourceofthetraffic,itshowstheattackcamefromBob'scomputer.

DenialofServiceSometimesgainingaccessorstealingdatafromavictim'ssystemisn'tthegoal;somehackerssimplywanttodisruptserviceandpreventlegitimateusersfromaccessingresources.ThistypeofattackisknownasaDoS.ADoSattackis


typicallylaunchedfromasinglesourceagainstatargetsuchasawebserver;theattackersendsacontinuousstream(flood)ofunsolicitedmessagestothetarget.Thetargetdevicehastoprocessallofthemessagesitisreceivingfromboththeattackerandlegitusersonthenetwork.SincetheDoSattackissendinghundredsandeventhousandsofmessagesperminute,thetargetwilleventuallybecomeoverwhelmedbyprocessingeachmessage.

ThefollowingdiagramshowsanattackerislaunchingaTCPSYNfloodattacktoaserver:

Figure11.18–HTTPDoSattack

Whenthetargetisoverwhelmed,itwon'tbeabletorespondtolegitimateusers'requestsandhencecreatetheeffectofdenyingthelegitimateusersaccesstotheresources/services.SinceaDoSattackisusuallyfromasinglesource,it'seasytoblocktheattackasithappens.Whenadenialofserviceattackislaunchedfrommultiplegeographiclocations,theattackisamplifiedandmoredifficulttoblock


astherearemultiplesourcesoftheattack.ThisisknownasaDistributedDenialofService(DDoS).

AmplificationandreflectionAnothertypeofDoSattackisareflectiveattack.Inareflectiveattack,theattackerspoofstheIPaddressofthetargetdevice.Theattackerthensendsafloodofunsolicitedrequestmessagestoaserveronthenetworkorinternet.Theserverwillrespondtoeachrequestandtheresponseswillbesenttotheactualtargetandnottheattacker.

Thefollowingdiagramshowsanexampleofareflectiveattack:

Figure11.19–DoSreflectiveattack

Onthetargetsystem,thelogswillindicatetheattackisoriginatingfromtheserverandnottheattacker'smachine.


Inanamplificationattack,theattackersendsspoofedrequestmessagestomultipleserversontheinternet;eachserverwillthenrespondtoeachmessage.Therefore,thevictim'smachinewillreceiveafloodofmessagesfrommultipleservers.

Thefollowingdiagramshowsanexampleofanamplificationattack:

Figure11.20–Amplificationattack

Theattackerspoofsthevictim'sIPaddressandsendsrequestmessagestomultipleservers(reflectors).Wheneachserverreceivesarequest,theywillprocessandsendareply.However,thereplymessageissenttothevictim


instead.

Man-in-the-MiddleInaMan-in-the-Middle(MiTM)attack,theattackersitsbetweenthesourceanddestinationofnetworktraffic.Thisallowsanattackertointerceptandcapturealldatathatisflowingbetweenavictim'smachineanditsdestination.Thistypeofattackisusuallydoneonaninternetnetworkwithinanorganizationtocaptureanysensitivedataandusercredentialsthatarepassingalongthenetwork.

Forthisattacktoworkproperly,theattacker'smachinemustbeconnectedtothelocalareanetwork.ItlearnsboththeIPaddressandMACaddressesassociatedwiththevictimmachinesandthedefaultgateway.TheattackerthensendsgratuitousARPmessagestothevictimmachine,informingitthattheattackermachineisthedefaultgateway.Therefore,anytrafficwithadestinationtotheinternetwillnowbesenttotheattacker'smachine.TheattackermachinealsosendsgratuitousARPmessagestothedefaultgateway,trickingtherouterintobelievingtheattackermachineisthevictim'sdevice.

ThefollowingdiagramshowstheeffectofaMiTMattackonanetwork:


Figure11.21–MiTMattack

Alltrafficbetweenthevictimmachinesandtheinternetwillflowthroughtheattackermachine.ThistypeofattacktakesadvantageofavulnerabilitywithintheAddressResolutionProtocol(ARP).ARPwasnotdesignedwiththesecuritytopreventsuchtypesofattacks.However,CiscoIOSswitchesdosupportmanysecurityfeaturestopreventtheseattacks.Inlaterchapters,wewillcoverhowtoimplementLayer2securityonanenterprisenetwork.

BufferoverflowOperatingsystemsandsoftwaredeveloperscancreateaspecialareainmemorytotemporarilystoredatawhileanapplicationisrunning;thisareaisknownasabuffer.Abufferislimitedtotheamountofdataanapplicationcanstoreatanytime,softwaredeveloperscontinuallytesttheirsoftwareorapplicationtoensuredataisbeingprocessedaccuratelyandefficiently.


Therearetimeswhenapplication/softwaredevelopersdonotproperlytesttheirapplications,andsometimesabufferoverflowvulnerabilitymayexist.Inabufferoverflow,surplusdatathatcannotbestoredinthebufferspillsoverontoreservedareasofmemorythatarenotallocatedforcodeexecution.Ifanattackerisabletodeterminethatanapplicationisvulnerabletosuchsecurityweakness,maliciouscodecanbeinjectedintothebuffer,causingittooverflow.Thespilledcode/dataisthemaliciouscodesentbytheattacker;thiscodewillthenbeexecutedinthereservedareaofmemory.

Attackerscancreatecustompayloadstocreatebackdoorsonavictim'ssystemandevensetupareverseshell/connectionfromthevictim'smachinebacktotheattacker.

Inthissection,youhavelearnedaboutcyber-attacksandtheircharacteristics.Inthenextsection,wewillcovertheimportanceofimplementingAuthentication,Authorization,andAccounting(AAA)onanetwork.

Authentication,Authorization,andAccountingImplementingAAAwithinanetworkisveryimportanttoensureauthorizedpersonscanaccessasystemornetwork.Theappropriateprivilegesoruserrightsaregrantedtotheuser,andeachactionperformedbytheuserisaccountedfor.Let'simagineyourorganizationhasmultiplenetworkdevicessuchasswitches,routers,andfirewallsatvariousremotebranchesandatheadquarterslocations.YourteamofITprofessionalsisresponsibleforensuringtheITinfrastructureoftheorganizationiswellmaintainedandoperatingefficiently.SinceeachITprofessionalmayberequiredtologintovariousnetworkdevices,auseraccount


containingtheappropriateprivilegesisrequiredforeachuser.

Creatingindividualuseraccountsforeachuserforeachdeviceisatediousandredundanttask.Imagineauserhastochangetheirpassword;thismeansthepasswordfortheuseraccounthastobemanuallychangedoneachindividualdevicetheusercanaccess.Whatifausermakesanunauthorizedchangeonadevice'sconfigurationandcausesanetworkoutage?Howcanwedeterminewhenthechangewasmade?Whomadethechange?Onwhichdevice(s)wasthechangemade?UsingAAAcanhelpustobettermanageuseraccountsandtheirprivilegesandlogallactionsperformedbyauserforaccountabilityandrecordkeeping.

Theissuewithasystemsuchasacomputeroradeviceisitcannotrecognizeatrusteduserthesamewayashumanscan.Asasimpleexample,youcanidentifyafamilymembersuchasasiblingbysimplylookingattheirface.Onceyourecognizetheperson,trustisestablished.However,asystemisunabletodothis.Therefore,computersidentifyahumanuserbysimplycheckingtheiruseraccountsdetails—ausername(identity)andpasswordcombination.Tologintoacomputer,youmustprovideavalidusernameandpassword.Ifthecomputerdeterminestheusercredentialsarevalid,theuserisauthenticatedtothesystemandaccessisgranted.Authenticationistheprocessofverifyinganaccountholderisabletousetheaccount.Withoutauthentication,anyonecouldaccessasystemandperformanytask,goodorbad.

Toauthenticateyourselftoasystem,auserwillneedcredentialstoprovetheiridentity.Thefollowingareexamplesofusercredentials:

Somethingtheuserknows:Thisisapassword,aPIN,orevenapassphrase.


Somethingtheuserhas:Thiscanbeaphysicalsecuritytokenorasmartcard.

Somethingyouare:Thisissomethingsuchasyourfingerprint,iris,orretina,orpatternsonyourbody.

Afterauserhasbeenauthenticatedonasystem,theuserisnowabletoperformanytasksoractionsuntiltheauthorizationphaseiscomplete.Authorizationistheprocessbywhichanauthenticateduserisgrantedorassignedprivilegestoaccessandmodifyresourcesonthesystemornetwork.Toputitsimply,authorizationsimplydetermineswhatausercanandcannotdoonasystem.Withinanorganization,therearemanygroupsofuserswithvariousrolesandresponsibilities.Eachpersonmaynothavethesameroleandtasks,therefore,eachpersonshouldbegrantedonlytheprivilegestocompletethetasksbasedontheirjobdescriptionandnothingmore.

Onceauserhasbeengrantedthenecessaryprivileges,logsaregeneratedasarecordforalloftheactionsperformedbytheuserwhilehe/sheisloggedintothesystem.ThisisknownasAccounting.Havinglogsforeachuser'sactionsonanetworkcanhelptodeterminewhoperformedanaction,whichdevicewasaffected,andthetimeanddatetheactionwascompleted.

Withinanenterpriseorganization,anAAAserverisusuallydeployedatacentralizedlocationonthenetwork.Thisserverisusedtocentrallymanagealluseraccounts,assignprivileges,andlogalluseractions.

ThefollowingdiagramshowsanAAAserveronanetwork:


Figure11.22–AAAserver

Intheprecedingdiagram,thenetworkadministratorwantstologintotheswitchtomakeaconfigurationchange.Theswitchpromptstheusertoprovideausernameandpassword.TheusercredentialsarethensenttotheAAAservertoverifytheidentityoftheuser.TheAAAserverconfirmstheuser'sidentityandappliesuserprivileges.Theinformationissentbacktotheswitchandtheuserisgrantedaccess.Whiletheuserisloggedin,allactionsarebeingloggedontheAAAserverforaccountability.

TherearecurrentlytwoAAAservers:


RemoteAuthenticationDial-inUserService(RADIUS):RADIUSisanAAAservicethatsupportsamulti-vendorenvironmentandusesUDPport1812forauthenticationandUDPport1813foraccounting.However,

thecommunicationbetweenanAAAclientandaRADIUSserverisnotcompletelyencrypted.RADIUSencryptsonlythepasswordthatisexchangedbetweentheclientandtheserver.

TerminalAccessControllerAccess-ControlSystem+(TACACS+):TACACS+isaCisco-proprietaryAAAservicethatissimilartoRADIUSbutprovidesmoreflexibility.TACACS+separateseachAAAfunctionintoitsownsecure,encryptedcommunicationbetweenaAAAclientandaTACACS+serveroverTCPport49.

Importantnote

IntheCiscoworld,theCiscoIdentityServicesEngine(ISE)securityapplianceisusedasanAAAserver.

Inthenextsection,youwilllearnhowtoimplementAAAinaCiscoenvironmenttoprovideauthenticationforanadministratortoremotelyconnectandmanageanetworkdevice.

Lab–ImplementingAAAInthislab,you'lllearnhowtoimplementAAAwithinaCiscoenvironmentbetweenaCisco2911routerandanAAAserverusingtheTACACS+protocol.Forthislab,wewillbeusingthefollowingtopologywithinCiscoPacketTracer:


Figure11.23–AAAlabtopology

ConfigurethefollowingIPschemeoneachdevicewithinthetopology:

Figure11.24–IPscheme

Nowthatyourlabisready,usethefollowinginstructionstoimplementAAA:

1. Ontheserver,enabletheAAAService,configuretheclientinformation(ClientName:R1,ClientIP:192.168.1.1,Secret:aaa-secret,

andServerType:Tacacs),andconfigureauseraccountforremote

accessfromthePCtotherouter:


Figure11.25–AAAserverconfigurations

2. Next,enablethenewAAAfeaturesontherouterusingthefollowingcommands:

R1(config)#aaanew-model

3. SpecifytheTACACSserverandthesecretkeyontherouter:


R1(config)#tacacs-serverhost192.168.1.5key

aaa-secret

4. CreateanAAAmethodlist(AAA-Login)forauthentication(login)

usingtheservergroup(group)usingTACACS+:

R1(config)#aaaauthenticationloginAAA-Login

group

tacacs+

5. Applythemethodlist(AAA-Login)totheVirtualTerminal(VTY)linesontherouter:


R1(config-line)#loginauthenticationAAA-Login


6. OnthePC,clicktheDesktoptab,opentheTelnet/SSHClient,andconnecttotherouterusingTelnet:


Figure11.26–Telnet/SSHClient

7. Onceyou'reloggedin,entertheusercredentialstotesttheAAAservicebetweentherouterandtheAAAserver:

Figure11.27–AAAservice

Asshownintheprecedingscreenshot,theAAAserviceworksbetweentherouterandtheAAAserver.HavingcompletedthislabyouhavegainedtheessentialskillsindeployingAAAonaCisconetworkforauthenticationusingTelnet.

Elementsofasecurityprogram


Oftenwhendesigningasecuritynetwork,weforgettotrainalluserswithintheorganizationoncybersecurityawareness.Notallcorporateusersareabletoidentifythreatsandattacksorperhapsunderstandwhatproceduresshouldbetakeniftheircomputergetsinfectedwithavirus.Therefore,it'simportanttodesignapropersecurityprogramtotrainalluserswithintheorganization.

Userawarenessisakeyfactorofanysecurityprogram.Thiselementteachesauserabouttheimportanceofconfidentialitytokeepdatasafeandsecureitfromunauthorizedpersons.Usersshouldbetaughtaboutpotentialthreatsandattacksandproceduresonhowtoreportasecurityincidentwithintheorganization.

Continualusertrainingisimportanttomakesureeachuserismadeawareofanyupdatestothesecuritytrainingprogramandensuringtheyarefamiliarwiththesecuritypoliciesandprocedureswithintheorganization.

Physicalaccesscontrolshouldbemademandatoryinrestrictedareasoftheorganization,suchasaccesstodatacenters,networkclosets,andanyotherareasunauthorizedpersonsarenotallowed.

Wireshark101Wiresharkisoneofthemostpopularnetworkprotocolanalyzersandsnifferswithinthenetworkingandcybersecurityindustry.Thistoolallowsanetworkengineertodissecteachmessageanddeterminewhetherit'saframeorpacketasitpassesthroughanetwork,henceallowingnetworkengineersandcybersecurityprofessionalstoperformvarioustaskssuchaspacketanalysisandnetworkforensics.

Tip


TodownloadWireshark,pleasevisittheURL:https://www.wireshark.org/.

Furthermore,Wiresharkallowsyoutoseeallthedetailscontainedwithinamessage,suchassourceanddestinationIPaddresses,MACaddresses,andTransportlayerinformationsuchasportsandprotocols.Suchinformationisveryusefulwhetheryou'retroubleshootinganissueonthenetworkorlookingforanyabnormalbehavioronnetworktraffic.

Thefollowingisabrieflistofhowto'swithWireshark:

Tocapturenetworkpacketsbetweenyourcomputerandtheirdestination,simplyopenWiresharkanddouble-clickontheinterfaceonwhichyouwishtocapturenetworkpackets:


https://www.wireshark.org/

Figure11.28–Wiresharkinterfaces

Eachinterfacewillshowanactiveflowoftraffictoindicatewhichinterfacesaresendingandreceivingdata.Afterdouble-clickinganinterface,Wiresharkwillbeginpopulatingitsuserinterfacewithreal-timetrafficdetails.


Bydefault,WiresharkwilldisplayIPaddressesandportnumbersinitsnumericalformat.ToallowWiresharktoresolvepublicIPaddressestohostnamesandportnumberstoaservicenetwork,clickEdit|Preferencesandenabletheoptionsshowninthefollowingscreenshot:

Figure11.29–NameresolutioninWireshark

Todisplaytrafficfromaspecificsource,usetheip.src==<ip

address>displayfilter,asshowninthefollowingscreenshot:


Figure11.30–SourceIPaddressdisplayfilter

Additionally,youcanright-clickonasourceIPaddressontheSourcecolumn,thenchooseApplyasFilter|Selectedtoautomaticallycreateadisplayfilter,asshowninthefollowingscreenshot:


Figure11.31–Automaticdisplayfilters

Todisplaytrafficbetweenaspecificsourceanddestination,usethe(ip.src==<ipaddress>)&&(ip.dst==<ip

address>)displayfiltershowninthefollowingscreenshot:


Figure11.32–SourceandDestinationdisplayfilter

Tip

TolearnmoreaboutWiresharkdisplayfilters,pleaseseetheURL:https://wiki.wireshark.org/DisplayFilters.

Toviewasummaryofallnetworkconversationsbetweenalldevices,clickStatistics|Conversations,asshowninthefollowingscreenshot:


https://wiki.wireshark.org/DisplayFilters

Figure11.33–Networkconversations

ThiswindowwillprovideyouwithvarioustabssuchasEthernet,IPv4,IPv6,TCP,andUDP,whichwillallowyoutoviewspecifictypesoftrafficbasedon


Layer2,Layer3,orLayer4details.

Importantnote

TodiscoverthefullpotentialofWireshark,besuretocheckoutthebookLearnWireshark,byLisaBockpublishedbyPacktPublishingattheURL:https://www.packtpub.com/networking-and-servers/learn-wireshark-fundamentals-wireshark.

Inthenextsection,youwilllearnhowtouseWiresharktoexportobjectsfromapacketcapture.

Lab–AnalyzingpacketsInthelab,youwilllearnthefundamentalsofgettingstartedwithWireshark.

Tobegin,usethefollowinginstructions:

1. Gotohttps://www.wireshark.org/,anddownloadandinstallWiresharkonyourcomputer.

2. Gotohttps://wiki.wireshark.org/SampleCaptures,downloadthehttp_with_jpegs.cap.gzfile,andopenwithWireshark.Oncethe

captureisloaded,youcanseeeachpacketanditsdetails.

3. Double-clickonthefirstpackettoviewthecontents:


https://www.packtpub.com/networking-and-servers/learn-wireshark-fundamentals-wireshark

https://www.wireshark.org/

https://wiki.wireshark.org/SampleCaptures

Figure11.34–Packetdetails

Here,youcanseeallofthespecificdetailsaboutthispacketsuchasthesourceanddestinationMACaddresses,sourceanddestinationIPaddresses,andthetransportlayerprotocolandportnumbersbeingused.

4. Toseealistofalloftheconversationsthathappenedduringthiscapture,clickonStatistics|Conversations:


Figure11.35–Networkconversations

EachtabwillprovideyouwithdetailsaboutthetransactionsbetweenalldevicesviatheirMACaddresses(Ethernet),IPv4andIPv6addresses,andTCPandUDPportnumbers.

5. Duringacapture,Wiresharkisalsocapturingallfilesanddatabeingsentacrossthenetwork.Toseealistofallfilesthatwereeitheruploadedordownloadedduringthecapture,clickonFile|ExportObjects|HTTP:


Figure11.36–ViewingfileswithWireshark

Theprecedingsnippetshowsalistoffiles,theirsourceoforigin,filetype,size,andfilename.

6. Toexportafileontoyourdesktop,clickonafile(packet72)andclick

Save.Oncethefilehasbeensaved,youcanviewitlocallyonyoursystem.Additionally,theSaveAlloptionwillautomaticallyexportallfilesonyourlocalcomputer.


Havingcompletedthissection,youhavelearnedhowtoviewallconversationsonanetwork,exportfilesthatweretransmittedbetweenasourceanddestination,andseefulldetailswithinapacket.

SummaryInthischapter,youhavelearnedabouttheimportanceofinformationsecurityandtheneedtoprotectallassetswithinanorganization.Wehavecoveredthevarioustypesofthreats,vulnerabilities,andattacks.Furthermore,we'vediscussedtheimportanceofimplementingAAAwithinanorganizationtohelpmanageuseraccessonacorporatenetwork.

IhopethischapterhasbeeninformativeforyouandishelpfulinyourjourneytowardlearninghowtoimplementandadministrateCiscosolutionsandpreparefortheCCNA200-301certification.Inthenextchapter,ConfiguringDeviceAccessControlsandVPNs,youwilllearnhowtosecureyournetworkdevicesandlearnaboutVirtualPrivateNetworks(VPNs).

QuestionsThefollowingisashortlistofreviewquestionstohelptoreinforceyourlearningandidentifywhichareasyoumightneedtoworkon:

1. Whichofthefollowingisanexampleofanintangibleasset?

A.Computer

B.Operationprocedures

C.Customer


D.Employee

2. Ensuringamessageisnotalteredduringtransmissionbetweenasourceanddestinationisreferredtoaswhichofthefollowing?

A.Hashing

B.Confidentiality

C.Integrity

D.Availability

3. Whichofthefollowingbestdescribesapersonwhodoesn'tfullyunderstandhowtoperformhackingtechniquesbutfollowstheinstructionsgivenbyrealhackers?

A.Hobbyist

B.Disgruntledemployee

C.Insiderthreat

D.Scriptkiddie

4. Ahackerisattemptingtotrickpeopleintoclickingamaliciouslinkwithatextmessage.Whattypeofattackisthis?

A.Smishing

B.Vishing

C.Phishing


D.Spearphishing

5. AnattackerdecidedtocompromiseaDNSservertoredirectalluserstoamaliciousdomaininthehopetheunsuspectinguserenterstheirusercredentialsonthefakewebsite.Whatisthenameofthisattack?

A.Whaling

B.Spearphishing

C.Pharming

D.Hoax

6. Whichtypeofmalwareencryptsallthedataonyourlocaldriveandasksformoney?

A.Worm

B.TrojanHorse

C.RAT

D.Ransomware

7. Anattackerisattemptingtopreventusersfromaccessingawebsiteontheinternet.Whichtypeofattackwilltheattackermostlylikelyuse?

A.Virus

B.DoS

C.RAT


D.Worm

8. WhichAAAprotocolworksonallvendorequipment?

A.RADIUS

B.TACACS+

C.aaanew-model

D.Kerberos

9. WhichcommandenablesthenewAAAfeaturesonaCiscodevice?

A.aaa-newfeatures

B.aaa-newmodel

C.aaanew-model

D.new-modelaaa

10. Howcanauserimprovethemanagementoftheirpasswords?

A.Usethesamepasswordonalluseraccounts.

B.Useeasy-to-rememberpasswords.

C.Writethepasswordsonpapernotesandstorethemaway.

D.Userapasswordmanager.

Furtherreading


Thefollowinglinksarerecommendedforadditionalreading:

Typesofmalware:https://www.cisco.com/c/en/us/products/security/advanced-malware-protection/what-is-malware.html

ConfiguringAAA:https://www.cisco.com/c/en/us/td/docs/routers/connectedgrid/cgr1000/1_0/software/configuration/guide/security/security_Book/sec_aaa_cgr1000.html

Wiresharkuser'sguide:https://www.wireshark.org/docs/wsug_html/


https://www.cisco.com/c/en/us/products/security/advanced-malware-protection/what-is-malware.html

https://www.cisco.com/c/en/us/td/docs/routers/connectedgrid/cgr1000/1_0/software/configuration/guide/security/security_Book/sec_aaa_cgr1000.html

https://www.wireshark.org/docs/wsug_html/

Chapter12:ConfiguringDeviceAccessControlandVPNsAkeytopicwithinthefieldofInformationTechnology(IT)isensuringsecureconfigurationsarealwaysappliedtoourdevices.Secureconfigurationshelptoensureunauthorizedpersonsarenotgrantedaccesstoadeviceduetoadevice'smisconfiguration.Quiteoften,hackerscangainaccesstocompanies'perimeterdevicessuchasroutersandfirewallssimplybyguessingtherequiredpassword,andattimes,deviceadministratorsusedefaultconfigurationsanddefaultuseraccounts.Sometimes,administrativeaccessisnotsecurelyconfigured,andattackersareabletoaccessdevicesandperformmaliciousactions.EnsuringsecureaccesstonetworkingdevicesshouldbeatoppriorityforallITprofessionals.

Inthischapter,youwilllearnhowtosecureyournetworkingdevicestopreventunauthorizedaccessbyimplementingsecureconfigurationbestpractices.Furthermore,youwilldiscoverandlearnabouttheimportanceofusingVirtualPrivateNetworks(VPNs)toestablishsecurecommunicationbetweenremoteofficesandremoteworkers.


Deviceaccesscontrol

VPNs

Technicalrequirements


Tofollowalongwiththeexercisesinthischapter,pleaseensureyouhavetheCiscoPacketTracerapplicationinstalledonyourcomputer.

CheckoutthefollowingvideotoseetheCodeinAction:https://bit.ly/2RSWn0m

DeviceaccesscontrolWearealwaysexcitedtoconfigureournetworkingdevicessothatwecanforwardtrafficefficientlyeitheronalocalnetworkorbetweensubnets.It'salwaysafascinatingexperiencetodesignanefficientandrobustnetworkforyourorganizationorcustomer.However,ournetworkingdeviceshaveimportantandconfidentialinformationbeingstoredonthem,suchasthedevice'sconfigurations,routingprotocol,andnetworkrouters;MACaddresses;andevenSysloginformation.Ifanattackerorunauthorizedpersonisabletosuccessfullyaccessyournetworkdevices,thatpersoncanperformalotofmaliciousactions,suchasreconfiguringyournetworkroutestoforwardtraffictoanotherpath,erasingtheCiscoIOSimageanddevice'sconfigurations,adjustingSpanning-Treepaths,andsoon.

Inthissection,wewillfocusonsecuringphysical,remote,andadministrativeaccesstoyourCiscodevices.

SecuringconsoleaccessWhenyouacquireanewCiscoIOSdevice,aconsolecableisusuallyprovidedinthebox.ThiscableallowsyoutoconnectyourcomputertotheconsoleportofaCiscodeviceforthepurposeofdevicemanagement.Bydefault,nosecurityisappliedtothisinterface.Anyonewhohasphysicalaccesstoyournetwork


https://bit.ly/2RSWn0m

devicesandaconsolecableonhandwillbeabletoaccessyourCiscoswitches,routers,firewalls,andeventheAccessPoints(APs),allowingthepersontomakeunauthorizedchangestothesecomponents.SecuringtheconsoleportonallCiscodevicesismandatorytoensureanunauthorizedpersonisnotabletophysicallyaccessthedevice.

Lab–SecuringtheconsoleportInthishands-onlab,youwilllearnhowtosecureandenableauthenticatedaccesstotheconsoleportofaCiscoIOSrouter.Forthislab,wewillbeusingthefollowingnetworktopologywithinCiscoPacketTracer:

Figure12.1–Consolelabtopology

Pleaseensureyoufollowtheseguidelineswhencreatingthislabtoensureyougetthesameresults:

UseaCisco2911routeronthistopology.

UseaconsolecablebetweenPC1andtherouter.

EnsuretheconsolecableisconnectedtotheRS-232interfaceonPC1andthattheotherendisconnectedtotheconsoleportontherouter.


NowthatyourCiscolabisready,usethefollowinginstructionstounderstandthedefaultconfigurationsontheconsoleportandhowtosecurephysicalaccesstoit:

1. ClickonPC1,selecttheDesktoptab,andclickonTerminal:

Figure12.2–AccessingtheTerminalonCiscoPacketTracer

Inaproductionenvironment,youwillneedtouseaTerminalemulationapplicationsuchasPutty,SecureCRT,orTeraTermtointerfacewithaCiscodeviceoveraconsoleconnection.

2. EnsurethefollowingparametersaresetontheTerminalapplicationand


clickOKtoestablishasession:

Figure12.3–Terminalsettings

ThesettingsshownintheprecedingscreenshotareusedtoensurethePC'sserialinterfacematchesthesettingsontheconsoleportoftheCiscodevice.

3. Theinitialsystemconfigurationdialogwillappear.TypenoandhitEnter

twice:


Figure12.4–Terminalconnection

NoticethatyouhavegainedaccesstotheUserExecmodeontherouterwithoutanyprompttoauthenticateyourselftothedevice.Thisisthedefaultsettingontheconsoleport;thereisnoauthentication.

4. Usetheshowuserscommandtoverifythemethodyouarecurrently

usingtoaccesstherouter:

Figure12.5–Verifyingaccess

Theasterisk(*)indicatesthecurrentmethodyouareusingtoaccessthe

device.Toputitsimply,wearecurrentlyaccessingtherouterviaitsconsoleinterface.


5. InUserExecmode,theuserhastheleastprivilegesandcanperform

theleastactions.Usetheshowprivilegecommandtoverifythe

privilegelevels:

Figure12.6–CheckinguserprivilegeinUserExecmode

Privilegelevelsrangefrom1-15.Auserwithprivilegelevel1accessis

notabletoperformorexecutemanyactionscomparedtoauserwithprivilegelevel15access,whohasfulladministrativerightstoperform

anyactiononthedevice.

ImportantNote

AdditionalinformationontheCiscoIOSprivilegelevelscanbefoundathttps://www.cisco.com/c/en/us/td/docs/ios/sec_user_services/configuration/guide/12_4/sec_securing_user_services_12-4_book/sec_cfg_sec_4cli.html#wp1054522.

6. AccessPrivilegeExecmodeusingtheenablecommand,thenusethe

showrunning-configcommandtoverifytheconfigurationsonthe

consoleline:


Figure12.7–Checkingtheconfigurations

Asshownhere,therearenoconfigurationsontheconsoleport.Therefore,anyoneisabletoaccessthedeviceviathisinterface.

7. Let'sapplyapasswordandenableauthenticationontheconsoleport:

Figure12.8–Securingtheconsoleport

Thelineconsole0commandwasusedtoaccesstheconsoleline

mode,thepasswordcommandwasusedtosetthepassword,andthe

logincommandwasusedtoenableuserauthenticationontheconsole

port.Withoutthelogincommand,anyunauthenticatedusercanaccess

thedevice.


8. Uponre-establishingaconsoleconnectionbetweenPC1andtherouter,theCiscoIOSwillprovideanauthenticationprompt,asfollows.Thepasswordthat'sbeenconfiguredundertheconsolelineis

consolepass:

Figure12.9–Verifyingconsoleauthentication

9. Lastly,wecanusetheshowrunning-configcommandtoverify

thattheconfigurationhasbeenupdatedontheconsoleport:

Figure12.10–Verifyingconsoleconfigurations

Inthislab,youhavegainedtheskillstobothsecureandverifyphysicalaccesstoaCiscoIOSdeviceviaitsconsoleport.

SecuringanAUXline


Onolder,legacyCiscodevices,youwouldfindanauxiliary(AUX)port.ThisinterfacewasusedtoconnectamodemthatallowsausertoremotelyaccessaCiscorouteroveracommand-lineinterface(CLI)session.Bydefault,theAUXportisnotsecureandallowsunauthenticatedaccess.

Lab–SecuringtheAUXportInthishands-onlab,youwilllearnhowtosecureandenableauthenticatedaccesstotheAUXportofaCiscoIOSrouter.Forthislab,wewillbeusingthefollowingnetworktopologywithinCiscoPacketTracer:

Figure12.11–AUXlinetopology



Thistopologyisanextensionofthepreviouslabexercise;thatis,Securingtheconsoleport.

SimplyaddanadditionalPC2tothetopology.

UseaconsolecablebetweenPC2andtheAUXportontherouter.

NowthatyourCiscolabisready,usethefollowinginstructionstounderstandthedefaultconfigurationsontheAUXportandhowtosecurephysicalaccesstoit:

1. OnPC2,openaTerminalconnectiontotherouterviaitsAUXport.PressEnteracoupleoftimestoseetheCLIprompt.

2. Usetheshowuserscommandtoverifythemethodandinterfacebeing

usedtoaccesstherouter:

Figure12.12–AUXconnection

Asshownhere,therouterindicatesthatthecurrentconnectionisbeingmadeviatheAUXport.Additionally,yougainunauthenticatedaccesstoUserExecmode.ThismeansnosecurityisappliedtotheAUXportby

default.


3. Let'susetheenablecommandtogointoPrivilegeExecmodeto

verifytheconfigurationsundertheAUXline:

Figure12.13–AccessrestrictedtoPrivilegeExecmode

Bydefault,accessisrestrictedtoPrivilegeExecmodeviatheAUXport,butonlyifnopasswordhasbeenconfiguredforPrivilegeExecmode.

4. TosecuretheAUXport,openaTerminalonPC1totherouterviatheconsoleport.

5. UsethefollowingcommandstoaccesstheAUXport,configureapassword,andenableauthentication:

Router(config)#lineaux0

Router(config-line)#passwordauxpass

Router(config-line)#login

Router(config-line)#exit

6. Uponre-establishinganAUXsessionbetweenPC2andtherouter,auserauthenticationpromptwillbepresented:


Figure12.14–VerifyingAUXauthentication

7. Lastly,usetheshowrunning-configcommandtoverifythatthe

configurationsarepresentundertheauxline,asshownhere:

Figure12.15–AUXconfigurations


Inthislab,youhavegainedtheskillstobothsecureandverifyaccesstoaCiscoIOSdeviceviaitsAUXinterface.

VTYlineaccessOnaCiscoIOSrouterorswitch,thereare16virtualterminal(VTY)lines

rangingfrom0–15.TheseVTYlinesallowanetworkengineertoremotely

connecttothedeviceformanagement.Asanetworkengineer,youdon'talwayshavephysicalaccesstothenetworkcomponents,astheymaybedeployedataremotelocationsuchasanotherbranchofficeoratacustomer'ssite.Furthermore,theseVTYlinesalsosupportoutgoingconnectionstootherCiscodevices.VTYlinesallowbothinboundandoutboundTelnetandSSHsessions.

Telnetisanetworkprotocolthatallowsyoutoestablisharemoteterminalsessionbetweenaclientandaserver.OnaCiscodevice,there'sabuilt-inTelnetserverthatallowsnetworkengineerstoremotelyconnecttoandperformremoteadministrationonthedevice.However,Telnetisanunsecuredprotocolandtransfersalldatainplaintext.Duetothissecurityvulnerabilitywithintheprotocol,it'shighlyrecommendedtonotuseTelnetforanythingasanattackercouldcapturethedatabetweentheclientandserver.

ImportantNote

Telnetoperatesonport23bydefault.

SinceTelnetcontainsthisvulnerability,SecureShell(SSH)isthepreferredprotocolforremoteterminalaccessonanetwork.SSHprovidesdataencryptionforallthemessagesbetweentheclientandtheserver.Additionally,ausermust


providetheiridentitydetails,suchasausernameandpassword,tobeauthenticatedtotheSSHserver.ThisfeatureaddsimprovedsecuritycomparedtoTelnet.

ImportantNote

SSHoperatesonport22bydefault.

Lab–ConfiguringTelnetonaCiscorouterInthishands-onlab,youwilllearnhowtoconfigureTelnetaccessonaCiscoIOSrouter.Forthislab,wewillbeusingthefollowingnetworktopology:

Figure12.16–Telnetlabtopology


UseaCisco2911routerandaCisco2960switch.

EnsureyouconfiguretheIPaddressesandsubnetmaskaccordingly.

EnsurePC1canpingtherouter.


NowthatyourCiscolabisready,usethefollowinginstructionstoconfigureTelnetforremoteaccessfromthePCtotherouter:

1. Accesstheconsoleaspectoftherouterandusetheshowrunning-

configcommandtoverifytheTelnetsettingsontheVTYlines:

Figure12.17–VTYdefaultconfiguration

OnVTYlines0-4,Telnetisenabledbydefaultandauthenticationisalsoenabled.However,ifwetrytoaccesstherouterremotelyusingTelnet,theconnectionwillautomaticallyterminatesimplybecausenopasswordhasbeensetontheVTYlines.

2. ToconfigureTelnetonall16VTYlinesontherouter,usethefollowingconfigurations:

Router(config)#linevty015

Router(config-line)#passwordtelnetpass

Router(config-line)#login


Router(config-line)#exit

Thelogincommandisnotrequiredinthisinstanceasit'salreadythere

fromthedefaultconfigurations;however,it'sgoodpracticetostillenableauthenticationontheVTYlines.

3. Usetheshowrunning-configcommandoncemoretoverifythe

configurationsarepresentundertheVTYlines:

Figure12.18–VerifyingTelnetconfigurations

4. TotesttheTelnetconnection,openTelnet/SSHClientontheDesktoptabonPC1:


Figure12.19–Telnetclient

5. ChangeConnectionTypetoTelnet,settherouter'sIPaddress,and

clickConnect:


Figure12.20–Telnetclientsettings

6. You'llbepromptedforapassword.UsetheTelnetpassword(telnetpass)wehaveassignedundertheVTYlines:


Figure12.21–Telnetconnection

Sincetheauthenticationpromptwaspresent,thisisanindicationthatTelnetwasenabledontherouter.Additionally,theshowuserscommandverifiesthat

thecurrentconnectiontotherouterisviatheVTYlinefrom192.168.1.10

(PC1).

Havingcompletedthislab,youhavegainedhands-onexperiencewithenablingTelnetonaCiscoIOSdevice.Inthenextlab,youwilllearnhowtoconfigure


SSHforremoteaccess.

Lab–EnablingSSHonaCiscoIOSdeviceInthishands-onlab,youwilllearnhowtoconfigureSSHaccessonaCiscoIOSrouter.Forthislab,wewillbeusingthefollowingnetworktopology:

Figure12.22–SSHlabtopology

Pleasenotethatthislabissimplyanextensionofthepreviousexercise;youdonotneedtorebuildthenetwork.NowthatyourCiscolabisready,usethefollowinginstructionstoconfigureSSHforremoteaccessfromthePCtotherouter:

1. Changethedefaulthostnameontherouter:

Router(config)#hostnameR1

2. Jointhedevicetoadomain:

R1(config)#ipdomain-nameccnalab.local

3. CreatealocaluseraccountfortheSSHuser:


R1(config)#usernameuser1secretsshpass

4. GenerateRSAencryptionkeysandsetthekeysizeto1024:

R1(config)#cryptokeygeneratersageneral-keys

modulus1024

5. EnableSSHversion2toimprovesecurity:

R1(config)#ipsshversion2

Bydefault,SSHv1isenabled.

6. ConfigureVTYlines0-15sothattheyonlyacceptSSHconnections(thisdisablesTelnet):


R1(config-line)#transportinputssh

7. ConfiguretheVTYlinestoquerythelocaluserdatabaseforauthentication:


8. SinceTelnetisdisabledandthelocaldatabasewillbeusedforuserauthentication,removethepasswordundertheVTYlines:


9. ConfigureaninactivitytimeoutforidlesessionsontheVTYlines.Let'suse2minutes:

R1(config-line)#exec-timeout2


10. TotestSSH,headonovertoPC1andopenTelnet/SSHClient.

11. SetConnectionTypetoSSH,specifytheIPaddressoftherouter,anduse

theusernamefromtheuseraccount,asshownhere:

Figure12.23–SSHclientconfigurations

12. Youwillreceiveanauthenticationpromptaskingforapassword(theusernamewasalreadyspecifiedontheSSHclient).SimplyenterthepasswordfortheaccountandhitEnter:


Figure12.24–SSHsession

Asshownintheprecedingscreenshot,weareconnectedtotherouteronVTYline0withtheuser1account.

13. Additionally,theshowipsshcommandverifiestheSSHversion,the

authenticationtimevalue,andthenumberofauthenticationretries,asshownhere:


Figure12.25–VerifyingSSHdetails

Furthermore,showsshverifiesthecurrentSSHsessionsandusers.Theip

sshtime-outsecondscommandallowsyoutomodifythedefaultSSH

timeoutvalues,whiletheipsshauthentication-retriesnumber

commandallowsyoutochangetheauthenticationretryvalue.

ImportantNote

Theloginblock-forsecondsattemptstrieswithin

secondscommandisusedtodisableuserloginafteraspecifiednumberof

failedauthenticationattemptswithinaspecifictimeinterval.

Bycompletingthislab,youhavegainedhands-onexperiencewithconfiguringandenablingSSHforremoteaccessonaCiscoIOSrouter.

SecuringPrivilegeExecmode


Bynow,youmayhavenoticedthatoncesomeoneisabletoaccessPrivilege

Execmode,theuserisabletogathersensitiveandconfidentialinformation

aboutthenetworkandthedevice.Furthermore,ausercanescalatetheirprivilegestoGlobalConfigmode,wheretheuserisabletoapply

configurationsandmakemodificationstothedevice.Thiscreatesasecurityrisk.

ImportantNote

Thesecureboot-imagecommandpreventsauserfromeitherpurposelyor

accidentallydeletingtheCiscoIOSimage,whilethesecureboot-config

commandisusedtoprotecttherunningconfigurations.

TheCiscoIOShasmanysecurityfeaturesbuiltintoitthatenableustopreventunauthorizedaccess.OnesuchfeatureispreventingunauthorizedaccessspecificallytoPrivilegeExecmode.Onemethodistousetheenable

password<mypassword>commandtorestrictaccesstoPrivilege

Execmode.

ImportantNote

TheautosecurecommandisusedtoinitializetheCiscoIOSlockdown

featureonthedevice.

Thefollowingisanexampleofusingtheenablepasswordcommandwith

apasswordofcisco123:

R1(config)#enablepasswordcisco123

Oncethisconfigurationisapplied,eachtimeausermovesfromUserExec


modetoPrivilegeExecmode,theCiscoIOSwillprompttheuserto

authenticatebeforeproceeding.Thedownsideofusingtheenable

passwordcommandisthatitdoesnotprovideanyencryptionoftheactual

password.Ifausercanaccesstherunning-configorstartup-config

files,thepasswordisvisibleinplaintext,asshownhere:

Figure12.26–Enablingpasswordinplaintext

Duetothissecurityvulnerability,Ciscohasimplementedasecureversionoftheenablepasswordcommand.Thisimprovedmethodusestheenable

secretcommand,whichencryptsthepasswordbydefaultusingtheMessage

Digest5(MD5)hashingalgorithm.

ThefollowingisanexampleofsecuringaccesstoPrivilegeExecmode

usingtheenablesecretcommand,followedbycisco456,whichisthe

password:


R1(config)#enablesecretcisco456

Thefollowingsnippetshowsthatthepasswordhasbeenencryptedwithintherunning-configfile:

Figure12.27–Theenablesecretcommand

Ciscousesanumericalvaluetoindicatethetypeofpasswordstoredwithinrunning-configandstartup-config.Thefollowingarevarious

passwordtypesonCiscoIOSdevices:

enablepassword:Plaintextpassword,encodingType0.

enablesecret:MD5algorithmusedtoencryptthepassword,

encodingType5.

Sincethedevicehasbeenconfiguredwithbothenablepasswordand

enablesecret,whichpasswordwillbeacceptedbytheCiscoIOS?The

simpleansweristhatitwillalwaysbethestrongerpassword,whichistheonethat'sappliedusingtheenablesecretcommand.Sincethestronger


passwordwillbeusedbythedevice,enablepasswordisnowobsoleteand

shouldberemoved.UsingtheGlobalConfigcommand,noenable

passwordwillremoveenablepasswordfromthedevice'srunning-

configfile,asshownhere:

Figure12.28–Removingenablepassword

Overtheyears,securityresearchersandhackershavebeenabletocompromisetheMD5hashingalgorithm.ThismeansanattackerhasbeenabletoreversetheMD5hashvalueofthepasswordandretrievetheactualpassword.Inlightofthissecurityvulnerability,CiscohasimplementedamoresecurehashingalgorithmknownasSCRYPT.

Thefollowingsnippetshowsthecommandthat'susedtocreateasecurepasswordusingSCRYPTonaCiscoIOSdevice:


Figure12.29–EnablingSCRYPTonCiscodevices

SCRYPTismoresecurethanMD5andthereforeusesanencodingofType9

withtheSHA256hashingalgorithm.Thefollowingsnippetshowsthatthe

SCRYPThashisalotlongerthantheenablesecretMD5hash:

Figure12.30–Type9encoding


WhenconfiguringaccesstoPrivilegeExecmode,ensureyouusethemost

securemethodavailableonthedevice.SomedevicesmaynotsupportSCRYPT.Inthissituation,enablesecretwillbethemoresecureoptioncomparedto

enablepassword,whichdoesnotprovideanyencryption.

EncryptingallplaintextpasswordsWithinsomemodesontheCiscoIOS,wearenotabletoconfiguresecurepasswords,suchaslineconsole0,lineaux0,andeventheVTY

lines.Withinthesemodes,theonlycommandthatallowsustocreateandsetapasswordisthepasswordcommand.Fromourdiscussionsintheprevious

sectionsofthischapter,youhavelearnedthatthepasswordcommanddoes

notencryptthepasswordsstoredwithinthedevice'sconfiguration.

Thefollowingsnippetshowshowpasswordsarestoredwhenthepassword

commandisused:


Figure12.31–Plaintextpasswords

Additionally,withintheCiscoIOS,thereareothermodesandconfigurationsthatrequireapasswordtobeconfiguredbutonlysupportthepasswordcommand.

AsimpleexampleisconfiguringPoint-to-Point(PPP)usingthePasswordAuthenticationProtocol(PAP)onaWideAreaNetwork(WAN).TheCiscoIOSconfigurationsrequireapasswordtobesentacrosstheWANlinktoauthenticatebothroutersbeforeestablishingtheWANconnection.InPAPauthentication,thepasswordcommandisavailable.Thismeansthepassword

isstoredinplaintextontherouter.

OnaCiscoIOSdevice,theservicepassword-encryptioncommandis

appliedtoGlobalConfigmodetoencryptallplaintextpasswords.Oncethis

commandhasbeenappliedtoadevice,allthepasswordsthathavebeenconfiguredinplaintextwillautomaticallybeencrypted.ThefollowingisanexampleofusingthiscommandonaCiscoIOSrouter:

R1(config)#servicepassword-encryption

Thefollowingsnippetshowsthatthepasswordsundertheconsole(con)and

auxiliary(aux)linesarenowencrypted:


Figure12.32–Theservicepassword-encryptioncommand

PasswordencodingType7isnotstrongencryptiononadevice.Thistypeof

encryptioncaneasilybebrokenbyanattacker.However,thisistheonlyformofencryptionforplaintextpasswordsonaCiscoIOSdeviceatthistime.

VirtualPrivateNetworksLet'simagineyou'vestartedabusinesswhereyouprovideproductsandservicestoyourpotentialcustomers.Youbeginbyopeningasinglephysicallocationandhirestafftohelprunyourcompanyandensureday-to-daytransactionsareconductedefficiently.Aftersometime,yourealizethebusinessneedsyourequireinordertoexpandandprovidemoresupportandservicestocustomerswhoarelocatedwithinanothercountry.Duetothis,youhavedecidedthatanotherbranchofficeisbettersuitedtomeetthedemandsatthenewlocation.However,oneconcernishowtheemployeesatthenewremotelocationwillaccesstheresourcesatthemainbuildinginyourhomecountry.

Thereareafewsolutionstothisissue.OnemethodistoreplicatetheITinfrastructureofthehomebranchatthenewremotebranch,butthiswillbeabit


costlyasthenewbranchonlyrequiresafewemployeesandhavingadedicatedITteamisnotnecessary.AnothersolutionmaybetosetupaWANviayourlocalInternetServiceProvider(ISP)toextendyourlocalareanetworkfromyourmainoffice,overtotheremotebranch.HavingadedicatedWANconnectionwillensurebothofficeswillbeabletointerconnectandsharenetworkresources.However,thedownsideofhavingaWANserviceisitssubscriptionfees,whicharepayabletotheserviceprovider.ThecostofadedicatedWANservicemaynotbewithinyourbudgetandperhapsanalternativesolutionmayberequired.

AnothersolutionistocreateaVirtualPrivateNetwork(VPN)betweenthetwooffices.AVPNcreatesanencryptedtunnelbetweentwoormoredevicesoveranunsecurednetworksuchastheinternet.ThismeansalltrafficthatissentthroughtheVPNtunnelwillbeencryptedandkeptconfidentialfromhackersonanetworkortheinternet.

ThefollowingarethebenefitsofusingaVPN:

UsingaVPNwillsaveyoumoneyasit'sfree.

VPNsprovidesecurityforallyourtrafficthatissentacrosstheVPNtunnel.

AVPNsupportsscalability,somoreremotesitesanduserscanconnecttothecorporatenetworksecurely.

Sincemanyorganizationsalreadyhaveafirewallattheirnetworkperimeter,mostfirewallsalreadyhavebuilt-insupportforVPNcapabilitiesintheiroperatingsystems.Therefore,youdon'tneedtopurchaseadditionalcomponentsordevices.SinceaVPNencryptsalltrafficsentacrossitstunnel,youdon'thave


toworryaboutwhetherahackerisinterceptingandreadingyourdata.Dataencryptionprovidesanextralayerofsecurityasthetrafficispassingthroughtheinternet.Additionally,VPNsuseauthenticationprotocolstoensureyourdataisprotectedfromunauthorizedaccesswhileit'sbeingsenttothedestination.VPNsallowtwoormorebranchnetworksanduserstoestablishasecureconnectionovertheinternettothecorporatenetwork.

SinceVPNscanbeusedovertheinternet,thismakesitverysimpletoaddnewremoteworkerswithouthavingtoexpandtheinfrastructureoftheservice.Toputitsimply,onceauserhasaccesstotheinternet,theycanaccessthecorporatenetworkusingaVPNconnection.

Inthenextsection,youwilllearnaboutatypeofVPNthatallowsyoutoconnectremotebranchnetworkstogetheroverthenetwork.

Site-to-SiteVPNsOnechallengemanyorganizationsexperienceisensuringalltheirremotebranchofficesarealwaysconnectedtotheircorporateheadquarters'location.Thisissimplybecausemostresources,suchasapplicationservers,arecentrallystoredatthemainoffice.Aswementionedpreviously,therearemanydifferenttypesofWANsolutions,fromvariousISPssuchasMetroEthernet(MetroE)andMultiprotocolLabelSwitching(MPLS)solutions.

ImportantNote

TolearnabouttheessentialsofMPLS,pleaseseethefollowingURL:https://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/4649-mpls-faq-4649.html.TolearnmoreaboutMetroEthernet,see


https://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/4649-mpls-faq-4649.html

thefollowinglink:https://www.cisco.com/c/dam/global/fr_ca/training-events/pdfs/Deploying_Metro_Ethernet.pdf.

However,thesesolutionsaresubscription-basedservicesandacustomermaynothavetherequiredbudgetormaybelookingforanalternativesolution.

ImportantNote

AnInternetServiceProvidercanuseMPLStocreateLayer2orLayer3virtualpathsbetweensites.OnaLayer2MPLSVPN,theISPisnotresponsibleforroutingthecustomer'straffic;instead,theISPimplementsaVirtualPrivateLANService(VPLS)toemulateEthernetovertheMPLSnetwork.OnaLayerMPLSVPN,thecustomerandtheISProutersarepeered,andthecustomer'sroutersareredistributedviatheMPLSnetworktothecustomer'sremotesites.

AsimplesolutionistocreateaSite-to-SiteVPNbetweentheHQlocationandthebranchoffice.Sincebothlocationswillalreadyhaveaninternetconnection,thereisnoneedtopurchaseanyadditionalservicesfromyourlocalISP.However,eachlocationwillrequireaVPNconcentratordeviceforbothestablishingandterminatingtheVPNtunnel.AVPNconcentratorisarouterorfirewallwiththecapabilitiesofestablishingaVPNconnectionbetweenitselfandaVPNclientoranotherVPNconcentrator.

ThefollowingdiagramshowstwobranchnetworksinterconnectedusingaSite-to-SiteVPN:


https://www.cisco.com/c/dam/global/fr_ca/training-events/pdfs/Deploying_Metro_Ethernet.pdf

Figure12.33–Site-to-SiteVPN

Asshownintheprecedingdiagram,theVPNtunnelisestablishedbetweenthetwofirewallsonly.Therefore,trafficbetweentheremotebranchandHQnetworkswillbesentacrosstheVPNtunnelandalldatawillbeencryptedbythefirewalls.KeepinmindthatalltrafficwithineachLANwillnotbeencrypted;onlythetrafficthatispassingthroughtheVPNtunnelwill.

ThistypeofVPNallowsanorganizationtoreduceitsexpenditureonconnectingremotesitesandusesitsexistinginfrastructureanddevices.Additionally,aSite-to-SiteVPNcanbeusedasaredundantconnectionbetweenbranchoffices.

RemoteaccessVPNsTherearemanyemployeeswhoworkremotelyathomeorwhoaremostlyinthefield,andawayfromtheoffice.Theymayneedtoaccessresourcesonthecorporatenetwork,andgoingintotheofficetoretrieveoraccesssuchresourcesmaynotbeconvenient.AsimplesolutionistodeployaremoteaccessVPN,whichallowsremoteworkerstoestablishaVPNtunnelbetweentheirdevice,


suchasacomputer,andthecorporatenetworkthroughtheinternet.

ThefollowingdiagramshowstheVPNtunnelbetweenaremoteworker'sPCandthecorporatenetwork:

Figure12.34–RemoteaccessVPN

WitharemoteaccessVPN,aVPNclientsuchasCiscoAnyConnectSecureMobilityClientmustbeinstalledontheremoteworker'sdevice.WhentheremoteworkermustaccessaresourceattheHQnetwork,theVPNclientisusedtoestablishasecuretunnelbetweenthedeviceandtheVPNconcentrator,suchasafirewallorrouteratthecorporatesite.

ThefirewalladministratorcanconfiguretheremoteaccessVPNforusersinoneofthefollowingmodes:

FullTunnel

SplitTunnel


InFullTunnelmode,alltrafficthatmustgoouttotheinternetfromtheclient'sPCwillbesentacrosstheVPNtunneltotheVPNconcentrator,whereitwillbesentouttotheinternet.Allreturningtrafficwilltakethesamepathbacktotheclient'sPC.

InSplit-Tunnelmode,onlytrafficwiththecorporatenetworkasitsdestinationwillbeencryptedandsentacrosstheVPNtunnel.TrafficthathastheinternetasitsdestinationwillnotbesentviatheVPNtunnelbutratherdirectlyouttotheinternetfromtheuser'sPC.ThismodecreateslessoverheadontheVPNtunnelandreducestheCPUandRAMconsumptionontheVPNconcentrator.

AnothertypeofVPNconnectionisusingaclientlessVPN.WithaclientlessVPN,thereisnoneedtoinstallaVPNclientontheuser'smachine.However,theconnectionisencryptedandsecurebetweenaclient'swebbrowserusingSecureSocketsLayer(SSL)orTransportLayerSecurity(TLS)encryptionoverHTTPS.KeepinmindthattrafficbetweenthewebbrowserandtheVPNconcentratorisencrypted;allothertrafficisnot.

IPsecInternetProtocolsecurity(IPsec)isaframeworkthatsimplydefineshowVPNscanbesecuredoveranIP-basednetwork.ThefollowingarethebenefitsofusinganIPsecVPN:

Confidentiality:ConfidentialitysimplyensuresalldatasentacrosstheIPsecVPNtunnelisencryptedwithanencryptionalgorithmsuchastheDataEncryptionStandard(DES),TripleDES(3DES),orAdvancedEncryptionStandard(AES).Dataencryptionpreventseavesdroppingwhiledataisbeingtransmitted.


Integrity:IntegrityensuresthatalldatasentacrosstheIPsecVPNtunnelisnotalteredormodified.OnanIPsecVPN,hashingalgorithmssuchasMD5andSHAareusedtodetectanyalterationofmessagesovertheIPsectunnel.

Originauthentication:AuthenticationonanIPsecVPNensureseachuserisidentifiedcorrectlyandthatthemessagesarenotoriginatingfromsomeoneelse.InIPsec,theInternetKeyExchange(IKE)isusedtoauthenticateusersandVPNclients.IKEusesvariousmethodstovalidateuserssuchasdigitalcertificatessuchasRSA,apre-sharedkey(PSK),orausernameandpassword.

Anti-replay:Anti-replaypreventsauserfromcapturingandattemptingtoperformareplayattackontheIPsecVPNtunnel.

ImportantNote

IPseccontainstwoprotocols:AuthenticationHeader(AH)andEncapsulatingSecurityPayload(ESP).ThedifferencebetweenthesetwoprotocolsisthatAHauthenticatestheLayer3packetonly,whileESPencryptstheentireLayer3packet.Keepinmindthattheseprotocolsarenotcommonlyusedtogether.

Diffie-Hellman(DH)isdefinedasanalgorithmusedtosecurelydistributepublickeysoveranunsecurednetwork.Thepublickeysarepartofakeypair:theprivatekeyandapublickeyareusedfordataencryptionanddecryption.TherearevariousDHgroups,suchas1,2,4,14,15,16,19,20,21,and24.

Inthenextsection,youwilllearnhowtoconfigureaSite-to-SiteVPNusing


IPseconaCiscoenvironment.

Lab–Configuringasite-to-siteVPNInthishands-onlab,youwilllearnhowtoconfigureandimplementaSite-to-SiteIPsecVPNusingCiscoIOSrouters.Forthislab,wewillbeusingthefollowingtopologywithinCiscoPacketTracer:

Figure12.35–Site-to-siteVPNtopology

Pleaseusethefollowingguidelineswhencreatingthislabtoensureyougetthesameresults:


UseCisco2911routers.

ConfigureadefaultroutefromboththeHQandR1routersthatpointstotheISP.

OntheISP,configurenetworkstaticrouterstotheLANofHQandtheLANofR1.

EnsureyouassignanIPaddresstoeachdevice,asshowninthefollowingtable:


Nowthatyourlabenvironmentisready,usethefollowinginstructionstoconfigureanIPsecSite-to-SiteVPNbetweenR1andtheHQrouter:

1. Configurethefollowingstaticroutesoneachroutertosimulatetheinternet:


R1(config)#iproute0.0.0.00.0.0.0192.0.2.5

ISP(config)#iproute10.10.10.0255.255.255.0


192.0.2.2


192.0.2.6

2. UsethefollowingcommandonboththeHQandR1routerstobootthesecurityk9license.Thesecurityk9licenseenablesfeaturessuch

asIPsec,SSL,SSH,andothersecuritycapabilitiesonarouter.ThiscommandenablestheVPNcapabilitiesoneachdevice:

HQ(config)#licensebootmodulec2900technology-

packagesecurityk9

3. AccepttheuseragreementbyenteringyesandhittingEnter.

4. Savethedeviceconfigurationsandrebooteachforthelicensetotakeeffect:

HQ#copyrunning-configstartup-config

HQ#reload

5. Onceeachdevicehasbeenrebooted,usetheshowversioncommand

toverifythatthesecuritytechnologypackagehasbeenabledonboththeHQandR1routers:


Figure12.37–Verifyingthesecuritypackage

6. CreateanAccessControlList(ACL)onHQtoidentifytrafficthatisallowedbetweentheLANonHQandtheLANonR1.ThistrafficwillbeencryptedandsentacrosstheIPsecVPNtunnelbetweentheLANs:

HQ(config)#ipaccess-listextendedVPN-Traffic

HQ(config-ext-nacl)#permitip10.10.10.0

0.0.0.255192.168.1.00.0.0.255

HQ(config-ext-nacl)#exit

7. ConfiguretheInternetKeyExchange(IKE)Phase1ISAKMPpolicy

ontheHQrouter.IKEPhase1createsanoutertunnelthatbothVPN

routers/firewallsusetonegotiatesecurityparametersbeforeestablishingtheIKEPhase2tunnelfordatatransfer.Thefollowingcommandsare

usedtocreatetheIKEPhase1ISAHMPpolicy:

HQ(config)#cryptoisakmppolicy5


HQ(config-isakmp)#encryptionaes256

HQ(config-isakmp)#authenticationpre-share

HQ(config-isakmp)#group5

HQ(config-isakmp)#exit

HQ(config)#cryptoisakmpkeymyipseckeyaddress

192.0.2.6

8. ConfiguretheIKEPhase2IPsecpolicyontheHQrouter.IKE

Phase2isestablishedaftertheIKEPhase1tunnelandisusedto

transporttheactualdatabetweennetworksorenddevices.Createthetransformset,nameitIPsec-VPN,anduseesp-aesandesp-sha-

hmacforconfidentialityandintegrity:

HQ(config)#cryptoipsectransform-setIPsec-VPN

esp-aesesp-sha-hmac

9. CreateacryptomapontheHQrouter,whichwillbeusedtoactuallyapplysecuritytothetrafficthatissentalongtheVPNtunnel,nameitIPsec-Map,andbindittotheVPN-TrafficACL:

HQ(config)#cryptomapIPsec-Map5ipsec-isakmp

HQ(config-crypto-map)#descriptionIPsecVPN

betweenHQandR1

HQ(config-crypto-map)#setpeer192.0.2.6

HQ(config-crypto-map)#settransform-setIPsec-

VPN


HQ(config-crypto-map)#matchaddressVPN-Traffic

HQ(config-crypto-map)#exit

10. AssignthecryptomaptotheoutboundinterfaceontheHQrouter:

HQ(config)#interfacegigabitEthernet0/0

HQ(config-if)#cryptomapIPsec-Map

HQ(config-if)#exit

Now,wewillstartconfiguringtheIPsecSite-to-SiteVPNonR1usingthefollowinginstructions:

1. CreateanACLonR1toidentifytrafficthatisallowedbetweentheLANonR1andtheLANonHQ.ThistrafficwillbeencryptedandsentacrosstheIPsecVPNtunnelbetweentheLANs:

R1(config)#ipaccess-listextendedVPN-Traffic

R1(config-ext-nacl)#permitip192.168.1.0

0.0.0.25510.10.10.00.0.0.255

R1(config-ext-nacl)#exit

2. ConfiguretheIKEPhase1ISAKMPpolicyontheR1router:

R1(config)#cryptoisakmppolicy5

R1(config-isakmp)#encryptionaes256

R1(config-isakmp)#authenticationpre-share

R1(config-isakmp)#group5

R1(config-isakmp)#exit


R1(config)#cryptoisakmpkeymyipseckeyaddress

192.0.2.2

3. ConfiguretheIKEPhase2IPsecpolicyontheR1router.Create

thetransformset,nameitIPsec-VPN,anduseesp-aesandesp-

sha-hmacforconfidentialityandintegrity:

R1(config)#cryptoipsectransform-setIPsec-VPN

esp-aesesp-sha-hmac

4. Createacryptomap,nameitIPsec-Map,andbindittotheVPN-

TrafficAPL:

R1(config)#cryptomapIPsec-Map5ipsec-isakmp

R1(config-crypto-map)#descriptionIPsecVPN

betweenR1andHQ

R1(config-crypto-map)#setpeer192.0.2.2

R1(config-crypto-map)#settransform-setIPsec-

VPN

R1(config-crypto-map)#matchaddressVPN-Traffic

R1(config-crypto-map)#exit

5. AssignthecryptomaptotheoutboundinterfaceontheR1router:


R1(config-if)#cryptomapIPsec-Map

R1(config-if)#exit


6. Atthispoint,boththeR1andHQroutersshouldestablishanIPsectunnel.OnPC1,openCommandPromptandsendapingtotheserverat

10.10.10.10.AfewpacketsmaydropsincetheIPsectunnelmaystill

beinitializing.

7. ToverifythestatusoftheIPsectunnel,performatraceroutetest

betweenPC1andtheserver:

Figure12.38–TraceroutebetweenPC1andtheserver

Basedontheprecedingresults,thepacketwentfromPC1toR1,thenfromR1toHQ,and,lastly,fromHQtotheserver.NoticethatthepacketdidnotgototheISProuterbutratherstraightfromR1toHQ.ThisisbecausethepacketwasencryptedandsentacrossIPsectunnelon

thenetwork.

8. ToviewtheIKEPhase1tunnel,usetheshowcryptoisakmp

sacommand,asshownhere:


Figure12.39–IKEPhase1tunnel

9. ToviewtheIPsecPhase2tunnel,whichistransportingtheusers'

traffic,usetheshowcryptoipsecsacommand,asshownhere:

Figure12.40–IPsecPhase2tunnel

10. Toviewthedetailsaboutthecryptomaponthelocalrouter,usetheshow


cryptomapcommand:

Figure12.41–Cryptomap

Thedetailsshownintheprecedingsnippetvalidatetheconfigurationswehaveappliedtothedevice.WecanseethattheVPNpeerisHQ,theACLforthepermittedtrafficontheVPNtunnel,andotherdetailsabouttheIPsectunnel,suchastheactiveinterface.

Havingcompletedthislab,youhavegainedthehands-onskillstoimplementanIPsecSite-to-SiteVPNinaCiscoenvironment.Inthenextlab,youwilllearnhowtoconfigureaCiscoIOSrouterinordertosupportaremoteaccessVPNbetweenaclientdeviceandacorporatenetwork.

Lab–ConfiguringaremoteaccessVPN


Inthishands-onlab,youwilllearnhowtoconfigureaCiscoIOSroutersothatitactsasaVPNgatewaytosupportaremoteaccessVPN.Inthislab,wewillbeusingthefollowingtopologyinCiscoPacketTracer:

Figure12.42–RemoteaccessVPNlabtopology

Pleaseusethefollowingguidelineswhencreatingthislabtoensureyougetthesameresults:

UseCisco2911routers.

ConfigureadefaultroutefromboththeHQandR1routersthatpointstotheISP.


OntheISP,configurenetworkstaticrouterstotheLANofHQandtheLANofR1.

EnsureyouassignanIPaddresstoeachdevice,asshowninthefollowingtable:


Nowthatyourlabenvironmentisready,usethefollowinginstructionstoconfigureanIPsecremoteaccessVPNontheHQrouter:

1. Configurethefollowingstaticroutesoneachroutertosimulatetheinternet:


R1(config)#iproute0.0.0.00.0.0.0192.0.2.5



192.0.2.2


192.0.2.6

2. UsethefollowingcommandonHQtobootthesecurityk9license.

ThiscommandenablestheVPNcapabilitiesoneachdevice:

HQ(config)#licensebootmodulec2900technology-

packagesecurityk9

3. AccepttheuseragreementbyenteringyesandhittingEnter.

4. Savethedeviceconfigurationsandrebooteachforthelicensetotakeeffect:

HQ#copyrunning-configstartup-config

HQ#reload

5. Onceeachdevicehasbeenrebooted,usetheshowversioncommand

toverifythatthesecuritytechnologypackagehasbeenabledontheHQrouter:


Figure12.44–Verifyingthesecuritypackage

6. CreateanIPaddresspoolforremoteaccessusersviatheVPN;therangeiswithintheHQcorporatenetwork:

HQ(config)#iplocalpoolRA-VPN-Pool

10.10.10.10010.10.10.110

7. EnabletheAAAservicesontheHQrouterandconfiguretheauthenticationloginmethodinordertousethelocaluserdatabase:

HQ(config)#aaanew-model

HQ(config)#aaaauthenticationloginRA-UserVPN

local

8. ConfiguretheAAAauthorizationfornetworkservicesontheHQcorporatenetworkinordertousethelocaluserdatabase:

HQ(config)#aaaauthorizationnetworkRA-Group-

VPNlocal


9. Createausernameandpasswordfortheremoteaccessuser:

HQ(config)#usernameuser1secretciscovpn1

10. ConfiguretheIKEPhase1ISAKMPpolicyontheHQrouter:

HQ(config)#cryptoisakmppolicy10

HQ(config-isakmp)#encryptionaes256

HQ(config-isakmp)#authenticationpre-share

HQ(config-isakmp)#group5

HQ(config-isakmp)#exit

11. Createtheremoteuserclientconfigurationsandthepasswordforthegroup(RA-Group-VPN)ontheHQrouter:

HQ(config)#cryptoisakmpclientconfiguration

groupRA-Group-VPN

HQ(config-isakmp-group)#keyremoteaccessvpn

HQ(config-isakmp-group)#poolRA-VPN-Pool

HQ(config-isakmp-group)#exit

12. ConfiguretheIKEPhase2IPsecpolicyontheHQrouter.Create

thetransformset,nameitRA-VPN,anduseesp-aesandesp-sha-

hmacforconfidentialityandintegrity:

HQ(config)#cryptoipsectransform-setRA-VPN

esp-aesesp-sha-hmac

13. CreateadynamiccryptomapontheHQrouter,nameit


RemoteAccessVPN,andsetthesequencenumberto100:

HQ(config)#cryptodynamic-mapRemoteAccessVPN

100

HQ(config-crypto-map)#settransform-setRA-VPN

HQ(config-crypto-map)#reverse-route

HQ(config-crypto-map)#exit

14. Createthestaticcryptomapfortheclientconfigurationforbothauthenticationandauthorization:

HQ(config)#cryptomapStaticVPNMapclient

configurationaddressrespond

HQ(config)#cryptomapStaticVPNMapclient

authenticationlistRA-UserVPN

HQ(config)#cryptomapStaticVPNMapisakmp

authorizationlistRA-Group-VPN

15. Specifyasequencenumbertoinsertthecryptomapentry:

HQ(config)#cryptomapStaticVPNMap20ipsec-

isakmpdynamicRemoteAccessVPN

16. Configuretheinternet-facinginterfaceonHQwiththecryptomap:


HQ(config-if)#cryptomapStaticVPNMap

HQ(config-if)#exit


17. OnPC1,opentheDesktoptabandclientontheVPNclient,asshownhere:

Figure12.45–VPNclientonPC1

18. EnterthefollowingconfigurationsintotheVPNclientinterfaceandclickConnect:


Figure12.46–VPNclientconfigurations

ThisprocessmaytakesometimetoestablishtheVPNtunnelbetweenthePCandHQrouters.

19. OncetheVPNtunnelhasbeenestablished,openCommandPromptandusetheipconfig/allcommandtoverifythatPC1hasaVPNtunnel

interfacewithanIPaddressfromtheHQnetwork:


Figure12.47–VPNtunnel

20. PerformaconnectivitytestfromPC1totheserverontheHQnetworkusingthepingcommand:



21. ToverifythatthepacketsaregoingthroughtheremoteaccessVPNtunnel,performatraceroutefromPC1totheserver:

Figure12.49–CheckingtheVPNtunnel


Asshownintheprecedingresults,thepacketwassentfromPC1to192.0.2.2,whichistheHQrouter.ThisissimplybecausetheVPNtunnel

wasestablishedbetweenPC1andtheHQrouter.AllpacketsfromPC1tothe10.10.10.0/24networkwillbeencryptedandsentthroughtheremote

accessVPNtunnel.Hence,theR1andISProuterswerenotshownasanyhopsalongthepath.

Havingcompletedthislab,youhavegainedthehands-onskillstoimplementaremoteaccessVPNonaCiscoIOSrouter.

SummaryDuringthecourseofthischapter,youlearnedhowtosecureaccesstotheconsole,AUXports,andtheVTYlines,howtosetupsecureremoteaccess,andhowtolockdownadministrativeaccessonaCiscodevice.Furthermore,youdiscoveredhowtoestablishasecuretunnelbetweentworemotesites,suchasCiscoIOSrouters,tosimplyextendtheLANattheHQcorporateofficetoaremotebranchsiteusingaVPN.

IhopethischapterhasbeeninformativeforyouandishelpfulinyourjourneytowardlearninghowtoimplementandadministerCiscosolutionsandpreparefortheCCNA200-301certification.Inthenextchapter,ImplementingAccessControlsLists(ACLs),youwilllearnhowtocreateandimplementLayer3securitycontrolsonaCiscoIOSroutertofiltertraffic.

QuestionsThefollowingisashortlistofreviewquestionstohelpreinforceyourlearningandhelpyouidentifyareasthatrequiresomeimprovement:


1. Whichcommandisusedtoenableauthenticationontheconsoleline?

A.enablelogin

B.loginenable

C.login

D.loginall

2. WhichcommandisusedtosetapasswordontheAUXline?

A.password

B.passwordenable

C.enablepassword

D.passwordlogin

3. WhichshowcommandallowsyoutoverifythemethodusedtoconnecttoaCiscodevice?

A.showssh

B.showlogin

C.showusers

D.showipssh

4. WhichcommandisusedtodisableTelnetonVTYlines?


A.notransport

B.transportinputssh

C.transportsshonly

D.transportnotelnet

5. WhichcommandisrecommendedwhencreatingasecurepasswordtoaccessPrivilegeExecmode?

A.enablepasswordsecret

B.enablepassword

C.enablesecure

D.enablesecret

6. Whichencodingtypeisusedontheenablepasswordcommand?

A.Type0

B.Type9

C.Type2

D.Type5

7. Whichcommandcanbeusedtoencryptallexistingandfutureplaintextpasswords?

A.enableserviceencryption


B.servicepassword-encryption

C.serviceencryption

D.serviceencryption-password

8. WhichofthefollowingisarequirementforaremoteaccessVPN?

A.MetroE

B.Wi-Fi

C.VPNclientsoftware

D.MPLS

9. Whichprotocol/standarddoesIPsecusetosecurelyexchangesecretskeysoveranunsecurednetwork?

A.AES

B.EncapsulatingSecurityProtocol

C.AuthenticationHeader

D.Diffie-Hellman

10. WhichIPsecprotocolencryptstheentireIPpacket?

A.ESP

B.DH

C.AH


D.AES


CiscoGuidetoHardeningCiscoIOSDevices:https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

ConfiguringaSite-to-SiteIPsecVPN:https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/configuration-professional/113337-ccp-vpn-routerA-routerB-config-00.html


https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/configuration-professional/113337-ccp-vpn-routerA-routerB-config-00.html

Chapter13:ImplementingAccessControlListsWhenevertheneedarisestointerconnecttwoormorenetworks,arouterisalwaysthepreferredchoice,simplybecausetheprimaryfunctionofarouteristoforwardpacketsbetweennetworks.However,theCiscoIOSrouterhasmanymorefeaturesasidefromsimplyforwarding.Onemajorfeatureistofiltertrafficbasedonitssourceanddestination.ThisfeaturesimplyenablestheCiscoIOSroutertoperformpacketfilteringinasimilarfashiontoafirewallapplianceonthenetwork.

Throughoutthischapter,youwilllearnhowAccessControlLists(ACLs)canbeappliedtoaCiscoIOSroutertofilterbothinboundandoutboundtraffic.Furthermore,youwilldiscoverthevarioustypesofACLsandhowtheycanbeusedinvarioussituationstoallowordenytrafficbetweennetworks.


WhatareACLs?

ACLoperation

ACLwildcardmasks

WorkingwithstandardACLs

WorkingwithextendedACLs

Technicalrequirements


Tofollowalongwiththeexercisesinthischapter,pleaseensurethatyouhavemetthefollowinghardwareandsoftwarerequirement:

CiscoPacketTracer


CheckoutthefollowingvideotoseetheCodeinAction:https://bit.ly/3cqh8JX

WhatareACLs?Asyouhavelearnedsofar,routersareusedtoforwardtrafficbetweendifferentnetworks.Asapacketentersaninboundinterfaceofarouter,theoperatingsystemhastoreadtheLayer3headerinformation,suchasthesourceanddestinationIPaddresses,andchecktheroutingtableforasuitableroute.Oncearoutehasbeenfound,therouterforwardsthepacketthroughanoutboundinterfacetoitsdestination.Ensuringthatallusersareabletosendandreceivemessagesisexcellentintermsofconnectivity,butwhatdosecurityandtherestrictionoftrafficflowbetweencertainnetworksmean?

TheCiscoIOSrouterhasmanyamazingfeaturesandcanperformavarietyofrolesonanetwork.Onesuchfeatureistoperformtrafficfilteringbetweennetworks.Thisisdoneusingaveryspecialmethodthatfirewallappliancesusetofiltertraffic,knownasanACL.

Importantnote



https://bit.ly/3cqh8JX

Firewallappliancesuseavarietyofmethodstofilterinboundandoutboundtraffic.ACLsaresimplyoneofmanymethods.

ACLscanbeappliedtotheinterfacesofaroutertofiltertrafficasitiseitherenteringorleavingtherouter.ACLsfiltertrafficbasedontheirsourceordestinationinformation.ACLsaretypicallyrulescreatedonarouterthatdeterminehowtrafficshouldbefiltered,suchaswhetheritisallowedordenied.ImplementingACLsonaCiscoIOSrouterdoesnotconverttherouterintoafirewallappliance,nordoesitreplacetheneedforadedicatedfirewallonyournetwork.ACLsaresimplyusedtofiltertrafficpassingthroughyourrouter,suchasfilteringmessagesbetweenIPsubnetsandVirtualLocalAreaNetworks(VLANs).

Bydefault,theCiscoIOSrouterisnotconfiguredwithanyACLsandtrafficisabletoflowwithoutanyrestrictions.However,whenanACLiscreated,itmustbeappliedtoaninterfacetotakeeffect.ACLscanbeusedtofilterinboundoroutboundtrafficonarouter'sinterface.Whenappliedtoaninboundinterface,therouterhastoperformadditionalchecksonalltrafficenteringtheinterfacebeforecheckingtheroutingtableforasuitablepath.Additionally,whenanACLisappliedtoanoutboundinterface,therouterstillhastoperformadditionalchecksbeforeallowingthemessagetoleavetherouter.

TherearetwotypesofACLs.Theyareasfollows:

StandardACLs

ExtendedACLs

AstandardACLisusedtofilteralltraffictypesofasourcehostornetwork.ThistypeofACLisverystraightforwardintermsofapplication.Ifyouwanttodeny


alltrafficoriginatingfromasinglehostornetwork,astandardACListhebetterchoice.

AnextendedACLallowsyoutobemoregranularwhenfilteringtraffic.ThistypeofACLallowsyoutofilterpacketsbasedonthefollowingcriteria:

Protocoltype

SourceIPaddress

Sourceportnumber(TCPorUDP)

DestinationIPaddress

Destinationportnumber(TCPorUDP)

ExtendedACListhebetterchoicewhenfilteringspecifictraffictypesbetweenasourceandadestination.

BenefitsofusingACLsTherearemanybenefitsassociatedwithusingACLstofiltertrafficwithinanorganization.Inthissection,you'lllearnaboutthevariousscenarioswhereACLscanhelpimprovesecurityandtrafficflowonanetwork.

Imaginewithinyourorganizationthattherearemanyuserswhofrequentlystreamonlinevideosduringtheirworkschedule.Thisvideotrafficcanconsumealotofbandwidthsimplybyincreasingtheloadonthenetwork.ByimplementinganACL,youcanenforceandrestrictvideotrafficwithintheorganizationandincreasenetworkperformance.Additionally,byimplementingACLsonacorporatenetwork,youcanrestrictorlimitaccesstovariousnetwork


resourcestoaspecificgroupofusers.Thisaddsalayerofnetworksecuritybygrantingaccesstoresourcestoauthorizedusersonly.

ACLscanbeusedtofilterunwantednetworkservicesandtraffic.Someorganizationsmayhavesecuritypoliciestopreventunsecuredcommunicationprotocolsontheirnetwork.OneexampleofanunsecuredprotocolisTelnet.AnACLcanbeusedtoenforcethispolicywithintheorganizationandrestrictallTelnettraffic.

Inthepreviouschapter,youlearnedhowtoimplementsecureremoteaccesstoyourCiscodevices.ImagineconfiguringremoteaccessonallyourdevicesandanyoneisabletoestablishanSSHsessionwithyourroutersandswitches.ByimplementinganACL,youcanrestrictremoteaccesstobegrantedtoaspecificusergroup,suchasthosewithintheITdepartmentofyourorganization.TheACLcanbeappliedtotheVirtualTerminal(VTY)linestofilterinboundtraffic.

WhenapplyingQualityofService(QoS)toanetwork,it'simportanttoidentifythetraffictypescorrectlyforclassificationandprioritization.ACLscanbeusedwithQoStoidentifyvarioustraffictypes,suchasVoiceoverIP(VoIP),therebyenablingtheQoStoolstoprocessthetrafficquickly.

Havingcompletedthissection,youhavelearnedabouttheneedforACLsandtheirbenefitstoanetwork.Inthenextsection,youwilllearnhowACLsoperateinpermittingordenyingtrafficbetweennetworks.

ACLoperationACLsarerulescreatedbyanetworkprofessionalontherouterorfirewall


appliancetofiltertrafficeitherenteringorleavingthedevice.ACLsarealistofsecurityrules,witheachACLcontainingeitherapermitordenystatement.

EachstatementwithinanACLisreferredtoasanAccessControlEntry(ACE).TheseACEsaretherealworkersthatallowandblockpacketsbetweennetworks.Whenarouterreceivespacketsonaninterface,theroutercheckseachACE,startingwiththefirstentryatthetopofthelistandmovingdownuntilamatchisfound.OnceamatchingACEisfound,therouterstopssearchingandexecutestheruleontheACE,eitherpermittingordenyingthetraffic.Thisprocessisknownaspacketfiltering.

Importantnote

IfnomatchesarefoundintheACLs,thepacketisdiscardedbytherouter.ThelastACEwithinallACLsisanimplicitdenystatement.Animplicit

denystatementsimplystatesthatifnomatchesarefoundinthepreviousACEs,

thepacketshouldbedeined.Theimplicitdenystatementisautomatically

insertedasthelastentrywithinanACL.Itisusuallyinvisible.

Withpacketfiltering,youcanconfiguretheCiscoIOSroutertoanalyzetrafficandcontrolaccessbetweennetworks.ACLscanbeusedtofilterinboundoroutboundtrafficortopermitordenytrafficbasedonitssourceanddestinationIPaddress(Layer3)and/orbythesourceanddestinationportnumbers(Layer4).

Importantnote

StandardACLsaredesignedtofiltertrafficfoundatLayer3only.ExtendedACLsareabletofiltertrafficatLayer3and4oftheOSImodel.


ACLscanbeconfiguredonaroutertofilterinboundtrafficoroutboundtraffic:

InboundACLs:WithinboundACLs,packetsenteringarouterareprocessedbeforetheyareforwardedtotheirdestination.TheplacementoftheinboundACLsallowstheroutertoconserveitsresources,suchasperformingroutinglookups,sincetheinboundACLcanfilterpacketsastheyenterthedevice.IfthepacketisallowedbytheinboundACL,therouterwillthenperformaroutelookupandforwardthepackettoitsdestination.ItisrecommendedtouseinboundACLstoperformpacketfilteringwhenthesourceofthetrafficisattachedorconnectedtotheinboundinterfaceofarouter.

OutboundACLs:OutboundACLsareplacedontheoutgoinginterfaceofarouter.OutboundACLsfilterpacketsaftertheyhavebeenprocessedbytherouter.TheplacementofthisACLisusefulwhenfilteringtrafficthatoriginatesfrommultipleinterfacesorsources.

ThefollowingdiagramshowstheconceptsofinboundandoutboundACLsonarouter:

Figure13.1–InboundandoutboundACLs


TogetabetterunderstandingofhowACLsareappliedtoarouter,let'stakealookatthefollowingoutput:

Figure13.2–VerifyingACLsonaninterface

TheshowipinterfacecommandisusedtoverifywhetheranACLis

appliedtoaninterfaceanditsdirectiontofiltertraffic.Asdemonstratedintheprecedingcodesnippet,thereare2ACLsappliedtotheGigabitEthernet

0/2interface.AnumberedACL,10,isappliedtofilteroutboundpackets

leavingtheinterface,andanamedACL,Restrict-FTP,isappliedtofilter

inboundpacketsontherouter'sinterface.

ThefollowingsnippetshowstheACEsfortheoutboundACLontheGigabitEthernet0/2interface:


Figure13.3–VerifyingACEswithinACL10

Asshown,ACL10containstwoACEs.ThefirstACEisapermitstatement

toonlyallowtrafficfromthehostdevicewithanIPaddressof192.168.1.10.ThehostcommandisusedtospecifyasingleIPaddressin

thisstatement.Therefore,awildcardmaskisnotrequiredwhenthehost

commandisinvoked.Thewildcardmaskissimplyaninverseofthesubnetmask,whichtellstherouterwhichbitsintheIPaddresstomatchandwhichpartstoignore.

ThesecondACEisapermitstatementtoallowalltrafficoriginatingfromthe

10.1.1.0/24network.Whenspecifyinganetworkrange,wildcardmasksare

usedtotelltherouterwhichbitstomatchintheaddressandwhichbitstoignore.

Next,let'sexaminethecontentsoftheinboundACLontheGigabitEthernet0/2interface:


Figure13.4–VerifyingACEswithinACLRestrict-FTP

Asshownintheprecedingcodesnippet,therearetwoACEswithintheinboundACL.ThefirstACEisadenystatementtopreventanyTCPtrafficoriginating

fromthehostIPaddress,172.16.1.10,fromreachinganydestination

networkthathasaportof21openforFileTransferProtocol(FTP).The

secondACEindicatesthatIPtrafficispermittedfromanysourcetoanydestination.

Importantnote

Thekeywordisalsousedtoindicateport21withinanACL.

ThesecondACEisapermitstatementtoallowallIPtrafficfromanysource

toanydestination.SinceneitherasourcenordestinationportwasspecifiedwithintheACE,allportsareautomaticallyconsidered.Keepinmindthatthereare65,535logicalnetworkports.

Additionally,inordertoviewalltheACLsonarouter,theshowaccess-

listscommandcanbeexecutedwithoutspecifyinganACLnameornumber.

ThefollowingisalistofalltheACLspresentonaCiscoIOSrouter:


Figure13.5–ViewingallACLs

Theoutputisabitdifferentasitcontainsplacementvaluessuchas10,20,and

30.WhencreatinganACL,it'simportantthattheACEsareplacedinorderas

youwanttheroutertoprocesseachpacket.Toputitsimply,therouterreadsanACLfromtoptobottomeachtimeithastoreferenceanACLonaninterface.ItisrecommendedtoplacemorespecificACEsatthetopoftheACLandlessspecificACEsatthebottom.Asanexample,takealookatthefollowingsnippet:


Figure13.6–AnalyzinganACL

Asshown,theACEsareplacedaccordingtotheirnumericalvalue.Bydefault,therouterautomaticallyinsertsaplacementvaluefornewACEsunderanACLwithincrementsof10.ThisallowsanetworkengineertoinsertACEsbetween

eachotheronanACL.

ACLwildcardmasksWhencreatinganACE,youmayneedtospecifyanetworkIDandthesubnetmask.However,withinACLsandACEs,youcannotuseasubnetmaskasCiscoIOSontherouterwasnotbuiltordesignedtoacceptsubnetmasksaspartofanACE.ACLsuseawildcardmask,whichisa32-bitbinarystringusedbytheCiscoIOSroutertodeterminewhichbitswithintheaddresstomatchandwhichbitstoignore.

Aswithasubnetmask,onesandzeroesareusedtoindicatethenetworkandhostportionsofanIPaddress.Forexample,theoneswithinasubnetmaskareusedtoidentifythenetworkportionofanaddress,whilethezeroesareusedtoidentifythehostportion.Withinawildcardmask,thesebitsareusedforadifferentpurpose.Here,theonesandzeroesareusedtofiltereitheragroupofaddressesorasingleIPaddresstodecidewhethertopermitordenyaccesstoanetworkresource.

Inawildcardmask,thezeroesareusedtomatchthecorrespondingbitvalueintheaddress,whiletheonesareusedtoignorethecorrespondingbitvalueintheaddress.Youcanthinkofawildcardmaskastheinverseofasubnetmask.

Togetabetteridea,let'stakealookatthefollowingexamplesofusingwildcard


masking:

00000000:Sinceallthebitsarezeroes,thiswildcardindicatestomatch

allcorrespondingbitsintheaddress.

11110000:Thisindicatestoignorethefirstfouraddressbits.

00001111:Thisindicatestomatchthefirstfouraddressbits.

11111111:Thisignoresallthebitswithintheoctet.

11111100:Thisignoresthefirstsixaddressbits.

Let'stakealookatapplyinga0.0.255.255wildcardmasktoa32-bit

address:

Figure13.7–Wildcardmaskingexample1

Asshownintheprecedingtable,awildcardmaskof0.0.255.255isusedto

matchthefirst16-bitsintheaddress.Thezeroswithinthewildcardmaskindicateamatch,whiletheonesindicatethattheroutershouldignorethecorrespondingbitsintheaddress.

Let'stakealookatanotherexampleofhowtomatchallthecorrespondingbitsonanaddress:


Figure13.8–Wildcardmaskingexample2

Asshownintheprecedingtable,awildcardmaskof0.0.0.0isusedtomatch

allthecorrespondingbitsintheaddress.ThisensuresthattheexactIPaddressof172.16.10.1mustmatchtheACL.Next,wearegoingtotakeadeeplook

intocalculatingthewildcardmaskforACLs.

CalculatingthewildcardmaskThisisastraightforwardtechniquethatwillquicklyprovideyouwithawildcardwhenconfiguringACLs.Tocalculatethewildcardmask,simplysubtractthesubnetmaskfrom255.255.255.255.

Inourfirstexample,imagineyouwanttopermitaccesstoalluserswithinthe192.168.20.0/24network.Sincethesubnetmaskis255.255.255.0,

wecansubtractthesubnetmaskfromthe255.255.255.255address,as

shownhere:


Figure13.9–Calculatingawildcardmask

Ourresultingwildcardmaskis0.0.0.255.Thisallowsustocreatethe

followingACLstatement:

Router(config)#access-list10permit192.168.20.0

0.0.0.255

Inournextexample,imagineyouwanttodenytrafficfromalluserswithinthe172.16.24.64/28network.Thesubnetmaskis255.255.255.240.We

canusethesametechniqueasinthepreviousexample:

Figure13.10–Calculatingawildcardmask

Theresultingwildcardmaskis0.0.0.15.Thisallowsustocreatethe

followingACLstatement:

Router(config)#access-list10deny172.16.24.64

0.0.0.15

Sometimes,workingwithwildcardmaskscanbeabitcomplex.Whatifyouneedtospecificallyallowasinglehostdevice,suchas192.168.1.10,within

anACL?Ratherthanusingthe0.0.0.0wildcardmask,youcanusethehost

keywordcommand,asshownhere:


Router(config)#access-list20permithost

192.168.1.10

Thehostkeywordcommandsimplystatesthatallthebitswithintheaddress

mustmatchwithintheACL.

Inanotherscenario,youmayneedtocreateanACLtoignoretheentireIPv4addressortoacceptanyaddresses.TocreateanACEtorepresentanyaddress,wecanwritethe0.0.0.0255.255.255.255statement.However,wecan

alsousetheanykeywordcommandasashortcuttorepresenttheentire

statement,asshownhere:

Router(config)#access-list30permitany

TheprecedingACLsimplystatesthatanytrafficispermittedfromanysourceaddressornetwork.Inthenextsection,wewilldiscusssomeimportantguidelinesandbestpracticeswhencreatingACLs.

ACLguidelinesandbestpracticesCreatingandconfiguringACLsonaroutercanbesomewhatcomplexandabitconfusingatfirstuntilyougetthehangofit.Inthissection,youwilllearnaboutsomeguidelinesandbestpracticestohelpyoucreateandimplementACLsefficientlyonaCiscoIOSrouter.

ThefirstruleofthumbisthatyouneedtoknowthethreePswhenapplyingACLstoarouter.Theyareasfollows:

OneACLperprotocol(IPv4orIPv6)


OneACLperdirection(inorout)

OneACLperinterface

YoucannothavetwoACLsonthesameinterfacefilteringinboundIPv4traffic.YoucannothavethesameACLfilteringinboundandoutboundtrafficonthesameinterface.However,youcanhavetwodifferentACLsonthesameinterface,whereoneACLisfilteringinboundtrafficwhiletheotherisfilteringoutboundtraffic.

UsethefollowingguidelineswhenconsideringtheapplicationofACLstoarouter:

ACLsshouldbeappliedtoyouredgerouteronthenetworktofiltertrafficbetweenyourinternalnetworkandtheinternet.

ACLsshouldbeappliedtoarouterthatisconnectedbetweentwoormoredifferentnetworksforthepurposeofcontrollingtrafficenteringandleavinganetwork.

UseACLstofilterspecifictraffictypesbetweennetworks.

ThefollowingaresomebestpracticeswhencreatingACLsonyournetworkrouters:

TheACLsshouldbealignedwithyourorganization'ssecuritypolicies.

WhencreatinganACL,ensurethatyouusetheremarkcommandto

insertadescriptionandpurposeoftheACLforfurtherreference.

WhenmodifyinganACL,useatexteditortohelpyoucreate,edit,and


saveACLs.

BeforecreatingACLs,ensurethattheyhavebeentestedwithinalabordevelopmentenvironmentbeforeapplyingthemtoaproductionnetwork.

Afteryou'vecreatedACLsonyourrouter,thenextstepistoapplythemtotheappropriateinterface.TheplacementofACLsisveryimportant.ThefollowingaresomerecommendationsbasedonthetypeofACL:

StandardACLsareconfiguredtofilter(permitordeny)trafficoriginatingfromasinglehostornetwork.ThistypeofACLshouldbeplacedclosesttothedestinationofthepacketsonthenetwork.

ExtendedACLsareconfiguredtofilterspecifictraffictypesonanetwork.Therefore,it'srecommendedtoplacethistypeofACLclosesttothesourcewherethetrafficisoriginating.Thismethodwillsimplyfilterthedeniedtraffictypebeforeitisprocessedandforwardedbytherouter.

Let'stakealookatthefollowingnetworktopologytogainabetterunderstandingofACLplacement:


Figure13.11–ACLplacement

Basedontheprecedingtopology,let'screatethefollowingscenariostobetterunderstandthemostsuitableplacewhereACLsshouldbeappliedonarouter:

Ifyouwanttofilter(restrict)trafficfromthesourcenetwork,192.168.20.0/24,tothedestinationnetwork,172.16.1.0/24,

thebestplacetoapplythestandardACLwillbeonR2'soutboundGigabitEthernet0/1interface.TheplacementofthisACLwill

filtertrafficthatisdestinedonlytothe172.16.1.0/24network.Ifthe

ACLisplacedonR2'sinboundGigabitEthernet0/0interface,the

ACLwillfiltertrafficoriginatingfromboththe192.168.10.0/24

and192.168.20.0/24networks.

IfyouwanttofilterFTPtrafficoriginatingfromthe172.16.1.0/24

networktoanydestination,themostsuitableplacetoapplytheextended


ACLwillbeonR2'sinboundGigabitEthernet0/1interface.The

placementofthisACLwillfilterallFTPtrafficoriginatingfromthe172.16.1.0/24networkonly.IftheACLisplacedonR2'soutbound

GigabitEthernet0/2interface,itwillfiltertrafficfromboththe

172.16.1.0/24and172.20.1.0/24networks.

Inthenextsection,youwilllearnhowtoconfigureandapplystandardACLstoaCiscoIOSrouter.

WorkingwithstandardACLsWhencreatinganumberedstandardACLonaCiscoIOSrouter,theACLmustfirstbecreatedonthedeviceandthenappliedtoaninterfacetofiltertraffic.NumberedstandardACLsusethefollowingrangeofnumbers:

1to99

1300to1999

TocreateanumberedstandardACLonaCiscoIOSrouter,usetheglobalconfigurationcommandfollowedbyanumberwithintherangeof1to99or

1300to1999onthedevice.Therefore,withthisrangeofnumbers,therecan

beupto798uniquestandardACLsonasinglerouter.

CreatinganumberedstandardACLThefollowingisthefullsyntaxusedtocreateanumberedstandardACL:

Router(config)#access-listaccess-list-number[


deny|permit|remark]source[source-wildcard][

log]

TheremarkcommandwillallowyoutoinsertadescriptionfortheACLand

thelogcommandwillgenerateaSyslogmessagewhenmatchesarefound.

Additionally,therecanbemorethanoneACEwithinanACL.

ThefollowingaresomeexamplesofnumberedstandardACLs:

Router(config)#access-list10permithost

172.16.1.5

Router(config)#access-list20deny192.168.20.0

0.0.0.255

ToremoveanACLfromaCiscorouter,usethefollowingguidelines:

1. Usetheshowaccess-listscommandwithinPrivilegeExec

modetoverifytheexactACLanditsnumberthatyouwanttoremove.

2. Enterglobalconfigurationmodeandusethenoaccess-lists

commandwiththeACLnumber.ThefollowingisanexampleofhowtoremoveanumberedstandardACL:


Figure13.12–RemovinganACL

ThereisnoneedtospecifytheentireACEorACL.Simplyusethenocommand

andtheACLnumbertodeleteanentireACLfromtherunning-configfile.

AftercreatinganACL,youneedtoapplyittoarouter'sinterfacetofiltereitherinboundoroutboundtraffic.ThefollowingisthesyntaxtoapplytheACLunderinterfacemode:

Router(config-if)#ipaccess-group[access-list-

number|access-list-name][in|out]

Thesyntaxenabledyoutousetheipaccess-groupcommandtospecify

eithertheACLnumberortheACLname,andthedirectiontofiltertraffic.

ThefollowingsnippetshowsanexampleofapplyinganumberedACLtoaninterface:


Figure13.13–ApplyinganACLtoaninterface

Next,wewilllearnhowtoimplementanamedstandardACL.

ImplementinganamedstandardACLOccasionally,numberedACLscanbeabitconfusingwhentherearemanyACLsonarouter.CiscoIOSallowsustocreatenamedstandardACLs,whichmakethingseasierforus.

HerearesomeguidelineswhencreatinganamedACL:

AnamedACLcancontainbothlettersandnumbers.

Itisrecommendedtousecapitalletters.

NamedACLscannothaveanyspacesorpunctuationcharacters.

AnexampleofcreatinganamedstandardACLisipaccess-list

standardfilter-ftp.

TocreateanamedstandardACL,usethefollowinginstructions:

1. EnterglobalconfigurationmodeandthenusethefollowingsyntaxtocreateanamedstandardACL:


Router(config)#ipaccess-liststandardname

Youwillthenenteranewmode–standard(std)namedACL(nacl)

configurationmode.

2. Next,usethefollowingsyntaxtocreateACEswithintheACL:

Router(config-std-nacl)#[deny|permit|

remark]source[source-wildcard][log]

ThefollowingsnippetshowsanexampleofcreatingandapplyinganamedstandardACL:

Figure13.14–CreatinganamedstandardACL

Now,let'sseehowtodeleteanACL.

DeletinganACLToremoveanACLfromaCiscoIOSrouter,takethefollowingsteps:

1. RemovetheACLfromtheinterfacebyusingthenoipaccess-

groupcommandwiththeACLnumberanditsdirection(inorout).


2. Enterglobalconfigurationmodeandusethenoaccess-lists

commandwiththeACLnumbertoremovetheentireACLfromthedevice.

Havingcompletedthissection,youhavegainedanessentialunderstandingofstandardACLoperations,andhowtoconfigureandapplythemcorrectlytoaCiscodevice.Inthefollowingsection,youwillgainhands-onexperiencewithcreatingandapplyingbothstandardandextendedACLstoaCiscoenvironment.

Lab–implementingastandardnumberedACLInthishands-onlab,youwilllearnhowtoimplementstandardACLstofiltertrafficfromasourcehostandnetwork.Thefollowingtopologyshowsanorganizationnetwork(left)thatisconnectedtotheinternet(right)viaanInternetServiceProvider(ISP):


Figure13.15–StandardACLlabtopology

TheobjectiveofthislabistodemonstratehowtoapplystandardnumberedACLstoaCiscoroutertofiltertrafficbetweendevicesandnetworks.We'lluseanumberedACLtorestricttrafficoriginatingfromalldevicesonthe192.168.1.0/24network,exceptPC1,whichisgoingtothe

172.16.1.0/24network.


Forthislab,we'llbeusingCiscoPacketTracertosimulatetheCiscoenvironment.Additionally,ensurethatyou'veassignedtheIPaddressestoeachdeviceaccordingtothefollowingIPaddresstable:

Figure13.16–IPaddressscheme

Pleaseobservethefollowingguidelineswhenfollowingthislabtoensurethatyougetthesameresults:


ConfigureadefaultrouteontheISProuterthatpointstoHQat


192.0.2.2.Thisistosimulatetheinternetonthetopology.

Ensurethateachdevicehasend-to-endconnectivitybyusingtheping

utility.Ifyouareunabletopingacertaindevice,besuretodoublethephysicalconnectionsandconfigurationsonyourdevices.

Havingbuiltyourlabenvironment,usethefollowinginstructionstoimplementastandardnumberedACLonyourHQrouter:

1. Firstly,let'screateanumberedACLtoonlyallowtrafficfromPC1onthe192.168.1.0/24networktothe172.16.1.0/24networkwhile

restrictingallotherdevices:

HQ(config)#access-list10permithost

192.168.1.10

HQ(config)#access-list10permit10.1.1.0

0.0.0.255

PleasekeepinmindthatifwedidnotcreateasecondACEtopermittrafficfromthe10.1.1.0/24networkto172.16.10/24,PC3and

PC4wouldnotbeabletoreachdevicesontheinternetsideofthetopology.

2. Next,let'sapplyACL10totheinterfaceclosesttothedestinationofthe

trafficandconfigureittofilteroutboundtrafficonly:


HQ(config-if)#ipaccess-group10out

HQ(config-if)#exit


3. Usingtheshowaccess-listscommand,youcanverifytheACEs

andtheirsequentialorder,asshownhere:

Figure13.17–VerifyingACLs

4. Usingtheshowipinterfacecommand,youcanverifytheACL

thatisassignedtoaninterfaceandthedirectioninwhichitisfilteringtraffic:

Figure13.18–VerifyingACLsonaninterface

Asshownintheprecedingsnippet,ACL10isappliedtofiltertraffic

leavingtheGigabitEthernet0/2interfaceontherouter.

5. Now,let'scheckwhetherACL10willallowPC1tocommunicatewith

devicesonthe172.16.1.0/24network:


Figure13.19–Verifyingconnectivity

Asshownintheprecedingsnippet,PC1isabletocommunicatewithPC3onthe172.16.1.0/24network.

6. Let'stestwhetherourACLisworkingcorrectlytorestrictotherdevicesonthe192.168.1.0/24network.TrytopingfromPC2toanydevice

withinthe172.16.1.0/24network:


Figure13.20–Checkingconnectivity

Asexpected,PC2isunabletocommunicatewithdevicesonthe172.16.1.0/24networksimplybecauseourACLwasconfiguredto

allowonlyPC1withahostaddressof192.168.1.10.

7. Lastly,wecanusetheshowaccess-listscommandoncemoreto

verifywhichACEshavebeenmatchedwithinanACL:


Figure13.21–VerifyingmatchesonACEs

Asshownintheprecedingsnippet,thepermitACEinACL10hasbeen

matchedfourtimessimplybecausefourICMPmessagesweresentfromPC1toPC3.TocleartheACLcounters,usetheclearaccess-listcounters

command.

Duringthislab,youhavelearnedhowtocreateastandardnumberedACLonaCiscoIOSroutertofiltertrafficbetweennetworks.Inthenextlab,we'lluseanamedACLtoonlypermittrafficfromthe172.16.1.0/24networkto

accessdevicesontheinternetsideofthetopology.

Lab–configuringastandardnamedACLInthislab,youwilllearnhowtoconfigureastandardnamedACLtoallowdevicesonthe172.16.1.0/24networktocommunicatewithdevicesonthe

internetsideofournetworktopology.OurACLwillensurethatdevicesonthe192.168.1.0.24networkwillbedenied.Tocompletethisexercise,we'llbe

continuingfromwhereweleftofffromthepreviouslab.

We'llbeusingthefollowingtopologyandthesameguidelinesasbefore:



TheobjectiveofthislabistodemonstratehowtoapplystandardnamedACLstoaCiscoroutertofiltertrafficbetweendevicesandnetworks.

TogetstartedwithconfiguringastandardnamedACLtomeetourobjective,takethefollowingsteps:

1. UsethefollowingcommandtocreateastandardnamedACLwiththe


nameINT_Access,asshownhere:

HQ(config)#ipaccess-liststandardINT_Access

2. UsetheremarkcommandtoinsertadescriptionfortheACL:

HQ(config-std-nacl)#remarkAllowingdeviceson

the172.16.1.0/24networkonly.

3. CreateanACEwithaplacementof10toallowalltrafficfromthe

172.16.1.0/24network:

HQ(config-std-nacl)#10permit172.16.1.0

0.0.0.255


4. AssigntheINT_AccessACLtotheoutboundinterfaceandconfigureit

tofiltertrafficleavingtheHQrouter:


HQ(config-if)#ipaccess-groupINT_Accessout

HQ(config-if)#exit

Let'sverifywhetherdevicesonthe172.16.1.0/24networkareable

tocommunicatewithdevicesontheinternetsideofthetopology.OnPC3,performapingtesttothewebserver:



Asshownintheprecedingsnippet,PC3isabletocommunicatewiththe10.1.1.0/24networksuccessfully.

5. Next,let'sverifywhetherdevicesonthe192.168.1.0/24networkare

abletoreachdevicesonthe10.1.1.0/24network.OnPC1,perform

apingtesttothewebserver,asshownhere:


Figure13.24–Connectivityrestricted

Asexpected,ournewACLisworkingperfectly,sincedevicesonthe172.16.1.0/24networkarepermittedtoaccessandcommunicate

withdevicesonthe10.1.1.0/24network,whileallothernetworkson

theHQrouteraredenied.

6. Oncemore,wecanusetheshowipinterfacecommandtoverify

thattheACLhasbeenappliedcorrectlytotheinterfaceasintended:


Figure13.25–VerifyingACLplacementonaninterface

7. Lastly,wecanusetheshowaccess-listscommandtoverifythe

numberofhitsanACEisreceivingforanACL:

Figure13.26–VerifyingACEs

Havingcompletedthislab,youhavegainedtheessentialskillsrequiredtoconfigureandimplementstandardnamedACLsonaCiscoIOSrouter.Inthenextlab,youwillgainhands-onexperienceintermsofrestrictingaccesstoVTY


linesonarouter.

Lab–securingVTYlinesusingACLsInthislab,youwilllearnhowtouseACLstorestrictremoteaccessonyourCiscoIOSroutertoonlyspecifichostsordevicesonanetwork.Tocompletethisexercise,we'llbecontinuingfromwhereweleftoffinthepreviouslab.




TogetstartedsettingupsecureremoteaccessandimplementingACLsontheVTYlines,usethefollowinginstructions:

1. ConfigureapasswordontheHQrouterusingtheenablesecret

commandtorestrictaccesstoPrivilegeExecmode:

Router(config)#enablesecretcisco456


2. ChangethedefaulthostnameoftheHQrouter:

Router(config)#hostnameHQ

3. JointheHQroutertoadomain:

HQ(config)#ipdomain-nameccnalab.local

4. CreateauseraccountforremoteaccessontheHQrouter:

HQ(config)#usernameuser1secretsshpass

5. GenerateRSAencryptionkeystosecuretheSSHtraffic:

HQ(config)#cryptokeygeneratersageneral-keys

modulus1024

6. ConfiguretheVTYlinesontheHQroutertoacceptonlySSHconnectionsandcheckthelocaluserdatabaseforauthentication:

HQ(config)#linevty015

HQ(config-line)#transportinputssh

HQ(config-line)#loginlocal

HQ(config-line)#exit

NowthatwehaveconfiguredremoteaccesswithSSHontheHQrouter,thefollowinginstructionswilloutlinehowtocreateanACLtopermitonlyPC3toSSHintotheHQrouter.

7. CreateastandardnamedACLusingthenameSecure-VTY,asshown

here:


HQ(config)#ipaccess-liststandardSecure-VTY

8. UsetheremarkcommandtoinsertadescriptionoftheACLandthe

ACEs:

HQ(config-std-nacl)#remarkSecuringincoming

connectionsonVTYlines

9. CreateapermitstatementtoallowonlyPC3accesstotheHQrouter

andthehostcommandtospecifytheIPaddressofPC3only:

HQ(config-std-nacl)#permithost172.16.1.10

10. InsertanotherACEtodenyallotherdevicesfromestablishingaremotesessionwiththeHQrouter:

HQ(config-std-nacl)#denyany


11. Next,applytheSecure-VTYACLtotheVTYlinesontheHQrouterto

filterinboundtrafficontheVTYlines:

HQ(config)#linevty015

HQ(config-line)#access-classSecure-VTYin

HQ(config-line)#exit

12. Usetheshowaccess-listscommandtoverifythenewlycreated

ACLanditsACEsontheHQrouter:



13. Wecanusetheshowrunning-configcommandtoalsoverifythat

theACLsontherouterandtheinterface/lineshavebeenapplied:


Figure13.29–Checkingtherunning-configfile

14. Let'snowattempttoestablishanSSHsessionfromPC1toHQtoverifywhethertheSecure-VTYACLisworkingasexpected.ClickonPC1,

selecttheDesktoptab,andthenclickonTelnet/SSHClient:


Figure13.30–Telnet/SSHClient

15. InserttheIPaddressoftherouter,choosetheSSHprotocol,andsettheusernameasshownintheprecedingscreenshot.TheHQrouterwilldenytheconnectionfromPC1oranydevicethatislocatedonthe192.168.1.0/24network.

ThefollowingsnippetshowsthattheHQrouterhasterminatedtheSSHsessionbecausetheACLontheVTYlinesrestrictedaccesstotherouter:


Figure13.31–Sessionterminated

16. ThefollowingscreenshotillustratesanattempttoestablishanSSHsessionfromPC3totheHQrouter:


Figure13.32–Remoteaccess

Asshownintheprecedingscreenshot,PC3isabletoremotelyconnecttotheHQrouter.

17. Lastly,wecanusetheshowaccess-listscommandtoverifythe

ACLsandtheirentriesonarouter:


Figure13.33–VerifyingACEs

Havingcompletedthislab,yougainedthehands-onskillstoimplementACLstosecuretheVTYlinesonaCiscoIOSrouter.Inthenextsection,wewilltakeadeepdiveintolearningaboutthecharacteristicsandusecasesofextendedACLs.

WorkingwithextendedACLsExtendedACLsaresometimesthepreferredchoiceastheyallowyoutofilterspecifictraffictypescomparedtostandardACLs.ExtendedACLsusethefollowingrangeofnumbers:

100to199

2000to2699

TocreateanumberedextendedACLonaCiscoIOSrouter,usetheglobalconfigurationaccess-listscommand,followedbyanumberwithinthe

rangeof100to199or2000to2699onthedevice.


CreatinganumberedextendedACLThefollowingisthefullsyntaxusedtocreateanumberedextendedACL:

Router(config)#access-listaccess-list-number[

deny|permit|remark]protocol[sourcesource-

wildcard][operatorport][port-numberorname]

[destinationdestination-wildcard][operatorport]

[port-numberorname]

ThefollowingisadescriptionofthenewsyntaxusedwithinanextendedACL:

protocol:Specifiestheprotocoltype,suchasIP,ICMP,TCP,andUDP.

operator:Usedtocomparethesourceordestinationports.Theeq

operatormeansequal,gtmeansgreaterthan,ltmeanslessthan,neq

meansnotequal,andrangeallowsyoutospecifyarangeofports.

port:Allowsyoutoindicateasourceordestinationportnumber.

ThefollowingaresomeexamplesofnumberedextendedACLs:

ThefollowingcommandwilldenyallFTPtrafficfromthe192.168.1.0/24sourcenetworkthatisgoingtoanydestination:

Router(config)#access-lists100denytcp

192.168.1.00.0.0.255anyeq20

Router(config)#access-lists100denytcp

192.168.1.00.0.0.255anyeq21

ThefollowingcommandwillblockallICMPtrafficoriginatingfromthe


172.16.1.0/24networkthathasadestinationof10.0.0.0/8:

Router(config)#access-lists101denyicmp

172.16.1.00.0.0.24410.0.0.00.255.255.255

Next,let'stakealookathowtoimplementanamedextendedACL.

ImplementinganamedextendedACLSinceanumberedextendedACLdoesnotcontainadescriptionunlessacommentisinsertedusingtheremarkcommand,thenetworkengineerwill

haveabitofdifficultyunderstandingthepurposeofit.Ontheotherhand,ifanetworkengineercreatesanamedextendedACL,theycanuseadescriptivenametoimprovehumanreadability.

TocreateanamedextendedACL,takethefollowingsteps:

1. EnterglobalconfigurationmodeandusethefollowingsyntaxtocreateanamedextendedACL:

Router(config)#ipaccess-listextendedname

Youwillthenenteranewmode,extended(ext)namedACL(nacl)

configurationmode.

2. Next,usethefollowingsyntaxtocreateACEswithintheACL:

Router(config-ext-nacl)#[deny|permit|

remark]protocol[sourcesource-wildcard]

[operatorport][port-numberorname]

[destinationdestination-wildcard][operator


port][port-numberorname]

ThefollowingsnippetshowsanexampleofcreatingandapplyinganamedextendedACL:

Figure13.34–CreatinganamedextendedACL

Additionally,youcanusevariouskeywordsratherthanspecifyinganactualTCP/UDPportnumberaftertheoperator(eq)command.Thefollowingsnippet

showsanexampleofsomekeywordsthatcanbeusedinplaceofaTCP/UDPportnumber:

Figure13.35–Keywords


PleasekeepinmindthatthesekeywordsareonlyapplicabletoextendedACLsandtheirconfigurations.Inthenextlab,youwilllearnhowtoimplementextendedACLsinaCiscoenvironment.

Lab–implementingextendedACLsInthislab,youwilllearnhowtoconfigureanextendedACLtorestrictcertaintraffictypesbetweennetworks.Tocompletethisexercise,we'llbecontinuingfromwhereweleftoffinthepreviouslab.




TheobjectiveofthislabistofilterFTPtrafficbetweenthe172.16.1.0/24

networkandthewebserver.However,wewanttopermitonlyPC4touseFTPwhileblockingallotherswithinthenetwork.

TogetstartedsettingupsecureremoteaccessandimplementingACLsontheVTYlines,takethefollowingsteps:


1. Firstly,let'sconfiguretheFTPserviceontheserver.ClickonServer,selecttheServicestab,thenFTP,andcreateauseraccountwiththeprivilegesshownhere,andthenclickSave:

Figure13.37–FTPserverconfigurations

2. Next,let'sattempttoremotelyaccesstheFTPserverfromPC4toverifyconnectivityandthattheFTPisworkingcorrectly:


Figure13.38–VerifyingFTP

Asshownintheprecedingsnippet,weareabletoauthenticatetotheFTPserverandexecutevariousFTPcommands.

3. UsethefollowingcommandstocreateanextendednamedACLandaddadescription:

HQ(config)#ipaccess-listextendedRestrict-FTP


HQ(config-ext-nacl)#remarkRestrictingFTP

servicetoonlyPC4

4. CreateanACEwithaplacementvalueof10todenyonlyPC3from

accessinganyremoteFTPservers:

HQ(config-ext-nacl)#10denytcphost172.16.1.10

anyeq20

HQ(config-ext-nacl)#10denytcphost172.16.1.10

anyeq21

5. CreateanotherACE,usingaplacementvalueof20toallowallotherIP

traffictypesoriginatingfromthe172.16.1.0/24network:

HQ(config-ext-nacl)#20permitipanyany

HQ(config-ext-nacl)#exit

6. ApplytheextendedACLtotheinboundGigabitEthernet0/2

interfaceontheHQrouter:


HQ(config-if)#ipaccess-groupRestrict-FTPin

HQ(config-if)#exit

Pleasekeepinmindthatit'srecommendedtoapplyextendedACLsclosesttothesourceofthetraffic,whilestandardACLsaretobeappliedclosesttothedestinationofthetraffic.

7. Let'snowusetheshowaccess-listscommandtoverifytheACLs,

asshownhere:



8. Next,headonovertoPC3toverifyconnectivitytotheserverandcheckwhetherPC3isabletoaccesstheFTPservice:


Figure13.40–PC3checkingtheFTPservice

Asshownintheprecedingsnippet,ICMPmessagesandotherIPtrafficcanbesentbetweenthe172.16.1.0/24networkandanyremote

networks.However,theACLdoesnotallowFTPtrafficfromPC3toanyotherremotedevices.


9. Now,let'scheckwhetherPC4isabletoaccesstheremoteFTPserver:

Figure13.41–PC4checkingtheFTPservice

Asshownintheprecedingscreenshot,PC4isabletoaccesstheFTPserviceontheremoteserver.Thiscorroboratesthefactthatourextended


ACLisconfiguredcorrectlyandworkingasexpected.

10. Lastly,wecanverifythenumberofmatchesonourextendedACLbyusingtheshowaccess-listscommand:

Figure13.42–VerifyingACEmatches

Havingcompletedthislab,youhavegainedhands-onexperienceintermsofconfiguringandimplementingextendedACLsonaCisconetworktofiltervarioustraffictypesbetweendevicesandnetworks.

SummaryThroughoutthischapter,we'vediscussedtherolesandfunctionsthatACLsplayonanenterprisenetwork.WealsodivedintodiscussingtheoperationsofACLsonaCiscoIOSrouterandhowtheyareappliedtoaninterface.Lastly,wecoveredbothstandardandextendedACLsandhowtheycanbeusedinvarioussituations.

Havingcompletedthischapter,youhavelearnedhowtoconfigurebothstandardandextendedACLsonaCiscorouter.Furthermore,youhavelearnedhowACLsfunctionandfiltertrafficbasedontheirACEs.

Ihopethischapterhasbeeninformativeforyouandthatitwillprovehelpfulin


yourjourneytowardlearninghowtoimplementandadministrateCiscosolutionsandpreparefortheCCNA200-301certification.Inthenextchapter,Chapter14,ImplementingLayer2andWirelessSecurity,youwilllearnaboutvariousLayer2attacksandhowtoimplementmitigationtechniquesandcountermeasures.

QuestionsThefollowingisashortlistofreviewquestionstohelpreinforceyourlearningandhelpyouidentifyareasthatmayrequiresomeimprovement:

1. WhichtypeofACLallowsyoutofilterTelnettraffic?

A.Inbound

B.Outbound

C.Standard

D.Extended

2. WhichtypeofACLallowsyoutofiltertrafficbasedonitsorigin?

A.Outbound

B.Standard

C.Inbound

D.Extended

3. IfapacketdoesnotmatchanyACEswithinanACL,whatwilltherouterdo?


A.Allowthepacket.

B.Returnthepackettothesender.

C.Dropthepacket.

D.Donothing.

4. AninboundACLhaswhichofthefollowingcharacteristics?

A.Itfilterstrafficasitentersarouter.

B.Itfilterstrafficbeforeitleavesarouter.

C.Itstopsarouterfromperformingaroutelookup.

D.Itfilterstrafficafteritleavesarouter.

5. WhichcommandcanbeusedtoverifythedirectioninwhichanACLisfilteringtraffic?

A.showaccess-lists

B.showaccesscontrollists

C.showinterface

D.showipinterface

6. Whichofthefollowingwildcardmasksisusedtomatchallcorrespondingbitsinanoctet?

A.11111111


B.00000001

C.00000000

D.10000000

7. WhichACLstatementaccuratelyblocksalltrafficfromthe192.168.50.0/24network?

A.access-list20deny192.168.50.00.0.0.255

B.access-list101deny192.168.50.00.0.0.255

C.access-list20deny192.168.50.0any

D.access-list20denyany192.168.50.00.0.0.255

8. WhichofthefollowingACLstatementsblocksSSHtrafficoriginatingfromthe172.16.1.0/24network?

A.access-list101denyip172.16.1.00.0.0.255anyeq22

B.access-list101denytcp172.16.1.00.0.0.255anyeq22

C.access-list101denyudp172.16.1.00.0.0.255anyeq22

D.access-list101denytcp172.16.1.00.0.0.255eq22any


9. WhichcommandallowsyoutoapplyanACLtotheVTYlines?

A.ipaccess-group

B.access-group

C.access-class

D.ipaccess-class

10. WhichcommandallowsyoutoapplyanACLtoaninterface?

A.ipaccess-group

B.access-group

C.access-class

D.ipaccess-class


ConfiguringIPaccesslists:https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

CommonlyusedIPACLs:https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html


https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html

Accesslistcommands:https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-0/addr_serv/command/reference/ir40asrbook_chapter1.html


https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-0/addr_serv/command/reference/ir40asrbook_chapter1.html

Chapter14:ImplementingLayer2andWirelessSecurityImplementingnetworksecuritypracticesandconfigurationsshouldbelikesecondnaturetoanetworkengineer.Asaprofessional,it'simportantthatyoulearnaboutvariousLayer2threatsandhowathreatactorcantakeadvantageofvulnerabilitiesfoundwithinvariousLayer2networkprotocols.Ourjobistomaketheorganization'snetworksafeandfreefromcyberattacks.

Duringthecourseofthischapter,youwilllearnabouttheneedtouseadefense-in-depth(DiD)approachtosecurebothyourusersanddevicesonanetwork.Furthermore,youwilllearnhowtoidentifyvariousLayer2threatsandattacksthatareusedtocompromiseanorganization.Lastly,youwillgaintheknowledgeandhands-onexperiencetoimplementvariousLayer2securitycontrolstopreventandmitigatesuchattacks.


TypesofLayer2attacksonanetwork

ProtectingagainstLayer2threats

Wirelessnetworksecurity

TechnicalrequirementsTofollowalongwiththeexercisesinthischapter,pleaseensurethatyouhavemetthefollowingsoftwarerequirements:



Thecodefilesforthischapterareavailableat:https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2014.

CheckoutthefollowingvideotoseetheCodeinAction:https://bit.ly/3coKE2Q

TypesofLayer2attacksonanetworkThroughoutyourjourney,youwillbeexposedtomanyexcitingtechnologiesandenvironments.OnesuchareaanITprofessionalneedstoknowiscybersecurityandnetworksecurity.Asanetworkengineer,youwon'talwaysbedesigningandimplementingnetworkingtechnologies,butwillalsoberesponsibleforthesecurityofthenetworkanditsusers.Today,newlyemergingthreatsaresurfacing–andwillcontinueto–ashackersaredevelopingnewstrategiesandtoolstocompromisetheirtargets.

Nowadays,hackersdon'tjusthackforfun.Somehackerscreatesophisticatedmalwaresuchasransomwaretoencryptallyourdataonyourcomputerandrequestyoupayaransomtoreleaseyourassets(data).Currently,there'sahugeshortageofcybersecurityprofessionalsintheworldtocombatthegrowingnumberofcyberthreatsontheinternet.Asanetworkengineer,youalsoplayanimportantpartinhelpingorganizationssecuretheirnetworkandpreventvarioustypesofcyberthreatsandattacks.

Inthefollowingsections,youwilllearnaboutvariousnetworkattacksandhowusingamultilayeredapproachsuchasDiDisusedtoreducetheriskofacyberattack.




https://bit.ly/3coKE2Q

NetworkattacksEachdayonvariouscybernewsmedia,youreadabouthowbothlargeandsmallorganizationshavesuccumbedtosometypeofcyberattack.AstheformerCEOofCisco,JohnChambers,oncesaidbackin2015:

Therearetwotypesofcompanies:thosewhohavebeenhacked,andthosewhodon'tyetknowtheyhavebeenhacked.

Thisstatementisveryaccurateasmanyorganizationsdonotpayagreatamountofattentiontotheirnetworksecurityposture.Somehavethemindsetthattheirorganizationis100%protectedorthattheirnetworkhasnothingvaluableforattackers.

Inreality,nosystemornetworkis100%secure.Therearemanyvulnerabilitiesthatexist–thoseweknowaboutandotherswehavenotyetdiscovered.Thegreatchallengewefaceassecurityprofessionalsistodiscoverallhiddenvulnerabilitiesbeforeathreatactorsuchasahackerhastheopportunitytodoso.

Everysystemandnetworkalwaysholdssomethingofvalue.Asmartphonehasgigabytesofvaluabledatapertainingtoitsuser,includinggeolocationdata,contactdetails,imagesandvideos,logsrelatingtoalltheiractivities,andmuchmore.Onanetwork,yournetworkdevicesandsystemsarestoringdataastheyexchangemessages.YournetworkswitchesandroutersstoreMediaAccessControl(MAC)andIPaddresses,containuseraccountsforremoteaccess,logmessagesofvarioustransactions,includingtheforwardingofframesandpackets,andsoon.Toahacker,suchdataisveryvaluable.

Tip


Keepinguptodatewiththelatestcybersecuritynewscanbesomewhatchallenging.IpersonallyrecommendcheckingTheHackerNewswebsiteforthelatestcybernews:https://thehackernews.com

Organizationsareusuallyvictimsofthefollowingcyberattacks:

Databreaches

Malware

DistributedDenialofService(DDoS)

Themostvaluableassetinanyorganizationtodayisdata.Hackersaresimplynotjusthackingforfunanymore;well,somedo,butothersareevolvingthegameintoorganizedcrime.Threatactorsareaimingtogainaccesstoyournetworkandstealyourdata.Onceanattackerisabletoexfiltratedatafromyourcomputersorservers,thehackercanpublishorsellyourorganization'sconfidentialrecordsonthedarkwebortoyourcompetitor.

Sometimes,athreatactorsuchasahackermaydevelopmalwaretocompromiseyoursystemsandnetworks.Somemalware,suchasransomwareandcrypto-malware,canholdyourdatahostage.Thesetypesofmalwarearedesignedtoexploitavulnerabilitywithinyoursystem,compromisethehostmachine,andencryptallthedataonthelocaldiskdriveexcepttheoperatingsystem.OnesuchransomwareisWannaCry,whichexploitedavulnerabilitywithintheMicrosoftWindowsoperatingsystemandtookadvantageofasecurityweaknessinSMB1.0asdefinedbyMicrosoftSecurityBulletinMS17-010.Onceasystemwascompromised,theransomwarepresentedawindowontheuser'sdesktoprequestingaransombepaidinbitcoins.


https://thehackernews.com

Importantnote

TolearnmoreaboutMicrosoftSecurityBulletinMS17-010,pleaserefertothefollowingURL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

Sometimes,threatactorsmaynotwanttogainaccessorcompromiseasystem.Somehackersmaywanttodisruptanorganization'sservicesorresources.HackersmayexecutetheirideabylaunchingaDDoSattackfrommultiplegeographicsources.Occasionally,thismayentailacoordinatedattackbyagroupofhackersorperhapsbeexecutedusingabotnet.

Tip

ToviewrecordedDDoSattacksaroundtheglobe,checkoutDigitalAttackMapusingthefollowingURL:www.digitalattackmap.com

Oneexampleofsuchaserviceisanorganization'swebsite.Sometimes,hacktivistsorganizeamongthemselvestotakedownvariouswebsitesanddisruptservicesasameansofonlineprotestingonbehalfofasocialorpoliticalcause.

Preventingalltypesofcyberattacksisverychallenging.Inthefollowingsection,wewilltakeadiveintodiscussingastrategicapproachtoreducetheriskofcyberthreatsandattacksonanetwork.

DefenseindepthHavingasinglelayerofsecuritytoprotectyourorganizationisnolonger


https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

http://www.digitalattackmap.com

efficienttostopnewlyemergingthreats.Manyorganizationsmayimplementanetwork-basedfirewallwithintheirenterprisenetworkandthinktheyarewellprotectedfromallcyberthreats,whilesomemayonlyimplementahost-basedanti-virusandhost-basedfirewallontheiremployees'devicesandthinktheyaresafe,too.Thesearejustsomeexamplesofusingasingle-layerapproachtoprotectingassetswithinanorganization.Thismethodofusingasinglecomponent,suchasanetwork-basedfirewalloranti-malware,simplynolongercutsitwhenitcomestocombattingcyberattacksandthreats.

UsingaDiDapproachiswhereamulti-layeredapproachisusedtohelpsafeguardanorganizationanditsusers.ADiDapproachensuresthatmultiplesecuritycomponentsareimplementedtoprotectallassets,includingdataandsecuringcommunicationmethods.Inadditiontousinganetwork-basedfirewallandanti-malwareprotection,howaboutimplementingemailandwebsecurityappliancestofilterbothinboundandoutboundthreats,ornetwork-basedintrusionprevention(NIPS)andhost-basedintrusionprevention(HIPS)systemstodetectanythreatsastheypassalongyournetwork?

Onerecommendedsecurityapplianceisanext-generationfirewall(NGFW).Thissecurityappliancehastheabilitytoperformstatefulpacketinspectionandapplicationvisibility/controlforallinboundandoutboundnetworktraffic.Furthermore,withtheCiscoNGFW,youcanenablethenext-generationintrusionpreventionsystem(NGIPS)moduleforaddedsecuritytogetherwithCiscoAdvancedMalwareProtection(AMP).

Withinsomecompanies,thereareemployeeswhoworkremotelyandrequireaccesstothecorporatenetwork.OnesolutionistouseeitheraVirutalPrivateNetwork(VPN)-enabledrouterorafirewallappliancewithremoteaccessVPNcapabilities.Accessingthecorporatenetworkoveranuntrustednetworkisnota


goodthing,however.Toensurethatyourremoteworkersaccessthecorporatenetworksecurely,aVPNisthesolution.

Inthefollowingsub-sections,youwilllearnmoreaboutendpointprotection,andCisco'semailandwebsecurityappliances.

EndpointprotectionEndpointsarecommonlythemostsusceptibledevicestomalwareandothercyberthreats.Endpointsarehostdevices,suchasdesktops,laptops,IPphones,andservers.Someofthesedevicesrelyontraditionalhost-basedanti-virusoranti-malwareprotection,host-basedfirewalls,andhost-basedintrusiondetectionsystems.However,thisisasinglelayerofsecurityand,withtheriseinnewerandmoresophisticatedmalware,yourequireamulti-layerapproachsuchasimplementingDiD.

Toimprovetheprotectionofendpointswithinanorganization,it'sbettertouseacombinationofvarioussecuritycomponentstoreducetheriskofacyberattack.CiscohasasolutioncalledAMPforEndpoints,which,asthenamesuggests,detectsandpreventsmalwareonendpointdevices.Tohelpprotectyourusersfromemailthreatsandattackers,theCiscoEmailSecurityAppliance(ESA)canbeimplemented,and,toprotectyouruser'sweb-basedtraffic,theCiscoWebSecurityAppliance(WSA)performswebfilteringandmalwareprotection.

CiscoEmailSecurityAppliance

Safeguardingyouremployeesfromvarioustypesofsocialengineeringattackssuchasphishingandspearphishingiscrucial.AccordingtotheSANSInstitute,


inoneoftheirreports,spear-phishingattacksaccountforapproximately95%ofattacksonanenterprisenetwork.Furthermore,CiscoTalosIntelligenceGroupalsostatedthatapproximately85%ofallemailmessagessentwerespam,asreportedin2019.

TheCiscoESAisdesignedtomonitorallinboundandoutboundemailsofanorganization.Itiscapableofblockingallknownthreatsontheinternet,providingremediationagainstthreatsthathaveevadedinitialdetectionmechanisms,blockingemailmessagesthatcontainbadormaliciouslinks,restrictingaccesstowebsitesnewlyinfectedbymalware,andalsoprovidestheabilitytoencryptoutboundemailsandprovidedataleakageprotection(DLP).

ThefollowingdiagramshowstheprocessingsequenceforallinboundemailmessagesontheESA:

Figure14.1–ESAincomingmailprocessing


ThefollowingdiagramshowstheprocessingsequenceforalloutboundemailmessagesontheESA:

Figure14.2–ESAoutgoingmailprocessing

Sometimes,acompromisedsystemmaybeattemptingtospreadmalwarebysendingemailmessageswithmaliciouscontenttoothers.Eachoutboundfilterisdesignedtopreventthespreadofanoutbreakontheinternetandpreventusersfromsendingconfidentialinformationoutsidethecompany'snetworkbymeansofDLP.

TheCiscoESAalsofiltersalloutboundmessagestoensurethatmalwareorthreatactorsarenotattemptingtospreadanymalwareordamagetheorganization'sdomainname.Additionally,theCiscoESAallowsITprofessionalstoenableDLPtopreventanyconfidentialdatafromleavingtheorganizationviaemailmessages.


CiscoWebSecurityAppliance

Protectingyouremployeesagainstweb-basedthreatsisanotherimportantpartofsecuringyourorganization.TheCiscoWebSecurityAppliance(WSA)facilitatesthemitigationofweb-basedthreatswhilecontrollinginboundandoutboundwebtraffic.TheCiscoWSAenablesyoutocontrolhowyouruserswithintheorganizationaccesstheinternet.

TheCiscoWSAprovidesthefollowingcapabilities:

Webapplicationfiltering

URLfilteringandmalwarescanning

Webaccessrestrictionsbasedontimeandbandwidthlimits

Allweb-basedtrafficleavinganorganization'snetworkissenttotheCiscoWSAbeforeitissenttotheinternet.IftheCiscoWSAdeterminesthattheoutboundtrafficissafeandthedestinationistrusted,theWSAwillforwardthetraffic.Ifthedestinationisnottrustedorisunsafe,theWSAwilldiscardthepacket.

Inthissection,youhavelearnedabouttheneedtoimplementaDiDstrategytohelpprotectyourorganizationfromvariouscyberattacksandthreats.Inthenextsection,we'lltakeadeepdiveintodiscussingvariousLayer2threatsthatareharmfultoyourinternalnetwork.

Layer2threatsNetworkprofessionalscommonlyimplementvariousnetworksecuritysolutionstokeeptheircorporatenetworksafefromthreatactors.Suchnetworksolutions


mayincludenetwork-basedfirewallappliances,IPS,andmayevenuseVPNsforremoteworkers.However,suchdevicesandcomponentsusuallyprotectdatabetweenLayer3andLayer7oftheOSImodel.

IflayerssuchasLayer2arecompromisedbyanattacker,theupperlayersarealsocompromisedaswell.ImagineascenariowhereanattackerisabletointerceptalltrafficsuchasframesatLayer2withinyourcorporatenetwork.Insuchanevent,thesecurityimplementedtoprotecttheupperlayerswillbeobsoleteinpreventingtheattack.

ThefollowingdiagramshowsboththeOSIreferencemodelandtheTCP/IPprotocolsuite:

Figure14.3–DataLinklayer


ToprotectLayer2,CiscohasincorporatedmanyLayer2attackmitigationfeaturesintheirswitches.Asanetworkengineer,it'simportantthatyoulearnaboutthevarioustypesofattacksthatoccuratLayer2andhowtoimplementsecurityfeaturesonCiscoswitchestomitigatesuchattacks.

Inthefollowingsections,youwilllearnaboutvarioustypesofLayer2attacksthatcanoccuronanenterprisenetworkandhowtoimplementcountermeasurestosafeguardyournetwork.

CAMtableoverflowSwitchesarethenetworkingdevicesthatallowustoconnectourenddevices,suchascomputers,tothenetworkandaccessresources.Additionally,switchesareabletoforwardmessages(frames)totheirdestinationbysimplyrecordingthesourceanddestinationMACaddressesfoundineachinboundmessage.Foreachframetoenteraswitch'sinterface,thesourceMACaddressispopulatedwithintheswitch'sMACaddresstable,asshownhere:


Figure14.4–MACaddresstable

Asshown,theshowmacaddress-tablecommandisusedtoviewalist

ofMACaddressesthatwerelearnedonaspecificinterfaceandVLAN.However,aswitchstoresMACaddressesonitsContentAddressableMemory(CAM)table.Toputitsimply,theCAMtabledoesnothaveinfinitestoragecapacity.EachswitchhasalimitintermsofthenumberofMACaddressestheyareabletostore.OnesuchexampleisaCiscoswitch,whichmaybeabletostore8,000addresses,whileanothermodelmaybeabletostoremore.CiscoIOSswitcheshaveadefaultaging/inactivitytimerof300seconds(5minutes)foranyMACaddresseswithintheCAMtable.IfaswitchdetectsnoactivityfromaMACaddressafter300seconds,itwillautomaticallyremoveitfromtheCAM


tabletomakestorageavailablefornewaddresses.

ThefollowingsnippetshowsanexampleofthesizeoftheCAMtableforaCiscoIOSvL2switch:

Figure14.5–CheckingCAMtablecapacity

KeepinmindthatnotallmodelsofCiscoswitcheshavethesamecapacityofstorageontheirCAMtable.Eventhoughthefigureseemstobeverylargeintheprecedingsnippet,itisstillafinitenumber.OnevulnerabilitythatexistsisifaswitchreceivesmoreMACaddressesthanitcanpossiblystore,itwillbegintofloodallinboundmessages(frames)outofallports.Technicallyspeaking,theswitchbecomesahubonthenetwork.

AttackerscanfloodunsolicitedframeswithfakesourceMACaddressesintoaswitchtofilltheCAMtable.WhentheCAMtableisfilled,theattackerdoesnotstoptheattack.Theswitchwillbegintoforwardallinboundtrafficoutofallotherinterfaces.Theattackercancaptureallnetworktrafficthatisbeingforwardedoutoftheswitch.ThisisknownasaCAMTableOverflowattack.

Importantnote


SinceeachinterfacecanbeassignedtoaVirtualLocalAreaNetwork(VLAN),ifanattackercanfloodunsolicited,bogusframesintoaswitchduringaCAMtableoverflowattack,theswitchwillonlyforwardtraffictoallotherportsonthesameVLAN.

Thefollowingdiagramshowsanexampleofanetworkimplantinjectingbogusframesintoaswitch:

Figure14.6–CAMtableoverflow

Intheprecedingdiagram,theattackerhasimplantedaRaspberryPiwithKaliLinuxandisusingspecialtoolssuchasmacoforyersiniatofloodthe

switchwithunsolicitedframes.

Thefollowingsnippetshowsmacofgeneratingbogusframes:


Figure14.7–Themacoftool

Duringtheattack,theswitch'sCAMtablewillexceeditslimitationandbeginfloodingallincomingtrafficoutofallotherinterfaces.Inthediagram,wecanseethatPC2issendingtraffictotheswitch,buttheswitchisforwardingittounintendeddestinationsandtheattackerisabletocapturePC2'straffic.

VLANattacksBydefault,eachinterfaceonaCiscoIOSswitchusestheDynamicTrunkingProtocol(DTP)toautomaticallynegotiatetheinterfacemodewithaconnectiontootherdevices.InChapter5,ImplementingVLANs,Layer2DiscoveryProtocols,andEtherChannels,wediscussedDTPinfurtherdetailandhowitisappliedtoautomaticallynegotiateeitheranAccessorTrunkinterfaceon

Ciscoswitches.SinceallinterfacesonaCiscoIOSswitchusethedefaultmodeasdynamicauto,anattackercanusetheirmachineandcreatean

unauthorizedtrunkbetweentheattacker'smachineandtheswitch.


Thefollowingdiagramshowshowanattackerhasenabledanunauthorizedtrunkonasmallnetwork:

Figure14.8–UnauthorizedTrunk

Asshownintheprecedingdiagram,theattackerwillbeabletoaccessanyVLANsontheswitch.Furthermore,theattackerisabletosendandreceivetrafficonanyVLANsontheswitch.ThisisknownasaVLANHoppingattack.

Thefollowingsnippetshowshoweasilyanattackercanattempttoenabletrunkingusingatoolsuchasyersinia:


Figure14.9–YersiniaDTPattacks

Inanotherscenario,anattackercaninsertanotherVLANtaginanalreadytaggedframe.ThisisknownasVLANDoubleTagging.Insimpleterms,theattackerembedstheirown802.1Qtagwithinaframethatalreadyhasan

802.1Qtag.Togetabetterunderstandingofhowthisattackworks,let'stakea


closerlookatthefollowingdiagram:

Figure14.10–VLANdoubletagging

Basedontheprecedingdiagram,thefollowingisthesequenceofactionsthatoccursonthenetwork:

1. Instep1,theattackersendsadouble-taggedframetoSW1.TheoutertagoftheframecontainstheVLANIDoftheinterfacetheattackerisconnectedto,whichisNativeVLAN(99).Theinner802.1Qtag(30)of

theframeisalsoinsertedbytheattacker.

2. Instep2,whenSW1receivesthedouble-taggedframe,itinspectsonlytheoutertag(VLAN99)andforwardstheframeoutofallVLAN99

interfacesafterremovingtheoutertag(99).TheinnerVLANtag,VLAN

30,isstillintactandwasnotinspectedbythefirstswitch.


3. Instep3,whenSW2receivestheframe,itinspectstheinner802.1Qtag

thatwasinsertedbytheattacker(VLAN30).Theswitchwillthen

forwardtheframetothetargetVLANbyfloodingitoutofallVLAN30

interfacesordirectlytothetargetmachineiftheMACaddressofthetargetisknown.

InaVLANdoubletaggingattack,thetransmissionisalwaysunicast.Thisattackworksonlyiftheattacker'smachineisconnectedtoaninterfacethatisassignedthesamenativeVLANasthetrunkinterfaces.Additionally,thisattackallowstheattackertocommunicatewithatargetonaVLANthatisrestrictedorblockedbysecuritycontrolsonthenetwork.

TopreventbothVLANhoppingandVLANdoubletaggingattacks,adheretothefollowingrecommendations:

Makesurethatyoudisabletrunkingonallyouraccessportsontheswitches.Todothis,usethefollowinginterfacemodecommandonyouraccessports:

Switch(config)#interfaceGigabitEthernet0/1


MakesurethatyoudisableDTPonallinterfacesbyusingthefollowinginterfacemodecommand:


Switch(config-if)#switchportnonegotiate

Configureyourtrunkinterfacesmanuallybyusingthefollowinginterfacemodecommand:



Switch(config-if)#switchportmodetrunk

MakesurethatthenativeVLANisusedonlyonyourtrunklinks.

MakesurethatyoudonotuseVLAN1asthenativeVLAN.

InChapter5,ImplementingVLANs,Layer2DiscoveryProtocols,andEtherChannels,thelabsfoundwithinthechapterutilizedalltheaforementionedrecommendationsasgoodpractice.Feelfreetorevisitthechapterandthelabstogainhands-onexperiencebyapplyingtheseconfigurationsinaCiscoenvironment.

DHCPattacksInChapter10,ImplementingNetworkServicesandIPOperations,youlearnedaboutavarietyofIPservices,includingtheDynamicHostConfigurationProtocol(DHCP),anditspurposeandoperations.SimilartomanyTCP/IPnetworkprotocols,DHCPwasnotdesignedwithsecuritymechanisms.Onanetwork,anattackercanperformtwotypesofDHCPattacks.Theseareasfollows:

DHCPstarvation

DHCPspoofing

InaDHCPstarvationattack,thegoaloftheattackeristocreateadenialofservice(DoS)foranyclientmachinethatisrequestingIPconfigurationsfromaDHCPserver.Theattackercanuseatoolsuchasyersiniatogenerate

unsolicitedfakeDHCPdiscovermessageswithspoofedsourceMACaddresses.


WhentheDHCPserverreceiveseachDHCPdiscovermessage,itwillattempttoprovideanavailableIPaddressfromitsDHCPpool.ByfloodingtheDHCPserverwithhundredsoreventhousandsofbogusDHCPdiscovermessages,theDHCPpoolwilleventuallybeexhausted.Therefore,anyconnectedclientmachinethatrequiresaleaseIPaddresswillbedeniedandwon'tbeabletocommunicateonthenetworkwithoutavalidIPaddress.

ThefollowingscreenshotshowsvariousDHCPattacksthatcanbeperformedusingyersinia:


Figure14.11–Yersiniainterface

Asindicatedintheprecedingscreenshot,window1allowsapenetrationtesteroranattackertoexecutevarioustypesofDHCPattacksonanetwork.Window2allowsyoutofurthercustomizethesourceDHCPmessagesfromtheattackermachine.


InaDHCPspoofingattack,theattackerinsertsarogueDHCPserveronthenetworktoprovidefalseIPconfigurationstolegitimateclients.ArogueDHCPservercanprovidethefollowingtoclients:

Incorrectdefaultgateway:Thiswillcauselegitimatehoststoforwardtheirinternet-basedtraffictotheattacker'smachineandcreatetheeffectofaman-in-the-middleattackaswell.

IncorrectIPaddressing:AnincorrectIPaddressandsubnetmaskisassignedtoclientsonthenetwork.AnincorrectIPaddressand/orsubnetmaskwillpreventahostfromcommunicatingwithotherdevices.

IncorrectDNSserver:ByprovidingclientswitharogueDNSserver,theattackercancontrolthehostnametoIPaddresslookupinformation.Thus,clientscanberedirectedtomaliciouswebsites.

TogetabetterunderstandingofwhatoccurswhenanattackerconnectsarogueDHCPservertoanetwork,let'stakealookatthefollowingdiagramandscenario:


Figure14.12–RogueDHCPserver

Basedontheprecedingdiagram,thereisalegitimateDHCPserverandtheattackerhasconnectedarogueDHCPservertothesamenetwork.Thefollowingisthesequenceofeventsthatwilltakeplace:

1. WhenPC1connectstothenetwork,itwillbroadcastaDHCP

Discovermessage.

2. BoththelegitimateandrogueDHCPserverswillreceivethisDHCP

DiscovermessagefromPC1.


3. BoththelegitimateandrogueDHCPserverswillrespondwiththeirDHCP

OffermessagecontainingIPconfigurations.

4. PC1willrespondwithaDHCPRequesttothefirstDHCPoffer

messageitreceives.PC1willaccepttheIPconfigurationsfromthefirstDHCPoffermessage.Therefore,ifPC1receivesaDHCPOffer

messagefromtherogueDHCPserverfirst,itwillrespondwithaDHCP

Request(broadcast).

5. BoththelegitimateandrogueDHCPserverswillreceivethebroadcastDHCPRequestmessagefromPC1andonlytherogueDHCPserver

willrespondwithaunicastDHCPAcknowledgementmessage.The

legitimateDHCPserverwillceasetocommunicatewithPC1,simplybecausePC1acceptedtheIPconfigurationsfromtherogueDHCPserverandhasestablishedtrustwiththedevice.

Additionally,anattackercanuseatoolsuchasyersiniatocreatearogue

DHCPserveronacorporatenetwork.Inthelatersectionsofthischapter,youwilllearnhowDHCPsnoopingcanbeusedtopreventbothDHCPstarvationandDHCPspoofingattacksonacorporatenetwork.

ARPattacksAswehavelearnedthroughoutthisbook,theAddressResolutionProtocol(ARP)isaLayer2protocolthatisdesignedtoresolveanIPaddresstoaMACaddress.AsmentionedinChapter1,IntroductiontoNetworking,switchesareusedtoconnectenddevicessuchasPCsandserverstothenetwork.ARPisneededasalldeviceswithinasubnetorLANforwardmessagestotheirdestinationbyusingtheMACaddressoftheintendedrecipient.


Importantnote

IPaddresseswithintheLayer3headerofpacketsareutilizedwhenahostisattemptingtocommunicatewithanotherdeviceonadifferentsubnetornetwork.

Wheneverahostwantstosendamessagetoanotherdeviceonthesamenetwork,ifthesenderdoesnotknowtheMACaddressofthedestinationdevice,itwillbroadcastanARPRequestmessage.TheARPrequestcontainsthe

destinationdeviceIPaddressandissenttoalldevicesontheLANorsubnet.ThemessageissimplyarequestfortheMACaddressofthedestinationdevice.TheARPrequestmessageisreceivedandprocessedbyalldevicesonthesubnet.However,onlythedevicewiththematchingIPaddresswillrespondwithanARPReplycontainingitsMACaddress.

SimilartootherTCP/IPnetworkprotocols,theARPwasnotdesignedwithsecurityinmind.HostdevicessuchascomputersareabletosendunsolicitedARPreplies.TheseareknownasGratuitousARPs.AnattackercansendagratuitousARPmessagetoahostonthesamesubnet.ThemessagewillcontainaMACaddressandIPaddressmapping,whichnotifiesthedestinationdevicetoupdatetheirARPtable.

ThefollowingistheARPcacheonaWindowsoperatingsystem:


Figure14.13–ARPcache

Asshownintheprecedingsnippet,thehostdevicewillonlypopulateitsARPcachewithadeviceithasrecentlyexchangedmessageswith.AnattackercansendspoofedMACaddressesusinggratuitousARPmessagestoclientsonanetwork,therebycausingthemtoupdatewithARPtablesautomatically.Asaresult,theattackercantrickclientsintothinkingtheattacker'smachineistheirdefaultgatewayandcreateaman-in-the-middleattack.

TogetabetterunderstandingofARPspoofing,let'stakealookatthefollowingscenario:


Figure14.14–AnARPattack

Basedontheprecedingdiagram,anattackerconnectstothenetworkandattemptstosendgratuitousARPmessagestoPC1andR1.TheobjectiveistoinformPC1thattheMACaddressofR1hasbeenupdatedtoCC-CC-CC-CC-

CC-CC.ThiswillcausePC1toupdateitsARPtableandalltrafficthatis

destinedfor192.168.1.1willbesenttotheattacker'smachine.

Importantnote

WhenanattackerisattemptingtocauseavictimtoupdatetheirARPcachewithfalseARPentries,thisisreferredtoasARPPoisoning.

Additionally,thesamethingisdonetoR1astheattackertrickstherouterintothinkingthatPC1'snewMACaddresshasbeenupdatedtoCC-CC-CC-CC-


CC-CC,asshownhere:

Figure14.15–ARPspoofing

ThiswillensurethatalltrafficbetweenPC1andR1willbesenttotheattacker'smachineandviceversa.ThefollowingdiagramshowstheeffectofARPspoofinginchainingaman-in-the-middleattack:


Figure14.16–Man-in-the-middleattack

Inthisattack,allthevictim's(PC1)trafficwillbeinterceptedandcaptured.Ifanysensitivedataisbeingexchanged,themessageswillbecompromised.

Spanning-treeattacksOnaswitchnetwork,theSpanningTreeProtocol(STP)isusedtopreventLayer2loops.Itdoesthisbyelectingarootbridge,whichwilltheninstructallotherswitcheswithinthesameVLANtoblockcertainportswhileleavingothersinaforwardingstate.

Importantnote


Ifyouwishtorecapthetopicsonspanning-tree,pleaseseeChapter6,UnderstandingandConfiguringSpanning-Tree..

InChapter6,UnderstandingandConfiguringSpanning-Tree,wediscussedthevitalroletherootbridgeplaysonthenetwork.OnekeypointtoalwaysrememberisthattherootbridgealsoactsasthecentralreferencepointforalltrafficwithinaVLAN.However,onceagain,STPisanotherLayer2networkprotocolthatwasnotdesignedwithsecuritymechanisms.AnattackercansimplyconnecttheirmachinetoaswitchandinjectcustomizedSTPBridgeProtocolDataUnits(BPDUs)withalower-priorityvalue.Iftheattackissuccessful,theSTPtopologywillchange,makingtheattackermachinethenewrootbridgeandcentralreferencepointonthenetwork.Furthermore,iftheattacker'smachineistherootbridge,theattackercancapturealltrafficontheVLAN,therebyactingasaman-in-the-middleonthenetwork.

Thefollowingdiagramshowsthatanattackerisattemptingtobecometherootbridge:


Figure14.17–AnSTPattack

TopreventSTPattacks,it'srecommendedtoimplementBPDUGuardonallAccessPoints(APs)onyourswitches.InChapter6,UnderstandingandConfiguringSpanning-Tree,wecoveredhowtoimplementBPDUGuardinthelabentitledConfiguringPortFastandBPDUGuard.

CDPattacksTheCiscoDiscoveryProtocol(CDP)isaCiscoproprietaryLayer2protocolthatisdesignedtoshareinformationwithotherCiscodevicesonthesamenetwork.CDPisenabledbydefaultonallCiscodevicesandsharesinformation


suchasthedevicemodel,hostname,IOSversion,devicecapabilities,IPaddress,andeventhenativeVLAN.

CDPwasdesignedtohelpnetworkengineerswithtroubleshootinganddeterminingnetworktopology.Asanexample,imagineyouareunabletopingadirectlyconnecteddevice,butyouarestillabletoreceiveCDPmessagesfromthesamedevice.ThisisanindicationthatLayer2isoperatingproperly,butthatLayer3mayrequirefurtherinvestigation.

Importantnote

TorecaponthetopicsandoperationsoftheCDP,pleaserevisitChapter5,ImplementingVLANs,Layer2DiscoveryProtocols,andEtherChannels.

CDPmessagesaresentoutofallCDP-enabledinterfacesonadeviceevery60seconds.TheseCDPmessagesareunencrypted.SuchinformationfoundwithinaCDPmessagecanbeveryvaluabletoanattackeronthenetwork.Theattackercanusetheinformationtocreateamapofthenetworkinfrastructure,determinethetypeofdevicesonthenetwork,theircapabilities,IPaddresses,andsoon.

ThefollowingscreenshotshowsthecontentsofaCDPmessageusingWireshark:


Figure14.18–CDPmessagesonWireshark

Intheprecedingscreenshot,theCDPmessageswerecapturedwithaCiscoIOSvrouterandaCiscoIOSvL2switch.Thebodyofframe#7containssensitive

informationpertainingtotheCiscoIOSvrouteronthenetwork,suchasitsmanagementIPaddressandIOSversion.SincetheCDPwasnotdesignedwithsecurityinmind,anattackercanalsoinjectfakeCDPmessagesintoanetworkwithfakeinformation.

TomitigatesuchavulnerabilitywithintheCDP,observethefollowingguidelines:

DisabletheCDPgloballyonyourdeviceusingthenocdprun

command.

EnabletheCDPoninterfacesthatareconnectedtootherCDP-enableddevices.

CDP-enabledinterfacesshouldonlybeconnectedtoothernetworkingdevicesandnotenddevices.

CDPmessagesshouldnotbesenttotheinternetoryourISP.

Furthermore,theLinkLayerDiscoveryProtocol(LLDP)isalsovulnerabletothesametypeofattacksastheCDP.TodisabletheLLDPglobally,usetheno

lldpruncommandwithinglobalconfigurationmode.TodisabletheLLDP

onaninterface,useboththenolldptransmitandnolldpreceive

commandsontheinterfacemode.

Duringthissection,youhavelearnedaboutvariousLayer2threatsandattacks


thatcanoccurwithinanorganization'snetwork.Inthenextsection,youwilldiscovervariousswitchsecuritycontrolstopreventavarietyofLayer2attacks.

ProtectingagainstLayer2threatsQuiteoften,manyorganizationsthinkcyberthreatsandattacksoriginatefromoutsideoftheirorganization,suchastheinternet.However,someofthesethreatsandattackscanoccurfromwithin.Thesethreatscanbeintheformofaninnocentemployeeconnectinganunauthorizeddevicetothenetwork,suchasaswitchorevenawirelessrouter,oradisgruntledemployeewhowantstotakedownthecompany'snetworkinfrastructureforpersonalreasons.Yourresponsibilityasanetworkengineerisnotonlytodesignandbuildnetworksforconnectivitybutalsotoensurethesecurityofthenetwork.

Inthissection,youwilllearnhowtoimplementsecuritycontrolsonyourswitchestopreventvariousLayer2attackssuchasthosementionedintheprevioussections.

PortsecuritySometimes,whenimplementinganewlyconfiguredswitchonaproductionnetwork,thenetworkengineermayhonestlyforgettosecureanyunusedinterfaces/portsontheswitch.Leavingunusedportsactiveislikeadoorwaythatiswideopen,enablinganyonetoaccessyourproperty.Sometimes,whenimplementingaswitch,notallportsareinuse.ItisrecommendedtodisableallunusedportstopreventanyunauthorizedaccesstotheLayer2network.

Tip


Disableallinterfacesonaswitchandonlyenablethosethatarerequired.

TosecureanyunusedportsonaCiscoIOSswitch,usetheshutdown

commandwithininterfacemode:

Figure14.19–Securinganunusedport

Theshutdowncommandchangestheinterfacetoanadministrativelydown

state,whichwilldisabletheelectricalcircuitryonthatinterfaceonly.However,ifyouhavetodisablearangeofinterfaces,youcanusetheinterface

rangecommand,asshownhere:


Figure14.20–Disablingarangeofinterfaces

Intheearlierpartsofthischapter,wediscussedmanytypesofLayer2attacks,oneofwhichwastheCAMtableoverflowattack,whichisdesignedtoexhaustthestoragecapacityofaswitch'sCAMtable.CiscohasimplementedasecuritycontrolknownasPortSecuritytolimitthenumberoftrustedMACaddressesthatareallowedonaswitch'sinterface.

Asanetworkengineer,thisfeatureallowsyoutoeithermanuallyconfiguretrustedMACaddressesperinterfaceorallowstheswitchtodynamicallylearnalimitednumberofMACaddresses.Whenportsecurityisenabledonaninterface,thesourceMACaddressesofallinboundframesarecomparedtoalistofsecuresourceMACaddresses.Byimplementingportsecurity,youcancontrol


whichdevicesareabletoconnecttoaninterfaceandyournetwork.

Beforeenablingportsecurityonaninterfaceorarangeofinterfaces,ensurethattheinterface(s)arenotusingthedefaultDTPmode,dynamicauto,since

portsecuritywillnotwork.EnsurethatyourinterfaceisstaticallyconfiguredaseitheranAccessportforenddevicesoraTrunkport.

Toenableportsecurityonaninterface,usethefollowingcommands:

Switch(config)#interfacefastEthernet0/1


Switch(config-if)#switchportport-security



Toverifytheportsecuritystatusonaninterface,usetheshowport-

securityinterfacecommand,asshownhere:


Figure14.21–Verifyingtheportsecurityinterfacestatus

Wecandeterminethefollowingkeypointsfromtheprecedingscreenshot:

PortsecurityisenabledontheFastEthernet0/1interface.

TheviolationmodeissettoShutdown.

ThemaximumnumberofsourceMACaddressesthatarepermittedonthisinterfaceis1.Ifmorethanonedeviceisconnectedtothisinterface,

theviolationwillbetriggeredandtheinterfacewillbetransitionedintoanerror-disabledstate.

Currently,nosourceMACaddressesarelearnedontheinterface.Ifadeviceconnectsandsendstraffictothisport,theswitchwillautomatically


addthesourceMACaddressasasecureMACaddress.

Importantnote

Whenportsecurityisturnedon,thedefaultconfigurationsareasfollows:themaximumnumberofsecureMACaddressesis1,thedefaultviolationmodeisshutdown,andstickyaddresslearningisdisabled.

LimitingthenumberofMACaddressesallowedonaninterfacecanpreventunauthorizeddevicesfromconnectingtothenetworkandpreventamalicioususerfrominjectingunsolicitedframesintoaswitch.TolimitthenumberofMACaddressespermittedonaninterface,usethefollowingsyntax:

Switch(config-if)#switchportport-securitymaximum

number

TheremaybeasituationthatrequiresyoutomanuallyconfigureastaticMACaddressonaswitchinterface.Tostaticallyassign/associateasecureMACaddressonaswitchport,usethefollowingsyntax:

Switch(config-if)#switchportport-securitymac-

addressmac-address

ManuallyconfiguringasecureMACaddressonaninterfaceensuresthatonlytheenddevicewiththatsameMACaddressispermittedtoconnectonthesameinterfaceandsendtraffic.However,thistaskcanbeveryoverwhelmingifyouhavetodothisonallswitchesfortheentireorganization.OnemethodistoconfiguretheswitchtodynamicallylearnthesourceMACaddressesoneachinterfaceandstorethemontherunningconfiguration.


TodynamicallylearnandstorethesourceMACaddressesonaninterface,usethestickycommandwiththefollowingportsecuritysyntax:


addresssticky

ThesourceMACaddresseslearnedusingthestickycommandwillbe

associatedwiththeinterfaceonlyandwillbesavedinrunning-config.If

theswitchlosespowerorisrebooted,thesecureMACaddresswillbelost.Therefore,makesurethatyousavetheconfigurationstoNVRAM(startup-

config).

ThefollowingisanexampledemonstratinghowtoconfigureportsecurityonaninterfacetolimituptotwosecureMACaddresses,staticallyconfigureonesecureMACaddress,andenabledynamiclearningforadditionalsecureMACaddresses:

Switch(config-if)#interfaceGigabitEthernet0/1



Switch(config-if)#switchportport-securitymaximum2


addressB881.98D3.B223


addresssticky




Thefollowingscreenshotverifiesourportsecuritystatusandconfigurationsontheinterface:

Figure14.22–Verifyingtheportsecurityinterfacestatus

Asshownintheprecedingscreenshot,asecuresourceMAC(LastSourceAddress)addresshasbeendynamicallylearnedontheinterfaceandontheVLAN.Furthermore,youcanalsousetheshowport-securitycommand

toverifystatisticsonallsecureinterfacesandthenumberasshownhere:

Figure14.23–Verifyingportsecuritystatistics


Importantnote

ToviewthetotalsizeoftheCAMtableonaCiscoIOSswitch,usetheshow

macaddress-tablecountcommand.

Sincethestickycommandwasusedtodynamicallylearnandstoresource

MACaddresses,theshowrunning-configcommandshowsyousticky

MACaddresses,ifany,asshowninthefollowingcodesnippet:

Figure14.24–VerifyingstickyMACaddresses

WhenthemaximumnumberofsecureMACaddresseshasbeenlearnedonaninterface,ifanyframeswithanewsourceMACaddressaresenttoasecureport,aviolationwilloccur.TheremaybetimeswhenyouneedtomanuallyremoveasecureMACaddressfromasecureinterfacewithoutdeletingtheexistingsecureMACaddresses.Forthistask,theportsecurityagingfeatureallowsustoconfigureaninterfacewithanagingtimelimittoensurethatoldsecureMACaddressesremainwhilenewMACaddressesareadded.

Theportsecurityusesthefollowingtypesofagingonasecureinterface:


Absolute:SecureMACaddressesaredeletedafteradefinedagingtime.

Inactivity:SecureMACaddressesaredeletedonlywhentheyareinactiveforadefinedagingtime.

Toconfigureportsecurityagingonasecureinterface,usethefollowingsyntax:

Switch(config-if)#switchportport-securityaging{

static|timetime|type[absolute|inactivity]

}

Thefollowingisadescriptionofeachparameterfortheportsecurityagingcommand:

static:EnablesagingforasecureMACaddressthatisstatically

configuredontheinterface.

timetime:Allowsyoutospecifytheagingtimeontheinterface.The

timerangesbetween0–1440minutes.Ifthetimeissetto0,agingis

disabledontheinterface.

typeabsolute:SecureMACaddressesageoutandareremovedfrom

thesecureaddresslistontheswitchwhenthespecifiedtimeismet.

typeinactivity:SecureMACaddresseswillageoutonlyifthereis

notrafficfromasecureMACaddressforthespecifiedtime.

ThefollowingcommandsareanexampleofdemonstratinghowtosecureMACaddressestoageoutafter5minutesofinactivityonaninterface:

Switch(config)#interfacegigabitEthernet0/1




Switch(config-if)#switchportport-securityaging

time5

Switch(config-if)#switchportport-securityaging

typeinactivity


Usingtheshowport-securityinterfacecommand,you'llnoticethat

AgingTimehasbeenchangedto5mins,andAgingTypehasbeen

changedtoInactivity,asshownhere:

Figure14.25–Verifyingportsecurityagingconfigurations

IfasecureportreceivesasourceMACaddressthatisdifferentfromthelistof


secureMACaddresses,aviolationwillbetriggeredandtheinterfacewilltransitionintoanerror-disabledstate.Thefollowingarethethreedifferentviolationmodeswhenconfiguringportsecurity:

shutdown:Thisisthedefaultviolationmode.Ifaviolationoccurs,the

portchangestoanerror-disabledstate.Theviolationcounterisincreased.Tore-enabletheinterface,thenetworkengineermustfirstusetheshutdowncommand,waitafewseconds,andthenusetheno

shutdowncommandwithintheaffectedinterface.

restrict:Ifaviolationoccurs,thismodedropsanymessagewithan

unknownsourceaddress.Thesecurityviolationcounterincreasesandasyslogmessageisgenerated.

protect:Ifaviolationoccurs,thismodewilldropanymessagewithan

unknownsourceaddress.However,itdoesnotincreasethesecurityviolationcounter,nordoesitsendasyslogmessage.Thismodeisconsideredtobetheleastsecureofthethreeviolationmodes.

Toconfigureaportsecurityviolationonaninterface,usethefollowingsyntax:

Switch(config-if)#switchportport-securityviolation

shutdown|restrict|protect

Thefollowingisanexampleofconfiguringtherestrictviolationonan

interfacewithportsecurity:





Switch(config-if)#switchportport-securityviolation

restrict


Usingtheshowport-securityinterfacecommand,youcanseethat

theviolationmodehaschangedtoRestrict,asshowninthefollowing

screenshot:

Figure14.26–Verifyingviolationmodes

Inthenextsection,youwillgainhands-onexperienceintermsofimplementingportsecurityonaCiscoIOSswitch.

Lab–implementingportsecurity


Inthislab,youwilllearnhowtoimplementportsecuritytolimitthenumberofsecuresourceMACaddressesthatarepermittedontheinterfacesofaCiscoIOSswitch.Togetstarted,we'llbeusingtheCiscoPacketTracerapplication,whichallowsustosimulateaCiscoenvironment.Forthislab,pleasebuildthefollowingnetworktopology:

Figure14.27–Portsecuritylabtopology

Ensurethatyou'veassignedtheIPaddressestoeachdeviceaccordingtothefollowingIPaddresstable:


Figure14.28–IPaddressscheme

Eachcomputer–PC1,PC2,andtheAttackerPC–isusingtheirFastEthernet0(Fa0)interfacetoconnecttoSW1.

Nowthatyourlabisready,usethefollowinginstructionstoimplementportsecurity:

1. OnSW1,enableportsecurityontheFastEthernet0/1and

FastEthernet0/2interfacesusingthefollowingcommands:

SW1(config)#interfacerangeFastEthernet0/1-

FastEthernet0/2

SW1(config-if-range)#switchportmodeaccess

SW1(config-if-range)#switchportport-security

2. Configurethesecureportstopermitamaximumofonedeviceperinterface:


maximum1

3. ConfigurethesecureportstodynamicallylearnandstoresecuresourceMACaddressesontherunningconfigurationfile:



mac-addresssticky

4. Next,enablethesecureportsonlyandexit:



5. Secureanyunusedportsontheswitch:


FastEthernet0/24

SW1(config-if-range)#shutdown



-GigabitEthernet0/2

SW1(config-if-range)#shutdown


6. PingbetweenPC1andPC2toensurethattheirsourceMACaddressesarelearnedandstoredontherunningconfigurationfile.Usetheshow

port-securityinterfacecommandtovalidatethe

configurationsonyourinterfaces:


Figure14.29–Validatingportsecurity

Asshownintheprecedingscreenshot,portsecurityisenabledontheinterface,theviolationmodeissettoShutdown(default),agingis

Disabled,themaximumnumberofsecureMACaddressesallowedon

theinterfaceis1,thetotalnumberofsecureMACaddresseslearnedis1,

stickyisEnabledandhasstoredoneaddressonrunning-config,

andthelastMACaddresslearnedis0001.C9BA.5B83onVLAN1.

7. Next,usetheshowrunning-configcommandtoviewtheport

securityconfigurationsandthestickyaddressesthatareautomaticallyaddedtotherunningconfiguration:


Figure14.30–Verifyingthestickyaddress

Asshownintheprecedingscreenshot,PC1'sMACaddressisboundtoFastEthernet0/1andPC2'sMACaddressisboundto

FastEthernet0/2.

8. Next,let'striggeraviolationofthenetwork.ConnecttheattackerPCtoFastEthernet0/2onSW1.Then,attempttopingfromtheAttacker

PCtoPC1,asshownhere:


Figure14.31–Triggeringaviolation

9. Asexpected,sincetheattacker'ssourceMACaddressdoesnotmatchthesecureMACaddressonFastEthernet0/2,thetrafficisnotpermitted

andtheinterfacehasbeendisabled,asshownhere:


Figure14.32–Verifyingviolation

TheportstatushasbeenchangedtoSecure-shutdown,theattacker's

sourceMACaddressisshown,andtheviolationcounterhasincreasedto1.

10. Toverifywhichinterfacesareinanerror-disabledstate,usetheshow

interfacesstatuscommand:

Figure14.33–Verifyingerror-disabledinterfaces

Anotherusefulcommandtoverifywhetheraportisinanerror-disabled


stateistheshowinterfacescommand.

11. Lastly,let'sfixtheissuebyphysicallyreconnectingPC2toFastEthernet0/2onSW1andre-enablingtheinterfaceusingthe

followingcommands:


SW1(config-if)#shutdown


SW1(config-if)#exit

Havingcompletedthislab,youhavegainedthehands-onskillstoimplementportsecurityonaCiscoenvironment.Inthenextsection,youwilllearnhowtomitigateandpreventrogueDHCPserversonanetwork.

DHCPsnoopingDHCPsnoopingisasecurityfeatureavailablewithinCiscoIOSswitchesthatallowsyoutopreventandmitigateagainstrogueDHCPservers.DHCPsnoopingisnotdependentonsourceMACaddressesascomparedtoportsecuritybutratherdetermineswhetherDHCPmessagesareoriginatingfromatrusteddeviceortrustedsourceonthenetwork.WithDHCPsnoopingimplementedonacorporatenetwork,itcanfilterDHCPmessagesandperformratelimitingonDHCPmessagesfromuntrustedsources.Ratelimitingisusedtocontrolthenumberofmessagesenteringadevice'sinterface.

Onaprivatenetwork,devicessuchasrouters,servers,andswitchesareconsideredtobetrusteddevices.Theyaretrusteddevicessimplybecauseyou,as


anetworkengineer,haveadministrativecontroloverthesenetworkingdevices.However,devicesthatareoutsideofyournetworkareconsideredtobeuntrusted.WhenDHCPsnoopingisenabled,allportsareuntrustedbydefault.

Importantnote

SinceDHCPclientsareexpectedtosendonlyDHCPDiscoverandDHCP

Requestmessagestoanuntrustedport,ifanuntrustedportreceivesaDHCP

OfferorDHCPAcknowledgementmessage,thenaviolationwilloccur.

Atrustedportmustbeexplicitlyconfiguredbythenetworkengineer.Additionally,allaccessportsshouldbeuntrustedsimplybecausetheaccesslayeriswhereanattackercaninserttheirrogueDHCPserver.Trustedinterfacesshouldbetrunkinterfacesandportsthatareconnectedtotheorganization'sDHCPserver.

Importantnote

Onatrustedport,DHCPOfferandDHCPAcknowledgementmessages

arepermitted.

WhenDHCPsnoopingisenabled,theswitchcreatesaspecialtableknownasaDHCPsnoopingbindingtable.ThistablekeepsatableofsourceMACaddressesofdevicesthatareconnectedtountrustedportsandtheirIPaddressesthatwereassignedbythelegitimateDHCPserver.TheMACaddressesandIPaddressesareboundtogether.

ToconfigureDHCPsnooping,observethefollowingsteps:


1. Usetheipdhcpsnoopingcommandwithintheglobalconfiguration

modetoturnonDHCPsnooping.

2. Configuretrustedinterfacesbyusingtheipdhcpsnoopingtrust

commandwithintheinterfacemode.

3. Configureratelimitingonuntrustedportsusingtheipdhcp

snoopingratelimitnumbercommand.Specifyanumberfor

packetspersecond(pps).

4. AssignDHCPsnoopingforeitherasingleVLANorarangeofVLANsbyusingtheipdhcpsnoopingvlanvlan-idcommandinglobal

configurationmode.ThefollowingisanexampleofenteringmultipleVLANsinthecommand:ipdhcpsnoopingvlan5,15,20-22.

Inthenextsection,youwillgainhands-onexperienceintermsofimplementingDHCPsnoopingtopreventandmitigaterogueDHCPserversinaCiscoenvironment.

Lab–implementingDHCPsnoopingInthislab,youwilllearnhowtoimplementDHCPsnoopingtopreventandmitigaterogueDHCPserverandDHCPattacksonanetwork.Thislabissimplyanextensionofthepreviousexerciseonimplementingportsecurity.Forthislab,ensurethatyouaddtheadditionaldevicestothefollowingnetworktopology:


Figure14.34–DHCPsnoopinglabtopology

Makesurethatyou'veassignedtheIPaddressestoeachdeviceaccordingtothefollowingIPaddresstable:

Figure14.35–IPaddressingscheme

Pleaseobservethefollowingguidelineswhenexecutingthislabtoensurethatyouobtainthesameresults:

ManuallyconfigureGigabitEthernet0/2onSW1andSW2asa

trunkportandenabletheinterface.


Nowthatyourlabisready,usethefollowinginstructionstoconfigureDHCPsnooping:

1. OnSW1,usetheipdhcpsnoopingcommandtoenableDHCP

snooping,asshownhere:

SW1(config)#ipdhcpsnooping

2. ConfigureGigabitEthernet0/2asatrunkportandasatrusted

portusingthefollowingcommands:



SW1(config-if)#ipdhcpsnoopingtrust


SW1(config-if)#exit

3. AssignDHCPsnoopingtotheVLANinuse,VLAN1,usingthe

followingcommand:

SW1(config)#ipdhcpsnoopingvlan1

Tip

AnetworkmaycontainDHCPrelayagentsthatwillinsertinformationaboutthemselves(option82)beforeforwardingaDHCPDiscover

messagetotheDHCPserver.WhenDHCPsnoopingisenabled,itpreventstheforwardingoftheDHCPmessagesviarelayagents.TopreventDHCPrelayoption82informationfrombeinginsertedinthe


DHCPrelaymessages,youcanusethenoipdhcpsnooping

informationoptioncommandwithintheglobalconfiguration

mode.

4. Next,usethefollowingcommandtoenableDHCPsnoopingonSW2:

SW2(config)#ipdhcpsnooping

5. ConfigureGigabitEthernet0/1,GigabitEthernet0/2,and

FastEthernet0/1asatrustedportbyusingthefollowing

commands:


-GigabitEthernet0/2

SW2(config-if-range)#switchportmodetrunk

SW2(config-if-range)#ipdhcpsnoopingtrust




SW2(config-if)#ipdhcpsnoopingtrust


SW2(config-if)#exit

6. AssignDHCPsnoopingtotheVLANinuseonSW2andVLAN1by

usingthefollowingcommand:

SW2(config)#ipdhcpsnoopingvlan1


7. ClickonthelegitimateDHCPserver,andselecttheServicestab|DHCP.MakesurethatyouenabletheserviceandassigntheIPdetailstocreateaDHCPpoolontheserver,asshownhere:

Figure14.36–ConfiguringthelegitimateDHCPserver

MakesurethatyouconfigurealltheIPaddresses:DefaultGateway=172.16.1.1,DNSServer=8.8.8.8,StartIPAddress=


172.16.1.10,SubnetMask=255.255.255.0,WLCAddress=

172.16.1.40,andthenclickonSave.TheWLCaddresswillbeused

inthenextlabonwirelesssecurity.

8. ConfiguretherogueDHCPserverusingthefollowingsettings:

Figure14.37–RogueDHCPserversettings

9. Next,enableDHCPonbothPC1andPC2,asshownhere:


Figure14.38–VerifyingthePC1IPaddress

IfyoudisconnectthelegitimateDHCPserverfromthenetwork,youwillnoticethatPCsdonotreceiveanyIPaddressconfigurationsfromtherogueDHCPserver.

10. Next,usetheshowipdhcpsnoopingcommandtoverifywhether

DHCPsnoopingisenabledontheVLAN,andOption82isenabled.

Additionally,thiscommandallowsyoutoverifybothtrustedanduntrustedinterfacesonthelocalswitch:


Figure14.39–VerifyingtheDHCPsnoopingstatus

11. Lastly,useshowipdhcpsnoopingbindingtoviewtheDHCP

snoopingbindingtable:

Figure14.40–ViewingtheDHCPsnoopingbindingtable

Havingcompletedthislab,youhavegainedthehands-onskillstoimplementDHCPsnoopingtopreventandmitigateDHCPattacksinaCiscoenvironment.Inthenextsection,youwilllearnhowtomitigateandpreventIPspoofingandman-in-the-middleattacksonanetwork.


DynamicARPinspectionDuringaman-in-the-middleattack,anattackerusesARPspoofingtosendanunsolicitedARPmessagewiththeirsourceMACaddresswiththeIPaddressofadefaultgatewaytootherhostsonthenetwork.ByimplementingaDynamicARPinspection(DAI)onCiscoIOSswitches,youcanpreventandmitigateARPspoofingandman-in-the-middleattacksonyourenterprisenetwork.ADAIensuresthatonlylegitimateARPrequestsandARPrepliesaresentonthenetwork.

ToensurethataDAIiseffectiveonanetwork,aDAIrequiresDHCPsnoopingtobeconfiguredandenabledontheswitchaswell.WithDHCPsnoopingandaDAIenabled,theypreventARPattacksbymeansofthefollowing:

PreventingARPrequestandARPreplymessagesonuntrustedinterfaces

InterceptingallARPmessagesonuntrustedinterfaces

ValidatingallinterceptedmessagesthatcontainavalidIP-to-MACaddressbinding.

DiscardingandloggingallARPreplymessagesthatareoriginatingfrominvalidsources.

Wheneveraviolationoccurs,theinterfacetransitionsintoanerror-disabledstate.

Importantnote

Allaccessportsonaswitchshouldbeconfiguredasuntrustedinterfaces.


Alltrunkportsthatareconnectedtootherswitchesorroutersshouldbeconfiguredastrustedports.

ToconfigureaDAI,observethefollowingsteps:

1. EnableDHCPsnoopingbecauseaDAIrequirestheDHCPsnoopingbindingtabletovalidateIP-MACaddresses.Usetheipdhcp

snoopingcommandinglobalconfigurationmode.

2. AssignDHCPsnoopingtoaVLAN,usingtheipdhcpsnooping

vlanvlan-idcommandinglobalconfigurationmode.

3. Configurethetrunklinksastrustedinterfaces,andusetheipdhcp

snoopingtrustcommandandtheiparpinspectiontrust

commandininterfacemode.

4. EnableaDAIontheVLAN,andusetheiparpinspectionvlan

vlan-idcommandinglobalconfigurationmode.

ADAIalsohasthecapabilitytoinspectboththesourceordestinationMACandIPaddressesofeachmessage.Itdoesthisbyusingthefollowingcommand:

Switch(config)#iparpinspectionvalidate[src-mac

|dst-mac|ip]

ThefollowingisadescriptionofeachparameterfortheARPinspectioncommand:

src-mac:EnablesaDAItocheckthesourceMACaddressintheLayer

2headeragainstthesender'sMACaddresswithintheARPbody.


dst-mac:ADAIchecksthedestinationMACaddressintheLayer2

headeragainstthetarget'sMACaddresswithintheARPbody.

ip:ADAIcheckstheARPbodyforanyinvalidIPaddresses,suchas

0.0.0.0,255.255.255.255,andallmulticastIPaddresses.

Inthenextsection,youwillgainhands-onexperienceintermsofimplementingaDAIinaCiscoenvironment.

Lab–implementingaDAIInthislab,youwilllearnhowtoimplementaDAItopreventandmitigateIPspoofingandman-in-the-middleattacksonanetwork.ThislabissimplyanextensionofthepreviousexerciseonimplementingDHCPsnooping.Forthislab,we'llbeusingthesamelabtopologyfromthepreviousexercise:


Figure14.41–DAIlabtopology

SincewealreadyhaveDHCPsnoopingimplementedfromthelastlabexercise,we'llproceedtoapplyonlytheDAIconfigurationsonthenetworkbyusingthefollowingsteps:

1. OnSW1,configuretheuplink(trunk)interfaceasanARPtrustedport:


SW1(config-if)#iparpinspectiontrust

SW1(config-if)#exit

2. EnableaDAIonVLAN1:


SW1(config)#iparpinspectionvlan1

3. ConfigureaDAItoinspectboththesourceordestinationMACandIPaddressesofeachmessageonSW1:

SW1(config)#iparpinspectionvalidatesrc-mac

dst-macip

4. OnSW2,configurethetrunkinterfacesandtheportconnectedtothelegitimateDHCPserverasARPtrustedports:

SW2(config)#interfacerangegigabitEthernet0/1

-gigabitEthernet0/2

SW2(config-if-range)#iparpinspectiontrust



SW2(config-if)#iparpinspectiontrust

SW2(config-if)#exit

5. EnableaDAIonVLAN1:

SW2(config)#iparpinspectionvlan1

6. ConfigureaDAItoinspectboththesourceanddestinationMACandIPaddressesofeachmessageonSW2:

SW2(config)#iparpinspectionvalidatesrc-mac

dst-macip

7. UsetheshowiparpinspectioncommandtoverifyARP


inspectionstatistics,asshownhere:

Figure14.42–VerifyingARPinspectiondetails

8. Lastly,theshowiparpinspectionvlancommandcanbeused

toverifywhetheraDAIisinspectingbothsourceanddestinationMACandIPaddressesofeachmessage:


Figure14.43–VerifyingadditionalARPinspectionconfigurations

Havingcompletedthislab,youhavegainedthehands-onexperienceandskillsrequiredtoimplementaDAItopreventandmitigateIPspoofingandman-in-the-middleattacksinaCiscoenvironment.Inthenextsection,youwilllearnhowtosecureawirelessnetwork.

WirelessnetworksecurityManyorganizationsimplementawirelessnetworktosupportthemobilityoftheirusers.ImplementingaWirelessLAN(WLAN)offersconveniencetouserswithmobiledevices,therebyallowingthemtoroamaroundthebuildingandworkfromanywhere.WithaWLAN,itisopentoanyonewithintherangeofthewirelesssignalgeneratedbytheAPsandthecorrectusercredentialstoaccessthecorporatenetwork.WLANscreateanentirelandscapeofthreatsandattacksbythreatactorsandevendisgruntledemployees.


Thefollowingaresomeofthethreatsposedtoawirelessnetwork:

Athreatactorcanintercepttrafficonawirelessnetwork.Thethreatactordoesnotneedtobewithinthebuilding,butratherwithintherangeofthewirelesssignal.It'srecommendedthatallwirelesstrafficshouldbeencryptedtopreventanyeavesdropping.

Anintrudermaybepresentonthewirelessnetwork.Thisissomeonewhoisnotauthorizedtoaccessthewirelessnetworkorresources.

AthreatactorcancreateaDoSattacktopreventlegitimateusersfromaccessingthewirelessnetwork.

Athreatactorcansetupaneviltwinorrogueaccesspointtocapturelegitimateusers'traffic.

ArogueaccesspointiswhereanattackersetsuptheirownAPoutsidethetargetorganization,butcloseenoughforitswirelesssignaltobereachablebyemployees.Ontherogueaccesspoint,theattackeraddsaninternetconnectionandimplementspacketcaptureandothermalicioustoolstointerceptandcapturetraffic.TheideaofimplementingarogueaccesspointistotrickvictimsintoconnectingtotheAPownedbytheattackerandtocapturesensitivedata.

TheEvilTwinisanAPinstalledwithinthecorporatenetworkbyathreatactor.Alluserswhoareconnectedareabletoaccessthecorporateresources,buttheirtrafficisinterceptedandcapturedbytheAPownedbythethreatactor.

Tip

Tolearnaboutwirelesssecuritypenetrationtesting,youcancheckoutmybook,


https://www.packtpub.com/networking-and-servers/learn-kali-linux-2018

LearnKaliLinux2019,byGlenD.Singh,publishedbyPacktPublishingatthefollowingURL:https://www.packtpub.com/networking-and-servers/learn-kali-linux-2018.Thebookalsocoversvariousaspectsofethicalhackingandpenetrationtesting.

OnemethodofreducingthepossibilityofhidingyourwirelessnetworkisdisablingtheServiceSetIdentifier(SSID)broadcast.Thisfeaturedoesnottotallyprotectyournetworkfromathreatactor,sincetherearetechniquesfordiscoveringahiddenwirelessnetwork,butitdoesreducethepossibilitythatanovicehackermaynotdetectit.WhentheSSIDbroadcastisdisabled,thewirelessrouterorAPwillnotsendtheSSIDwithinitsbeaconmessages.

ThefollowingscreenshotisanexampleofhowtodisabletheSSIDbroadcastonaLinksys160Ndevice:


Figure14.44–DisablingSSIDBroadcast

Additionally,youcanenableMACaddressfilteringtocreateanACLofpermittedordenieddevices.ThefollowingscreenshotshowsanexampleoftheMACfilteringinterfaceonaLinksys160Nwirelessrouter:


Figure14.45–MACfiltering

KeepinmindthatanexperiencedhackercanfindwaystobypassMACfilteringcontrolsonawirelessnetwork.However,it'sbettertohavesomesecurityonyournetworkratherthanhavingnosecurityatall.Inthenextsection,youwilldiscovervariousmethodsofauthenticationthatcanbeimplementedonawirelessnetwork.

AuthenticationmethodsAwirelessrouterorAPprovidesafewoptionstoconfigurehowusersareauthenticatedontothenetwork.OnemethodisOpenAuthentication,whichdisablesanyauthenticationmechanismsonthewirelessdevice.Thismethod


allowsanyonetoconnecttothewirelessnetworkfreely.Anauthenticationmethodsuchasthisiscommonlyusedinshoppingmalls,coffeeshopsandrestaurants,andpublicareas.

Importantnote

WPA3iscurrentlytheonlywirelesssecuritystandardthatencryptsmessagesonanopennetworkusingOpportunisticWirelessEncryption(OWE).ThistechnologyallowstheencryptionoftrafficbetweentheclientandtheAPonanopennetwork.ThistypeofimplementationisusefulforpublicWi-Fideployments.

AnothermethodinvolvestheuseofSharedKeyAuthentication.Thismethodisalsoreferredtoasapre-sharedkey(PSK).WithPSKauthentication,thewirelessrouterisconfiguredwithapassphraseforthewirelessnetwork,soanyoneattemptingtoaccessthewirelessnetworkwillbepromptedtoprovidethecorrectpre-sharedkey.TherearevariouswirelesssecuritystandardsthatusePSK.Theseareasfollows:

WiredEquivalentPrivacy(WEP):WEPisthefirstofficialstandardusedtosecuredatatransmissionusingtheRivestCipher4(RC4)encryptionalgorithmonanIEEE802.11network.Duetovarious

securityvulnerabilitiesfoundinthisstandard,itisnolongerrecommended.

Wi-FiProtectedAccess(WPA):ThisstandardusesWEPwithamoresecureencryptionalgorithmknownasTemporalKeyIntegrityProtocol(TKIP).TKIPappliesauniquekeytoeachpacketonthewirelessnetwork,thusmakingitdifficulttocompromise.TKIPalsovalidatesthe


integrityofeachmessagebyusingMessageIntegrityCheck(MIC).

WPA2:WPA2iscurrentlytheindustrystandardforsecuringIEEE

802.11networks.ThisstandardusestheAdvancedEncryption

Standard(AES)fordataencryption,whichisalotstrongerthanthosepreviouslymentioned.AESusestheCounterCipherModewithBlockChainingMessageAuthenticationCodeProtocol(CCMP),whichenablesthedestinationdevicetovalidateconfidentialityandintegrity.

WPA3:Asofthetimeofwritingthisbook,WPA3isthelatestwirelesssecuritystandard.WPA3usesthemostup-to-datesecurityprotocolsanddiscontinuesoutdatedandlegacyprotocols.WPA3usesSimultaneousAuthenticationofEquals(SAE)tomitigatevulnerabilitiesfoundinWPA2.WPA3usestheCommercialNationalSecurityAlgorithm(CNSA)inWPA3-Enterpriseauthentication.

Thefollowingscreenshotshowsanexampleofconfiguringtheauthenticationmethodsonawirelessrouter:


Figure14.46–Authenticationmethods

WPAandWPA2usetwoadditionalauthenticationmethods.Theseareasfollows:

Personal:ThismethodiscommonlyusedonahomewirelessnetworkandallowsyoutoconfigurethePSKdirectlyonthewirelessrouter.

Enterprise:ThismethodallowsyoutoassociatethewirelessrouterwithaAAAserver.ThewirelessrouterdoesnothandletheauthenticationofusersonthenetworkbuthandstheresponsibilityovertotheAAAserver(RADIUSorTACACS+).

Havingcompletedthissection,youhavelearnedaboutvariouswirelesssecuritythreatsandsecuritymechanisms.Inthenextsection,youwilllearnhowtoimplementawirelessnetworkandapplywirelesssecurity.


Lab–implementingwirelesssecurityusingaWLCInthislab,youwilllearnhowtoimplementwirelesssecurityusingaCiscoWirelessLANController(WLC).ThislabissimplyanextensionofthepreviousexerciseonimplementingadynamicARPinspection.Forthislab,ensurethatyouaddadditionaldevicestothefollowingnetworktopology:

Figure14.47–Wirelesssecuritylabtopology

Pleaseobservethefollowingguidelineswhenexecutingthislabtoensurethatyouobtainthesameresults:


FortheWLC,usetheCisco2504controller.OnCiscoPacketTracer,clickonNetworkDevices|WirelesstoselecttheCisco2504controller.

FortheLightweightAccessPoints(LAPs),usetheLAP-PTdevices.ThefollowingscreenshotshowsthelocationofboththeWLCandLAPsontheCiscoPacketTracerapplication:

Figure14.48–Wirelesscomplements

Thenumberedlabelsintheprecedingdiagramshowthebuttonstoclickon.

Nowthatyourtopologyisready,usethefollowinginstructionstosetuptheWLCandimplementawirelesssectiononthenetwork:

1. ClickontheWLC,andthenselecttheConfigtab|Managementinterfacetoassignthefollowingaddresses,asshowninthefollowingscreenshot:


http://172.16.1.40

Figure14.49–WLCIPconfigurations

2. Next,clickonPC1,selecttheDesktoptab,andthenopenWebBrowser.EntertheURLhttp://172.16.1.40andclickonGotoloadthe

WLChomepage.

3. Createausername,admin,setapassword,Cisco123,andthenclick

Start,asshownhere:


http://172.16.1.40

Figure14.50–WLCwelcomepage

4. ConfigurethemanagementIPaddress,subnetmask,anddefaultgateway,asshownhere:


Figure14.51–ManagementIPontheWLC

TheIPsettingsarethesameasdefinedinstep1.ClickNexttocontinue.

5. Onthenextpage,createawirelessnetworkname,WLAN-Corp,setthe

securityasWPA2-Personal,andthepassphraseascisco456,as

shownhere:


Figure14.52–CreatingawirelessnetworkonWLC

6. Next,youwillbeaskedtoconfigureavirtualIPaddressthatallowstheLAPstocommunicatewiththeWLConthenetwork.LeavethisconfigurationasthedefaultandthenclickNext:


Figure14.53–VirtualIPconfigurationonWLC

7. Next,theWLCwillpresentasummarypagewiththeconfigurationsyouhavemade.ClickApply.TheWLCwillreboot.ToaccesstheWLCafterithasrebooted,usetheURLhttps://172.16.1.40.

8. WhiletheWLCisrebooting,clickoneachLAPanddragthepoweradapter(1)tothepowerinterface(2),asshownhere:


https://172.16.1.40

Figure14.54–ConnectingapoweradaptertotheAP

Bydefault,LAPsdonothavepower.ConnectingthepoweradapterviaCiscoPacketTracerwillsupplypowertothedevice.

9. Weneedtore-enabletheinterfacesassociatedwiththeLAPsonSW1.Usethefollowingcommandstoenabletheinterfaces:


FastEthernet0/24



Theinterfacesmaytakeafewsecondsbeforetheytransitionintoaforwardingstate.


10. It'snowtimetotestwhetherthewirelessnetworkisconfiguredproperlybyconnectingamobiledevice.OnCiscoPacketTracer,clickonEndDevicesanddragthesmartdevice(suchasaphone)neartoanLAP.

11. Clickonthesmartdevice(phone),selecttheConfigtab|Wireless0interface,andapplythefollowingsettings:SSID:WLAN-Corp;

Authentication:WPA2-PSK;andPSKPassPhrase:cisco456,as

shownhere:


http://172.16.1.40

Figure14.55–Wirelessconfigurationonasmartdevice

Afterapplyingthewirelessconfigurations,thesmartdevicewillautomaticallyassociateitselfwithoneoftheLAPsandreceiveanIPaddressfromtheDHCPserveronthenetwork.IfthesmartdeviceobtainsanAPIPAaddress(169.254.x.x),simplytogglebacktoStaticandDHCPagain.This

sometimeshappensonanetworkwhentheDHCPDiscovermessagewasnotsuccessfullydeliveredtotheDHCPserveronthenetwork.

Lastly,wecanvalidatetheIPconfigurationsonthesmartdevice.ClickontheDesktoptab|CommandPromptandexecutetheipconfigcommand,as

shownhere:

Figure14.56–ValidatingIPconfigurations


Havingcompletedthissection,youhavegainedhands-onexperienceofimplementingaCiscoWLCandLAPs,andimplementedwirelesssecurityinaCiscoenvironment.

SummaryDuringthecourseofthischapter,youhavelearnedabouttheneedtouseamulti-layeredapproachknownasDefense-in-Depthtoimprovethesecuritypostureofyournetworkandorganization.Furthermore,youhavelearnedhowthreatactorscanusevariousLayer2threatsandattackstocompromiseourenterprisenetwork.Next,wecoveredhowtoimplementLayer2securitycontrolsonyourCiscoIOSswitchestopreventandmitigateLayer2attacksandwirelesssecuritytosecureyournetwork.

IhopethischapterhasbeeninformativeforyouandwillprovehelpfulinyourjourneytowardlearninghowtoimplementandadministerCiscosolutionsandpreparefortheCCNA200-301certification.Inthenextchapter,NetworkAutomationandProgrammabilityTechniques,youwilllearnhowautomationandprogrammabilitycanimproveefficiencyinnetworkdeploymentandmanagement.

QuestionsThefollowingisashortlistofreviewquestionstohelpreinforceyourlearningandhelpyouidentifyareasthatrequiresomeimprovement:

1. Whichofthefollowingisatypeofmalwarethatisdesignedtoencryptyourdata?


A.Worm

B.Ransomware

C.Polymorphic

D.Trojan

2. Asecurityprofessionalimplementsmultiplesecuritycomponentstoimprovethesecuritypostureoftheorganization.Whatisthesecurityprofessionaltryingtodo?

A.Installanti-malwareonalldevices.

B.Installhost-basedfirewallsonallenddevices.

C.Implementemailsecurity.

D.ImplementDefenseinDepth.

3. Athreatactorisattemptingtoforceaswitchtofloodallitsinboundtrafficoutofallotherports.Whattypeofattackisthethreatactorperforming?

A.IPspoofing

B.CAMtableoverflow

C.Man-in-the-middle

D.ARPspoofing

4. AnotherattackerisattemptingtogainunauthorizedaccesstoaVLAN.Whattypeofattackisbeingperformedbytheattacker?


A.An802.1Qattack

B.ADTPattack

C.VLANhopping

D.VLANdoubletagging

5. WhichcommandisusedtodisableDTPonaninterface?

A.switchportnonegotiate

B.switchportmodeaccess

C.switchportmodetrunk

D.noswitchportdtp

6. AnattackerisattemptingtoconnectarogueDHCPserveronthenetwork.Howcansuchanattackbeprevented?

A.ImplementaDAI.

B.Shutdowntheinterface.

C.Portsecurity.

D.DHCPsnooping.

7. Whenportsecurityisenabled,whichisthedefaultviolationmode?

A.Protect


B.Error-disabled

C.Shutdown

D.Restrict

8. WhichcommandcanbeusedtoenableaDAItoinspectboththesourceanddestinationMACandIPaddressesofeachmessage?

A.iparpinspectionvalidatesrc-macdst-mac

B.iparpinspectionvalidatesrc-macdst-macip

C.iparpinspectionvalidatesrc-macip

D.iparpinspectionvalidateenable

9. Whichsecurityapplianceshouldyouusetofilteremailtraffic?

A.CiscoUmbrella

B.CiscoNGIPS

C.CiscoNGFW

D.CiscoESA

10. Whichistheleastsecureviolationmodeinportsecurity?

A.Protect

B.Error-disabled

C.Shutdown


https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html



D.Restrict


Configuringportsecurity:https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html

ConfiguringDHCPsnooping:https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

ConfiguringaDAI:https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dynarp.html





https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dynarp.html

Inthissection,youwillbeintroducedtonetworkprogrammability.ThisisanewskillCiscorecommendsforeachexistingandnewnetworkengineerinthefield.Additionally,youwilldiscoverthemanybenefitsofimplementingtechniquesthatwillassistinnetworkmanagement,suchasautomation.


Chapter15,NetworkAutomationandProgrammabilityTechniques

Chapter16,MockTest1

Chapter17,MockTest2


Section6:AutomationandProgrammability


Chapter15:NetworkAutomationandProgrammabilityTechniquesIn2019,Ciscomadeahugeannouncementrelatedtotheircertificationtracksandexaminationstructure.OnenotableupdateistheinclusionofautomationandprogrammabilitywithintheCCNA,CCNP,andCCIEcertificationtracks.You'reprobablywondering,whatdoesthismeanforcurrentandnewnetworkengineers?Toputitsimply,automationandprogrammabilityarebeingintegratedintonetworkengineering,thuscreatinganewtypeofnetworkprofessionals,referredtoasnetworkdevelopers.

Duringthecourseofthischapter,youwilllearnhowprogrammabilityandautomationarebeingintegratedintonetworkengineering.Furthermore,youwillgainknowledgetohelpyouunderstandthevariousdataformatsofprogramminglanguagessuchasJSON,YAML,andXML.


Understandingautomation

Understandingdataformats

UnderstandingAPIs

Understandingnetworkconfigurationmanagement

Understandingintent-basednetworking

Understandingautomation


Automationisanyprocessthatisself-drivenwithouttheneedforhumanintervention.Inmanymanufacturingplantsaroundtheworld,machines(orrobots)areusedduringthebuildingandassemblyprocess.Imagineacarmanufacturerusingmachinesthatcanoperateona24/7/365continuousschedulethatisbeingcontrolledbyacomputer.Thecomputerprovidestheinstructionsforthemachinestointerpretandexecuteonthemanufacturingline.Thesemachinesareabletoworkcontinuouslywithouttheneedtostopandrest,andtheycanperformjobsinaprecisemannerwithouterrorsorfaults.Havingmachinesinaproductionlineremovestheneedforhumanworkersashigherproductionoutputisachievedwhilereducingtheriskofhumanerroronthejob.

Automationwasmostusedwithinmanufacturingplants,whereitwasmoreeffectivetoimplementmachinestoperformcertaintasksandwheretheworkingenvironmentmaybehazardoustohumans.Today,automationhasbeenexpandingtomanyindustries,includingInformationTechnology(IT).Anexampleishomeautomation,whereyoucanuseaRaspberryPiwithitsnativeoperatingsystemandthePythonprogramminglanguage,alongwithafewothercomponents,toautomatevariousprocesseswithinthehome.Automationissuchanawesometopictolearnabout,especiallyasmanytaskswithinourjobsinnetworkengineeringandevenotherareasofITcanbenefitalotfromit.

Haveyouwonderedhowonesystemisabletocommunicatewithanothersystem?Let'suseascenariowherethecomputersystemismanagingthemachinesthatbuildcarsonaproductionline.Boththecomputersystemandthemachinesaredifferentsystemsaltogether–theyarenotdesignedwiththesameoperatingsystemorapplications,sonatively,theyarenotabletoworktogether.Fromourpointofview,itwouldseemthecomputersystemisabletocommunicatefluentlywiththemachinesandviceversa,astheyareexecuting


thetasksascoordinatedbythecomputer.Whenthecomputersendsinstructionstothemachines,theycanconnectalltheinstructionsthatarereceivedandthenusethemtoperformagivenaction.Thecomputermustsendtheinstructionsusingastructureddataformat,whichwillcontainalltheinformationthemachinesneedtounderstandforthetaskandtoperformtheirjobs.Inthenextsection,youwilllearnaboutthesedataformatsindetail.

UnderstandingdataformatsLet'simaginetherearetwodifferentsystemsonanetwork,suchasacomputerandarouter.Thecomputerwantstosharedatawiththerouterbutsincethesearetwodifferentdevicesaltogether,theroutermaynotunderstandorbeabletointerpretthemessageitreceivesfromthecomputer.Tosolvethisissue,dataformatsareusedtoensurethedatathatisbeingexchangedbetweenthesystemsispresentedinaformatthatiseasilyunderstoodbyanothersystem.ThinkofadataformatastwopeoplewhobothspeakdifferentlanguagesusingacommonlanguagesuchasEnglishsothattheinformationthat'sbeingexchangedcanbeeasilyunderstoodbyboth.

Dataformatsgoastepfurthertoensurecomputers,networkdevices,andapplicationsareallabletounderstanddatathatisbeingsharedbetweenthem.Asanexample,let'stakealookatasimplewebpagewrittenintheHypertextMarkupLanguage(HTML),asshowninthefollowingscreenshot:


Figure15.1–HTMLcode

HTMLisknownasoneofthestandardmarkuplanguagesusedtocreatewebpages.ThedataformatofHTMLensuresanapplicationsuchasawebbrowsercanreadandunderstandthedataeasily.Additionally,beingastructureddataformatallowsushumanstoreadandunderstandmostofthedata,asshownintheprecedingsnippet.Noticehowthedataispresentedbetweentags(elements)andthatthetitleofthewebpageisplacedbetweenthe<title></title>

tags.ThisformatisusedthroughouttheremainderoftheHTMLcodeandisanexampleofastructureddataformat.

ThefollowingscreenshotshowshowtheprecedingHTMLcodeisrenderedwithinawebbrowser:


Figure15.2–HTMLwebpage

Dataformatsareveryimportanttounderstandastheyplayavitalroleinnetworkautomationandprogrammability.Thefollowingarevariousdataformatsthatareusedinmanycomputerapplicationstoassistwithautomationandprogrammability:

eXtensibleMarkupLanguage(XML)

JavaScriptObjectNotation(JSON)

YAMLAin'tMarkupLanguage(YAML)

Thesedataformatsarenotjustforsystemsandapplicationstounderstand,butbeingastructureddataformatalsoallowshumanstoreadandinterpretthedataandvaluesjustasthesystemdoes.

Dataformatsusethefollowingrulesandstructures:

JSON,XML,andYAMLuseakey-valuepairtorepresentdata.keyis

alwaysontheleftanditisusedtoidentifythedata.valueisalwayson

therightandthevalueistheactualdataitself.Additionally,thekeyand


valuearealwaysseparatedusingacolon(:)intheformofkey:value.

Similartoprogramminglanguages,varioussyntaxesareusedwithdataformats.Thesearesquarebraces[],curvebraces(),curlybraces{},

commas,quotationmarks,whitespaces,andevenindentations.

Theobjectswithinadataformatcanbecharacters(a-z)orstringssuchaswords,lists,andarrays.

Overthenextfewsections,youwilllearnandunderstandthecharacteristicsofJSON,XML,andYAMLandhowdataisformattedusingeachofthesedataformats.

eXtensibleMarkupLanguageTheXMLdataformatisdesignedfortheinternetasitcloselyresemblesHTML.ThechallengewithformattingdatausingXMLisinthedifficultyitpresentstousashumansinreadingandunderstandingthedata.ThisisbecausetheXMLdataformatwasreallydesignedtotransportorcarrydatafromonesystemtoanother,nottopresentordisplayittohumans.

ThefollowingaretheimportantguidelinesthatshouldbeusedwhenformattingdatawithXML:

XMLusestagstostructureitsdata.Thesetagsusethefollowingformat:<key>value</key>.

XMLhasthecapabilitytouseattributeswithakey-valuepair,suchas<keyname="MyName">value</key>.


AllwhitespacesusedwithinXMLdataareignored.

Bothconfigurationfilesandwebsites'sitemapsuseXML.

Tip

Ifyou'reinterestedinlearningmoreabouttheXMLdataformat,pleaseseetherelevantpageontheW3Schoolssiteathttps://www.w3schools.com/xml/default.asp.

ThefollowingsnippetshowsasimplenotewrittenintheXMLdataformat:

Figure15.3–XMLdataformat

Asshownintheprecedingsnippet,oneachline,thevaluesareplacedbetweentheircorrespondingkeys.Additionally,somelineswithinthedataformatareindentedtoimprovereadabilitybyhumans,butthisisnotmandatoryforsystemsandapplications.XMLisalsousedtostore,transfer,andreaddatabetweensystemsandapplications.


https://www.w3schools.com/xml/default.asp

JavaScriptObjectNotationJSONisanotherhuman-readabledataformatthatisusedbysystemsandapplicationstostore,transfer,andreaddata.JSONhasgainedalotofpopularityduetoitsusecaseswithmanywebservicesandApplicationprogramminginterfaces(APIs)toretrievedatafrompubliclyaccessibledevices.

TobetterunderstandtheJSONdataformat,let'stakealookattheoutputfromtheshowinterfaceGigabitEthernet0/1commandonaCiscoIOS

router:

GigabitEthernet0/1isup,lineprotocolisup

(connected)

Description:ConnectedtoWideAreaNetwork(WAN)

Internetaddressis172.16.1.1/24

Theprecedingoutputisprovidedviathecommand-lineinterface(CLI)weareaccustomedtowhenworkingwithCiscodevices.TheprecedingoutputcanberepresentedinJSONdataformatasfollows:


Figure15.4–JSONdataformat

Asshownintheprecedingsnippet,eachkey-valuepaircontainsadifferentpieceofdataaboutthedevice'sinterfacesuchasitsname,itsdescription,whethertheinterfaceisenabledordisabled,andtheIPaddressandsubnetmask.

TobetterunderstandhowdataisformattedinJSON,let'stakealookatthefollowingcharacteristics:

JSONusesahierarchicaltreestructurethatcontainsnestedvaluesandobjects.

JSONusescurlybraces{}tocontain/holdobjects.


JSONusessquarebraces[]tocontain/holdarrays.Anarrayisusedto

representalistofdatainprogramming.Anexampleofalistisashoppinglist.

DatarepresentedinJSONiswrittenusingakey-valuepair.Thesekey-valuepairsarewritteninthekey:"value"format.Acolonisusedtoseparatethekeyandthevalue.

Whitespacesareignoredbutusedtoimprovehumanreadability.

ThefollowingarekeypointstohelpyouinterpretJSON:

Allkeysarewrittenwithindoublequotationmarks.Valuesmustbeeitherotherobjects,arrays,strings,numbers,orBooleanexpressions.Thefollowingisanexampleofakey-valuepairinJSON:

{"certification":"CCNA200-301"}

Sincethekey-valuepairisalsoenclosedincurlybraces,theentireformatisknownasaJSONobject.

Youcanhavemorethanonekey-valuepairwithinasingleobject.Acommaisusedtoseparateeachkey-valuepairfromtheothers.

Akeymaycontainmorethanonevalue.Thinkofitlikealistofitemsforshopping–intheprogrammingworld,thisisknownasanarray.Anarrayisdefinedasanorderedlistofvaluesenclosedinsquarebraces[].

Eachvaluewithinakeyisseparatedbyacomma.Eacharraywithinanobjectisalsoseparatedbyacomma.

ThefollowingisanexampleofalistofITcertificationsrepresentedinJSON:


Figure15.5–AnarrayinJSON

Fromtheprecedingsnippet,wecandeterminethefollowing:

ThekeyinthiscodeisITCerts.

Squarebraces[]areusedtocreateanarray(alist)ofthreeobjects.These

threeobjectsareNetworking,Cybersecurity,andNetworkDeveloper.

Eachobjectisenclosedwithacurlybrace{}andseparatedbyacomma.

Thelastobjectwithinthearraydoesnotendwithacommasimplybecauseit'sthelastitemonthelist.

Eachobjectcontainsonekey-valuepair.


Tip

Ifyou'reinterestedinlearningmoreabouttheJSONdataformat,pleaseseethefollowingpageontheW3Schoolssiteathttps://www.w3schools.com/js/js_json_intro.asp.

AsyoumayhavenoticedwithJSON,it'sanotherhuman-readabledataformatforrepresentingandexchangingdatabetweensystemsandapplications.

YAMLAin'tMarkupLanguageYAMLisanotherhuman-readabledataformatthatisalsousedtostore,transfer,andreaddatabetweensystemsandapplications.ThefollowingarethecharacteristicsofYAML:

YAMLusesaveryminimalisticformat,thusmakingitsupereasytoreadandwrite.

YAMLusesindentationstodefinethedatastructurewithouttheneedforcommasorbracesofanykind.

WhitespacesareusedtodefinethestructureoftheYAMLfile.

YAMLusesadash(-)torepresentsalistofitemswithinanarray.

It'snewerthanXMLandJSONandisgaininginpopularity.

Let'stakealookatthefollowingJSONdata:


https://www.w3schools.com/js/js_json_intro.asp

Figure15.6–JSONdataformat

Now,let'stakealookatthesamedatawritteninYAMLformat,asfollows:

Figure15.7–YAMLdataformat

Noticehowkey-valuepairswritteninYAMLdonotuseanycommandsorquotationmarksandthateachobjectwithinthearrayisindicatedusingadash(-

).


Tip

Ifyou'reinterestedinlearningmoreabouttheYAMLdataformat,pleaseseethefollowingpage:https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html.

YAMLhasbecomethepreferreddataformatinthenetworkingindustry,simplybecauseitisveryeasytounderstandforhumansandsystemsalike.

Havingcompletedthissection,youhavegainedtheessentialskillstointerpretvariousdataformatssuchasXML,JSON,andYAML.Inthenextsection,youwilldiscoverthevitalrolethatAPIsplayinanetwork,especiallyinnetworkdevelopmentandoperations.

UnderstandingAPIsAnAPIallowsdataformatstobesharedbetweendifferentsystemsordevices.APIssimplyallowanapplicationtosendandretrievedatafromanothersystem.APIsareusedalmosteverywhere,fromcloudservicessuchasMicrosoftAzureandAmazon'sAWStosocialmediaplatformssuchasFacebook.

TounderstandhowAPIsoperate,let'simagineyouvisityourfavoriterestauranttohaveadine-indinnerwithyourfamilyorsignificantother.Attherestaurant,youaregivenamenusothatyoucanchooseyourmealbeforeit'spreparedinthekitchen.Asacustomer,youwon'tbeallowedtovisitthekitchentoretrieveyourmealwhenit'sready–awaiterorwaitressisassignedthisrole.Whenyou(theuser)arereadytoplaceyourorder,therequestismadeviathewaiter/waitress(API),whichisknownasanAPIcall.Thewaiter/waitressthengoestothekitchenwithyourorder(therequest).Whenthefood(data)isready,


thewaiter/waitress(API)deliversittoyou(theresponse).

ThefollowingdiagramshowstheconceptofanAPIretrievingdatafromasystemforauser:

Figure15.8–APIoperations

YoucanthinkofanAPIasasortofmessengerthat'susedtorequestandretrievedatafromasystemoranapplication.Whenonesystemrequestsinformationfromanothersystem,anAPIcallisusedtomaketherequest.Now,let'slookatthedifferenttypesofAPIs.

TypesofAPIsVarioustypesofAPIsareusedforspecificscenarios.EachtypeofAPIhasitsownuniquepurposeandrole.ThefollowingisalistofvarioustypesofAPIs:

Open/publicAPIs:OpenorpublicAPIsaredesignedtobeusedwithoutanyrestrictionsonasystem.AnexampleofapublicAPIistheYouTubeDataAPI,whichallowsapersontoaddYouTubefunctionalitytotheirapplicationorwebsite.

Internal/privateAPIs:AninternalorprivateAPIisusedwithinan


organizationbyitsemployees.AnexampleofthisisaninternalAPIthatcanallowauthorizedpersonsfromthesalesteamtoaccess/retrieveinternalsalesinformationontheirsmartdevices.

PartnerAPIs:ThistypeofAPIisusedbetweendifferentorganizationsorcompanies.Anorganizationisgivenauthorization(permissionfromanothercompany)tousetheAPItoretrievedatafromtheirapplicationorsystem.Asanexample,yoursmartphonemayhaveaweatherwidgetthatusesanAPItoretrieveweatherforecastdatafromanonlineserver.

Next,wewilltakeadiveintoRepresentationalStateTransfer(REST)APIs.

RESTfulAPIsARESTAPIusesHTTPtosendorretrievedataforthesystemorapplication.Beforedivinginfurther,it'simportanttounderstandthefundamentalsofHTTPcommunicationbetweenaclientdevicesuchasacomputerandthewebserver.Foraclientdevicetointerfacewithawebserver,astandardwebbrowserisrequiredtoallowtheusertoviewwebpagesinahuman-readableformat.Whenauserwantstoviewawebpage,theuseropenstheirpreferredwebbrowser,whichthenuseseitherHTTPorHTTPSecure(HTTPS)torequest(HTTPGET)thewebpagefromthewebserver.

Thefollowingdiagramshowsaclientmachinerequestingawebpagefromaserver:


Figure15.9–HTTPoperation

WhentheserverreceivestheHTTPGETmessage,itwillrespondwithanHTTPstatuscodeof200andreturnthewebpagetotheclient.HTTPusesvariousstatuscodesthatcanbeusedduringtroubleshooting.However,anHTTPstatuscodeof200simplymeanstherequestissuccessfulandthattheserverwillprovidethedata.

RESTAPIsaretypesofAPIthatoperateontopofHTTP,whichmeansitdefinestherulesandinstructionsthatdeveloperscanusetoexecutetasks,suchasrequestingdataorupdatingormodifyingrecordsonasystemorapplication.AllofthisisdoneusingHTTPprotocolmessagessuchasGETandPOST.

ImportantNote

AnHTTPGETmessageisusedtorequestdatafromadevicesuchasaserver,whiletheHTTPPOSTmessageisusedtoupdateinformationonaserver.

APIsthatabidebytherulesandguidelinesoftheRESTstructurearereferredto


asRESTfulAPIs.ThefollowingcharacteristicsmustbemetforanAPItobeconsideredRESTful:

ARESTfulAPIusesaclient-servermodel.Theclientdeviceistypicallythefrontend,wheretheusercaninterfacewiththeserver.Theserverisresponsibleforbackendoperationssuchashostingapplicationsandservers,aswellasstoringdata.Thebenefitofusingthismodelisthatitallowseachdevicetooperateindependentlyfromeachother,meaningthateithertheclientortheservercanbereplaced.

RESTfulAPIsarestatelessbynature.Beingstatelessmeanstheserverdoesnotstoreanydatabetweenrequestsfromanyclients.Allthesessioninformation,suchasstates,arestoredonlyontheclientmachine.AnexampleisifaclientsendsanAPIcalltoaserveraskingWhatistheweatherliketoday?,andtheserverrespondswiththedata.IftheclientsendsasecondAPIcall,suchasafollow-uptothepreviousrequestsuchasWillitbehotorcold?,theserverwillnotbeabletorespondtothesecondrequestsimplybecauseitdoesnotkeeptrackofanystates.

RESTfulAPIsareconsideredtobecacheable.Sincetheserverisunabletostoreanysessionstates,informationsuchasresponsescanbecachedontheclient-sidesimplytoimprovetheoverallperformanceofthecommunicationbetweentheclientsandtheserver.

SinceRESTfulAPIsuseHTTPtorequestandrespondtomessagesbetweensystems,it'simportanttounderstandthevariousHTTPmethods,suchasPOST,

GET,PUT/PATCH,andDELETE.ForHTTPtorequestaresource,itneedsto

knowwheretheresourceislocated,suchasawebpageonawebserver,whichisreferredtobyaUniformResourceIdentifier(URI).AnexampleofaURIis


https://www.netacad.com/courses/packet-tracer

https://www.netacad.com/courses/packet-tracer.Webservicesoftensupportvariousdataformats,suchastheonesmentionedintheprevioussection;thatis,XML,JSON,andYAML.Whenaclientmachinewantstorequestawebpage,itwillsendanHTTPGETmessagetotheURIand,ifsuccessful,theserverwillrespondwiththeHTTP200statuscodeandthewebpageinHTML.

RESTfulAPIsuseHTTPmethods(verbs)suchasPOST,GET,PATCH,andDELETEtosendandretrievedataformatsbetweentheclientandserver.TheseHTTPmethodsalsocorrespondtoRESTfuloperationssuchasCreate,Read,Update,andDelete(CRUD).

Thefollowingtableprovidesaside-by-sidecomparisonofCRUDoperations:

Figure15.10–CRUD

Whenaclientmachinerequests(HTTPGET)datafromasystemsuchasaserver,aslongastheclientusesaproperlystructuredJSONrequest,theserverwillrespondwiththeJSONdata.TheJSONdataintheresponsecanthenbepresentedinaclient-sideapplication.

ForaRESTfulAPItointeractperfectlywithasystemorapplication,it'simportantthattheRESTfulAPIcorrectlyidentifieswebresourcesusingaURI.


AURIhasthefollowingtwospecifications:

UniformResourceName(URN):AURNisusedtoidentifyonlythenamespaceofaresource.Anexampleofaresourceisawebpage,image,ordocumentwithoutspecifyingaprotocolsuchasHTTPorHTTPS.AnexampleofaURNiswww.cisco.com/c/en/us/index.html.

UniformResourceLocator(URL):AURLisabitsimilartoaURN,exceptthatitisusedtospecifythelocationofaresourceonanetworkandspecifiesaprotocol.TherearemanyapplicationlayerprotocolssuchasHTTP,HTTPS,FTP,SFTP,andsoon.AnexampleofaURLishttps://www.cisco.com/c/en/us/index.html.

Additionally,aURIismadeupofthefollowingcomponents:

Protocol(scheme):Theprotocolsimplydefinestheapplicationlayerprotocolthatisusedbyanapplicationtoaccessaresource.ExamplesofprotocolsareHTTPandHTTPS.

Hostname:ThehostnamesimplydefinestheFullyQualifiedDomainName(FQDN),suchaswww.cisco.com.

Pathandfilename:Thepathandfilenameidentifythelocationandnameoftheresource.Anexampleofapathandfilenameis/c/en/us/training-events/training-

certifications/certifications/associate/ccna.html.

Fragment:Afragmentidentifiesaspecificareaonawebpage.Anexampleofafragmentis#~exams.

ThefollowingisanexampleofaURIcontainingallthecomponentsmentioned


http://www.cisco.com/c/en/us/index.html

https://www.cisco.com/c/en/us/index.html


here:

https://www.cisco.com/c/en/us/training-events/training-certifications/certifications/associate/ccna.html#~exams

IfyouclickorvisittheprecedingURI,itwillcarryyoutotheexaminationsectionoftheCCNApageontheCiscowebsite.

Asanotherexample,thefollowingshowsaRESTfulAPIrequestbeingsentfromaclienttoCiscoDNACentertorequestdataonanyinterfacewithanIPv4addressof10.10.22.253.ThisURIisasfollows:

https://sandboxdnac.cisco.com/dna/intent/api/v1/inte

rface/ip-address/10.10.22.253

TheserverrespondedinJSONdataformat,thusprovidingthefollowingresponse:


https://sandboxdnac.cisco.com/dna/intent/api/v1/interface/ip-address/10.10.22.253

https://sandboxdnac.cisco.com/dna/intent/api/v1/interface/ip-address/10.10.22.253

Figure15.11–ResponseinJSONdataformat

CiscoDNACenterreturnedalldataabouttheinterfacethatwasassignedthe


specificIPv4address,asstatedintheURI.Asshownintheprecedingsnippet,youcanreadandinterpretalmostalltheinformationpresentedinJSON,simplybecauseJSONisahuman-readabledataformat.

TheRESTfulAPIrequestconsistsofthefollowingparts:

APIserver:IdentifiestheAPIserverwithintheURL.TheAPIserverishttps://sandboxdnac.cisco.com.

Resources:Identifiestheresourcesthatarebeingrequestedbytheclient,suchas/dna/intent/api/v1/interface/ip-

address/10.10.22.253.

Query:Thequeryisusedtospecifythedataformatandthedatathattheclientisrequestingfromtheserver.Aquerycanincludetheformat,whichindicateswhethertherequestisXML,JSON,orYAML.Additionally,aquerycancontainakey,whichisusedtoidentifyanAPIkeytoauthenticatetheclienttotheserver.Lastly,thequerymayalsocontainparameters,whichareusedtosendspecificinformationfromtheclienttotheserver.ThishelpstheAPIknowexactlywhattoreturntotheclient.

ImportantNote

Systemsthatofferpubliclyaccessibleinformation,suchasGoogleMaps,allowausertogenerateapublicAPI(key)ontheirplatformtousetheservices.Thesekeysprovideaformofauthenticationbetweentheclientandtheserver,whichcreatesanumberofbenefits.ItallowstheservertotrackthenumberofpersonsusingtheAPI,limitthenumberofrequests


https://sandboxdnac.cisco.com

beingsentbyusers,captureandkeeptrackofthedatarequestedbytheclients,andgatherinformationaboutthepeopleusingtheAPI.

ForausertomakeaRESTfulAPIrequesttoasystem,theusercanuseoneofthefollowingmethods:

Developerwebsite:Manyonlineapplicationvendorsusuallyhaveadeveloperwebsitewheretheyoftenmaintainandpublishprocedures,outlininghowuserscancreateandusetheirsystemswithAPIs.AnexampleistheCiscoDevNetwebsite(https://developer.cisco.com),whichcontainsalargeamountofAPIdocumentationforvariousCiscoplatforms.

POSTMAN:ThistoolallowsausertointeractwithasystemusingvariousHTTPverbstoperformactionssuchasCRUD.POSTMANalsoallowsausertoconstructandsendRESTfulAPIrequestswithadditionalqueryparameterssuchaskeysandformattype.TolearnmoreaboutPOSTMAN,pleaseseehttps://www.postman.com.

Python:ThisprogramminglanguageallowsadevelopertointegrateaRESTfulAPIintotheircodetoperformactionssuchasautomation.

Networkoperatingsystems:NetworkoperatingsystemsusevariousprotocolssuchasNETCONFandRESTCONF,whichallowanetwork

developertointeractwithanetworkdeviceviaanAPI.TheNETCONF

protocolallowsausertoperformnetworkconfigurations,whileRESTCONFallowstheapplicationtoformatthedatathat'spassed

betweentheclientandservermachines.


https://developer.cisco.com

https://www.postman.com

ImportantNote

Tolearnmoreaboutnetworkprogrammability,checkoutthefreecourseonCiscoDevNetathttps://developer.cisco.com/video/net-prog-basics/.

Havingcompletedthissection,youhavegainedtheskillstoidentifyandunderstandthepurposeandrolethatRESTfulAPIsplaywhenyou'reaccessingdatabetweendifferentsystems.Inthenextsection,youwilllearnaboutconfigurationmanagementtools.

UnderstandingnetworkconfigurationmanagementAtthebeginningofthischapter,wediscussedautomationandhowithelpsus,asnetworkengineers,workmoreefficientlywhenconfiguring,deploying,andtroubleshootingissuesonalargenetwork.Animportantfactorwithnetworkautomationisthatitsavesusalotoftimefromperformingmanualtasksonournetworkdevices.Whenbecominganetworkdeveloper,it'simportanttounderstandhowvariousconfigurationmanagementtoolscanimprovehowweautomateconfigurationsonourswitches,routers,firewalls,andmanyothernetworkdevices.

Inatraditionalscenario,anetworkengineerwillaccessandmanageanetworkdevicesuchasarouterorswitchviaaCLI.Thisishowwealllearnedtomanageourdevices–ifthereisachangethatneedstobemadeonthenetwork,weneedtologintotheCLIandmanuallymakethischange.Asthismethodhasworkedformanyyearsandit'stheprimarymethodbywhichwedothings,it'salsovulnerabletohumanerror,whereapersonmaymisconfigureadevice,anditcan


https://developer.cisco.com/video/net-prog-basics/

equallybeverytime-consumingifthenetworkengineerhastoapplythesameconfigurationstomultipledevices.Sometimes,youmaythinkthatcopyingandpastingtheconfigurationsbetweendevicesisaformofautomation,butinreality,itisstillamanualandtime-consumingtask.

InChapter10,ImplementingNetworkServicesandIPOperations,wecoveredthefunctionalityandusecasesoftheSimpleNetworkManagementProtocol(SNMP).Thisprotocolallowsus,asnetworkengineers,tomanagevariousdevicesonournetwork,suchasdesktopscomputers,servers,networkingdevices,andsecurityappliances,allonanIP-basednetwork.AnetworkengineerwilldefinitelyneedaNetworkManagementStation(NMS),whichwillfunctionastheSNMPmanagertointeractwiththeSNMPagentsonthenodes(desktops,switches,andsoon).WithSNMP,wecanupdateconfigurationsonnetworkdevices;however,it'snotrecommendedtouseSNMPforsuchatasksimplyduetothesecurityvulnerabilitiesthatcanbefoundwithintheprotocolsuite.SNMPisalsousedtoretrieveinformationaboutdevices,whichcanhelpnetworkingprofessionalsgatherusefuldatasuchasstatisticsandperformancedetailsondevices.ThismakesSNMPbetterfornetworkmonitoringthanautomatingdeviceconfiguration.

WithAPIs,anetworkdevelopercanquicklyautomateconfigurationsanddeploydevicesmoreefficientlyoveranetwork.Imaginethat,withAPIs,youcanuseautomationconfigurationtoolstoconfigurechangesonmultipledevicessimultaneously,withouthavingtomanuallylogintoeachdeviceindividually.Withconfigurationmanagementtools,youcanuseRESTfulAPIstoautomateconfigurationonallyourdeviceswithinyourorganization.Thesetoolswillhelpyoutomaintainconsistencybetweensystemandnetworkdeviceconfigurations,includingsecuritysettings,IPprotocolsettings,interfaceconfigurations,andso


on.

Thefollowingisalistofseveralconfigurationmanagementtools:

Ansible

Chef

Puppet

ThefollowingarethecharacteristicsofAnsible:

CreatedbyRedHat.

WorkswiththePythonprogramminglanguageandYAMLdataformat.

Itisagentless.Thismeansanagentisnotrequiredtobeinstalledorconfiguredonanetworkdevicethatyouwanttocontrol.Beingagentlessallowstheusertopushconfigurationstoanodeonanetwork.

YoucanmanageanynumberofdevicesusingAnsible.Asthenetworkgrows,youcandesignateadedicatedmachinetoworkasanAnsiblecontroller.SinceAnsibleisagentless,anydevicecanbeacontrolleronthenetwork.

Alltheinstructionsarecreatedusingaplaybook.

ThefollowingarethecharacteristicsofChef:

ChefusestheRubyprogramminglanguage.

AnagentisrequiredtobeinstalledonthedeviceyouwanttomanagewithChef.Beingagent-based,thenodewillpullconfigurationsfromthe


Chefmaster.

ThedevicethatmanagesallthenodesorsystemsonanetworkisknownasaChefmaster.

Alltheinstructionsarecreatedinacookbook.

ThefollowingarethecharacteristicsofPuppet:

PuppetusestheRubyprogramminglanguage.

Puppetsupportsbothagent-basedandagentlessnodes.

APuppetmasterisusedtocontrolallthesystemsanddevicesonthenetwork.

Allinstructionsarewritteninthemanifest.

Havingcompletedthissection,youhavelearnedaboutvariousconfigurationmanagementtoolsandhoweachtoolisdifferentfromtheother.Inthenextsection,wewilltakeadeepdiveintointent-basednetworking(IBN)andCisco'sDigitalNetworkArchitecture(DNA)Center.

Understandingintent-basednetworking

Overthecourseofthischapter,youhavelearnedaboutmanyamazingtechnologiesthatallworktogethertohelpyou,asanetworkengineer,automatemanytasksonyourenterprisenetwork.Inthissection,wewilldiscusstwoadditionalpiecesoftechnologythatbringeverythingtogetherfornetworkautomation.TheseareknownasIBNandCiscoDNACenter.

Inthepast,networkengineerswouldimplementaconceptknownasaSoftware-


DefinedNetwork(SDN)tovirtualizeanetworkandprovideanewmethodtooffernetworkadministrationandmanagementtasks.WithSDNs,thegoalwastoensurenetworkoperationstasksweremadesimpleandstreamlinedfornetworkengineers.

Withinnetworkdevices,therearethreelogicalplanesthatexistwithintheoperatingsystem.Eachplanehasauniqueroleandfunctiononthenetwork.Thefollowinglistprovidesdescriptionsofeachplane:

Managementplane:Thisplaneisresponsibleforallowinganadministratortomanageadevice.Asatypicalnetworkengineer,wewouldusevariousprotocolssuchasSecureShell(SSH),HTTPS,TrivialFileTransferProtocol(TFTP),andSNMPtohelpusmanageourdevices.Thismanagementplanesimplydefineshowwecanaccessanetworkdevice.

Dataplane:Thisplaneisresponsibleforsendingandreceivingmessagesonanetworkdevice.It'sliketheforwardingplaneonthedeviceitself.

Controlplane:Thisplanecontrolstheentirenetworkdeviceandhowitoperates.Thisisthebrainofthedevice.Layer2andevenLayer3forwardingmechanisms,routingprotocols,IPv4andIPv6routingtables,Spanning-TreeProtocol(STP),andsoonallexistinthecontrolplane.

Sinceeachdevicehasalltheseplanes,eachdevicecanthinkandmakeforwardingdecisionsontheirownwhileoperatingonaproductionnetwork.Asanexample,anOpenShortestPathFirst(OSPF)-enabledrouterisabletomakeitsforwardingdecisionsforinboundpacketsindependently,andallOSPF-enabledrouterswithinasingleareaareabletoestablishneighboradjacenciesinordertoexchangeinformationwitheachother.EnablingOSPFonarouterdoes


nothappenautomatically;anetworkengineerneedstoconfigureeachrouteronthenetworkwithOSPF,andthentheywillattempttocreateneighboradjacencies.WithSDN,thecontroller-basednetworkallowsustoautomateandmanagetheoveralldeploymentandconfigurationofOSPFwithintheenterprisenetwork.

Toputitsimply,weareusinganSDNcontrollertomanagethebrainofallthenetworkdevicestogether.Therefore,thecontrolplanemovesfromtheswitches,routers,firewalls,andsoontotheSDNcontrolleronthenetwork.TheSDNcontrollerenablesacentralizedcontrolplaneforallthedevicesonthenetwork,whilethedataplaneremainsonthenetworkdevicesastheywillneedtoforwardLayer2andLayer3messages.

ThefollowingdiagramshowstheconceptofanSDNcontrolleractingasthecentralizedcontrolplaneforallthenetworkingdevicesinacorporateenvironment:


Figure15.12–SDNcontroller

TheSDNcontrollercancontrolallthenodes(switches,routers,andsoon)byusingaSouthboundInterface(SBI).TheSDNcontrollerneedstousesometypeofmethodtoactuallymanagethenetworkdevices.Thefollowingisalistoftechnologiesthatthecontrolleruses:

NETCONF

OpenFlow

ACLI

SNMP

OpFlex

TheNorthboundInterface(NBI)onthecontrollerallowsus,thenetworkengineer,toaccessandcontroleverythingonthenetworkusingasinglepaneofglass.Asanetworkengineerornetworkdeveloper,youcanaccesstheNBIusingeitheraGraphicalUserInterface(GUI)orRESTfulAPIs.

ThefollowingshowstheNBIofaCiscoDNACenterinstanceontheCiscoDevNetplatform:


Figure15.13–CiscoDNACenterNBI

IBNisthelatesttechnologythatbuildsontopofSDN,whichallowsallmanualandhardware-centrictasksandoperationstobedesignedintoafullyfledgedautomatedsystemthatissoftware-centric.IBNmakesallthishappenbyusingCiscoDNACenter.WithIBN,youdonotneedtologintoyourroutersorswitchesindividuallytoconfigureAccessControlLists(ACLs)inordertoallowordenytrafficbetweennetworks,orevenmanuallyconfiguretheOSPFroutingprotocolonagroupofrouters.WithCiscoDNACenter,asanetworkdeveloper,youwon'tneedtobeworriedtoomuchabouttheactualCLIconfigurationthatweareaccustomedto.ThisisbecausewejustneedtotellCiscoDNACenterwhatourintentis,anditwillmakeithappen.CiscoDNACenter,thecentralizedbrainofthenetwork,willautomaticallyapplytheconfigurationstoallthedevicestomakeourthoughtsarealityregardinghowwewantthenetworktooperate,hencethetermintent-basednetworking.

IBNconsistsofthefollowingthreefunctions:

Translation:Thisfunctionisusedtogatherinformationaboutthebusinessintentandtranslateitintopolicies.Withthisfeature,anetworkengineerordevelopercantellCiscoDNACentertheirintentionforthenetworkandCiscoDNACenterwilltranslatethisintosupportingpoliciesforthenetwork.

Activation:ThisfunctiontakesthepoliciesitreceivedfromtheTranslationfunction,thencoordinatesthepoliciesandconfiguresthenetworkdevicessuchasswitches,routers,andsoontomeettheintentofthebusiness.


Assurance:Thisfunctionisusedtocontinuouslygatherinsightsaboutthenetwork,whichwillallowCiscoDNACentertomanageandperformanyadjustmentstothenetworkasrequired.

ThefollowingdiagramshowshowthesethreefunctionsallworktogetherinCiscoDNACenter:

Figure15.14–ThethreefunctionsofIBN

WithIBN,thenetworkinfrastructure(includingbothphysicalandvirtualdevices)isknownasthefabric.Thetermfabricisusedtodescribetheentiretopologyofanenterprisenetwork.Thefabriciseverythinginanetwork,suchasthedevices,applications,andtechnologiesusedtoforwardtrafficbetweennetworksanddevices.


Fabric,overlay,andunderlayWithSDNandIBN,theCiscoDNACentercontrollerisnottooconcernedwithhowthenetworkdevicesareinterconnectedortheprotocolstheyareusingtoforwardtrafficthroughthenetwork.InCiscoDNACenter,thecontrollerusesanoverlaytomanagethelogicaltopology.

Theoverlayreducesthenumberofnetworkdevicesanetworkengineermustmanuallyconfigureonthenetwork,andit'salsoresponsiblefortheservicesandhownetworkdevicesforwardtraffic.Toputitsimply,anetworkengineercanspecifytheirintenttoCiscoDNACenter,whichwilltranslateitintopolicies,whicharethenappliedtothedevicesonthenetworkviatheOverlayControlPlanetomakeithappen.

Thefollowingdiagramshowsatypicalphysicalnetworktopologywithouttheoverlay:


Figure15.15–Physicalnetworktopology

Basedonthephysicaltopologyshownintheprecedingdiagram,therearemultiplehopsbetweenPC1andSVR1.IfPC1wantstocommunicatewithSVR1,thetrafficcantakemanypaths.Withanoverlay,atunnelknownasaVirtualExtensibleLAN(VXLAN)isestablishedbetweenbothdevices,soPC1willseeSVR1asasinglehopawayonthenetwork.

ThefollowingdiagramshowstheconceptofaVXLANbeingestablishedbetweenPC1andSVR1overthenetwork:


Figure15.16–VXLANtunnel

WithCiscoDNACenter,thecontrollermakesitseemlikePC1andSVR1areonanetworkthatonlycontainsthosetwodevices.

ImportantNote

YoucanthinkoftheoverlayastheareawheretheencapsulationprotocolsexistbetweenacontrollersuchasaWirelessLANController(WLC)anditsLightweightAccessPoints(LAPs).BetweentheWLCandtheLAPs,there'saControlandProvisioningofWirelessAccessPoints(CAPWAP)tunnelthatallowstheWLCtomanageitsLAPs.

Theunderlayistheactualphysicalnetworkthatprovidesconnectivityfortheoverlay.Thisistypicallythephysicalnetworktopologyandincludestheswitches,routers,servers,firewalls,andsoon.Withintheunderlay,thecontrolplaneisresponsibleforforwardingtrafficbetweendevicesonthetopology.

Withinalargertopologysuchasadatacenter,suchtechnologiesareusedtoimprovetrafficflowbetweenendpointsinthenetwork.Ciscousestheir


ApplicationPolicyInfrastructureController(APIC)tomanageallthenetworkdeviceswithinthedatacenternetwork.

Thefollowingtopologyshowsatypicaldatacenternetworktopology:

Figure15.17–Spine-leaftopology

Thelowerswitches(leaves)areconnectedtotheupperlayerswitches(spines)tocreateafull-meshdesign.Thelowerlayerismadeupofaccessswitchesthatoperateasboththeaccessanddistributionlayers,andeachleafswitchisconnectedtoeveryspineswitch.Thismodel,whichisimplementingaVXLAN,allowsthenetworktoscaleeasilyandtakescareofissuesthatarerelatedtoclouddeployments.

CiscoDNACenter


CiscoDNACenterprovidesyouwiththefollowingfivekeyfunctions:

Design:Thisfunctionallowsyoutocreateanentiremodelofyourintentnetworkwithbuildingsandofficelocations.Youcanalsoincludebothphysicalandvirtualdevices,LANs,WANs,andevencloudtechnologies.

Policy:Policiesallowtheautomationofnetworkmanagement,thushelpingusreducetheoverallcostandriskwhilerollingoutnewservicesquicklyonourenterprisenetwork.

Provision:ThisfeatureenablesCiscoDNACentertoprovidenewnetworkservicesquicklyandefficientlyonthenetwork.Whetherit'sasmallerorlargerenterprisenetwork,CiscoDNACentergetsitdone.

Assurance:ThisfeatureenablesCiscoDNACentertotakeaproactiveapproachtowardmonitoringandgatheringintelligenceonthenetwork.SuchinformationhelpsCiscoDNACenterpredictpotentialnetworkissuesquickly,aswellasensurethepoliciesthatareappliedtotheunderlayarealignedtothebusinessintent.

Platform:ThisfeatureallowsanetworkengineertouseAPIstointeractbetweentheCiscoDNACenterandvendordevices.

Tip

TolearnmoreabouttheCiscoDNACenteruserinterface,pleasebesuretocheckoutthefreeCiscoDNACenteronlinesandboxfromCiscoDevNetathttps://developer.cisco.com/docs/sandbox/#!networking.

WithCiscoDNACenter,youcanimplementIBNwithinyourorganization.As


youhavelearned,withthiscontroller,youcansecurelydeploydevicesonyournetwork.Additionally,withCiscoDNACenter,youcanimplementthefollowingsolutions:

Software-DefinedAccess(SD-Access):WithSD-Access,accesstonetworkresourcesismadeavailablewithinamatterofminutestousersordevices,withoutsecuritybeingaconcern.

Software-DefinedWAN(SD-WAN):Thissolutionallowsorganizationstogainabetteruserexperiencewhenaccessingtheirapplicationsthatarehostedinthecloudorevenlocallyonanon-premisesplatform.

CiscoDNASecurity:Providesanentire360-degreeviewofallreal-timeanalyticsandsecurityintelligenceonthenetwork.Thishelpsreducetheriskofthreatswhileprotectingyourorganization.

CiscoDNAAssurance:Allowsanetworkengineertodeterminethecauseofissuesonthenetworkquicklyandprovidesrecommendedactionstoresolveissues.

Havingcompletedthissection,youhavelearnedaboutIBN,itsoperations,andthecomponentsrequiredtomakeeverythingworktogether.Additionally,youhavediscoveredhowCiscoDNACenterbecomesthebrainbehindalltheoperationsofyournetwork,aswellasthefunctionalitiesitofferstoimproveeverythingonanenterprisenetwork.

SummaryOverthecourseofthischapter,youhavelearnedabouttheneweraofnetworking,whereautomationandprogrammabilitycangreatlyhelpnetwork


engineersimprovethetimetheyspendondeploymentandconfigurationwhilereducingtheneedtomanuallyperformrepetitivetasksintheirdailyjob.Additionally,youhavegainedtheskillstounderstandvariousdataformatssuchasXML,JSON,andYAML,aswellashowtheyareusedtorequestdatafromasystemviaAPIs.

Furthermore,youhavelearnedaboutthefunctionsofvarioustypesofAPIsandthecomponentsofRESTfulAPIs.YoulearnedaboutthecharacteristicsofconfigurationmanagementtoolssuchasAnsible,Chef,andPuppetandtheroletheyplaytoassistusinnetworkautomation.Then,wecoveredhowIBNandCiscoDNACentercanbeusedtohelpusfullyautomateourenterprisenetworkusingacontroller-basedmodel.

Lastly,IknowthejourneyofpreparingfortheCiscoCertifiedNetworkAssociate(CCNA)200-301examinationisn'taneasyoneandthattherearemanychallengesalongtheroadtosuccess.Iwouldpersonallyliketothankyouverymuchforyoursupportbypurchasingacopyofmybook,andcongratulationsonmakingittoendwhileacquiringalltheseamazingnewskillsbylearningaboutnetworkengineering.IdohopeeverythingyouhavelearnedinthisbookhasbeeninformativeandishelpfulinyourjourneytowardlearninghowtoimplementandadministerCiscosolutions,aswellaspreparefortheCCNA200-301certification.

QuestionsThefollowingisashortlistofreviewquestionstohelpreinforceyourlearningandallowyoutoidentifyareasthatrequiresomeimprovement:

1. Whichdataformatiscommonlyusedtocreatewebpages?


A.JSON

B.XML

C.HTML

D.YAML

2. WhichdatatypeissimilartoHTML?

A.JSON

B.XML

C.YAML

D.Python

3. Whichdatatypeisthesimplesttoreadandunderstand?

A.JSON

B.XML

C.YAML

D.Python

4. WhenusingYAML,whichsyntaxisusedtorepresentalistofitems?

A.{}

B.[]


C.()

D.-

5. WhileusingJSON,whichsyntaxisusedtorepresentalistofitems?

A.{}

B.[]

C.()

D.-

6. WhichtypeofAPIallowsavendortoaccessdatawithinanorganization'ssystem?

A.Partner

B.Open

C.Public

D.Internal

7. WhichRESTfulAPIoperationisequivalenttoanHTTPPOSTmessage?

A.PUT

B.Update

C.Request


D.Create

8. WhichcomponentofaURIidentifiesaspecificareaonawebpage?

A.Path

B.Filename

C.Hostname

D.Fragment

9. Whichconfigurationmanagementtoolusesapushfunction?

A.Ansible

B.Chef

C.Python

D.Puppet

10. WhichfunctionofCiscoDNACenterisresponsibleforconfiguringthenetworkdeviceswiththeintentionofthenetworkengineer?

A.Translation

B.Activation

C.Assurance

D.Policy



AnsibleIOSmodules:https://docs.ansible.com/ansible/latest/modules/list_of_network_modules.html#ios

CiscoDNACenterSolution:https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-dna-center-so-cte-en.html?oid=sowen000306

LearnJSON:https://www.w3schools.com/js/js_json_intro.asp

YAMLbasics:https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html


https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-dna-center-so-cte-en.html?oid=sowen000306

https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-dna-center-so-cte-en.html?oid=sowen000306

https://www.w3schools.com/js/js_json_intro.asp

https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html

https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html

Chapter16:MockExam1

Questions1. Whichofthefollowingnetworkprotocolsareimplementedinallmodern-

daydevices?

A.OSIModel

B.TCP/IP

C.AppleTalk

D.IPX

2. Whichtechnologywouldyouusetoextendabranchofficenetworktoanotherlocationmanymilesaway?

A.Switch

B.WLAN

C.Router

D.WAN

3. OnwhichlayerofTCP/IPdoesasegmentexist?

A.Transport

B.DataLink


C.Application

D.Network

4. WhichlayerofTCP/IPisresponsiblefordataformatting?

A.Application

B.Presentation

C.Transport

D.Network

5. WhereistheoperatingsystemlocatedonaCiscorouter?

A.NVRAM

B.HDD

C.Flash

D.SSD

6. WhatisthedefaultmethodtoaccessanewCiscoswitch?

A.VTY

B.Console

C.AUX

D.ManagementIPaddress


7. AnIPv4addressismadeupofhowmanybits?

A.28

B.30

C.48

D.32

8. YouhaveinterconnectedmanyAccessPoints(APs)ontothesamecorporateLAN.Thistypeofwirelessnetworkisknownaswhichofthefollowing?

A.BSS

B.ESS

C.SSID

D.WLAN

9. WhichcommandisusedtocreateaVLAN?

A.vlan10

B.vlansales

C.vlannumber10

D.vlannamesales

10. WhereareVLANsstoredonaswitch?


A.Flash

B.startup-config

C.running-config

D.vlan.dat

11. Packetsthatarediscardedbecausetheyarelessthan64bytesinsizeandaresmallerthantheminimumpacketsizearereferredtoaswhichofthefollowing?

A.CRC

B.Runts

C.Collision

D.Giants

12. WhichisthedefaultpriorityvaluefoundwithinaBPDUmessage?

A.4096

B.32767

C.32769

D.32768

13. WhichofthefollowingisaportroleonlyinRapid-PVST+?

A.Listening


B.Blocking

C.Discarding

D.Forwarding

14. TheSpanning-TreeProtocolisdefinedbywhichofthefollowingframeworks?

A.IEEE802.1D

B.IEEE802.1Q

C.IEEE802.1X

D.IEEE802.11

15. WhichcommandallowsyoutoviewtheMACaddressofaswitch?

A.showversion



D.showdevicemac

16. Iffaultpacketsenteraswitchinterface,whichcounterwillincreasetoinformthedeviceadministrator?

A.Giants

B.Inputerrors


C.CRC

D.Collision

17. Whichnetworktoolcanbeusedtotestend-to-endconnectivity?

A.nbtstat

B.netstat

C.traceroute

D.ping

18. Whichcommandallowsyoutoseeallroutesonarouter?

A.showipprotocols

B.showroute

C.showiproute

D.showroutingtable

19. WhichcommandisneededtoenableIPv6routing?

A.ipv6unicast-routing

B.ipv6routeenable

C.enableipv6route

D.enableipv6unicast-routing


20. WhichcommandallowsyoutocreateadefaultroutetoanISProuterthathasanIPaddressof192.0.2.1?

A.ipv4route0.0.0.00.0.0.0192.0.2.1

B.iproute0.0.0.00.0.0.0192.0.2.1

C.route0.0.0.00.0.0.0.0192.0.2.1

D.iproute0.0.0.0/0192.0.2.1

21. ThedefaultadministrativedistanceofOSPFiswhichofthefollowing?

A.90

B.120

C.110

D.170

22. Whichcommandallowsyoutoviewthelink-statedatabaseofOSPF?

A.showipospfneighbor

B.showipospf

C.showipospfneighbordetail

D.showipospfdatabase

23. WhatisthedefaultHellotimeronanOSPF-enabledinterface?


A.10

B.5

C.40

D.15

24. WhichcommandallowsyoutoverifytheHelloandDeadtimersonOSPF?

A.showipospfdatabase

B.showipospfneighbor

C.showipprotocols

D.showipospfinterface

25. YouwanttocreateaStaticNATmapbetweenaninternalcomputerwithanIPaddressof192.168.1.10andtheedgerouterhasapublicIPof

192.0.2.10.Whichofthefollowingcommandswillyouusetocreate

theStaticNATmap?

A.ipnatinsidesourcestatic192.0.2.10192.168.1.10

B.ipnatinsidesourcestatic192.168.1.10192.0.2.10

C.ipnatinsidesource192.0.2.10192.168.1.10


D.ipnatinsidestatic192.168.1.10192.0.2.10

26. AnorganizationhasasinglepublicIPaddressandmanycomputersthatrequireinternetconnectivity.WhichtypeofNATisrecommendedtoallowtheinternaldevicestoconnecttotheinternet?

A.DynamicNAT

B.StaticNAT

C.PortAddressTranslation

D.PATwithStaticNAT

27. WhichcommandallowsyoutoverifyrecentNATtranslationsonarouter?

A.showipnat


C.shownattranslations

D.showipnattranslations

28. WhichcommandallowsyoutodeterminewhetherStaticNAT,DynamicNAT,orPATisbeingusedonarouter?

A.shownat


C.shownattranslations


D.showipnattranslations

29. You'reanetworkadministratorforalargeorganizationandyouareassignedatasktoconfigurethetimeonalldeviceswithinthecompany.Whichofthefollowingmethodsisthemostefficienttocompletethistask?

A.ConfigureanNTPServeronthenetworkandconfigureallotherdevicesasNTPclientstosynchronizetime.

B.ConfigurethetimeoneachdevicewithinthenetworkandensureNTPisturnedon.

C.ConfiguretheedgerouterasanNTPclientonlyandallotherdeviceswillsynchronizetheirtimewiththerouter.

D.Alloftheabove.

30. Thedevicethathasthemostaccuratetimewithinanetworkisknownaswhichofthefollowing?

A.PublicNTPserver

B.Stratum1

C.Stratum0

D.NTPserver

31. WhichcommandisusedtorelayDHCPmessagesbetweenmachinesonanIPnetwork?


A.ipdhcphelper

B.iphelper-dhcp

C.ipdhcphelper-address

D.iphelper-address

32. WhichapplicationlayerprotocolisusedtoresolveahostnametoanIPaddress?

A.ARP

B.DNS

C.DHCP

D.ICMP

33. WhichcommandisusedtoenablesequencenumbersinSyslogmessages?

A.servicetimestamps

B.enableservice-sequence

C.enableservicesequence-numbers

D.servicesequence-numbers

34. Whichnetworkprotocolallowsyoutoperformmonitoringonallofyournetworkingdevices?

A.SNMP


B.Syslog

C.SolarWinds

D.MIB

35. Whichtypeofthreatactorusestheirhackingskillstoperformmaliciousactionstoserveasocialorpoliticalagenda?

A.Scriptkiddie

B.Hacktivist

C.Greyhathacker

D.Blackhathacker

36. Anobjectthattakesadvantageofasecurityweaknessonasystemisknownaswhichofthefollowing?

A.Vulnerability

B.Threat

C.Exploit

D.Hacker

37. Whichtypeofmalwareholdsyourdatahostageandasksforaransomtoreleasethedatabacktothevictim?

A.Worm


B.Crypto-malware

C.Trojan

D.Ransomware

38. WhichofthefollowingAAAserversiscompatiblewithmixedvendordevices?

A.RADIUS

B.AAA

C.TACACS+

D.ASA

39. WhichcommandisusedtoacceptonlySSHinboundtrafficonanetworkdevice?

A.transportssh

B.transportinputssh

C.transportinputall

D.transportacceptssh

40. Whichistherecommendedcommandtocreateasecurepasswordtopreventaccesstoprivilegemode?

A.enablepasswordcisco123


B.enablepasswordsecretcisco123

C.enablesecretcisco123

D.enablesecretpasswordcisco123

41. Whichcommandisusedtoencryptallplaintextpasswordsautomatically?

A.servicepassword-secret

B.serviceenable-password

C.serviceencryption-password

D.servicepassword-encryption

42. Whichsecuritymechanismcanbeusedtopreventanattackerfromfloodingbogusframesintoaswitch?

A.DHCPsnooping

B.IPsourceguard

C.Portsecurity

D.DynamicARPinspection

43. Anattackerisattemptingtoflipaninterfaceonaswitchintoatrunkport.Whatcanthenetworkengineerdotopreventsuchanattack?

A.switchportmodetrunk



C.switchportnonegotiate

D.switchportport-security

44. Whichofthefollowingistruewhenportsecurityisenabledonaninterface?

A.MACaddressesareautomaticallystoredintherunning-config.

B.ThedefaultviolationmodeisRestrict.

C.Stickyisenabled.

D.Stickyisdisabled.

45. WhichwirelesssecuritystandardusestheAdvancedEncryptionStandard(AES)fordataencryption?

A.WPA

B.WPA2

C.WPA3

D.WEP

46. Whichdataformatwasdesignedfortransportingdataratherthanitspresentation?

A.XML

B.YAML


C.JSON

D.HTML

47. WhichsyntaxdoesJSONusetoholdanobject?

A.()

B.[]

C.{}

D.-

48. WhichofthefollowingsyntaxisusedtorepresentalistofitemsinYAML?

A.()

B.-

C.{}

D.[]

49. WhichRESTfuloperationisusedtorequestdataonaserver?

A.GET

B.Create

C.Update


D.Request

50. UsingYAML,instructionsarecreatedinwhichofthefollowing?

A.JSON

B.Cookbook

C.Playbook

D.Manifest


Chapter17:MockExam2

Questions1. Apacketcontainswhichofthefollowinginitsheader?

A.IPaddress

B.MACaddress

C.Portnumbers

D.CRC

2. Aswitchuseswhichofthefollowingtomakeitsforwardingdecision?

A.SourceIPaddress

B.DestinationMACaddress

C.SourceMACaddress

D.DestinationMACaddress

3. Whichtransportlayerprotocoldoesnotprovideanyreassuranceofamessagebeingsentbetweenasourceanddestination?

A.TCP

B.IP


C.ICMP

D.UDP

4. WhatisthesizeofaMACaddress?

A.128bits

B.40bits

C.48bits

D.32bits

5. AnetworkengineerwantstoverifytheMACaddressonaWindowscomputer.Whichcommandcanthenetworkengineerusetoobtainsuchinformation?

A.ipconfig

B.ipconfig/all

C.ifconfig

D.netstat

6. WhenaswitchlearnsaboutaMACaddress,wheredoestheswitchstorethenewlylearnedMACaddresses?

A.Running-config

B.Flash


C.RAM

D.CAM

7. Whichdeviceisprimarilyusedtofiltermalicioustrafficbetweennetworks?

A.Router

B.Switch

C.IPS

D.Firewall

8. AnetworkengineerhasdeployedmultipleAccessPoints(APs)atvariousbranchesofanorganization.Whichnetworkcomponentwillhelpthenetworkengineertomanageallthedevices?

A.WirelessLANcontroller

B.ImplementeachAPinautonomousmode

C.Useaconsolecable

D.SetupremoteaccessusingSSH

9. IntheCisco2-Tierarchitecture,theCollapsedCorelayerismadeupofwhichofthefollowinglayers(choosetwo)?

A.Access

B.Distribution


C.Core

D.Routers

10. Whereisthestartup-configfilelocatedonaCiscoIOSrouter?

A.TFTP

B.HDD

C.RAM

D.NVRAM

11. AnetworkengineerhasjustreceivedanewCiscorouter.Whichistheprimarymethodusedtoaccessthedevice?

A.GUI

B.Console

C.AUX

D.VTY

12. WhichcommandwillshowyouasummaryofalltheinterfacesonaCiscodeviceandtheirstatuses?

A.showipinterface

B.showinterfacebrief

C.showipinterfacebrief


D.showinterfaceipbrief

13. WhichofthefollowingsyntaxesallowsyoutoconfigureabanneronaCiscoIOSdevice?

A.bannermotd%KeepOut%

B.banner%KeepOut%

C.bannermotd%KeepOut

D.bannermotd%KeepOut&

14. Whichcommandcanyouusetoverifyhowlongaswitchhasbeenpoweredon?

A.showrouter

B.showclock

C.showstatus

D.showversion

15. WhichofthefollowingIPaddressisnotroutableontheinternet?

A.172.33.1.4

B.172.32.1.3

C.172.31.1.23

D.172.15.1.5


16. AnIPv4addresscontainsatotalofhowmanybits?

A.8

B.32

C.48

D.128

17. WhatisthenumberofusableIPaddressesinthenetwork172.16.1.0/28?

A.14

B.16

C.254

D.65,534

18. WhichofthefollowingIPaddressesbelongstothenetwork192.168.1.64/27(choosetwo)?

A.192.168.1.97

B.192.168.1.80

C.192.168.1.126

D.192.168.1.94

19. WhichofthefollowingIPv4addressesisassignedtoadevice


automaticallywhenaDHCPserverisnotpresentonthenetwork?

A.169.254.1.5

B.168.254.1.5

C.192.168.1.5

D.10.10.1.5

20. WhichIPv6addressisusedwhendevicesarecommunicatingonthesamelocalareanetwork?

A.Uniquelocal

B.Globalunicast

C.Link-local

D.Anycast

21. WhichofthefollowingcommandsisusedtoenableIPv6routingonaCiscoIOSrouter?

A.ipv6routing

B.ipv6enable

C.enableipv6routing

D.ipv6unicast-routing

22. WhichAccessPoint(AP)modehasthecapabilitytoswitchtraffic


betweenanSSIDandavirtualLAN(VLAN)iftheCAPWAPtunnelisdown?

A.Bridge

B.FlexConnect

C.Local

D.Flex+Bridge

23. Whichtypeofhypervisorisinstalleddirectlyontopofthehardwareofasystem?

A.VirtualBox

B.Type2

C.Type1

D.Type0

24. Whichtypeofcloudserviceprovidestheuserwithonlytheapplication'suserinterface?

A.SaaS

B.PaaS

C.IaaS

D.Private


25. Whichtypeofclouddeliverymodelcloudinfrastructureisownedbyanotherorganizationthatrentspartofortheentiredatacentertoothers?

A.Community

B.IaaS

C.Public

D.Private

26. Whenaframeentersaswitchinterface,whichofthefollowingtagsisinsertedintothemessage?

A.IEEE802.1X

B.IEEE802.1w

C.IEEE802.1D

D.IEEE802.1Q

27. Bydefault,howmanyVLANsexistonaCiscoIOSswitch?

A.1

B.5

C.0

D.2

28. VLANsthatbelongtotheextendedrangearestoredwhere?


A.startup-config

B.NVRAM

C.running-config

D.vlan.dat

29. Whichofthefollowingcommandswillallowyoutoconfigureaninterfacetobeanaccessport?

A.switchportmodeaccess

B.switchportaccessport

C.switchportmodeaccessenable

D.switchportenableaccess

30. WhichofthefollowingcommandsallowsyoutoassignaVLANtoanaccessport?

A.switchportmodeaccessvlan10

B.switchportvlan10

C.switchportaccessvlan10

D.switchportaccessmodevlan10

31. WhichofthefollowingcommandsallowsyoutoconfigureanativeVLANonatrunk?


A.switchporttrunkallowedvlan99

B.switchporttrunkvlan99

C.switchportnativevlan99

D.switchporttrunknativevlan99

32. Whichofthefollowingisthedefaultoperatingmodeofaswitch'sinterface?

A.Access

B.Trunk

C.Dynamicdesirable

D.Dynamicauto

33. Whichcommandisusedtodisablethetrunkingnegotiationfeatureonaswitchinterface?

A.switchportmodetrunk


C.switchportnonegotiate

D.noswitchportnonegotiate

34. Whenconfiguringinter-VLANrouting,whichcommandisusedtoassociateVLAN10withasub-interface?


A.encapsulation802.1qvlan10

B.encapsulationdot1q10

C.encapsulationvlan10

D.encapsulationdot1qvlan10

35. WhichcommandallowsyoutoviewasummaryofalltheVLANsonaswitchandtheirassociatedinterfaces?

A.showrunning-config

B.showinterfacevlanbrief

C.showvlaninterfacebrief

D.showvlanbrief

36. Whichcommandwillallowyoutoviewasummaryofthetrunkinterfacesonaswitch?

A.showinterfacestrunk

B.showtrunks

C.showtrunkinterface

D.showipinterface

37. WhichcommandisusedtodisableCDPentirelyonaswitch?

A.nocdp


B.nocdpenable

C.nocdprun

D.noenablecdp

38. WhichCDPcommandwillallowyoutoobtaintheIPaddressofadirectlyconnectedLayer3device?

A.showcdpinterface

B.showcdpneighbors

C.showcdp

D.showcdpneighborsdetail

39. WhichofthefollowingcommandsisusedtoenableLLDPonaCiscodevice?

A.lldpenable

B.lldprun

C.enablelldp

D.Noneoftheabove

40. WhichofthefollowingisaninterfaceoperatingmodeforLACP?

A.Active

B.Auto


C.Desirable

D.Enable

41. Whichcommandallowsyoutoverifywhetheraninterfaceisexperiencinganyphysicalissues?

A.showinterfacestatus

B.showipinterface

C.showinterfaces

D.showversion

42. Packetsthatarediscardedbecausetheyexceedthemaximumpacketsizeareknownas?

A.Collisions

B.Runts

C.Outputerrors

D.Giants

43. Whichofthefollowingstandards/frameworksaredesignedtopreventloopsonaLayer2network?

A.IEEE802.1Q

B.IEEE802.1D


C.IEEE802.1w

D.IEEE802.3

44. ABPDUcontainswhichofthefollowingcomponents(choose3)?

A.ExtendedSystemID

B.Priority

C.BridgeID

D.MACaddress

E.Hostname

F.InterfaceID

45. Bydefault,eachswitchuseswhichofthefollowingdefaultpriorities?

A.32768

B.32769

C.4096

D.0

46. WhichversionofSpanning-TreeisenabledbydefaultonaCiscoswitch?

A.STP

B.RSTP


C.PVST+

D.Rapid-PVST+

47. WhichofthefollowingportrolesdoesnotexistinPVST+?

A.Listening

B.Forwarding

C.Learning

D.Discarding

48. WhichcommandallowsyoutoenableRapid-PVST+?

A.spanning-treeenablerapid-pvst

B.spanning-treemoderapid-pvst

C.spanning-treerapid-pvstenable

D.enablerapid-pvst

49. WhichofthefollowingcommandscananetworkengineerusetoensureaswitchiselectedasaRootBridgeonVLAN20?

A.spanning-treevlan20priority4096

B.spanning-treevlan20priority8192

C.spanning-treevlan20priority4095


D.spanning-treevlan20priority8193

50. WhichcommandwhenappliedtoaninterfacepreventsBPDUsfromentering?

A.enablespanning-treebpduguard

B.spanning-treeenablebpduguard

C.spanning-treebpduguardenable

D.spanning-treebpduguard

51. WhichfactordoesaCiscorouterusetodeterminethemostsuitableroutetoadestination?

A.Numberofhops

B.Administrativedistance

C.Bandwidth

D.Metric

52. Whichofthefollowingroutingprotocolsuseshopcountasitsmetric?

A.EIGRP

B.OSPF

C.BGP

D.RIP


53. Astaticroutehasadefaultadministrativedistanceof…?

A.1

B.0

C.90

D.5

54. WhatisthedefaultdeadtimeronOSPF?

A.15

B.180

C.40

D.120

55. Whichcommandallowsyoutoverifytheprocess-IDofOSPF?

A.showipospfinterfacesummary

B.showipprotocols

C.showipinterface

D.showipospfinterface

56. WhichcommandallowsyoutoverifytheOSPFprocess-IDonarouter?

A.showiprouteospf


B.showipprotocols

C.showospf

D.Noneoftheabove

57. Youwanttoadvertisethenetwork192.168.1.0/24usingOSPF.

Whichofthefollowingcommandswillyouuse?

A.network192.168.1.0255.255.255.0

B.network192.168.1.00.0.0.255

C.network192.168.1.0255.255.255.0area0

D.network192.168.1.00.0.0.255area0

58. YouwanttopreventOSPFmessagesfromeitherenteringorleavingaspecificinterfaceonarouter.Whichcommandwillyouuseontherouter?

A.passive-interface

B.enablepassive-interface

C.passive-interfaceenable

D.passive-interfacedefault

59. HSRPv2useswhichofthefollowingmulticastaddressestoexchangemessageswithotherHSRP-enableddevicesonthenetwork?

A.224.0.0.10


B.224.0.0.5

C.224.0.0.2

D.224.0.0.102

60. WhichofthefollowingcommandsisusedtoverifytheHSRPstatusbetweenCiscodevices?

A.showactive

B.showglbp

C.showstandby

D.showhsrp

61. WhichofthefollowingfirsthopredundancyprotocolsisnotaCiscoproprietaryprotocol?

A.GLBP

B.VRRP

C.HSRP

D.Alloftheabove

62. WhichtypeofNATallowsanorganizationtomapmultipleprivateIPaddressesontoasinglepublicaddress?

A.Portforwarding


B.StaticNAT

C.DynamicNAT

D.PAT

63. WhichofthefollowingisusedtocreateastaticNATmapwiththeinsideaddress192.168.1.10andtheoutsideaddress192.0.2.10?

A.ipnatinsidesourcestatic192.168.1.10192.0.2.10

B.ipnatoutsidesourcestatic192.168.1.10192.0.2.10

C.ipnatinsidesourcestatic192.0.2.10192.168.1.10

D.ipnatoutsidesourcestatic192.0.2.10192.168.1.10

64. WhichofthefollowingcommandswillallowyoutoseeNATtranslationsonarouter?

A.showipnatstatistics

B.shownattranslations

C.showipnattranslations

D.shownatstatistics


65. Whichofthefollowingprotocolsallowsyoutoensuretimeissynchronizedonanetwork?

A.DNS

B.ICMP

C.CDP

D.NTP

66. WhichofthefollowingportsdoesaDHCPserveruse?

A.67

B.68

C.53

D.69

67. WhichcommandallowsyoutoconfigureadefaultgatewayaspartofaDHCPpoolonaCiscoIOSrouter?

A.default-gateway

B.default-router

C.ipdefault-gateway

D.ipdefault-router

68. WhichDNSrecordisresponsibleforresolvinganIPaddresstoa


hostname?

A.NS

B.SVR

C.PTR

D.A

69. InSyslog,aseveritynameofErrorhaswhichofthefollowingseveritylevels?

A.1

B.2

C.3

D.4

70. AnSNMPmanageruseswhichofthefollowingmessagestoretrieveinformationaboutanetworkdevice?

A.Retrieve

B.TRAP

C.SET

D.GET

71. Anythingwiththemotivationtocauseharmordamagetoaperson,


system,ornetworkisknownasawhat?

A.Risk

B.Threat

C.Vulnerability

D.Exploit

72. Whichtypeofcyber-attackisfocusedontrickinghigh-profileemployeesofanorganizationintorevealingconfidentialinformation?

A.Whaling

B.Spear-phishing

C.Pharming

D.Vishing

73. WhichofthefollowingcommandsisusedtoenableAAAonaCiscoIOSrouter?

A.enableaaa-model

B.enableaaanew-model

C.aaanew-model

D.enableaaa

74. WhichcommandensurestherouteracceptsonlySSHinbound


connections?

A.transportssh

B.transportonlyssh

C.transportsshinput

D.transportinputssh

75. WhichtypeofACLwouldyouusetofilterTelnettraffic?

A.StandardACL

B.InboundACL

C.ExtendedACL

D.OutboundACL

76. WhichofthefollowingcommandswillallowyoutoassignanACLonyourremoteaccesslines?

A.ipaccess-group

B.access-class

C.access-group

D.ipaccess-class

77. WhichofthefollowingcommandswillallowyoutoassignanACLonaninterface?


A.ipaccess-group

B.access-class

C.access-group

D.ipaccess-class

78. Whichtypeofsecurityappliancecanbeimplementedtopreventmaliciousemailsfromenteringyourorganizations?

A.Anti-virus

B.IPS

C.Firewall

D.ESA

79. Anattackerisattemptingtoinjectbogusframesintoaswitch.Whichtypeofattackisthethreatactortryingtoperform?

A.Bufferoverflow

B.CAMtableoverflow

C.Packetinjection

D.DoS

80. WhichsecuritymechanismcanbeimplementedtopreventaDHCPstarvationattack?


A.switchportport-security

B.DAI

C.DHCPsnooping

D.Shuttingdowntheinterface

81. WhichofthefollowingcommandsisusedtoautomaticallylearnandstorethesourceMACaddressonaninterfaceontoRAM?

A.switchportport-securitymac-addresssticky

B.switchportport-securitysticky

C.port-securitymac-addresssticky

D.switchportmac-addresssticky

82. Whichofthefollowingisthedefaultviolationmodeforportsecurity?

A.Shutdown

B.Protect

C.Restrict

D.Administrativelydown

83. WhichofthefollowingcommandsisusedtoenableDHCPsnoopingonaswitch?

A.dhcpsnooping


B.enableipdhcpsnooping

C.ipdhcpsnooping

D.enabledhcpsnooping

84. DynamicARPinspectionisdependentonwhichofthefollowingcomponents?

A.Portsecurity

B.ThecontentsoftheCAMtable

C.TheARPcacheonthelocalswitch

D.TheDHCPsnoopingbindingtable

85. WhichofthefollowingwirelesssecuritystandardsusesTKIPforitsdataencryption?

A.WPA2

B.WPA

C.WEP

D.WPA3

86. Whichofthefollowingdataformatsisthesimplesttoreadandunderstand?

A.JSON


B.YAML

C.HTML

D.XML

87. WhichofthefollowingattributesisusedtodescribeaRESTfulAPI?

A.Stateful

B.Stateless

C.Non-cacheable

D.Easytoread

88. Whichofthefollowingconfigurationmanagementtoolsrequiresanagenttobeinstalledontheclientdevice?

A.Python

B.Ansible

C.Chef

D.Puppet

89. Whichofthefollowingarefunctionsofintent-basednetworking(choosetwo)?

A.Translation

B.Design


C.Activation

D.Policy

90. Withinadatacenter,whichcomponentisusedtomanageallthenetworkingdevices?

A.APIC

B.CiscoDNA

C.Ansible

D.Ciscocloud


Assessments


Chapter1Thefollowingaretheanswerstothereviewquestions:

1. B

2. D

3. C

4. B

5. B

6. B

7. A

8. C

9. D

10. B



1. D

2. C

3. A

4. B

5. D

6. C



1. D

2. C

3. A

4. B

5. D

6. A

7. B

8. C

9. D

10. B

11. C

12. B

13. AD

14. C



1. B

2. D

3. C

4. A

5. B

6. B

7. D

8. C

9. A

10. D



1. A

2. D

3. B

4. A

5. C

6. D



1. A

2. A

3. B

4. D

5. B,C

6. B–False

7. B–False

8. D

9. D

10. C



1. B

2. D

3. C

4. B

5. A

6. C

7. D

8. B

9. D

10. A



1. C

2. A

3. D

4. BandD

5. D

6. B

7. A

8. C

9. B

10. C



1. C

2. D

3. A

4. B

5. C

6. D

7. D

8. B

9. A

10. B



1. B

2. C

3. D

4. A

5. C

6. D

7. B

8. A

9. C

10. D



1. C

2. A

3. C

4. B

5. D

6. A

7. B

8. C

9. D

10. A


Chapter13Thefollowingaretheanswerstotheprecedingpracticequestions:

1. D

2. B

3. C

4. A

5. D

6. C

7. A

8. B

9. C

10. A



1. B

2. D

3. B

4. C

5. A

6. D

7. C

8. B

9. D

10. A



1. C

2. B

3. C

4. D

5. B

6. A

7. D

8. D

9. A

10. B


Chapter16–MockExam1ThefollowingaretheanswerstothequestionsfromMockExam1:

1. B

2. D

3. A

4. A

5. C

6. B

7. D

8. B

9. A

10. D

11. B

12. D

13. C

14. A


15. A

16. B

17. D

18. C

19. A

20. B

21. C

22. D

23. A

24. D

25. B

26. C

27. D

28. B

29. A

30. C

31. D


32. B

33. D

34. A

35. B

36. C

37. D

38. A

39. B

40. C

41. D

42. C

43. C

44. D

45. B

46. A

47. C

48. B


49. D

50. C


Chapter17–MockExam2ThefollowingaretheanswerstothequestionsfromMockExam2:

1. A

2. B

3. D

4. C

5. B

6. D

7. D

8. A

9. B,C

10. D

11. B

12. C

13. A

14. D


15. C

16. B

17. A

18. B,D

19. A

20. C

21. D

22. B

23. C

24. A

25. C

26. D

27. B

28. C

29. A

30. C

31. D


32. D

33. C

34. B

35. D

36. A

37. C

38. D

39. B

40. A

41. C

42. D

43. B

44. A,C,D

45. A

46. C

47. D

48. B


49. A

50. C

51. B

52. D

53. A

54. C

55. B

56. B

57. D

58. A

59. D

60. C

61. B

62. D

63. A

64. C

65. D


66. A

67. B

68. C

69. C

70. D

71. B

72. A

73. C

74. D

75. C

76. B

77. A

78. D

79. B

80. C

81. A

82. A


83. C

84. D

85. B

86. B

87. B

88. C

89. A,C

90. A


OtherBooksYouMayEnjoyIfyouenjoyedthisbook,youmaybeinterestedintheseotherbooksbyPackt:

LearnWireshark

LisaBock

ISBN:978-1-78913-450-6

BecomefamiliarwiththeWiresharkinterface

Navigatecommonlyaccessedmenuoptionssuchasedit,view,andfile

Usedisplayandcapturefilterstoexaminetraffic

UnderstandtheOpenSystemsInterconnection(OSI)model


https://www.packtpub.com/product/learn-wireshark/9781789134506

CarryoutdeeppacketanalysisoftheInternetsuite:IP,TCP,UDP,ARP,andICMP

Explorewaystotroubleshootnetworklatencyissues

Subsettraffic,insertcomments,save,export,andsharepacketcaptures

NetworkAutomationCookbook

KarimOkasha

ISBN:978-1-78995-648-1

UnderstandthevariouscomponentsofAnsible

AutomatenetworkresourcesinAWS,GCP,andAzurecloudsolutions

UseIaCconceptstodesignandbuildnetworksolutions

AutomatenetworkdevicessuchasCisco,Juniper,Arista,andF5


https://www.packtpub.com/product/network-automation-cookbook/9781789956481

UseNetBoxtobuildnetworkinventoryandintegrateitwithAnsible

ValidatenetworksusingAnsibleandBatfish

Leaveareview-letotherreadersknowwhatyouthinkPleaseshareyourthoughtsonthisbookwithothersbyleavingareviewonthesitethatyouboughtitfrom.IfyoupurchasedthebookfromAmazon,pleaseleaveusanhonestreviewonthisbook'sAmazonpage.Thisisvitalsothatotherpotentialreaderscanseeanduseyourunbiasedopiniontomakepurchasingdecisions,wecanunderstandwhatourcustomersthinkaboutourproducts,andourauthorscanseeyourfeedbackonthetitlethattheyhaveworkedwithPackttocreate.Itwillonlytakeafewminutesofyourtime,butisvaluabletootherpotentialcustomers,ourauthors,andPackt.Thankyou!


Contents1. ImplementingandAdministeringCiscoSolutions:200-301CCNAExamGuide2. Whysubscribe?3. Contributors4. Abouttheauthor5. Aboutthereviewers6. Packtissearchingforauthorslikeyou7. Preface

1. Whothisbookisfor2. Whatthisbookcovers3. Togetthemostoutofthisbook4. Downloadtheexamplecodefiles5. CodeinAction6. Downloadthecolorimages7. Conventionsused8. Disclaimer9. Getintouch10. Reviews

8. Section1:NetworkFundamentals9. Chapter1:IntroductiontoNetworking

1. Understandingtheevolutionofnetworkingandtheinternet2. Understandingnetworksizes–SOHO,LAN,andWAN3. Learningaboutnetworkprotocolsuites

1. OSIreferencemodel2. UnderstandingtheTCP/IPprotocolsuite

4. Understandingthefunctionsofnetworkdevices1. Hubs2. Layer2switches3. Layer3switches4. Routers5. Next-generationfirewallsandIPS6. AccessPoints7. CiscoWirelessLANController(WLC)8. Endpointsandservers9. CiscoDNA

5. Networktopologyarchitectures1. 2Tier2. 3Tier

6. Summary7. Furtherreading

10. Chapter2:GettingStartedwithCiscoIOSDevices1. Technicalrequirements2. BuildingaCiscolabenvironment

1. CiscoPacketTracer2. VirtualCCNALab3. Physicallabs

3. GettingstartedwithCiscoIOSdevices1. Bootprocess

4. AccessingaCiscoIOSdevice5. ConfiguringtheCiscoIOS

1. SettingupasmallCisconetwork6. Performingtroubleshootingprocedures7. Summary8. Questions9. Furtherreading

11. Chapter3:IPAddressingandSubnetting1. Technicalrequirements2. TheneedforIPaddressing3. CharacteristicsofIPv4

1. CompositionofanIPv4packet2. Convertingbinaryintodecimal


3. Convertingdecimalintobinary4. Transmissiontypes

4. ClassesofIPv4addresses1. PublicIPv4addressspace2. PrivateIPv4addressspace

5. SpecialIPv4addresses1. Loopbackaddress2. Test-Net3. LinkLocal

6. Subnetmask1. Networkprefix2. IdentifyingtheNetworkID

7. Subnetting1. Step1–DeterminingtheappropriateIPaddress2. Step2–Creatingnewsubnets(subnetworks)3. Step3–Assigningsubnetstoeachnetwork4. Step4–PerformingVariable-LengthSubnetMasking(VLSM)

8. IPv61. TypesofIPv6addresses

9. Lab–ConfiguringIPv6onaCiscoIOSrouter10. Lab–ConfiguringIPv6onaWindowscomputer11. Testingend-to-endconnectivity12. Summary13. Furtherreading

12. Chapter4:DetectingPhysicalIssues,WirelessArchitectures,andVirtualization1. Technicalrequirements2. Understandingnetworkswitchfunctions

1. Detectingphysicalissues2. Wirelesstechnologies3. 2.4GHzversus5GHz4. Wirelessbands5. SSID,BSSID,andESS

3. Ciscowirelessarchitectures1. Autonomous2. Cloud-based3. Split-MAC

4. APmodes5. Wirelesscomponentsandmanagement

1. Lab–accessingaCiscoWLCGUI2. Lab–configuringawirelessnetworkusingaCiscoWLC

6. Virtualizationfundamentals1. Type1hypervisor2. Type2hypervisor

7. Cloudcomputing1. Cloudservices2. SaaS3. PaaS4. IaaS5. Clouddeliverymodels

8. Summary9. Questions10. Furtherreading

13. Section2:NetworkAccess14. Chapter5:ImplementingVLANs,Layer2DiscoveryProtocols,andEtherChannels

1. Technicalrequirements2. UnderstandingVLANs

1. VLANranges2. TypesofVLANs3. Trunkinterfaces4. Inter-VLANrouting5. Lab–implementingVLANs6. Lab–creatingtrunkinterfaces7. Lab–configuringinter-VLANrouting

3. Layer2DiscoveryProtocols


1. CiscoDiscoveryProtocol(CDP)2. Link-LayerDiscoveryProtocol(LLDP)

4. UnderstandingandconfiguringEtherChannels1. Lab–implementingEtherChannels


15. Chapter6:UnderstandingandConfiguringSpanning-Tree1. Technicalrequirements2. WhatisSpanning-TreeProtocol?

1. BridgeProtocolDataUnit2. Rootbridgeandsecondaryrootbridge

3. Spanning-treestandards1. Portrolesandstates2. Determiningtherootbridgeandportroles3. PVST+4. Rapid-PVST+5. Lab–implementingRapid-PVST+onaCisconetwork6. Lab–configuringPortFastandBPDUguard


16. Section3:IPConnectivity17. Chapter7:InterpretingRoutingComponents

1. Technicalrequirements2. UnderstandingIProuting3. Componentsoftheroutingtable

1. Routingprotocolcodes2. Prefixandnetworkmask3. Nexthop4. AdministrativeDistance5. Routingmetrics6. Gatewayoflastresort


18. Chapter8:UnderstandingFirstHopRedundancy,StaticandDynamicRouting1. Technicalrequirements2. Understandingstaticrouting

1. Doweneedstaticrouting?2. Typesofstaticroutes3. Lab–configuringstaticroutingusingIPv44. Lab–configuringanIPv4defaultroute5. Lab–configuringstaticroutingusingIPv6

3. Understandingdynamicrouting1. Typesofdynamicroutingprotocols2. OpenShortestPathFirst3. Lab–configuringOSPFv24. ValidatingOSPFconfigurations

4. Understandingfirsthopredundancy1. VariousFHRPs


19. Section4:IPServices20. Chapter9:ConfiguringNetworkAddressTranslation(NAT)

1. Technicalrequirements2. ThechallengeofusingIPv4ontheinternet3. UnderstandingNAT

1. UnderstandingNAToperationandterminology4. TypesofNAT

1. StaticNAT2. DynamicNAT3. ConfiguringPAT


5. Lab–implementingNAToverload(PAT)6. Lab–implementingstaticNATwithportforwarding7. Lab–implementingdynamicNAT8. Summary9. Questions10. Furtherreading

21. Chapter10:ImplementingNetworkServicesandIPOperations1. Technicalrequirements2. UnderstandingNTP

1. Lab–configuringNTP3. UnderstandingDHCP

1. DHCPoperations2. Cisco'sDHCPconfigurations3. DHCPrelay4. Lab–configuringDHCPandDHCPrelay

4. DomainNameSystem1. DNSrootservers2. DNSrecordtypes3. Lab–configuringDNS

5. UnderstandingthebenefitsofusingSyslog1. Syslogseveritylevels2. Lab–configuringSyslog

6. SimpleNetworkManagementProtocol1. SNMPversions2. Managementinformationbase3. Lab–configuringSNMP

7. QoStrafficclassification1. QoSterminologies2. Traffictypecharacteristics3. QoSqueuingalgorithms4. QoSpolicymodels5. QoSimplementationmethods


22. Section5:SecurityFundamentals23. Chapter11:ExploringNetworkSecurity

1. Technicalrequirements2. Securityconcepts

1. TheCIAtriad2. Threats3. Vulnerabilities4. Exploits5. Attacks

3. Authentication,Authorization,andAccounting1. Lab–ImplementingAAA

4. Elementsofasecurityprogram5. Wireshark101

1. Lab–Analyzingpackets6. Summary7. Questions8. Furtherreading

24. Chapter12:ConfiguringDeviceAccessControlandVPNs1. Technicalrequirements2. Deviceaccesscontrol

1. Securingconsoleaccess2. SecuringanAUXline3. VTYlineaccess4. SecuringPrivilegeExecmode5. Encryptingallplaintextpasswords

3. VirtualPrivateNetworks1. Site-to-SiteVPNs2. RemoteaccessVPNs3. IPsec


4. Lab–Configuringasite-to-siteVPN5. Lab–ConfiguringaremoteaccessVPN


25. Chapter13:ImplementingAccessControlLists1. Technicalrequirements2. WhatareACLs?

1. BenefitsofusingACLs3. ACLoperation4. ACLwildcardmasks

1. Calculatingthewildcardmask2. ACLguidelinesandbestpractices

5. WorkingwithstandardACLs1. CreatinganumberedstandardACL2. ImplementinganamedstandardACL3. DeletinganACL4. Lab–implementingastandardnumberedACL5. Lab–configuringastandardnamedACL6. Lab–securingVTYlinesusingACLs

6. WorkingwithextendedACLs1. CreatinganumberedextendedACL2. ImplementinganamedextendedACL3. Lab–implementingextendedACLs


26. Chapter14:ImplementingLayer2andWirelessSecurity1. Technicalrequirements2. TypesofLayer2attacksonanetwork

1. Networkattacks2. Defenseindepth3. Layer2threats

3. ProtectingagainstLayer2threats1. Portsecurity2. DHCPsnooping3. DynamicARPinspection

4. Wirelessnetworksecurity1. Authenticationmethods2. Lab–implementingwirelesssecurityusingaWLC


27. Section6:AutomationandProgrammability28. Chapter15:NetworkAutomationandProgrammabilityTechniques

1. Understandingautomation2. Understandingdataformats

1. eXtensibleMarkupLanguage2. JavaScriptObjectNotation3. YAMLAin'tMarkupLanguage

3. UnderstandingAPIs1. TypesofAPIs2. RESTfulAPIs

4. Understandingnetworkconfigurationmanagement1. Fabric,overlay,andunderlay2. CiscoDNACenter


29. Chapter16:MockExam11. Questions

30. Chapter17:MockExam21. Questions

31. Assessments


1. Chapter12. Chapter23. Chapter44. Chapter55. Chapter66. Chapter77. Chapter88. Chapter99. Chapter1010. Chapter1111. Chapter1212. Chapter1313. Chapter1414. Chapter1515. Chapter16–MockExam116. Chapter17–MockExam2

32. OtherBooksYouMayEnjoy1. Leaveareview-letotherreadersknowwhatyouthink

Landmarks1. Cover2. TableofContents


200-301 CCNA Exam Guide

Documents

Transcript of 200-301 CCNA Exam Guide