Implementing and Administering Cisco Solutions: 200-301 CCNA Exam Guide
Copyright © 2020 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author(s), nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Vijin Boricha
Senior Editor: Rahul Dsouza
Content Development Editors: Ronn Kurien and Nihar Kapadia
Technical Editor: Sarvesh Jaywant
Copy Editor: Safis Editing
Project Coordinator: Neil Dmello
Proofreader: Safis Editing
Indexer: Rekha Nair
Production Designer: Jyoti Chauhan
First published: November 2020
Production reference: 1151020
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-80020-809-4
www.packt.com
Packt.com
Subscribe to our online digital library for full access to over 7,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Why subscribe?
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Fully searchable for easy access to vital information
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at customercare@packtpub.com for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Contributors
About the author
Glen D. Singh is a cybersecurity and networking instructor, InfoSec author, and consultant. His areas of expertise are penetration testing, digital forensics, network security, and enterprise networking. He has many certifications, including CEH, CHFI, and 3x CCNA (cyber ops, security, and routing and switching). He loves teaching and mentoring others, and sharing his wealth of knowledge and experience as an author. He has written books on Kali Linux, Kali NetHunter, and CCNA Security.
Glen has trained many professionals in various sectors ranging from ISPs to government agencies in the field of cybersecurity. As an aspiring game-changer, Glen is passionate about increasing cybersecurity awareness in his homeland, Trinidad and Tobago.
I would like to thank Rahul Nair, Suzanne Coutinho, Ronn Kurien, and the wonderful team at Packt Publishing, who have provided amazing support and guidance throughout this journey. To the technical reviewers, Aaron Caesar and Jessie James Araneta, thank you for your outstanding contribution to making this an amazing book.
About the reviewers
Aaron Caesar holds a BSc. in Computing and Information Systems and other professional certifications in networking and security. His career in technology spans 16 years, including technical support and teaching at various private and public sector agencies. Currently, he is employed at a multinational ISP, providing specialist support to a wide cross-section of the company's corporate customers. Aaron has a passion for learning about information and communication technologies that he continues to pursue daily.
Above all, however, he is a father, husband, son, brother, and friend.
I would like to thank my beautiful wife, Abbigail, for all the support she has provided to me during this process; and all the people who believed in me and my growth. I would also like to express my gratitude to the author and the team at Packt for giving me this great opportunity to contribute to this excellent book.
Jessie James is a licensed electronics engineer and a Cisco Certified Network Associate. His experience and specialization is mobile and fixed network operation for telecommunications. During the development of this book, he has been working for Etisalat UAE as Operations Field Support – Fixed Network.
I'd like to thank God first, for His almighty guidance on whatever decisions I made. I'd also like to thank Packt Publishing for the opportunity to review this wonderful book. To my parents, siblings, relatives, friends, and mentors (you know who you are), thank you for guiding and supporting me. Lastly, I'd like to thank Bonie for the love and support while reviewing this book.
Packt is searching for authors like you
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Chapter 1: Introduction to Networking
Understanding the evolution of networking and the internet
Understanding network sizes – SOHO, LAN, and WAN
Learning about network protocol suites
OSI reference model
Understanding the TCP/IP protocol suite
Understanding the functions of network devices
Hubs
Layer 2 switches
Layer 3 switches
Routers
Next-generation firewalls and IPS
Access Points
Cisco Wireless LAN Controller (WLC)
Endpoints and servers
Cisco DNA
Network topology architectures
2 Tier
3 Tier
Summary
Further reading
Chapter 2: Getting Started with Cisco IOS Devices
Technical requirements
Building a Cisco lab environment
Cisco Packet Tracer
Virtual CCNA Lab
Physical labs
Getting started with Cisco IOS devices
Boot process
Accessing a Cisco IOS device
Configuring the Cisco IOS
Setting up a small Cisco network
Performing troubleshooting procedures
Chapter 3: IP Addressing and Subnetting
Technical requirements
The need for IP addressing
Characteristics of IPv4
Composition of an IPv4 packet
Converting binary into decimal
Converting decimal into binary
Transmission types
Classes of IPv4 addresses
Public IPv4 address space
Private IPv4 address space
Special IPv4 addresses
Loopback address
Test-Net
Link Local
Subnet mask
Network prefix
Identifying the Network ID
Subnetting
Step 1 – Determining the appropriate IP address
Step 2 – Creating new subnets (subnetworks)
Step 3 – Assigning subnets to each network
Step 4 – Performing Variable-Length Subnet Masking (VLSM)
IPv6
Types of IPv6 addresses
Lab – Configuring IPv6 on a Cisco IOS router
Lab – Configuring IPv6 on a Windows computer
Testing end-to-end connectivity
Summary
Further reading
Chapter 4: Detecting Physical Issues, Wireless Architectures, and Virtualization
Technical requirements
Understanding network switch functions
Detecting physical issues
Wireless technologies
2.4 GHz versus 5 GHz
Wireless bands
SSID, BSSID, and ESS
Cisco wireless architectures
Autonomous
Cloud-based
Split-MAC
AP modes
Wireless components and management
Lab – accessing a Cisco WLC GUI
Lab – configuring a wireless network using a Cisco WLC
Virtualization fundamentals
Type 1 hypervisor
Type 2 hypervisor
Cloud computing
Cloud services
SaaS
PaaS
IaaS
Cloud delivery models
Chapter 5: Implementing VLANs, Layer 2 Discovery Protocols, and EtherChannels
Technical requirements
Understanding VLANs
VLAN ranges
Types of VLANs
Trunk interfaces
Inter-VLAN routing
Lab – implementing VLANs
Lab – creating trunk interfaces
Lab – configuring inter-VLAN routing
Layer 2 Discovery Protocols
Cisco Discovery Protocol (CDP)
Link-Layer Discovery Protocol (LLDP)
Understanding and configuring EtherChannels
Lab – implementing EtherChannels
Summary
Questions
Further reading
Chapter 6: Understanding and Configuring Spanning-Tree
Technical requirements
What is Spanning-Tree Protocol?
Bridge Protocol Data Unit
Root bridge and secondary root bridge
Spanning-tree standards
Port roles and states
Determining the root bridge and port roles
PVST+
Rapid-PVST+
Lab – implementing Rapid-PVST+ on a Cisco network
Lab – configuring PortFast and BPDU guard
Chapter 7: Interpreting Routing Components
Technical requirements
Understanding IP routing
Components of the routing table
Routing protocol codes
Prefix and network mask
Next hop
Administrative Distance
Routing metrics
Gateway of last resort
Summary
Questions
Chapter 8: Understanding First Hop Redundancy, Static and Dynamic Routing
Technical requirements
Understanding static routing
Do we need static routing?
Types of static routes
Lab – configuring static routing using IPv4
Lab – configuring an IPv4 default route
Lab – configuring static routing using IPv6
Understanding dynamic routing
Types of dynamic routing protocols
Open Shortest Path First
Lab – configuring OSPFv2
Validating OSPF configurations
Understanding first hop redundancy
Various FHRPs
Summary
Questions
Further reading
Chapter 9: Configuring Network Address Translation (NAT)
Technical requirements
The challenge of using IPv4 on the internet
Understanding NAT
Understanding NAT operation and terminology
Types of NAT
Static NAT
Dynamic NAT
Configuring PAT
Lab – implementing NAT overload (PAT)
Lab – implementing static NAT with port forwarding
Lab – implementing dynamic NAT
Chapter 10: Implementing Network Services and IP Operations
Technical requirements
Understanding NTP
Lab – configuring NTP
Understanding DHCP
DHCP operations
Cisco's DHCP configurations
DHCP relay
Lab – configuring DHCP and DHCP relay
Domain Name System
DNS root servers
DNS record types
Lab – configuring DNS
Understanding the benefits of using Syslog
Syslog severity levels
Lab – configuring Syslog
Simple Network Management Protocol
SNMP versions
Management information base
Lab – configuring SNMP
QoS traffic classification
QoS terminologies
Traffic type characteristics
QoS queuing algorithms
QoS policy models
QoS implementation methods
Chapter 11: Exploring Network Security
Technical requirements
Security concepts
The CIA triad
Threats
Vulnerabilities
Exploits
Attacks
Authentication, Authorization, and Accounting
Lab – Implementing AAA
Elements of a security program
Wireshark 101
Lab – Analyzing packets
Chapter 12: Configuring Device Access Control and VPNs
Technical requirements
Device access control
Securing console access
Securing an AUX line
VTY line access
Securing Privilege Exec mode
Encrypting all plaintext passwords
Virtual Private Networks
Site-to-Site VPNs
Remote access VPNs
IPsec
Lab – Configuring a site-to-site VPN
Lab – Configuring a remote access VPN
Summary
Questions
Further reading
Chapter 13: Implementing Access Control Lists
Technical requirements
What are ACLs?
Benefits of using ACLs
ACL operation
ACL wildcard masks
Calculating the wildcard mask
ACL guidelines and best practices
Working with standard ACLs
Creating a numbered standard ACL
Implementing a named standard ACL
Deleting an ACL
Lab – implementing a standard numbered ACL
Lab – configuring a standard named ACL
Lab – securing VTY lines using ACLs
Working with extended ACLs
Creating a numbered extended ACL
Implementing a named extended ACL
Lab – implementing extended ACLs
Summary
Questions
Further reading
Chapter 14: Implementing Layer 2 and Wireless Security
Technical requirements
Types of Layer 2 attacks on a network
Network attacks
Defense in depth
Layer 2 threats
Protecting against Layer 2 threats
Port security
DHCP snooping
Dynamic ARP inspection
Wireless network security
Authentication methods
Lab – implementing wireless security using a WLC
Summary
Questions
Further reading
Chapter 15: Network Automation and Programmability Techniques
Understanding automation
Understanding data formats
eXtensible Markup Language
JavaScript Object Notation
YAML Ain't Markup Language
Understanding APIs
Types of APIs
RESTful APIs
Understanding network configuration management
Fabric, overlay, and underlay
Cisco DNA Center
Preface
Implementing and Administering Cisco Solutions: CCNA 200-301 Exam Guide is an excellent book that focuses on a range of Cisco technologies that will help you gain a firm understanding of networking, IP connectivity, IP services, security, network programmability, and automation.
Throughout this book, you will be exposed to various networking components and discover how they all work together in an enterprise network. You will also learn how to configure Cisco devices using the command-line interface (CLI) to provide network access, services, security, connectivity, and management.
During the course of this book, you will come across different hands-on labs with real-world scenarios that are designed to help you gain essential on-the-job skills and experience. Furthermore, this book will guide you and teach you networking technologies and solutions to implement and administer enterprise networks and infrastructure using Cisco solutions.
By the end of this book, you will have gained the confidence to pass the CCNA 200-301 examination and be well-versed in a variety of network administration and security engineering solutions.
Who this book is for
This guide is targeted at every IT professional looking to boost their network engineering and security administration career. Users interested in certifying in Cisco technologies and starting a career as network security professionals will find this book useful. Readers with no knowledge about Cisco technologies but some understanding of industry-level network fundamentals will have an added advantage.
What this book covers
Chapter 1, Introduction to Networking, introduces various network protocols, devices, and components, and network topology architectures.
Chapter 2, Getting Started with Cisco IOS Devices, introduces Cisco Internetwork Operating System (Cisco IOS). You will learn how to access the device, perform initial configurations, and learn how to verify the device's settings. Additionally, you will learn how to build your personal learning environment to reduce your expenditure in terms of purchasing expensive equipment.
Chapter 3, IP Addressing and Subnetting, covers different classes of IP addresses and their assignments. The second half of the chapter will teach you how to use subnetting to break down a large network into smaller subnetworks.
Chapter 4, Detecting Physical Issues, Wireless Architectures, and Virtualization, covers various Layer 1 issues and takes a deep dive into understanding Cisco Wireless Architectures and deployment models. Additionally, this chapter covers the concept of virtualization and virtual machines.
Chapter 5, Implementing VLANs, Layer 2 Discovery Protocols, and EtherChannels, introduces you to Virtual Local Area Networks (VLANs), configuring and troubleshooting VLANs on a Cisco network, setting up inter-switch connectivity by configuring Trunk links, and configuring inter-VLAN routing to allow multiple VLANs to inter-communicate. Additionally, you will learn how to use various Layer 2 discovery protocols to map devices on a network and use EtherChannels to perform link aggregation.
Chapter 6, Understanding and Configuring Spanning-Tree, covers the importance of designing a proper switch network, showing how devices should be interconnected to ensure redundancy. Furthermore, the chapter introduces you to a Layer 2 loop prevention mechanism known as the Spanning-Tree Protocol (STP). You will learn about the operations, configurations, and troubleshooting of STP in a Cisco environment.
Chapter 7, Interpreting Routing Components, focuses on the importance of routing and discusses how routers make their forwarding decisions. You will learn all about the components of the routing table and the factors that help a router to choose a preferred path for forwarding packets to their destination.
Chapter 8, Understanding First Hop Redundancy, Static and Dynamic Routing, continues the discussion on routing but takes a more technical approach, such as demonstrating how to implement static and dynamic routing protocols to ensure IP connectivity between multiple networks in a Cisco environment.
Chapter 9, Configuring Network Address Translation (NAT), focuses primarily on Network Address Translation (NAT). The chapter will take you from an introduction to use cases on to the configuration of various types of NAT and troubleshooting techniques.
Chapter 10, Implementing Network Services and IP Operations, introduces you to various network and IP services that are required on almost all enterprise networks and are required knowledge for network engineers. This chapter covers technologies such as NTP, DHCP, DNS, Syslog, and QoS.
Chapter 11, Exploring Network Security, discusses the cybersecurity issues many professionals face each day, such as threats, vulnerabilities, exploits, user training, security awareness, and countermeasures.
Chapter 12, Configuring Device Access Control and VPNs, focuses on securing your Cisco switches and routers and configuring secure device access. Additionally, this chapter introduces you to remote access and how to configure Virtual Private Networks (VPNs).
Chapter 13, Implementing Access Control Lists, covers ACLs, which are a mandatory topic for everyone who is starting or is already in the field of networks or security. ACLs are Layer 3 security controls (extended ACLs also match Layer 4 ports). When implemented on a router, they turn it into a basic packet-filtering device that drops unwanted traffic, much like a simple stateless firewall.
Chapter 14, Implementing Layer 2 and Wireless Security, introduces you to various Layer 2 attacks on an enterprise network and explains how to implement countermeasures to create a secure network environment.
Chapter 15, Network Automation and Programmability Techniques, broaches the fact that the world of networking is moving toward automation and network engineers will now need to learn how automation can improve efficiency in network deployment and management. This chapter introduces you to network automation techniques and programmability.
Chapter 16, Mock Exam 1, includes a simple mock test containing questions that will help you to prepare for the Cisco CCNA 200-301 examination and will help you identify any topics you need to spend additional time learning about and practicing.
Chapter 17, Mock Exam 2, includes another mock test containing questions that will help you to prepare for the Cisco CCNA 200-301 examination and will help you identify any topics you need to spend additional time learning about and practicing.
To get the most out of this book
All configurations were done using a Windows 10 operating system running Cisco Packet Tracer version 7.3.0.
If you are using the digital version of this book, we advise you to type the code yourself or access the code via the GitHub repository (link available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.
After completing this book, using your imagination, attempt to create additional lab scenarios using Cisco Packet Tracer. This will help you to continue learning and further develop your skills as an aspiring network engineer.
Download the example code files
You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions. In case there's an update to the code, it will be updated on the existing GitHub repository.
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
Code in Action
Code in Action videos for this book can be viewed at https://bit.ly/30fYz6L.
Download the color images
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781800208094_ColorImages.pdf.
Conventions used
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "If you use the show flash: command in privilege mode on a Cisco IOS switch, you will see the vlan.dat file."
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
Branch-B(config)# ip route 10.1.1.0 255.255.255.0 10.2.1.5
Branch-B(config)# ip route 172.16.1.0 255.255.255.0 10.2.1.10
Branch-B(config)# ip route 192.168.1.0 255.255.255.0 10.2.1.20
Any command-line input or output is written as follows:
SW1(config)# interface FastEthernet0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan vlan-ID
SW1(config-if)# no shutdown
SW1(config-if)# exit
Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Select System info from the Administration panel."
Tips or important notes
Appear like this.
Disclaimer
The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorization from the appropriate persons responsible.
Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at customercare@packtpub.com.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at copyright@packt.com with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Reviews
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
Section 1: Network Fundamentals
This section introduces you to the world of networking, starting with how devices intercommunicate. It then discusses the various types of networking devices along with their functionality. This section also covers popular networking protocols and services that allow a network to share a resource with other devices. Additionally, you will learn about IPv4 and IPv6 addressing, and subnetting techniques.
This section contains the following chapters:
Chapter 1, Introduction to Networking
Chapter 2, Getting Started with Cisco IOS devices
Chapter 3, IP Addressing and Subnetting
Chapter 4, Detecting Physical Issues, Wireless Architectures, and Virtualization
Chapter 1: Introduction to Networking
Beginning a journey in the field of networking is an exciting one for everyone. I'm sure you are interested in learning about the operations of a computer and especially how the internet, the largest network, functions and grows. Networking is an ever-demanding field in Information Technology (IT); each day, organizations from healthcare providers, educational institutions, government agencies, and other industries are continuously expanding and improving their network infrastructure to support newer services and network traffic. Almost everyone is connected to the internet. Educators and businesses are using various online collaboration platforms to extend their reach to students and potential customers in a global market. All these amazing technologies are made possible by computer networks.
The Cisco Certified Network Associate (CCNA) 200-301 certification is designed to prepare you for associate-level networking roles in the IT industry. CCNA is one of the most popular certification requirements for almost every network engineering job, and there is a very good reason why. The CCNA certification is a foundational level certification with a lot of essential information; I know part of the name contains the word "associate", but that's just in the Cisco certification hierarchy structure since the next level is Cisco Certified Network Professional and so on. The CCNA is one of the most recommended certifications you can follow to begin your networking journey.
The CCNA will teach you how to design, implement, configure, and troubleshoot small- to medium-sized enterprise networks. You will learn to efficiently implement network access, IP connectivity, IP services, and security through an enterprise network. Additionally, gaining your CCNA certification will open up a whole new world of career opportunities as the certification itself is well-respected in the networking field.
Throughout this chapter, you will learn about the important history of how computer networks were developed and the era before the internet. Then, we will cover the early and current generation of the internet and explore how networking has become part of our daily lives. You will learn about communication technologies and networking protocols that are designed to help us connect with our loved ones, friends, and colleagues. You will also learn about the various sizes of networks and components such as routers and switches, which move messages from one device, across a network, to another. Lastly, you'll learn about the various protocol suites that are built into each operating system and network device and that set the rules for exchanging messages.
In this chapter, we will cover the following topics:
Understanding the evolution of networking and the internet
Understanding network sizes – SOHO, LAN, and WAN
Learning about network protocol suites
Understanding the functions of network devices
Network topology architectures
Understanding the evolution of networking and the internet
In the pre-internet age, scientists, institutions, and other experts were working to create a network that could allow them to connect computers on a worldwide scale. Computer scientists began working on a model; the initial prototype was known as the Advanced Research Projects Agency Network (ARPANET).
ARPANET was developed in the late 1960s. It was funded by the US Department of Defense (DoD) with the idea it would be used to connect universities and research centers. The network technology used on this prototype was packet switching. This allowed connected computers to send and receive data on a single network. However, ARPANET's original host-to-host protocol, the Network Control Program (NCP), was designed for that one network; it could not interconnect multiple independent packet networks, which is the problem TCP/IP was created to solve.
The US Defense Advanced Research Projects Agency (DARPA) developed the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, which ARPANET adopted in the early 1980s (the cut-over from NCP to TCP/IP took place on 1 January 1983). The US DoD declared TCP/IP the official standard for its computer networking. With the adoption of TCP/IP, ARPANET began to evolve into much larger networks, allowing other organizations to be interconnected, and became what we commonly refer to as the internet today.
The internet is a worldwide collection of many interconnected networks, such as Wide Area Networks (WANs) and Local Area Networks (LANs). Each organization or person who connects a device to the internet simply extends the network (internet), so the internet is continuously growing as more devices are going online. Later in this chapter, we will take a deeper dive and discuss various types and sizes of network topologies.
The internet itself is not owned by any one person or organization in the world. However, there are many groups and organizations that help maintain the stability and set standards for intercommunicating on the internet and private networks.
As an upcoming network engineer, it's good to know a little about the following organizations and groups:
Internet Engineering Task Force (IETF): the body that develops and publishes the technical standards (RFCs) the internet runs on, such as TCP, IP, and HTTP. Its stated mission is simply to make the internet work better for all. You can find more information about the IETF on their website at www.ietf.org.
Internet Assigned Numbers Authority (IANA): responsible for the global coordination of Internet Protocol (IP) address allocation, protocol parameter assignments (port numbers, protocol numbers, and similar registries), and the Domain Name System (DNS) root zone. You can find more information about IANA on their official website at www.iana.org.
Internet Corporation for Assigned Names and Numbers (ICANN): contributes to the internet's sustainability by coordinating and managing the internet's numerical spaces and namespaces to ensure its stability. You can find more information about ICANN on their official website at www.icann.org.
Now that we have covered the history of the internet, we'll look at how various network sizes differ in the next section.
Understanding network sizes – SOHO, LAN, and WAN
Let's imagine we have a few devices that are all interconnected in a single network, sharing files between themselves without having the user (human) physically walk around with a portable storage device such as a flash drive to copy and paste files. Users access a centralized file server within the company's network from their local computer.
The following diagram shows a small network with both a network-shared printer and file server:
Figure 1.1 – Devices interconnected to create a small LAN
This type of network is commonly referred to as a LAN. A LAN is a computer network confined to a limited physical area, such as a home, an office, or a single building. To help you understand this, we're going to use a simple analogy. Let's imagine you work for ACME, a fictional organization that has a single branch. Within the branch (that is, the physical building), ACME has a LAN that is used to interconnect all their devices – computers, servers, printers, and so on. This LAN allows employees to sit at their workstations and send documents to print via the network to the local printer and access the file server to store and copy files for their projects. Let's call this office location HQ.
The following diagram shows a typical LAN with interconnected devices within the HQ building:
Figure 1.2 – A building containing a LAN
One day, ACME wants to open a new branch in another city to provide services to new and potential customers; however, there is a challenge. We shall refer to the new branch as Branch A. The new location, Branch A, is many miles away and the staff at Branch A need to access resources such as the application server, Customer Relationship Management (CRM) database, and other important resources that are located at the HQ location. One solution would be to create a clone of the servers from HQ to the new location, Branch A; however, this means each time new records and data are updated at the HQ location, it will take a long time to replicate the data on the servers at Branch A. This may create inconsistency issues when employees try to access the most up-to-date files and records at Branch A.
Important note
In our scenario, Branch A is typically known as a Small Office/Home Office (SOHO). This type of network is generally smaller than the main corporate office of a company, but it enables the users to connect to or access the resources that are centrally shared on the corporate network (HQ).
A better approach is to create a WAN. A WAN is used to simply extend a LAN over a large geographic distance. A company such as ACME would definitely benefit from using this technology within their organization. By implementing a WAN between their branches, HQ and Branch A, the servers and main resources can simply stay at HQ while employees are still able to access the resources, files, and records across the network at their Branch A location.
The following diagram shows a depiction of a WAN connection between the HQ location and the new branch office:
Figure 1.3 – A WAN connection between two buildings
In modern times, WANs are managed by service providers (SPs) and Internet Service Providers (ISPs). WANs can extend your LAN beyond cities, countries, and even continents. ISPs offer a range of WAN services to their customers, such as the following:
Metro Ethernet (MetroE)
Virtual Private LAN Service (VPLS)
Multiprotocol Label Switching (MPLS)
As a simple example, MetroE enables customers of a service provider to establish a WAN between branches, functioning like a very large LAN within the service provider network. This means a company can interconnect multiple branches using a MetroE service within the service provider network. On the customer's end, the network functions as if it were one large LAN.
Another type of WAN service is MPLS, which provides us with the functionality to extend an organization's network beyond the local service provider's network. Imagine having a WAN circuit starting from the HQ location and passing through multiple ISP networks until the connection is terminated at a remote branch in another country.
With that, we have covered the fundamentals of SOHOs, LANs, and WANs. In the next section, we will learn about the protocol suites that allow the devices on these networks to understand each other.
Learning about network protocol suites
Thanks to various technology companies, we can break down communication barriers between people who speak different native languages. We can simply install an app on our smartphone such as Google Translate and translate a foreign language into our own and vice versa.
For a device to communicate with another on a network, it requires a set of protocols or a protocol suite. A protocol suite is a common format that devices can use by following a set of rules for exchanging messages with other devices on a network. A protocol suite enables devices to speak a common, universal language that allows all networking devices to understand each other.
Years ago, computer manufacturers made their own protocol suites, which, in most instances, allowed only same-vendor devices to communicate and exchange data on a network. Some of these protocol suites were AppleTalk and Novell NetWare (IPX/SPX), which were proprietary to the vendor and not suitable for consumers on a large scale.
Then came the Open Systems Interconnection (OSI) reference model and the Transmission Control Protocol/Internet Protocol (TCP/IP) suite. In the following subsections, we will further discuss and compare both the OSI model and the TCP/IP protocol suite.
OSIreferencemodelTheOSIreferencemodelisaseven(7)layermodelthatwasdevelopedbytheInternationalOrganizationforStandardization(ISO)inthe1970s.Itwasintendedtobeafullyoperationalprotocolsuitetoallowalldevicesonanetworktointercommunicateusingamutuallanguage.However,itwasneveractuallyimplementedinanysystems.
Youmaybewondering,ifit'snotimplementedinanyoperatingsystemsanddevices,whyisitimportantwelearnabouttheOSIreferencemodel?EachlayeroftheOSImodelhasauniquefunctionalityassociatedwithacomputernetwork.Thisallowsnetworkengineerstobetterunderstandwhathappensoneachlayerwhenperformingtroubleshootingtasks.
During the development of the OSI model, it was noted the model consisted of seven layers. These are as follows:
Layer 7: Application
Layer 6: Presentation
Layer 5: Session
Layer 4: Transport
Layer 3: Network
Layer 2: Data link
Layer 1: Physical
Why are there so many layers? Each layer of the OSI model has a particular responsibility for ensuring a device is able to successfully exchange messages with other devices on a network. In the following sections, we are going to learn the essentials of each layer and how they help us understand network operations. This enables us to better identify and troubleshoot network-related issues in the industry.
Tip
We can take the first letter of each layer of the OSI model to create an easy-to-remember phrase: All People Seem To Need Data Processing.
As an example, when a device such as a computer wants to send a message (data) to another device either on a local or remote network, the data has to flow downward in the OSI model, passing through each layer. During this process, a specific set of rules, encoding, and formatting is applied. This is known as encapsulation. Whenever a recipient is processing a message, it goes upward, passing each layer, and parts of the message are stripped away. This is known as de-encapsulation.
The following diagram shows the typical flow of a message through the OSI model when one device is sending a message and another device is accepting and processing an incoming message:
Figure 1.4 – Visual representation of traffic flowing through the OSI model
In the field of networking, a device such as a computer creates a Protocol Data Unit (PDU), sometimes referred to as a datagram. This is the raw data to be sent across a network to another device. At each layer of the OSI model, the PDU has a different name. These names are used to reference the characteristics of the PDU at a particular layer. In your exam, it's important to use this terminology. The following diagram shows a table containing the layers of the OSI model and the name of the PDU at each layer:
Figure 1.5 – PDUs at each layer of the OSI model
To get a better understanding about each layer of the OSI model and the characteristics of PDUs as they are passed between layers, we will discuss the role and function of each layer in the following sections. Let's take a closer look.
Layer 7 – Application layer
The application layer (Layer 7) is the closest layer to the user within the protocol suite. It provides an interface for communication between the applications running in a local system and the underlying network protocols. To further explain, imagine you would like to get a bit more information on the Cisco Certified Network Associate (CCNA) certification. In today's world, internet access is readily available to us, either on mobile data plans that utilize 4G and LTE technologies or in internet cafes and coffee shops with free internet access via their Wi-Fi network. Whichever method we use to access the internet, we always need an important application: a web browser to view web pages in a graphical interface, which helps us navigate the internet easily.
Let's continue with our analogy. One action you may want to perform is to visit Cisco's website at www.cisco.com to research the examination objectives and better prepare yourself for the certification.
Opening your favorite web browser, you enter the URL www.cisco.com and hit Enter. Within a couple of seconds, the Cisco website is displayed within the browser's interface. Looking closely at the address bar in the browser, we can see that the Hypertext Transfer Protocol Secure (HTTPS) protocol has been invoked by the web browser, as shown in the following image:
Figure 1.6 – HTTPS protocol used in web browser
Keep in mind that the web browser is simply an application running on our computer or smart device that allows us, the user, to use an application layer protocol such as HTTPS to exchange messages (encoded in web languages) between our computer and a web server. This makes the HTTPS protocol one of many application layer protocols.
The following are some commonly known application layer protocols:
File Transfer Protocol (FTP)
Simple Mail Transfer Protocol (SMTP)
Domain Name System (DNS)
Dynamic Host Configuration Protocol (DHCP)
HyperText Transfer Protocol (HTTP)
In reference to the OSI model, the web browser (application) creates the raw HTTPS message. At this point, the PDU is known as data. Data has no additional encoding or formatting as it is simply the raw (bare) message the application has generated. However, in this state, the PDU can only be recognized and interpreted by another similar application that understands HTTP/S.
When the application layer has finished its job, it passes the PDU on to the lower layer, known as the presentation layer.
Layer 6 – Presentation layer
A very important factor in communication is how content is presented. We must always try to ensure the format in which the message is written or spoken can be interpreted by the recipient very clearly. Imagine an ambassador who only speaks English is traveling to a foreign country on diplomatic business where the foreign nationals do not speak English. This will be a challenge for the ambassador; it can negatively affect some of the communication that they have with the locals during their visit. Having a dedicated person as a translator will assist the ambassador in communicating clearly with the foreign nationals.
We can apply this analogy to a network. There are many protocols that exist both inside and outside of a computer system; some are on the network itself, while others are on the operating systems of a server or desktop computer. Furthermore, as previously mentioned, each layer of the OSI reference model has its own set of protocols, which aid in the transmission of data between devices.
When an application layer protocol such as HTTPS sends the raw data to the network, it passes through the presentation layer (Layer 6), which has to perform some tasks before sending it to the lower layers. The presentation layer is responsible for the following functions:
Data formatting
Data compression
Data encryption and decryption
Most importantly, data formatting ensures the raw data is presented or formatted into a compatible format for both the lower layers and the recipient's device(s) to understand. It's a bit like creating a universal language on a digital network.
Let's look at a simple analogy to further explain this concept. Imagine having to write a letter to a friend who resides in another country. After writing your letter, you securely enclose it within an envelope and insert the correspondence destination address before dropping it off to the local mail courier. Since the letter is intended for international shipping, the local courier will attach an international shipping label containing a universal format for the addressing information. This means the local courier company may need to pass the letter on to another courier until it reaches the intended destination. During this process, each courier will be able to read and interpret the information printed on the universal shipping label because its format is standardized. The same applies to messages passing to the lower layers of the OSI model, hence the importance of the presentation layer.
Another function of the presentation layer is compressing data before it is placed on the network and decompressing it on the recipient's device. Lastly, the presentation layer encrypts data before transporting it between the sender and receiver over a network. On the receiving device, the presentation layer is responsible for the decryption of the encrypted message.
At the presentation layer, the PDU is still known as data. Next, the PDU is passed on to the session layer.
Layer 5 – Session layer
The session layer (Layer 5) has a simple responsibility. At this layer, there are three main functions that work together with a device to ensure datagrams (messages) can be exchanged across a network. These are as follows:
Create or build a session between a sender and receiver.
Maintain the established session during the transmission of messages between the sender and receiver devices.
Terminate a session when both parties indicate they no longer want to communicate with each other.
Keep in mind that, at the session layer, the PDU maintains the same name as the upper layers: data.
Layer 4 – Transport layer
The transport layer (Layer 4) is responsible for moving datagrams between the upper layers (application layer) and the network itself. At the transport layer, the PDU has a new name: segment.
At the application layer, there are many applications (programs) that generate network traffic, such as HTTP or SMTP, at any time. When each application layer protocol sends its datagram to the network, the transport layer has the responsibility of tracking these conversations as they occur.
Whenever a device wants to send a message across a network, the transport layer prepares the datagram (message) and separates it into manageable pieces for delivery. This is due to the fact that networking devices such as switches and routers, together with client machines such as desktop and server operating systems, have limitations regarding the amount of data that can be put in an IP packet. Therefore, the transport layer handles how to segment and reassemble these messages between the sender and the receiver.
As mentioned previously, there are many protocols at the application layer that handle data in different ways. Web traffic uses HTTP and HTTPS, which is formatted differently from email traffic, which uses the SMTP application protocol. Each protocol is designed to interpret its own type of traffic just fine, but if foreign traffic enters its application, it would be malformed and foreign in nature and therefore be discarded. One of the most important roles of the transport layer is to ensure data is passed to the corresponding applications. In other words, if a web browser is sending HTTP(S) traffic to a device on a network, the recipient application protocol on the destination device is expected to be running HTTP or HTTPS, such as a web server.
The transport layer ensures each datagram is sent to its corresponding application or application layer protocol by assigning a unique port number to the PDU, therefore creating a transport layer header. This process is known as encapsulation.
To get a better understanding of this process, let's use a simple analogy of a commercial tower whose tenants are various companies sharing the same physical infrastructure: the building. Typically, the main public area is the lobby, displaying a directory listing of each company and their floor number.
Let's think of the building as an operating system (OS). According to RFC 6335, there are 65,535 logical network ports within an OS. These ports are categorized as follows:
Figure 1.7 – Network port number ranges
The well-known ports are those that are commonly used by application layer protocols, which are as follows:
File Transfer Protocol: 20, 21
Secure Shell (SSH), Secure Copy (SCP): 22
Telnet: 23
SMTP: 25
DNS: 53
DHCP: 68, 69
HTTP: 80
POP: 110
IMAP: 143
HTTPS: 443
Each application layer protocol/service uses a unique port that it sends and receives its traffic type to and from. For example, all HTTP traffic will be sent to a device running a web server application (IIS, Apache, or Nginx) with open port 80. For HTTPS traffic to enter the web server, port 443 is the default port that must be open.
Registered ports are used by software and other vendors who want to use a specific port only for their application. Dynamic ports are used temporarily when a device is sending traffic and are sometimes referred to as ephemeral ports. For example, if a PC wants to send traffic to a web server, we know the web server will have port 80 and/or 443 open by default. However, the PC must use a source port. This means a dynamically generated port (ephemeral) between 49152 and 65535 will be used.
Tip
For more information on service names and port number assignments, please see the following URL: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.
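The following is an added example, not code from the book, that puts the port ranges and the well-known port table above to work: it classifies a port into the IANA range it belongs to, names the service for the well-known ports listed in this section (DHCP is left out of the table here, so refer to the IANA registry for its assignment), and, given the two port numbers of a flow, infers which endpoint is the server and which is the client using an ephemeral source port. The range boundaries (0–1023, 1024–49151, 49152–65535) are those defined by RFC 6335; the flow records are constructed sample data.

```python
"""Port-number classification and client/server inference (added example).

Range boundaries follow RFC 6335. The service table reuses the well-known
ports listed in this section. Sample flows below are constructed values.
"""

# Well-known ports from this section's table (DHCP omitted; see the IANA
# registry for its assignment).
WELL_KNOWN = {
    20: "FTP-data", 21: "FTP", 22: "SSH/SCP", 23: "Telnet", 25: "SMTP",
    53: "DNS", 80: "HTTP", 110: "POP", 143: "IMAP", 443: "HTTPS",
}


def port_range(port):
    """Return the IANA range a port belongs to; reject anything outside 0-65535."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} is outside 0-65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"  # ephemeral range, used for client source ports


def service_name(port):
    """Service behind a well-known port in this section's table, else None."""
    return WELL_KNOWN.get(port)


def classify_flow(port_a, port_b):
    """Work out which side of a flow is the server.

    The server is the endpoint on a well-known or registered port while the
    other endpoint uses a dynamic (ephemeral) port, the pattern the building
    analogy describes: the destination port is the door to the application,
    the source port just tracks the client's conversation.
    Returns (server_port, client_port, service) or None when it cannot tell
    (both ephemeral, or both non-ephemeral).
    """
    a_eph = port_range(port_a) == "dynamic"
    b_eph = port_range(port_b) == "dynamic"
    if a_eph == b_eph:
        return None
    server, client = (port_b, port_a) if a_eph else (port_a, port_b)
    return server, client, service_name(server) or f"port {server}"


# Constructed sample flows: (source port, destination port) as a client would
# open them towards a server.
SAMPLE_FLOWS = [(51234, 443), (80, 49999), (1024, 22), (50000, 50001)]


def summarize(flows=SAMPLE_FLOWS):
    """Classify every sample flow; None marks a flow whose roles are ambiguous."""
    return [classify_flow(a, b) for a, b in flows]
```

The `None` results are the interesting ones in practice: a flow between two ephemeral ports, or between two well-known ports, does not fit the normal client-to-server shape and is worth a second look in logs rather than a guess.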
Getting back to our analogy, each person (datagram) who is entering the building (OS) has the intention of visiting a specific company (application protocol/service). They are instructed to take a specific elevator or staircase (transport layer) to reach the destination company in the building. When the individual (datagram) exits the elevator or staircase, they are faced with a few doors (network ports) to different companies on the same floor. Walking through a door (port) will carry the individual to a specific company. Within the OSI model and TCP/IP protocol suite, the transport layer inserts its own header, which contains the source port number of the sender and the destination port number of the recipient to ensure the datagram goes through the correct network port (doorway). This way, it can reach the relevant application layer protocol to be processed.
The following diagram represents the encapsulation of data. The transport layer inserts its own header, which contains the source and destination port addresses:
Figure 1.8 – Transport header information
Within the transport layer, there are two protocols that are responsible for the delivery of messages between a sender and a receiver over a network. These are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
Transmission Control Protocol
TCP is often referred to as a connection-oriented protocol that guarantees the delivery of a message between a sender and a receiver. Before messages are exchanged between two devices, a TCP three-way handshake is established.
The following diagram shows the TCP three-way handshake process:
Figure 1.9 – TCP three-way handshake
The following is a live capture I took while using Wireshark. Look closely and you'll notice the sender, 172.16.17.14 (Client A), has sent a TCP Synchronization (SYN) packet to a destination address of 172.16.17.18 (Client B). By default, Client B responds with a TCP acknowledgement but additionally with a TCP SYN because it also wants to communicate with Client A. Hence, a TCP SYN/ACK packet gets returned. Finally, Client A receives the TCP SYN/ACK packet and responds with a TCP ACK to establish the TCP three-way handshake, as shown here:
Figure 1.10 – TCP three-way handshake shown in Wireshark
Once this process is complete, whenever each message is delivered to the recipient, a TCP ACK packet is sent back to the sender, indicating a successful delivery. However, if a sender does not receive a TCP ACK response from a recipient after a certain time, the sender will resend the message until a TCP ACK is received. This is how TCP ensures the delivery of messages on a network. However, due to the high overhead of TCP ACK packets on the network, not all application layer protocols use TCP as their preferred choice of transport protocol. Some use UDP instead.
User Datagram Protocol
UDP is a connectionless protocol, known for its best-effort delivery methods. Best-effort simply means the UDP protocol will send the message but will not provide reassurance during delivery. This means that if the message is lost during transmission, UDP will not attempt to resend it. Unlike TCP, it does not provide any message delivery guarantees. If an application layer protocol such as DNS uses UDP for transporting its messages, the transport layer will send it off to its intended destination without any prioritization or any reliability during the message's transmission on the network.
Unlike TCP, UDP does not provide any delivery confirmation, though some application layer protocols prefer UDP for its low overhead and speed on the network.
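To make the contrast between the two transport protocols concrete, the following added example (not from the book, and a model rather than a socket implementation) simulates both sides of the exchange described above: the three-way handshake between Client A (172.16.17.14) and Client B (172.16.17.18) with the sequence and acknowledgement numbers each side sends, then the same three messages sent over a link that drops every other transmission, once with TCP-style retransmission until an ACK returns and once with UDP's send-once best effort. The link, the drop pattern, the initial sequence numbers and the payloads are all constructed so the run is reproducible.

```python
"""TCP handshake, ACK-driven retransmission and UDP best effort (added example).

This is a simulation: no sockets are opened. The addresses are the two clients
from the capture above; the link, drop pattern and payloads are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: tuple            # e.g. ("SYN",), ("SYN", "ACK"), ("ACK",)
    payload: bytes = b""


class LossyLink:
    """Delivers or drops segments following a fixed pattern (True = drop)."""

    def __init__(self, drop_pattern):
        self.pattern = list(drop_pattern)
        self.sent = 0           # every transmission attempt, dropped or not

    def transmit(self, seg):
        dropped = self.pattern[self.sent % len(self.pattern)]
        self.sent += 1
        return None if dropped else seg


def three_way_handshake(client="172.16.17.14", server="172.16.17.18",
                        client_isn=1000, server_isn=5000):
    """Return the SYN, SYN/ACK and ACK segments. Each side acknowledges the
    other's initial sequence number plus one, which is how the receiver can
    verify the reply belongs to its own SYN."""
    syn = Segment(client, server, client_isn, 0, ("SYN",))
    syn_ack = Segment(server, client, server_isn, syn.seq + 1, ("SYN", "ACK"))
    ack = Segment(client, server, syn.seq + 1, syn_ack.seq + 1, ("ACK",))
    return [syn, syn_ack, ack]


def receiver_ack(seg):
    """What the receiving host returns for a delivered data segment: an ACK
    whose number is the next byte it expects."""
    return Segment(seg.dst, seg.src, 0, seg.seq + len(seg.payload), ("ACK",))


def tcp_send(link, messages, max_tries=8, seq=1001):
    """Send each message again until its ACK comes back (a real stack waits a
    retransmission timeout between tries). Returns (delivered payloads,
    total transmissions)."""
    delivered = []
    for payload in messages:
        for _ in range(max_tries):
            got = link.transmit(Segment("A", "B", seq, 0, ("ACK",), payload))
            if got is not None:
                ack = receiver_ack(got)
                assert ack.ack == seq + len(payload)
                delivered.append(got.payload)
                seq = ack.ack            # advance to the next unsent byte
                break
        else:
            raise TimeoutError(f"no ACK for {payload!r} after {max_tries} tries")
    return delivered, link.sent


def udp_send(link, messages):
    """Best effort: each datagram is transmitted exactly once; lost ones stay lost."""
    delivered = []
    for payload in messages:
        got = link.transmit(Segment("A", "B", 0, 0, (), payload))
        if got is not None:
            delivered.append(got.payload)
    return delivered, link.sent
```

With a drop pattern of `[True, False]`, TCP delivers all three messages at the cost of six transmissions, while UDP delivers only the second of the three with three transmissions; that difference in overhead is exactly why the text says some application protocols, such as DNS, choose UDP.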
Layer 3 – Network layer
The network layer (Layer 3) is responsible for the logical addressing on the network and the encapsulation of the IP header, which adds both the source (sender) and destination (receiver) Internet Protocol version 4 (IPv4) and/or Internet Protocol version 6 (IPv6) addresses to the packet.
This layer provides the following functions:
Logical addressing of end devices
Encapsulation and de-encapsulation of datagrams
Routing (moving packets between networks)
The Internet Protocol (IP) operates at this layer. IP is a connectionless protocol, which means the protocol itself does not establish a session with a recipient before attempting to send or receive messages. In a similar way to UDP at the upper layer (transport layer), it is also sent using best-effort mechanisms, thus providing no delivery guarantee for IP packets. Lastly, IP can function independently from the medium on the network (copper, fiber optic, or even wireless). Since IP does not have any reliability, the responsibility of ensuring packet delivery depends on the transport layer.
Furthermore, the network layer provides the functionality of directing traffic flows using routing protocols, which operate using IP. At this layer, routers operate as they have the ability to read and understand IP addressing and the contents of a packet.
When the PDU is passed down to the network layer, it is encapsulated with an IPv4 or an IPv6 header to provide logical addressing, as shown here:
Figure 1.11 – Packet header
Keep in mind that the source and destination IP addresses do not change during their transmission between devices on a network. However, there is one exception: the source IP address changes when it passes a NAT-enabled router, which is configured to change a private IPv4 address into the public IPv4 address of the router's internet-facing interface. We will cover Network Address Translation (NAT) in Chapter 9, Configuring Network Address Translation (NAT).
At this stage, the PDU is called a packet. In later chapters, we'll discuss IPv4 and IPv6 in greater detail.
Layer 2 – Data link layer
The data link layer (Layer 2) of the OSI model is responsible for allowing the messages of the upper layers to access the physical network. It also controls how data is placed and received on the physical network (media), and it handles error detection and flow control. Within the data link layer, there are two sublayers. These are the Logical Link Control (LLC) and the Media Access Control (MAC).
Logical Link Control
LLC encapsulates the packet that's received from the network layer into a frame by adding a Layer 2 header containing the source (sender) and destination (receiver) MAC addresses. At the end of the frame, a trailer is added. The trailer of a frame contains the Frame Check Sequence (FCS). The data link layer creates a check value to represent the contents of the frame; this is known as the Cyclic Redundancy Check (CRC) value. The CRC value is located in the FCS field of the trailer. The recipient device(s) use this value to determine whether the frame was corrupted or modified during its transmission between the sender and the receiver.
Media Access Control
For a device to connect and communicate on a computer network, a Network Interface Card (NIC) is required. The NIC allows the device to establish a connection to the physical network, regardless of whether the medium is copper or fiber optic cabling, or a wireless connection such as Wi-Fi. The NIC enables a device to exchange messages with another device while using the media (or medium) as the highway.
The MAC address is 48 bits (6 bytes) in length and is presented in the format of hexadecimal values; that is, 0123456789ABCDEF. An example of a MAC address is 12:34:56:78:9A:BC. The first 24 bits of the MAC address are known as the Organizationally Unique Identifier (OUI). The OUI identifies the manufacturer of the Network Interface Card (NIC) and the second 24 bits are assigned by the manufacturer. The MAC address is also known as a burned-in address (BIA) since it is hardcoded onto the hardware and, theoretically, can't be changed.
The following diagram represents a datagram known as the frame. It contains both a data link header and a trailer:
Figure 1.12 – Frame header
Notice that an additional field is inserted called the Preamble. The Preamble is a 7-byte field used on an Ethernet frame to indicate the start of the frame, its sequencing, and its synchronization. Before the data link layer places a message on the physical layer, it needs to break it up into smaller pieces called bits. Each bit will contain the addressing headers, trailers, and the preamble, which contains a sequence for each bit.
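The following added example (not from the book) ties together the encapsulation described earlier in this section with the frame and FCS just discussed: it carries a piece of application data down the stack, producing the PDU at each layer under the names the exam expects (data, segment, packet, frame), then de-encapsulates the frame and checks the FCS the way a receiving NIC would. The header layouts are deliberately simplified placeholders, not the real TCP, IPv4 or Ethernet formats (two 16-bit ports for the transport header, two IPv4 addresses for the network header, two MAC addresses for the data link header, and a CRC-32 as the FCS trailer), and every address used is a constructed sample value.

```python
"""Encapsulation down the stack and FCS verification (added example).

Simplified placeholder headers, not real protocol formats. Addresses and
payload are constructed sample values. Requires Python 3.8+ for bytes.hex(sep).
"""
import struct
import zlib


def mac_bytes(text):
    """'12:34:56:78:9A:BC' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    """'192.168.1.10' -> 4 raw bytes."""
    return bytes(int(octet) for octet in text.split("."))


def encapsulate(data, src_port, dst_port, src_ip, dst_ip, src_mac, dst_mac):
    """Return the PDU as it looks at each layer on the way down."""
    segment = struct.pack("!HH", src_port, dst_port) + data         # Layer 4 header
    packet = ip_bytes(src_ip) + ip_bytes(dst_ip) + segment           # Layer 3 header
    header = mac_bytes(dst_mac) + mac_bytes(src_mac)                 # Layer 2 header
    body = header + packet
    fcs = struct.pack("!I", zlib.crc32(body))                        # Layer 2 trailer (FCS)
    return {"data": data, "segment": segment, "packet": packet, "frame": body + fcs}


def deencapsulate(frame):
    """Strip each header back off on the receiving side.

    The FCS is recomputed over everything before the trailer; a mismatch means
    the frame was altered in transit and is dropped, which is modelled here by
    raising ValueError.
    """
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("!I", zlib.crc32(body)) != fcs:
        raise ValueError("FCS mismatch: frame corrupted in transit")
    dst_mac, src_mac, packet = body[:6], body[6:12], body[12:]       # Layer 2
    src_ip, dst_ip, segment = packet[:4], packet[4:8], packet[8:]    # Layer 3
    src_port, dst_port = struct.unpack("!HH", segment[:4])           # Layer 4
    return {
        "dst_mac": dst_mac.hex(":").upper(),
        "src_mac": src_mac.hex(":").upper(),
        "src_ip": ".".join(str(b) for b in src_ip),
        "dst_ip": ".".join(str(b) for b in dst_ip),
        "src_port": src_port,
        "dst_port": dst_port,
        "data": segment[4:],
    }


def corrupt(frame, byte_index):
    """Flip one bit to model a transmission error on the wire."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 0x01
    return bytes(damaged)
```

Note that the FCS only detects accidental corruption: anyone who can rewrite the frame can recompute the CRC as well, so integrity against deliberate modification has to come from a higher layer, such as the encryption the presentation layer discussion mentioned.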
The following diagram represents a depiction of two computers. PC A is sending some messages to PC B and since the blocks represent the message, it has been segmented into small bits. These are then sent across the network to the recipient:
Figure 1.13 – Bits moving across the physical layer
When the bits are received on the destination device, the sequence numbers of each bit will help the recipient reassemble the bits into a message.
To check the MAC address of your network adapters on a Microsoft Windows operating system, use the following instructions:
1. On your Windows computer, use the keyboard combination Windows Key + R to open Run.
2. Enter cmd and click OK.
3. The Windows Command Prompt window will appear; enter ipconfig /all to display the current settings of all the network adapters on your device.
The following screenshot shows the output after running the ipconfig /all command:
Figure 1.14 – MAC address on a Windows device
On Microsoft Windows, the Physical Address is the MAC address of the NIC.
Important note
On some operating systems, the MAC address is shown in XX:XX:XX:XX:XX:XX, XXXX.XXXX.XXXX, or XX-XX-XX-XX-XX-XX format.
Additionally, if you would like to determine the manufacturer of the device, use the following steps:
1. Open your web browser and go to https://www.wireshark.org/tools/oui-lookup.html. You can enter the search term mac vendor lookup to discover more OUI lookup websites on the internet.
2. Enter the MAC address of the NIC in the search field and start the search.
The following are the OUI search results:
Figure 1.15 – MAC vendor lookup
Now that you know about the data link layer, how to determine the MAC address, and how to perform a vendor lookup, let's take a look at the physical layer.
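As an added example (not from the book), the following code handles the MAC address formats from the note above and the OUI split described in the Media Access Control section: it normalizes an address written in any of the three notations into the colon form, rejects anything that is not 48 bits, extracts the 24-bit OUI for a vendor lookup, and goes one step beyond the text by reading the two flag bits of the first byte that distinguish a multicast address and a locally administered (software-set) address from a burned-in one. The OUI table is a constructed placeholder keyed on the book's own example address; a real lookup uses the IEEE registry or a site such as the Wireshark OUI lookup page referenced above.

```python
"""MAC address normalization, OUI extraction and flag bits (added example).

OUI_TABLE is a constructed placeholder, not real vendor data; use the IEEE
registry or an online OUI lookup for real addresses.
"""
import re

# Constructed placeholder: OUI (first 24 bits, upper-case hex) -> vendor.
OUI_TABLE = {
    "123456": "Example Vendor (placeholder)",
}

_HEX12 = re.compile(r"[0-9A-F]{12}")


def normalize_mac(text):
    """Accept XX:XX:XX:XX:XX:XX, XX-XX-XX-XX-XX-XX or XXXX.XXXX.XXXX (Cisco)
    and return the canonical colon form. Raise ValueError for anything that
    is not exactly 48 bits of hex."""
    raw = re.sub(r"[:\-.]", "", text.strip()).upper()
    if not _HEX12.fullmatch(raw):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def oui(mac):
    """The Organizationally Unique Identifier: first three bytes (24 bits)."""
    return normalize_mac(mac).replace(":", "")[:6]


def vendor(mac, table=OUI_TABLE):
    """Vendor for the address's OUI, or 'unknown' if the table lacks it."""
    return table.get(oui(mac), "unknown")


def mac_flags(mac):
    """Decode the two low bits of the first byte.

    bit 0 (I/G) set: group address, i.e. multicast or broadcast.
    bit 1 (U/L) set: locally administered, i.e. set in software rather than
    burned in by the NIC manufacturer, so the OUI does not identify a vendor.
    """
    first_byte = int(normalize_mac(mac)[:2], 16)
    return {
        "multicast": bool(first_byte & 0x01),
        "locally_administered": bool(first_byte & 0x02),
    }


def describe(mac):
    """Everything a vendor lookup page would show, plus the flag bits."""
    canonical = normalize_mac(mac)
    return {"mac": canonical, "oui": oui(canonical),
            "vendor": vendor(canonical), **mac_flags(canonical)}
```

A practical use of the flag check: the book's example address 12:34:56:78:9A:BC has the locally administered bit set, which tells you straight away that it is not a vendor-assigned burned-in address, so an OUI lookup on it cannot identify the hardware. A NIC reporting a locally administered address is a common sign the address was changed in software.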
Layer 1 – Physical layer
The physical layer (Layer 1) is used to transport the messages that are created by the host device using network media. When messages are placed on the media, they are converted into signals such as electrical, light, and radio frequency, depending on the medium (copper, fiber, or wireless). At this layer, the PDU is known as bits.
Network components
In every network there is some form of media that's used to transport messages (signals) between devices. Ethernet is the underlying technology standard that describes how messages (signals) are transmitted over a cable at a defined speed. Ethernet is part of a family of communication standards developed by the Institute of Electrical and Electronics Engineers (IEEE).
Important note
Specifically, Ethernet is defined by IEEE 802.3.
Furthermore, Ethernet has standards for both copper and fiber optic cabling and supports speeds ranging from 10 Megabits per second (Mbps) to 10 Gigabits per second (Gbps). Keep in mind that these speeds may vary based on various variables, such as the length of the cable, the type of cable, and whether the signals are transmitted through copper or fiber.
There are two main types of cabling that are used on an Ethernet network: copper and fiber. In the following sections, we will outline the characteristics of each type and their use cases.
Copper cabling is very cheap and easy to implement in almost all environments. There are two popular types of copper cables: Unshielded Twisted Pair (UTP) and Shielded Twisted Pair (STP).
Important note
STP cables provide protection from electromagnetic interference (EMI) compared to the UTP cable. However, due to this added feature, the cost of STP cables is a bit higher because a metal shielding is used during the manufacturing process and this needs to be grounded.
Each of these cables contains a total of eight copper wires, each of which has its own color code, as follows:
Green
White and green
Orange
White and orange
Blue
White and blue
Brown
White and brown
With copper, there are a number of cable categories. The following are the characteristics of various cables:
Cat 3: Contains two pairs of twisted wires and supports 10 Mbps at a maximum distance of 100 meters.
Cat 5: Contains four pairs of twisted wires and supports up to 100 Mbps at a maximum distance of 100 meters.
Cat 5e: Contains four pairs of twisted wires and supports up to 1,000 Mbps at a maximum distance of 100 meters.
Cat 6: Supports up to 10 Gbps at distances of up to 37 to 55 meters.
Cat 6a: Supports up to 10 Gbps at distances of up to 100 meters.
Cat 7: Supports up to 10 Gbps at distances of up to 100 meters.
Copper cables are all susceptible to attenuation. Attenuation is the loss of signal over a great distance. In the field of networking, when a device is sending a signal over the wire, the longer the distance the signal has to travel, the more likely the signal will deteriorate (get weaker) as it's moving along the wire.
Nowadays, ISPs are rolling out fiber-optic cables between their head offices and their customers' locations to provide increased bandwidth and other services. You may be wondering, what is fiber optic? Fiber uses light pulses to exchange messages in the form of bits. These light pulses are generated using light-emitting diodes (LEDs) rather than the electrical signals used in the regular network cables we are accustomed to. Since fiber cables use light pulses, this creates a major benefit for network and telecommunication professionals.
The core material a fiber cable is made with is either glass or plastic. The plastic core is cheaper to manufacture and therefore the fiber cable itself is cheaper to the customer. Additionally, it is less fragile compared to a cable with a glass core. The glass core allows for higher throughput due to its less dense material. Keep in mind that neither a glass nor a plastic core can be bent; both cores can be broken easily with very light force.
Fiber has some benefits; for example, much larger throughputs of network traffic can be supported, signals can travel along a fiber cable for many kilometers without experiencing signal loss, it's immune to EMI and RFI, and it allows service providers to transport more services and bandwidth to customers. However, there are a couple of disadvantages. The cost of fiber is a lot higher than the cost of copper cables because of the material composition. Also, the fragile nature of the fiber optic core (glass or plastic) makes the cable susceptible to damage.
Fiber optic cables can operate in two modes: single-mode fiber and multi-mode fiber. The following are the characteristics of these two modes:
Single-mode fiber has the following characteristics:
Small core
Suited for long distances
Uses a laser as the light source
Produces a single straight path for light
Commonly used to interconnect cities
Multi-mode fiber has the following characteristics:
Has a larger core
Suited for long distances, but shorter than single-mode fiber
Uses LEDs as the light source
Commonly used on LANs
Allows multiple paths for light
With that, we have covered all the layers of the OSI reference model in detail. Now, let's take a look at the TCP/IP protocol suite with reference to each network layer.
Understanding the TCP/IP protocol suite
As mentioned in the earlier sections of this chapter, TCP/IP was developed by the US Department of Defense and has been implemented in all networking devices since its approval. The protocol suite is currently maintained by the Internet Engineering Task Force (IETF).
Unlike the OSI reference model, the new updated TCP/IP protocol suite has five layers. The following diagram displays the five layers, along with their alignment to the OSI model:
Figure 1.16 – OSI model and TCP/IP protocol suite comparison
To compare, the upper layers of the OSI model (application, presentation, and session) are equivalent to the application layer (Layer 4) of the TCP/IP protocol suite. The transport layer of the OSI model remains the same for TCP/IP; however, the data link and physical layers are also equivalent to Layers 1 and 2 of the TCP/IP suite.
Keep in mind that TCP/IP has been implemented in all network-connected devices, ranging from end devices and smartphones to servers and network devices.
Understanding the functions of network devices
On almost every network, there is a range of different devices that can be found, each with a unique function and purpose. In this section, we will discuss the functions of various network components. At the end, you will understand the roles each network device plays to ensure we have end-to-end connectivity over a network.
In the following subsections, we will discuss the functions and features of a hub, switch, router, firewall, Intrusion Prevention System (IPS), Access Point (AP), Cisco-based network controllers such as Cisco DNA and Wireless LAN Controller (WLC), and endpoints and servers.
Hubs
In today's world, you won't really find too many hubs on enterprise networks. Hubs are a very old type of network intermediary device, used to interconnect computers, servers, printers, and other end devices to create a network. However, hubs are now obsolete and are no longer recommended to be used in any network.
Let's take a look at how hubs operate on a small network. Firstly, hubs are devices used strictly for repeating any incoming signals they may receive on any of their physical interfaces. To get a better understanding of how hubs forward traffic on a network, take a look at the following diagram:
Figure 1.17 – Operations of a Hub
As shown in the preceding diagram, there are four computers, each connected to a unique physical interface (port) on the hub. In our scenario, PC1 wants to send a message to PC4. PC1 sends the message to the hub since it's the intermediary network device. The message is sent as an electrical signal along the network and to the hub. When the hub receives the signal, it rebroadcasts it out of all other ports, except the incoming port.
This means the message is also sent to unintended devices on the network, which is both a networking and a security concern. First, let's understand the performance issues we can encounter if there are too many hubs as part of the network infrastructure. Any signal a hub receives is simply rebroadcast out its other physical interfaces. Let's imagine there are multiple hubs being used on a single LAN for a building, where each hub is used to extend the physical network in order to interconnect all devices, such as network printers, desktop computers, and servers. Each time a device sends a message (signal) into a hub's interface, the hub rebroadcasts it out of all the ports. This same signal will propagate to all the other interconnected hubs, which do the same in the same manner, thus causing unnecessary broadcast (noise) traffic, which, in turn, will create network congestion. Think of it as a roadway being filled with too many vehicles, resulting in heavy traffic.
The following diagram shows the replication of the broadcast traffic through a small network:
Figure 1.18 – Broadcast messages created by a Hub
Here, we can see that Node A sends a message to Node B but that the signal is being rebroadcast throughout the entire network.
What if you have two or more devices (nodes) transmitting messages at the same time over a hub-based network? The result is the same as two vehicles colliding; in a network, this is known as packets colliding, which results in packets being corrupted. This means that, to ensure there is almost no collision, only one device should send its message at a time on the network. This creates a challenge because all the end devices on the network will be fighting to use the medium, thus creating a contention-based network.
To overcome such challenges, Carrier-Sense Multiple Access with Collision Detection (CSMA/CD) is used to help end devices such as computers to determine whether the media is clear (available) to transmit data (send a signal). Let's use a real-world analogy to explain how CSMA/CD works on a network. Imagine that, one day, you are shopping in the city and you want to visit various shops and stores. There are roadways separating them. Imagine the roadway is the media (wire) and you have to cross the road to reach the other store. Before crossing the road, you look both ways (left and right) a few times to ensure there are no vehicles (signals) passing and that it's safe to cross the street. Therefore, you are checking the media to ensure no vehicles (signals) are passing. When the media is clear, you proceed to walk across to the other side (transmit).
CSMA/CD ensures a device checks the media for a signal. If a signal is found on the media, the device waits and tries again at a later time. If the media is free, the device proceeds to transmit its message across the network.
However, network switches overcome this issue and devices do not have to check the media before transmitting their messages. In the next section, we will learn about the characteristics of switches.
Layer2switchesSwitchesareconsideredtobesmartdevicescomparedtohubs.Switchesare
Telegram Channel : @IRFaraExam
devicesthatnetworkprofessionalsusetointerconnectenddevices(PCs,printers,servers,andsoon)andextendthenetworkinfrastructure,typicallyextendingaLANwithinabuilding.Asyoumayrecall,inahub,anyincomingsignalisrebroadcastedoutallotherports.However,withanetworkswitch,thisisnolongertheoperationalstate.Withaswitch,whenadevicewantstosendamessagetoanotherdevice,theswitchdirectlyforwardsthemessagetotheintendedrecipient.
ThefollowingdiagramshowsasmallLANwherePC1istransmittingamessagetoPC4andtheswitchforwardsthemessageonlytoPC4:
Telegram Channel : @IRFaraExam
Figure1.19–Functionsofaswitch
Youmaybewondering,howisthispossible?Howdoesaswitchdeferfromahub?Howdoestheswitchdeterminewhichinterface(port)therecipientisconnectedto?Toputitsimply,switchesoperateatthedatalinklayer(Layer2)oftheOSIreferencemodel.Asyoumayrecall,atthedatalinklayer,theMACaddressesareinsertedintotheLayer2encapsulationheaderoftheframe.
Telegram Channel : @IRFaraExam
Switches are able to read the Layer 2 header information found in frames and create a table to temporarily store the MAC addresses they learn about on their interfaces. This table is known as the Content Addressable Memory (CAM) table in Cisco switches. Whenever a frame enters a switch's interface, the source MAC address of the frame is stored in the CAM table and is associated with the incoming interface.
To further understand how a switch populates the CAM table, let's imagine we have three PCs, all connected to a network switch to create a small LAN, as shown in the following diagram:
Figure 1.20 – Devices interconnected using a switch
Whenever a switch boots up, the CAM table is empty because its content is stored in Random Access Memory (RAM). Therefore, the content is lost whenever the device is powered off or rebooted. To begin, the CAM table is
Figure 1.21 – ARP Request message
Each device on the LAN will receive the ARP Request message via a broadcast (all devices on the LAN receive the same message). At this point, the switch receives the ARP Request message on Interface 1 and populates the source MAC address in the CAM table, as shown here:
Figure 1.22 – CAM table
Only the device that has the IP address of 192.168.1.30 will respond with an ARP Reply, as shown here:
Figure 1.23 – ARP Reply
The ARP Reply message is a unicast transmission (device to device) and is sent directly to PC1. Keep in mind that the switch reads the frame header and populates the source MAC address into its CAM table, as shown here:
Figure 1.24 – CAM table
Additionally, the end devices also have their own ARP cache that temporarily records IP-to-MAC binding information. If there are no messages being exchanged with a MAC address for a predefined time interval, the operating system removes it from its ARP cache. On Cisco devices, the CAM table maintains a default inactivity timer of 300 seconds (5 minutes); this value can be modified.
Important note
To view the contents of the CAM table on a Cisco IOS switch, use the show mac address-table command.
To view the ARP cache on a Microsoft Windows operating system, follow these steps:
1. Open the Command Prompt.
2. Use the arp -a command and press Enter.
The following snippet shows the ARP cache's contents on a Windows host computer on my network:
Figure 1.25 – ARP cache on a Windows machine
To view the ARP cache on a Linux operating system, use the following steps:
1. Open the Terminal.
2. Use the arp command and press Enter.
The following snippet shows the ARP cache's contents on a Linux (Debian) host computer on my network:
Figure 1.26 – ARP cache on a Linux machine
In both snippets, we can see that the ARP cache contains the IP-to-MAC address bindings of the other devices that exchanged messages.
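As an added example (my code, not the book's), here is a small Python model of the CAM table learning, flooding and aging described above, replaying the ARP exchange of Figures 1.21 to 1.24 on the three-PC LAN. The MAC addresses, the port numbers, and the assumption that PC3 is the owner of 192.168.1.30 are constructed for the example.

```python
import time
from dataclasses import dataclass, field

# Constructed model of a Layer 2 switch's CAM table (not the book's code).
BROADCAST = "ff:ff:ff:ff:ff:ff"
DEFAULT_AGING_SECONDS = 300  # Cisco IOS default CAM inactivity timer (5 minutes)


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: str = ""


@dataclass
class Switch:
    """A switch whose CAM table lives in volatile memory: empty at every boot."""
    ports: list
    aging_seconds: int = DEFAULT_AGING_SECONDS
    # MAC address -> (port it was learned on, time it was last seen)
    cam: dict = field(default_factory=dict)

    def _age_out(self, now):
        """Drop entries that have been idle for longer than the inactivity timer."""
        stale = [mac for mac, (_, seen) in self.cam.items()
                 if now - seen > self.aging_seconds]
        for mac in stale:
            del self.cam[mac]

    def receive(self, ingress, frame, now=None):
        """Handle a frame arriving on port 'ingress'; return the list of egress ports."""
        now = time.time() if now is None else now
        self._age_out(now)
        # Learning: bind the frame's source MAC to the port it arrived on.
        self.cam[frame.src_mac] = (ingress, now)
        # Forwarding: a known unicast destination goes out exactly one port;
        # broadcasts and unknown unicasts are flooded out every port but the ingress.
        if frame.dst_mac != BROADCAST and frame.dst_mac in self.cam:
            egress = self.cam[frame.dst_mac][0]
            return [] if egress == ingress else [egress]
        return [p for p in self.ports if p != ingress]

    def show_mac_address_table(self):
        """Rough analogue of 'show mac address-table': sorted (MAC, port) pairs."""
        return sorted((mac, port) for mac, (port, _) in self.cam.items())


def arp_exchange_demo():
    """Replay the ARP Request/Reply of Figures 1.21-1.24 on a three-PC LAN."""
    sw = Switch(ports=[1, 2, 3])
    # Constructed MAC addresses: PC1 sits on port 1, PC3 on port 3.
    pc1_mac, pc3_mac = "00:aa:bb:00:00:01", "00:aa:bb:00:00:03"
    t0 = 1000.0
    # PC1 broadcasts an ARP Request for 192.168.1.30: the switch learns PC1's
    # MAC on port 1 and floods the request to ports 2 and 3.
    flooded_to = sw.receive(1, Frame(pc1_mac, BROADCAST, "who-has 192.168.1.30"), now=t0)
    # Only the owner of 192.168.1.30 (assumed here to be PC3) answers, by unicast.
    # PC1's MAC is already in the CAM table, so the reply is sent to port 1 only.
    reply_to = sw.receive(3, Frame(pc3_mac, pc1_mac, "192.168.1.30 is-at PC3"), now=t0 + 1)
    return flooded_to, reply_to, sw.show_mac_address_table()


if __name__ == "__main__":
    flooded, replied, table = arp_exchange_demo()
    print("ARP Request flooded to ports:", flooded)   # [2, 3]
    print("ARP Reply forwarded to ports:", replied)   # [1]
    for mac, port in table:
        print(f"{mac}  ->  port {port}")
```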
Now that we have an understanding of how Layer 2 switches function, let's take a look at Layer 3 switches.
Layer 3 switches
Layer 3 switches have all the same functionalities as Layer 2 switches. However, these devices come with an additional feature. They can read the information within an IP packet header, including the source and destination IP addresses. This enables the Layer 3 switch to interconnect two or more networks together and allows basic routing of IP packets between networks.
Keep in mind that Layer 3 switches do not have all the features of a Cisco router. In the next section, you will learn about the features and characteristics of a Cisco router.
Routers
A router is a device that is used to interconnect two or more different IP networks. These devices observe the destination IP address within the header of an IP packet, then check their local routing table for an available path to the destination's network when making the decision to forward the packet to the recipient.
Since routers can read and understand IP, they are considered to be Layer 3 devices. Without routers, end devices would not be able to communicate with devices residing on another IP network. The following diagram shows two IP networks, 192.168.1.0/24 and 172.16.1.0/16. Devices on the 192.168.1.0/24 network will only be able to intercommunicate between themselves; the same goes for the devices on the 172.16.1.0/24 network:
Figure 1.27 – Router interconnecting different networks
To allow both networks to exchange messages, a Layer 3 device such as a router is required. The router is used to interconnect these two different networks. Additionally, the router acts as the default gateway for each of the networks. This means that if PC1 wants to send a message to PC2, the message must be sent to the doorway that leads to another network. This is the router in this scenario.
As a real-world example, your network at home is a private network and uses technologies a bit differently than those that are used on the ISP network and the internet. The following diagram shows a home network that is connected to the internet:
Figure 1.28 – Internet connection to a house
The private network uses a very different address space than what is used on the internet (public network). To allow communication between these networks, the ISP provides you with a modem, which has the capabilities of a router. This allows the ISP network to interconnect to your home (private) network. Lastly, the modem in this scenario acts as the default gateway for all your devices, providing a path to the internet.
Now that you have learned about the fundamentals of routers, let's cover the importance of implementing a firewall on an enterprise network.
Next-generation firewalls and IPS
A firewall is a network security appliance that is designed to filter malicious traffic, both inbound (entering a network) and outbound (leaving a network). Firewalls have an important role to play in networks of different sizes. These appliances typically sit at the network perimeter of an enterprise network, carefully inspecting all incoming and outgoing traffic, looking for any security threats and blocking them.
To get a better understanding of the benefits of using a firewall, let's use a simple analogy. A vehicle such as a car has a physical component called a firewall, which is the barrier between the cabin and the engine. The purpose of this component is important in the event of the engine of the car catching fire; the firewall will prevent most (if not all) of the fire or heat from entering the cabin where the passengers are seated. Another analogy is a castle being surrounded by a moat and a single drawbridge that provides people with a single entry and exit point. In the event an opposing side wants to invade the castle, the drawbridge can be raised, and the moat will prevent the enemy from entering.
It is highly recommended to implement a firewall on your network. The internet contains millions of useful resources, from training videos to cooking recipes. However, there are many threats, such as malware and hackers, that roam the internet and attempt to infect and compromise systems. The firewall will act as the first line of defense against these threats.
The following diagram shows the typical deployment of a firewall on a network:
Figure 1.29 – Perimeter firewall deployment
Next-generation firewalls (NGFW) are designed to be superior in many ways, such as protecting the network and users from advanced threats, providing Deep Packet Inspection (DPI), preventing ransomware from entering the network, and having Virtual Private Network (VPN) features.
A firewall, by default, will allow traffic originating from the internal private network to go to all other networks, such as the internet. However, any traffic that is initiated from the internet to the internal corporate network is blocked by default. The firewall uses the concept of a security zone to help determine the level of trust it has for a logical network. When deploying a firewall, the security engineer must configure the interfaces of the firewall as security zones, each with a trust level.
The following diagram shows the default security levels for a Cisco Adaptive Security Appliance (ASA) firewall:
Figure 1.30 – Security zones of a firewall
The Inside Zone is usually your private, internal network, which is supposed to be a fully trusted and safe environment for all devices in the corporate network. This zone will normally hold a security level of 100 to indicate it's a fully trusted security zone. The firewall will allow all traffic originating from the Inside Zone with a security level of 100 to all other zones that have lower security levels. The internet as we know it is the most unsafe network in existence, being filled with extremely malicious malware and hackers, so the internet is usually assigned a security level of 0 as a Zero Trust zone. Any traffic that has been initiated from the internet to the Inside Zone will be blocked by default on the firewall. However, keep in mind that if a user on the Inside Zone has initiated a connection to the Outside Zone, the firewall will allow it by default, and if there is any returning traffic, the firewall will allow it as well. For example, as you open a web browser to visit www.google.com, the firewall will allow the HTTP GET message to the web server, and then the web server will send a response back to the user's computer. In this case, the firewall will only allow the returning traffic.
Important note
Please note that the security-level schemes mentioned in this book are based on Cisco technologies.
The Demilitarized Zone (DMZ) is a semi-trusted zone that's attached to the firewall on the corporate network. This zone is created to place servers that are accessible from the internet and the Inside Zone. The following are some guidelines for creating a DMZ on your network:
The traffic initiating from the DMZ should not be allowed to access the Inside Zone.
Rules should be created on the firewall to allow specific traffic to flow to the servers within the DMZ only. If there is a web server, then incoming HTTP and HTTPS traffic should be sent only to the web server.
Ensure traffic initiating from the Inside Zone can access the DMZ.
Lastly, the security level of the DMZ should be between the values of the Inside and Outside Zones. However, within an organization, there may be multiple trusted zones that have a security level closer to 100. There may be additional trusted zones, so the DMZ should have a security level of 50.
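As an added example (my code, not the book's and not Cisco's), the following Python model applies the security-level behaviour and DMZ guidelines described above to a few constructed packets: Inside Zone 100, DMZ 50, Outside Zone 0, plus one explicit rule that permits only HTTP and HTTPS from the outside to a constructed DMZ web server. It assumes that traffic between zones of equal level is denied unless a rule permits it, and it tracks connections by 5-tuple so that only the return traffic of a permitted flow gets back in.

```python
from dataclasses import dataclass

# Constructed model of ASA-style security levels (not Cisco's code or configuration).
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """An explicit permit from a lower-trust zone to one server and a set of ports."""
    from_zone: str
    to_zone: str
    dst_ip: str
    ports: frozenset
    proto: str = "tcp"

    def matches(self, pkt):
        return (self.from_zone == pkt.src_zone and self.to_zone == pkt.dst_zone
                and self.dst_ip == pkt.dst_ip and self.proto == pkt.proto
                and pkt.dst_port in self.ports)


class Firewall:
    def __init__(self, rules=()):
        self.rules = list(rules)
        self.connections = set()   # 5-tuples of flows the firewall has permitted

    def inspect(self, pkt):
        """Return 'allow' or 'deny' for one packet, recording permitted new flows."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # Returning traffic for a flow the firewall already permitted is allowed.
        if reverse in self.connections:
            return "allow"
        # Default behaviour: a higher security level may initiate to a lower one.
        if SECURITY_LEVEL[pkt.src_zone] > SECURITY_LEVEL[pkt.dst_zone]:
            self.connections.add(flow)
            return "allow"
        # Lower (or equal) to higher needs an explicit rule, e.g. for the DMZ web server.
        if any(rule.matches(pkt) for rule in self.rules):
            self.connections.add(flow)
            return "allow"
        return "deny"


def zone_policy_demo():
    """Run constructed packets through the policy and collect the verdicts."""
    web = "203.0.113.10"          # constructed DMZ web server (TEST-NET-3 address)
    client = "192.168.1.10"       # constructed Inside Zone host
    remote = "198.51.100.5"       # constructed internet host (TEST-NET-2 address)
    fw = Firewall([Rule("outside", "dmz", web, frozenset({80, 443}))])
    verdicts = {}
    # Browsing from the Inside Zone: the GET goes out, and the reply is let back in.
    verdicts["inside_to_internet"] = fw.inspect(Packet("inside", "outside", client, 40000, remote, 80))
    verdicts["return_traffic"] = fw.inspect(Packet("outside", "inside", remote, 80, client, 40000))
    # Unsolicited traffic from the internet to the Inside Zone is blocked by default.
    verdicts["internet_to_inside"] = fw.inspect(Packet("outside", "inside", remote, 50000, client, 445))
    # Internet to the DMZ: only HTTP/HTTPS to the web server is permitted by the rule.
    verdicts["internet_to_dmz_https"] = fw.inspect(Packet("outside", "dmz", remote, 50001, web, 443))
    verdicts["internet_to_dmz_ssh"] = fw.inspect(Packet("outside", "dmz", remote, 50002, web, 22))
    # The DMZ (50) may not initiate to Inside (100); Inside may initiate to the DMZ.
    verdicts["dmz_to_inside"] = fw.inspect(Packet("dmz", "inside", web, 50003, client, 445))
    verdicts["inside_to_dmz"] = fw.inspect(Packet("inside", "dmz", client, 40001, web, 80))
    return verdicts


if __name__ == "__main__":
    for name, verdict in zone_policy_demo().items():
        print(f"{name:24} {verdict}")
```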
Intrusion Prevention Systems
An Intrusion Prevention System (IPS) is a component that is used to detect and block malicious traffic. In a traditional deployment, the IPS appliance usually sits inline with all incoming traffic and behind the firewall on the network. This type of deployment ensures the IPS can inspect all traffic as it passes through the appliance.
The following diagram shows the traditional IPS deployment model on a network:
Figure 1.31 – Traditional IPS deployment
Traditional IPS appliances are deployed behind the firewall within the corporate network. Their purpose is to inspect any traffic and catch both suspicious and malicious traffic the firewall may have missed. Years ago, the IPS appliance was a separate physical device. However, with the advancement of technologies and innovation, Cisco has integrated the IPS into their next-generation firewall appliances as a module. The benefits of this are one less physical appliance and a firewall interface that provides a single management dashboard for both the Cisco IPS and firewall in an all-in-one appliance. This allows a firewall administrator to enable the IPS feature with the use of a license key provided by Cisco Systems.
Next-generation IPS (NGIPS) inspects and filters traffic a bit differently from a firewall. The IPS downloads a database of malware signatures from Talos, Cisco's Security Intelligence and Research Group. It uses this information to closely inspect all traffic flowing through it to identify any malicious traffic. Additionally, the IPS can be manually configured with predefined rules created by a security engineer. It can also automatically learn the behavior of the network to catch abnormal traffic types. The awesome benefit of having an IPS on a network is that if it detects any malicious traffic, it can stop it in real time, preventing the attack.
Tip
If you're interested in building your own IPS device, check out Snort at www.snort.org. Snort is an open source intrusion prevention system application.
On the other hand, IDSes are considered to be reactive devices compared to IPSes. An IDS is configured to receive a copy of the network traffic, detect security threats, and send alerts. IDSes are not implemented inline with network traffic, so they do not have the capability to stop an attack as it happens on a network. Furthermore, the IDS only sends an alert after an attack has happened, which makes it reactive in nature.
Now that we have learned about the functions of firewalls and IPSes, let's take a look at a device that allows us to extend a wired network into a wireless one.
Access Points
An Access Point (AP) is a device that allows you to extend a wired network into a wireless frequency, allowing wireless-compatible devices to connect and access the resources on the wired network.
This provides many benefits, such as the following:
Increases the mobility of users and roaming within a compound
Reduces the need for physical cabling
Increases the ease of access to a network
Wireless APs use a wireless radio frequency, which is broadcast from the AP using the 2.4 GHz and/or 5 GHz channels. This allows mobile devices with a compatible wireless NIC to listen on these frequencies and connect to an AP. Most commonly, 2.4 GHz APs are found on almost every wireless network due to the fact it was the first type of AP produced and a lot of organizations and home users invested in the technology.
Important note
The 2.4 GHz channel provides a lower frequency and gives a greater distance.
As there are so many buildings and homes equipped with a 2.4 GHz AP, the radio airways of 2.4 GHz are now a very saturated space, where each device is trying to transmit its data to clients without causing interference. This has become almost impossible now. The 2.4 GHz band uses a total of 11 channels; however, it is recommended to use channels 1, 6, and 11 to ensure there is no overlapping.
The following diagram shows the recommended clean channels of the 2.4 GHz band:
Figure 1.32 – Wireless channels range
However, even this recommendation is no longer beneficial. An AP can be using channel 2, 4, or even 8, which will create an overlap (interference) with the recommended channels (1, 6, and 11).
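As an added example (my code, not the book's), the following Python works out which 2.4 GHz channels overlap. It assumes that channel n is centred at 2407 + 5n MHz and that each channel is 22 MHz wide, and it shows both why 1, 6 and 11 are the clean set and which of those channels a neighbouring AP on channel 2, 4 or 8 interferes with.

```python
# Constructed model of 2.4 GHz channel overlap (not from the book).
CHANNEL_WIDTH_MHZ = 22          # width of a DSSS 802.11 channel (assumption)
NUM_CHANNELS = 11               # the 11 channels the text refers to


def centre_mhz(channel):
    """Centre frequency of a 2.4 GHz channel: 2407 MHz plus 5 MHz per channel number."""
    if not 1 <= channel <= NUM_CHANNELS:
        raise ValueError(f"channel must be between 1 and {NUM_CHANNELS}")
    return 2407 + 5 * channel


def overlaps(a, b):
    """Two different channels overlap when their centres are less than one width apart."""
    return a != b and abs(centre_mhz(a) - centre_mhz(b)) < CHANNEL_WIDTH_MHZ


def overlapping_pairs(channels):
    """All pairs within a channel plan that interfere with each other."""
    plan = sorted(set(channels))
    return [(a, b) for i, a in enumerate(plan) for b in plan[i + 1:] if overlaps(a, b)]


def is_clean_plan(channels):
    """True when no two channels in the plan overlap (as with 1, 6 and 11)."""
    return not overlapping_pairs(channels)


def interfered_by(plan, neighbour):
    """Channels of 'plan' that a neighbouring AP on channel 'neighbour' overlaps."""
    return [c for c in plan if overlaps(c, neighbour)]


def largest_clean_plan():
    """Greedily pick, lowest channel first, as many channels as fit without overlap."""
    chosen = []
    for ch in range(1, NUM_CHANNELS + 1):
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    print("recommended plan is clean:", is_clean_plan([1, 6, 11]))    # True
    print("largest non-overlapping set:", largest_clean_plan())      # [1, 6, 11]
    for rogue in (2, 4, 8):
        print(f"a neighbour on channel {rogue} interferes with",
              interfered_by([1, 6, 11], rogue))
```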
The 5 GHz frequency provides a lot more channels, thus creating less interference among nearby Access Points that are operating on the 5 GHz frequency. The downside of using 5 GHz is the short distance the signal can travel. However, this may be a benefit. Let's imagine that a company with multiple floors in their building is deploying 5 GHz Access Points; because the 5 GHz frequency travels much shorter distances, this means the possibility for one AP's signal to interfere (overlap) with another AP that is using the same frequency has been reduced.
Important note
In later chapters of this book, we will discuss wireless architectures in more depth.
Having covered the purpose of using Access Points, let's take our discussion a bit further and describe how to improve the management of our corporate wireless network.
Cisco Wireless LAN Controller (WLC)
A Wireless LAN (WLAN) is simply defined as a wireless network containing either a single Access Point at home for personal use or an organization containing multiple Access Points to provide wireless connectivity between employees' mobile devices (smartphones, tablets, and laptops) and the wired network infrastructure. With the increase of wireless networking, a lot of companies are implementing a Bring-Your-Own-Device (BYOD) policy to ensure an acceptable level of security is established and maintained. However, for network engineers, this means the wireless network needs to be able to support the large number of portable devices that are connecting and exchanging messages on the WLAN.
This will result in network professionals having to implement a robust wireless network with multiple APs throughout the organization, on each floor and in each room where a wireless signal is needed or required. Let's imagine that our fictional company, ACME Corp, owns a 10-storey building and that the network administrators have to implement Access Points. One key aspect is to maintain the consistency of each AP's firmware, configurations, and security settings. Imagine that, after the deployment of the wireless network, the network administrator has to make a change on the WLAN that will affect all Access Points. It's definitely not efficient to log in to each Access Point and manually make the changes in the device's configuration, as this is time-consuming and prone to human error.
A WLC allows a single management interface for the entire wireless network. This device enables you to control any number of APs on a network. Therefore, you can simply log in to a WLC and configure the entire WLAN, providing a centralized management platform for network professionals. In later chapters, we will cover various deployment models for Access Points and wireless LAN controllers in more detail.
Endpoints and servers
So far, we have been talking about intermediary devices that connect us to a network and the internet. However, we must not forget about the simple yet cool devices that allow us to communicate on a network and provide resources to others: endpoints and servers.
Servers are devices that run specialized applications that enable them to provide resources to users on a network. To get a better idea of the functionality of a server, let's imagine you work for a small business with approximately 30 employees, all residing in a single building. Each employee has their own company-issued laptop or desktop computer fitted with all the relevant software applications for each person to complete their duties efficiently. Each day, employees may be creating new documents and files that have to be shared with others in the organization; however, emailing each file to a user or group may not always be the best way to efficiently collaborate on a project.
In this case, a centralized file server can be set up within the company's network to allow various persons or all employees to centrally store their work-related files on the file server, rather than storing them locally on their computers (endpoints). In this scenario, the server is hosting files for the organization or the client (endpoint) devices to access.
Keep in mind that client devices (endpoints) are usually devices that are connected to a network to access a resource. These might be laptops, smartphones, tablet computers, desktop computers, and so on.
Cisco DNA
The Cisco Digital Network Architecture (DNA) is an IP-based software solution designed by Cisco Systems to provide engineers with applications they can use to manage, automate, and gather intelligence analytics, as well as monitor security, on a Cisco network across multiple devices and platforms.
Network topology architectures
One of the tasks you may have to perform as a network engineer is to design an optimal network for a customer. How do we get started with planning and designing a network? To get started with such a task, you need to determine some important key details about the customer's needs. The following are some key guidelines to help you plan your network:
Meet with the customer to determine their needs and expectations.
Understand the budget the customer has planned for the solution.
Ensure your team has the right skill set and certified professionals to work on the project.
Determine the type and quantity of the networking devices required for the implementation.
Important note
Please note that these are just a few typical questions; your planning phase should not be limited to the points mentioned here.
The first point is very important. As a professional in the field, you do not want to assume anything about the customer's needs. Ensure you have a proper discussion and take note of exactly what the customer needs and their expectations. If you think a service or solution should be added on to what the customer needs, suggest it to the customer, providing its pros and cons, and gather their feedback.
Ensure you understand the budget for the project before choosing the type or quantity of network equipment to purchase. To determine the right device(s) to purchase, use the following steps as a guide:
1. Go to Cisco's website at www.cisco.com.
2. Navigate to Products | Networking. Here, you will see subcategories such as Switches, Wireless, Routers, and so on.
3. Select Switches. Under Products, you will see that Cisco has made it simple for us to determine the type of network switch based on its purpose on a network. You'll see that there are network switches for LAN Access, Distribution and Core switches, Data Center, and even Small-business switches.
4. Click on Catalyst 1000 Series. When the new page loads up, click on Models. Here, you will see an overall description of each model belonging to the Catalyst 1000 line of products. However, your research does not stop here.
5. Scroll down until you see the Resources section. You will see the Data Sheet for the models; click on it. The Data Sheet provides the exact specifications for a variety of devices within the product family. It provides the type and number of physical interfaces, uplink capacity, bandwidth capacity, and the physical dimensions and weight of the device.
Applying the same approach to other devices, such as wireless, routers, and firewalls, will be very useful as you determine the right model of device(s) needed for the deployment of a project.
You may be wondering, what about the actual network design? Do we design all networks from the ground up? What makes our network design optimal? To answer all these questions, the experts at Cisco Systems have created a Design Zone containing tons of Design Guides. These are known as Cisco Validated Design (CVD) guides.
Important note
Cisco Validated Designs can be found at https://www.cisco.com/c/en/us/solutions/design-zone.html.
Keep in mind that there is a CVD for almost every type of network and deployment for various types of industries. These design guides will provide you with guidance, recommended devices, design models, and full descriptions of their solutions. Such design guides eliminate the need to reinvent the wheel when there are experts who have already created both approved and accredited designs.
Cisco has created both a 2 Tier and a 3 Tier network architecture, which are recommended for enterprise networks. In the following sections, we will discuss each of these architectures in greater detail.
2 Tier
When designing a LAN for a building or an organization that has multiple buildings near each other, we are in fact designing a campus LAN. Within a campus LAN, there are multiple network switches that are all interconnected. Sometimes, in the industry, you may see network switches interconnected in a fashion of chaining one switch to another. This is referred to as a daisy chain or daisy chaining.
The following diagram shows multiple switches in a daisy chain model:
Figure 1.33 – Daisy chaining
For IT professionals, this may be a workable approach to extend their local area networks within a building. However, a major disadvantage to using such a design is that there is no redundancy in the event a cable or device fails. A faulty cable or switch within the daisy chain can cause a disruption in network operations, which will affect all the devices that are connected to the faulty segment. Hence, such practices are not recommended when designing a campus LAN.
When designing a network, ensure it is hierarchical, creating various tiers to help you understand the roles of each device in the network. Ensure that the design is modular and improves the network's scalability, allowing you to expand the network and its services easily. Consider implementing resiliency and flexibility to ensure the user has a great experience while they execute their daily tasks in the organization. In other words, you don't want your users to experience a network failure that will disrupt daily transactions. Lastly, flexibility will ensure traffic is distributed between paths and devices efficiently.
Important note
In Section 5, Security Fundamentals, we will cover various security topics and techniques we can use to improve the security posture of a Cisco network.
This is where the Cisco 2 Tier architecture comes in to save the day when designing a LAN for a building – a campus LAN. This design creates two layers of switches: the distribution layer and the access layer.
The access layer provides a means of connecting end devices (computers, servers, printers, and so on) to the network. At the access layer, there is no form of redundancy between the end device and the access layer switch; this is due to most end devices usually having only a single NIC for LAN connectivity. However, each access layer switch is connected to two or more distribution layer switches, thus providing redundancy to the remainder of the network.
Tip
To see the Cisco access layer switches, please visit the following URL: https://www.cisco.com/c/en/us/products/switches/campus-lan-switches-access/index.html.
The following diagram shows the Cisco 2 Tier architecture within a building (campus LAN):
Figure 1.34 – Cisco 2 Tier architecture
In a Cisco 2 Tier architecture, the distribution layer is known as the Collapsed Core. The distribution layer is responsible for the following roles and functions on a campus LAN:
Providing Quality of Service (QoS) to prioritize network traffic
Access Control Lists (ACLs) to filter network traffic
Basic routing functions
The distribution layer also provides redundancy for interconnecting multiple access layer switches to expand the campus LAN.
Tip
To find out more about the Cisco distribution layer switches, please visit the following URL: https://www.cisco.com/c/en/us/products/switches/campus-lan-switches-core-distribution/index.html.
Keep in mind that the Cisco 2 Tier architecture is typically used within a building. This brings about the question, how do we interconnect multiple buildings that each have a Cisco 2 Tier architecture? One method is to simply interconnect the distribution switches of one building with another.
The following diagram shows multiple branches interconnected using the 2 Tier model:
Figure 1.35 – Multiple campus LANs
As you may have noticed, each distribution layer switch is connected to each other distribution layer switch in each of the campus LANs. As the network grows and more branch offices (campus LANs) are created, there will be too many inter-branch connections and the design will not be efficient.
To solve this issue, Cisco has designed a 3 Tier hierarchical model.
3 Tier
In the Cisco 3 Tier architecture, there are three layers. There is now a core layer. The core layer is defined as the high-speed backbone of the network. These core layer switches are used to forward traffic as quickly as possible between networks that are geographically separated. To put this simply, the core layer switches are used to interconnect each campus LAN to the others in a more efficient way.
The following diagram shows a simplified version of the Cisco 3 Tier model:
Figure 1.36 – Cisco 3 Tier architecture
The core layer plays a vital role in an enterprise network. To get a better idea of how the connections are made in a real-world scenario, let's take a look at the following diagram:
Figure 1.37 – Cisco 3 Tier architecture interconnecting multiple branches
As you can see, there are three campus LANs (branches). Each campus LAN has its own access layer switches that allow end devices to access the network. There is the distribution layer, which provides redundancy to the access layer via multiple paths to each end device.
Important note
In the 2 Tier architecture, the collapsed core plays the role of both the distribution and core layers as one.
The core layer ensures each campus LAN (branch) is interconnected. If a branch has to send network traffic to another branch office, the traffic goes up to the distribution layer and then to the core layer for forwarding. Additionally, the core layer connects to the routers of the enterprise network. These routers provide internet and WAN connectivity.
The Cisco 3 Tier hierarchy has the following benefits:
Improves network performance
Improves the scalability of the network
Creates better redundancy between paths
Improves network management
The following is a summary of the functions and characteristics of each layer of the Cisco 3 Tier model:
The core layer is the high-speed backbone of the network. These switches are used to forward traffic as quickly as possible between networks that are geographically separated.
The distribution layer is responsible for providing a boundary by implementing access control lists and other types of application filters and policies. The distribution layer is made up of Layer 3 switches.
The access layer is used to interconnect end devices such as computers, printers, and servers.
Having completed this section, you are now able to identify the functions and purposes of each layer of both the Cisco 2 Tier (collapsed core) and 3 Tier architectures.
Summary
In this chapter, we learned about the evolution of networking and how the internet came into existence. Then, we learned about two important protocol models: the OSI reference model and the TCP/IP protocol suite. However, only TCP/IP is implemented on devices, which allows messages to be exchanged across a network. Furthermore, we looked at the roles and functions of various networking components and how they forward messages between devices. Lastly, we covered the essentials of the Cisco 2 Tier and 3 Tier architectures in detail to help you understand how to design a campus LAN for an organization.
I hope this chapter has been informative for you and that it will be helpful in your journey toward learning how to implement and administer Cisco solutions and preparing for the CCNA 200-301 certification. In the next chapter, Getting Started with Cisco IOS Devices, we will learn how to access and configure Cisco IOS devices while building a small network.
Questions
Here's a short list of review questions to help reinforce your learning and help you identify gaps in your knowledge:
1. Which layer of the OSI reference model is responsible for encapsulating the physical address of a device?
A. Internet
B. Data link
C. Network
D. Link
2. An employee uses Microsoft Outlook on their client PC to send and receive emails to/from others. Which is the highest layer of the OSI model?
A. Presentation
B. Internet
C. Session
D. Application
3. The physical address of a device is made up of how many bits?
A. 32
B. 42
C. 48
D. 52
4. Which layer of the TCP/IP protocol suite is responsible for computing the checksum (hash) and determining whether a frame is damaged?
A. Network access
B. Data link
C. Physical
D. LLC
5. In which layer of the TCP/IP protocol suite does routing occur?
A. Network
B. Internet
C. Router
D. Data link
6. What does a Cisco switch use to make the decision to forward a message across a network?
A. Destination IP address
B. Destination MAC address
C. Source MAC address
D. Source IP address
7. Which network protocol is used to resolve the MAC address to the IP address of a host on the same local area network?
A. ARP
B. HTTP
C. TCP
D. UDP
8. Which device is used to extend a network to another room or floor of a building?
A. Router
B. Firewall
C. Switch
D. Hub
9. Where does a Cisco switch store MAC addresses?
A. RAM
B. HDD
C. ROM
D. CAM
10. Which layer of the Cisco Campus LAN architecture is responsible for interconnecting different branch offices?
A. Router
B. Core
C. Distribution
D. Access
E. All of the above
Further reading
The following links are recommended for additional reading:
TCP/IP overview: https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/linked/tcpip.htm
Cisco 3 Tier architecture: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/campover.html
Understanding network port numbers: https://hub.packtpub.com/understanding-network-port-numbers-tcp-udp-and-icmp-on-an-operating-system/
Chapter 2: Getting Started with Cisco IOS Devices
You must be thrilled to start your journey of learning about Cisco technologies, especially learning how to implement and administer Cisco solutions in an enterprise organization. One of the key components to ensure your success is gaining a lot of hands-on experience with technologies. This hands-on experience will help you grasp the concepts we'll be talking about easily, while demonstrating the effect of configurations during the implementation phases. However, a major challenge for most beginners is getting hands-on experience during their learning and examination preparation phases. Another concern is getting access to Cisco equipment after classroom training hours or even when a training session has ended.
To solve these challenges, I am dedicating this chapter to demonstrating how to build a Cisco lab environment to get the hands-on experience you need, at your convenience.
In this chapter, we will cover the following topics:
Building a Cisco lab environment
Getting started with Cisco IOS devices
Accessing a Cisco IOS device
Configuring the Cisco IOS
Performing troubleshooting procedures
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:
Core:
A computer
PuTTY
Virtual lab environment:
Cisco Packet Tracer 7.3.0
GNS3 2.2.5
GNS3 VM server 2.2.5
VirtualBox 6.1
VMware Workstation 15 Pro (optional)
Cisco IOSv
Cisco IOSvL2
Cisco CSR1000v (optional)
Physical lab environment:
Cisco 2911 routers
Cisco 2960 switches
1 x Cisco 3560 switch or Cisco 3650 switch
1 x Cisco console cable
1 x RS-232 to USB converter cable
A few network patch cables (straight-through and crossover)
The code files for this chapter are available here: https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2002.
Check out the following video to see the Code in Action: https://bit.ly/360Odeo
Building a Cisco lab environment
It's very important to get a lot of hands-on practice when pursuing a technical Cisco certification. You can do this by labbing up everything, whereby you practice by putting everything you've learned for the certification into practice labs along the way.
In the following sections, you will learn about the various methods of building a Cisco environment using both virtual and physical equipment.
Cisco Packet Tracer
You may be wondering, what is Cisco Packet Tracer? Years ago, Cisco Systems created their own online learning platform using a variety of e-learning and collaboration tools for some of their certification programs. In doing so, they also created a very lightweight network simulator tool that allows users to build, design, and troubleshoot a Cisco enterprise network. Its purpose is to allow students to sharpen their skill set while learning and preparing for the CCNA certification.
Just a few years ago, the Cisco Networking Academy released Cisco Packet Tracer to the internet, allowing everyone to officially download and install the application on their personal computers. However, now, you must enroll in the Cisco Networking Academy's Intro to Packet Tracer online course.
Tip
The Intro to Packet Tracer course is designed to teach you all about the functionality and operations of the application as a learner. Enrolling is beneficial as the course will show you how to simulate real-world networking environments using Cisco solutions.
Is it better than other network simulators? Cisco has designed Cisco Packet Tracer as a lightweight network simulation application that allows learners to sharpen their skill set at the CCNA level. The simulator is not perfect compared to a physical Cisco IOS switch or router, but it provides the environment you need to configure and troubleshoot networks within its interface, allowing you to save money on purchasing physical equipment.
Why use Cisco Packet Tracer rather than physical equipment? While it's, of course, preferable to use physical equipment, we must remember that physical devices cost money and not everyone has a budget to support this cost. You can definitely get used and refurbished Cisco devices from various online retailers, but when purchasing such equipment, keep in mind that you will not be able to update the Internetwork Operating System (IOS) on those devices in future without having a service contract or valid licensing details from Cisco Systems. Cisco IOS 15 has many newer features compared to Cisco IOS 12 and prior. Therefore, Cisco Packet Tracer is the most efficient method of gaining hands-on experience, allowing you to put almost everything at the CCNA level into labs.
If you are concerned with whether the configurations used within the devices in Cisco Packet Tracer may be different from those used on the physical equipment, don't worry – the configurations are exactly the same.
One of the cool things I like about Cisco Packet Tracer is its ability to build a network and copy device configurations from the application, and then simply paste them onto the command line of a physical Cisco IOS device that's the same model. The physical device will accept the configurations seamlessly.
To get your hands on the Cisco Packet Tracer application, use the following instructions:
1. Go to www.netacad.com.
2. Click on Courses to expand the drop-down menu. Then, select Packet Tracer.
3. Scroll down until you see the online, self-paced course called Intro to Packet Tracer. Click on it.
4. Click on Sign up today!.
A new enrollment page will open. Be sure to complete the required fields to register for the course.
5. Once you have enrolled, log in to www.netacad.com using your newly created username and password.
6. Click on Resources to expand the drop-down menu. Then, click on Download Packet Tracer, as shown in the following diagram:
Figure 2.1 – Drop-down menu of the Resource page
7. Next, the Cisco Packet Tracer download page will open. Download the version specific to your operating system and install it using all the default settings.
Now that you have Cisco Packet Tracer installed on your computer, go through the Intro to Packet Tracer online course as it contains a lot of helpful tutorials, tips, and tricks so that you can get the most out of the application as a learner.
To get started quickly with Cisco Packet Tracer, use the following steps:
1. Open Cisco Packet Tracer.
2. In the bottom-left corner, you will see two short rows of icons. The upper row contains the parent categories of the network components, while the lower row contains the subcategories. The following image shows the parent categories:
Figure 2.2 – Cisco Packet Tracer device category
3. Click on each parent category, thus displaying the subcategories in the second row, as shown in the following image:
Figure 2.3 – Sub Device Category
4. Upon selecting a subcategory, you'll see some Cisco devices appear, as shown in the following image:
Figure2.4–NetworkdevicesinCiscoPacketTracer
5. Toaccessadevice,selectaCisco2911modelrouteranddragittothemainlayoutinCiscoPacketTracer.
6. Next,selecttheEndDevicescategoryanddragaPContothelayout.
Telegram Channel : @IRFaraExam
7. SelecttheConnectioncategory(theonewiththelightningboltsymbol)andselecttheconsolecable.
8. ClickonthePC.Alistofavailableportswillappear.Fromhere,choosetheRS-232port.
Importantnote
WewilldiscusstheimportanceoftheconsolecableandtheRS-232portintheAccessingaCiscoIOSdevicesection.
9. Then,dragthecabletotherouter.After,clickandselecttheConsoleport.
ThefollowingdiagramshowsthetypicalconnectionthatwehaveestablishedwithinCiscoPacketTracer:
Figure2.5–PCtorouterwithinCiscoPacketTracer
10. ToaccessthecommandlineoftheCiscoIOSrouter,clickonPC.SelectDesktop|Terminal,asshownhere:
Telegram Channel : @IRFaraExam
Figure2.6–TerminalwithinCiscoPacketTracer
11. TheTerminalapplicationwillopenlikeso.ClickonOKtoaccesstheCLI:
Figure2.7–Terminalsettings
Next,youwillseethattheCiscooperatingsystemisdecompressingandthatthe
Telegram Channel : @IRFaraExam
deviceisbooting.
ThefollowingimageshowstheuserinterfaceforCiscoIOSdevices:
Telegram Channel : @IRFaraExam
NowthatyouhaveanideaofsettingupCiscoPacketTraceronyourpersonalcomputer,let'slearnhowtouseamorerobustapplicationtoemulateCiscodevices,appliances,andenddevices.
Virtual CCNA Lab
Graphical Network Simulator 3 (GNS3) is an emulator for many network and security appliances. It uses the official operating systems and firmware of devices and creates a virtualized environment. This allows you to run the real operating systems of vendor devices on your laptop or desktop computer without having to purchase physical devices. Additionally, you can have a portable, software-based networking lab environment on the go.
Why is GNS3 better than Cisco Packet Tracer or physical equipment? It's convenient to have virtualized network and security devices right on your desktop computer. The benefit of using GNS3 is that it allows you to install the official Cisco operating systems into its application, which means you will be able to access the full functionality of the virtual Cisco router, switch, and firewall devices.
The only downside to using virtualization technologies is you'll need to have a good CPU that supports virtualization and a sufficient amount of RAM. When you start a virtual machine, in our case, it'll be a virtual appliance or device. They use the same amount of RAM as a physical device. This means that if a Cisco IOS router uses 1 GB of RAM, a virtual Cisco router within GNS3 will most likely be the same.
Another downside of using GNS3 is that you will need to use official Cisco IOS images within GNS3. Unlike Cisco Packet Tracer, which is a simulated environment, GNS3 creates an emulated working environment for official operating systems.
Important note
Cisco IOS images can be obtained from Cisco's website if you have a service contract that allows image downloads, you have a valid license agreement from Cisco Systems, or you purchase them directly from Cisco.
However, the benefit of using GNS3 is that you get very close to the real-world experience of the actual Cisco IOS devices. This includes the time it takes to converge the network and how all the Cisco commands work with operating systems (the switch, routers, firewalls, and so on).
To set up a GNS3 environment, use the following instructions:
1. To download the GNS3 client and GNS3 VM, go to www.gns3.com and click on Sign Up to create a user account on the website.
2. After creating your user account, log in to the website.
3. Click on Download.
You will see a Download button on the left-hand side of the screen. Click it to download the GNS3 standalone client. Additionally, download the GNS3 VM (virtual machine) by clicking the Download VM for GNS3 hyperlink, as shown in the following image:
Figure 2.9 – GNS3 download links
The GNS3 VM is recommended with the GNS3 client as it improves performance.
When you click Download VM for GNS3, you'll be provided with multiple options to download a virtual image specific to your hypervisor of choice: VirtualBox, VMware Workstation and Fusion, VMware ESXi, and Microsoft Hyper-V platforms. I would recommend Oracle VirtualBox as it's a really good hypervisor and it's free. However, I'll demonstrate how to set up the environment using both Oracle VirtualBox and VMware Workstation.
4. Download Oracle VirtualBox by going to www.virtualbox.org and clicking on Downloads. Choose the VirtualBox package for your operating system. Once the file has been successfully downloaded onto your computer, install it using all the default settings.
5. This step is optional as VMware Workstation is a commercial (paid) product. To get VMware Workstation Pro, go to https://www.vmware.com/products/workstation-pro.html to make an official purchase of the product.
6. Install the GNS3 standalone client on your computer using all the default settings within the installation wizard.
7. Right-click on GNS3 VM, select Open with, and choose VirtualBox or VMware Workstation to import the virtual machine into the hypervisor, as shown in the following image:
Figure 2.10 – GNS3 VM import options
8. If you are using VMware Workstation, the Import Virtual Machine wizard will open. Click Import to begin the process.
The following screenshot shows the import window on VMware Workstation:
Figure 2.11 – VMware Workstation import window
9. When the importing process has been completed on VMware Workstation Pro, click the Edit virtual machine settings link to adjust the CPU and RAM on GNS3 VM, as shown in the following image:
Figure 2.12 – VMware Workstation overview
I would recommend using the following settings on the GNS3 VM:
-- Memory (RAM): 8 GB
CPU:
-- Number of processors = 1
-- Number of cores per processor = 2
Enable any additional virtualization features found on the CPU tab.
When you're finished, click on OK to save the settings on VMware Workstation Pro.
10. If you are using Oracle VirtualBox to import GNS3 VM, you will see the following window; click on Import:
Figure 2.13 – VirtualBox Import Virtual Appliance window
11. After GNS3 VM has been imported into VirtualBox, select the virtual machine and click on Settings to adjust the CPU and RAM specifications.
12. Next, open the GNS3 standalone client application. Select Edit to expand the drop-down menu and click on Preferences, as shown in the following screenshot:
Figure 2.14 – GNS3 Edit menu
13. Click on the GNS3 VM tab. Then, set the options shown in the following image to connect the GNS3 client to the GNS3 VM:
Figure 2.15 – GNS3 VM configuration
If you are using Oracle VirtualBox, set Virtualization Engine: VirtualBox.
14. Click Apply and then OK to save these settings.
Now that we have configured the GNS3 VM so that it works with the GNS3 standalone client, on the GNS3 client user interface, on the right side, under Servers Summary, GNS3 VM should appear, as shown in the following screenshot:
Figure 2.16 – GNS3 Servers Summary
To add an official Cisco IOS image in GNS3, use the following instructions:
1. Ensure both the GNS3 client and GNS3 VM are up and running. To add a Cisco IOSv router appliance, click on the Router icon and then New template, as shown in the following image:
Figure 2.17 – GNS3 interface
2. Select Install an appliance from the GNS3 server and click Next, as shown here:
Figure 2.18 – New template window in GNS3
3. Search for Cisco IOSv to quickly find the template and click Install, as shown here:
Figure 2.19 – Appliance template window in GNS3
4. Select Install the appliance on the GNS3 VM and click Next, as shown here:
Figure 2.20 – Install Cisco IOSv appliance window in GNS3
5. The Qemu binary options will be automatically selected. Click Next, as shown here:
Figure 2.21 – Qemu setting in GNS3
Set the required IOSv version based on the IOSv image you got from Cisco and click Import:
Figure 2.22 – Install Cisco IOSv Appliance window on GNS3
After importing the Cisco IOSv into GNS3 VM, you should see that the status shows that the image has been found.
6. Next, select IOSv_startup_config.img and click Download to retrieve the file that's required to complete the installation:
Figure 2.23 – Install Cisco IOSv missing file status
7. Once both the IOSv and startup-config files have been uploaded to GNS3 VM, the status of the IOSv router appliance will change to Ready to install. Click Next, as shown in the following screenshot:
Figure 2.24 – Cisco IOSv ready to install window on GNS3
8. When the installation is completed, click OK to accept the message of a successful installation and click Finish to close the wizard, as shown in the following screenshot:
Figure 2.25 – Installation confirmation window in GNS3
To add a Cisco IOSvL2 switch to GNS3 VM, follow the same procedure mentioned previously. Don't forget that when you have reached step 3, search for IOSvL2 instead as it's a Cisco switch rather than a router.
To add and access devices within GNS3, please use the following instructions:
1. In GNS3, click File to open the drop-down menu and select New Blank Project.
2. Create a project name and choose a location to save the project files. Then, click OK.
3. On the left of the GNS3 window, click the Router icon to show all available devices.
4. Drag the newly created router onto the center of the GNS3 layout.
5. Click the Play icon to start the device in GNS3.
The following image shows the Play, Pause, and Stop icons for controlling the device:
Figure 2.26 – GNS3 controls
Now, on the right-hand side of GNS3, under Topology Summary, you should see that the router icon has now turned green to indicate it's currently active.
6. To access the command-line interface of a device within GNS3, simply double-click on the device's icon on the main layout. This will open PuTTY or the default Terminal program on your computer.
7. If you add more devices to GNS3, you can click the Cable icon to use the same method to interconnect devices.
Important note
During the installation of the GNS3 standalone client, PuTTY was included during the installation phase.
When you are finished, be sure to click the Stop icon to power down all the virtual devices within GNS3. Additionally, closing the GNS3 client will automatically power off the GNS3 VM as well.
Now, you know how to create a virtual environment to sharpen your skills for the CCNA certification. Let's take a dive into understanding the requirements for acquiring a physical lab.

Physical labs
As I always say, there is no greater experience than using the real, physical equipment. The benefit of using physical equipment, especially for network engineering, is the fact you see everything in action. Please note that I'm not saying you won't see it in a virtualized environment, but there is something irreplaceable about using physical equipment – perhaps it's the thrill.
The following is a list of devices I recommend using if you are interested in building a physical lab:
Cisco 2911 routers
Cisco 2960 switches
Cisco 3560 switch or Cisco 3650 switch
1 x Cisco console cable
1 x RS-232 to USB converter cable
A few network patch cables for interconnecting devices
The quantity of these devices will depend on how large you wish to scale your physical lab. Ideally, having two devices, such as two laptops, to test end-to-end connectivity is highly recommended. Lastly, ensure each Cisco device is running the latest version of its operating system. This ensures the essential features are available to you when needed.
Having completed this section, you have gained the essential skills you need to build your very own Cisco lab environment. We'll take a deep dive into learning about the Cisco operating system in the next section.
Getting started with Cisco IOS devices
Nowadays, almost all electronic devices have some form of firmware to help them execute tasks. In most instances, there is an operating system that's used to provide the user with a lot of functionality. Similar to a typical laptop computer or a smartphone, there are hardware components such as a Central Processing Unit (CPU), also referred to as the processor, that are used to execute arithmetic calculations and provide control over the computer. There is also Random Access Memory (RAM), which is used to temporarily store data while the CPU accesses it, and there is a storage unit where you can store the operating system and other types of data while the device is powered off.
However, without an operating system such as Windows, macOS, or even Linux, the components of the computer will not be able to work together to execute functions defined by the user. To put it simply, the operating system provides a process for controlling the hardware components of the device and allows you, the user, to tell the computer/device what to do.
Cisco Systems created their own proprietary network operating system for their switches and routers called the Cisco Internetwork Operating System (Cisco IOS). The Cisco IOS allows you to configure and manage their devices via a command-line interface (CLI).
You read that correctly – it's a command line. Don't be worried – I'll share a little insight into my personal experience. When I started my journey to get my first CCNA certification some years ago, I was feeling a bit apprehensive. I was accustomed to Graphical User Interfaces (GUI) on all devices and the thought of learning code was cool, but at the same time, very new to me. However, to this day, I love working on device systems and devices using command lines as I have realized how powerful CLIs can be in any device.
Throughout this book, I'll ensure you will be able to understand the purpose of each command we use to execute a function and build an optimal Cisco network.

Boot process
In any computer or mobile device, the operating system needs to be stored in an area of memory on the device when it is powered off. In computers, we use either a hard disk drive (HDD) or a solid-state drive (SSD) to hold the operating system and other important data (files). The benefit of having an HDD/SSD is that when the device is turned off or restarts, its content is not lost. However, on a Cisco switch or router, there are no local hard disk drives or solid-state drives, so where is the Cisco IOS stored?
The Cisco IOS is stored in a location called Flash. Data that is written to Flash memory is not lost when the device is turned off or rebooted.
Important note
This type of memory is referred to as non-volatile random access memory (NVRAM).
To get a clear understanding of the actual boot process of a Cisco IOS device, let's look at the following stages:
1. Upon powering on a Cisco device, a Power-on Self Test (POST) is executed by the device's firmware to check for the possibility of any hardware failure prior to loading the Cisco IOS. If everything seems fine, the firmware loads the Bootstrap, which is located in Read-only Memory (ROM).
2. The Bootstrap checks in the Flash memory for the Cisco IOS file. If found, the Cisco IOS is loaded into RAM.
3. If the Cisco IOS is not found in the Flash memory, the device checks for a local Trivial File Transfer Protocol (TFTP) server on the network. One common practice in the industry is that networking professionals remove the Cisco IOS file from the devices and place them on a local TFTP server. This creates the effect that each time a device boots up, it will pull the Cisco IOS across the network from a TFTP server and load it into its RAM.
4. If the Cisco device is unable to locate a TFTP server on the network, it loads a scaled-down version of the Cisco IOS into the RAM. The scaled-down version provides the essential functions that allow the device administrator to troubleshoot and reload the Cisco IOS file into its Flash memory, therefore restoring the device into a workable state.
5. Once the Cisco IOS is loaded into the RAM, the bootstrap will check the contents of NVRAM for previously saved configuration files; this file is known as startup-config. If a startup-config file is found, it is loaded into the RAM.
6. If a startup-config file is not found, the device loads its default configurations into the RAM as running-config.
The contents of the RAM are known as running-config. This running-config is the device's current configuration as the device is powered on. However, keep in mind that if the device loses power or gets rebooted, the content of its RAM is lost.
Important note
running-config does not automatically save into NVRAM. The device's configurations need to be saved manually as this creates or updates the startup-config file.
The following is a flowchart to give you a better visual representation of the boot process of a Cisco IOS device:
Figure 2.27 – Cisco IOS device boot process
Now that we have covered the essentials of the Cisco IOS boot process, let's cover the various methods a person can use to access a Cisco IOS device.
Accessing a Cisco IOS device
Unlike a computer or smartphone, a network intermediary device such as a router or switch does not have a display screen that shows you the user interface for managing the operating system. Whenever you purchase a new Cisco IOS device, within the packaging of the box, you will usually find a blue cable; this is called a console cable or rollover cable.
The following is an image of a console cable:
Figure 2.28 – Cisco console cable
On one end, there's a DB-9 (RS-232) interface, which is used to connect to a computer's DB-9 (RS-232) port. However, modern-day computer and laptop manufacturers no longer make devices with these interfaces. Instead, you can get an RS-232 to USB converter cable from an online or local computer store. This converter cable enables you to use the console cable over a USB connection.
The following is an image of the RS-232 to USB converter cable:
Figure 2.29 – USB to RS-232 converter cable
At the other end of the console cable, you'll see the cable terminates using an RJ-45 (registered jack). This end of the cable is to be inserted only into the console port of the Cisco IOS device. The console port is typically located at the back of a device or sometimes on the front. For us to quickly identify the console port, Cisco has printed a label on it.
Important note
There are additional methods for accessing a Cisco IOS device, such as Secure Shell (SSH) and Telnet. These will be covered in later sections of this book.
The console port provides physical management of the device. However, the console port is typically used to configure the device with initial configurations until it's deployed on the network for remote access management. Network professionals can also use the console port as a management interface when performing maintenance procedures.
The following photo shows the console port on the back of a Cisco IOS device:
Figure 2.30 – Console port on the back of a Cisco IOS router
Upon making the connection between the PC and the Cisco IOS device using the console cable, a serial connection is created between the PC and the device via the RS-232-to-USB cable. To access the CLI of the Cisco device, we will need a terminal emulation application on our computer.
The following is a brief list of terminal emulation applications:
PuTTY (free)
SecureCRT (commercial)
Tera Term (free)
To access the CLI, please use the following steps:
1. Connect the console cable to your laptop and the Cisco IOS device. This will create a serial connection.
2. Open Control Panel and click on Device Manager.
3. Expand the Ports (COM & LPT) category to see the COM interface being used.
The following screenshot shows the details listed under the Ports category:
Figure 2.31 – Device Manager on Windows
At the time of writing, COM3 was used for the serial connection. This information will be useful for the next few steps. Please keep in mind that the COM port is dependent on your computer and availability. Be sure to verify the COM port before moving on to the next step.
4. Download PuTTY (www.putty.org) and open it. Use the following settings on the terminal emulation application:
-- Connection Type: Serial
-- Serial Line: COM3
-- Speed: 9600
-- Data bits: 8
-- Parity: None
-- Stop bit: 1
-- Flow control: None
The following screenshots show the user interfaces for both PuTTY and SecureCRT:
Figure 2.32 – PuTTY and SecureCRT interfaces
5. Click on Open or Connect on the terminal emulator to access the command line of the device.
The following image shows the typical welcome screen when connecting to the IOS:
Figure 2.33 – CLI of a Cisco IOS router
Now that you have learned how to access a Cisco IOS device using the console cable, let's take a look at how to navigate the Cisco IOS and learn some Cisco commands.
Configuring the Cisco IOS
The Cisco Internetwork Operating System (Cisco IOS) is a full-fledged operating system that provides you with an interface to control the hardware and the device. The Cisco IOS has many security features to ensure you are able to secure a network environment and the device as well. One such security feature is that the Cisco IOS has many command modes. This separates the management access interface into the following modes:
User Exec
Privilege Exec
Global configuration mode
When you establish a console connection to a Cisco IOS device, you are taken directly into the User Exec mode by default. User Exec mode provides very limited capabilities for a user as it allows for basic troubleshooting and monitoring commands such as ping and traceroute.
User Exec mode can be easily identified with the > prompt, as shown here:
Router>
Privilege Exec mode allows the user to perform many more commands within the Cisco IOS. In this mode, the user can configure the system clock, perform many troubleshooting or "show" commands, and access the global configuration mode.
To access privilege mode from User Exec mode, simply enter the enable command.
Privilege Exec mode can be easily identified with the # prompt, as shown here:
Router#
To exit privilege mode, use the disable command. This takes you back to User Exec mode.
Global Configuration mode allows a user to make changes to the entire Cisco IOS. Any configuration entered in this mode affects the operations of the entire device immediately. Other command modes are accessible from global config, such as interface modes, line configuration modes, router mode, and many more. In the remaining chapters of this book, you will learn about other modes and advanced configurations to help you build and design an enterprise network.
From Privilege Exec mode, you can use the configure terminal command to access Global Config.
Global Config mode can be easily identified, as shown here:
Router(config)#
To exit Global Config, use the exit command. This will take you back to privilege exec mode.
Tip
In any mode that is global config or higher, you can use Ctrl + Z on your keyboard as a shortcut to take you back into privilege exec mode. Additionally, you can use the Tab button on your keyboard to automatically expand your typing of a command. Cisco IOS also accepts short typing of commands, such as show ip interface brief, which can be typed as sh ip int bri; both are acceptable.
The following diagram provides a visual representation of the navigation process within the Cisco IOS:
Figure 2.34 – Cisco IOS navigation path
Now that you have learned how to perform basic navigation within the Cisco IOS, let's take it up a notch and build a small network using Cisco devices.
Setting up a small Cisco network
When building a network, it's always recommended to start with a network diagram called a network topology. A topology is used to show the logical and physical connections between devices on a network, as well as basic IP addressing assignments.
For our exercise, we are going to build the following network topology:
Figure 2.35 – Lab 1 – network topology
As you can see, there are two networks: 192.168.1.0/24 and 192.168.2.0/24. These are interconnected using a Cisco 2911 router. Each of these networks has a Cisco 2960 switch (SW1 and SW2) to extend their LAN. Additionally, each LAN has a single PC attached with the purpose of checking end-to-end connectivity when our lab is fully configured and operational.
You can use either physical equipment, GNS3, or Cisco Packet Tracer to complete this task. Simply interconnect the devices as shown in the preceding diagram.
The objectives of this lab are as follows:
Learning how to navigate the Cisco IOS
Configuring IP addresses on Cisco devices
Securing administrative and remote access
The following are the situations where you should use a copper straight-through cable:
PC to switch
Switch to router
Switch to server
The following are the situations where you should use a copper crossover cable:
PC to PC
Switch to switch
Router to router
Router to PC
Router to server
If you are using Cisco Packet Tracer, your topology should look as follows:
Figure 2.36 – Lab 1 – Network topology in Cisco Packet Tracer
To help make your learning experience better, we shall describe and demonstrate how to find our way around the Cisco IOS.

Task 1 – Learning how to navigate the Cisco IOS
To learn how to use the Cisco IOS and all its features for CCNA, please use the following instructions:
1. When you boot up a Cisco IOS router for the first time, you'll receive the following interactive message:
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]:
2. Type no and hit Enter on your keyboard a couple of times until you see the User Exec prompt.
Important note
The interactive dialog is designed to help non-technical users configure the device. However, as an upcoming networking professional, you should not use the interactive wizard as it's better to perform manual configurations on the device so that it fits your expected outcome. In other words, as much as the interactive dialog may be helpful, it may also install configurations onto the device that we may not want.
3. At this point, you should be in User Exec mode (>). To access Privilege Exec mode, use the enable command, as shown here:
Router>enable
Router#
Notice that the command prompt has changed to a pound or hash symbol (#).
4. To go back into User Exec, use disable to revert back to the previous command mode, as shown here:
Router#disable
Router>
The Cisco IOS is able to temporarily store the most recent commands executed on the device. Using the Up and Down keys on your keyboard will allow you to cycle through recently used commands for your current command mode. Therefore, if you are in Privilege Exec, you will only be able to see the most recent commands that are used with Privilege Exec.
5. Another cool feature is that the Cisco IOS has the ability to recognize a Cisco IOS command by simply typing the first part of the command itself. To further understand this concept, in User Exec mode, type the following command and hit Enter:
Router>en
Router#
Notice that the Cisco IOS accepts the en command as enable and carries you to Privilege Exec mode.
6. Next, let's learn how to use both context-sensitive help and the command syntax checker feature. To determine the correct syntax of a command, type part of the command and enter a question mark (?) right after.
The following is an example of context-sensitive help that's used to determine what commands begin with en in User Exec mode:
Router>en?
enable
Router>
The Cisco IOS provides a list of commands that begin with en and returns you to your current command mode. In our example, enable is the only Cisco IOS command that begins with en in User Exec mode. This is helpful if you have forgotten the spelling or the correct syntax to use during device configuration.
To explore this further, head on over to Privilege Exec mode on the router. As mentioned previously, this mode allows us to execute a lot of troubleshooting commands. These commands usually begin with show, followed by additional commands.
7. To see a list of available syntax that goes after the show command, place a ? after show. The following is an example of the expected results:
Router#show ?
  aaa                Show AAA values
  access-expression  List access expression
  access-lists       List access lists
  acircuit           Access circuit info
  adjacency          Adjacent nodes
  aliases            Display alias commands
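The prompt-to-mode mapping from the Configuring the Cisco IOS section, the unique-prefix abbreviations (en, sh ip int bri) and the en? context-sensitive help shown in the steps above follow two simple rules that are worth seeing in code. The following is an added example written for this edition of the text, not code from the book or from Cisco IOS; the command tree it holds is a small constructed subset of real IOS keywords, and the mode names are the ones the chapter uses. It implements the rules a reader should take away: a word is accepted when it is a unique prefix of a keyword at its position (an exact keyword always wins), and it is rejected as ambiguous, invalid or incomplete otherwise.

```python
from __future__ import annotations
import re

# Added example: models the prompt/mode and abbreviation rules the chapter describes.
# COMMAND_TREE is a small, constructed subset of real IOS keywords, not the full parser.

# Prompt syntax: hostname, optional "(context)", then '>' (user exec) or '#' (privileged/config).
PROMPT_RE = re.compile(
    r"^(?P<host>[A-Za-z][A-Za-z0-9-]*)(?:\((?P<ctx>[A-Za-z0-9-]+)\))?(?P<sym>[>#])$"
)

def mode_from_prompt(prompt: str) -> str:
    """Name the command mode that a prompt string indicates."""
    m = PROMPT_RE.match(prompt.strip())
    if not m:
        raise ValueError(f"not a Cisco IOS prompt: {prompt!r}")
    if m["sym"] == ">":
        return "user-exec"
    if m["ctx"] is None:
        return "privileged-exec"
    return "global-config" if m["ctx"] == "config" else m["ctx"]  # e.g. 'config-if'

# mode -> keyword -> subtree; None marks the end of a complete command
COMMAND_TREE = {
    "user-exec": {
        "enable": None, "exit": None, "ping": None, "traceroute": None,
        "show": {"clock": None, "version": None},
    },
    "privileged-exec": {
        "disable": None, "enable": None, "exit": None,
        "configure": {"terminal": None},
        "show": {
            "ip": {"interface": {"brief": None}},
            "interfaces": None, "running-config": None,
            "startup-config": None, "version": None,
        },
    },
}

def help_candidates(tree: dict, partial: str) -> list[str]:
    """What 'partial?' would list: keywords at this position that begin with the prefix."""
    return sorted(k for k in tree if k.startswith(partial))

def expand_command(mode: str, text: str) -> str:
    """Expand an abbreviated command word by word, the way the IOS parser accepts it."""
    tree = COMMAND_TREE[mode]
    words: list[str] = []
    for word in text.split():
        if tree is None:
            raise ValueError(f"% Invalid input: nothing may follow {' '.join(words)!r}")
        # an exact keyword wins even when it is also a prefix of other keywords
        matches = [word] if word in tree else help_candidates(tree, word)
        if not matches:
            raise ValueError(f"% Invalid input: {word!r}")
        if len(matches) > 1:
            raise ValueError(f"% Ambiguous command: {word!r} matches {matches}")
        words.append(matches[0])
        tree = tree[matches[0]]
    if tree is not None:
        raise ValueError(f"% Incomplete command: {' '.join(words)!r}")
    return " ".join(words)

def try_expand(mode: str, text: str) -> str:
    """Return the expanded command, or the IOS-style error text instead of raising."""
    try:
        return expand_command(mode, text)
    except ValueError as err:
        return str(err)
```

Try try_expand("user-exec", "e"): it returns an ambiguous-command error because both enable and exit begin with e, which is exactly why the router accepts en but not e. Adding the remaining keywords of a mode to COMMAND_TREE changes which prefixes are unique, just as it does on a real device running a different IOS feature set.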
The following are some guidelines for configuring a hostname on a Cisco IOS device:
Ensure there are no spaces in the actual hostname.
The hostname should not be longer than 64 characters.
Hostnames should start with a letter.
Hostnames can end with a letter or number.
Let's change the hostname on each device so that it matches the network topology shown in Figures 2.35 and 2.36. Use the hostname command, shown as follows, to change the default hostnames for each of the corresponding devices:
SW1
Switch>enable
Switch#configure terminal
Switch(config)#hostname SW1
SW1(config)#
SW2
Switch>enable
Switch#configure terminal
Switch(config)#hostname SW2
SW2(config)#
R1
Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#
As you may have noticed, any command entered in global configuration mode takes effect immediately. In this exercise, the change took effect immediately after executing the hostname configuration on each device.

Task 3 – Configuring IP addresses on Cisco devices
Before placing an IP address on an interface, it's recommended to check both the number and type of interfaces available on a device. On the router and switches, we can verify the type and number of interfaces available on the device by using the show ip interface brief command, as shown here:
Figure 2.37 – Summary of interfaces on a Cisco router
The show ip interface brief command provides us with a summary of each interface's status on the device:
The Interface column tells us the interface's type and port number on the device.
The IP-Address column tells us whether the interface has an IP address or not.
The OK? and Method columns tell us how the IP address was set on the interface, such as DHCP, unset, and manual.
The Status column tells us the physical (Layer 1) status of the interface. The following is a list of statuses:
a) Up: The interface is active and is receiving an incoming electrical signal on the interface.
b) Down: The network cable is missing or the interface is not receiving an incoming electrical signal.
c) Administratively down: The device administrator has manually turned off this interface.
The Protocol column determines the Layer 2 status of the interface. There are two status types: up and down. The up status tells us that everything is working fine at Layer 2. The down status tells us there is an encapsulation issue on the link.
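Anyone who has to check more than a handful of devices soon stops reading show ip interface brief by eye and parses it instead. The following is an added example, not code from the book: it parses a constructed output in the column layout described above and maps each Status/Protocol pair to the three Status conditions the list distinguishes plus the healthy up/up case. The sample rows and addresses are made up to resemble the lab topology; only the column layout follows the real command, and the condition labels are my own names.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the layout of `show ip interface brief`; the rows are made up
# (not copied from the book's figures) so that every condition below appears once.
SAMPLE_OUTPUT = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     192.168.1.1     YES manual up                    up
GigabitEthernet0/1     192.168.2.1     YES manual up                    up
GigabitEthernet0/2     unassigned      YES unset  administratively down down
Serial0/0/0            unassigned      YES unset  down                  down
Vlan1                  192.168.1.10    YES manual up                    down
"""

@dataclass
class InterfaceRow:
    name: str
    ip: str          # dotted address or the literal 'unassigned'
    ok: str
    method: str      # how the address was set: manual, DHCP, unset, ...
    status: str      # Layer 1 state: up / down / administratively down
    protocol: str    # Layer 2 state: up / down

# Status may be two words ("administratively down"), so it is captured lazily and the
# final Protocol column anchors the end of the line.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s+(\S+)\s*$")

def parse_ip_int_brief(text: str) -> list[InterfaceRow]:
    """Turn the command output into one InterfaceRow per interface, skipping the header."""
    rows: list[InterfaceRow] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Interface"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unexpected line: {line!r}")
        rows.append(InterfaceRow(*m.groups()))
    return rows

def classify(row: InterfaceRow) -> str:
    """Map the Status/Protocol pair to the condition the chapter describes for it."""
    if row.status == "administratively down":
        return "admin-down"    # the administrator issued 'shutdown' on the interface
    if row.status == "down":
        return "layer1-down"   # no cable or no incoming electrical signal
    if row.protocol == "down":
        return "layer2-down"   # Layer 1 is up but Layer 2 (encapsulation/keepalive) is not
    return "up-up"

def audit(text: str) -> dict[str, list[str]]:
    """Group interface names by condition, the view an operator wants from many devices."""
    result: dict[str, list[str]] = {}
    for row in parse_ip_int_brief(text):
        result.setdefault(classify(row), []).append(row.name)
    return result
```

audit(SAMPLE_OUTPUT) returns the up/up interfaces under one key and the three problem conditions under their own keys, so a change in the set of up/up interfaces between two runs is immediately visible. The parser raises on any line that does not fit the six-column layout rather than silently skipping it, which is the safer behaviour when the output is being fed into monitoring.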
Inthefieldofnetworking,youwillencountervarioustypesofphysicalinterfacesondevices.ThefollowingisabriefdescriptionofvariousinterfacesfoundonCiscodevices:
Ethernet:Operatesupto10Mbps
Telegram Channel : @IRFaraExam
FastEthernet:Operatesupto100Mbps
GigabitEthernet:Operatesupto1000Mbps
ToconfiguretheIPaddressesontherouter,usethefollowingconfigurations:
R1
R1#configureterminal
R1(config)#interfaceGigabitEthernet0/0
R1(config-if)#descriptionConnectedtoLAN1-
192.168.1.0/24network
R1(config-if)#ipaddress192.168.1.1255.255.255.0
R1(config-if)#noshutdown
R1(config-if)#exit
R1(config)#
Variousinterfacemodesareaccessiblefromglobalconfig.Noticethatweusetheinterfacecommand,followedbytheinterfacetypeandnumber.The
CommandPromptchangedtoR1(config-if)#,whichindicatesany
commandsweenterherewillonlyaffectthisspecificinterface.
Next,usingthedescriptioncommandisusefulasitwillallowyouto
identifythepurposeofaninterface.Additionally,allinterfacestatusesaresettoadministrativelydownbydefault.Usingthenoshutdowncommandin
interfacemodewillturnuptheinterface.
Typingexitwillreturnyoutothepreviousmode,globalconfig.Typingexit
Telegram Channel : @IRFaraExam
onemoretimewillcarryyoubackintoPrivilegemode.
Let'susetheshowipinterfacebriefcommandtoverifythattheIP
addresshasbeenassignedtotheinterfaceandthattheinterfacestatusisUp/Up.
Thefollowingscreenshotshowstheexpectedresults:
Figure2.38–showipinterfacebriefcommandoutput
NowthatyouarefamiliarwithconfiguringanIPaddressandasubnetmaskonarouter'sinterface,let'sconfiguretheinterfaceconnectedtothe192.168.2.0/24network.Thefollowingisalistofcommandsthatyou'll
needtocompletethistask:
R1#configureterminal
R1(config)#interfaceGigabitEthernet0/1
R1(config-if)#descriptionConnectedtoLAN2-
192.168.2.0/24network
R1(config-if)#ipaddress192.168.2.1255.255.255.0
R1(config-if)#noshutdown
Telegram Channel : @IRFaraExam
R1(config-if)#exit
R1(config)#
Once completed, let's verify the status of our interfaces. The following screenshot shows that we now have both GigabitEthernet0/0 and GigabitEthernet0/1. Each has an IP address on its corresponding network, and both are in the Up/Up status:
Figure 2.39 – Verification of second interface status
Furthermore, using the show ip interface interface-ID command will provide you with more IP-related details, as shown here:
Figure 2.40 – Output of the show ip interface command
In the preceding screenshot, you can verify the IP address, the subnet mask, the interface's physical status, and whether any Access Control Lists (ACLs) have been placed on the interface.
If you prefer to get more statistical information about an interface, use the show interfaces interface-ID command. The output will provide you with the interface status, IP address and subnet mask, interface description, duplex and speed operating modes, and packet flow statistics, as shown here:
Figure 2.41 – Output of the show interfaces command
Lastly, you can use the show running-config command to view the current configurations of the device. By expanding the output, you will see the configurations that are executed under each interface, as shown here:
Figure 2.42 – The running-config output
Task 4 – Configuring the Switch Virtual Interface (SVI)
Cisco IOS Layer 2 switches do not allow you to place an IP address on their physical interfaces. So, how does a user remotely manage or access a switch across a network? Within the Cisco IOS of the Layer 2 switch, you can create a special logical interface that allows you to set an IP address on the switch for remote management. This logical interface is known as a Switch Virtual Interface (SVI).
To create an SVI, use the interface vlan <vlan-ID> command. This will both create the SVI and change the command mode to interface mode. For our topology, we need to set an IP address on each of our switches.
To complete this exercise, use the following commands to achieve this task:
SW1
SW1(config)#interface vlan 1
SW1(config-if)#ip address 192.168.1.10 255.255.255.0
SW1(config-if)#no shutdown
SW1(config-if)#exit
SW1(config)#
Let's not forget to configure the SVI on switch 2 with the following commands:
SW2
SW2(config)#interface vlan 1
SW2(config-if)#ip address 192.168.2.10 255.255.255.0
SW2(config-if)#no shutdown
SW2(config-if)#exit
SW2(config)#
Now that you have learned how to create an SVI on a Cisco IOS Layer 2 switch, let's take a look at securing administrative access on all devices.
Task 5 – Securing administrative access
By default, anyone can use a console cable to access the User Exec mode within the Cisco IOS via the console port. If the person is familiar with Cisco IOS syntax, this may be a security concern. This means that anyone who has a console cable and physical access to the device will be able to access various modes and make unauthorized changes to the device's configurations.
To solve this security challenge, the Cisco IOS has security features that allow the device administrator to gain secure access to the console port, Virtual Terminal (VTY) lines (remote access), and Privilege Exec mode.
To secure access to the console port on all devices, use the following instructions:
1. Access Global Configuration mode by using the configure terminal command.
2. To access the console line, use the line console 0 command and hit Enter.
3. Use the password actual-password command to set a password under the console port.
4. Use the login command to enable the authentication feature. Without using login, a person can still access the console without being prompted for a password.
The following screenshot shows how the commands should be executed:
Figure 2.43 – Securing the console
The effect of the configurations we made in the preceding screenshot will prompt the user to enter a valid password to access User Exec mode via the console port. The password we have configured is cisco123.
Important note
In a real-world network, ensure you use more complex passwords. When typing a password within the Cisco IOS, it's usually invisible as a security feature to prevent anyone with prying eyes from seeing it.
Now that we have secured console access to each device, let's secure access to Privilege Exec mode on all devices.
To secure administrative access on all devices, use the following instructions:
1. Access Global Configuration mode by using the configure terminal command.
2. Enter the enable password actual-password syntax and hit Enter.
3. If you go back to User Exec and try to enter Privilege Exec, the Cisco IOS will prompt you for a password. Once you enter the password, which you set using the enable password command, the Cisco IOS will grant you access.
The following snippet shows how the commands should be executed:
Figure 2.44 – Using the enable password command
However, using the enable password command is an unsecure method of securing administrative access on the Cisco IOS. Let's see why this is an unsecure method. In Privilege Exec mode, use the show running-config command to view the current configurations on the device. The following snippet shows that the enable password command sets an unencrypted password:
Figure 2.45 – Unencrypted password shown in the running-config file
It's not recommended to use enable password due to this security vulnerability. However, Cisco has implemented a more secure method to restrict access to Privilege Exec mode. This method uses the enable secret command.
To configure the enable secret command on the Cisco IOS for all devices, use the following commands:
R1(config)#enable secret cisco789
Let's verify our configurations by viewing running-config on the device:
Figure 2.46 – running-config containing encrypted and unencrypted passwords
You may be wondering which of these passwords will work when moving from User Exec mode to Privilege Exec mode. Would either password work or just one? The answer is simple: enable secret takes precedence in this situation, and therefore enable password is obsolete on the device.
It's good practice to always use enable secret when securing administrative access. However, in a situation where there are both enable secret and enable password, such as is the case here, it's recommended to remove the less secure configurations from running-config.
Important Note
To remove a command from running-config, use the negated form of the command, that is, no followed by the remainder of the command.
To remove enable password from running-config, use the following command:
R1(config)#no enable password
If you check running-config, you'll notice enable password has been removed. Ensure you have secured administrative access to each device before moving on to the next task.
Task 6 – Setting a banner
Having a legal notification such as a warning banner that's displayed whenever anyone administratively connects to your network devices is recommended. Such legal notifications can be used as an official legal warning for anyone who is attempting or gaining unauthorized access to a device on a corporate network.
To set a legal notification, we can use the banner motd command, followed by the legal notice. To set a banner to be displayed whenever anyone establishes a connection to the device via any access method, use banner motd, as shown here:
R1(config)#banner motd %Only Authorized Access is permitted!!!%
When using the banner command, you need to insert both opening and closing delimiters, such as special characters (@, #, $, %, ^, &), before and after the actual banner message. The delimiters indicate that everything between them is the actual banner message to be displayed on a logon screen.
The following snippet indicates that the banner is displayed when establishing a new console connection:
Figure 2.47 – Warning banner
Now that you have learned how to configure a warning disclaimer (banner) on a Cisco IOS device, let's take a look at setting up remote access.
Task 7 – Setting up secure remote access
After performing your initial configurations on your device, it's time to place it on your network. When a device is on the network, it may not always be convenient to manage the device via the console port. At times, as a networking professional, you may not be close to your device; perhaps the device is located in another country. Remote access allows the administrator to remotely connect and manage the device while being at another location.
There are two main methods to remotely access a Cisco IOS device:
Telnet
Secure Shell (SSH)
Both Telnet and SSH allow you to remotely access a device via a Terminal, allowing you to gain shell access. However, Telnet is an unsecure method used to remotely access and manage a device as traffic can be seen in plaintext (unencrypted). SSH is the recommended method for remote access as all SSH traffic is encrypted by default. If a hacker is intercepting SSH traffic over a network, they will not be able to see the actual contents of the traffic flowing between the SSH client and the SSH server (device).
Setting up Telnet
To configure Telnet access on the VTY lines, use the following commands:
R1#configure terminal
R1(config)#line vty 0 15
R1(config-line)#password class123
R1(config-line)#login
R1(config-line)#exit
R1(config)#
The line vty 0 15 command specifies that we configure all 16 virtual terminal (VTY) lines on the device, where the first line is VTY 0. Then, we set the Telnet password as class123 and use the login command to enable authentication whenever a user attempts to log in.
Next, ensure each PC is using the following IP configurations:
PC1:
IP address: 192.168.1.20
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1
PC2:
IP address: 192.168.2.20
Subnet mask: 255.255.255.0
Default gateway: 192.168.2.1
To test the Telnet connection within Cisco Packet Tracer, use the following instructions:
1. Click on PC1 and select the Desktop tab.
2. Open the Command Prompt and use the ping command to test end-to-end connectivity between PC1 and the router. Then, use the ping 192.168.1.1 command.
You should get the following response from the router:
C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=3ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 3ms, Average = 0ms
Once you are able to get a successful reply from the target device (192.168.1.1), you have connectivity.
3. Close the Command Prompt and open the Telnet/SSH client on PC1.
4. Change the connection type to Telnet, enter the IP address of the router (192.168.1.1), and click on Connect.
You should see the banner message from Task 6 with an authentication prompt requesting the VTY Telnet password.
Configuring Secure Shell (SSH)
As mentioned previously, we should always use SSH when it's available. In the following steps, I will demonstrate how to disable Telnet, enable SSH, and create a local user account:
1. Change the default hostname on the Cisco IOS device.
2. Join a local domain by using the ip domain-name <domain> command in global config mode:
R1(config)#ip domain-name ccna.local
3. Generate encryption keys for the SSH sessions using the following commands:
R1(config)#crypto key generate rsa
The interactive menu will ask for a modulus key size. The minimum is 512, but it's recommended to use 1024 or higher. The larger the key size, the stronger the encryption. However, a very large key size can use a lot of CPU resources on the network device when performing encryption and decryption tasks.
4. Create a local user account with a secret password using the following commands:
R1(config)#username Admin secret class456
5. Configure the VTY lines to only allow SSH connections (disabling Telnet), remove the Telnet password, and use the local user account as the login credentials. To complete this step, use the following commands:
R1(config)#line vty 0 15
R1(config-line)#transport input ssh
R1(config-line)#no password
R1(config-line)#login local
R1(config-line)#exit
R1(config)#
The transport input command can be used with all, none, ssh, or telnet to specify the type of incoming traffic on the VTY lines.
The following is an additional command that's required when configuring remote access (Telnet and SSH) on Cisco switches. Switches require a default gateway that enables them to have bi-directional communication over different networks. According to our lab topology, without a default gateway a device on the 192.168.1.0/24 network will not be able to remotely access SW2, and vice versa.
To set the default gateway on the switches in our topology, use the following commands:
SW1
SW1(config)#ip default-gateway 192.168.1.1
SW2
SW2(config)#ip default-gateway 192.168.2.1
Task 8 – Configuring the console to use the local user accounts
In the previous task, you learned how to create a user account and enable the VTY lines to query it during the login process. Additionally, the same can be done to the console line by using the following commands:
R1(config)#line console 0
R1(config-line)#no password
R1(config-line)#login local
R1(config-line)#exit
Task 9 – Disabling domain lookup and encrypting all plaintext passwords
At times, when you enter a name or word within the Cisco IOS, it attempts to perform a domain name lookup. To abort the translation, use the Ctrl + Shift + ^ key combination on your keyboard. Additionally, you should disable the domain lookup feature within the Cisco IOS by executing the following command:
R1(config)#no ip domain-lookup
When setting passwords on the Cisco IOS, you may not have the option to use the secret command to create an encrypted form of the actual password. This means you may have to resort to setting a plaintext password. To add an additional layer of security, use the following command to encrypt all current and future plaintext passwords automatically:
R1(config)#service password-encryption
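As an added example (not code from the book), here is a Python audit of a running-config text that checks the settings from Task 5 (enable secret present, enable password removed), Task 7 (transport input ssh and login local on the VTY lines), Task 8 (login local on the console) and Task 9 (service password-encryption, no ip domain-lookup). Both config texts are constructed samples, and the hash values in them are placeholders.

```python
"""Audit a Cisco IOS running-config for the hardening covered in Tasks 5
to 9: enable secret in place of enable password, SSH-only VTY lines with
login local, console login local, service password-encryption, domain
lookup disabled, and a banner.  Added example, not from the book; the
config texts are constructed for illustration."""

# Constructed sample running-config: a device part-way through the tasks,
# with several weak settings deliberately left in place for the audit to find.
SAMPLE_CONFIG = """\
hostname R1
enable password cisco456
enable secret 5 $1$PLACEHOLDER$notarealhash
no ip domain-lookup
ip domain-name ccna.local
username Admin secret 5 $1$PLACEHOLDER$notarealhash
banner motd ^Only Authorized Access is permitted!!!^
line con 0
 password cisco123
 login
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
"""

# Constructed sample after every task has been completed.
HARDENED_CONFIG = """\
hostname R1
service password-encryption
enable secret 5 $1$PLACEHOLDER$notarealhash
no ip domain-lookup
ip domain-name ccna.local
username Admin secret 5 $1$PLACEHOLDER$notarealhash
banner motd ^Only Authorized Access is permitted!!!^
line con 0
 login local
line vty 0 15
 transport input ssh
 login local
"""


def parse_config(config):
    """Split a running-config into top-level commands and line sections.
    Returns (global_lines, sections); sections maps a header such as
    'line vty 0 4' to the list of indented commands beneath it."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, sections


def audit_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    global_lines, sections = parse_config(config)

    if not any(l.startswith("enable secret") for l in global_lines):
        findings.append("enable secret is not configured")
    if any(l.startswith("enable password") for l in global_lines):
        findings.append("enable password is still present (remove with 'no enable password')")
    if "service password-encryption" not in global_lines:
        findings.append("service password-encryption is not enabled")
    if "no ip domain-lookup" not in global_lines:
        findings.append("ip domain-lookup is still enabled")
    if not any(l.startswith("banner motd") for l in global_lines):
        findings.append("no banner motd configured")

    for header, body in sections.items():
        if header.startswith("line vty"):
            # The last 'transport input' wins; anything other than 'ssh' alone
            # leaves Telnet (plaintext) reachable on these lines.
            transports = [l.split()[2:] for l in body if l.startswith("transport input")]
            if not transports:
                findings.append(f"{header}: transport input not restricted to ssh")
            elif transports[-1] != ["ssh"]:
                findings.append(f"{header}: transport input allows {' '.join(transports[-1])}, expected ssh only")
        if header.startswith(("line vty", "line con")):
            if "login local" not in body:
                findings.append(f"{header}: login local not configured")
            if any(l.startswith("password ") for l in body):
                findings.append(f"{header}: line password still present")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for finding in audit_config(cfg):
            print("  -", finding)
```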
Task 10 – Checking IOS version and saving configurations
As a Cisco networking professional, it's important to determine the current version of your operating system. To check the device's operating system version, use the show version command, as shown here:
R1#show version
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thurs 5-Jan-12 15:41 by pt_team
ROM: System Bootstrap, Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
cisco2911 uptime is 5 hours, 23 minutes, 55 seconds
System returned to ROM by power-on
System image file is "flash0:c2900-universalk9-mz.SPA.151-1.M4.bin"
--More--
As shown in the preceding output, the device is using Cisco IOS version 15.1(4) of the operating system. This information is useful if you are planning on upgrading to a newer version of the IOS. The show version command also provides us with the uptime of the device since it has been powered on.
Lastly, remember that all the configuration changes that are made to each device are stored in running-config. If any device should lose power or reboot, all the configurations will be lost. To save running-config in startup-config, use the following commands:
R1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R1#show startup-config
Hit Enter when it asks for the destination filename. The default filename is shown in brackets ([startup-config]); there's no need to type a new filename. Once the configurations have been saved, use the show startup-config command to view its contents. Additionally, you can use the reload command in Privilege Exec mode to reboot the device and see that startup-config retains the configurations.
Performing troubleshooting procedures
After performing configurations on a device, it's good practice to execute the relevant show command to verify that what you have done is correct and is working as expected. Throughout this book, we will learn about additional methods for designing and optimizing a network using Cisco devices, where you will learn about new configurations and troubleshooting commands to help you along the way.
There are two main tools that help us troubleshoot a network from the client side (PC):
Ping
Traceroute
Ping is simply used to test end-to-end connectivity between the devices on a network. This tool uses the ping ip-address-of-target syntax. The following is an example of a successful connectivity test:
Figure 2.48 – Ping test on a Windows Command Prompt
However, the Cisco IOS does not provide an output similar to the one shown in the preceding output; it prints one symbol per echo request. The following are the symbols and their descriptions:
!: Successful
.: Request timeout
U: Destination unreachable
The following is an example where a connectivity test was done from R1 to PC1 in the lab topology:
Figure 2.49 – Ping test using the Cisco IOS
You now have the essential skills to implement Cisco networking solutions for a small network.
Summary
Having completed this chapter, you have learned some amazing skills and got to build your very own Cisco lab environment. Most importantly, you got hands-on with Cisco switches and routers. There are many ways you can get the practical experience you desire, by either purchasing physical equipment or even building a fully virtualized lab environment. Keep in mind that Cisco Packet Tracer is updated quite often and new features are always being added, along with many improvements.
My personal advice is that you shouldn't be afraid of trying new things in your lab environment. If you break or misconfigure something, try to figure out what went wrong and how to resolve the issue. Network engineering is a continuous process of designing, configuring, and troubleshooting, but most importantly, it's about problem solving and critical thinking. So, don't be afraid – use the help (?) command, and even try to emulate your home or office network in your Cisco lab.
I hope this chapter has been informative for you and is helpful in your journey toward learning how to implement and administrate Cisco solutions and prepare for the CCNA 200-301 certification. In the next chapter, IP Addressing and Subnetting, we will learn all about IP addressing, subnetting, and understanding Variable-Length Subnet Masks (VLSMs).
Questions
The following is a short list of review questions to help reinforce your learning and help you identify areas that require some improvement:
1. If you are currently in line console mode, which shortcut will carry you back to Privilege Exec mode?
A. CTRL + C
B. CTRL + X
C. CTRL + V
D. CTRL + Z
2. Which mode allows you to execute the enable secret command?
A. Privilege Exec
B. User Exec
C. Global config
D. Line
3. An interface is showing as administratively down. How do you activate the interface?
A. No shutdown
B. Up
C. Start
D. None of the above
4. You are tasked with setting up remote access on various networking devices. Which of the following methods is best suited?
A. Console
B. SSH
C. Telnet
D. VTY
5. Which of the following commands will display the banner message "keep out"?
A. banner #keep out#
B. banner motd keep out
C. banner motd #keep out%
D. banner motd &keep out&
6. Which of the following commands will set a secure password on the Cisco IOS?
A. enable password
B. enable
C. enable secret
D. secret
Further reading
The following links are recommended for additional reading:
Initial device configuration: https://www.cisco.com/c/en/us/td/docs/routers/access/800/hardware/installation/guide/800HIG/initalconfig.html
Basic router configuration: https://www.cisco.com/c/en/us/td/docs/routers/access/800M/software/800MSCG/routconf.html
Chapter 3: IP Addressing and Subnetting
The internet acts as an enormous digital world, and it's continuously expanding with new users and internet-connected devices coming online every day. Every device on a network requires some type of address to be able to communicate and exchange messages. To meet this need, Internet Protocol (IP) addresses are commonly used.
Throughout this chapter, you will learn about the characteristics of both IPv4 and IPv6 addressing schemes, while discovering the various types of transmissions that occur on a network, as well as the importance of subnet masks and the role they play in a network.
In this chapter, we will cover the following topics:
The need for IP addressing
Characteristics of IPv4
Classes of IPv4 addresses
Special IPv4 addresses
Subnet mask
Subnetting
IPv6
Lab – Configuring IPv6 addresses on a Cisco device
Lab – Configuring IPv6 addresses on a Windows computer
Testing end-to-end connectivity
Technical requirements
To follow along with the exercises in this chapter, please ensure that you meet the following hardware and software requirements:
Cisco Packet Tracer
GNS3
GNS3 VM
Configuration files: https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2003
Check out the following video to see the Code in Action: https://bit.ly/3iQDXZT
The need for IP addressing
A computer network is a bit like a neighborhood or community. Communities consist of many people, houses, schools, and businesses. Each of these houses and buildings has a postal (mailing) address that allows others to send letters and packages via a courier service to the recipients. Without a mailing or postal address, it's a bit challenging for others to send a physical letter or package to you. Similarly, on a computer network, each device has a unique address that is used for sending and receiving messages (signals) between them. These addresses are known as Internet Protocol addresses and are most commonly referred to as IP addresses.
How do we know which IP addresses can be used on the internet and on private networks? There is a special organization that manages both IPv4 and IPv6 addresses. This organization is known as the Internet Assigned Numbers Authority (IANA). The IANA is also responsible for governing the usage of the Domain Name System (DNS) root directories and services via the Internet Corporation for Assigned Names and Numbers (ICANN).
Sometime around 1983, the IPv4 scheme was made available for usage on computer networks and the internet. Most of the internet today is dominated by the IPv4 addressing scheme as the preferred method of communication. On many private networks (such as home networks), IPv4 is still very much commonly used to this day.
When it comes to IP addresses, IANA has created two address spaces for IPv4. These are the public and private address spaces. The public space is designed to be used on the internet and on all devices that are directly connected to the internet. On the internet, each IP address must always be unique to ensure messages (packets) are delivered to the correct recipient as expected. Imagine if two devices on the internet shared a single public IPv4 address; some messages may be delivered to one device while the other messages may be sent to the second device. This would cause many problems. To help prevent these problems, there are Regional Internet Registries (RIRs) around the world.
Important note
To further understand the assignment of IPv4 network blocks, you can refer to the official IANA documentation at the following URL: https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml.
The IANA does not directly distribute IP network blocks to any organization that wants internet connectivity. Instead, there are currently five RIRs in the world, and each RIR is responsible for distributing IP network blocks to Internet Service Providers (ISPs). The following is a list of each RIR and their geolocational responsibility:
AFRINIC: Supports the continent of Africa
APNIC: Supports the regions of Asia and the Pacific
ARIN: Supports the regions of Canada, USA, and part of the Caribbean
LACNIC: Supports Latin America and part of the Caribbean
RIPE NCC: Supports Europe, the Middle East, and Central Asia
The following diagram illustrates how IP addresses are distributed across the internet:
Figure 3.1 – Delegation of IP network blocks
An Autonomous System (AS) is a very large collection of internet routing network prefixes that are managed by a single organization, known as an operator. An ISP is an example of an AS. Each ISP has a unique AS number (ASN) that is used to interconnect one AS to another. This allows each Autonomous System to use Border Gateway Protocol (BGP) to exchange routing updates, as well as network with one another over the internet.
Important note
To view the ASNs for each country, use the following URL: https://ipinfo.io/countries.
The following diagram shows a representation of multiple ASNs interconnected via BGP:
Figure 3.2 – Network representation of Autonomous Systems using BGP
Each Autonomous System exchanges routing updates and shares its public (internet) networks with its directly connected neighbors. As more devices and Autonomous Systems connect to the backbone of the internet, the internet itself continues to grow.
Important note
To view the submarine cables that connect us to the internet, please visit www.submarinecablemap.com. Checking out a cable within the map will provide you with the necessary ISPs and names of organizations that own/lease it.
Now that we have covered the global architecture of the IP addressing landscape across computer networks and the internet, as well as understood the two types of IP addresses, let's take a more detailed look at the characteristics of the first type: IPv4.
Characteristics of IPv4
Learning about computer networking is always a fascinating topic as it also introduces you to how computing devices interpret data and present information. Using a computer or smart device, we usually see a very well-polished graphical user interface (GUI). In Microsoft Windows, for example, there is Windows Explorer, which helps us navigate the various areas (locations) of a computer easily. When opening files, such as pictures, the photo viewer application presents us with a picture our minds can interpret. However, by default, computers and networking devices are unable to interpret the objects within a picture.
When data is written onto a hard disk drive (HDD), there's an actuator arm that contains a read/write head (pin), which is used to magnetize and de-magnetize areas on the platters to represent data. This means that what we see as a picture of a car on the computer screen is, to the device, a portion of the HDD being magnetized and de-magnetized, representing a bunch of 1s and 0s.
Important note
Nowadays, many applications use machine learning (ML) to actually detect objects within a picture. One such ML algorithm is YOLO – Real-Time Object Detection.
Remember that when a device is sending a message on a network, a series of electrical signals are sent across the wire. The recipient interprets the incoming signals and presents them as data. A high electrical signal (voltage) is commonly represented as a 1, while a low voltage is represented as a 0. Similarly, when data is being written to an HDD, electrical signals are used to magnetize and de-magnetize the surface areas of the platters. When data is read, the read/write head interprets the magnetized and de-magnetized areas that represent data, and thus the device (such as a computer) presents information to us humans.
You are probably wondering what the 1s and 0s have to do with computer networking. Just like everything in the computing world, IP addresses are written in binary notation (1s and 0s). However, we humans usually write IP addresses in decimal format using base 10, with numbers in the range 0–9.
As outlined by IANA, an IPv4 address is 32 bits in length, comprised of 1s and 0s. There is a total of four octets per IPv4 address. Each octet is made up of 8 bits and is separated by a period or dot (.). This results in 8 bits per octet x 4 octets = 32 bits in total.
The need to understand IP addressing and subnetting plays a vital role in network engineering. Incorrectly assigning an IP address and/or a subnet mask will result in no connectivity between devices. In the next section, we will dive into understanding the composition of an IPv4 packet and the purpose of each field.
Composition of an IPv4 packet
Becoming a networking engineer or advancing your skills within the networking field isn't only about learning how to configure devices to move traffic between networks more efficiently; understanding the composition and the characteristics of an IPv4 packet will also be very beneficial in the troubleshooting phases of your career.
The following diagram shows all the fields within an IPv4 packet:
Figure 3.3 – IPv4 packet
Each field within the IPv4 packet plays an important role during the transmission of a message from one device to another. The following are the names of each field, along with descriptions of their purpose:
Version: This field is generally used to identify the version of the Internet Protocol (IP), such as IPv4 and IPv6. The size of this field is 4 bits.
Internet Header Length (IHL): This field indicates where the header ends and the data begins within the IPv4 packet. This field is 4 bits.
Differentiated Services or DiffServ (DS): This field plays an important role when using Quality of Service (QoS) tools on a network. This field was formerly known as Type of Service (ToS). The length of this field is 8 bits.
Total Length: This field ensures the entire datagram is no more than 65,535 bytes. This field is 16 bits.
Identification: As we mentioned in Chapter 1, Introduction to Networking, before a device sends a datagram to the network, the device creates smaller fragments called bits. Each bit contains the same addressing details within the header, but the payload (data) is made into smaller pieces. This field is used to assign a value to each bit as they are sent to the physical network. The value is used to assist in placing a sequence number on each bit leaving the sender. This allows the recipient to use the sequence number during the process of reassembling the datagram. This field is 16 bits.
Flags: Flags are used for various options within an IPv4 packet. These options may include whether a packet is a SYN, ACK, FIN, or RST packet. This field is 3 bits.
Fragment Offset: This field is used to identify the position of a fragmented datagram. This field is 13 bits.
Time To Live (TTL): This field is found only in packets. Devices sending packets on a network use this field to set the lifespan of the message as it travels across a network. As the packet passes a hop (a Layer 3 device) along a path, the TTL value decreases by 1. If a device renders a packet's TTL value to 0, that device discards the packet. The TTL field is 8 bits in length.
A simple exercise to illustrate how the TTL value affects a message is to send a message to a public IP address, while using the -i parameter to set a TTL value for the Internet Control Message Protocol (ICMP) message. In this case, we'll use Google's public DNS server (8.8.8.8), as shown here:
Figure 3.4 – TTL value expired in ICMP packets
As shown in the preceding snippet, none of the ICMP packets were able to reach the destination; that is, 8.8.8.8. This is because the TTL value of each ICMP packet was set to 2, so each packet expired and was discarded before it was able to reach the intended destination.
Protocol: This 8-bit field is used to identify the network protocol that a datagram belongs to at the destination host.
Header Checksum: This field contains the hash value (checksum) of the header and is 16 bits in length.
Source IP address: This 32-bit field contains the sender's IPv4 address.
Destination IP address: This 32-bit field contains the destination's IPv4 address.
Options: This field ranges between 0–40 bytes in length and is used for many purposes, such as record routing and source routing details.
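As an added example (not from the book), the following Python parses the fixed 20-byte IPv4 header described above and recomputes the Header Checksum, so a practitioner can see the field layout and detect a header that was altered in transit. The packet bytes are constructed inline for the example, and the 3-bit Flags field is decoded into the reserved, DF and MF bits defined in RFC 791.

```python
"""Parse the fixed 20-byte IPv4 header and verify its Header Checksum.
Added example (not from the book); packet bytes are constructed inline."""
import struct


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement of the one's-complement sum
    of all 16-bit words in the header, with the checksum field set to zero."""
    if len(header) % 2:
        header = header + b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                      # fold carry bits back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet):
    """Return the header fields as a dict; raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte minimum IPv4 header")
    (ver_ihl, ds, total_length, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not an IPv4 packet (version {version})")
    if ihl < 5 or ihl * 4 > len(packet):
        raise ValueError(f"invalid IHL {ihl}")
    header = bytearray(packet[:ihl * 4])
    header[10:12] = b"\x00\x00"             # checksum is computed over a zeroed field
    return {
        "version": version,
        "ihl": ihl,                         # header length in 32-bit words
        "dscp": ds >> 2,                    # DiffServ code point (6 bits)
        "ecn": ds & 0x03,
        "total_length": total_length,
        "identification": ident,
        "flags": flags_frag >> 13,          # 3 bits: reserved, DF, MF (RFC 791)
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,                  # 1 = ICMP, 6 = TCP, 17 = UDP
        "header_checksum": csum,
        "checksum_ok": ipv4_checksum(bytes(header)) == csum,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options_length": ihl * 4 - 20,
    }


def build_sample_packet(ttl=64):
    """Construct (for this example) an IPv4/ICMP packet from PC1's address
    192.168.1.20 to 8.8.8.8 with the DF flag set and a correct checksum."""
    src, dst = bytes([192, 168, 1, 20]), bytes([8, 8, 8, 8])
    icmp_stub = b"\x08\x00\x00\x00\x00\x01\x00\x01"   # 8-byte echo request stub
    header = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp_stub),
                                   0x1234, 0x4000, ttl, 1, 0, src, dst))
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + icmp_stub


if __name__ == "__main__":
    fields = parse_ipv4_header(build_sample_packet(ttl=2))
    for name, value in fields.items():
        print(f"{name:16} {value}")
```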
Having completed this section, you are now able to identify and describe each field within an IPv4 packet.
In the next section, you will learn the essential skills involved in understanding IP assignment and subnetting, by first learning how to perform conversions between binary and decimal format.
Converting binary into decimal
Let's start by taking a look at an IPv4 address in its binary format. We already learned that an IPv4 address is made up of 32 bits, consisting of 1s and 0s. Let's look at an example of one written in binary:
11000000.10101000.00000001.10000001
All binary numbers are written in Base 2 with a radix of 2. A radix is a unique number used in a positioning system, where the first position's value is 0. I know this may sound a bit confusing, but over the next few paragraphs, you'll find the concept a bit clearer as we'll be providing examples.
In mathematics, we learn that A^0 = 1, where A represents the radix or base.
Let's use the radix of 2 as part of a positioning system, starting with 0 as the first position:
2^0 = 1
2^1 = 2 x 1 = 2
2^2 = 2 x 2 = 4
2^3 = 2 x 2 x 2 = 8
2^4 = 2 x 2 x 2 x 2 = 16
2^5 = 2 x 2 x 2 x 2 x 2 = 32
2^6 = 2 x 2 x 2 x 2 x 2 x 2 = 64
2^7 = 2 x 2 x 2 x 2 x 2 x 2 x 2 = 128
When it comes to understanding binary and decimal conversions in the field of networking, we convert only one octet at a time, not the entire 32-bit IPv4 address. This is the reason our positioning system stopped at the eighth position in the sequence, 2^7. To further understand the position system using binary, the following table shows the calculation for each bit within an octet:
Position: 2^7 | 2^6 | 2^5 | 2^4 | 2^3 | 2^2 | 2^1 | 2^0
Value:    128 | 64  | 32  | 16  | 8   | 4   | 2   | 1
Figure 3.5 – Base 2 table
When performing conversions, always remember that the first position is always 2^0 and that the eighth position is 2^7. The full binary format of each position can be expressed further, as follows:
2^0 = 00000001 = 1
2^1 = 00000010 = 2
2^2 = 00000100 = 4
2^3 = 00001000 = 8
2^4 = 00010000 = 16
2^5 = 00100000 = 32
2^6 = 01000000 = 64
2^7 = 10000000 = 128
Now, let's use our IPv4 address of 11000000.10101000.00000001.10000001 and convert it into a decimal number. To perform this exercise, use the following instructions:
1. Place the values of the first octet, 11000000, within the table, as shown here:
Figure 3.6 – Conversion – binary to decimal (first octet)
Wherever there's a binary value that = 1 in the preceding table, the radix value is ON. In our table, 2^7 and 2^6 are ON. This will provide us with the following results:
2^7 + 2^6 = 128 + 64 = 192
2. Let's repeat the same procedure for the second octet, 10101000, to determine its decimal value:
Figure 3.7 – Conversion – binary to decimal (second octet)
Using the same principle of 1 = ON and 0 = OFF for the radix, we get the following results:
2^7 + 2^5 + 2^3 = 128 + 32 + 8 = 168
3. Let's convert the third octet, 00000001, into decimal format by placing it into the following table:
Figure 3.8 – Conversion – binary to decimal (third octet)
Converting 00000001 into decimal, we get the following result:
2^0 = 1
4. Now, convert the fourth octet by placing 10000001 into the following table:
Figure 3.9 – Conversion – binary to decimal (fourth octet)
We will get the following results:
2^7 + 2^0 = 128 + 1 = 129
5. The last stage is simply placing all the decimal values together, as shown here:
11000000.10101000.00000001.10000001 = 192.168.1.129
If all eight bits were 1s within an octet, what would be the decimal equivalent? We'd need to add all the powers of 2 ranging from 2^0 to 2^7, as shown here:
2^7 + 2^6 + 2^5 + 2^4 + 2^3 + 2^2 + 2^1 + 2^0
To provide a further breakdown, we get the following value when we add all the powers of 2:
128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = 255
This means that an octet has a range of 0–255. There is no IPv4 address whose value is greater than 255 in any of its four octets. Now that you have learned how to convert binary into decimal, let's take a look at converting decimal into binary.
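The positional method above, as an added example in Python (not from the book): a converter that works one octet at a time with the same 2^7 .. 2^0 weights as Figure 3.5, rejects malformed octets, and prints the worked line for each octet in the form used in the text.

```python
"""Binary-to-decimal conversion one octet at a time, using the base-2
weights 2^7 .. 2^0 from the table above.  Added example (not from the book)."""

# Position weights for the eight bits of an octet, most significant first.
WEIGHTS = [2 ** p for p in range(7, -1, -1)]   # [128, 64, 32, 16, 8, 4, 2, 1]


def octet_to_decimal(octet_bits):
    """Convert one 8-character bit string.  Returns (value, on_powers), where
    on_powers lists the exponents whose bit is 1 (the 'ON' radix values)."""
    if len(octet_bits) != 8 or set(octet_bits) - {"0", "1"}:
        raise ValueError(f"an octet is exactly 8 bits of 0/1, got {octet_bits!r}")
    on_powers = [7 - i for i, bit in enumerate(octet_bits) if bit == "1"]
    value = sum(w for w, bit in zip(WEIGHTS, octet_bits) if bit == "1")
    return value, on_powers


def binary_to_dotted_decimal(binary_address):
    """'11000000.10101000.00000001.10000001' -> '192.168.1.129'"""
    octets = binary_address.split(".")
    if len(octets) != 4:
        raise ValueError("an IPv4 address has exactly four octets")
    return ".".join(str(octet_to_decimal(o)[0]) for o in octets)


def explain_octet(octet_bits):
    """Render the worked line used in the text, for example
    '10101000 = 2^7 + 2^5 + 2^3 = 128 + 32 + 8 = 168'."""
    value, on_powers = octet_to_decimal(octet_bits)
    if not on_powers:
        return f"{octet_bits} = 0"
    powers = " + ".join(f"2^{p}" for p in on_powers)
    terms = " + ".join(str(2 ** p) for p in on_powers)
    return f"{octet_bits} = {powers} = {terms} = {value}"


if __name__ == "__main__":
    address = "11000000.10101000.00000001.10000001"
    for octet in address.split("."):
        print(explain_octet(octet))
    print(address, "=", binary_to_dotted_decimal(address))
```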
Converting decimal into binary
Let's get started by converting the IP address 172.19.43.67 into binary. We are going to use a simple eight-step method that will guarantee the accuracy of the final result. In the previous section, Converting binary into decimal, we used various radix values ranging from 2^0 to 2^7, and within our eight-step process, we will be leveraging these values once again, but using a slightly different approach: the method of subtraction.
To ensure the results are accurate, please adhere to the following rules:
Convert only one octet at a time.
Start by subtracting the highest power of 2 (2^7) from the decimal value, while working your way down to 2^0.
If you can subtract a Radix value from the decimal value, place a 1 to represent yes.
If you are unable to subtract a Radix value from the decimal value, place a 0 to represent no.
If you get a 0, attempt to subtract the next (lower) Radix value from the decimal value.
Let's begin by converting the first octet, 172, into binary format:
1. Can we carry out 172 – 128 (2^7)? Yes, giving us a remainder of 44. Therefore, we get a 1.
2. Is it possible to carry out 44 – 64 (2^6)? No; therefore, we carry 44 forward to be subtracted from the next power of 2 (2^5). Therefore, we get a 0.
3. Can we carry out 44 – 32 (2^5)? Yes, giving us a remainder of 12. Therefore, we get a 1.
4. Could we carry out 12 – 16 (2^4)? No; therefore, we carry 12 forward to be subtracted from the next power of 2 (2^3). Therefore, we get a 0.
5. Is it possible to carry out 12 – 8 (2^3)? Yes, giving us a remainder of 4. Therefore, we get a 1.
6. Could we carry out 4 – 4 (2^2)? Yes, giving us a remainder of 0. Therefore, we get a 1.
7. Is it possible to carry out 0 – 2 (2^1)? No; therefore, we get a 0.
8. Could we carry out 0 – 1 (2^0)? No; therefore, our last value is 0 since this is the last power of 2 in the sequence.
The final answer in binary is obtained by taking all the 1s and 0s starting from step 1 and placing them in sequential order from step 1 to 8. Therefore, the binary value of 172 is 10101100.
The following is a visual representation of all 8 steps demonstrating the process we use to convert the decimal value 172 into binary:
Figure 3.10 – Calculation for decimal value 172 into binary
Let'sconvertoursecondoctet,19,intobinaryusingthesameprocedure:
1. Could19–128(2 )?No;therefore,wecarry19forwardtobesubtracted
fromthenextpowerof2(2 ).Therefore,wegeta0.
7
6
6)
Telegram Channel : @IRFaraExam
2. Isitpossiblefor19–64(2 ?No;therefore,wecarry19forwardtobe
subtractedfromthenextpowerof2(2 ).Therefore,wegeta0.
3. Could19–32(2 )?No;therefore,wecarry19forwardtobesubtracted
fromthenextpowerof2(2 ).Therefore,wegeta0.
4. Could19–16(2 )?Yes,givingusaremainderof3.Therefore,wegeta
1.
5. Isitpossiblefor3–8(2 )?No;therefore,wecarry3forwardtobe
subtractedfromthenextpowerof2(2 ).Therefore,wegeta0.
6. Could3–4(2 )?No;therefore,wecarry3forwardtobesubtractedfrom
thenextpowerof2(2 ).Therefore,wegeta0.
7. Itispossiblefor3–2(2 )?Yes,givingusaremainderof1.Therefore,we
geta1.
8. Could1–1(2 )?Yes,witharemainderof0.Therefore,wegeta1to
concludeourprocess.
Thefinalanswerinbinaryistakingallthe1sand0sstartingfromstep1andplacingtheminsequentialorderfromstep1to8.Therefore,thebinaryvalueof19is00010011.
Thefollowingisavisualrepresentationofalleightstepsdemonstratingtheprocessweusetoconvertthedecimalvalue19intobinary:
6)
5
5
4
4
3
2
2
1
1
0
Telegram Channel : @IRFaraExam
Figure3.11–Calculationfordecimalvalue19intobinary
Let'sconvertourthirdoctet,43,intobinaryusingthesameprocedure:
1. Could43–128(2 )?No;therefore,wecarry43forwardtobesubtracted
fromthenextpowerof2(2 ).Therefore,wegeta0.
7
6
6
Telegram Channel : @IRFaraExam
2. Isitpossiblefor43–64(2 )?No;therefore,wecarry43forwardtobe
subtractedfromthenextpowerof2(2 ).Therefore,wegeta0.
3. Could43–32(2 )?Yes,givingusaremainderof11.Therefore,wegeta
1.
4. Could11–16(2 )?No;therefore,wecarry11forwardtobesubtracted
fromthenextpowerof2(2 ).Therefore,wegeta0.
5. Isitpossiblefor11–8(2 )?Yes,givingusaremainderof3.Therefore,
wegeta1.
6. Could3–4(2 )?No;therefore,wecarry3forwardtobesubtractedfrom
thenextpowerof2(2 ).Therefore,wegeta0.
7. Itispossiblefor3–2(2 )?Yes,givingusaremainderof1.Therefore,wegeta1.
8. Could1–1(2 )?Yes,witharemainderof1.Therefore,wegeta1to
concludeourprocess.
Thefinalanswerinbinaryistakingallthe1sand0sstartingfromstep1andplacingtheminsequentialorderfromstep1to8.Therefore,thebinaryvalueof43is00101011.
Thefollowingisavisualrepresentationofalleightstepsdemonstratingtheprocessweusetoconvertthedecimalvalue43intobinary:
6
5
5
4
2
3
2
1
1
0
Telegram Channel : @IRFaraExam
Figure3.12–Calculationfordecimalvalue43intobinary
Forourlastoctet,let'sconvert67intobinaryusingthesameprocedure:
1. Could67–128(2 )?No;therefore,wecarry67forwardtobesubtracted
fromthenextpowerof2(2 ).Therefore,wegeta0.
7
6
6
Telegram Channel : @IRFaraExam
2. Isitpossiblefor67–64(2 )?No;therefore,wecarry3forwardtobe
subtractedfromthenextpowerof2(2 ).Therefore,wegeta0.
3. Could3–32(2 )?No;therefore,wecarry3forwardtobesubtracted
fromthenextpowerof2(25).Therefore,wegeta0.
4. Could3–16(2 )?No;therefore,wecarry3forwardtobesubtracted
fromthenextpowerof2(2 ).Therefore,wegeta0.
5. Isitpossiblefor3–8(2 )?No;therefore,wecarry3forwardtobe
subtractedfromthenextpowerof2(2 ).Therefore,wegeta0.
6. Could3–4(2 )?No;therefore,wecarry3forwardtobesubtractedfrom
thenextpowerof2(2 ).Therefore,wegeta0.
7. Itispossiblefor3–2(2 )?Yes,givingusaremainderof1.Therefore,we
geta1.
8. Could1–1(2 )?Yes,witharemainderof0.Therefore,wegeta1to
concludeourprocess.
Thefinalanswerinbinaryistakingallthe1sand0sstartingfromstep1andplacingtheminsequentialorderfromstep1to8.Therefore,thebinaryvalueof43is01000011.
Thefollowingisavisualrepresentationofalleightstepsdemonstratingtheprocessweusetoconvertthedecimalvalue67intobinary:
6
5
5
4
2
3
5
2
1
1
0
Telegram Channel : @IRFaraExam
Figure3.13–Calculationfordecimalvalue67intobinary
Havingconvertedeachoctet,let'sputeverythingtogethertoseethebinarynumbers:
Telegram Channel : @IRFaraExam
Figure3.14–Binaryanddecimalequivalents
Wecanconcludethat172.19.43.67hasabinaryvalueof
10101100.00010011.00101011.01000011.
ImportantNote
Theconversionmethodsusedwithinthischaptercanonlybeappliedtovaluesrangingbetween0–255.
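Both conversion methods from this section, written out as an added example (this is not code from the book). The decimal-to-binary function follows the eight-step subtraction method exactly and returns each step's radix, yes/no decision and remainder, so the tables above can be reproduced; every octet is range-checked, which is the 0–255 restriction the Important Note states. The function names are my own.

```python
# Added example (not from the book): the two octet conversion methods of this
# section, with the 0-255 / exactly-8-bit restriction enforced on every octet.

RADIX = [2 ** i for i in range(7, -1, -1)]  # 128, 64, 32, 16, 8, 4, 2, 1


def octet_to_decimal(bits: str) -> int:
    """Binary -> decimal: a 1 (ON) adds the radix value, a 0 (OFF) skips it."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"not an 8-bit octet: {bits!r}")
    return sum(weight for bit, weight in zip(bits, RADIX) if bit == "1")


def subtraction_steps(value: int) -> list:
    """Decimal -> binary by the subtraction method.

    Returns one (radix, subtracted, remainder) tuple per step, from 2^7 down
    to 2^0, so the eight steps shown in the text can be printed or checked.
    """
    if not 0 <= value <= 255:
        raise ValueError(f"octet out of range 0-255: {value}")
    steps = []
    remainder = value
    for weight in RADIX:
        if remainder >= weight:          # "Can we carry out remainder - radix?" Yes -> 1
            remainder -= weight
            steps.append((weight, True, remainder))
        else:                            # No -> 0, carry the remainder forward
            steps.append((weight, False, remainder))
    return steps


def decimal_to_octet(value: int) -> str:
    """The 1s and 0s from the eight steps, placed in order from step 1 to step 8."""
    return "".join("1" if yes else "0" for _, yes, _ in subtraction_steps(value))


def binary_to_dotted(binary: str) -> str:
    octets = binary.split(".")
    if len(octets) != 4:
        raise ValueError("expected four dotted octets")
    return ".".join(str(octet_to_decimal(o)) for o in octets)


def dotted_to_binary(address: str) -> str:
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError("expected four dotted octets")
    return ".".join(decimal_to_octet(int(o)) for o in octets)


if __name__ == "__main__":
    print(binary_to_dotted("11000000.10101000.00000001.10000001"))  # 192.168.1.129
    print(dotted_to_binary("172.19.43.67"))  # 10101100.00010011.00101011.01000011
    for n, (weight, yes, rem) in enumerate(subtraction_steps(172), start=1):
        print(f"step {n}: 2^{weight.bit_length() - 1} = {weight:>3} -> "
              f"{'1' if yes else '0'} (carry {rem} forward)")
```

Running the block prints the two addresses used in this chapter and the eight steps for 172; feeding it a value such as 256 or a 9-bit string raises a ValueError rather than producing a silently wrong octet.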
Learning to perform decimal to binary conversions is an essential skill when learning CCNA as it plays a very important role in the later sections of this chapter. Now that you have learned about the essentials of performing binary and decimal conversions, let's take a dive into learning about the various transmission types on an IPv4 network.
Transmission types
When learning about IP addressing, there are many types of IPv4 and IPv6 addresses to know about. In this section, we will discuss the various types of IPv4 network transmissions and look at how they are applied to computer networks.
Unicast
Imagine you are standing within a crowd of people prior to the start of a business conference. You meet a fellow colleague and you start a conversation with them. This is a unicast type of communication as it's only between yourself and your colleague (not the entire crowd or multiple people). Similarly, on a computer network, this type of transmission occurs where one device is exchanging messages (packets) with only one other device.
On a network, a PC may be sending data to a local network printer or even uploading/downloading files from the local network storage server. This is a one-to-one transmission, commonly referred to as a unicast transmission.
The following diagram shows a graphical representation of a unicast transmission:
Figure 3.15 – Unicast transmission
Multicast
Using the same analogy, imagine that, while standing with your colleague and having a mutual discussion, three other people join the conversation. Now, you are speaking with five people in total from the entire crowd present at the business conference. At this point, you are having a multicast type of transmission as you are sending data to selected persons (your colleague and three others) from the entire crowd of people. In this analogy, we can see that when one person speaks to another, it is defined as a transmission. The concept of a transmission is also applied to a computer network where one device may communicate with one or more devices at the same time.
This type of communication is an example of a one-to-many transmission (multicast). The following is a graphical representation of a multicast transmission on a PC network:
Figure 3.16 – Multicast transmission
Multicast IPv4 addresses range from 224.0.0.0–239.255.255.255.
These addresses are typically used by network applications over a network. For example, the Open Shortest Path First (OSPF) version 2 routing protocol uses addresses 224.0.0.6 and 224.0.0.5 when exchanging OSPF packets between OSPF-enabled routers on a network.
Broadcast
Continuing with our analogy, the conference is about to start, and the attendees are being seated. However, you are one of the speakers during the conference. When it's your turn to speak, you head on over to the podium to address the audience. While speaking, the microphone and speakers are used to ensure your voice is audible across a wide space to ensure everyone can hear you at the same time. In this type of communication, you are speaking once, and your message is being sent to all the attendees within the conference room.
This is known as broadcast on a computer network, whereby a device sends a message to all other devices on the same IP network.
This type of communication is a one-to-all type of transmission. The following diagram shows a graphical representation of a broadcast transmission:
Figure 3.17 – Broadcast transmission
Applications and devices take advantage of using broadcast transmissions to easily send signals (messages) to all other devices on the same network. However, this can be problematic for network performance if there is a high volume of broadcast messages propagating the network.
Additionally, traffic storms or broadcast storms can occur on a network. This is when a high volume of broadcast messages are being sent to the Layer 2 broadcast MAC address, FF:FF:FF:FF:FF:FF, either from a single device or multiple devices.
During my time as an engineer within a regional Telco, I've seen both small and large organizations generate enormous amounts of unexpected broadcast traffic. Investigations show these storms arise due to many different reasons, from malicious applications running on their end devices, to faulty NICs creating corrupted frames and packets.
To configure broadcast storm controls on a Cisco IOS device, use the following commands:
Router#configure terminal
Router(config)#interface gigabitethernet 1/0
Router(config-if)#storm-control broadcast level 1.0
Router(config-if)#storm-control action shutdown
Router(config-if)#exit
The configurations are placed within interface mode, and the level ranges between 0.0–100.0 as a percentage value. Therefore, 1.0 means 1% of the interface's bandwidth, so that when the threshold is reached, the interface is shut down.
In the preceding configurations, 1% of the GigabitEthernet bandwidth is 1000 MB x 1% = 10 MB. Additionally, using the storm-control action shutdown command changes the device's interface to error-disable when the traffic storm threshold (1% bandwidth) is reached.
Important Note
Error-disable (err-disabled) means a violation has occurred on the interface and that IOS has logically shut down the port. This state is not administratively down. Administratively shutdown means an interface has been manually disabled or turned off.
To configure multicast storm controls on a Cisco IOS switch, use the following commands:
Router#configure terminal
Router(config)#interface gigabitethernet 0/1
Router(config-if)#storm-control multicast level 1.0
Router(config-if)#storm-control action shutdown
Router(config-if)#exit
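To make the threshold arithmetic and the err-disable behaviour concrete, here is an added example that models the storm-control evaluation described above. It is my own simplified model, not Cisco's implementation: it assumes the level is compared against the broadcast bit rate measured over a one-second interval, and that the shutdown action leaves the port err-disabled until an administrator recovers it. The per-second traffic samples are constructed values.

```python
# Added example (not Cisco's code): simplified model of the storm-control
# threshold check. Assumptions: level is a percentage of link bandwidth measured
# over one-second intervals; action 'shutdown' err-disables the port.
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    speed_mbps: int              # 1000 for a GigabitEthernet port
    level_pct: float             # storm-control level, 0.0-100.0 (% of bandwidth)
    action: str = "shutdown"     # 'shutdown' = err-disable; anything else = drop excess
    state: str = "up"
    log: list = field(default_factory=list)


def threshold_bps(iface: Interface) -> float:
    """Bits per second represented by the configured percentage of bandwidth."""
    if not 0.0 <= iface.level_pct <= 100.0:
        raise ValueError("storm-control level must be between 0.0 and 100.0")
    return iface.speed_mbps * 1_000_000 * iface.level_pct / 100.0


def evaluate_interval(iface: Interface, broadcast_bits: int, interval_s: float = 1.0) -> str:
    """Apply the threshold to one measurement interval and return the outcome."""
    if iface.state == "err-disabled":
        return "err-disabled"        # stays down: not administratively shut, but not forwarding
    rate = broadcast_bits / interval_s
    if rate < threshold_bps(iface):
        return "forwarded"
    if iface.action == "shutdown":
        iface.state = "err-disabled"
        iface.log.append(f"{iface.name}: broadcast storm detected "
                         f"({rate / 1e6:.1f} Mb/s >= {threshold_bps(iface) / 1e6:.1f} Mb/s), port err-disabled")
        return "err-disabled"
    iface.log.append(f"{iface.name}: broadcast above threshold, excess dropped")
    return "dropped"


def run_samples(iface: Interface, samples: list) -> list:
    """Evaluate a sequence of per-interval broadcast bit counts in order."""
    return [evaluate_interval(iface, bits) for bits in samples]


if __name__ == "__main__":
    gi = Interface("GigabitEthernet1/0", speed_mbps=1000, level_pct=1.0)
    print(f"threshold = {threshold_bps(gi) / 1e6:.0f} Mb/s")      # 1% of 1000 Mb/s = 10 Mb/s
    # constructed per-second samples: normal, normal, storm, quiet again
    print(run_samples(gi, [2_000_000, 4_000_000, 15_000_000, 1_000_000]))
    print(gi.log)
```

The fourth sample is quiet, yet the port reports err-disabled: that is the point of the Important Note that follows, since a port shut by storm control does not come back on its own when the storm ends.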
Having covered the most common types of transmissions in IPv4, let's take a look at the only one that is unique to IPv6: Anycast.
Anycast
Anycast is an IPv6 technology that functions as a one-to-closest type of transmission. Anycast allows multiple servers (or devices) to share the same IPv6 address. These servers can be physically located at different geographical locations around the world. This allows a client (user) to access the closest server using the Anycast address.
To understand how this works, let's use a real-world scenario. The Domain Name System (DNS) is an important service on the internet as its purpose is to resolve hostnames to IP addresses. Google has public DNS servers for both IPv4 and IPv6. The IPv6 primary address for Google's DNS server is 2001:4860:4860::8888. This is a single address but is accessible to any device connected to the internet. However, 2001:4860:4860::8888 is not only set on a single device on the internet; rather, it is shared between multiple DNS servers around the world that are owned by Google. As a user, when your device sends a message to the IPv6 address 2001:4860:4860::8888, the routing protocols and technologies of the internet will send your traffic to the closest Google DNS server that has the destination IPv6 address. Hence, Anycast is a one-to-closest transmission.
Now that we have covered the essentials of the four types of transmissions within an IP network, let's take a look at the various IPv4 address classes and spaces.
Classes of IPv4 addresses
Who determines which IPv4 address can be assigned to our internal devices, and those that are directly connected to, or facing, the internet? When the Internet Assigned Numbers Authority (IANA) became entrusted with the management of IP addresses, a portion of IPv4 addresses were made to be used on the internet and on the devices that are directly connected to the internet. Meanwhile, another portion was assigned to be strictly usable only on internal networks, such as a home network or within an organization.
In IPv4, there are two address spaces. These are as follows:
Public IPv4 address space
Private IPv4 address space
In the following sections, we will discuss each address space in further detail, describing the characteristics and uses of both public and private IP addresses.
Public IPv4 address space
We will first discuss the characteristics of the public IPv4 space. IANA has divided IP addresses into five classes. Each class of addresses can be assigned to a Layer 3 device, such as a router, modem, or any device that is directly connected to the internet, including a firewall appliance.
The following table shows each class and their IPv4 address ranges for the public space:
Figure 3.18 – IPv4 public address space
Classes A, B, and C can be assigned to any device that is directly connected to the internet, while Class D is reserved for multicast communications. Class E is reserved for experimental usage.
Important note
Further information on the IPv4 address space can be found at https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml.
Additionally, within the Class A, B, and C network ranges, there are certain network blocks missing. These missing network blocks from the public space are reserved for the private address space.
Important note
IPv4 Class D and Class E addresses can't be assigned to any devices.
Each device on the internet must have a unique IPv4 public address. This address is provided by the local ISP and the customer is responsible for assigning it to their company's router or firewall appliance.
The following diagram shows an organization that has a router to interconnect their private, internal network to the internet – the public network:
Figure 3.19 – Internet connectivity
As you can see, the public IP address is assigned to the public/internet-facing interface. In a real-world scenario, the public IP address is provided by the ISP to the customer. In the preceding diagram, Company X is the customer. The ISP usually provides the organization with a default gateway. This is an IP address within the ISP network that allows Company X to forward all their traffic destined for the internet via the ISP. However, residential customers (home users) are usually provided with a modem that is already pre-configured to receive a public IP address from the ISP and the default gateway configurations automatically.
These public addresses are usually said to be routable on the internet, as opposed to private IP addresses. In the next section, we will discuss the usage of private IPv4 addresses.
Private IPv4 address space
There are approximately four billion public IPv4 addresses in the world. To be exact, 2^32 is the number of addresses that exist in the public space. Four billion probably seems like a lot, but in today's world, this number of public IPv4 addresses has almost completely been exhausted. At the time of writing of this book, almost all RIRs have exhausted their public IPv4 address blocks.
Over the past decade, there has been a huge rise in manufacturing smart technologies such as mobile devices and internet-connected sensors. Each of these devices requires an IP to communicate over the internet. Furthermore, cloud computing has been skyrocketing, allowing organizations and individuals to deploy virtual machines on the cloud easily. These virtual machines require a unique IP address as well.
So, four billion isn't a huge amount of public IPv4 addresses considering that there are so many devices. Additionally, if each device on a private network (computers, servers, printers, and so on) were assigned a unique public IPv4 address, each RIR would have exhausted their IPv4 pools long before 2013.
If devices within a private network such as a home or within an organization are not using a public IPv4 address, what type of address are they using to communicate on the internet? RFC 1918 defines three classes of IPv4 addresses that are designated to be assigned only within a private network.
The following are the private IPv4 address spaces:
Figure 3.20 – Private IPv4 address space
Private IPv4 addresses, as defined in RFC 1918, are non-routable on the internet. This means any device that is directly connected to the internet can only use a public IP address. ISPs usually place a filter on the link between the ISP network and their customer to filter any IP address that is non-routable on the internet, which are those outlined in RFC 1918.
Important note
Further details on RFC 1918 can be found at https://tools.ietf.org/html/rfc1918.
Typically, when a residential or business customer subscribes to internet services for their homes or organizations, the ISP usually assigns a single public IPv4 address to the customer. For residential customers, a pre-configured fiber modem is usually provided that is automatically assigned a public IPv4 address from the ISP network. On the other hand, for business customers, the ISP sometimes provides the customer with the public IPv4 settings that are to be placed on the public-facing interface of the customer's router.
If private IPv4 addresses are non-routable on the internet, how are internal devices able to communicate on the internet? There is an IP service that allows the router or modem to translate a private IPv4 address into a public IPv4 address. This service is known as Network Address Translation (NAT).
The following diagram shows a NAT-enabled router interconnecting both a private and public network:
Figure 3.21 – Network segmentation of private and public IP address spaces
In Chapter 9, Configuring Network Address Translation (NAT), we will discuss the functionality of various types of NAT in more detail, as well as how to implement each variation on a Cisco IOS router.
Having completed this section, you are now able to identify IPv4 addresses that belong to both the public and private address spaces. In the next section, we are going to discuss the importance of the subnet mask and how it helps us in the world of computer networking.
Special IPv4 addresses
In the IPv4 address space, there are three special network blocks that are reserved for special usage. These special IPv4 addresses are as follows:
Loopback address
Test-Net
Link Local
In this section, we will look at each of their characteristics and use cases.
Loopback address
The loopback range of addresses is built into the TCP/IP protocol suite. This range of addresses allows an application running on a host machine to communicate with an application on the same machine. To put it more simply, loopback addresses allow a host operating system to send network traffic to itself.
The network block is reserved for loopback and has the range 127.0.0.1/8 to 127.255.255.254/8. Therefore, to test the functionality of the TCP/IP protocol suite, you can ping any address from the loopback range. Most commonly, network professionals ping the 127.0.0.1 address.
Test-Net
According to RFC 3330, the block of addresses 192.0.2.0/24 to 192.0.2.255/24 is created for usage within protocol and vendor documentation. As such, these addresses should not be used on the internet via any device. The Test-Net network block is designed for educational purposes.
Link Local
Most commonly, whenever you connect a device such as a smartphone or computer to a network, the device seeks out a Dynamic Host Configuration Protocol (DHCP) server, which provides automatic assignment of IP configurations to the device. Without an IP address, a subnet mask, and a default gateway, your device will not be able to communicate on the local network, and without a default gateway, there is no connectivity to the internet.
In the event that a device connects to a network where there is no active DHCP server to provide automatic IP configurations, the device will automatically assign itself a special address. This is known as the Automatic Private IP Addressing (APIPA) scheme. It has a network block of 169.254.0.0/16, and the APIPA network has the range of 169.254.0.1/16 to 169.254.255.254/16.
The purpose of APIPA is to enable devices within the same LAN to establish at least a basic form of communication between themselves until an active DHCP server is made available.
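The class, public/private and special-purpose rules from the last two sections can be checked in one place. The following is an added example of my own (not from the book) that classifies any IPv4 address using the standard library; the class boundaries, the three RFC 1918 blocks and the loopback, Test-Net and APIPA blocks are the standard IANA/RFC values, and the `assignable` flag (my own name) marks whether an address may be statically configured on a device.

```python
# Added example (not from the book): classify an IPv4 address by class, by
# public vs RFC 1918 private space, and by the special blocks in this section.
import ipaddress

PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]   # RFC 1918

SPECIAL_BLOCKS = {
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "test-net": ipaddress.ip_network("192.0.2.0/24"),                  # RFC 3330
    "link-local (APIPA)": ipaddress.ip_network("169.254.0.0/16"),
}


def address_class(ip: ipaddress.IPv4Address) -> str:
    """Classful letter, decided by the value of the first octet."""
    first = int(ip) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"      # multicast
    return "E"          # experimental


def classify_ipv4(text: str) -> dict:
    ip = ipaddress.IPv4Address(text)      # raises on malformed input
    cls = address_class(ip)
    result = {"address": text, "class": cls, "scope": "public", "assignable": True}
    # Special blocks first: they overlap the classful ranges.
    for name, block in SPECIAL_BLOCKS.items():
        if ip in block:
            result.update(scope=name, assignable=False)
            return result
    if cls == "D":
        result.update(scope="multicast", assignable=False)
    elif cls == "E":
        result.update(scope="reserved (experimental)", assignable=False)
    elif any(ip in block for block in PRIVATE_BLOCKS):
        result.update(scope="private")
    return result


def non_routable(text: str) -> bool:
    """True for addresses an ISP edge filter would not forward on the internet."""
    return classify_ipv4(text)["scope"] != "public"


if __name__ == "__main__":
    for sample in ("172.19.43.67", "8.8.8.8", "224.0.0.5", "127.0.0.1",
                   "169.254.10.1", "192.0.2.1", "240.1.1.1"):
        print(classify_ipv4(sample))
```

`non_routable` is the check an ISP-side filter such as the one the text describes would apply: everything that is not public space (RFC 1918, loopback, APIPA, Test-Net, multicast and Class E) is rejected at the customer link.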
Having completed this section and learned about the various types of IPv4 addresses, let's take a look at understanding the purpose of the subnet mask.
Subnet mask
An IP address is not complete without being associated with a subnet(work) mask. The subnet mask has the following characteristics and responsibilities on a network:
IPv4 subnet masks are 32 bits in length, while IPv6 subnet masks are 128 bits.
A subnet mask is used to identify both the network and host portions of an IP address.
A subnet mask is used to assist us and network devices in determining the total number of networks, as well as the total usable IP addresses that exist on an IP subnet.
The subnet mask is used to help a host device determine whether a packet should be sent to the default gateway if the intended destination is beyond the local network.
As we have learned in the previous sections, there are typically three classes (A, B, and C) of assignable IP addresses for both public and private address spaces. Similarly, there are three default subnet masks, one for each class of IPv4 address.
The following are the three default subnet masks for each class:
Class A: 255.0.0.0
Class B: 255.255.0.0
Class C: 255.255.255.0
If you are using an IP address from a Class A network such as 10.1.2.3, the associated default subnet mask will be 255.0.0.0. A Class B IPv4 address such as 172.15.5.6 will be associated with the Class B subnet mask 255.255.0.0, and so on for a Class C address as well. However, in a lot of situations, custom subnet masks are assigned to IP addresses. In the next section, Subnetting, we will cover the topics of subnetting and VLSM, where you will learn about custom subnet masks.
Network prefix
Prior to starting your journey in gaining your CCNA certification, you may have seen an IP address such as 10.10.1.2/8 and wondered what the /8 part was all about. This is known as the network prefix. The network prefix is another format that is commonly used within the computer networking world to represent a subnet mask in a simplified form.
You are probably wondering how /8 is equal to 255.0.0.0. To answer this question, let's take a look at the binary format of the subnet mask:
Decimal format: 255.0.0.0
Binary format: 11111111.00000000.00000000.00000000
When writing a subnet mask in binary, it's always written with a continuous length of 1s. There are no 0s between any 1s within a subnet mask; the 0s are placed after the stream of 1s has ended. Looking at the previous example, there are eight 1s within the 255.0.0.0 subnet mask. Therefore, the network prefix can be written as /8 to represent a default Class A subnet mask.
Let's determine the network prefix for a Class B subnet mask:
Decimal format: 255.255.0.0
Binary format: 11111111.11111111.00000000.00000000
In this example, there are a total of 16 1s within the subnet mask. Therefore, the network prefix can be denoted as /16.
Lastly, in calculating the network prefix for the default Class C subnet mask, we get the following:
Decimal format: 255.255.255.0
Binary format: 11111111.11111111.11111111.00000000
As expected, there are 24 1s within the default Class C subnet mask, so we get a /24 network prefix.
When attempting to determine the network prefix of a custom subnet mask, we convert each octet of the custom subnet mask into binary. Your results should provide you with a continuous stream of 1s. Calculating the total number of 1s will give you the /x value, where x is the number of 1s in the subnet mask.
Let's imagine you have to determine the network prefix for the following:
IP address: 192.1.2.3
Subnet: 255.255.224.0
Perform the following steps to quickly gain our answer:
1. Convert the first octet into binary. We will get 255 = 11111111.
2. Convert the second octet into binary. We will also get 255 = 11111111.
3. Converting the third octet, we get 224 = 11100000.
4. For the last octet, 0 = 00000000.
5. Putting the entire binary subnet together, we get 11111111.11111111.11100000.00000000. There are 19 1s in the subnet mask 255.255.224.0, so we can simply denote the network prefix as /19 and the IP address as 192.1.2.3/19.
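The five steps above, as an added example of my own (not code from the book): the mask is expanded to binary octet by octet, the 1s are counted, and the "continuous stream of 1s" rule is enforced rather than assumed, so a mistyped mask such as 255.0.255.0 is rejected instead of being reported as /16. The reverse direction (prefix back to dotted-decimal mask) is included because the two forms are used interchangeably in the rest of the chapter. Function names are my own.

```python
# Added example (not from the book): dotted-decimal subnet mask <-> /x prefix,
# with the contiguous-1s rule enforced.

def mask_to_bits(mask: str) -> str:
    """Step 1-4: each octet to eight binary digits, e.g. 11111111.11111111.11100000.00000000."""
    octets = mask.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {mask!r}")
    values = [int(o) for o in octets]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet out of range 0-255: {mask!r}")
    return ".".join(f"{v:08b}" for v in values)


def mask_to_prefix(mask: str) -> int:
    """Step 5: count the 1s, after checking they form one continuous run."""
    bits = mask_to_bits(mask).replace(".", "")
    ones = bits.count("1")
    if bits != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"non-contiguous subnet mask: {mask} = {mask_to_bits(mask)}")
    return ones


def prefix_to_mask(prefix: int) -> str:
    """/x back to dotted decimal: the top x bits of a 32-bit word set to 1."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def with_prefix(ip: str, mask: str) -> str:
    """Write an address in prefix notation, e.g. 192.1.2.3/19."""
    return f"{ip}/{mask_to_prefix(mask)}"


if __name__ == "__main__":
    print(mask_to_bits("255.255.224.0"))       # 11111111.11111111.11100000.00000000
    print(with_prefix("192.1.2.3", "255.255.224.0"))   # 192.1.2.3/19
    print(prefix_to_mask(19))                  # 255.255.224.0
    try:
        mask_to_prefix("255.0.255.0")
    except ValueError as err:
        print("rejected:", err)
```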
Now that you have the skills to calculate the network prefix, let's take a deeper look at identifying the Network ID.
Identifying the Network ID
Configuring IP addresses and subnet masks on devices is a simple task. However, if either an IP address or subnet mask is incorrectly assigned to a device on the network, the device will not be able to communicate with others. To illustrate this theory, the following diagram shows a computer that is unable to communicate with the router:
Figure 3.22 – Small network
Considering all the devices are powered on and the right cables are being used to connect each device to another, what could be the issue? As we can see, the IP addresses and subnet mask seem to be correct as they are just a few IP addresses apart, but is this really accurate? Let's determine if the PC and router both exist on the same logical network. Visually, both devices exist on the same physical network, but in the field of networks, we can logically segment a physical network into multiple logical IP networks.
In this scenario, let's perform some calculations to determine if the PC is on the same logical network as the router, thus determining the Network ID for each device. The Network ID is simply the community address, similar to a neighborhood where each home shares the same community address with differing house or mailbox numbers.
To determine the Network ID, you need to perform a logical operation known as ANDing between the IP address and subnet mask of a device.
The following are the laws of AND:
0 AND 0 = 0
0 AND 1 = 0
1 AND 0 = 0
1 AND 1 = 1
We can determine whether two devices are on the same logical network as follows:
1. Convert the computer's IP address and subnet mask into binary format and apply the laws of AND. When the IP address is ANDed against the subnet mask, the result is known as the Network ID.
The following snippet shows the ANDing process for PC1:
Figure 3.23 – Network ID for PC1
2. Convert PC1's Network ID into decimal, which determines that PC1 belongs to the 192.168.1.0/25 network.
3. Let's perform the ANDing operation on the router's IP address and subnet mask.
The following snippet shows the ANDing process for the router:
Figure 3.24 – Network ID for the router
4. Converting the router's Network ID into decimal, we can determine that the router belongs to the 192.168.1.128/25 network.
In conclusion, even though the preceding diagram shows that the devices are physically interconnected, this does not mean that each device has end-to-end connectivity with the others. In our calculation, we have proved that both the computer and the router were on different logical networks, hence they won't be able to intercommunicate. To solve such issues, it's a matter of assigning the PC an IP address from the router's network or vice versa.
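The ANDing procedure from steps 1 to 4, as an added example of my own (not from the book). The PC1 and router addresses below are constructed samples chosen so that they land in the two networks the figures report (192.168.1.0/25 and 192.168.1.128/25); the exact addresses in the diagram are not reproduced here. The broadcast-address helper is an extension of the same bit arithmetic, since the broadcast address is referred to later in the chapter.

```python
# Added example (not from the book): Network ID by ANDing address and mask,
# plus the same-network check the troubleshooting scenario calls for.

def dotted_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 dotted-decimal value: {addr!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_bits(value: int) -> str:
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def network_id(ip: str, mask: str) -> str:
    """Laws of AND applied bit by bit: only 1 AND 1 gives 1, so host bits drop to 0."""
    return int_to_dotted(dotted_to_int(ip) & dotted_to_int(mask))


def broadcast_address(ip: str, mask: str) -> str:
    """Host bits all set to 1: OR the address with the inverted mask."""
    inverted_mask = ~dotted_to_int(mask) & 0xFFFFFFFF
    return int_to_dotted(dotted_to_int(ip) | inverted_mask)


def anding_table(ip: str, mask: str) -> str:
    """The three rows the figures show: address, mask and their AND, in binary."""
    net = dotted_to_int(ip) & dotted_to_int(mask)
    return "\n".join([
        f"IP address : {to_bits(dotted_to_int(ip))}  = {ip}",
        f"Subnet mask: {to_bits(dotted_to_int(mask))}  = {mask}",
        f"Network ID : {to_bits(net)}  = {int_to_dotted(net)}",
    ])


def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both addresses AND down to the same Network ID under this mask."""
    return network_id(ip_a, mask) == network_id(ip_b, mask)


# Constructed sample addresses (not the diagram's), both with a /25 mask.
PC1 = ("192.168.1.10", "255.255.255.128")
ROUTER = ("192.168.1.129", "255.255.255.128")

if __name__ == "__main__":
    print(anding_table(*PC1))
    print()
    print(anding_table(*ROUTER))
    print("same logical network:", same_network(PC1[0], ROUTER[0], PC1[1]))   # False
```

With the sample values the PC resolves to 192.168.1.0/25 and the router to 192.168.1.128/25, so `same_network` returns False, which is the conclusion the text reaches; changing the PC address to 192.168.1.130 makes the check pass.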
NowthatyouhavetheskillstodetermineNetworkIDsandhelpsolveinterconnectivityissuesonanetwork,let'slearnhowtoperformsubnetting.
SubnettingHearingthewordsubnettingcanbeabitintimidatingwhenlearninganetworking-relatedcertification.However,learningsubnettingisunavoidableonyourjourneytobecominganawesomenetworkengineer.Youmaybewondering,whatissubnettingandwhydoweneedtolearnhowtoperformthis
Telegram Channel : @IRFaraExam
taskasanetworkingprofessional?Togetabetterunderstandingoftheanswertothisquestion,let'suseasimpleanalogy.Let'simagineyouarethenetworkadministratoratacompanythathas6networks,andeachofthesenetworkshas
nomorethan50devicesthatrequireanIPaddress.
ItwouldbeeasytosimplytakeaClassCnetworkblocksuchas192.168.1.0/24andassignittothenetwork,thenchooseanotherClassC
addressblocktoassigntothenextnetwork,andsoon.Thefollowingisatypicalworkablesolutionforassigningnetworkblockstothe6networks:
Network1:192.168.1.0/24
Network2:192.168.2.0/24
Network3:192.168.3.0/24
Network4:192.168.4.0/24
Network5:192.168.5.0/24
Network6:192.168.6.0/24
Usingsuchanaddressingschemeisworkablebutitisdefinitelynotefficient.Let'stakealookatwhy.Inourscenario,eachnetworkhas50devicesorless.Todeterminewhythisisn'tasuitablesolution,let'sfirstdeterminethenumberofusableIPaddressesperClassCnetworkblockusingthefollowingformula:
UsableIPaddresses=2 -2
ImportantNote
H
Telegram Channel : @IRFaraExam
OnanIPv4network,boththeNetwork-IDandBroadcastIPaddressescan'tbeassignedtoanydevice.Therefore,wesubtract2fromthetotalnumberofIP
addressestogettheusableamountonanetwork.
SincethereareeighthostbitsinanyoftheClassCnetworks,wegetthefollowingresults:
UsableIPaddresses=2 –2
=2 –2
=256–2
=254usableIPaddressesper
ClassCnetwork
Ineffect,eachnetworkwillhaveawastageofapproximately204IPaddresses
(254–50hosts).Imagineifeveryoneassignedhugenetworkblockstotheir
networkinfrastructurewithoutbeingconcernedaboutthewastageofaddresses.Onalargerscale,ifISPsdistributedlargenetworkblockstoorganizationswhodonotrequiremorethanjustafewIPaddresses,thepublicIPv4networkblockswouldhavebeenexhausteddecadesago.
Thisbringusbacktounderstandingthereasonswhyweneedtosubnet.Theprocessofsubnettinghasthefollowingbenefits:
ToefficientlydistributeIPaddresseswiththeleastwastage
Tocreatemorenetworkswithsmallerbroadcastdomains
Whyishavingalargebroadcastdomainabadthing?Imaginethatanetworkhasapproximately300devices,andafewhostsaregeneratingunnecessary
H
8
Telegram Channel : @IRFaraExam
broadcastpackets.Alltheotherdeviceswillreceivethebroadcastmessageandprocessit.Alargebroadcastdomainwithmanyhostdevicescan,ineffect,slownetworkoperationsifthereisasignificantamountofnetworktraffic,suchasbroadcaststorms.Toputthissimply,it'slikerush-hourinthemorningorevening,wheretherearetoomanyvehiclesontheroad.Thisresultsintrafficcongestionandcommuterstakinglongertoreachtheirdestination.
Bycreatingsubnets,youcanreducethesizeofabroadcastdomain.UsingaLayer3switchorarouter,thesesubnetscanbeinterconnected,thusallowingusersanddevicestocommunicate.Subnetscanbedeterminedbythelocationofbranchesanddepartmentswithinabuilding,suchasHumanResources,Accounting,Sales,Administration,andsoon.
Tofurtherhelpyouunderstandsubnetting,let'stakeadiveintosomehands-onexercises.Togetstarted,let'screateasimplescenario.ImagineyouarethenetworkadministratorforCompanyX,afictional-basedcompanywithfourofficelocations.EachbranchhastheirownLAN,andeachbranchisconnectedtotheHQlocation.
Thefollowingdiagramshowsavisualrepresentationofthenetworktopology:
Telegram Channel : @IRFaraExam
Figure3.25–Networkdiagram
YourobjectiveistodesignanIPschemetoensuretheleastwastageandthateachbranchlocationhastheirownsubnet.Togetstartedwiththisassignment,thefollowingsectionswillguideyouthroughhowtocreateanefficientdesignforthenetworktopology.
Step1–DeterminingtheappropriateIPaddressTobegin,let'sdeterminewhichclassofIPaddressingismostsuitableforour
Telegram Channel : @IRFaraExam
networktopology.Asyoumayrecall,therearethreeaddressclasses:A,B,andC.EachclasshasauniquenumberofavailableIPaddressesbasedontheirdefaultsubnetmasks.
Tohelpusfigureoutwhichisthebestclass,let'susethefollowingformulatodeterminethetotalnumberofIPaddressesofeachclass:
TotalnumberofIPaddresses=2
Here,HrepresentsthenumberofhostbitsinanetworkID,whichis4.
Inthisstep,weareusingthesubnetmasktohelpusdeterminethenumberofIPaddressavailableinanetwork.The1sinthesubnetmasksidentifythenetworkportionofanIPaddress,whilethe0sidentifythehostportionofanIPaddress.
Thefollowingtableillustratesthedefaultsubnetsforeachclassandtheirbinaryequivalent:
Figure3.26–Subnetmasks
Let'useourformula,adjustto2 ,todeterminethetotalnumberofIPv4
addressesperclass:
ClassA=adjustto2 =16,777,216totalIPaddresses
H
H
24
16
Telegram Channel : @IRFaraExam
ClassB=adjustto2 =65,536totalIPaddresses
ClassC=adjustto2 =256totalIPaddresses
Furthermore,whenassigningIPv4addressesonanetwork,therearetwoaddressesthatcan'tbeassigned.ThesearetheNetworkIDandbroadcastaddresses.Therefore,todeterminethenumberofusableIPaddresses,youneedtosubtracttwoaddressesfromthetotalnumberofIPaddressesforanetworkblockorsubnet.
TocalculatethenumberofusableIPaddresses,usethefollowingformula:
NumberofUsableIPaddresses=adjustto2 -2
Thefollowingarethenumberofusable(assignable)IPv4addressesforthefollowingclass:
ClassA=Adjustto2 –2=16,777,214usableIPaddresses
ClassB=Adjustto2 –2=65,534usableIPaddresses
ClassC=Adjustto2 –2=254usableIPaddresses
Next,weneedtoidentifythetotalnumberofnetworkswithinthetopologyandthesizeofeachnetwork.Wehavethefollowingsevennetworks:
HQLAN:28hosts
BranchALAN:26hosts
BranchBLAN:25hosts
16
8
H
24
16
8
Telegram Channel : @IRFaraExam
BranchCLAN:15hosts
WAN1(R1-R2):2IPsareneeded
WAN2(R2-R3):2IPsareneeded
WAN3(R3-R4):2IPsareneeded
UsingaClassAisnotsuitableastherewillbeover16millionIPaddressesbeingwasted.UsingaClassBwillresultinappropriately65,000addresses
beingwasted.ThisleavesuswithusingaClassCnetworkblock(asit'sthesmallestnetworkblockavailable),with254usableIPaddresses.
ImportantNote
Keepinmindthatwhencreatingsubnets,eachnewlycreatedsubnetworkmustbeabletofitthelargestnetworkinyourtopology.
Overthefollowingsteps,wewillbeusingthesubnetmasktohelpusdeterminewhatportionofthenetworkIDorIPaddressisthenetworkportion,andwhatpartisthehostportion.
Step2–Creatingnewsubnets(subnetworks)Whencreatingsubnetworks(subnets),weneedtoconvertthebitsonthehostportionoftheaddressintonewnetworkbits.Thisprocessallowsustocreatenewnetworks(subnets)whilereducingthenumberofIPspernetwork.
Telegram Channel : @IRFaraExam
Togetstarted,let'susetheClassCnetworkblock192.168.1.0/24.When
weconvertboththeIPaddressandsubnetmask,thefollowingresultswillbeobtained:
Figure3.27–NetworkIDanddefaultsubnetmask
The1sinthesubnetmasktellsustheportionoftheIPaddressthatbelongstothenetwork,whilethe0sinthesubnetmaskindicatethehostportionoftheIPaddress.Asyoucansee,thenetworkportionoftheaddressisthefirst24bits,
whilethelast8bitsrepresentthehostportion.Remember,allthehostsona
subnetwillhavethesamenetworkportionfortheirIPaddress,whileeachhostwillhaveauniquevalueinthehostportion.
We can use the following formula to determine the number of networks:
Number of subnets = 2^N
N represents the number of host bits we are going to convert into new network bits.
In the previous image, where the 1s stop in the subnet mask, we can begin taking host bits to convert. Let's take two host bits and substitute them in our formula to determine the number of networks we can create:
Figure 3.28 – Using two host bits
When we take bits from the host portion of the address, the subnet bits are changed to 1s to represent the network portion of the address.
To calculate the number of subnets, use the following formula:
Number of subnets = 2^N
2^2 = 2 x 2 = 4 subnets
Using 2 bits isn't sufficient as it only gives us 4 subnets. However, our goal is to create 7 subnets, with each subnet having the capacity to support our largest network of 28 hosts. Let's take an additional host bit and perform our calculations one more time:
Figure 3.29 – Using three host bits
We do this using our formula, where N = 3:
Number of subnets = 2^N
2^3 = 2 x 2 x 2 = 8 subnets
Using the 3 bits, we get 8 subnets. Keep in mind that we really need 7 subnets, but using 2 bits from the host portion was not sufficient. Therefore, we need to use the 3 bits and make them into network bits. The additional eighth network can be reserved for future usage.
Having established that 3 bits are being taken from the host portion of the address, we are left with 5 host bits. We need to ensure these host bits are sufficient to create enough IP addresses to fit our largest network in the topology. Therefore, we can use the following formula to determine the total number of IP addresses per network:
Total number of IP addresses = 2^H
2^5 = 2 x 2 x 2 x 2 x 2 = 32 total IP addresses
These 5 host bits give us a total of 32 IP addresses per subnet. However, we cannot assign two specific IPv4 addresses to any device: the Network ID address and the broadcast IP address. Therefore, we can use the following formula to calculate the number of usable IP addresses:
Number of usable IP addresses = 2^H – 2
2^5 – 2 = 32 – 2 = 30 usable IP addresses
This means that, based on our calculations, we will be able to take three host bits from the address and create a total of 8 subnets. Each of these eight subnetworks will have 30 usable IP addresses. We now have a workable solution. Lastly, when taking bits from the host portion, the subnet bits must also be changed from 0s to 1s. The 1s represent the network portion of the address. Since we took 3 host bits, we have a new subnet mask for each of the new subnets we are about to create. Therefore, our new subnet mask for each of the 8 networks is 255.255.255.224, with a network prefix of /27.
Important note
Keep in mind that each time we perform a subnetting process, the original network is broken down and each new network we create is smaller than the original. However, each subnetwork that's created is of equal size.
Before we begin to create the actual subnetworks, please be sure to use the following guidelines:
Do not modify the original network portion of the IP address (the first 24 bits).
Do not modify the new host portion of the IP address (the last 5 host bits).
Only modify the new network bits (the 3 host bits that we are converting into network bits).
When modifying the new network bits, we simply change the 0s into 1s to create all the different possibilities. The following are the calculations used to create the 8 new subnets:
Figure 3.30 – Creating eight subnets
Always remember to start with the original Network ID when performing subnetting. In our calculations, the first subnet is the 192.168.1.0/27 network. Each of our subnets is an increment of 32, and this value is derived from our formula, which is used to calculate the number of total IP addresses.
Tip
At times, calculating the binary may be challenging. However, each subnet is equal in size. This means using the formula 2^x (x represents the number of host bits) will provide you with the incremental value for each Network ID. This technique will help you in calculating the new Network IDs (subnets) quickly. Additionally, the last subnet (Network ID) in your calculation always ends with the last part of the new subnet mask.
Now that we have calculated all our Network IDs (subnets), in the next step, you will learn how to calculate the network range for a subnet.
Step 3 – Assigning subnets to each network
In this step, we are going to perform a few tasks, such as calculating the network ranges (that is, the first and last usable IP address, along with the broadcast IP, for each network). To perform your calculations efficiently, use the following guidelines:
Calculate all subnets (Network IDs) as your first task.
To calculate the first usable IP address, use the Network ID + 1 formula. In binary, the first bit from the right is set to 1.
To calculate the broadcast IP address, use the Next Network ID – 1 formula. In binary, all host bits are changed to 1s.
To calculate the last usable IP address, use the Broadcast IP address – 1 formula. In binary, all host bits are 1s except for the last bit in the address.
Now, let's apply our guidelines, calculate the first subnet range, and assign it to the HQ LAN network:
Figure 3.31 – Subnet 1 range
Next, let's calculate the second subnet and assign it to the Branch A LAN:
Figure 3.32 – Subnet 2 range
Next, let's calculate the third subnet and assign it to the Branch B LAN:
Figure 3.33 – Subnet 3 range
Next, let's calculate the fourth subnet and assign it to the Branch C LAN:
Figure 3.34 – Subnet 4 range
We can successfully assign the first 4 subnets to each of the LANs in each respective location. However, we still need to assign subnets to the WAN links that are interconnecting each branch to the head office network. There are four subnets remaining. We can take any three of the remaining subnets and assign them to each of the WAN links, but this will not be efficient as each of the WAN links in the topology only requires two IP addresses on the router's interfaces, as follows:
WAN 1 (R1-R2): 2 IPs are needed.
WAN 2 (R2-R3): 2 IPs are needed.
WAN 3 (R3-R4): 2 IPs are needed.
Taking any one of the subnets to assign to any of the WAN links will result in the following wastage:
Usable IP addresses per subnet = 2^H – 2
2^5 – 2 = 32 – 2 = 30 usable IP addresses
The following is what we get when using only two IPs from a subnet:
30 – 2 = 28 IP addresses will be wasted
We can use a slightly more advanced technique known as Variable-Length Subnet Masking (VLSM) to break a subnet down into smaller subnetworks. Since we have four remaining subnets from our original calculations, let's reserve the following subnets for future usage:
Figure 3.35 – Reserve subnets
In the next step, we will cover how to use VLSM to break the eighth subnet, 192.168.1.224/27, down into smaller networks to fit our WAN links.
Step 4 – Performing Variable-Length Subnet Masking (VLSM)
Performing VLSM calculations is simply subnetting a subnet. For each of our WAN links, we only require two usable IP addresses on each link. To determine the number of host bits required to give us two usable IP addresses, use the following formula:
Number of usable IP addresses = 2^H – 2
Here, H is the number of host bits taken from the right.
For a better visual, let's convert the eighth subnet into binary:
Figure 3.36 – Binary
If we use the 32nd bit (1 bit) of the network ID, 192.168.1.224/27, within our formula – 2^1 – 2 – the result is 0 usable IP addresses. Therefore, 1 host bit is not sufficient. Let's use an additional host bit; that is, 2^2 – 2 = 2 usable IP addresses. Now that we have a workable solution, we simply need to permanently make the last 2 bits (00) from the Network ID 192.168.1.224 the only host bits, while the remaining host bits are converted into network bits. This is a little bit of reverse engineering, where we start by calculating the host IP addresses first, followed by the number of networks.
Furthermore, we will have three new network bits, which provides us with the following formula:
Number of subnets = 2^N
2^3 = 2 x 2 x 2 = 8 subnets
Additionally, we can flip the new network bits in the subnet mask, as shown here:
Figure 3.37 – New subnet mask
Hence, each of the 8 newly created subnets will have a subnet mask of 255.255.255.252, or a network prefix of /30.
Let's calculate the total number of IP addresses per subnet and our network incremental value:
Total number of IP addresses = 2^H
2^2 = 4 total IP addresses
Here, each network will have only two usable IP addresses: 2^2 – 2 = 4 – 2 = 2.
Before we begin to create the new subnetworks from the 192.168.1.224/27 network block, please be sure to use the following guidelines:
Do not modify the original network portion of the IP address (the first 27 bits).
Do not modify the new host portion of the IP address (the last 2 host bits).
Only modify the new network bits (the 3 host bits that we are converting into network bits).
When modifying the new network bits, we simply change the 0s into 1s to create all the different possibilities. The following are the calculations to create the 8 new subnets:
Figure 3.38 – Networks created via the VLSM network
Now, we have 8 new networks that can be used for point-to-point WAN links. Let's calculate and assign the subnets accordingly.
Let's calculate the first subnet and assign it to WAN 1 (R1-R2):
Figure 3.39 – WAN 1 allocation
Next, let's calculate the second subnet and assign it to WAN 2 (R2-R3):
Figure 3.40 – WAN 2 allocation
Next, let's calculate the third subnet and assign it to WAN 3 (R3-R4):
Figure 3.41 – WAN 3 allocation
Having allocated the first three subnets of the /30 networks, we are left with five additional networks, as shown here:
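The Step 2 to Step 4 procedure above, carried out in code as an added example that is not part of the book: the script below takes the seven networks and the 192.168.1.0/24 block, converts enough host bits for the largest LAN to get the /27 subnets, computes each range as in Step 3, and then applies VLSM to the eighth /27 for the WAN links. The NETWORKS table layout and the function names are my own assumptions.

```python
import ipaddress

# Constructed from the chapter's topology: network name -> hosts required.
NETWORKS = {
    "HQ LAN": 28,
    "Branch A LAN": 26,
    "Branch B LAN": 25,
    "Branch C LAN": 15,
    "WAN 1 (R1-R2)": 2,
    "WAN 2 (R2-R3)": 2,
    "WAN 3 (R3-R4)": 2,
}


def host_bits_needed(hosts):
    """Smallest H with 2**H - 2 >= hosts (network ID and broadcast are excluded)."""
    h = 1
    while 2 ** h - 2 < hosts:
        h += 1
    return h


def subnet_range(net):
    """(Network ID, first usable, last usable, broadcast), the Step 3 guidelines."""
    first = net.network_address + 1          # Network ID + 1
    bcast = net.broadcast_address            # next Network ID - 1
    return (str(net.network_address), str(first), str(bcast - 1), str(bcast))


def split_block(block, host_bits):
    """Keep host_bits host bits; the remaining host bits become network bits."""
    new_prefix = block.max_prefixlen - host_bits
    return list(block.subnets(new_prefix=new_prefix))


def plan(block="192.168.1.0/24"):
    """Return ({name: (subnet, net_id, first, last, bcast)}, reserved /27s, spare /30s)."""
    block = ipaddress.ip_network(block)
    lans = {n: h for n, h in NETWORKS.items() if h > 2}
    wans = {n: h for n, h in NETWORKS.items() if h <= 2}
    # Step 2: the largest LAN (28 hosts) dictates 5 host bits, so /27 subnets.
    lan_subnets = split_block(block, host_bits_needed(max(lans.values())))
    allocation = {}
    for name, sub in zip(lans, lan_subnets):
        allocation[name] = (str(sub),) + subnet_range(sub)
    # Subnets left after the LANs, except the last one, are reserved for the future.
    reserve = [str(s) for s in lan_subnets[len(lans):-1]]
    # Step 4: VLSM, subnet the eighth /27 again with only 2 host bits (/30) for WAN links.
    wan_subnets = split_block(lan_subnets[-1], host_bits_needed(2))
    for name, sub in zip(wans, wan_subnets):
        allocation[name] = (str(sub),) + subnet_range(sub)
    spare = [str(s) for s in wan_subnets[len(wans):]]
    return allocation, reserve, spare


if __name__ == "__main__":
    alloc, reserved, spare = plan()
    for name, row in alloc.items():
        print(f"{name:14} {row[0]:18} first {row[2]:15} last {row[3]:15} bcast {row[4]}")
    print("reserved /27s:", reserved)
    print("spare /30s:", spare)
```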
connected appliances to home security systems. The need for internet connectivity is an ever-increasing demand, hence the creation of a new address space.
The following is a brief summary of IPv4 exhaustion statistics:
APNIC: Exhausted in April 2011
RIPE NCC: Exhausted in September 2012
LACNIC: Exhausted in June 2014
ARIN: Exhausted in July 2015
AfriNIC: Expected to be exhausted in 2019
This is where IP version 6 comes in. Back in December 1995 (circa), the IANA was entrusted to manage the IPv6 addressing scheme (RFC 1881). This means that IPv6 was developed and ready for distribution a long time ago. IANA, RIRs, and ASes were waiting for the last set of public IPv4 addresses to be exhausted before distributing and assigning IPv6 addresses to customers and internet-connected devices.
Unlike IPv4 – which is 32 bits in length with approximately four billion public IPv4 addresses – an IPv6 address is 128 bits in length, which provides approximately one undecillion (10^36) addresses. Each IPv6 address has eight hextets, each of which is made up of 16 bits. This means 8 hextets x 16 bits per hextet = 128 bits.
Additionally, IPv6 is written using hexadecimal values and not decimal, as with IPv4. Hexadecimal values have the following range:
0 1 2 3 4 5 6 7 8 9 A B C D E F
Each hextet has the range 0000–FFFF.
To get a better idea of IPv6 addressing, let's take a look at the following address:
2001:0DB8:0000:1111:0000:0000:0000:0200
Notice each hextet is separated with a colon (:).
The cool thing about writing an IPv6 address is that the alphabetical characters (A-F) are not case-sensitive. This means that regardless of whether you use a lowercase or uppercase character within the address, the device will accept it.
Additionally, we can write the preceding IPv6 address in a shortened format. The leading zeros (0s) in a hextet can be removed as they have no value. Therefore, if an IPv6 address has a hextet of 0000, we can use a single 0 to represent the entire hextet, as shown here:
2001:DB8:0:1111:0:0:0:200
Additionally, when there are two (2) or more hextets with a continuous stream of zeros, you can substitute two or more hextets with a double colon (::), as shown here:
2001:DB8:0:1111::200
This is the shortest form of the original IPv6 address. Lastly, the double colon (::) can be used only once within an IPv6 address.
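The shortening rules just described, implemented as an added example (not code from the book): expand_ipv6 undoes both kinds of compression and rejects a second "::", and compress_ipv6 strips leading zeros and then replaces only the longest run of two or more zero hextets with "::", which is why a lone 0000 hextet stays as 0. Function names are my own.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(addr):
    """Return the address as eight 4-digit uppercase hextets (no compression)."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an IPv6 address")
    if "::" in addr:
        head, tail = addr.split("::")
        head_parts = head.split(":") if head else []
        tail_parts = tail.split(":") if tail else []
        missing = 8 - len(head_parts) - len(tail_parts)
        if missing < 1:
            raise ValueError("'::' must stand for at least one hextet")
        parts = head_parts + ["0"] * missing + tail_parts
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError("an IPv6 address has exactly eight hextets")
    out = []
    for p in parts:
        if not 1 <= len(p) <= 4 or any(c not in HEX_DIGITS for c in p):
            raise ValueError(f"invalid hextet: {p!r}")
        out.append(p.upper().zfill(4))    # A-F are not case-sensitive; leading zeros restored
    return ":".join(out)


def compress_ipv6(addr):
    """Shortest form: drop leading zeros, then '::' for the longest run (>= 2) of zero hextets."""
    hextets = [h.lstrip("0") or "0" for h in expand_ipv6(addr).split(":")]
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, h in enumerate(hextets + ["end"]):   # sentinel closes the final run
        if h == "0":
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:              # first longest run wins on a tie
                best_start, best_len = run_start, run_len
            run_len = 0
    if best_len < 2:                            # a single zero hextet is written as 0, not ::
        return ":".join(hextets)
    head = ":".join(hextets[:best_start])
    tail = ":".join(hextets[best_start + best_len:])
    return head + "::" + tail


if __name__ == "__main__":
    print(compress_ipv6("2001:0DB8:0000:1111:0000:0000:0000:0200"))
    print(expand_ipv6("2001:DB8:0:1111::200"))
```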
Important Note
The default subnet mask of an IPv6 address is /64. This means that the first half of an IPv6 address is known as the prefix, while the second half is referred to as the Interface-ID. In comparison to IPv4, the Prefix is the network address while the Interface-ID is the host address.
Natively, devices assigned IPv4 addresses won't be able to exchange messages with a device that has an IPv6 address. To allow intercommunication between these two versions of IP, the following methods are used:
Dual stacking
NAT64
Tunneling: 6to4 and 4to6
Dual stacking allows a single Network Interface Card (NIC) to be configured with both IPv4 and IPv6 addresses. This allows the device to use the IPv4 address to communicate with devices on an IPv4 network, while the IPv6 address is used to communicate with devices on an IPv6 network.
This is possible because the internet layer of TCP/IP is responsible for encapsulating the datagram in the appropriate IP version before passing it down to the lower layer of the TCP/IP stack.
Important Note
Further information about IPv6 address management can be found at https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml.
The following diagram shows each field within an IPv6 packet:
Figure 3.43 – Composition of an IPv6 packet
Each field within the IPv6 packet plays an important role when transmitting a message from one device to another. The following are the names and descriptions of each field:
Version: This field is generally used to identify the version of the IP, such as IPv4 and IPv6.
Traffic Control: This field plays an important role when using Quality of Service (QoS) tools on a network and has the same functionality as the Differentiated Services (DS) field of an IPv4 packet.
Flow Control: This field is used to instruct a receiving router to process all packets that have the same flow label in the same exact way.
Payload Length: This field contains the size of the data portion.
Next Header: This field identifies the network protocol that the datagram belongs to on the destination host.
Hop Limit: This field is equivalent to the TTL field within an IPv4 packet.
Source IPv6 Address: Specifies the sender's IPv6 address.
Destination IPv6 Address: Specifies the destination's IPv6 address.
Next, let's take a look at the various types of IPv6 address.
Types of IPv6 addresses
Similar to IPv4, there are various types of IPv6 addresses with unique purposes on an IPv6 network. In this section, we will look at the following types of IPv6 address:
Global unicast
Loopback
Link-Local
Unique local
Anycast
Multicast
Modified EUI-64
In this section, we will understand the characteristics, functionality, and purpose of each type of IPv6 address.
Global unicast
Similar to using the term "public" to describe an internet-assignable IPv4 address, in the IPv6 world, the public address is referred to as a global unicast address and belongs to the 2000::/3 network block of addresses.
Loopback
There is also a loopback address in the IPv6 address space, which is known as ::1/128. The loopback IPv6 address has the same functionality as the IPv4 version, as mentioned in the previous Special IPv4 addresses section in this chapter. However, the loopback address in IPv6 is a single address only, unlike IPv4, which has a network block.
Link-Local
Within an IPv6 network, an interface usually has two IPv6 addresses: a global unicast address and a Link-Local address. The global unicast address is used when communicating beyond the local network. However, when a device wants to exchange messages with another device on the same local network, the Link-Local IPv6 address takes effect.
Important note
On a LAN, when devices want to exchange messages, they use source and destination MAC addresses because switches are only able to read Layer 2 header information such as source and destination MAC addresses. Therefore, when a device wants to send a message beyond the LAN, the sender device will set the destination MAC address of the default gateway on the message, and use the destination IP address as the actual destination device, such as the web server.
The IPv6 Link-Local address plays the same role for LAN communication between devices that are logically connected to the same network segment. The IPv6 link-local address belongs to the FE80::/10 network block. Keep in mind that the link-local address is used for local communication only.
Unique local
The unique local address functions similarly to private IPv4 addresses, which only allow communication on a local (private) network. The unique local address block is FC00::/7.
Anycast
As mentioned in the Transmission types section, Anycast is an IPv6 technology that functions as a one-to-closest type of transmission. Anycast allows multiple servers (or devices) to share the same IPv6 address.
Multicast
This type of communication can be seen as a one-to-many type of transmission. The following are the associated network blocks for IPv6 multicast addresses:
Assigned: FF00::/8
Solicited node: FF02::1:FF00:0000/104
Modified EUI-64
There may be a time when the network is using an IPv6 technology known as Stateless Address Autoconfiguration (SLAAC) to provide IPv6 global unicast addresses without the use of a DHCPv6 server. SLAAC is a stateless service, which means there is no server (such as a DHCP server) to maintain network addressing details. In other services, when a DHCP server provides IP addressing details to a client, the server keeps a record of the transactions and allocations of IP addresses. However, with SLAAC, there isn't such functionality.
Therefore, only the prefix portion of the IPv6 address is provided to a client. The Interface-ID uses the EUI-64 process to create a 64-bit address from the 48-bit MAC address of the client's physical interface.
To get a better idea of this operation, let's take the MAC address FC-99-47-75-CE-E0 and run it through the EUI-64 process:
1. Split the MAC address in half by separating the OUI portion from the device portion and convert it into binary:
Figure 3.44 – MAC into binary
2. Insert FFFE in between the OUI and device portion:
Figure 3.45 – FFFE inserted between the MAC address
3. Flip the Universally/Locally (U/L) bit. If the bit is 0, change it to 1 and vice versa. The U/L bit is the seventh bit in this exercise:
Figure 3.46 – Flipping the U/L bit
4. Convert the binary back into hexadecimal to get the EUI-64 address:
Figure 3.47 – EUI-64 address
Therefore, all EUI-64 generated addresses will always have FFFE in the middle section of the Interface-ID of an IPv6 address. Please note that the EUI-64 address is automatically generated by the device when IPv6 routing is enabled.
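The four EUI-64 steps above, run on the chapter's MAC address FC-99-47-75-CE-E0 as an added example (not code from the book): the OUI and device halves are split, FFFE is inserted, the U/L bit (the seventh bit from the left, mask 0x02 of the first octet) is flipped, and the result is regrouped into four hextets. slaac_address, which glues a /64 prefix onto that Interface-ID, and the function names are my own assumptions.

```python
def modified_eui64(mac):
    """Derive the 64-bit Interface-ID from a 48-bit MAC using the modified EUI-64 steps."""
    digits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(digits) != 12:                      # accepts FC-99-..., FC:99:... and fc99.4775.cee0
        raise ValueError("a MAC address has 12 hexadecimal digits")
    octets = bytearray.fromhex(digits)
    # Steps 1 and 2: OUI (first three octets) + FFFE + device portion (last three octets).
    eui = octets[:3] + bytearray([0xFF, 0xFE]) + octets[3:]
    # Step 3: flip the Universal/Local bit, bit 7 from the left of the first octet (0x02).
    eui[0] ^= 0x02
    # Step 4: back to hexadecimal, grouped as four 16-bit hextets.
    hexstr = eui.hex().upper()
    return ":".join(hexstr[i:i + 4] for i in range(0, 16, 4))


def slaac_address(prefix, mac):
    """Combine a /64 prefix (e.g. 2001:DB8:1:1:: or FE80::) with the EUI-64 Interface-ID."""
    hextets = prefix.rstrip(":").split(":")
    if len(hextets) > 4 or any(len(h) == 0 or len(h) > 4 for h in hextets):
        raise ValueError("prefix must be at most four hextets (a /64)")
    hextets += ["0"] * (4 - len(hextets))      # FE80:: -> FE80:0:0:0 (uncompressed form)
    return ":".join(hextets + [modified_eui64(mac)])


if __name__ == "__main__":
    mac = "FC-99-47-75-CE-E0"
    print("Interface-ID:", modified_eui64(mac))
    print("global      :", slaac_address("2001:DB8:1:1::", mac))
    print("link-local  :", slaac_address("FE80::", mac))
```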
Important note
On Cisco devices, use the ipv6 unicast-routing command in global
3. Use the ipv6 address command, followed by the IPv6 address with the network prefix:
R1(config-if)# ipv6 address 2001:DB8:1:1::1/64
4. (Optional) To manually configure a Link-Local IPv6 address on the interface, use the link-local keyword after the IPv6 address, as shown here:
R1(config-if)# ipv6 address FE80::1 link-local
5. Enable the interface using the no shutdown command:
R1(config-if)# no shutdown
Now that you have learned how to configure IPv6 global and Link-Local addresses, let's take a look at how to verify our configurations using Cisco IOS commands.
Using the show ipv6 interface brief command, we can view a summary of our IPv6 interfaces, along with their assigned IPv6 addresses, as shown here:
Figure 3.49 – Output of the show ipv6 interface brief command
Another command we can use to verify the status of an interface is the show ipv6 interface <interface-ID> command. The following snippet shows the expected output:
Figure 3.50 – Output of the show ipv6 interface command
Furthermore, we can verify the configurations under each interface by using the show running-config command, but using the pipe (|) parameter followed by the section keyword and the section's name, as shown here:
Figure 3.51 – Output of the show running-config command
Having completed this section, you are now able to perform verification on Cisco IOS devices to determine IPv6 configurations. In the next section, you will learn how to assign a static IPv6 address to a Microsoft Windows computer.
Lab – Configuring IPv6 on a Windows computer
Now that you have learned how to manually configure an IPv6 address on a Cisco router, let's take a look at how to manually configure an IPv6 address on a Microsoft Windows computer.
To get started with this task, use the following steps:
1. Open the Windows Control Panel and go to Network and Sharing Center.
2. On the left, click on Change adapter settings.
3. Right-click on your corresponding network adapter and select Properties.
4. Click on Internet Protocol version 6 (TCP/IPv6) and then click on Properties:
Figure 3.52 – Network adapter properties
5. Use the following settings to assign the IPv6 address, network prefix, and default gateway configurations to the PC:
Figure 3.53 – IPv6 settings on PC
The DNS server settings can be adjusted to your preference. I am using a Cloudflare IPv6 DNS server as my DNS server.
6. Click OK to save your settings.
7. To check your configurations, open the Command Prompt and use the ipconfig and ipconfig /all commands to verify your IP settings on your network adapters.
Testing end-to-end connectivity
After configuring and verifying your IPv6 configurations, the last thing a professional must always do is test end-to-end network connectivity between devices.
On our router, let's test the connection between the router and the computer on our topology using the ping command:
Figure 3.54 – Ping results on Cisco IOS
As you can see, we got five exclamation marks (!). This means we have successful replies from the PC. Receiving a dot (.) means Request Timeout, while U means destination unreachable on the Cisco IOS. If you are not getting a successful connection, double-check your configurations and ensure the cables are connected to the configured interfaces on each device.
Summary
Throughout this chapter, we have covered the essentials for understanding both the IPv4 and IPv6 address spaces, demonstrated how to convert an IP address into binary, determined the Network ID of devices, and learned about the various types of network transmissions.
You also learned how to identify each class of IP address, how to perform subnetting, how to describe the characteristics of both IPv4 and IPv6, and how to configure and verify interfaces on a Cisco device.
I hope this chapter has been informative for you and has been helpful in your journey toward learning how to implement and administer Cisco solutions, in preparation for the CCNA 200-301 certification. In the next chapter, Wireless Architectures and Virtualization, we will learn about Cisco wireless architectures and virtualization technologies.
Further reading
The following links are recommended for additional reading:
IP addressing and subnetting: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.html
Configuring IPv4: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_ipv4/configuration/xe-3s/ipv4-xe-3s-book/configuring_ipv4_addresses.html
IPv6 addressing and connectivity: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/xe-3s/ip6b-xe-3s-book/ip6-add-basic-conn-xe.html
Implementing IPv6 addressing: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ipv6-15-2mt-book/ip6-addrg-bsc-con.html
Chapter 4: Detecting Physical Issues, Wireless Architectures, and Virtualization
Computer networking has evolved tremendously over the past decade. Today, in order for networking to adapt to the ever-changing landscape of the internet, companies such as Cisco not only produce physical network devices and security appliances but also work with virtualization and cloud technologies.
We live in an age where smart technologies allow people to be more connected digitally than ever. Wireless networks need to be able to support the vast number of connected wireless devices and, most importantly, be able to efficiently transport data between a wired network and a wireless one, and vice versa.
Throughout this chapter, you will learn about physical issues on a network, principles of wireless technologies, and how to transmit messages between devices. Additionally, you will learn how to access and deploy a Cisco Wireless LAN Controller (WLC) on a network and implement basic configurations. Lastly, you will be able to describe virtualization and cloud computing technologies.
Here is a breakdown of the topics we will cover in this chapter:
Understanding network switch functions and physical issues
Wireless principles
Cisco wireless architectures
Access point modes
Wireless components and management
Virtualization fundamentals
Cloud computing
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:
Cisco Packet Tracer: https://www.netacad.com
Wi-Fi Analyzer: https://www.microsoft.com/en-us/p/wifi-analyzer/9nblggh33n0n
Understanding network switch functions
With network engineering comes great responsibility and critical thinking. Not only do you have to perform device configurations, but a lot of your time may go into problem-solving and performing extensive troubleshooting techniques. On a network, at times you may encounter users reporting that they are experiencing poor network performance such as high latency. Such issues may be caused by interface misconfigurations or a physical issue.
As you have learned, switches play a vital role in almost all networks of any size; from the small-office home office (SOHO) to a large enterprise network with hundreds of connected devices, they are the main network intermediary devices that physically connect everything together. In this section, we are going to discuss various network-related issues that can affect the performance of a network and how to resolve them.
In an ideal environment, we should connect only one end device to a single physical interface on a switch. Each physical interface on a switch is known as a collision domain. A collision domain is the area or segment in which a device can generate a signal that is heard by all other devices on the same area or segment. A simple example is all devices connected to a hub; if one device sends a signal to the hub, it is broadcast out of all other ports. Therefore, all devices connected to the hub make up a single collision domain. Layer 2 switches are smart devices and are designed to overcome such issues. Switches are able to isolate the signals on their individual ports; therefore, each physical interface represents a unique collision domain.
Important note
Each interface on a switch is a collision domain, and each interface on a router is also a collision domain. If a switch is connected to a router, the shared link is recognized as a collision domain.
To ensure there are no accidents or collisions, there should be only one device connected to a switch's physical port. Therefore, when an end device such as a PC generates a signal, only the switch's interface will be the recipient of that signal.
The following diagram shows the ideal physical setup when connecting end devices to a switch:
Figure 4.1 – Switch interfaces
In the preceding diagram, there are a total of five collision domains. If PC1 generates a signal, it is isolated by interface Fa0/1 on the switch. When the frame enters Fa0/1, the switch analyzes the destination MAC address and forwards it only to its destination.
Detecting physical issues
You're probably thinking that if switches are able to isolate a collision domain to an interface level, then can collisions occur on a network? The simple answer is that collisions can still occur, and Cisco IOS switches and routers are able to gather network statistics, which help us identify whether there's an issue in the physical layer.
What are physical errors and why do we need to identify them? To help you understand the importance of finding and eliminating collisions on a network, we'll use a simple analogy. Let's imagine each day, there are hundreds of commuters within a city. Some are traveling using public services, while others are driving a vehicle. Apart from commuters, there are also others who are transporting items such as building materials to a work site. To ensure people do not drive dangerously on the roadways, there are laws, driving regulations, and various traffic signs and lights along each street. There are times when an unfortunate event may occur, such as two or more vehicles colliding, causing an accident on the street. This collision does not only affect the people within the collision but also the other people who have to use that route to reach their destination. Sometimes, within a vehicular collision, the vehicle is beyond repair and the owner has to discard it. A similar series of events takes place on a computer network.
To determine whether there are any physical errors on a collision domain, such as on a switch or a router's interface, use the show interfaces interface-ID command. The output will provide you with details of both incoming and outgoing traffic. You'll be able to see the types of errors that are occurring on the physical interface, the transmitting and receiving load on the interface (txload and rxload), the encapsulation type, and other traffic counters.
Important note
Both txload (transmitting) and rxload (receiving) values are given in x/255 format. A high x value in txload simply indicates the percentage of the interface's bandwidth that is currently being used to send traffic in real time. For rxload, the percentage indicates the amount of traffic being received on the interface. If txload and rxload are 255/255, this means the interface has 100% saturation for both inbound and outbound traffic.
The following snippet shows the output of the show interfaces command on a Cisco 2960 switch:
Figure 4.2 – show interfaces output
As a nascent network professional, it is important to understand the information provided in the preceding figure. We are able to determine the following details and status of FastEthernet0/1:
Both Layer 1 and Layer 2 (protocol) statuses are up, and the cable is connected to the physical interface.
The burned-in address (BIA) or MAC address of the interface is 00d0.ff55.dc01.
You are able to see the bandwidth (BW), delay (DLY), reliability, current transmitting load (txload), and receiving load (rxload) on the interface.
Both speed and duplex modes.
Input and output flow control.
The lower section in the output is the area that provides us with specific details about the traffic entering and leaving the physical interface. It is here that you'll be able to determine whether there are any errors, collisions, or issues on the physical layer.
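Reading those counters by hand works for one port; as an added example (not from the book), the script below parses the fields described above out of a constructed show interfaces sample and flags the physical-layer symptoms the section is about: load as a percentage of 255, duplex, CRC/input errors, and collisions. The sample text (only the MAC address is taken from the page), the 75% load threshold and the function names are my own assumptions, not output from the author's lab.

```python
import re

# Constructed show interfaces output in Cisco IOS layout; not a capture from the book's lab.
SAMPLE = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 00d0.ff55.dc01 (bia 00d0.ff55.dc01)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 200/255, rxload 12/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     1893 packets input, 242118 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     4120 packets output, 951266 bytes, 0 underruns
     0 output errors, 317 collisions, 1 interface resets
     0 babbles, 42 late collision, 0 deferred
"""

COUNTERS = {
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "output_errors": r"(\d+) output errors",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
}


def parse_show_interfaces(text):
    """Pull out the status, load, speed/duplex and error counters of one interface."""
    info = {}
    m = re.search(r"^(\S+) is (\S+), line protocol is (\S+)", text, re.M)
    info["interface"], info["status"], info["protocol"] = m.groups()
    m = re.search(r"txload (\d+)/255, rxload (\d+)/255", text)
    info["txload_pct"] = round(int(m.group(1)) * 100 / 255)   # x/255 -> percent of bandwidth
    info["rxload_pct"] = round(int(m.group(2)) * 100 / 255)
    m = re.search(r"^\s*(Half|Full)-duplex, (\d+)Mb/s", text, re.M)
    info["duplex"], info["speed_mbps"] = m.group(1).lower(), int(m.group(2))
    for name, pattern in COUNTERS.items():
        info[name] = int(re.search(pattern, text).group(1))
    return info


def physical_findings(info, load_threshold=75):
    """Translate the parsed fields into the physical-layer checks a troubleshooter makes."""
    findings = []
    if info["status"] != "up" or info["protocol"] != "up":
        findings.append("interface or line protocol down: check cabling and shutdown state")
    if info["duplex"] == "half":
        findings.append("half-duplex: expect a duplex mismatch unless a hub is attached")
    if info["late_collisions"]:
        findings.append("late collisions: classic duplex mismatch symptom")
    elif info["collisions"]:
        findings.append("collisions on the segment: verify only one device per port")
    if info["crc"] or info["input_errors"]:
        findings.append("input/CRC errors: suspect cabling, connectors or a speed mismatch")
    if max(info["txload_pct"], info["rxload_pct"]) >= load_threshold:
        findings.append(f"interface load at or above {load_threshold}%: link saturating")
    return findings


if __name__ == "__main__":
    parsed = parse_show_interfaces(SAMPLE)
    print(parsed["interface"], parsed["duplex"], parsed["speed_mbps"], "Mb/s")
    for line in physical_findings(parsed):
        print(" -", line)
```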
Common misconfigurations that create issues on a network segment are mismatched settings of speed and duplex. Speed defines the maximum bandwidth supported on an interface. Additionally, speed is used to indicate how quickly a device is able to exchange messages with another device. Think of it as speaking with a friend: if the person speaks too quickly, you may not quite understand each word. If the person speaks more slowly (in terms of words per second), you will be able to understand the conversation properly.
In very old devices, the interfaces were regular Ethernet, which operated at 10 MB/s. In more recent devices, there are FastEthernet interfaces, such as on a Cisco 2960 switch, which operate at 100 MB/s, and in newer and current devices, we have GigabitEthernet, which operates at 1,000 MB/s.
Important note
In device specification sheets, you may see the description of interfaces as 10/100/1000. This format indicates the different Ethernet standards that are supported on the physical interface of the device. Therefore, if an interface speed is 10/100/1000, the maximum supported bandwidth is 1,000 MB/s.
How does speed affect the network performance? If there's a mismatch in speed between two devices, this will create the effect of one device sending a message faster than the recipient is able to process. Additionally, when connecting two devices (A and B) using a cable (copper or fiber), their network interface cards (NICs) need to negotiate a common speed to exchange messages between each other. The Cisco IOS allows you to configure one of four available settings on the interface. These are as follows:
10: Force 10 Mbps operation.
100: Force 100 Mbps operation.
1000: Force 1,000 Mbps operation.
auto: Enable auto speed configuration.
By default, each interface is set to auto. This allows the interface to detect the signals incoming from the device on the other end of the cable and adjust the local interface with a suitable speed. However, there are many times when the auto-negotiation mechanism does not set the speed correctly. Let's take a look at the following diagram, where SW1 is using auto and SW2 is manually configured as 1000:
Figure 4.3 – Speed settings
The expected result is SW1 will auto-negotiate and adjust its interface to 1,000 MB/s, but this does not always happen. Sometimes, it sets to 10 MB/s or 100 Mb/s. Therefore, it's highly recommended to manually set the speed on all interfaces on your Cisco devices to prevent a mismatch.
To configure an interface to operate at a particular speed, use the following instructions:
1. Enter interface mode:
SW1(config)# interface GigabitEthernet0/1
2. Use the shutdown command to administratively shut down the interface before making adjustments to the speed.
3. Use the speed command followed by the actual speed value (10, 100, 1000, or auto):
SW1(config-if)# description Connected to SW2
SW1(config-if)# speed ?
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  1000  Force 100 Mbps operation
  auto  Enable AUTO speed configuration
Let's say you want to manually set the speed to 1,000 MB/s; use the speed 1000 command, as shown here:
SW1(config-if)# speed 1000
4. Then use the no shutdown command to enable the interface.
5. To verify the speed on an interface, use the show interfaces status command to verify the speed settings on the interface, as shown here:
Figure 4.4 – Interface status on SW1
Notice the speed is hard set to 1000, compared to all other interfaces, which are using the default setting, auto.
6. Additionally, let's take a look at the current operating status of SW2:
Figure 4.5 – Interface status on SW2
As expected, SW2 is using all the default configurations on each of its interfaces. This is indicated with the auto keyword as seen in the Speed column. Another useful troubleshooting command that provides the current operating status of an interface is the show interfaces command:
Figure 4.6 – show interfaces output
Coupling the show interfaces command with an interface type and identifier will provide specific results for that interface only. In the preceding output, notice the current operating speed is 1000 Mbps on the link. Lastly, using the show running-config command will provide you with the configurations made for each interface. To view the configurations for a specific interface, you can use the commands shown in the following snippet:
Figure 4.7 – show running-config output for the interface
Another common issue is a mismatch in duplex settings between devices. What is duplex? Duplex is a common method by which two devices exchange messages. In the field of digital communication, there are three forms of duplex. These are Simplex, Half-duplex, and Full-duplex. Simplex is simply a one-way method of communication, such as tuning in to a radio station on your daily commute.
Half-duplex is where only one device is able to communicate at a time over a network. An example of half-duplex communication is using walkie-talkies, which only allow one person to speak at a time. Another example is on a computer network where end devices are connected to a hub. Once again, only one device is able to use the medium to exchange messages.
Important note
Please refer to Chapter 1, Introduction to Networking, where we discussed Carrier-Sense Multiple Access with Collision Detection (CSMA/CD) in further detail.
Full-duplex is the preferred method that devices should use to operate and exchange messages with each other. Full-duplex allows two devices to simultaneously exchange messages, unlike half-duplex.
The interfaces on Cisco devices such as switches and routers have the following duplex modes:
Auto: Enables auto duplex negotiation.
Full: Forces full-duplex mode.
Half: Forces half-duplex mode.
By default, the interfaces on Cisco devices are set to use the auto duplex mode. The idea of using auto is to allow two devices to negotiate how they want to exchange messages between each other (half-duplex or full-duplex). Ideally, if you connect two devices together with default configurations, they are supposed to negotiate their interfaces to both be full-duplex. There are times when the negotiation process does not work properly. For example, one device's interface may be operating at half-duplex while the other device is set to full-duplex. Additionally, if there are misconfigurations on the interface that do not allow both devices to operate using the same duplex mode, this will result in latency issues and collisions of packets on the network.
The following diagram shows two switches with a mismatch in duplex settings:
Figure 4.8 – Duplex mismatch
As a network professional, it is highly recommended to statically configure the interfaces on your Cisco devices to operate in full-duplex mode. However, half-duplex is recommended when connecting to a hub.
To configure an interface to operate in a specific duplex mode, use the following instructions:
1. Enter interface mode and administratively shut down the interface:
SW1(config)#interface gigabitEthernet 0/1
SW1(config-if)#shutdown
2. Use the duplex command followed by the duplex mode (auto, full, or half):
SW1(config-if)#duplex ?
  auto  Enable AUTO duplex configuration
  full  Force full duplex operation
  half  Force half-duplex operation
Let's say you want to manually set the duplex to full; use the duplex full command, as shown here:
SW1(config-if)#duplex full
3. Then use the no shutdown command to enable the interface and exit interface mode:
SW1(config-if)#no shutdown
SW1(config-if)#exit
4. To verify the duplex operation mode on an interface, use the show interfaces status command to check the duplex settings on the interface, as shown here:
Figure 4.9 – Duplex mode on physical interface
If you look carefully, you should see that the duplex mode is set to full, as per our configurations. The other interfaces are using the default configurations, as indicated by the a-full status shown in the output. a-full indicates the interface is auto-negotiated as full-duplex.
Important note
The show interfaces command allows you to also verify the duplex mode on an interface.
5. Additionally, using the show running-config interface GigabitEthernet 0/1 command allows us to view the configurations applied specifically to the GigabitEthernet 0/1 interface of the switch, as shown here:
Figure 4.10 – Configurations made on the GigabitEthernet 0/1 interface
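As an added example (not code from the book), the following Python script reads the show interfaces status output of both switches and reports the speed and duplex disagreements described above. The two outputs, the port names and the description text are constructed samples; SW1 Gi0/1 is hard-set while SW2 Gi0/1 is left on auto, the situation of Figure 4.8.

```python
"""Compare both ends of a link using 'show interfaces status' output.

Added example for this chapter, not code from the book. The two outputs
below are constructed samples: SW1 Gi0/1 is hard-set to full/1000 while
SW2 Gi0/1 is left on auto, which is the situation of Figure 4.8.
"""

SW1_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1                        connected    1            full   1000 10/100/1000BaseTX
Gi0/2                        connected    1          a-full a-1000 10/100/1000BaseTX
Gi0/3                        notconnect   1            auto   auto 10/100/1000BaseTX
"""

SW2_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1     uplink to SW1      connected    1          a-half  a-100 10/100/1000BaseTX
Gi0/2                        connected    1          a-full a-1000 10/100/1000BaseTX
"""


def parse_status(output):
    """Return {port: {"status", "duplex", "speed"}} from 'show interfaces status'.

    Columns are read from the right-hand end of each line, so an optional
    interface description (the Name column) containing spaces is harmless.
    """
    ports = {}
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] == "Port":
            continue
        ports[tokens[0]] = {
            "status": tokens[-5],
            "duplex": tokens[-3],
            "speed": tokens[-2],
        }
    return ports


def setting(value):
    """Split 'a-full', 'full' or 'auto' into (negotiated, effective value)."""
    if value == "auto":
        return True, None          # auto, but nothing negotiated yet
    if value.startswith("a-"):
        return True, value[2:]     # result of auto-negotiation
    return False, value            # hard-set by the administrator


def check_link(a_name, a_port, b_name, b_port):
    """Return findings for one link, given the two port records at its ends."""
    findings = []
    for field in ("duplex", "speed"):
        a_auto, a_val = setting(a_port[field])
        b_auto, b_val = setting(b_port[field])
        if a_val != b_val:
            findings.append(
                f"{field} mismatch: {a_name} {a_port[field]} vs {b_name} {b_port[field]}"
            )
        if a_auto != b_auto:
            # One end hard-set, the other negotiating: the chapter's advice is
            # to configure both ends the same way rather than rely on auto.
            findings.append(
                f"{field}: {a_name} and {b_name} are not both hard-set or both auto"
            )
    return findings


if __name__ == "__main__":
    sw1, sw2 = parse_status(SW1_STATUS), parse_status(SW2_STATUS)
    for port in ("Gi0/1", "Gi0/2"):
        result = check_link("SW1", sw1[port], "SW2", sw2[port])
        print(port, "->", result or "ok")
```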
Let's imagine a user reports that they are experiencing latency issues such as slow loading times between their computer and the local application server. The Cisco IOS provides some very nice and detailed statistics of all the errors and collisions that an interface is experiencing.
Using the show interfaces command, you will be able to see whether an interface is encountering any errors, collisions, or physical issues. The following snippet shows the second half of the show interfaces command for a physical interface:
Figure 4.11 – Checking for physical errors
The following is a brief description of each type of counter on an interface:
Input errors: This counter provides the total number of faulty packets that have entered the interface of the Cisco device. The value is the sum of the runts, giants, no buffer, CRC, frame, overrun, and ignored counts on the interface.
Runts: These packets are discarded because they are less than 64 bytes in size and are smaller than the minimum packet size.
Giants: These packets are discarded because they exceed the maximum packet size. They are usually greater than 1,518 bytes in size.
CRC: Cyclic redundancy check (CRC) errors occur when the checksum within the frame trailer does not match the checksum the receiver computes over the received frame. The CRC value is stored within the Frame Check Sequence (FCS).
Output errors: These are a sum of the total errors that have prevented the transmission of a message from leaving the interface.
Collisions: This is the number of messages that have been retransmitted due to a collision on the network.
Late collisions: These collisions occur after 512 bits or 64 bytes of a frame have been transmitted.
If these counters are increasing, it's a sign that interface errors or network collisions are occurring. To resolve these issues, use the following as a guide:
Check the duplex and speed settings on both devices that are sending and receiving messages.
If the duplex and speed configurations are good, change the network cable and check whether the counters are still increasing.
If changing the cable does not resolve the issue, connect the network to another interface on the device and check the counters again.
At times, a faulty network cable or network interface card (NIC) can generate a lot of errors and collisions, which then results in poor network performance, such as high latency and packet loss.
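As an added example (not code from the book), the following Python script parses the error section of show interfaces output, checks that the input errors counter equals the sum of its seven components, works out which counters grew between two snapshots, and maps that growth to the three-step guide above. The two snapshots are constructed excerpts in the IOS format of Figure 4.11; the values in them are assumptions.

```python
"""Track 'show interfaces' error counters and map growth to the chapter's steps.

Added example for this chapter, not code from the book. SNAPSHOT_1 and
SNAPSHOT_2 are constructed excerpts of the error section of
'show interfaces gigabitEthernet 0/1' (Figure 4.11), taken a minute apart.
"""
import re

# Counter names exactly as they appear in Cisco IOS 'show interfaces' output.
COUNTER_RE = re.compile(
    r"(\d+)\s+(runts|giants|no buffer|CRC|frame|overrun|ignored|"
    r"input errors|output errors|collisions|late collision)\b"
)

# Per the chapter, 'input errors' is the sum of these seven counters.
INPUT_ERROR_PARTS = ("runts", "giants", "no buffer", "CRC", "frame", "overrun", "ignored")

SNAPSHOT_1 = """\
     2945 packets input, 339534 bytes, 0 no buffer
     Received 2945 broadcasts (0 multicasts)
     3 runts, 0 giants, 0 throttles
     18 input errors, 15 CRC, 0 frame, 0 overrun, 0 ignored
     1843 packets output, 221984 bytes, 0 underruns
     0 output errors, 37 collisions, 1 interface resets
     0 babbles, 12 late collision, 0 deferred
"""

SNAPSHOT_2 = """\
     3120 packets input, 361002 bytes, 0 no buffer
     Received 3120 broadcasts (0 multicasts)
     5 runts, 0 giants, 0 throttles
     36 input errors, 31 CRC, 0 frame, 0 overrun, 0 ignored
     1990 packets output, 240113 bytes, 0 underruns
     0 output errors, 52 collisions, 1 interface resets
     0 babbles, 20 late collision, 0 deferred
"""


def parse_counters(output):
    """Return {counter name: value} for the counters named in COUNTER_RE."""
    return {name: int(value) for value, name in COUNTER_RE.findall(output)}


def input_error_parts_sum(counters):
    """Sum of the seven counters that make up 'input errors'."""
    return sum(counters.get(name, 0) for name in INPUT_ERROR_PARTS)


def increasing_counters(before, after):
    """Counters that grew between two snapshots, with the amount of growth."""
    return {
        name: after[name] - before.get(name, 0)
        for name in after
        if after[name] > before.get(name, 0)
    }


def recommend(deltas):
    """Turn growing counters into the chapter's ordered troubleshooting steps."""
    if not deltas:
        return ["No error or collision counters are increasing."]
    grew = ", ".join(f"{name} +{n}" for name, n in sorted(deltas.items()))
    steps = [f"Counters increasing ({grew}); work through the steps in order:"]
    steps.append("1. Check the duplex and speed settings on both devices on the link.")
    if "late collision" in deltas or "collisions" in deltas:
        steps.append("   (collisions and late collisions point first at a duplex mismatch)")
    steps.append("2. If duplex and speed are good, replace the cable and re-check the counters.")
    if "CRC" in deltas or "runts" in deltas:
        steps.append("   (CRC errors and runts are typical of a faulty cable or NIC)")
    steps.append("3. If that does not help, move the link to another interface and check again.")
    return steps


if __name__ == "__main__":
    first, second = parse_counters(SNAPSHOT_1), parse_counters(SNAPSHOT_2)
    print("input errors consistent with its parts:",
          first["input errors"] == input_error_parts_sum(first))
    print("\n".join(recommend(increasing_counters(first, second))))
```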
Having completed this section, you have acquired the skills required to identify errors and collisions in the physical layer of the OSI reference model. Additionally, you have learned how to use troubleshooting techniques to resolve errors and collisions on a network. In the next section, we will discuss enterprise wireless architectures and deployment models.
Wireless principles
Nowadays, almost anywhere you visit, whether it's the mall or the local coffee shop, there are wireless networks everywhere. Many organizations have invested a great deal in implementing a robust wireless infrastructure to ensure employees, customers, and guests have the best experience at their establishment.
A great deal of work goes into ensuring a wireless network is able to support all users and their traffic load at any time. This involves various technologies and components, as well as complicated plans and designs, configurations, and troubleshooting. Throughout this section, you will learn about the backend technologies used to create a wireless network and how to efficiently configure our components to provide optimal performance for an enterprise organization.
So, what exactly is a wireless network connection? In a typical local area network (LAN), we usually interconnect computers, IP phones, servers, and printers using a copper cable such as Cat 5, Cat 5e, or even Cat 6 to the rest of the network. Having a wired connection is advantageous because the outer coating of those copper cables provides a protective shield around the actual wires. However, using physical wires has its limitations as it does not allow a user to roam between rooms or office spaces. This is where wireless networking provides us with the convenience of mobility.
As we learned in Chapter 1, Introduction to Networking, we use wireless access points (APs), which connect to a wired network to provide us with a wireless signal. For a home network, you simply have to connect a wireless router or AP to your modem with some basic configurations, such as the wireless network's name, and some security measures. In an organization, however, it is not as simple. Connecting multiple APs randomly without considering any physical constraints, such as signal levels, channel assignments, security, and central management, can create an inefficient wireless network topology.
Wireless technologies
We know that copper or fiber cables use electrical or light signals to exchange messages across a network. Wireless networks operate differently, however. Wireless network components, such as an AP, take the electrical signal (1s and 0s) received on the Ethernet NIC and convert it into a radio signal, which compatible devices such as laptops and smart devices are able to understand. The wireless signal is still the same 1s and 0s that are transmitted across a wired network, but it's simply encapsulated into another format.
With a wireless signal, the signal is not directly protected like it is with a copper or fiber cable. There are limitations to wireless signals, such as security risks, signal strength, and the operating frequencies.
We need to understand the characteristics of a wireless signal. There are a lot of wireless signals operating at different frequencies all around us. Whether it's radio stations, walkie-talkies, household wireless routers, or the signals generated by wireless networks, each type of wireless technology uses a different radio frequency.
Important note
The Federal Communications Commission (FCC) is responsible for regulating the usage of various radio frequencies for communication.
The FCC allocated many unlicensed radio frequency bands, allowing people and organizations to use a certain radio frequency without needing to register it. As such, the FCC allocated two radio frequency bands for Wi-Fi: the 2.4 GHz and 5.0 GHz bands. We can use either of these two frequencies, or both. One of the first questions to ask yourself as a nascent network engineer is, which frequency should I use and why?
Each frequency operates at different signal strengths, sometimes referred to as amplitude. The amplitude determines how powerful or weak a signal might be as it travels away from a device such as an AP. Using a signal that has a low amplitude will provide degraded network performance between the AP and the associated clients. Using a signal that provides a very high amplitude may not always be good for a wireless network as it can be too noisy on the airwave, thus creating distortion.
However, the Receive Signal Strength Indicator (RSSI) can be used to help us determine a suitable amplitude for our wireless networks. The RSSI is like the signal bars shown in the corner of our smartphone screens, but on a computer or network device. The RSSI is represented using a value in dBm, the unit used to measure a power ratio in decibels relative to one milliwatt.
Using the Wi-Fi Analyzer app from Microsoft, you will be able to see the RSSI value for your wireless network, as shown here:
Figure 4.12 – RSSI value
The RSSI value is always given as a negative value. When the value is close to zero the signal strength is good, but as you move further away from an AP the RSSI value will decrease, which is bad for transmitting data as some messages may be dropped due to signal loss.
2.4 GHz versus 5 GHz
At this point, we know there are two frequencies to choose from: 2.4 GHz and 5 GHz. We need to decide which of these two frequencies is the best choice to implement in an enterprise network. To get a better understanding of them, let's dissect them both to further understand their characteristics.
When radio frequencies are transmitting, there are waves in the form of peaks and valleys moving in a continuous stream. The 5 GHz frequency has a shorter wavelength and operates at a higher frequency than the 2.4 GHz frequency. This means that using the 5 GHz frequency on a wireless network will provide much greater bandwidth capacity; however, due to the short wavelengths, the signal cannot travel very far.
Important note
Wireless frequencies such as 2.4 GHz and 5 GHz are susceptible to deterioration when passing through objects such as walls and metal. In other words, having a lot of walls between an AP and a client's device will drastically reduce the wireless signal and, as a result, the wireless network's performance.
The following diagram is a visual representation of the 5 GHz frequency:
Figure 4.13 – 5.0 GHz wavelength
Compared to the 5 GHz frequency, the 2.4 GHz frequency has a much longer wavelength between peaks, thus allowing the signal to travel a greater distance from the AP. However, one major downside of using the 2.4 GHz frequency is its shorter amplitude, meaning it supports a much lower bandwidth capacity.
The following diagram is a visual representation of the 2.4 GHz frequency:
Figure 4.14 – 2.4 GHz wavelength
So, the longer wavelength is one of the benefits of using the 2.4 GHz frequency; however, it is also a disadvantage in the wireless networking world. Let's imagine you have just set up your home wireless network and are ready to connect to the Wi-Fi. When you check the available wireless networks, you're seeing your neighbors' wireless networks as well. This is where the issue lies with the 2.4 GHz frequency; it is very powerful and will give you great signal reach, but when there are other nearby wireless APs operating on the same 2.4 GHz frequency it creates interference with other wireless networks.
The following diagram shows the signals of two wireless networks:
Figure 4.15 – Wireless signals overlapping
To help prevent signal overlap on a wireless network, channels allow us to set a range on either the 2.4 GHz or 5 GHz frequencies.
Important note
The coverage area of a wireless signal is known as the Basic Service Area (BSA).
Therefore, our AP can use a frequency and a specific channel for operation. In the 2.4 GHz world, there are 14 channels to choose from, but most of the channels overlap each other. However, if you choose channels 1, 6, and 11, they will not overlap with each other.
Important note
Each channel is between 20–22 MHz wide. Channel 1 in the 2.4 GHz frequency is 2.412 GHz, channel 2 is 2.417 GHz, channel 3 is 2.422 GHz, and so on.
The non-overlapping channels in the 2.4 GHz frequency are channels 1, 6, and 11, as shown here:
Figure 4.16 – Non-overlapping 2.4 GHz channels
Due to the high number of APs online and within close proximity to each other, there is a high possibility a neighbor may be using the same channel as you are for your organization or home wireless network.
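As an added example (not code from the book), the following Python script applies the figures above: channel 1 at 2.412 GHz with 5 MHz steps and a channel width of up to 22 MHz. It derives the 1, 6, 11 non-overlapping set rather than taking it as given, and then picks the least congested of those three for a new AP given a constructed neighbor survey. Channel 14 at 2.484 GHz is a real exception to the 5 MHz grid that the chapter does not list.

```python
"""2.4 GHz channel centre frequencies and overlap, as described in the chapter.

Added example, not code from the book. It uses the chapter's figures (channel 1
at 2.412 GHz, 5 MHz steps, channels up to 22 MHz wide) and the real exception
of channel 14 at 2.484 GHz; the neighbour survey in main() is constructed.
"""

CHANNEL_WIDTH_MHZ = 22   # upper end of the 20-22 MHz width given in the chapter


def center_mhz(channel):
    """Centre frequency in MHz of a 2.4 GHz channel (1-14)."""
    if channel == 14:
        return 2484                      # channel 14 sits off the 5 MHz grid
    if 1 <= channel <= 13:
        return 2412 + 5 * (channel - 1)  # 2412, 2417, 2422, ... as in the chapter
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def overlaps(ch_a, ch_b, width=CHANNEL_WIDTH_MHZ):
    """True when the two channels' occupied bands share any spectrum."""
    return abs(center_mhz(ch_a) - center_mhz(ch_b)) < width


def non_overlapping(channels, width=CHANNEL_WIDTH_MHZ):
    """Greedy left-to-right choice of channels that do not overlap each other."""
    chosen = []
    for ch in sorted(channels):
        if all(not overlaps(ch, c, width) for c in chosen):
            chosen.append(ch)
    return chosen


def least_congested(observed, candidates=(1, 6, 11), width=CHANNEL_WIDTH_MHZ):
    """Pick the candidate whose band overlaps the fewest observed neighbours.

    'observed' lists the channel of every neighbouring AP seen in a site survey.
    Ties go to the lowest-numbered candidate.
    """
    return min(candidates,
               key=lambda c: (sum(overlaps(c, o, width) for o in observed), c))


if __name__ == "__main__":
    print("non-overlapping set:", non_overlapping(range(1, 14)))   # [1, 6, 11]
    # Constructed survey: five neighbouring APs on channels 6, 6, 11, 3 and 1.
    survey = [6, 6, 11, 3, 1]
    print("best candidate for a new AP:", least_congested(survey))  # 11
```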
The 5 GHz frequency introduced far more channels than the older 2.4 GHz frequency. Additionally, the 5 GHz frequency has the technology to perform channel bonding, which allows 2 or more 5 GHz channels to be combined into a single channel of larger capacity. The following points further break down how channel bonding works:
Each channel is 20 MHz in size.
Using channel bonding, we can combine two 20 MHz channels to form a 40 MHz channel.
Using channel bonding again, we can combine two 40 MHz channels to form an 80 MHz channel.
Finally, we can combine two 80 MHz channels using channel bonding to form a 160 MHz channel.
The benefit of using channel bonding is that it provides a greater bandwidth capacity in gigabits per second (Gbps) on a wireless network. This is why it is more efficient to use the 5 GHz frequency within an organization where a large number of wireless clients need to be supported.
When designing your wireless network infrastructure, ensure there are almost zero overlapping frequencies (channels) between the APs in your organization. Additionally, between each AP, ensure there is a little overlap between signals to ensure there are no dead zones in your wireless network. Dead zones are places where clients will not be able to detect a signal and will be dropped from the wireless network.
Wireless bands
So far, we have discussed the need to use an appropriate wireless frequency when implementing a wireless network and the choices involved. Now we need to address some other questions: who manages the standard of wireless network communication, and what standards are available?
The Institute of Electrical and Electronics Engineers (IEEE) introduced the IEEE 802.11 standard in 1997. This allows vendors to develop wireless interface cards (WICs) on devices such as APs, wireless routers, laptops, and mobile devices. However, the IEEE has created multiple variations of the 802.11 standard over the years with many improvements.
The following chart is a summary of the various Wi-Fi standards over the years:
Figure 4.17 – Wi-Fi standards
The most recent is IEEE 802.11ax, sometimes referred to as Wi-Fi 6. With the other versions of IEEE 802.11, the AP is only able to transmit messages to one device at a time. This means if there are 50 laptops all connected to and communicating with a single AP, the AP can only send traffic to one device at a time while trying to distribute messages quickly to everyone. Think of it as a mail courier driver who has multiple packages for people across the city; they can only drop off packages to one person at a time. This is similar to how Wi-Fi networks operate; however, IEEE 802.11ax fixes this issue.
Important note
Further information about Wi-Fi 6 can be found at https://www.cisco.com/c/en/us/products/wireless/what-is-wi-fi-6.html.
IEEE 802.11ax allows an AP to allocate a dedicated channel to each client device, therefore improving network performance between the wireless clients and the AP.
SSID, BSSID, and ESS
Whether you're setting up an AP for your home or an enterprise network, typically the first thing to do is to change the default network name to something users will be familiar with. The name of the network is known as the Service Set Identifier (SSID).
When an AP boots up, it begins to send beacons at predefined intervals. The beacons are a type of advertisement message from an AP that contains the SSID and other parameters. When a client such as a laptop or smart device enables their wireless settings, they are able to see the details from these beacons, such as the SSID. If there are multiple nearby APs advertising their SSID, they will all appear in the wireless network settings on a client device.
When a client connects to a wireless network, this is known as an association. Most commonly, when we connect our smart devices or computers to a wireless network, the settings are saved automatically. This allows us to reconnect to the saved wireless network in the future without having to re-enter network configurations such as a password. However, when a client device boots up, it begins to send probes. The probes are designed to search for and establish an association with a saved wireless network that may be within range of the client device.
The following diagram shows the probe and beacon advertisements:
Figure 4.18 – Probes and beacons
When a client is associated with an AP, it accepts and becomes part of everything the AP is providing. This is known as the Basic Service Set (BSS). Using a real-world example, if your local coffee shop only has one AP providing wireless network coverage for their customers and a person connects their device to the network, their device now becomes part of the BSS.
In many organizations, there are multiple APs connected to the same wired network, where each AP is using the same SSID and is providing a wireless signal allowing users to connect. This type of infrastructure is referred to as an Extended Service Set (ESS). On the client's side, the device does not see individual SSIDs with the same name; it sees only one SSID.
To further understand how an ESS works, let's imagine that, within a building, there are five APs and they are all connected to the same wired network, forming an ESS for a small organization. Each AP is broadcasting the SSID as Company_X. All Wi-Fi-enabled clients are seeing a single SSID, Company_X, instead of seeing the same SSID listed five times. When a client connects to the wireless network, Company_X, it is associated to an AP. The client knows which AP it is associated with by recording the Basic Service Set Identifier (BSSID) of the AP.
Important note
The BSSID is the MAC address of an AP.
In the following snippet, the BSSID is shown for the associated wireless network on a Windows machine:
Figure 4.19 – BSSID for a wireless network
The client has the choice to associate itself to a specific AP by using the BSSID information. Lastly, when a client device is moving between APs within an ESS, the client device will disassociate from an AP that has a weaker signal and attempt to associate with a nearby AP that has a stronger signal. This is known as roaming.
During the disassociation and re-association process, there's a tiny drop in network connectivity as the client device has to re-exchange networking and security information with the AP.
Having completed this section, you have acquired the necessary knowledge to understand and describe how devices on a wireless network operate. In the next section, we will move on to learning about various Cisco wireless architecture models.
Cisco wireless architectures
When designing a wireless network, one of the main objectives is to ensure the network is designed to perform at optimal capacity for all users. Acquiring APs is as simple as purchasing them from a local retailer. However, when it comes to implementing the APs in a network, there are a few Cisco wireless architectures we need to understand, as each one has different usage scenarios, advantages, and disadvantages.
In the following sections, we will cover the essentials of the following wireless architectures:
Autonomous
Cloud-based
Split-MAC
Let's get started!
Autonomous
In an autonomous architecture, each AP is statically assigned a management IP address, which allows the network administrator to log in and configure the device across the network. This deployment model is good if you have a couple of APs to manage.
However, in this type of architecture, each AP is independently managed. This means if you have to make a universal change to the configurations of the wireless network, you'll need to log in to each device independently to make the changes.
The following diagram shows the typical deployment model for the autonomous architecture:
Figure 4.20 – Cisco autonomous wireless architecture
In the next section, we will learn about Cisco's cloud-based wireless network architecture.
Cloud-based
As more APs are deployed on an enterprise network, the management task becomes a bit challenging. Let's imagine you are the network administrator at a company with a large wireless network containing about 50 APs. One day, you have to make an adjustment to the wireless network configurations; logging on to each AP individually is time-consuming and inefficient.
In a cloud-based architecture, a wireless LAN controller (WLC) such as Cisco Meraki is deployed in the cloud. This model allows each AP to receive a management IP address, similarly to the autonomous architecture. However, the Cisco Meraki cloud model allows the WLC to gather network and Wi-Fi statistics, detect rogue devices, find radio frequency (RF) interference, and generate reports easily. In addition, this model provides a single dashboard that allows you to centrally manage all APs.
The following diagram shows the typical deployment model for the cloud-based architecture:
Figure 4.21 – Cisco cloud-based wireless architecture
In the next section, we will cover the essentials of the Split-MAC wireless network architecture.
Split-MAC
In this architecture, both a local WLC and Lightweight Access Points (LAPs) are implemented. The link between a WLC and a LAP is known as a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel. The CAPWAP tunnel handles the encapsulation of data between the devices.
The CAPWAP tunnel allows an AP and a WLC to be separated geographically and logically, allowing different virtual LAN (VLAN) traffic to be delivered to a specific AP without the need to create a trunk port on the switch. The WLC handles the RF management, client authentication, security management, quality of service (QoS), and association and roaming management of each LAP on the enterprise network. Additionally, each LAP manages the RF transmission, MAC management, and data encryption.
The following diagram shows a representation of the CAPWAP tunnel between a WLC and a LAP:
Figure 4.22 – CAPWAP tunnel
The CAPWAP tunnel requires two network ports. These are UDP port 5246, which allows the WLC to manage each LAP, and UDP port 5247, which is used for encapsulating data between the controller and the AP.
In the next section, we will cover the various modes of operation for a Cisco AP.
AP modes
Cisco APs are designed to operate in either autonomous (independent) or lightweight (centrally managed) mode. Using a WLC, you can configure a LAP to operate in the following modes:
Local: This is the default mode for a LAP, which allows the AP to provide one or more BSSs using a specific channel. When the AP is not transmitting, it will scan other wireless channels to determine the level of noise and interference and detect any nearby rogue APs.
Monitor: In monitor mode, the AP does not transmit any traffic at all; however, it is able to receive incoming transmissions from nearby wireless-enabled devices such as other APs and client devices (laptops, smartphones, and so on). This mode allows the AP to function as a dedicated sensor for checking intrusion detection system (IDS) security events, such as rogue APs, and determining the positions of stations (clients) using location-based services.
FlexConnect: In FlexConnect mode, the AP has the capability to switch traffic locally between an SSID and a VLAN if the CAPWAP tunnel is down. However, the AP needs to be configured to do so.
Sniffer: In sniffer mode, the AP dedicates its radios to capturing IEEE 802.11 traffic from nearby sources and forwards it to a computer running protocol analyzer software such as Wireshark for offline packet analysis.
Rogue detector: Rogue detector mode allows the AP to detect rogue devices by correlating MAC addresses found on the wired IEEE 802.3 network with those found on the wireless IEEE 802.11 airwaves.
Bridge: In bridge mode, the AP can be configured to operate as a bridge between two networks. In this configuration, two or more APs must be used in bridge mode to link (bridge) multiple locations together.
Flex+Bridge: Cisco APs can be configured to operate in a mesh network. In a mesh, each device is connected to all other devices. The benefit of using a mesh network is the fact that it has full redundancy. However, the downside is that because the mesh grows as more devices are added, it becomes challenging to manage and troubleshoot. The Flex+Bridge mode allows the APs to operate in this manner.
SE-Connect: The AP dedicates its radios to enabling spectrum analysis on all wireless channels. The data is sent to a computer running spectrum analysis software such as MetaGeek Chanalyzer or Cisco Spectrum Expert to discover the sources of interference.
In the next section, we will discuss wireless components and management techniques.
Wireless components and management
As mentioned in the previous section, Cisco wireless architectures, autonomous deployment is good enough if there are just a few APs on the network, but as the wireless network grows and more APs are added, management becomes more challenging. This is where LAPs come in to help us as network professionals.
LAPs are designed to be managed by a WLC. In a large network, a single WLC is usually physically connected to a network switch, which allows the LAPs to reach the WLC on the network. Keep in mind, though, the LAPs do not have any configurations when connected to the physical (wired) network, thus they are made available to the WLC for management.
Important note
A LAP can support multiple VLANs by using the CAPWAP tunnel between the WLC and the LAP. This means the AP only requires an access link to connect to the network infrastructure.
For your CCNA certification, it is important to understand the various interfaces supported by the Cisco WLC device. These interfaces are virtual interfaces that exist within the operating system of the device. However, these virtual interfaces are usually mapped to a physical port on the WLC.
There are several different types of controller ports that can be connected to your network:
Service port: This port is used for out-of-band management of the device, system recovery, and initial boot functions. Furthermore, this port is connected to an access port on a switch.
Distribution system port: This port is used for all normal AP and management traffic and is connected to an IEEE 802.1Q trunk port on a switch. This port is usually referred to as a Link Aggregation Group (LAG) interface. LAG allows you to configure multiple distribution system ports into a single logical group, such as an EtherChannel or port group on a switch. LAG provides resilience such that if one distribution system port fails, the traffic can be redirected to the remaining working ports.
Console port: This port is used for out-of-band management of the device, system recovery, and initial boot functions. A console cable is required.
Redundancy port: This port is used when configuring another controller to establish high availability (HA).
Management interface: This interface is used for management traffic such as traffic between the AAA server (RADIUS or TACACS+), WLC-to-WLC communications, and SSH and SNMP connections.
In the next section, we will walk through the process of accessing a Cisco WLC.
Lab – accessing a Cisco WLC GUI
In this section, you will learn how to set up a Cisco WLC for the first time and access its graphical user interface (GUI). To complete this exercise, use Cisco Packet Tracer to build the following topology:
Figure 4.23 – WLC topology
To configure a Cisco WLC, use the following steps:
1. Using a console cable, connect the PC to the WLC (WLC 2504) and power on the device.
2. Using PuTTY or another terminal application, establish a terminal session with the WLC.
3. If there are existing configurations on the WLC, enter 5 – Clear Configurations to clear the memory. The device will reboot automatically after the contents are cleared.
4. After the device has rebooted, the interactive wizard will ask whether you want to terminate autoinstall. Type yes and hit Enter.
5. Type a hostname for the device and hit Enter.
6. Next, set an Administrative username and hit Enter.
7. Next, set an Administrative password and hit Enter.
8. Next, set a Management interface IP address and hit Enter. This IP address will allow you to remotely connect to the device via Telnet, SSH, and HTTPS. Use 10.0.0.2/24 as the IP address and subnet mask for the device, as shown in the topology.
9. Next, set the Interface netmask (subnet mask) and hit Enter.
10. Next, set the Interface default router (gateway) IP address and hit Enter.
11. If there is a VLAN assigned to the switch port, set it at this stage. If there are no VLANs, simply hit Enter to leave the defaults and continue.
12. Next, the wizard will ask which of the physical ports on the WLC should assume the role of the management interface. Choose the port that is connected to the switch.
13. Next, the wizard may ask for a DHCP server IP address. If there is a DHCP server available on the network, insert the server's IP address here.
14. Next, the WLC will ask you to set an AP manager IP address. This IP address is used by the WLC to manage the APs. This address should be different from the management interface IP address.
15. The Virtual gateway IP address should be set to 192.0.2.1, as recommended by Cisco.
16. Next, set a Mobility/RF group name. This is used to allow you to move between APs on the network.
17. The wizard will then ask you to set an SSID, DHCP mode, static IP address for clients, RADIUS server, country code, IEEE 802.11 standards, NTP server, and so on.
18. The final step will ask whether the configurations are correct. Type yes to save and reboot. Additionally, you can use show sysinfo to verify the configurations on the Cisco WLC device.
After the Cisco WLC has rebooted, it's now accessible via the browser on a PC attached to the network, thus providing its GUI. In the next section, we will cover how to configure a Cisco WLC with LAPs on a network.
Lab – configuring a wireless network using a Cisco WLC
In this section, you will learn how to create WLANs, implement security features, configure interfaces, and adjust the QoS features on a Cisco WLC.
Tip
The WLC topology can be built within the Cisco Packet Tracer application. However, you'll need to enable the DHCP service on the server to provide automatic IP address configurations to the APs. Assigned static IP addresses are shown in the topology.
To get started setting up the WLC with the LAP, use the following instructions:
1. On PC1, open your web browser and go to the URL of the WLC, https://10.0.0.2 or http://10.0.0.2.
2. Log in with the username and password set in the previous exercise. On the main dashboard, you will see a similar view showing the physical ports that are currently in use by the WLC:
Figure 4.24 – Cisco WLC dashboard
3. If you scroll down a bit, you'll notice the WLC has auto-detected any available LAPs on the network:
Figure 4.25 – Access Point Summary
4. Furthermore, if you click the WIRELESS tab at the top, you'll be able to get more details about each associated LAP.
5. To configure interfaces on the Cisco WLC, click on CONTROLLER | Interfaces | New as follows:
Figure 4.26 – Creating interfaces on a Cisco WLC
6. When you click on New, you'll have the option to set a name for the interface and assign a VLAN ID, as shown here:
Figure 4.27 – Naming an interface on a Cisco WLC
7. After clicking on Apply to create the interface, the wizard will present a new screen allowing you to configure the VLAN Identifier, IP address, Netmask, Gateway, and Primary and Secondary DHCP server, as shown here:
Figure 4.28 – Interface options
8. Click Apply to finish setting up the virtual interface on the Cisco WLC.
9. To create a wireless network, go to the WLANs tab, set the option to Create New, and click on Go as follows:
Figure 4.29 – Creating a WLAN
10. Next, set the Profile Name and the SSID to your preference, as shown here:
Figure 4.30 – Setting the SSID name
11. Click Apply to continue.
12. Next, you'll be presented with the profile menu for the SSID. On the General tab, enable the SSID, as shown here:
Figure 4.31 – General tab
13. Click on the Security tab to adjust the security configurations for the wireless network, as shown here:
Figure 4.32 – Security tab
Here, you can configure the Layer 2 security options and enable 802.1X authentication if there is a RADIUS server on the network.
Important note
The RADIUS server handles the authentication, authorization, and accounting services of network devices and users. On this server, user accounts are created and centrally managed. Additionally, the RADIUS server removes the need to create user accounts directly on the APs on the network, as the APs will query the RADIUS server when a user is attempting to log on to the network.
14. To add a RADIUS server within the Cisco WLC, go to SECURITY | AAA | RADIUS | Authentication and click on New. A new page will open, and you can simply set the IP address of the RADIUS server and a secret key for authentication:
Figure 4.33 – Adding a RADIUS server
15. If there's a RADIUS server on the network, click on the AAA Servers tab to set a RADIUS server, as shown here:
Figure 4.34 – RADIUS settings
16. To adjust the QoS configurations on the WLAN, click on the QoS tab. You'll be able to choose Platinum, Gold, Silver, or Bronze.
17. Click Apply to save the settings for the newly created WLAN network.
Having completed this section, you now have the skills required to configure various Cisco wireless architectures and implement a Cisco WLC on a network. In the next section, we will cover the fundamentals of virtualization technologies.
VirtualizationfundamentalsTobeginthissection,wewillstartwithasimpleanalogytohelpyouunderstandtheimportantroleandbenefitsofimplementingvirtualizationtechnologies.Let'simagineyouhaveasinglecomputerrunningMicrosoftWindows10.UponlearningmoreaboutIT-relatedtopics,youhaverealizedthathavingsomeLinuxskillsmaybeimportanttoyourcareer,butyouhaveonlyonecomputer.OneoptionistocreateapartitiononthelocaldiskdriveandinstalltheLinuxoperatingsystemonthenewpartition,creatingadual-bootsystem.Thedownsidetothisisthatonlyoneoperatingsystemwillbeabletoboot.
Itwouldbehighlyadvantageousifyoucouldhavemultipleoperatingsystemsrunningsimultaneouslyonasinglesystem,suchasyourMicrosoftWindows10andLinux,asthiswouldallowyoutoworkbetweendifferentoperatingsystemsquicklyandefficiently.Thetechnologytomakethisarealityisknownasvirtualization.
Virtualizationallowsyoutoemulatethehardwarerequirementstorunanoperatingsystem.ThinkofitascreatingacontainerandplacingLinuxinside.Thevirtualizationapplication,knownasahypervisor,isthekeycomponenttocreatethenecessaryvirtualhardwarerequirementssuchasCPU,RAM,diskdrives,I/O,andothercomponentstoemulateaphysicalcomputer.Thehypervisorallowsyoutoinstallsupportedoperatingsystemsontothevirtualenvironment.Theseoperatingsystemsarereferredtoasvirtualmachinesorguestoperatingsystems.
Importantnote
Telegram Channel : @IRFaraExam
Aguestoperatingsystemisinstalledonahypervisorapplication,whileahostoperatingsystemisinstalleddirectlyonthephysicaldevice.
Therearetwotypesofhypervisor:
Type1hypervisor
Type2hypervisor
Wewilldiscusstheminthefollowingsubsections.
Type 1 hypervisor
A Type 1 hypervisor is most commonly referred to as a bare-metal hypervisor simply because it's installed directly onto the hardware. You might be wondering, "What do you mean, directly on the hardware?" To get a better idea, let's imagine you are going to build a desktop computer, so you buy the essential components such as CPU, RAM, motherboard, HDD/SSD, NIC, case, and so on, and you assemble all the components together to create a computer. Now you need an operating system to control all of the components. Instead of installing Windows or Linux on the hardware (HDD/SSD), you install a Type 1 hypervisor as the operating system, which will still allow you to communicate with all the physical hardware components.
The following diagram shows a visual representation of a Type 1 hypervisor and its virtual machines:
Figure 4.35 – Type 1 hypervisor
The benefit of using a Type 1 hypervisor is that each virtual machine has direct access to the hardware resources on the physical system.
The following is a list of Type 1 hypervisor applications:
VMware ESXi (free)
Proxmox (free)
XCP-ng (free)
Now that you have read about the Type 1 hypervisor, let's take a look at the functionality of the Type 2 hypervisor.
Type 2 hypervisor
The Type 2 hypervisor is installed on top of a host operating system. This type of hypervisor provides all the same essential functions and capabilities as a Type 1 hypervisor, but it is installed on your existing operating system. The virtual machines installed on a Type 2 hypervisor do not have direct access to all the available hardware resources, in contrast with Type 1 hypervisors.
The following diagram shows a visual representation of a Type 2 hypervisor and its virtual machines:
Figure 4.36 – Type 2 hypervisor
The host operating system has full access to the physical hardware resources, while some of the resources are shared with the virtual machines via the hypervisor application. This type of hypervisor is beneficial if you have a single computer and would like to create virtual machines on it.
The following is a list of Type 2 hypervisor applications:
Oracle VM VirtualBox (free)
VMware Player (free)
VMware Workstation Pro (commercial)
VMware Fusion (commercial)
Parallels Desktop for Mac (commercial)
Imagine a system such as Microsoft Windows Server 2019 on a physical rack server with a 12-core CPU, 128 GB of RAM, and 12 TB of storage, and the role of the server is to provide Active Directory (AD) and DHCP services. Those server roles combined will not use more than half of the available computing power. Thus, where a single operating system is installed on a physical device and the operating system is not maximizing the full potential of the available hardware resources, the CPU and RAM are hugely underutilized. This is known as server sprawl and is a major issue in the computing industry. Using virtualization technologies helps solve this problem.
The following screenshot is an example of a machine experiencing server sprawl:
Figure 4.37 – Underutilized hardware on a Windows machine
The hypervisor application allows us to allocate virtual resources to each virtual machine as we see fit. Therefore, we can assign various amounts of RAM to different virtual machines, and likewise for CPU cores and other virtual hardware components.
The following screenshot shows a virtual machine settings window in VMware Workstation Pro:
Figure 4.38 – Virtual Machine Settings
As you can see in the preceding screenshot, the hypervisor application allows you to customize the entire virtual environment, allowing you to add, modify, and remove virtual hardware components on a virtual machine.
Virtualization technology has been around in the computing industry for over a decade. Within the last 10 years, there has been a growing need for professionals who can implement and support data center environments to create cloud computing technologies. In the next section, we will explore various cloud computing architectures.
Cloud computing
What is cloud computing? Cloud computing allows us to use computing resources that are located in someone else's data center via the internet. In today's world, the need to have physical servers in an organization is slowly disappearing.
Having physical servers within an organization has the following downsides:
An IT team is required to always be available to manage the servers.
Servers require physical storage space in a building.
They use a lot of power (electricity).
They generate a lot of heat because the devices are always powered on.
If a hardware failure occurs on a server, this may cause a disruption in network services.
With cloud computing, an organization can eliminate the need for physical servers and simply pay for only the resources it uses from a cloud computing service provider such as Microsoft Azure, Amazon's AWS, or Google's GCP. On the backend, cloud providers use a lot of virtualization and automation technologies to quickly spin up resources for their customers within a matter of minutes. Each application and server deployed on a cloud platform is a virtual machine on the provider's backend.
One such example is the email services provided by Microsoft and Google. Microsoft offers Office 365 and Google offers G Suite; each provider has a plan that costs about USD 5-6 per user per month. This allows an organization to simply pay for the number of employees that require an email. If an employee requires additional services or storage, the plan allows the organization to simply pay for the additional service or features for that user. This provides greater flexibility for employers and organizations.
The following are benefits of using cloud computing technologies:
Cloud computing service providers usually guarantee over 99% uptime annually.
Cloud computing services are accessible anywhere and anytime.
It reduces the number of physical servers within an organization.
Cloud computing providers are responsible for all hardware maintenance on the virtual servers and services.
Organizations only pay for what they use from a service provider.
Service providers allow the customer to scale their platform or services.
Though there are many benefits to using cloud computing, there are also some disadvantages:
When using a cloud computing platform, you do not have full control of the backend platform as it is managed by the service provider.
You need to secure your cloud platform just as you would have to secure local servers in your organization.
An internet connection is required from the user's end to access resources online.
Over the years, Cisco has adapted to cloud computing technologies. Most of the time when we think of a Cisco router, switch, or even a firewall, we think of a physical device. However, there are many virtual appliances sold by Cisco that enable you to deploy them on a hypervisor within your organization, on your personal cloud platform, or on a reputable cloud service provider's infrastructure.
Tip
Check out the Cisco DevNet website to learn more about their cloud technologies at https://developer.cisco.com/.
In the next section, you will learn about the various cloud computing service architectures and delivery models.
Cloud services
A cloud computing provider has many services, all of which usually belong to one of three parent categories:
Software-as-a-Service (SaaS)
Platform-as-a-Service (PaaS)
Infrastructure-as-a-Service (IaaS)
In the following sections, we will describe each of these in further detail.
SaaS
In a SaaS model, the user is only provided with the application's user interface on the frontend. An example of a SaaS service is Office 365 or the G Suite applications, where the user accesses the applications they use, such as their email inbox, SharePoint, Google Docs, or Microsoft Office 365, using a web browser. The application is not installed on the user's device.
In a SaaS environment, the user does not have to be concerned with the hardware or the underlying infrastructure required to deliver the application. The cloud service provider is responsible for all the technical requirements, such as application updates and patching and hardware resources, which ensure the application is working properly for the user.
PaaS
The PaaS model is designed to allow the user access to underlying applications such as programming frameworks and application development environments. With this model, the user has a bit more control over the working environment than they do with SaaS. Some examples of PaaS are AWS Elastic Beanstalk, Google App Engine, and Microsoft Azure. With PaaS, the service provider supplies the user or developer with software tools.
IaaS
IaaS provides the user with more control over the physical hardware and software resources on the cloud platform, allowing the user to modify storage containers, networking configurations, and so on. Additionally, the user is able to deploy virtual appliances such as virtual firewalls, routers, switches, and other appliances on the cloud provider's platform. Examples of IaaS providers are Microsoft Azure, AWS, and GCP.
In the next section, we will take a look at cloud delivery models.
Cloud delivery models
In the world of cloud computing, there are four main types of deployment models for a cloud infrastructure. These are private, public, hybrid, and community cloud models. In this section, we will take a look at each of them to understand how a user or organization is able to access resources across a network and the internet.
Private cloud
In a private cloud, the organization owns the data center and the infrastructure that is used to manage it. A lot of companies build their own local/internal hosted data center, running all their critical applications for their employees and users. In this type of cloud, the organization is responsible for the maintenance and support of their cloud platform.
Public cloud
In a public cloud, the cloud infrastructure is owned by another organization, who rents part of or an entire data center to other organizations or individuals. Examples of public clouds are Microsoft Azure and Amazon's AWS. If you want to create a virtual Microsoft Windows Server 2019 on the cloud, it's as simple as accessing the Azure platform, choosing the right hardware configurations for the virtual machine (CPU, RAM, SSD/HDD), and paying for only the resources you use. Some cloud providers charge you by the minute, while some charge per hour.
Hybrid cloud
The hybrid cloud model consists of a private and a public cloud. Organizations usually have a private cloud hosting their applications and data. The private cloud provides faster data transfer rates between the users within the organization as it is locally hosted. However, the organization also pays for a public cloud service. This allows them to ensure they continuously replicate the private cloud onto the public cloud for redundancy and availability.
Community cloud
The community cloud model is a type of deployment that allows several organizations to share resources on a single cloud provider. This can be a group or partnership of companies simply sharing resources with each other.
Having completed this section, you now have the skills to describe and identify various types of cloud technology.
Summary
Throughout the course of this chapter, we have discussed the importance of discovering physical issues that may cause errors and collisions on a network. Having learned about speed and duplex configurations and how they affect traffic flow, you now have the essential skills to perform troubleshooting at layer 1 of the OSI reference model.
Additionally, we have covered the essential principles of wireless communication on an IEEE 802.11 network. We have looked in depth at how channels and frequencies all work together to deliver messages between devices. Additionally, we have discussed various Cisco wireless architectures and seen the benefits of using one deployment model over another based on the size of the wireless network. We have also covered the steps required to access and deploy a Cisco WLC on a network.
Now that you have completed this chapter, you should be able to describe various wireless principles such as the operation of channels, RFs, and SSIDs. You also now have the skills to implement a Cisco WLC on a network and configure WLANs, security, and QoS features. Lastly, you have learned about the importance of virtualization and the role it plays in cloud computing.
I hope this chapter has been informative for you and helps you in your journey toward learning how to implement and administer Cisco solutions and prepare for the CCNA 200-301 certification. In the next chapter, Chapter 5, Implementing VLANs, Layer 2 Discovery Protocols, and EtherChannels, we will learn how to segment your network to improve performance and security, and implement link aggregation technologies and discovery protocols.
Questions
The following is a short list of review questions to help reinforce your learning and help you identify areas that require some improvement:
1. What is the standard used to define a wireless network?
A. IEEE 802.3
B. IEEE 802.15
C. IEEE 802.11
D. IEEE 802.16
2. On a wireless network, what measurement is used to determine signal strength?
A. Amps
B. Gbps
C. dBm
D. RSSI
3. Which of the following frequencies does an AP use?
A. 5 GHz
B. 6 GHz
C. 2 GHz
D. 4 GHz
4. The ________ is known as the coverage area of a wireless signal.
A. SSID
B. BSA
C. ESSID
D. BSSID
5. Which of the following is used by a wireless client to identify an AP?
A. SSID
B. BSA
C. ESSID
D. BSSID
6. Which Cisco wireless architecture allows an AP to be independently managed?
A. Autonomous
B. Meraki
C. Split-MAC
D. Flex+Connect
7. What ports are used in a CAPWAP tunnel?
A. TCP 5246
B. UDP 5246
C. TCP 5247
D. UDP 5248
8. Which mode does the AP use to capture traffic?
A. Flex+Connect
B. Monitor
C. Sniffer
D. SE-Connect
9. A _________ is required to emulate a virtual environment.
A. Linux
B. Microsoft Windows Server
C. CPU
D. Hypervisor
10. Which cloud service provides only the application user interface?
A. IaaS
B. SaaS
C. PaaS
D. Private cloud
11. Which command allows you to see the physical issues on an interface?
A. show version
B. show ip interface
C. show interface
D. show interface fa0/1 switchport
12. What is the default operating speed of an interface?
A. 1000
B. Auto
C. 100
D. 10
13. Which commands quickly allow you to check the duplex mode on an interface? (Choose two)
A. show interface status
B. show ip interface brief
C. show interface trunk
D. show interfaces
14. Which of the following describes a frame with less than 64 bytes in size?
A. Giant
B. CRC
C. Runt
D. Collision
Further reading
The following links are recommended for additional reading:
The Road to Wi-Fi 6: https://www.cisco.com/c/en/us/products/collateral/wireless/e-nb-06-preparing-for-wifi-6-ebook-cte-en.html
Cisco WLC configuration guide: https://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-installation-and-configuration-guides-list.html
Cisco Wireless Architecture: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob41dg/emob41dg-wrapper/ch2_Arch.html
This section teaches you how to logically segment a network by implementing Virtual Local Area Network (VLAN) practices, allowing multiple VLANs to exchange data, and designing an enterprise switched network using the Spanning-Tree Protocol (STP).
This section contains the following chapters:
Chapter 5, Implementing VLANs, Layer 2 Discovery Protocols, and EtherChannels
Chapter 6, Understanding and Configuring Spanning-Tree
Chapter 5: Implementing VLANs, Layer 2 Discovery Protocols, and EtherChannels
As you're building your network, you will be learning a lot about configurations and techniques to ensure you have an optimally performing network. However, let's not forget about the actual engineering aspect of computer networking. There are many technologies at all layers of the OSI reference model and the TCP/IP protocol suite that help us to create an efficient network.
Throughout this chapter, you will learn about the importance of segmenting a flat physical network into smaller broadcast domains to improve both network security and the efficiency of network performance, using a layer 2 technology known as Virtual Local Area Network (VLAN). You will also learn about the various types of VLANs and usable ranges within an organization, and how to implement and establish end-to-end connectivity between devices on different VLANs on a network.
Additionally, you'll discover how to map a network topology by utilizing various layer 2 discovery protocols, such as Cisco Discovery Protocol (CDP) and Link-Layer Discovery Protocol (LLDP). Lastly, you'll learn how to bundle multiple physical ports on a switch to act as a single logical interface to provide high-bandwidth links between switches.
In this chapter, we will cover the following topics:
Understanding VLANs
Types of VLANs
Configuring VLANs and trunks
Implementing inter-VLAN routing
Enabling discovery protocols
Understanding and configuring EtherChannels
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:
Cisco Packet Tracer: https://www.netacad.com
The code files for this chapter are available at https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2005.
Check out the following video to see the Code in Action: https://bit.ly/33WlzIG
Understanding VLANs
In a small LAN operating at optimal performance, there are typically a few devices exchanging messages simultaneously. As an organization grows to support more business services, so does the network, to support more connected users and network applications. Physically, expanding a network seems simple, but we also need to consider the logical traffic flow and its capacity between devices. We humans don't see the actual traffic flowing across a network without using tools such as Wireshark.
Important note
Wireshark is a network protocol analyzer that has the ability to display the raw details within a packet.
Let's imagine that within an organization, there are hundreds of devices all connected to the same physical network. If one device sends a broadcast (shouts on the network), all other connected devices will receive and process each broadcast message. What if a lot more devices are generating broadcast messages simultaneously? The high amount of broadcast messages will begin to flood the network, causing network traffic congestion.
Additionally, with the high level of broadcast messages propagating across the network, all other devices will be using unnecessary computing resources to constantly process each broadcast message they receive. Having too much unnecessary traffic on a network can cause deterioration in network performance and adversely affect the user experience. Think of the network as a nation's roadways: during certain times of the day/night, there are fewer vehicles, allowing you to reach your destination quickly. During peak times, on the other hand, such as after-work hours, there is more traffic, and it takes longer to arrive at your destination.
The following are some important concerns for an organization:
How do we reduce the amount of unnecessary messages (traffic) on a network?
How do we improve the network performance?
There is voice, video, and data traffic that needs to be separated. How can this be done without spending money on new equipment?
How can we create a separate network for devices and users with similar job roles?
The answer to all these questions is VLANs. What do we mean by VLAN? How can a physical network be virtual and still support all connected users and devices? This is where we begin our journey of learning how to move from a flat layer 2 network into a more structured and hierarchical network using Cisco IOS switches.
A VLAN is a virtual layer 2 network that provides the ability to reduce the size of a broadcast domain. Imagine an enterprise network with over 100 devices all interconnected using switches. When an end device sends a broadcast message, all other devices receive and process it. This is referred to as a layer 2 broadcast domain. It is simply a logical segment that allows all connected devices to reach each other via the data link layer. To get a better understanding of how to identify broadcast domains, let's take a look at the following topology:
Figure 5.1 – Broadcast domains
When an end device sends a broadcast message, the switch that receives the message checks the destination MAC address within the frame to make a forwarding decision. In a layer 2 broadcast message, the destination MAC address is FF-FF-FF-FF-FF-FF. Therefore, the switch will send the frame out all other ports, and if there are other switches on the same network, they too will do the same. A layer 2 broadcast is stopped by a layer 3 device, such as a router.
Reviewing the previous diagram, if PC1 sends a layer 2 broadcast message, only PC2, PC3, and the router's connected interface will receive it. Therefore, this is one broadcast domain. If R1 sends a broadcast message over the link connecting R1 and R2, only R2 will receive the broadcast message, hence this is another broadcast domain. Lastly, if PC4 sends a broadcast, only PC5, PC6, and the R2 LAN interface will receive it, meaning another broadcast domain. Overall, the topology has a total of three broadcast domains.
Tip
Each port on a switch can be identified as a collision domain. Additionally, each port on a router can be identified as both a collision domain and a broadcast domain.
Rather than using multiple routers on a network to create physical segmentation, VLANs allow us to perform logical segmentation through the Cisco IOS switches via software.
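The walk through Figure 5.1 above applies one rule: a switch floods a broadcast out every other port, a router does not forward it. The following script is an added example, not the book's own code, that applies exactly that rule to a constructed link list laid out like the figure (PC1-PC3 and R1 on one switch, an R1-R2 link, PC4-PC6 and R2 on a second switch) and counts the broadcast domains. The device names, port names and the link list are assumptions made for this example.

```python
"""Count layer 2 broadcast domains in a small topology.

Added example (not the book's own code): it applies the forwarding rule stated
in the text, a switch floods a broadcast with destination FF-FF-FF-FF-FF-FF out
every other port while a router stops it, to a constructed topology laid out
like Figure 5.1. Device names, port names and the link list are assumptions.
"""
from collections import defaultdict

# Constructed topology: each tuple is (device_a, port_a, device_b, port_b).
# PC1-PC3 and R1 hang off SW1; R1 and R2 share a point-to-point link;
# PC4-PC6 and R2 hang off SW2.
LINKS = [
    ("PC1", "eth0", "SW1", "Fa0/1"),
    ("PC2", "eth0", "SW1", "Fa0/2"),
    ("PC3", "eth0", "SW1", "Fa0/3"),
    ("R1", "Gi0/0", "SW1", "Fa0/24"),
    ("R1", "Gi0/1", "R2", "Gi0/1"),
    ("R2", "Gi0/0", "SW2", "Fa0/24"),
    ("PC4", "eth0", "SW2", "Fa0/1"),
    ("PC5", "eth0", "SW2", "Fa0/2"),
    ("PC6", "eth0", "SW2", "Fa0/3"),
]
ROUTERS = {"R1", "R2"}


def _segment_node(device, port, routers):
    """Switches and hosts pass a broadcast between all their ports, so every
    port of such a device maps to one node. A router does not forward layer 2
    broadcasts between its interfaces, so each router port is its own node;
    that is what makes the router a broadcast-domain boundary."""
    return (device, port) if device in routers else (device, None)


def broadcast_domains(links, routers):
    """Return the broadcast domains as sorted lists of device names.

    Union-find over the link list: two endpoints joined by a cable share a
    domain, and a switch or host merges all of its ports into one node."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]   # path halving
            node = parent[node]
        return node

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_a] = root_b

    for dev_a, port_a, dev_b, port_b in links:
        union(_segment_node(dev_a, port_a, routers),
              _segment_node(dev_b, port_b, routers))

    members = defaultdict(set)
    for node in list(parent):
        members[find(node)].add(node[0])   # a router appears in every domain it borders
    return sorted(sorted(group) for group in members.values())


def count_broadcast_domains(links, routers):
    return len(broadcast_domains(links, routers))


if __name__ == "__main__":
    for domain in broadcast_domains(LINKS, ROUTERS):
        print(", ".join(domain))
    print("broadcast domains:", count_broadcast_domains(LINKS, ROUTERS))
```

Adding a VLAN-aware switch would mean keying switch nodes by (switch, VLAN) instead of (switch, None), which is the logical segmentation the next paragraphs describe.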
The following diagram shows a single physical network where all devices are on the same broadcast domain:
Figure 5.2 – Physical network in a building
Let's say the organization has three departments (Sales, HR, and IT) where a computer/device of each department resides on each floor of the building. We can configure our switches with VLANs to provide the following:
Figure 5.3 – Network with VLANs
Apart from implementing VLANs using switches, we also need to assign each VLAN a unique subnet, as in the preceding diagram. Remember, a VLAN is a logical network and therefore, each device on a VLAN will need an IP address to communicate with other devices.
If there are multiple VLANs on a physical network, how does the traffic remain logically separated from other VLAN traffic transferring on the same switches? Firstly, VLANs are assigned on the switch's interface and any traffic (frame) that enters a switch's interface becomes tagged with an IEEE 802.1Q tag containing the VLAN ID. These interfaces are known as access ports. Only one VLAN is allowed to be assigned to an access port; the only exception for having two VLANs on the same access port is when one VLAN is a data VLAN and the other is a voice VLAN. To get a better understanding of how the switch isolates traffic, let's take a look at the following diagram:
Figure 5.4 – VLAN assignment per interface
If PC1 sends traffic to Fa0/1, the switch will insert an IEEE 802.1Q tag that contains VLAN 10 on all traffic entering that interface. Similarly, any traffic entering Fa0/2 will be tagged with VLAN 20.
The following diagram is a representation of an 802.1Q tag within a frame:
Figure 5.5 – Tagged frame
While there is different VLAN traffic moving within and between switches on a physical network, the switches will keep each VLAN's traffic separated from other VLANs, hence the term virtual local area network. Before traffic exits an access port, the switch removes the IEEE 802.1Q tag from the frame because the end device is not concerned about the VLAN ID, but rather the data stored in the frame itself.
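To make the tagging and untagging concrete, here is an added example (not code from the book) that builds a constructed Ethernet frame, inserts an 802.1Q tag the way the switch in Figure 5.4 tags traffic entering Fa0/1 for VLAN 10, reads the tag back field by field as laid out in Figure 5.5, and strips it the way an access port does before the frame reaches the end device. The MAC addresses and payload bytes are constructed sample values.

```python
"""Insert, parse and strip an IEEE 802.1Q tag on an Ethernet frame.

Added example, not from the book. The tag sits between the source MAC and the
original EtherType: 2 bytes TPID (0x8100) followed by 2 bytes TCI, of which the
top 3 bits are the priority and the low 12 bits are the VLAN ID.
"""
import struct

ETHERTYPE_8021Q = 0x8100   # TPID announcing that a tag follows
ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = bytes.fromhex("ffffffffffff")


def mac_str(raw):
    return "-".join(f"{b:02X}" for b in raw)


def add_8021q_tag(frame, vlan_id, priority=0):
    """Insert TPID + TCI after the source MAC, as the switch does on ingress.
    The switch port, not the sending host, decides the VLAN ID placed here."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = ((priority & 0x7) << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def parse_frame(frame):
    """Return the header fields; vlan/priority are None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac_str(dst), "src": mac_str(src), "vlan": None,
            "priority": None, "broadcast": dst == BROADCAST_MAC}
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        info["priority"] = tci >> 13
        info["vlan"] = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]   # the real EtherType
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def strip_8021q_tag(frame):
    """Remove the 4-byte tag before the frame exits an access port; the end
    device only cares about the data, not the VLAN ID."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample: PC1 (MAC 00-11-22-33-44-55) sends a broadcast IPv4 frame.
UNTAGGED = (BROADCAST_MAC + bytes.fromhex("001122334455")
            + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45\x00" + b"\x00" * 18)


def demo():
    tagged = add_8021q_tag(UNTAGGED, vlan_id=10)    # ingress on Fa0/1, VLAN 10
    info = parse_frame(tagged)                      # what a trunk neighbour sees
    restored = strip_8021q_tag(tagged)              # egress on an access port
    return info, restored


if __name__ == "__main__":
    parsed, out = demo()
    print(f"VLAN {parsed['vlan']} priority {parsed['priority']} "
          f"ethertype 0x{parsed['ethertype']:04X} broadcast={parsed['broadcast']}")
    print("tag stripped on egress:", out == UNTAGGED)
```

Run it and the parsed VLAN is 10 while the egress frame equals the original untagged bytes, which is the round trip the two paragraphs above describe.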
To create a VLAN on a Cisco IOS switch, use the following commands:
SW1(config)# vlan 10
SW1(config-vlan)# name Sales
SW1(config-vlan)# exit
To delete a VLAN, use the following command:
SW1(config)# no vlan 10
Always remember, to remove a configuration from running-config, use the negated form of the original configuration, such as no followed by the remaining portion of the command.
Important note
VLANs are not able to communicate with one another by default. This means devices on VLAN 10 are not able to communicate with those that are on VLAN 20 or another VLAN. A router can be used to perform a technique called inter-VLAN routing to move traffic between VLANs on an enterprise network.
Not only do VLANs allow you to create smaller broadcast domains while improving network performance, but there are also additional benefits, such as the following:
Reduced costs
Improved security
Both improved IT efficiency and management
How do VLANs reduce costs on a network? Let's imagine that the organization has a Voice-over-IP (VoIP) network containing all their IP-based phones and a unified communication server. All voice (and video) traffic uses UDP as the preferred transport layer protocol for its low overhead in a network. It's a good idea to ensure all voice traffic remains separate from data traffic. This is because data traffic usually uses TCP, which is connection-oriented; therefore, the routers and switches will prioritize TCP over UDP by default, and additionally, UDP traffic has a high chance of being discarded over TCP if there is any congestion on a segment along a network. Rather than implementing a physically separate network for a different traffic type, a good strategy is to implement a VLAN for all voice traffic. As a result, all voice-related devices, such as IP phones, will be on the voice VLAN and the voice traffic will be separate from all data traffic types.
How do VLANs improve security on a network? Let's think of a network without VLANs. All devices connected to any of the layer 2 switches will be able to exchange messages with all other connected devices as well. From a networking point of view, this is a good thing, right? But from a security point of view, this is bad as there is no segmentation of traffic and devices. Thus, a malicious user can insert their device into the network and reach all other devices easily. VLANs help us to create logically separated networks and allow us to apply a layer 3 technology on the Cisco IOS routers known as Access Control Lists (ACLs) to filter traffic between VLANs.
How can IT efficiency and management be improved by adding VLANs to a network? Let's imagine that recently some organizational changes took place where users were relocated to other areas within a building. Without having to physically move a computer from one area of a network to another, the network administrator/engineer can simply reassign the VLAN ID on the switch's physical interface. Reconfiguring a VLAN ID takes a few seconds, and the connected device will be on an entirely different network once the reconfiguration is done.
VLAN ranges
VLANs are identified by a numerical value within their configurations and the frame. However, as network professionals, there are two different ranges of VLANs that are available to us. These are as follows:
Normal range
Extended range
The following are the characteristics of the normal range of VLANs:
These are VLAN IDs that range from 1–1005.
VLANs 1002 to 1005 are reserved for various layer 2 technologies, such as token ring and Fiber Distributed Data Interface (FDDI) technologies.
VLANs 1 and 1002–1005 are automatically created on Cisco IOS switches and cannot be deleted.
VLANs are stored in a special database file known as vlan.dat in flash memory.
If you use the show flash: command in privilege mode on a Cisco IOS switch, you will see the vlan.dat file. If you are factory restoring a switch, be sure to use the delete vlan.dat command to delete the VLAN database file.
The following are the characteristics of the extended range of VLANs:
These VLANs range from 1006 to 4094.
The configurations are not stored in the vlan.dat file, unlike those of the normal range.
The configurations are stored in the running-config file by default.
There are fewer VLAN features in the extended range compared to the normal range.
Let's now have a look at the types of VLANs.
Types of VLANs
There are five main types of VLANs that exist within switches. In this section, we will learn about each of these types of VLANs and how they are used within an enterprise network.
Default: When you buy a new Cisco IOS switch, it works straight out of the box. This means if you plug any devices with a suitable IP scheme into the physical interfaces, they are able to exchange messages by default without any configurations on the switch. Cisco IOS switches contain default configurations, but most importantly, all ports are assigned to the default VLAN. Hence, all connected devices are able to exchange messages.
The following are the characteristics of the default VLAN:
The default VLAN is VLAN 1.
All ports on a Cisco IOS switch are assigned to VLAN 1 by default.
The management VLAN is VLAN 1 by default.
The native VLAN is VLAN 1 by default.
VLAN 1 cannot be renamed.
Since VLAN 1 is the default VLAN, it should not be used at all on a network for security reasons.
Data: When you create a VLAN on a Cisco IOS switch, it can be used for any purpose you choose. These VLANs are assigned to a physical interface on the switch; these interfaces are known as access ports. The switch tags all inbound traffic entering the switch and it remains tagged until it exits an access port. Data VLANs allow all types of frames to traverse the network. Only one data VLAN can be assigned to a switch interface.
To assign a VLAN to an interface, use the following commands within interface mode:
SW1(config)# interface FastEthernet0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan vlan-ID
SW1(config-if)# no shutdown
SW1(config-if)# exit
The switchport mode access command statically sets the interface as an access port and the switchport access vlan vlan-ID command assigns a VLAN to the interface.
Additionally, to reset the interface to its default settings, use the following commands:
SW1(config)# interface FastEthernet0/1
SW1(config-if)# no switchport mode access
SW1(config-if)# no switchport access vlan
SW1(config-if)# exit
Once again, we have used the negated form of the original configurations to reset the interface to its original state.
Voice: The voice VLAN is self-explanatory. It is used to transport voice messages while keeping them separate from other VLANs on the network. Ensuring the voice network is logically separated from the data network will result in a significant improvement for VoIP.
To assign a voice VLAN on an interface, use the following commands within interface mode:
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport voice vlan vlan-ID
By default, there can only be one VLAN on an interface. However, the exception for having two VLANs assigned on a single interface is where one is a data VLAN and the other is a voice VLAN.
Management: The management VLAN is used to remotely access the switch over a network for management purposes. To put it simply, it is the Switch Virtual Interface (SVI), which is configured with an IP address and subnet mask. A network administrator can use HTTP, HTTPS, Telnet, or SSH to remotely connect to and manage the device.
To create a management VLAN or SVI, use the following configurations:
Switch# configure terminal
Switch(config)# vlan 99
Switch(config-vlan)# name Management
Switch(config-vlan)# exit
Switch(config)# interface vlan 99
Switch(config-if)# ip address 10.0.0.2 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Please keep in mind that the management VLAN should be on a separate IP subnet from the remainder of the network. This will help improve security and access management to devices. Do not combine the management VLAN with another VLAN on the network; it is bad practice to do so.
Native: The native VLAN is used to transport untagged traffic across an IEEE 802.1Q trunk link. Whenever an end device such as a computer sends traffic into a switch, the receiving switch port inserts an IEEE 802.1Q tag (VLAN ID) into the frame; this is known as tagged traffic. However, untagged traffic does not originate from a switch port, so where does it come from? An example of untagged traffic is simply traffic that is generated by switches and routers themselves, such as CDP messages.
To assign a native VLAN to a trunk interface, use the following configurations:
SW1(config)# interface FastEthernet0/24
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk native vlan native-vlan-ID
Ensure you statically set the interface into trunk mode using the switchport mode trunk command, then use the switchport trunk native vlan command to change the native VLAN from its default setting.
Important note
The native VLAN must match between trunk interfaces. If the native VLAN does not match, you will experience connectivity issues on the trunk link.
In the next section, we will describe how switches allow multiple VLANs to span across the entire local area network using trunks.
Trunk interfaces
Implementing trunks helps us solve major issues when spanning VLANs across multiple switches on a network. Trunks allow us to transport the traffic of multiple VLANs simultaneously between switches, as opposed to using an access port, which only allows a single VLAN. To get a better understanding, let's take a look at the following diagram where an access link is configured between the switches:
Figure 5.6 – Access link between switches
In the preceding topology, an access link is configured between both switches. However, VLAN ID 10 is assigned on both physical interfaces. This means PC1 is able to exchange messages with PC3, as they are both on VLAN 10, but none of the VLAN 20 traffic is allowed between the switches. This is because access ports are configured between the switches, which allow only one VLAN.
Important note
The link between a switch and another switch is known as a trunk, and the link between a switch and the router is also known as a trunk.
Trunks allow switches to carry the traffic of multiple VLANs between them. The following diagram shows the effect of converting the link between two switches into a trunk:
Figure 5.7 – Trunk link between switches
As expected, both VLAN 10 and VLAN 20 traffic is allowed to flow bi-directionally, therefore allowing PC2 to exchange messages with PC4.
To create a trunk interface, use the following commands:
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Switch(config-if)# switchport trunk native vlan vlan-ID
Switch(config-if)# no shutdown
Switch(config-if)# exit
The following is a breakdown of the configurations used to create a trunk:
1. (Optional) On older Cisco switches, you may need to execute the switchport trunk encapsulation dot1q command before setting the mode to trunk on the interface. Older Cisco switches support both 802.1Q and Inter-Switch Link (ISL). Cisco ISL is an older Cisco proprietary encapsulation protocol that is no longer used on newer devices; therefore, you would need to choose the encapsulation type before enabling trunking.
2. The switchport mode trunk command is used to statically set the interface into trunk mode.
3. The switchport trunk allowed vlan command is used to set which VLANs are allowed across the trunk link.
4. Lastly, using the switchport trunk native vlan command sets the native VLAN on the trunk interface.
5. To remove the allowed list of VLANs on a trunk interface, use the no switchport trunk allowed vlan command.
6. To reset the native VLAN to its default, use the no switchport trunk native vlan command.
Nowthatyouhavecompletedthissection,youwilllearnaboutanauto-negotiationfeatureonCiscoIOSswitchinterfaces,theDynamicTrunking
Telegram Channel : @IRFaraExam
Protocol(DTP).
Dynamic Trunking Protocol
So far, we have learned that switch ports can be either access ports or trunk ports. However, a switch port has a few other modes that allow it to negotiate whether to establish an access or trunk link with the switch at the other end. The protocol that performs this negotiation is known as DTP.
Important note
By default, DTP is enabled on Cisco IOS switches, and the default interface mode is dynamic auto.
The following are the various DTP modes on a switch interface:
switchport mode access: Puts the interface into a permanent non-trunking mode and negotiates to convert the link into a non-trunk (access) link.
switchport mode dynamic auto: Makes the interface willing to convert the link to a trunk link if the neighbor asks for it, but it never initiates the negotiation itself. This is the default mode on Cisco switches.
switchport mode dynamic desirable: The interface actively attempts to convert the link to a trunk link.
switchport mode trunk: Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link.
Additionally, applying the switchport nonegotiate command prevents the interface from generating DTP frames. Without DTP messages being sent out, the interface comes up faster, as it does not have to negotiate its status. You can use this command only when the interface is statically configured as an access port or a trunk interface. Furthermore, because no negotiation takes place, you must manually configure the neighboring interface as a trunk interface in order to establish a trunk link between the switches.
Important note
The show dtp interface interface-id command can be used to determine the current DTP mode on a switch port. Alternatively, you can use the show interface interface-id switchport command to validate both the administrative and operational modes of the interface, as well as the DTP mode.
The following chart provides all the possible outcomes when two switch interfaces are configured with a DTP mode:
Figure 5.8 – DTP negotiation chart
To get a better understanding of this, let's imagine two switches, A and B, are interconnected using a cable. If both switches have default configurations, what type of link is formed between them? Since the default interface mode on a Cisco IOS switch is switchport mode dynamic auto, according to the chart, their ports will negotiate into being access ports. However, if switch A is configured as switchport mode dynamic desirable and switch B is using its default configuration, the result will be a trunk link between A and B.
The same rule applies to a port connected to an end device: a port left in dynamic auto will form a trunk with anything plugged into it that sends DTP frames requesting one. This is why the labs later in this chapter configure every port connected to a PC with switchport mode access and switchport nonegotiate, so that the port can never be negotiated into a trunk.
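The outcomes in the negotiation chart can be written down as a small model. The following is an added example (not code from the book): it encodes the DTP rules described above for the four switchport modes plus switchport nonegotiate, reproduces the chart, and answers the question a practitioner cares about most, namely whether a given port configuration would accept a trunk from a device that sends DTP "desirable" frames. The mode strings and function names are this example's own.

```python
"""DTP negotiation outcomes between two Cisco switch ports, as a model.

Added example (not code from the book). The rules encode standard DTP
behaviour: a dynamic port becomes a trunk only when its neighbor sends a
DTP trunk request, and a port with `switchport nonegotiate` sends no DTP
frames at all, so a dynamic neighbor never hears such a request.
"""
from __future__ import annotations

from dataclasses import dataclass

ACCESS = "access"
AUTO = "dynamic auto"          # default on Cisco IOS switches
DESIRABLE = "dynamic desirable"
TRUNK = "trunk"
MODES = (ACCESS, AUTO, DESIRABLE, TRUNK)
DYNAMIC = {AUTO, DESIRABLE}


@dataclass(frozen=True)
class Port:
    mode: str                  # one of MODES (the `switchport mode` setting)
    nonegotiate: bool = False  # `switchport nonegotiate` applied?

    def __post_init__(self) -> None:
        if self.mode not in MODES:
            raise ValueError(f"unknown switchport mode {self.mode!r}")
        if self.nonegotiate and self.mode in DYNAMIC:
            # IOS only accepts nonegotiate on a static access or trunk port
            raise ValueError("switchport nonegotiate needs a static access or trunk mode")

    def operational_mode(self, peer: Port) -> str:
        """Mode this port settles on once cabled to `peer`."""
        if self.mode not in DYNAMIC:
            return self.mode  # static ports never change
        # Peer modes that would make this dynamic port trunk...
        willing = {TRUNK, DESIRABLE, AUTO} if self.mode == DESIRABLE else {TRUNK, DESIRABLE}
        # ...but only if the peer actually sends DTP frames.
        if peer.nonegotiate or peer.mode not in willing:
            return ACCESS
        return TRUNK


def negotiate(a: Port, b: Port) -> str:
    """'trunk' or 'access' when both ends agree, otherwise a 'mismatch (...)' string."""
    op_a, op_b = a.operational_mode(b), b.operational_mode(a)
    return op_a if op_a == op_b else f"mismatch ({op_a}/{op_b})"


def dtp_chart() -> dict[tuple[str, str], str]:
    """Every combination of configured modes, like the negotiation chart."""
    return {(x, y): negotiate(Port(x), Port(y)) for x in MODES for y in MODES}


def trunks_with_rogue_dtp(port: Port) -> bool:
    """Would this port form a trunk if the attached host sent DTP 'desirable' frames?"""
    return port.operational_mode(Port(DESIRABLE)) == TRUNK


if __name__ == "__main__":
    for (x, y), result in dtp_chart().items():
        print(f"{x:18} + {y:18} -> {result}")
    print("default (dynamic auto) port trunks with rogue DTP:", trunks_with_rogue_dtp(Port(AUTO)))
```

A "mismatch" result is the case where one side ends up trunking and the other does not, which is exactly what happens when a statically configured trunk with nonegotiate faces a neighbor left in dynamic auto.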
Now that you have completed this section, let's learn how a device on one VLAN is able to exchange messages with another located on a separate VLAN.
Inter-VLAN routing
Inter-VLAN routing is the method used to allow devices on one VLAN to communicate with devices on another VLAN. To make this happen, you will need a Cisco IOS router with an available physical interface. Nowadays, we use a technique known as router-on-a-stick, which allows us to create multiple sub-interfaces on a single physical interface of a router.
Typically, each port on a router is connected to a unique network or subnet. Let's imagine there are five VLANs on a network, and each VLAN is also a unique IP subnet. For each subnet to communicate outside its own network, a default gateway is required. Most commonly, network professionals configure the default gateway's IP address on a router interface, but with five VLANs, that would require five interfaces on the router.
When you purchase a physical Cisco IOS router, it usually comes with 2–4 built-in interfaces. If you require additional ports on the same router, you'll need to purchase modules with 4 network ports that can be installed in available slots on the router. Overall, this method will cost you money. How, then, can we connect multiple VLANs to a single router?
Rather than connecting each VLAN from a switch to a unique physical interface on the router, we can create sub-interfaces within a router's physical port. Each sub-interface is configured to carry the traffic of a specific VLAN and is assigned that VLAN's default gateway IP address.
The following diagram is a representation of sub-interfaces on a router:
Figure 5.9 – Sub-interfaces on a router
To have a better understanding of traffic flows between VLANs, let's examine the following topology:
Figure 5.10 – Inter-VLAN routing
In the topology, each computer is on a different VLAN (Layer 2) and on a different IP subnet (Layer 3). If PC1 sends a message to PC2, the following actions take place:
1. PC1 determines that the destination (PC2) is on a different IP subnet. Therefore, PC1 sends the message to its default gateway, 10.0.0.1.
2. The switch receives the incoming frame from PC1 on FastEthernet0/1 and, because the frame will leave on a trunk, inserts an IEEE 802.1Q tag with VLAN ID 10.
3. The switch checks the destination MAC address and forwards the frame out of its trunk interface to the router.
4. The router receives the frame tagged with VLAN ID 10 on its GigabitEthernet0/1.10 sub-interface.
5. The router checks the destination IP address within the inbound packet and looks for a suitable route in its routing table. The router notices that the destination network is directly connected to its GigabitEthernet0/1.20 sub-interface.
6. The router forwards the packet out of the GigabitEthernet0/1.20 sub-interface, tagged with VLAN ID 20, and the switch receives it on its trunk.
7. The switch checks the destination MAC address and forwards the frame out of the FastEthernet0/2 interface with the IEEE 802.1Q tag removed, since that is an access port.
This technique allows us to create as many sub-interfaces as needed to support each VLAN within an enterprise network.
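The seven steps above can be reproduced at the byte level. The following is an added example (not code from the book) that builds the Ethernet frames involved, inserts and strips the IEEE 802.1Q tag the way the switch does on its access-to-trunk and trunk-to-access paths, and models the router's sub-interfaces as a VLAN-to-subnet table. It also shows the native VLAN behaviour the earlier note relies on: native-VLAN frames cross the trunk untagged, and untagged frames arriving on a trunk are assigned to the native VLAN. The MAC addresses, the VLAN 30 subnet and the use of VLAN 99 as native VLAN are made-up constants for the example.

```python
"""802.1Q tagging and router-on-a-stick forwarding, modelled as bytes.

Added example, not code from the book. It walks PC1's packet to PC2
through the seven steps above: the switch tags the frame with VLAN 10 on
its trunk, the router receives it on the VLAN 10 sub-interface, routes it
to the VLAN 20 sub-interface and sends it back tagged 20, and the switch
strips the tag before handing it to PC2's access port. The MAC addresses,
the VLAN 30 subnet and the native VLAN 99 are made-up constants.
"""
from __future__ import annotations

import ipaddress
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_ipv4(src_ip: str, dst_ip: str, ttl: int = 64, payload: bytes = b"") -> bytes:
    """Minimal IPv4 header (no options, checksum left as zero) followed by payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 1, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return header + payload


def build_frame(dst_mac: bytes, src_mac: bytes, payload: bytes, vid: int | None = None) -> bytes:
    """Ethernet II frame; with `vid` set, an 802.1Q tag (PCP 0, DEI 0) is inserted."""
    if vid is None:
        return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + payload
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> tuple[bytes, bytes, int | None, bytes]:
    """Return (dst_mac, src_mac, vid or None if untagged, payload)."""
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return dst, src, tci & 0x0FFF, frame[18:]
    return dst, src, None, frame[14:]


def access_to_trunk(frame: bytes, access_vid: int, native_vid: int = 1) -> bytes:
    """Switch, access port -> trunk: tag the frame, except for the native VLAN, which goes untagged."""
    dst, src, vid, payload = parse_frame(frame)
    if vid is not None:
        raise ValueError("tagged frame received on an access port")
    return build_frame(dst, src, payload, None if access_vid == native_vid else access_vid)


def trunk_to_access(frame: bytes, access_vid: int, native_vid: int = 1) -> bytes | None:
    """Switch, trunk -> access port: an untagged frame belongs to the native VLAN; the tag is
    stripped and the frame delivered only if its VLAN matches the access port's VLAN."""
    dst, src, vid, payload = parse_frame(frame)
    frame_vid = native_vid if vid is None else vid
    return build_frame(dst, src, payload) if frame_vid == access_vid else None


class RouterOnAStick:
    """One physical interface, one sub-interface per VLAN (encapsulation dot1Q <vid>)."""

    def __init__(self, mac: bytes, subinterfaces: dict[int, str]) -> None:
        self.mac = mac
        self.subif = {vid: ipaddress.ip_interface(cidr) for vid, cidr in subinterfaces.items()}

    def forward(self, frame: bytes, arp_table: dict[str, bytes]) -> bytes | None:
        dst, _src, vid, packet = parse_frame(frame)
        if dst != self.mac or vid not in self.subif:
            return None  # not addressed to the gateway, or no sub-interface for that VLAN
        ttl, dst_ip = packet[8], ipaddress.IPv4Address(packet[16:20])
        egress = next((v for v, i in self.subif.items() if dst_ip in i.network), None)
        if egress is None or ttl <= 1 or str(dst_ip) not in arp_table:
            return None  # no connected route, TTL expired, or next hop MAC unknown
        routed = packet[:8] + bytes([ttl - 1]) + packet[9:]
        return build_frame(arp_table[str(dst_ip)], self.mac, routed, egress)


PC1_MAC = b"\x02\x00\x00\x00\x00\x01"
PC2_MAC = b"\x02\x00\x00\x00\x00\x02"
R1_MAC = b"\x02\x00\x00\x00\xaa\x01"


def pc1_to_pc2() -> dict[str, int | None]:
    """Run the walkthrough; returns the VLAN tag seen at each hop (None = untagged)."""
    r1 = RouterOnAStick(R1_MAC, {10: "10.0.0.1/24", 20: "172.16.0.1/24", 30: "192.168.30.1/24"})
    arp = {"172.16.0.10": PC2_MAC}
    step1 = build_frame(R1_MAC, PC1_MAC, build_ipv4("10.0.0.10", "172.16.0.10"))  # PC1 -> gateway MAC
    step2 = access_to_trunk(step1, access_vid=10, native_vid=99)                   # Fa0/1 -> trunk
    step6 = r1.forward(step2, arp)                                                 # Gi0/1.10 -> Gi0/1.20
    assert step6 is not None
    step7 = trunk_to_access(step6, access_vid=20, native_vid=99)                   # trunk -> Fa0/2
    assert step7 is not None
    return {"pc1_to_switch": parse_frame(step1)[2], "switch_to_router": parse_frame(step2)[2],
            "router_to_switch": parse_frame(step6)[2], "switch_to_pc2": parse_frame(step7)[2],
            "ttl_at_pc2": parse_frame(step7)[3][8]}
```

Running pc1_to_pc2() reports the tag at each hop: untagged from PC1, VLAN 10 toward the router, VLAN 20 back from the router, untagged to PC2, with the TTL decremented once because the packet was routed exactly one hop.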
To configure a sub-interface on a router, use the following steps:
1. Create a sub-interface using the following command:
R1(config)#interface GigabitEthernet0/1.10
2. Associate the VLAN with this sub-interface:
R1(config-subif)#encapsulation dot1Q 10
3. Assign the default gateway IP address to the sub-interface:
R1(config-subif)#ip address 10.0.0.1 255.255.255.0
4. Exit the sub-interface mode using the exit command.
5. To enable all sub-interfaces within a physical port on the router, use the following commands:
R1(config)#interface GigabitEthernet0/1
R1(config-if)#no shutdown
R1(config-if)#exit
When you apply no shutdown to a physical interface, all of its sub-interfaces are enabled automatically.
Now that you have completed this section, let's take a hands-on approach and start implementing VLANs.
Lab – implementing VLANs
It's time to get our hands dirty with some hands-on experience of implementing VLANs on a network. To get started, we'll be using the Cisco Packet Tracer application, which allows us to simulate a Cisco environment. Within the application, please design the following network topology:
Figure 5.11 – Network topology
Be sure to use the following recommended devices and components:
3 Cisco 2960 switches.
1 Cisco 2911 router.
6 PCs.
Use crossover copper cables between switches.
Use straight-through copper cables to connect different device types together – for example, PC to switch and router to switch.
Use the logging synchronous command under line console 0 to prevent syslog messages from breaking into your CLI while you are entering configurations.
Once you're finished building the topology, use the following instructions to both create and configure VLANs on a Cisco IOS switch:
1. On SW1, use the following commands to create each VLAN and assign it a name:
SW1(config)#vlan 10
SW1(config-vlan)#name Sales
SW1(config-vlan)#exit
SW1(config)#vlan 20
SW1(config-vlan)#name HR
SW1(config-vlan)#exit
SW1(config)#vlan 30
SW1(config-vlan)#name IT
SW1(config-vlan)#exit
SW1(config)#vlan 99
SW1(config-vlan)#name Native
SW1(config-vlan)#exit
2. Ensure you create the same VLANs on all other switches within the topology. If a VLAN does not exist on a switch, that switch will not forward traffic for that VLAN, even when it arrives on a trunk. To perform this task, use the following configurations:
SW2 Configurations
SW2(config)#vlan 10
SW2(config-vlan)#name Sales
SW2(config-vlan)#exit
SW2(config)#vlan 20
SW2(config-vlan)#name HR
SW2(config-vlan)#exit
SW2(config)#vlan 30
SW2(config-vlan)#name IT
SW2(config-vlan)#exit
SW2(config)#vlan 99
SW2(config-vlan)#name Native
SW2(config-vlan)#exit
SW3 Configurations
SW3(config)#vlan 10
SW3(config-vlan)#name Sales
SW3(config-vlan)#exit
SW3(config)#vlan 20
SW3(config-vlan)#name HR
SW3(config-vlan)#exit
SW3(config)#vlan 30
SW3(config-vlan)#name IT
SW3(config-vlan)#exit
SW3(config)#vlan 99
SW3(config-vlan)#name Native
SW3(config-vlan)#exit
3. Next, use the show vlan brief command to verify that the VLANs are created and named properly, as shown:
Figure 5.12 – Verifying VLANs
In the preceding snippet, all the ports are assigned to VLAN 1 by default. In our later configuration, we'll reassign ports as shown in our network topology.
4. Let's assign each VLAN to its respective interfaces using the following configurations:
SW1 VLAN Assignment Configurations
SW1(config)#interface FastEthernet0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#switchport nonegotiate
SW1(config-if)#no shutdown
SW1(config-if)#exit
SW1(config)#interface FastEthernet0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 20
SW1(config-if)#switchport nonegotiate
SW1(config-if)#no shutdown
SW1(config-if)#exit
SW1(config)#interface FastEthernet0/3
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 30
SW1(config-if)#switchport nonegotiate
SW1(config-if)#no shutdown
SW1(config-if)#exit
SW2 VLAN Assignment Configurations
SW2(config)#interface FastEthernet0/1
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 10
SW2(config-if)#switchport nonegotiate
SW2(config-if)#no shutdown
SW2(config-if)#exit
SW2(config)#interface FastEthernet0/2
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 20
SW2(config-if)#switchport nonegotiate
SW2(config-if)#no shutdown
SW2(config-if)#exit
SW2(config)#interface FastEthernet0/3
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 30
SW2(config-if)#switchport nonegotiate
SW2(config-if)#no shutdown
SW2(config-if)#exit
Combining switchport mode access with switchport nonegotiate on every port that faces a PC means those ports send no DTP frames and will never be negotiated into a trunk, whatever is plugged into them.
Since there are no end devices connected to SW3, we do not have to create access ports on it.
5. Use the show vlan brief command to verify that the interfaces have been reassigned on both SW1 and SW2. The following snippet shows the results on SW1:
Figure 5.13 – Interface assignments
Additionally, you can use the following commands to gain specific information about a VLAN:
-- Use show vlan id vlan-ID to view details about a VLAN if you know the VLAN ID.
-- Use show vlan name vlan-name to view details about a VLAN if you know the name of the VLAN.
-- The show vlan summary command provides a quick summary of all the VLANs on the switch.
6. Use the show interface interface-id switchport command to view the administrative and operational status and the VLAN assignments of a specific interface, as shown:
Figure 5.14 – Verifying the interface status
Additionally, show running-config will provide you with the configurations listed under each interface.
Now that we have implemented VLANs on all switches and assigned them to the interfaces accordingly, let's make the trunk interfaces carry VLAN 10, 20, and 30 traffic between the switches in our topology, using VLAN 99 as the native VLAN.
Lab – creating trunk interfaces
In this section, we will be using the same topology from the previous section and simply continuing the configurations. To give you an idea of our objective, we'll be configuring the links shown in the following diagram as trunks:
Figure 5.15 – Trunk interfaces
To start creating and configuring trunk interfaces, use the following configurations:
1. Configure the trunk interface on SW1 using the following configurations:
SW1 Trunk Interface Configurations
SW1(config)#interface FastEthernet0/24
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk allowed vlan 10,20,30
SW1(config-if)#switchport trunk native vlan 99
SW1(config-if)#switchport nonegotiate
SW1(config-if)#no shutdown
SW1(config-if)#exit
After changing the default native VLAN setting from 1 to 99, you will see a syslog message on SW1 similar to the following (the first VLAN shown is the local port's native VLAN, the second is the neighbor's):
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/24 (99), with SW3 FastEthernet0/24 (1).
This message is generated because the native VLANs must match between switches that share a trunk. Currently, we have the native VLAN set to 99 on SW1, but the native VLAN remains as 1 (the default) on SW3, as it hasn't been adjusted yet. The logging synchronous command will prevent this message from breaking into your command line while you work.
2. Configure the trunk interface on SW2 using the following configurations:
SW2 Trunk Interface Configurations
SW2(config)#interface FastEthernet0/23
SW2(config-if)#switchport mode trunk
SW2(config-if)#switchport trunk allowed vlan 10,20,30
SW2(config-if)#switchport trunk native vlan 99
SW2(config-if)#switchport nonegotiate
SW2(config-if)#no shutdown
SW2(config-if)#exit
3. Configure the trunk interfaces on SW3 to share VLANs with both SW1 and SW2, respectively, using the following configurations:
SW3 Configuration – Interface connecting SW1
SW3(config)#interface FastEthernet0/24
SW3(config-if)#switchport mode trunk
SW3(config-if)#switchport trunk allowed vlan 10,20,30
SW3(config-if)#switchport trunk native vlan 99
SW3(config-if)#switchport nonegotiate
SW3(config-if)#no shutdown
SW3(config-if)#exit
SW3 Configuration – Interface connecting SW2
SW3(config)#interface FastEthernet0/23
SW3(config-if)#switchport mode trunk
SW3(config-if)#switchport trunk allowed vlan 10,20,30
SW3(config-if)#switchport trunk native vlan 99
SW3(config-if)#switchport nonegotiate
SW3(config-if)#no shutdown
SW3(config-if)#exit
The native VLAN mismatch log messages should stop, as all trunk interfaces are now using native VLAN ID 99.
4. Use the show interfaces trunk command on each switch to verify that each trunk has the same allowed list of VLANs and the same native VLAN as its neighbor, as follows:
Figure 5.16 – Verifying the trunk interfaces
Ensure that the switchport trunk allowed vlan command contains all the VLANs that are required for inter-switch connectivity. If VLAN traffic is not able to cross to other switches, check the following:
Check whether the VLAN has been created on all switches using the show vlan brief command.
Check whether the VLAN is allowed on the trunk interfaces on all switches using the show interfaces trunk command.
Check the administrative and operational status of interfaces using the show interfaces interface-ID switchport command.
Check the physical connections between devices on the topology.
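Comparing show interfaces trunk output across several switches by eye is error-prone once there are more than a couple of trunks. The following is an added example (not code from the book) that parses that output, collected from each switch, and checks every cabled trunk for the two mismatches listed above: differing native VLANs and differing allowed VLAN lists. The three outputs are constructed to look like the lab midway through step 1, when SW3 has not yet been configured, and the cabling map follows the lab topology; the port names and VLAN lists are this example's assumptions.

```python
"""Audit `show interfaces trunk` output from several switches for per-link mismatches.

Added example, not code from the book. The outputs below are constructed:
SW1 and SW2 are configured, SW3 still has native VLAN 1 on Fa0/24 and is
missing VLAN 30 on Fa0/23. LINKS is the lab's cabling map.
"""
from __future__ import annotations

SHOW_INTERFACES_TRUNK = {
    "SW1": """
Port        Mode         Encapsulation  Status        Native vlan
Fa0/24      on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/24      10,20,30

Port        Vlans allowed and active in management domain
Fa0/24      10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/24      10,20,30
""",
    "SW2": """
Port        Mode         Encapsulation  Status        Native vlan
Fa0/23      on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/23      10,20,30
""",
    "SW3": """
Port        Mode         Encapsulation  Status        Native vlan
Fa0/23      on           802.1q         trunking      99
Fa0/24      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/23      10,20
Fa0/24      10,20,30
""",
}

# (switch, port, switch, port) for each trunk cable in the topology
LINKS = [("SW1", "Fa0/24", "SW3", "Fa0/24"), ("SW2", "Fa0/23", "SW3", "Fa0/23")]


def expand_vlans(spec: str) -> set[int]:
    """'10,20,30-32' -> {10, 20, 30, 31, 32}; 'none' -> empty set."""
    if spec.strip().lower() == "none":
        return set()
    vlans: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_interfaces_trunk(text: str) -> dict[str, dict]:
    """{port: {mode, encapsulation, status, native, allowed}} from the command output."""
    trunks: dict[str, dict] = {}
    section = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":  # a header line tells us which table follows
            if "Native" in line:
                section = "status"
            elif "allowed on trunk" in line:
                section = "allowed"
            else:
                section = None  # tables this audit does not use
            continue
        if section == "status":
            port, mode, encap, status, native = fields[:5]
            trunks[port] = {"mode": mode, "encapsulation": encap, "status": status,
                            "native": int(native), "allowed": set()}
        elif section == "allowed" and fields[0] in trunks:
            trunks[fields[0]]["allowed"] = expand_vlans(fields[1])
    return trunks


def audit_trunks(outputs: dict[str, str], links: list[tuple[str, str, str, str]]) -> list[str]:
    """One finding per problem on a link; an empty list means every trunk pair agrees."""
    parsed = {sw: parse_show_interfaces_trunk(text) for sw, text in outputs.items()}
    findings = []
    for sw_a, port_a, sw_b, port_b in links:
        label = f"{sw_a} {port_a} <-> {sw_b} {port_b}"
        a, b = parsed[sw_a].get(port_a), parsed[sw_b].get(port_b)
        if a is None or b is None:
            findings.append(f"{label}: not trunking on both ends (trunk mode mismatch?)")
            continue
        if a["native"] != b["native"]:
            findings.append(f"{label}: native VLAN mismatch ({a['native']} vs {b['native']})")
        if a["allowed"] != b["allowed"]:
            one_side_only = sorted(a["allowed"] ^ b["allowed"])
            findings.append(f"{label}: allowed VLAN lists differ, allowed on one side only: {one_side_only}")
    return findings


if __name__ == "__main__":
    for finding in audit_trunks(SHOW_INTERFACES_TRUNK, LINKS):
        print(finding)
```

A port that appears in the cabling map but not in a switch's trunk table is reported as well, which is what a trunk mode mismatch (one side trunking, the other still an access port) looks like from the CLI.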
Additionally, use the show running-config command to check the configurations applied to each interface, as shown:
Figure 5.17 – Configurations on trunk interfaces
To complete the lab, use the following IP configurations for each PC on the topology:
Figure 5.18 – IP addressing scheme for PCs on the topology
Once you're finished assigning the IP addresses, open the Command Prompt on each PC and attempt to test connectivity to another device on the same VLAN.
The following shows that PC1 has connectivity to PC4:
Figure 5.19 – Ping results between PC1 and PC4
If you recall, a device can only communicate directly with devices on the same VLAN; therefore, PC1 will not be able to reach devices on VLAN 20 and 30. To enable two or more VLANs to exchange messages, we will need the help of a router. In the next section, you will learn how to configure the Cisco IOS router to perform inter-VLAN routing.
Lab – configuring inter-VLAN routing
To perform inter-VLAN routing between VLANs, we simply need one router and only one of its interfaces; this physical layout is known as router-on-a-stick:
SW3(config-if)#switchport mode trunk
SW3(config-if)#no shutdown
SW3(config-if)#exit
For this trunk configuration on the switch, you are not required to use either the switchport trunk allowed vlan or the switchport trunk native vlan command on the interface. Using only the switchport mode trunk command allows all VLANs on the interface by default.
2. Create a sub-interface on the router to carry traffic to and from VLAN 10:
R1(config)#interface GigabitEthernet0/1.10
R1(config-subif)#encapsulation dot1Q 10
R1(config-subif)#ip address 10.0.0.1 255.255.255.0
R1(config-subif)#exit
3. Create a sub-interface on the router to carry traffic to and from VLAN 20:
R1(config)#interface GigabitEthernet0/1.20
R1(config-subif)#encapsulation dot1Q 20
R1(config-subif)#ip address 172.16.0.1 255.255.255.0
R1(config-subif)#exit
4. Create a sub-interface on the router to carry traffic to and from VLAN 30:
Figure 5.21 – Connectivity between PC1 and PC2
Additionally, we can perform a traceroute between PC1 and PC2 to see the path that the packet is using:
Figure 5.22 – Traceroute between PC1 and PC2
As you can see, PC1 sends its packet to its default gateway, 10.0.0.1, which is a sub-interface – GigabitEthernet0/1.10 – on the router. Then, the router forwards the packet to the intended destination, PC2 – 172.16.0.10.
Lastly, use the following points as guidelines for troubleshooting both VLANs and trunk interfaces:
Check the IP addressing on all devices.
Verify the VLAN assignment on the switch ports.
Check for a native VLAN mismatch.
Check the allowed VLANs on the trunk interfaces.
Check for a trunk mode mismatch.
Use the show ip interface brief command to verify the IP addresses on each sub-interface.
Use the show interfaces trunk command to verify the port, mode, and allowed and native VLANs.
Use the show interface interface-ID switchport command to check the administrative and operational mode of an interface.
Use the show interface sub-interface-ID command on the router to verify the encapsulation mode and VLAN ID on the sub-interface.
Use the show running-config command to verify the configurations applied to interfaces.
Having completed this section, you've learned all about VLANs, trunking, inter-VLAN routing, and much more. In the next section, we will learn how to discover connected devices using the two common layer 2 discovery protocols.
Layer 2 Discovery Protocols
In this section, we will discuss two popular layer 2 protocols that help us, as networking professionals, to map a network topology without seeing a network diagram. At the end of this topic, you'll be able to determine the roles, local interfaces, model numbers, and even IP addresses of directly connected neighbor devices, while having a clear idea of the actual network topology.
The following exercises are executed in our existing VLAN topology lab.
Cisco Discovery Protocol (CDP)
CDP is a Cisco proprietary protocol that operates at layer 2, the data link layer. CDP is used to help Cisco devices learn about their directly connected neighbors, such as other switches and routers. CDP is enabled by default on Cisco switches and routers.
Important note
Devices exchange advertisements (messages) using the multicast address 01:00:0C:CC:CC:CC.
A CDP message contains the following:
The IOS version
The device model and type
Connected interfaces for both the local and the remote device
Hostnames
This helps other devices on the network to have an idea of what type of devices they are directly connected to.
To enable CDP globally on a Cisco IOS switch, use the following command:
SW1(config)#cdp run
To turn off CDP globally on the entire switch, simply execute the no cdp run command in global configuration mode.
Additionally, CDP can be enabled on an individual interface using the following commands:
SW1(config)#interface FastEthernet0/1
SW1(config-if)#cdp enable
Since CDP messages contain important and identifiable information about devices on a network (platform, IOS version, interface names, and management IP addresses), they are a security concern. If a malicious user is able to capture those CDP messages, they'll be able to determine the roles and functions of network components. Therefore, it is recommended to disable CDP on interfaces that are connected to end devices, using the no cdp enable command in interface configuration mode. CDP messages should only be exchanged between switches and routers that are authorized on the network.
Using the show cdp neighbors command will provide you with the characteristics and roles of directly connected devices. The following snippet shows the various devices connected to SW3:
Figure 5.23 – CDP neighbors
The preceding snippet shows us the switches and routers that are connected, their functions, platform or model number, and the local and remote ports that are being used. Such information is useful when you are remotely accessing a device via its IP address and are not too sure about the network topology. Additionally, this information helps you map a network without seeing a network diagram.
Using the show cdp neighbors detail command provides you with more information about directly connected devices, including their IP addresses, as shown in the following snippet:
Figure 5.24 – CDP provides the IP address of the connected device
The following are additional characteristics of CDP:
CDP messages are sent every 60 seconds.
The default hold-down timer is 180 seconds. If a CDP message is not received within this time, the neighbor device is removed from the CDP cache/database.
The show cdp interface interface-ID command is used to determine the CDP timers on an interface.
The challenge that network professionals face when using CDP is the fact that it only works on Cisco devices. In a lot of enterprise networks, we get a mix of vendor equipment, and this is a major shortcoming of CDP. In the next section, we will take a look at using an industry standard to help us discover network devices: LLDP.
Link-Layer Discovery Protocol (LLDP)
LLDP is another discovery protocol that operates at layer 2. LLDP is supported on both Cisco and non-Cisco devices, thus overcoming the shortcoming of being a proprietary protocol, as is the case with CDP. For this reason, LLDP is the standard discovery protocol used on multi-vendor enterprise networks.
Important note
LLDP is defined by IEEE 802.1AB, which makes it interoperable with other vendors' devices. LLDP is not turned on by default on Cisco devices.
To configure LLDP on a Cisco IOS device, use the following steps:
1. To turn on LLDP globally, execute the lldp run command in global configuration mode, as shown:
SW1>enable
SW1#configure terminal
SW1(config)#lldp run
2. Configure the interfaces you want to use with LLDP:
SW1(config)#interface FastEthernet0/24
SW1(config-if)#lldp receive
SW1(config-if)#lldp transmit
3. To verify the LLDP status on a device, use the show lldp command, as shown:
Figure 5.25 – LLDP status output
4. To view all connected devices, use the show lldp neighbors command:
Figure 5.26 – LLDP connected neighbors
5. To get further details and the IP addresses of connected LLDP neighbors, use the show lldp neighbors detail command, as shown:
Figure 5.27 – LLDP neighbor with IP address
Gathering the information from either the CDP or LLDP output, you are now able to build an up-to-date network diagram easily. The same security consideration applies to LLDP as to CDP: it advertises the same kind of device details, so transmit it only on links between authorized infrastructure devices (no lldp transmit on interfaces that face end devices). In the next section, we'll learn how to combine multiple physical interfaces on a switch to operate as a single logical interface, an EtherChannel.
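Turning neighbor tables into a diagram is mechanical once the output is parsed. The following is an added example (not code from the book) that parses show cdp neighbors output collected from several devices, normalizes the abbreviated interface names to the form used in configuration, and merges the rows into an undirected edge list, so that a link reported by both ends appears once. It also flags links that only one polled device reports, which is how a neighbor with CDP disabled on its side (or a miscabled port) shows up. The two outputs are constructed to resemble the lab topology; device IDs are assumed to be hostnames with an optional domain suffix, which is stripped before matching.

```python
"""Build a topology edge list from `show cdp neighbors` output collected on several devices.

Added example, not code from the book. The two outputs are constructed to
resemble the lab topology (SW3 trunked to SW1, SW2 and R1). Device IDs are
assumed to be hostnames, optionally with a domain suffix that is stripped
before matching, so that a link reported by both ends collapses into one edge.
"""
from __future__ import annotations

import re

# device  local-intf  holdtime  capability letters  platform  remote port
CDP_ROW = re.compile(
    r"^(?P<device>\S+)\s+(?P<local>\S+ \S+)\s+(?P<hold>\d+)\s+"
    r"(?P<cap>(?:[A-Za-z]\s+)+)(?P<platform>\S+)\s+(?P<port>\S+ \S+)\s*$"
)
ABBREV = {"Fas": "FastEthernet", "Gig": "GigabitEthernet", "Ten": "TenGigabitEthernet", "Eth": "Ethernet"}

SHOW_CDP_NEIGHBORS = {
    "SW3": """
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW1.lab.local    Fas 0/24          156             S I     2960      Fas 0/24
SW2.lab.local    Fas 0/23          142             S I     2960      Fas 0/23
R1               Gig 0/1           171             R       C2911     Gig 0/1
""",
    "SW1": """
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW3.lab.local    Fas 0/24          163             S I     2960      Fas 0/24
""",
}


def normalize_interface(short: str) -> str:
    """'Fas 0/24' -> 'FastEthernet0/24', matching the names used in configuration."""
    kind, _, number = short.partition(" ")
    return ABBREV.get(kind, kind) + number


def parse_cdp_neighbors(text: str) -> list[dict[str, str]]:
    """One dict per neighbor row; header and capability-code lines do not match the pattern."""
    rows = []
    for line in text.splitlines():
        m = CDP_ROW.match(line.strip())
        if m:
            rows.append({
                "device": m["device"].split(".")[0],     # strip any domain suffix
                "local": normalize_interface(m["local"]),
                "capability": " ".join(m["cap"].split()),
                "platform": m["platform"],
                "port": normalize_interface(m["port"]),
            })
    return rows


def build_topology(outputs: dict[str, str]) -> dict[frozenset, dict]:
    """Map each undirected link {(host, port), (host, port)} to what CDP reports about it."""
    edges: dict[frozenset, dict] = {}
    for host, text in outputs.items():
        for n in parse_cdp_neighbors(text):
            key = frozenset({(host, n["local"]), (n["device"], n["port"])})
            edge = edges.setdefault(key, {"seen_from": set(), "platform": {}, "capability": {}})
            edge["seen_from"].add(host)
            edge["platform"][n["device"]] = n["platform"]
            edge["capability"][n["device"]] = n["capability"]
    return edges


def one_sided_links(edges: dict[frozenset, dict], collected_from: set[str]) -> list[frozenset]:
    """Links where both ends were polled but only one reported the neighbor: CDP is probably
    disabled on the silent side, or the two devices disagree about the cabling."""
    result = []
    for key, edge in edges.items():
        hosts = {host for host, _port in key}
        if hosts <= collected_from and edge["seen_from"] != hosts:
            result.append(key)
    return result


if __name__ == "__main__":
    topology = build_topology(SHOW_CDP_NEIGHBORS)
    for link, info in topology.items():
        (h1, p1), (h2, p2) = sorted(link)
        print(f"{h1} {p1} <-> {h2} {p2}   seen from {sorted(info['seen_from'])}")
```

The edge keys are frozensets of (host, port) pairs, so the direction in which a link was learned does not matter; feeding the dictionary to any graph library or diagram tool gives the up-to-date topology the text refers to.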
Understanding and configuring EtherChannels
Let's imagine you are connecting two switches using their GigabitEthernet interfaces; your objective is to combine the bandwidth of the two physical interfaces to get a total of 2 Gbps between the switches. Simply making the physical connections between both switches does not combine the bandwidth automatically. The following diagram shows a visual representation of the connection:
Figure 5.28 – Two switches connected together
Why is one link blocked between the switches? By default, Cisco switches run a layer 2 loop prevention protocol known as Spanning-Tree Protocol (STP). Therefore, physically interconnecting the switches with two parallel links, as shown in the previous diagram, will cause STP to automatically block one of the interfaces.
This is where EtherChannels come in to save us. An EtherChannel allows us to combine multiple physical ports on a switch into a single logical interface. STP then sees a single link, and the EtherChannel carries the total bandwidth of all the physical ports combined.
Important note
In the Cisco world, physical link aggregation is known as EtherChannel. With other vendors, this technology is known as a Link Aggregation Group (LAG).
EtherChannel provides the following benefits in an enterprise network:
Rather than configuring each physical interface individually, the configuration can be applied once to the EtherChannel (port-channel) interface and is inherited by its member ports.
Implementing EtherChannels on a network can assist with load balancing and the aggregation of traffic between switches.
EtherChannels use the existing physical interfaces on a switch; therefore, you do not need to install additional modules.
The following criteria are required when creating an EtherChannel between switches:
The interface type must match between switches. If switch A is using GigabitEthernet interfaces, then switch B must use the same.
Use the same number of physical interfaces on both devices. If switch A is using 4 physical interfaces, then switch B must use 4 physical interfaces as well.
Both duplex and speed must match on all physical interfaces that are being used to create the EtherChannel.
The switchport mode, allowed VLANs, and native VLAN must match on the interfaces.
To put it simply, everything must match in order to create the EtherChannel.
The following diagram shows the result when two switches attempt to form an EtherChannel and all configurations match:
Figure 5.29 – EtherChannel
However, if any configuration is off on either of the switches, the EtherChannel will not be formed. The following diagram shows a misconfiguration on one device that prevents the formation of the EtherChannel:
Figure 5.30 – Misconfiguration preventing the formation of the EtherChannel
On Cisco IOS devices, there are two layer 2 protocols that allow us to negotiate an EtherChannel:
Port Aggregation Protocol (PAgP)
Link Aggregation Control Protocol (LACP)
PAgP is a Cisco proprietary protocol that is used to form an EtherChannel. PAgP uses the following modes to help two switches negotiate whether to form an EtherChannel:
On: Bundles the interface into an EtherChannel without negotiating (no PAgP frames are sent, so the other end must also be set to on)
Desirable: Actively asks whether the other device wants to form an EtherChannel
Auto: Passively waits for the other device to initiate negotiation of an EtherChannel
When using PAgP, an EtherChannel will only be formed under the following conditions:
Figure 5.31 – PAgP conditions
LACP, on the other hand, is an open standard, originally defined in IEEE 802.3ad and now maintained as IEEE 802.1AX, that allows switches from any vendor to form EtherChannels. LACP has become the standard when creating EtherChannels. LACP has the following modes:
On: Bundles the interface into an EtherChannel without negotiating (no LACP frames are sent, so the other end must also be set to on)
Active: Actively asks whether the other device wants to form an EtherChannel
Passive: Passively waits for the other device to initiate negotiation of an EtherChannel
When using LACP, an EtherChannel will only be formed under the following conditions:
Figure 5.32 – LACP conditions
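The two negotiation tables and the "everything must match" rule can be checked before touching the switches. The following is an added example (not code from the book): etherchannel_forms encodes the PAgP and LACP mode combinations that bundle (on/on, desirable with desirable or auto, active with active or passive, and nothing across the two protocols), and bundle_problems applies the member-port criteria listed above (same interface type and count, speed, duplex, switchport mode, native VLAN and allowed VLANs) to both switches and returns the reasons a bundle would fail to form. The port descriptions are constructed; the field names are this example's own.

```python
"""PAgP/LACP negotiation outcomes and the member-port consistency check for an EtherChannel.

Added example, not code from the book. `etherchannel_forms` encodes the
two mode tables above; `bundle_problems` checks the matching rules listed
above across both switches and returns the reasons a bundle would fail.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PAGP_MODES = {"desirable", "auto"}
LACP_MODES = {"active", "passive"}


def etherchannel_forms(mode_a: str, mode_b: str) -> bool:
    """True when the two channel-group modes negotiate (or are forced into) a bundle."""
    if mode_a == "on" or mode_b == "on":
        return mode_a == mode_b                  # 'on' sends no PAgP/LACP; both ends must be 'on'
    if {mode_a, mode_b} <= PAGP_MODES:
        return "desirable" in (mode_a, mode_b)   # auto/auto never initiates
    if {mode_a, mode_b} <= LACP_MODES:
        return "active" in (mode_a, mode_b)      # passive/passive never initiates
    return False  # PAgP on one side and LACP on the other, or an unknown mode


@dataclass(frozen=True)
class MemberPort:
    name: str                 # e.g. "GigabitEthernet0/1"
    speed_mbps: int
    duplex: str               # "full" or "half"
    switchport_mode: str      # "access" or "trunk"
    native_vlan: int = 1
    allowed_vlans: frozenset[int] = field(default_factory=frozenset)

    def interface_type(self) -> str:
        return self.name.rstrip("0123456789/")

    def profile(self) -> tuple:
        """Everything that must be identical on every member of the bundle."""
        return (self.interface_type(), self.speed_mbps, self.duplex, self.switchport_mode,
                self.native_vlan, self.allowed_vlans)


def bundle_problems(mode_a: str, ports_a: list[MemberPort],
                    mode_b: str, ports_b: list[MemberPort]) -> list[str]:
    """Reasons the EtherChannel between switch A and switch B would not form; empty list = OK."""
    problems = []
    if not etherchannel_forms(mode_a, mode_b):
        problems.append(f"channel-group modes {mode_a}/{mode_b} do not negotiate a bundle")
    if len(ports_a) != len(ports_b):
        problems.append(f"member count differs: {len(ports_a)} vs {len(ports_b)}")
    for side, ports in (("A", ports_a), ("B", ports_b)):
        if ports and len({p.profile() for p in ports}) > 1:
            odd = [p.name for p in ports if p.profile() != ports[0].profile()]
            problems.append(f"switch {side}: members are not identical, differing ports: {odd}")
    if ports_a and ports_b and {p.profile() for p in ports_a} != {p.profile() for p in ports_b}:
        problems.append("member settings differ between switch A and switch B")
    return problems


if __name__ == "__main__":
    trunk = dict(speed_mbps=1000, duplex="full", switchport_mode="trunk",
                 native_vlan=99, allowed_vlans=frozenset({10, 20, 30}))
    a = [MemberPort("GigabitEthernet0/1", **trunk), MemberPort("GigabitEthernet0/2", **trunk)]
    b = [MemberPort("GigabitEthernet0/1", **trunk), MemberPort("GigabitEthernet0/2", **trunk)]
    print("active/passive, matching members:", bundle_problems("active", a, "passive", b))
    print("passive/passive:", bundle_problems("passive", a, "passive", b))
```

The lab that follows uses channel-group 1 mode active on both switches, which the first check accepts; a port on one switch left with the default native VLAN would be caught by the second check before the port-channel is brought up.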
Now that you have an idea of the purpose and functionality of an EtherChannel, let's gain some hands-on experience of using LACP to create an EtherChannel.
Lab – implementing EtherChannels
To get started, we'll be using the Cisco Packet Tracer application, which allows us to simulate a Cisco environment. Within the application, design the following network topology using Cisco 2960 switches. Make sure you're using crossover cables between the switches:
Figure 5.33 – EtherChannel lab topology
To create an EtherChannel, use the following instructions:
1. On SW1 and SW2, administratively shut down the physical interfaces that you are planning to use to form the EtherChannel. On SW1 and SW2, apply the shutdown command on both interfaces: Gi0/1 and Gi0/2. Shutting the ports down first prevents a layer 2 loop from forming, and prevents the ports from being placed in the err-disabled state, while the two switches are only partially configured.
Important note
To restore an interface from err-disabled to connected, first administratively shut down the interface using the shutdown command, wait a few seconds, then apply the no shutdown command to restore the affected interfaces.
2. On SW1, use the following commands to activate LACP on both the Gi0/1 and Gi0/2 interfaces:
SW1(config)#interface range GigabitEthernet0/1 - 2
SW1(config-if-range)#channel-group 1 mode active
SW1(config-if-range)#no shutdown
SW1(config-if-range)#exit
3. On SW1, access the newly created channel-group (EtherChannel) and configure it as a trunk:
SW1(config)#interface port-channel 1
SW1(config-if)#switchport mode trunk
SW1(config-if)#exit
4. On SW2, use the following commands to activate LACP on both the Gi0/1 and Gi0/2 interfaces:
SW2(config)#interface range GigabitEthernet0/1 - 2
SW2(config-if-range)#channel-group 1 mode active
SW2(config-if-range)#no shutdown
SW2(config-if-range)#exit
5. On SW2, access the newly created channel-group (EtherChannel) and configure it as a trunk:
SW2(config)#interface port-channel 1
SW2(config-if)#switchport mode trunk
SW2(config-if)#exit
6. To verify the EtherChannels on your devices, use the show etherchannel summary command, as shown:
Figure 5.34 – The show etherchannel summary output
The output shows that there's one EtherChannel on SW1 using LACP. Additionally, the flags tell us that Po1 is a layer 2 port-channel that is in use (SU), and that both Gi0/1 and Gi0/2 are bundled in the port-channel (P).
7. Lastly, using the show etherchannel port-channel command provides us with more details about the EtherChannels on the switch:
Figure 5.35 – The show etherchannel port-channel output
In this section, you have gained the skills to implement and troubleshoot EtherChannel technologies in a Cisco environment.
Summary
In this chapter, you have learned the importance of segmenting a network using VLANs to improve both network performance and security. You also now have the hands-on experience to create and assign VLANs, configure both access and trunk ports, and perform inter-VLAN routing on a Cisco network. You have gained the skills needed to perform network discovery using the CDP and LLDP layer 2 protocols. Lastly, you have gained the knowledge and hands-on experience of merging physical interfaces into a single logical interface known as an EtherChannel.
I hope this chapter has been informative and helps you in your journey toward implementing and administering Cisco solutions and preparing for the CCNA 200-301 certification. In the next chapter, Chapter 6, Understanding and Configuring Spanning-Tree, you will learn how redundant links between switches can create Layer 2 loops and how Spanning-Tree Protocol prevents them.
Questions
The following is a short list of review questions to reinforce your learning and help you identify the areas you need to revisit:
1. Which VLANs are not usable on a Cisco IOS switch?
A. 945
B. 1002
C. 1001
D. 1
2. When creating VLANs, where does the switch store the VLANs?
A. running-config
B. startup-config
C. vlan.bin
D. vlan.dat
3. Which mode allows a switch interface to carry multiple VLANs?
A. Access
B. Up
C. Trunk
D. Administratively up
4. Which standard defines tagged traffic?
A. IEEE 802.1Q
B. IEEE 802.3ab
C. IEEE 802.1X
D. IEEE 802.11
5. Which command disables DTP on an interface?
A. switchport trunk encapsulation dot1q
B. switchport nonegotiate
C. switchport access no vlan
D. switchport no dtp
6. Which port states will create a trunk?
A. Switch A – Dynamic Auto and Switch B – Dynamic Auto
B. Switch A – Dynamic Auto and Switch B – Dynamic Desirable
C. Switch A – Dynamic Auto and Switch B – Access
D. Switch A – Access and Switch B – Dynamic Trunk
7. When configuring a sub-interface, which command needs to be executed before assigning an IP address?
A. switchport traffic encapsulation dot1Q
B. switchport trunk dot1Q 10
C. encapsulation trunk dot1Q
D. encapsulation dot1Q 10
8. Which layer 2 discovery protocol is able to work on all vendors' devices?
A. CDP
B. ISL
C. LLDP
D. DSL
9. What is another name for EtherChannels?
A. LAG
B. LACP
C. PAgP
D. Port-channel
10. Which LACP mode actively seeks to determine whether the other device wants to form an EtherChannel?
A. On
B. Desirable
C. Auto
D. Active
Further reading
The following links are recommended for additional reading:
Configuring EtherChannels: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swethchl.html
Configuring access and trunk interfaces: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/AccessTrunk.html
Configuring inter-VLAN routing: https://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.html
Configuring LLDP: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/46sg/configuration/guide/Wrapper-46SG/swlldp.html
Chapter 6: Understanding and Configuring Spanning-Tree
When extending your Layer 2 network and ensuring all devices are connected, it is important to implement physical redundancy. This is to ensure that there are multiple paths available in the event where a network switch or link goes down. In this chapter, you will learn how redundancy can create a broadcast storm and deteriorate network stability. You'll also learn how to configure Layer 2 loop prevention protocols to ensure that there are no loops on your switch network.
In this chapter, we will cover the following topics:
What is Spanning-Tree Protocol?
Spanning-Tree standards
Port roles and states
Determining the root bridge
Configuring and troubleshooting Spanning-Tree Protocol labs
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the following software requirement:
Cisco Packet Tracer: https://www.netacad.com.
The code files for this chapter can be found at https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2006.
Check out the following video to see the Code in Action: https://bit.ly/2RQY8uS
What is Spanning-Tree Protocol?
One of the major topics in the CCNA certification is understanding how the Spanning-Tree Protocol (STP) works on a Layer 2 switch network. In networks of all sizes, from small businesses to large enterprises and multiple branch sites, there are many interconnected switches that provide connectivity to end devices. In Chapter 1, Introduction to Networking, we spoke about the Cisco hierarchical three-tier design, which contains the core, distribution, and access layers.
To recap, the following is a diagram showing the Cisco three-tier switch model:
Figure 6.1 – Cisco three-tier model
Cisco recommends that this model should be implemented in any sized network as it provides the following benefits:
Allows scalability
Allows EtherChannels between devices
Provides redundancy
Scalability allows us to simply add more access switches and connect the newly added switches to the distribution layer to support growth, as an organization may be expanding its physical infrastructure. Additionally, as you learned in the previous chapter, EtherChannels play a vital role in our networks as they are used to combine physical interfaces into a single logical interface and therefore carry more bandwidth between switches. Lastly, redundancy is very important on a network of any size. Without redundancy, should a switch or link go down, an area of the network will be unavailable without any alternative paths.
Let's focus a little more on how redundancy is both a good and a bad thing in a network. It's a bit like a double-edged sword, where one side is used to attack an enemy while the other side can hurt you. We all know that redundancy is fundamentally a very good thing on a network, but how can redundancy be a bad thing in a network environment? To get a better understanding of how redundancy can cripple a network, take a look at the following diagram:
Figure 6.2 – Layer 2 loops
If PC1 sends a broadcast message on the network, the following is the effect without spanning-tree:
1. PC1 sends a broadcast message with a destination MAC address of FF-FF-FF-FF-FF-FF to SW1.
2. SW1 will see that the destination MAC address of the frame is a broadcast, and forward it out of all other ports. This means the message is sent to SW2, SW3, and PC2. When PC2 receives the message, it will process it.
3. When SW2 receives the broadcast from SW1, it will forward it to SW3. Additionally, SW3 will receive the broadcast from SW1 and forward it to SW2.
4. When SW2 receives the broadcast from SW3, it will forward it to SW1. Furthermore, when SW3 receives the broadcast from SW2, it will also forward it to SW1.
5. This creates a never-ending Layer 2 loop on the network where the broadcast messages are being regenerated constantly.
The overall effect of PC1 generating a single broadcast message is a never-ending stream of regenerated copies of that broadcast circulating between the switches. Because an Ethernet frame carries no hop count or time-to-live field, nothing in the frame itself ever causes a looping copy to be discarded. This causes a broadcast storm on the network, together with MAC address table instability (each switch keeps relearning PC1's MAC address on a different port) and duplicate frame delivery, and will eventually cripple the Layer 2 network infrastructure.
STP is a Layer 2 loop prevention protocol that is defined by IEEE 802.1D.
STP automatically builds a single logical active path between all devices on a Layer 2 network while logically blocking the redundant paths to prevent loops from occurring on the network.
The following diagram shows spanning-tree blocking a redundant path to ensure there are no loops:
Figure 6.3 – Redundant path blocked
In the preceding diagram, if PC1 sends a broadcast message, STP has already placed its blocking mechanism to prevent the regenerated broadcast message from propagating around the network. Each switch automatically sends Bridge Protocol Data Units (BPDUs) every 2 seconds; these BPDUs help STP to determine redundant paths.
If the active path goes down, what will STP do? Spanning-tree will automatically detect the failure on the network and, after the convergence time discussed later in this chapter (30–50 seconds with classic STP timers), convert a logically blocked path into an active state to allow devices to reach each other while ensuring there are no loops.
Bridge Protocol Data Unit
How does Spanning-Tree know when a path is down? By default, spanning-tree is enabled and every 2 seconds, each Cisco switch exchanges a special frame known as a BPDU.
The following diagram shows a graphical representation of a BPDU frame:
Figure 6.4 – BPDU frame
The following points outline the composition of the bridge ID carried in each BPDU frame sent by a Cisco IOS switch:
Bridge priority: Each switch carries a priority value that is used to elect a root bridge. The default priority on all Cisco switches is 32768. This value can be modified in increments of 4096 and supports a range from 0 to 61440. The lower the value, the more likely the switch is to be elected as the root bridge on the network.
Extended system ID: This value is the same as the VLAN ID for the spanning-tree instance. On a Cisco IOS switch, there is a separate spanning-tree instance for each VLAN existing on the device. This means if there are six VLANs on the network, then there are six instances of spanning-tree. The priority and the extended system ID are added together, so a switch with the default priority advertises 32768 + 1 = 32769 for VLAN 1.
MAC address: Each switch has its own unique MAC address that it uses for communication with other devices on the network. To view the MAC address of a switch, use the show version command, as shown:
Figure 6.5 – MAC address of a Cisco IOS switch
The information contained within the BPDU message helps the switches to determine (elect) a root bridge on the network. Now that you've learned the fundamentals of spanning-tree, let's take a deeper dive into learning how spanning-tree makes its choices on a network in the following section.
Root bridge and secondary root bridge
In many organizations, there are managers for almost all types of employees. The purpose of the manager is to guide and support the employees in their daily duties. The organization usually hires a manager to ensure their department is able to meet the business objectives and goals on a daily basis.
Similarly, on a network, a special switch has to be elected to inform all other switches which paths to leave as active to ensure there is only one logical path between any devices on the network, while all other paths are logically blocked to prevent any Layer 2 loops. This special switch is known as the root bridge.
The root bridge is the switch with the lowest bridge ID on the network, and the bridge ID is compared priority first. All Cisco IOS switches have a default priority of 32768. In the situation where all switches have the same priority value, the switch with the lowest MAC address is elected as the root bridge on the network. Once the root bridge has been elected, all other switches on the network will now point toward the root bridge, as it serves as the central reference point for all traffic.
Using the show spanning-tree command, we can view the STP details and operations on a switch:
Figure 6.6 – Spanning-tree operation
On each switch, you will always see both the root bridge information, as seen in the upper section of the preceding screenshot, and the local switch's information, which is shown in the Bridge ID section in the middle portion of the screenshot. Each switch on the network will always point toward the root bridge and have the root ID details in their spanning-tree instance for the VLAN.
From the preceding snippet, we can determine the following about the root bridge:
The spanning-tree instance is for VLAN 1.
This switch is running the default spanning-tree mode, Per-VLAN Spanning-Tree+ (PVST+). This is indicated by the ieee protocol.
The root ID priority for the root bridge is 4097 (a configured priority of 4096 plus the extended system ID of 1).
The root bridge MAC address is 00D0.FFA3.AC10.
The cost is 19, therefore the local switch is using a FastEthernet interface as the root port and is directly connected to the root bridge.
Important note
Each type of interface on a Cisco IOS switch has a cost value associated with it. An Ethernet interface supports a speed of 10 Mbps = 100, FastEthernet interfaces are 100 Mbps = 19, GigabitEthernet interfaces are 1 Gbps = 4, and 10 GigabitEthernet interfaces are 10 Gbps = 2. These are the IEEE 802.1D-1998 (short) path costs, which are the default on Cisco IOS switches; the long path-cost method defined in IEEE 802.1t uses much larger values.
The Hello Timer is 2 seconds (default).
Additionally, we can determine the following about the local switch (D2):
The Priority value of D2 is 32768 (default value).
The extended system ID (VLAN) is 1.
Bridge ID = Priority + Ext. Sys. ID = 32768 + 1 = 32769. Keep in mind that the bridge ID is not the priority value only.
The MAC address of D2 is 0001.9671.BEDE.
Spanning-tree also uses the sum of the costs between a local switch and the root bridge (the root path cost) in choosing the closest path.
Spanning-tree will automatically elect a switch as the root bridge, which is not necessarily a good thing. In a bad situation, spanning-tree will elect the oldest switch on the network (often the one with the lowest MAC address), and this switch may be on the access layer where there are no redundant power supplies. Since access layer switches are used to connect end devices to the network, these can be regularly moved (disconnected). Therefore, it's recommended that a switch in the core layer be configured as the root bridge.
One major concern is that if the root bridge goes down, spanning-tree will automatically elect another switch to take up the role of being the new root bridge on the network. As a network professional, it's not recommended to allow the auto-election process to select a root bridge for us, but rather we manually configure a specific switch to be the secondary root bridge in the event that the primary root bridge goes offline.
A secondary root bridge is created by assigning it a priority value higher than the root bridge but lower than every other switch on the network. The priority value can only be set in increments of 4096. If the root bridge fails, the secondary root bridge will step in and take the role as the new root bridge on the network.
Additionally, if there are multiple VLANs on the network, there must be a root bridge for each VLAN. At times, you may think it's wise that one core switch is the root bridge for all the VLANs, but in reality, it should not be. If a single core switch is the root bridge for all VLANs, all inter-switch traffic for every VLAN is pulled toward that one switch and its uplinks, while the links toward the other core switch sit idle in a blocked state. What if we load-balance the VLANs between multiple core switches?
The following diagram shows two core switches load balancing the root bridge function between multiple VLANs on a network:
Figure 6.7 – Spanning-tree load balancing
Should core SW1 go down, SW2 will take the role of the root bridge for VLANs 10, 20, and 30 in addition to VLANs 40, 50, and 60, and vice versa if SW2 goes down instead.
Spanning-tree standards
STP is an open-standard Layer 2 loop prevention mechanism that is enabled on switches by default. The original version is defined by IEEE 802.1D; later standards added Rapid Spanning Tree (IEEE 802.1w) and Multiple Spanning Tree (IEEE 802.1s), both of which are mentioned later in this chapter. Cisco IOS switches do not run the plain IEEE 802.1D version of spanning-tree by default; they run Cisco's per-VLAN variant, PVST+, which is described in the PVST+ section.
Port roles and states
In this section, you will learn about the various port roles and states involved when an interface transitions into forwarding or blocking traffic.
The following are the port roles used in spanning-tree:
Root ports: These are the ports that are closest to the root bridge, meaning the port with the lowest root path cost. If you recall, each switch always points toward the root bridge at the end of the election process. This means that each non-root switch has exactly one root port that points back to the root bridge on the network. Root ports are never on the root bridge itself.
Designated ports: Every network segment (link) has exactly one designated port, on the switch that advertises the lowest root path cost onto that segment. Designated ports forward traffic, and every port on the root bridge is a designated port.
Alternate or backup ports: These are interfaces that are in a logically blocked state that is caused by STP to prevent any Layer 2 loops on redundant paths. An alternate port is a blocked port that offers another path to the root bridge; a backup port is a blocked port on a segment for which the same switch already holds the designated port.
To view the port roles and state of each interface on a Cisco IOS switch, use the show spanning-tree command. The following snippet shows both the roles and states of each interface:
Figure 6.8 – Ports' roles and states
When a switch boots up, its interfaces do not go directly to a forwarding state to allow traffic to flow immediately, but go through a few phases. The following is the order in which an interface transitions from the time a switch boots up:
1. Blocking: In this state, user data is not passed onto the network; however, BPDUs are still received on the port.
2. Listening: This state sends and processes BPDUs to take part in the election, but neither forwards user data frames nor learns MAC addresses.
3. Learning: This state processes BPDUs and learns the MAC addresses of received frames, but still does not forward frames.
4. Forwarding: This is the normal operating state of a switch's interface. It is able to send and receive users' data and process BPDUs.
5. Disabled: This state means the interface has been administratively shut down by the device administrator and does not take part in spanning-tree at all.
With the default timers, a port waits up to 20 seconds (Max Age) in Blocking, then 15 seconds (Forward Delay) in Listening and another 15 seconds (Forward Delay) in Learning, which is where the 30–50 second convergence time of classic STP comes from.
Now that you have learned about the various port roles and states, in the next sub-section, you will learn how to use a systematic approach to identify the root bridge and port roles in a network topology.
Determining the root bridge and port roles
An important skill for any upcoming network professional is the ability to look at a spanning-tree topology and identify the root bridge and all the port roles. In this section, I will guide you through the process of how easily this can be done by using the information from the previous sections and a few additional guidelines.
The following is my personal rule of thumb to help identify the roles of each port in spanning-tree:
1. Identify the root bridge.
2. Identify the root ports.
3. Identify the designated ports.
4. Identify the alternate ports.
To get started, let's study the following network topology with spanning-tree:
Figure 6.9 – Spanning-tree topology
Using all you have learned so far, including the guidelines and the network topology, let's determine all the port roles and understand why each port has a specific role. The following steps show how to determine what is taking place in the spanning-tree topology:
1. Firstly, identify the root bridge. From the topology, we can see that SW2 has the lowest bridge ID and therefore will take the role of the root bridge in the network.
2. Identify all the root ports on the network. Root ports are those that are closest to the root bridge. From the topology, the SW1 FastEthernet 0/1 and SW4 FastEthernet 0/4 interfaces are directly connected to the root bridge with a root path cost of 19 each. Therefore, these are root ports.
3. Does SW3 have any root ports? Yes, it does. There are two paths from SW3 to the root bridge. These are SW3 to SW1 and SW3 to SW4. These paths are of equal cost (19 + 19 = 38 via either neighbor). Therefore, we need to take a look at which neighbor has the lower bridge ID between SW1 and SW4, because a switch breaks a cost tie by preferring the BPDU from the lower sender bridge ID. Looking closely, we can see that both adjacent switches, SW1 and SW4, have the same priority. Therefore, the switch with the lowest MAC address breaks the tie on determining the preferred path. This means the preferred path from SW3 to the root bridge is via SW1. Therefore, SW3 FastEthernet 0/2 will also be a root port.
4. Now that we have labeled all our root ports, let's assign designated ports. All ports on the root bridge are always designated ports.
5. Since the preferred path from SW3 to the root bridge is via SW1, FastEthernet 0/2 on SW1 will also be a designated port.
6. Lastly, one of the interfaces between SW3 and SW4 has to be an alternate port to prevent a Layer 2 loop on the network. The question is how to determine which interface should be an alternate port and which should be a designated port. The designated port on a segment belongs to the switch that advertises the lower root path cost onto that segment; the bridge ID is only compared when both switches advertise the same cost. SW4 is directly connected to the root bridge and advertises a cost of 19, while SW3 can only advertise 38 (its path via SW1). SW4 therefore wins the segment: SW4 FastEthernet 0/3 is the designated port and SW3 FastEthernet 0/3 is the alternate (blocking) port. Had both switches advertised the same cost, the lower bridge ID (same priority, so the lower MAC address) would have decided it instead.
The following diagram shows the complete port labels of each switch in our network topology:
Figure 6.10 – Port labels
You may be wondering, since SW4 FastEthernet 0/3 is a designated port (the Forwarding state) and SW3 FastEthernet 0/3 is an alternate port (the Blocking state), how does SW3 forward traffic to SW4 and vice versa?
Each switch will only forward traffic using the available path created by STP. SW3 will take the path SW3–SW1–SW2–SW4 and SW4 will use the reverse path to send traffic back to SW3. Whichever end of the SW3–SW4 link is blocking, the result is the same: that link carries no user traffic until a failure elsewhere causes STP to unblock it.
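The six steps above, worked in code. The following Python script is an added example written for this edition and is not part of the book or its GitHub repository. It encodes the classic 802.1D/PVST+ election rules (lowest bridge ID for the root; lowest root path cost, then lowest sender bridge ID, for root ports; lowest advertised cost, then lowest bridge ID, for the designated port on each segment) and applies them to a constructed copy of the Figure 6.9 topology. The switch names, priorities, MAC addresses and port numbers are assumptions chosen so that SW2 wins the election and SW1's MAC address is lower than SW4's. It also replays the broadcast from Figure 6.2 across the same four switches with and without the blocked port, which makes the never-ending loop described earlier in this chapter visible as a frame count that never drops to zero.

```python
"""Classic STP (IEEE 802.1D / PVST+) election over a small switch topology.

Added example, not the book's code. The topology mirrors Figure 6.9 (four
switches, all FastEthernet links); the priorities and MAC addresses are
constructed so that SW2 wins the root election and SW1's MAC is lower than SW4's.
"""

# IEEE 802.1D short path-cost table, keyed by link speed in Mbps
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

# Constructed data: name -> (bridge priority, base MAC address)
SWITCHES = {
    "SW1": (32768, "0001.aaaa.0001"),
    "SW2": (4096,  "0001.aaaa.0002"),   # lowest bridge ID -> root bridge
    "SW3": (32768, "0001.aaaa.0003"),
    "SW4": (32768, "0001.aaaa.0004"),
}
# Constructed links: (switch A, port number on A, switch B, port number on B, Mbps)
LINKS = [
    ("SW1", 1, "SW2", 1, 100),   # SW1 Fa0/1 <-> SW2 Fa0/1
    ("SW4", 4, "SW2", 4, 100),   # SW4 Fa0/4 <-> SW2 Fa0/4
    ("SW3", 2, "SW1", 2, 100),   # SW3 Fa0/2 <-> SW1 Fa0/2
    ("SW3", 3, "SW4", 3, 100),   # SW3 Fa0/3 <-> SW4 Fa0/3
]


def bridge_id(priority, vlan, mac):
    """Bridge ID as STP compares it: (priority + sys-id-ext, MAC address)."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return (priority + vlan, mac.lower())


def elect(switches, links, vlan=1):
    """Return (root, best_bpdu, roles).

    best_bpdu[sw] = (root path cost, sender bridge ID, sender port, local port)
    roles[(sw, port)] is 'Desg', 'Root' or 'Altn'.
    """
    bid = {name: bridge_id(p, vlan, mac) for name, (p, mac) in switches.items()}
    root = min(bid, key=bid.get)                       # lowest bridge ID wins

    adj = {name: [] for name in switches}              # sw -> (local port, nbr, nbr port, cost)
    for a, pa, b, pb, mbps in links:
        adj[a].append((pa, b, pb, PORT_COST[mbps]))
        adj[b].append((pb, a, pa, PORT_COST[mbps]))

    # Each non-root switch keeps the best BPDU it hears: lowest root path cost,
    # then lowest sender bridge ID, then lowest sender port, then lowest local port.
    best = {root: (0, bid[root], 0, None)}
    changed = True
    while changed:                                     # relax until stable (all costs > 0)
        changed = False
        for sw in switches:
            if sw == root:
                continue
            heard = [(best[n][0] + c, bid[n], np_, lp)
                     for lp, n, np_, c in adj[sw] if n in best]
            if heard and min(heard) != best.get(sw):
                best[sw] = min(heard)
                changed = True

    roles = {}
    for a, pa, b, pb, _ in links:
        # The designated port is on the end advertising the better BPDU onto the
        # segment: lower root path cost first; bridge ID only breaks a cost tie.
        adv_a = (best[a][0], bid[a], pa)
        adv_b = (best[b][0], bid[b], pb)
        (dsw, dport), (osw, oport) = (((a, pa), (b, pb)) if adv_a < adv_b
                                       else ((b, pb), (a, pa)))
        roles[(dsw, dport)] = "Desg"
        roles[(osw, oport)] = "Root" if best[osw][3] == oport else "Altn"
    return root, best, roles


def flood(links, blocked, start, rounds):
    """Count copies of one broadcast per round: every switch re-floods a received
    frame out of all other non-blocked ports (there is no TTL at Layer 2)."""
    active = [(a, pa, b, pb) for a, pa, b, pb, _ in links
              if (a, pa) not in blocked and (b, pb) not in blocked]
    frames = [(start, None)]                           # (switch holding a copy, switch it came from)
    counts = []
    for _ in range(rounds):
        nxt = []
        for sw, came_from in frames:
            for a, pa, b, pb in active:
                for here, there in ((a, b), (b, a)):
                    if here == sw and there != came_from:
                        nxt.append((there, sw))
        frames = nxt
        counts.append(len(frames))
    return counts


if __name__ == "__main__":
    root, best, roles = elect(SWITCHES, LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} Fa0/{port}: {role}  (root path cost {best[sw][0]})")
    blocked = {k for k, r in roles.items() if r == "Altn"}
    print("without STP:", flood(LINKS, set(), "SW1", 6))
    print("with STP   :", flood(LINKS, blocked, "SW1", 6))
```

Run it and compare the printed roles with your own labels. Set SW2's priority back to 32768 to watch the election fall through to MAC addresses, or change the SW4 to SW2 link to 10 Mbps (cost 100) to watch SW4's root port move to Fa0/3 and the alternate port jump to SW4 Fa0/4 instead, exactly as the cost-first rule in step 6 predicts.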
Identifying and understanding how spanning-tree works is important in networks as it also has an important part to play in your CCNA examination. Having completed this section, you have gained the skills to identify the roles and functions of each port in a spanning-tree topology. In the next section, you will learn about Cisco's proprietary implementation of spanning-tree, PVST+.
PVST+
Cisco has taken the open IEEE 802.1D standard and has created their improved proprietary version known as PVST+, which is enabled on all Cisco IOS switches by default. Unlike STP (IEEE 802.1D), which runs a single instance for the whole switched network, Cisco PVST+ creates a unique instance for each VLAN existing on the network, hence the name Per-VLAN Spanning Tree+. This is what allows a different root bridge to be chosen per VLAN, as in the load-balancing design shown earlier.
Both STP and PVST+ have the following port states:
Blocking: During this state, the interface does not forward frames or learn about MAC addresses. It receives BPDUs but does not send them.
Listening: The interface sends and receives BPDUs to determine the path to the root bridge. It does not forward data frames or learn MAC addresses.
Learning: MAC addresses are learned and populate the Content Addressable Memory (CAM) table, but data frames are still not forwarded.
Forwarding: The interface continues to send and receive BPDUs and learn MAC addresses. The interface begins to forward data frames to other devices on the network.
Disabled: The interface is administratively down.
Important note
Cisco allows its PVST+ to inter-operate with other vendors that are running IEEE 802.1D STP.
Networks that are running STP and PVST+ usually take around 30–50 seconds to converge and allow traffic to flow on the network. Sometimes, after devices are booted up from a power outage or modifications are being made on the network, 50 seconds may be a lot of time to get traffic flowing.
Important note
Multiple Spanning-Tree Protocol (MSTP), defined by IEEE 802.1s, is an open standard that maps groups of VLANs onto a small number of spanning-tree instances, rather than running one instance per VLAN as PVST+ does or a single instance for everything as IEEE 802.1D does.
In the next section, you will learn how to use the Command-Line Interface (CLI) to find the root bridge and identify various port roles and states in a Cisco environment.
Lab – discovering the root bridge
It's time to get our hands on some practical experience and learn how to discover the root bridge on a Cisco switch network. To get started, we'll be using the Cisco Packet Tracer application, which allows us to simulate a Cisco environment. Within the application, please design the following network topology:
Figure 6.11 – Discovering the root bridge on a Cisco network
Please ensure to use the following guidelines to make sure you get the same results:
Use the crossover cable to interconnect all the switches.
Use only FastEthernet interfaces when attaching the cables to each device. The interface ID is not needed as it's a simple lab.
Use the Cisco 2960 switches at the access layer.
Use the Cisco 3560 switches at both the distribution and core layers.
Assign the hostnames to each device as shown in the topology.
Do not create any EtherChannels between C1 and C2 in the core layer.
Start by placing the access layer switches on the Cisco Packet Tracer interface, then the distribution, and lastly the core switches. Cabling should be applied in the same sequence as well. This is to create a specific outcome: with every switch left at the default priority, the election is decided purely by MAC address.
One of the first tasks you may have as a network professional is to discover which switch within your network has the role of being the root bridge. To ensure you can successfully perform this task, use the following instructions:
1. In an enterprise network, it's recommended that the core switch becomes the root bridge, but this isn't always the actual result in many networks. Use the show spanning-tree command, as shown, to verify the status:
Figure 6.12 – Spanning-Tree status on C1
The output shows the Spanning-Tree instance for VLAN 1. Here, we are able to see that C1 is running PVST+ by default, as highlighted in the snippet. Additionally, you are able to see the root ID information about the root bridge and C1's Bridge ID information. Notice that the root ID details do not match that of C1's bridge information. This indicates that C1 is not the root bridge. Remember, the root ports are always closest to the root bridge. Notice that C1 has a root port, FastEthernet 0/2. We can use this information to help to find the root bridge.
2. Let's use the show cdp neighbors command to identify the type of device that is connected to C1 on its FastEthernet 0/2 interface:
Figure 6.13 – Discovering connected devices on C1
We can see that there's another switch (3560 model) connected on C1's FastEthernet 0/2 interface. We can now log on to D2 and check whether it's the root bridge.
Tip
If you do not get the same results as outlined in this lab exercise, that's OK. Please use the same concepts on identifying the root bridge and port states. Use the show spanning-tree and show cdp neighbors commands to help you trace the path to the root bridge on your network topology.
3. On D2,  let's execute the show spanning-tree command to verify whether it's the root bridge:
Figure 6.14 – Spanning-Tree status on D2
The results indicate that D2 isn't the root bridge but it also has a root port, FastEthernet 0/3, which points to the root bridge.
4. Once again, let's use the show cdp neighbors command to help us identify what is connected to D2's FastEthernet 0/3 interface:
Figure 6.15 – Discovering connected devices on D2
We can see that there's another switch (2960 model) connected on D2's FastEthernet 0/3 interface. We can now log on to A3 and check whether it's the root bridge.
5. On A3, let's execute the show spanning-tree command once more to verify whether it's the root bridge:
Figure 6.16 – Spanning-Tree status on A3
We have hit a pot of gold here by finding the root bridge in our topology. The first thing that tells us we have found the root bridge is the sentence that says This bridge is the root. If you cross-reference each show spanning-tree output from all other switches in the topology, you'll see they all have the root ID that matches that of A3's bridge ID details.
Important note
Furthermore, all ports on the root bridge always have the role of being designated ports with their operating statuses as Forwarding.
Throughout this lab exercise, you have seen how each switch on the topology has been using its default configurations with the exception of its hostname. Each switch has a bridge priority of 32768 and an extended system ID of 1 (for VLAN 1).
The following diagram shows the highlighted links being those that are made active by the root bridge, while others are logically blocked to prevent any Layer 2 loops on the network:
Figure 6.17 – Active paths
Additionally, if you recall, the root bridge is the central reference point for all traffic on the switch network. As we have discovered, the root bridge in our network is at the access layer. The access layer switches are not as robust and resilient as the core switches in a network, which have redundant power supplies and support for hot-swappable components. Therefore, as an upcoming networking professional, it's recommended to configure one of the core switches as the root bridge, as shown in the next exercise.
The learning outcome of this exercise was to provide you with the hands-on experience of discovering the root bridge on a network using one of the most important spanning-tree commands, the show spanning-tree command. The show cdp neighbors command has also been very helpful in the process. Lastly, this demonstrates that in an enterprise environment that isn't configured properly, the root bridge may not always be the switch we expect.
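The walk you just did by hand (show spanning-tree, read the root port, show cdp neighbors, hop to that neighbor, repeat) is easy to script once the output has been collected. The following Python is an added example written for this edition, not code from the book or its repository. The three show spanning-tree outputs are constructed to match the lab path C1, D2, A3 (the MAC addresses are made up and several lines of real output are omitted), and the CDP data is reduced to a made-up mapping from local interface to neighbor hostname; in a real tool both would be gathered from the switches over SSH. The parser also performs the consistency checks you did by eye: the root flag, the root and bridge IDs, and the presence of a root port must agree.

```python
"""Trace the path to the root bridge from 'show spanning-tree' output.

Added example, not the book's code. Outputs are constructed to mirror the lab
(C1 -> D2 -> A3) and shortened; CDP data is a constructed {interface: neighbour} map.
"""
import re

# Constructed 'show spanning-tree' output per switch (MAC addresses are made up)
SHOW_SPANNING_TREE = {
    "C1": """VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0000.0c00.0a03
             Cost        38
             Port        2(FastEthernet0/2)

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0000.0c00.0c01

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Root FWD 19        128.2    P2p
Fa0/3            Altn BLK 19        128.3    P2p
""",
    "D2": """VLAN0001
  Root ID    Priority    32769
             Address     0000.0c00.0a03
             Cost        19
             Port        3(FastEthernet0/3)

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0000.0c00.0d02
""",
    "A3": """VLAN0001
  Root ID    Priority    32769
             Address     0000.0c00.0a03
             This bridge is the root

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0000.0c00.0a03

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Desg FWD 19        128.3    P2p
""",
}

# Constructed stand-in for 'show cdp neighbors': {switch: {local interface: neighbour}}
CDP = {
    "C1": {"FastEthernet0/1": "C2", "FastEthernet0/2": "D2", "FastEthernet0/3": "D1"},
    "D2": {"FastEthernet0/1": "C1", "FastEthernet0/3": "A3"},
    "A3": {"FastEthernet0/1": "D1", "FastEthernet0/2": "D2", "FastEthernet0/3": "A2"},
}

MAC = r"([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})"


def parse_show_spanning_tree(text):
    """Pull root ID, local bridge ID, root port and per-port role/state from one
    VLAN instance of 'show spanning-tree'."""
    root = re.search(r"Root ID\s+Priority\s+(\d+)\s+Address\s+" + MAC, text)
    local = re.search(r"Bridge ID\s+Priority\s+(\d+)\s+\(priority (\d+) sys-id-ext (\d+)\)"
                      r"\s+Address\s+" + MAC, text)
    if not root or not local:
        raise ValueError("unrecognised show spanning-tree output")
    root_port = re.search(r"^\s+Port\s+\d+\((\S+)\)", text, re.M)
    info = {
        "is_root": "This bridge is the root" in text,
        "root_id": (int(root.group(1)), root.group(2).lower()),
        "bridge_id": (int(local.group(1)), local.group(4).lower()),
        "priority": int(local.group(2)),
        "sys_id_ext": int(local.group(3)),
        "root_port": root_port.group(1) if root_port else None,
        "ports": {n: (role, sts) for n, role, sts in re.findall(
            r"^(\S+)\s+(Desg|Root|Altn|Back)\s+(FWD|BLK|LRN|LIS)", text, re.M)},
    }
    # Consistency checks a human does by eye: flag, IDs and root port must agree
    if info["is_root"] != (info["root_id"] == info["bridge_id"]):
        raise ValueError("'This bridge is the root' disagrees with the root/bridge IDs")
    if info["is_root"] == (info["root_port"] is not None):
        raise ValueError("non-root switches need a root port; the root must have none")
    return info


def trace_to_root(start, outputs, cdp):
    """Follow each switch's root port to its CDP neighbour until a switch reports
    'This bridge is the root'. Returns the hostnames visited, in order."""
    path, sw = [], start
    while True:
        info = parse_show_spanning_tree(outputs[sw])
        path.append(sw)
        if info["is_root"]:
            return path
        nxt = cdp[sw][info["root_port"]]
        if nxt in path:
            raise RuntimeError(f"root-port chain loops back to {nxt}")
        sw = nxt


if __name__ == "__main__":
    print("path to root:", " -> ".join(trace_to_root("C1", SHOW_SPANNING_TREE, CDP)))
```

The loop guard in trace_to_root matters on real networks: if a stale CDP table or a misread root port sends you back to a switch you have already visited, the script stops instead of walking forever.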
In the next section, you will learn about a faster converging version of PVST+, Rapid-PVST+.
Rapid-PVST+
There's a much faster version of STP, known as Rapid STP (RSTP). It is defined by IEEE 802.1w and has the ability to converge an entire network in a matter of seconds, compared to the 30–50 seconds of the original IEEE 802.1D standard, because it replaces most of the timer-based transitions with an explicit proposal and agreement handshake between neighboring switches. Cisco took the improved RSTP (IEEE 802.1w) standard and made a proprietary per-VLAN version known as Rapid-PVST+.
To enable Rapid-PVST+ on a Cisco network, use the following command in global configuration mode on all Cisco IOS switches:
spanning-tree mode rapid-pvst
Rapid-PVST+ supports the following port states:
Discarding: This state is similar to Blocking. It does not forward frames or learn about MAC addresses. It does, however, still receive BPDUs.
Learning: MAC addresses are learned and populate the Content Addressable Memory (CAM) table.
Forwarding: The interface continues to send and receive BPDUs and learn MAC addresses. The interface begins to forward data frames to other devices on the network.
Keep in mind that when using Rapid-PVST+ there are no Blocking and Listening states: RSTP folds the Disabled, Blocking, and Listening states of 802.1D into the single Discarding state, and because it negotiates port roles with its neighbors instead of waiting for timers to expire, it does not need a separate Listening phase before it starts learning MAC addresses.
Important note
PortFast, BPDU guard, BPDU filter, root guard, and loop guard are applicable in Rapid-PVST+.
PortFast
This feature allows the port to go directly into a Forwarding state without having to move through the Listening and Learning states. PortFast should be configured on edge ports only.
Important note
Edge ports are those that are not connected to another switch.
Edge ports (PortFast) should not receive BPDUs on their interfaces. The BPDU guard feature should be used with PortFast to prevent BPDUs from entering an edge port. If a BPDU is received on an edge port with BPDU guard enabled, the port will switch into an err-disabled state (logically shuts down). On a real switch, an err-disabled port stays down until an administrator bounces it with shutdown and no shutdown, unless automatic recovery has been configured with errdisable recovery cause bpduguard.
Important note
BPDU guard is also implemented for security reasons. Without it, anyone who plugs a switch (or a host that sends BPDUs) into a PortFast port gets to take part in the spanning-tree election, which can create Layer 2 loops or, with a low enough priority, let the rogue device become the root bridge and pull traffic through itself. With BPDU guard, the port is err-disabled the moment a BPDU arrives, which also leaves a clear log entry for the security operations team to follow up on.
In the following lab, you will learn how to efficiently configure Rapid-PVST+ on a Cisco network.
Lab – implementing Rapid-PVST+ on a Cisco network
Having completed the previous exercise, the spanning-tree election process has automatically selected an access layer switch (A3) to be the root bridge. To configure the root bridge on our topology, use the following instructions:
1. By default, the Cisco IOS switch is running Per-VLAN Spanning Tree+ (PVST+). Let's first configure Rapid-PVST+ to ensure faster convergence on our network. Execute the spanning-tree mode rapid-pvst command in global configuration mode on all switches on the network. The following is a demonstration on one of the core switches:
C1(config)#spanning-tree mode rapid-pvst
2. After enabling Rapid-PVST+ on all switches, use the show spanning-tree command on each device to verify whether the new operating standard has been changed to Rapid-PVST+. The following snippet shows how to identify that Rapid-PVST+ is enabled:
Figure 6.18 – Rapid-PVST+ status
The Cisco IOS has a very unusual way of telling you that Rapid-PVST+ is running; on the output, it says rstp (Rapid Spanning Tree Protocol), but in reality, it is actually Rapid-PVST+ that is running on the device, as shown in the preceding screenshot, because Cisco runs only its proprietary per-VLAN version of IEEE 802.1w.
3. To make C1 the root bridge on the network, we have to adjust its bridge priority to be lower than all the other switches on the topology. The bridge priority ranges from 0–61440 in increments of 4096. We can use the following command to set a bridge priority of 4096 for VLAN 1 on our C1 switch:
C1(config)#spanning-tree vlan 1 priority 4096
4. Let's use the show spanning-tree command to verify that C1 is the root bridge on the network:
Figure 6.19 – Root bridge status on C1
As expected, C1 has now become the root bridge for VLAN 1 on the network and is running Rapid-PVST+.
5. Additionally, we can create a secondary root bridge such that in the event C1 goes offline, the secondary root bridge can take the role of being the primary root bridge for VLAN 1. To set C2 as the secondary root bridge, use the following command:
C2(config)#spanning-tree vlan 1 priority 8192
To create the secondary root bridge, ensure that the priority value is one increment of 4096 higher than the primary root bridge priority value, and still lower than the default 32768 used by every other switch.
Important note
The Cisco IOS will not allow you to set any value that is not an increment of 4096.
6. Lastly, let's check switch A3 to verify that the change has also taken place:
Figure 6.20 – Switch A3 points to C1 as the new root bridge
As expected, switch A3 contains the details of the new root bridge, C1, within its spanning-tree instance for VLAN 1 and has a root port that points toward C1 on the topology.
The highlighted links in the following diagram are those that are made active by the new root bridge on the network, while others are logically blocked to prevent any Layer 2 loops on the network:
Figure 6.21 – Active paths
As you can see, the entire logical topology has changed with the configuration of the new root bridge and there is only one logical path between any two switches, therefore preventing any Layer 2 loops on the network.
Instead of choosing the priority values by hand, both the primary root bridge and the secondary root bridge can be configured using the root macros. When the command is entered, the switch looks at the current root bridge for that VLAN and picks a priority for itself: root primary sets 24576, or 4096 lower than the current root if the current root is already below 24576, and root secondary sets 28672. Note that this calculation happens only once, at the time the command is entered; the switch does not keep re-adjusting its priority afterward if a switch with a lower priority later appears on the network, so the result still needs to be verified with show spanning-tree.
To configure the primary root bridge, use the following command:
C1(config)#spanning-tree vlan 1 root primary
To configure the secondary root bridge, use the following command:
C2(config)#spanning-tree vlan 1 root secondary
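A small planner for the per-VLAN root bridge design from Figure 6.7, as an added Python example for this edition (not from the book or its repository). It generates the priority commands each core switch needs so that C1 is the root for VLANs 10, 20 and 30 and the secondary for 40, 50 and 60, and C2 the other way round; it enforces the IOS rule that a priority must be a multiple of 4096 between 0 and 61440 and that the secondary must still beat every switch left at the default; and it shows the value the root primary and root secondary macros would pick. The switch names and VLAN groupings are assumptions.

```python
"""Plan per-VLAN root bridges across the core and emit the matching IOS lines.

Added example, not the book's code. Switch names and VLAN groupings are assumed
(they mirror Figure 6.7). Priority rules follow IOS: a multiple of 4096 between
0 and 61440; 'root primary' picks 24576 (or 4096 below the current root if that
is already lower) and 'root secondary' picks 28672.
"""


def check_priority(value):
    """Reject anything IOS would reject (not a multiple of 4096, or out of range)."""
    if not 0 <= value <= 61440 or value % 4096:
        raise ValueError(f"{value}: priority must be a multiple of 4096 in 0..61440")
    return value


def root_macro_priority(kind, current_root_priority=32768):
    """Priority that 'spanning-tree vlan X root primary|secondary' would configure,
    given the priority of the root bridge the switch currently sees for that VLAN."""
    if kind == "secondary":
        return 28672
    if kind == "primary":
        if current_root_priority > 24576:
            return 24576
        return check_priority(current_root_priority - 4096)   # ValueError if root is already 0
    raise ValueError(f"unknown macro {kind!r}")


def plan_root_bridges(groups, primary=4096, secondary=8192):
    """groups: {switch: [VLANs it should be root for]}. Every other switch in the
    dict becomes the secondary root for those VLANs. Returns {switch: [IOS lines]}."""
    claimed = {}
    for owner, vlans in groups.items():
        for v in vlans:
            if v in claimed:
                raise ValueError(f"VLAN {v} claimed by both {claimed[v]} and {owner}")
            claimed[v] = owner
    check_priority(primary)
    check_priority(secondary)
    if not primary < secondary < 32768:
        raise ValueError("need primary < secondary < 32768 so the backup beats every default switch")
    config = {}
    for sw in groups:
        lines = ["spanning-tree mode rapid-pvst"]
        for owner, vlans in groups.items():
            if vlans:
                prio = primary if owner == sw else secondary
                lines.append(f"spanning-tree vlan {','.join(map(str, vlans))} priority {prio}")
        config[sw] = lines
    return config


if __name__ == "__main__":
    for sw, lines in plan_root_bridges({"C1": [10, 20, 30], "C2": [40, 50, 60]}).items():
        print(f"! {sw}")
        print("\n".join(lines))
    print("root primary against a default root ->", root_macro_priority("primary"))
    print("root primary against a root at 4096 ->", root_macro_priority("primary", 4096))
```

The VLAN-list form of the command (spanning-tree vlan 10,20,30 priority 4096) is accepted by IOS and keeps the generated configuration short; the planner deliberately refuses a VLAN claimed by two switches, since that would silently leave one of them with no backup.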
Having completed this exercise, you have gained the skills to configure and implement Rapid-PVST+ on a Cisco network. In the next lab, we will continue using this existing topology where you will gain hands-on experience of configuring PortFast and BPDU guard on a Cisco switch.
Lab – configuring PortFast and BPDU guard
As we learned earlier, PortFast is a feature that allows an interface to transition into a Forwarding state without going through both the Listening and Learning states. It is available with both PVST+ and Rapid-PVST+ on a Cisco switch. In this lab, you will learn how to configure an interface with PortFast and implement BPDU guard to prevent any unwanted BPDU messages from entering the interface.
Important note
These configurations should only be applied to edge ports. Edge ports are ports that are not connected to another switch, such as end devices, routers, firewalls, printers, and so on.
To get started with this exercise, please use the following instructions:
1. Let's imagine a PC is connected to switch A1 on FastEthernet 0/3. We can implement PortFast by first ensuring the interface is an access port (and, with switchport nonegotiate, that it will not try to form a trunk with whatever is plugged in):
A1(config)#interface FastEthernet 0/3
A1(config-if)#switchport mode access
A1(config-if)#switchport nonegotiate
2. To enable the PortFast feature on the interface, use the following command:
A1(config-if)#spanning-tree portfast
3. Once PortFast has been enabled, enable BPDU guard to prevent BPDUs from entering the port:
A1(config-if)#spanning-tree bpduguard enable
The following snippet shows the expected sequence and outcomes of completing the previous steps:
Figure 6.22 – Configuring PortFast and BPDU guard
4. Lastly, we can use the show running-config command to verify the configuration under the interface, as shown:
Figure 6.23 – The running-config file
Additionally, the show spanning-tree interface fastEthernet 0/3 portfast command can be used to verify whether PortFast has been enabled on an interface.
Having completed this exercise, you have acquired the skills to implement the PortFast and BPDU guard features on all edge ports within a Cisco environment.
Summary
We took a deep dive into learning how redundancy can be a good but also a bad thing, as it may create a Layer 2 loop in our switch network. Most importantly, we covered the importance of understanding spanning-tree and how it works to help prevent physical redundancy from taking down our enterprise network. Having completed this chapter, you have gained the skills to determine port roles in a spanning-tree topology, configure both primary and secondary root bridges, and lastly, implement PortFast with BPDU guard.
I hope this chapter has been informative to you and is helpful in your journey toward learning how to implement Cisco solutions and prepare for the CCNA 200-301 certification. In the next chapter, Chapter 7, Interpreting Routing Components, you will learn about the importance of routing and how routers determine the best path to a destination network.
Questions
The following is a short list of review questions to help reinforce your learning and help you identify areas you might need to work on:
1. Which command allows you to see the MAC address of a switch?
A. show version
B. show ip interface brief
C. show running-config
D. show startup-config
2. Which of the standards prevents Layer 2 loops on a network?
A. IEEE 802.1X
B. IEEE 802.3
C. IEEE 802.11
D. IEEE 802.1D
3. What is the priority value of a switch that has been factory restored?
A. 0
B. 32768
C. 32769
D. 4096
4. Which is the default spanning-tree operating mode on Cisco IOS switches?
A. PVST+
B. STP
C. Rapid-PVST+
D. RSTP
5. Which port state is not used by Rapid-PVST+?
A. Discarding
B. Forwarding
C. Listening
D. Learning
6. Which port is closest to the root bridge?
A. Backup port
B. Alternate port
C. Designated port
D. Root port
Further reading
The following links are recommended for additional reading:
Understanding Spanning-Tree: https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/5234-5.html
Configuring Rapid PVST+: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/RPVSpanningTree.html
Configuring PortFast and BPDU Guard: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/stp_enha.html
Section 3: IP Connectivity
This section begins by introducing you to how routers are used to interconnect remote networks and how routers make their forwarding decisions to send a packet to its intended destination. Next, you will learn about both static and dynamic routing protocols, their advantages, and use cases. Then, you will learn how to implement and troubleshoot both static and dynamic routing on a network to ensure connectivity.
This section contains the following chapters:
Chapter 7, Interpreting Routing Components
Chapter 8, Understanding First Hop Redundancy, Static and Dynamic Routing
Chapter 7: Interpreting Routing Components
All network professionals must have an understanding of the concepts of routing. In embarking upon this new domain on IP connectivity, you will be introduced to the topics of routers and how they help us connect to remote networks. Routers help us reach the internet, access resources online, and share information with each other. Therefore, if you are unable to configure routers to send packets between remote networks and to enable them to automatically exchange routes, you will have great difficulty working in networking.
Upon completing this chapter, you will have learned the process Cisco IOS routers use to make their forwarding decisions. Additionally, you will have gained the ability to identify and describe each component within the routing table of a router and will be able to predict the forwarding decision of each device in a Cisco environment.
In this chapter, we will cover the following topics:
Understanding IP routing
Components of the routing table
Routing protocol codes
Prefix and network mask
Next hop
Administrative distance
Routing metrics
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the following software requirement:
Cisco Packet Tracer: https://www.netacad.com
The code files for this chapter are available at: https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2007.
Understanding IP routing

Routers play an important role in how networks operate day to day. Without them, we wouldn't be able to connect to other networks or the internet. In this section, we will learn how Cisco routers connect remote and foreign networks, allowing us to access devices and applications located within a data center or even another location somewhere on the internet. We will consider the question: How does a router make the decision to forward traffic to the right network?

In the previous chapters, we have spent a lot of time learning how to build an optimal local area network using a lot of technologies with Cisco IOS switches. One of the key things you may have noticed regarding Cisco IOS switches is that a new Cisco switch with default configurations will still allow you to connect end devices onto its physical interfaces and will forward traffic (frames) without you inserting any additional configurations on the device. However, this is not the case with a Cisco IOS router.

A Cisco IOS router with default configurations or factory settings does not forward traffic (packets) between its interfaces. To make a router operational, a network professional such as yourself has to tell the router how traffic should flow between its interfaces. In other words, without configuring the Cisco router, it will simply do nothing on a network when it's powered on.

A router has the capability to read the Layer 3 header of an IP packet and make a decision on how to proceed in forwarding the packet. When a packet enters an interface on a router, it is de-encapsulated by removing the Layer 2 header information, such as the source and destination MAC addresses. The router then looks at the destination IPv4 or IPv6 address and checks its routing table for a suitable route.

The routing table is dynamically updated when a local interface on the router is assigned an IP address and is enabled. In addition, the router has the capability of running dynamic routing protocols that allow routers on the network to exchange routes with each other. A route is simply a path to reach a destination network; without any routes, a router won't be able to forward packets to their destinations.

Let's take a look at the following topology to gain a better understanding of how routers work:

Figure 7.1 – Simple network topology

The topology illustrates an organization's network, consisting of the headquarters and three remote branches/offices. The organization uses a Metro Ethernet (MetroE) WAN to interconnect their branches to the headquarters. The WAN service is managed by a local Internet Service Provider (ISP).

Important note

A Metropolitan-area Ethernet or MetroE connection is a type of Layer 2 WAN service that is commonly provided by an ISP using Ethernet standards.

Let's imagine that a PC on the Branch A network (172.16.1.0/24) has to send traffic to a server in HQ that is located on the 10.1.1.0/24 network. What will be the path or route the traffic will take? To answer this question and fully understand what takes place, let's look at a low-level view of the topology:

Figure 7.2 – Low-level topology

I would recommend taking some time to build this topology using Cisco Packet Tracer as you will be able to perform the same validation checks that I will be using for the remainder of this chapter and the next. When building the topology, use the following guidelines:

Use only Cisco 2911 routers.
Ensure you configure the IP address on each device as shown in the diagram.
Ensure each PC is able to ping its default gateway.
Ensure each router can ping all other routers on the network.
Let's see whether PC2 on the Branch A network is able to ping PC1 on the HQ network. First, let's verify the IP address on PC2 by using the ipconfig command:

Figure 7.3 – PC2 IP addressing

You need to check network connectivity between PC2 and its default gateway, the Branch-A router:

Figure 7.4 – Connectivity test to the Branch A router

From the preceding snippet, we can determine that four Internet Control Message Protocol (ICMP) Echo Request messages were sent from PC2 to the Branch-A router. The router has responded to each message with an ICMP Echo Reply. This means that PC2 has connectivity to its default gateway, the Branch-A router.

The next step is to check whether PC2 has connectivity to PC1. Let's ping PC1 from PC2:

Figure 7.5 – Connectivity failure between PC2 and PC1

This time, we did not get the expected results. Whenever the response is Destination host (or network) unreachable, it means that a device along the path (here, reported by the sender's default gateway) does not know how to reach the destination host or network. In our previous step, PC2 was able to reach its default gateway. Let's attempt some basic troubleshooting to further investigate and learn why there's no end-to-end connectivity. We can use the traceroute tool in Microsoft Windows to check the path the packet will take from PC2 to PC1. On Microsoft Windows, the tracert command is used:

Figure 7.6 – Performing a traceroute

The Windows tracert utility sends ICMP Echo Requests to the destination host while incrementing the Time To Live (TTL) value of each probe it sends, starting at 1. Each router that decrements the TTL to zero discards the probe and returns an ICMP Time Exceeded message, which is how the address of each hop is revealed. The purpose of this tool is to check the path a packet will take between two devices and also check for latency issues between hops. A hop refers to each Layer 3 device the packet has to pass through in order to reach its destination. Latency is simply a measurement of the time it takes a device to respond to a message such as a request. Higher latency means a device takes a longer time to respond. As network engineers, we want to ensure that our network has low latency to ensure faster response times.

Important note

On Microsoft Windows systems, the tracert command is used within the command prompt, while Linux and Cisco devices use the traceroute command. Note that Linux and Cisco IOS traceroute send UDP probes to high-numbered ports by default rather than ICMP Echo Requests, which matters when a firewall or ACL filters one but not the other.

The traceroute results show that after 172.16.1.1 (the Branch-A router), there are request timed out messages. It's at this point that we can begin troubleshooting to understand why we are experiencing a problem.

Let's head over to the Branch-A router and check its routing table using the show ip route command:

Figure 7.7 – Routing table of the Branch-A router

The Cisco IOS router will only contain known destination routes within its routing table. In the preceding snippet, there is no destination network of 10.1.1.0/24 in any of the rows (entries). If a route is not present here, it simply means the router does not know how to forward the packet to the 10.1.1.0/24 network and will send an ICMP Destination Unreachable message back to PC2 indicating it does not have a valid route to the destination, hence the response was Destination host unreachable.

Tip

If you would like to learn more about the different ICMP message types, please refer to my article at https://hub.packtpub.com/understanding-network-port-numbers-tcp-udp-and-icmp-on-an-operating-system/.

Furthermore, we can see in Figure 7.7 that the Branch-A router only knows about two unique networks: the 10.2.1.0/24 network that is used for the MetroE WAN connection on the GigabitEthernet0/2 interface, and the 172.16.1.0/24 network that is connected on GigabitEthernet0/0 for the LAN interface. However, the Branch-A router does not know about the other three LANs at the Branch-B, Branch-C, and HQ locations.

If the Branch-A router had known about all networks within the topology, the expected route would be pointing toward the HQ router at the IP address 10.2.1.5. Routers are not concerned with the entire path a packet will take to reach its destination host or network. All a router is concerned with is handing off the packet to a next hop; in other words, another router that will forward the packet toward its destination. Keep in mind that this process is repeated at every router until the packet is delivered.

Important note

Cisco routers do not simply read the routing table from top to bottom and stop at the first entry that matches. For each packet, the router selects the matching route with the longest prefix (the most specific network mask). A default route (0.0.0.0/0) matches every destination but with zero bits, so it is used only when no more specific route exists. The show ip route output sorts entries numerically, which is what gives the top-to-bottom appearance.

The following outlines the process of actions taken by a router when it receives an IP packet:

1. When a router receives an IP packet on one of its interfaces, it reads the destination IP address from the Layer 3 header of the packet.
2. It then uses the destination IP address to check its routing table for an available route (path), choosing the longest-prefix match.
3. If a suitable route is found, it sends the packet to the next hop via the exit interface.
4. If no specific route is found, the router checks for a gateway of last resort (default route) to forward the packet.
5. If neither is found, the router drops the packet and replies to the sender with an ICMP Destination Unreachable message.
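The five steps above can be modelled in a few lines. The following Python script is an added example (it is not part of the book or its code files): it builds a copy of the Branch-A routing table from Figure 7.7, performs the longest-prefix match that IOS uses, and shows that 10.1.1.0/24 is unreachable until a route or a gateway of last resort exists. The static route and default route in the "after" table are assumptions for the demonstration (they are configured in the next chapter), and the exit interface recorded on them is the interface the next hop resolves to.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One installed routing-table entry (an IPv4 child route)."""
    code: str                  # routing protocol code, e.g. "C", "L", "S", "O", "S*"
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]    # None for connected and local routes
    interface: str             # exit interface


def route(code: str, prefix: str, next_hop: Optional[str], interface: str) -> Route:
    return Route(code, ipaddress.IPv4Network(prefix), next_hop, interface)


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match: the installed route that matches the destination
    with the most leading bits wins. Table order is irrelevant; a /0 default
    route matches everything with zero bits and so is chosen only when no more
    specific route matches. Returns None when nothing matches."""
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def forward(table: List[Route], destination: str) -> str:
    """Describe the forwarding decision for one packet (steps 3 to 5 in the text)."""
    best = lookup(table, destination)
    if best is None:
        # Step 5: no matching route and no gateway of last resort.
        return "drop; ICMP Destination Unreachable to sender"
    if best.code == "L":
        return "deliver locally (address belongs to this router)"
    if best.next_hop is None:
        # Connected route: the destination is on this link, so ARP for it directly.
        return f"connected on {best.interface}; ARP for {destination}"
    return f"via {best.next_hop} out {best.interface} ({best.code} {best.prefix})"


# Constructed copy of the Branch-A routing table in Figure 7.7: only the two
# connected networks and their local host routes.
BRANCH_A_BEFORE = [
    route("C", "10.2.1.0/24", None, "GigabitEthernet0/2"),
    route("L", "10.2.1.10/32", None, "GigabitEthernet0/2"),
    route("C", "172.16.1.0/24", None, "GigabitEthernet0/0"),
    route("L", "172.16.1.1/32", None, "GigabitEthernet0/0"),
]

# Assumed state after a static route to the HQ LAN and a default route
# (gateway of last resort) pointing at the HQ router have been added.
BRANCH_A_AFTER = BRANCH_A_BEFORE + [
    route("S", "10.1.1.0/24", "10.2.1.5", "GigabitEthernet0/2"),
    route("S*", "0.0.0.0/0", "10.2.1.5", "GigabitEthernet0/2"),
]

if __name__ == "__main__":
    for dest in ("10.1.1.10", "8.8.8.8", "10.2.1.5", "10.2.1.10"):
        print(f"before: {dest:<12} -> {forward(BRANCH_A_BEFORE, dest)}")
        print(f"after:  {dest:<12} -> {forward(BRANCH_A_AFTER, dest)}")
```

Running the script with the "before" table reproduces the failure seen from PC2: the packet for 10.1.1.10 matches nothing and is dropped with an ICMP Destination Unreachable. With the "after" table the same packet matches both the /24 static route and the /0 default route, and the /24 wins regardless of where it sits in the list.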
Now that you have completed this section, you have learned how Cisco IOS routers determine a suitable path to forward a packet. In the next section, we will discuss each component within the routing table.

Components of the routing table

To further understand how routers make their decisions when it comes to forwarding packets between networks, it's important to understand each component of the routing table within a Cisco IOS router. In this section, we will cover all the essential components that are part of the routing table, including:

Routing protocol codes
Prefix
Network mask
Next hop
Administrative distance (AD)
Metric
Gateway of last resort

Let's start with routing protocol codes.

Routing protocol codes

When you execute the show ip route command on a Cisco router, the very first thing you will see is a concise list of codes. These codes are formally referred to as routing protocol codes. Each code is used to help you identify how a route has been learned and added to the routing table.

The following snippet shows the routing protocol codes of a Cisco IOS router:

Figure 7.8 – Routing protocol codes

The following is a brief description of the essential codes you need to know as a CCNA student:

C: This code indicates that the route is directly connected to the router. Put simply, when you configure an IP address on a router's interface and it's made active, the router automatically inserts a directly connected route to that network within its routing table.

L: This code indicates the route is a local route. A local route points not to a network like the others, but to a single host address: the /32 (or /128) address configured on the router's own interface. Local routes are inserted into the routing table automatically when you configure an IP address on an active interface on a router. If you look closely at the routing table, you will notice that the IP address on a local route is the same as the address on the interface itself. Local routes cannot be configured by hand; a manually configured host route to a device on a remote network appears as a static (S) route with a /32 mask instead.

S: This code indicates the route has been manually configured and inserted into the routing table; this is known as a static route.

R: This routing code indicates that the router has learned about a remote network via a dynamic routing protocol known as Routing Information Protocol (RIP). RIP is an old distance-vector routing protocol that allows routers to exchange routing information and update their routing tables automatically. RIP is an Interior Gateway Protocol (IGP), used within an internal or private network.

B: This code indicates that the router has learned about a remote network via the Border Gateway Protocol (BGP). BGP is known as an Exterior Gateway Protocol (EGP) and is commonly used on the internet between ISPs to exchange public networks.

D: This routing code indicates that the route has been learned by the Enhanced Interior Gateway Routing Protocol (EIGRP).

EX: This code indicates that an external route, such as a route redistributed into EIGRP from another source or the route to the internet, has been learned via EIGRP. It appears alongside the D code (as D EX).

O: This code indicates that the route has been learned by the Open Shortest Path First (OSPF) routing protocol.

*: This code indicates the route is a candidate default route, which usually points to the internet. This code is always coupled with another routing code (for example, S* or O*E2), as you will discover in the next chapter.

The following snippet shows the current routes of the Branch-A router:

Figure 7.9 – Parent route

Within the routing table, you will commonly see entries installed without an actual path to reach the destination network. The highlighted entry is known as a parent route. The parent route is usually indicated by a classful network ID. In the preceding snippet, the parent route contains a destination network of 10.0.0.0/8 with two child routes: 10.2.1.0/24 and 10.2.1.10/32.

Let's take a look at the following snippet, which shows examples of child routes on the Branch-A router:

Figure 7.10 – Child routes

Looking closely at the highlighted areas in the preceding snippet, you should notice that only child routes contain the routing protocol codes; the parent routes do not, and a router never forwards a packet using a parent route alone. A nice feature of the Cisco IOS is that it displays each route in numerical order within the routing table, which makes it easy for us to read and audit the table.

The following snippet shows an example of routes learned via the OSPF routing protocol:

Figure 7.11 – Dynamically learned routes

A dynamically learned route always contains extra parameters (administrative distance, metric, next hop, age, and exit interface) compared to both local and directly connected routes. In the next few sections, we will take a look at these additional components and their functions.
Prefix and network mask

Another important component of the routing table, and specifically part of a route, is the prefix. The prefix is identified as the destination network ID. When the router is looking for a suitable route, it checks the prefix of each installed route in its routing table for the longest match against the destination address.

The following snippet shows the prefix within the routing table:

Figure 7.12 – Prefix

For every prefix within the routing table, there's an associated network mask in the /x format. The following snippet shows that the highlighted area within each route has a prefix and network mask:

Figure 7.13 – Network mask

The network mask in the routing table represents the subnet mask for each prefix (network ID). If you recall, in Chapter 3, IP Addressing and Subnetting, we learned that the value represents the number of ones within the subnet mask of each network. For example, a network mask of /24 simply means there are 24 ones within the subnet mask; when converting the mask from binary to decimal, the result will be 255.255.255.0.

Next hop

When a remote route is inserted into the routing table, a next hop is usually associated with reaching the destination network. To gain a better understanding of this, let's take a look at the following snippet:

Figure 7.14 – Next hop

In the preceding snippet, we can identify a total of four remote networks learned via the OSPF routing protocol. Let's take a look at the route for the 10.1.1.0/24 network. From our topology, we can see that this network is located on the HQ LAN and the only way a branch router is able to forward a packet to that network is by sending the packet to the HQ router at the 10.2.1.5 address.

Let's break down the route and the topology a bit further. Once again, let's dissect the following route:

O 10.1.1.0/24 [110/2] via 10.2.1.5, 00:07:45, GigabitEthernet0/2

We can determine the following:

The route was learned via the OSPF routing protocol (code O).
The destination network is 10.1.1.0/24.
The values in square brackets are the administrative distance (110) and the metric (2).
The only way to reach the destination network (10.1.1.0/24) is through 10.2.1.5, which is known as the next hop in the routing table.
The timer (00:07:45) indicates how long the route has been in the routing table.
The interface (GigabitEthernet0/2) represents the exit interface.

The exit interface is simply the exit door from the Branch-A router that leads toward 10.2.1.5.
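To make the dissection above mechanical, here is an added Python parser (example code written for this edition, not from the book or its code files) that splits show ip route lines into the components named in this section: code, prefix, mask length, AD, metric, next hop, age and exit interface. Connected and local routes carry no [AD/metric] bracket, so their AD is recorded as 0, which is what IOS implies. The sample output is constructed to resemble the Branch-A table; the D EX line is included only to exercise two-letter codes and is not part of the chapter's topology.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One "show ip route" child entry. Matches connected/local lines
# ("C  10.2.1.0/24 is directly connected, GigabitEthernet0/2"), static lines
# with only a next hop ("S  10.1.1.0/24 [1/0] via 10.2.1.5") and dynamic
# lines with [AD/metric], next hop, age and exit interface.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z][A-Z*0-9]*(?:\s[A-Z][A-Z0-9])?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3})/(?P<length>\d{1,2})"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"(?:\s+via\s+(?P<next_hop>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"(?:\s+is directly connected)?"
    r"(?:,\s+(?P<age>\d{2}:\d{2}:\d{2}|\d+[wdh]\d+[dhm]?))?"
    r"(?:,\s+(?P<interface>[A-Za-z]+[0-9/.]+))?"
    r"\s*$"
)
GATEWAY_RE = re.compile(r"^Gateway of last resort is (\S+) to network (\S+)")


@dataclass(frozen=True)
class RouteEntry:
    code: str                 # routing protocol code, e.g. "O", "S*", "D EX"
    prefix: str               # destination network ID
    length: int               # network mask in /x form
    ad: int                   # administrative distance (0 for C and L, which omit it)
    metric: int               # protocol metric (0 for C and L)
    next_hop: Optional[str]
    age: Optional[str]        # how long the route has been in the table
    interface: Optional[str]  # exit interface


def parse_route(line: str) -> Optional[RouteEntry]:
    """Parse one child route. Returns None for legend lines, the gateway line
    and parent routes, none of which carry a protocol code."""
    m = ROUTE_RE.match(line.strip())
    if not m:
        return None
    return RouteEntry(
        code=m["code"],
        prefix=m["prefix"],
        length=int(m["length"]),
        ad=int(m["ad"]) if m["ad"] is not None else 0,
        metric=int(m["metric"]) if m["metric"] is not None else 0,
        next_hop=m["next_hop"],
        age=m["age"],
        interface=m["interface"],
    )


def parse_show_ip_route(text: str) -> Tuple[Optional[str], List[RouteEntry]]:
    """Return (gateway_of_last_resort, [RouteEntry, ...]) for a full dump."""
    gateway = None
    routes: List[RouteEntry] = []
    for line in text.splitlines():
        g = GATEWAY_RE.match(line.strip())
        if g:
            gateway = g.group(1)
            continue
        entry = parse_route(line)
        if entry:
            routes.append(entry)
    return gateway, routes


# Constructed sample modelled on the Branch-A output in Figures 7.9 to 7.19.
SAMPLE = """\
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is 10.2.1.5 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.2.1.5
      10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
O        10.1.1.0/24 [110/2] via 10.2.1.5, 00:07:45, GigabitEthernet0/2
C        10.2.1.0/24 is directly connected, GigabitEthernet0/2
L        10.2.1.10/32 is directly connected, GigabitEthernet0/2
O        10.3.1.0/24 [110/3] via 10.2.1.5, 00:07:45, GigabitEthernet0/2
D EX     10.9.0.0/16 [170/3328] via 10.2.1.5, 1d02h, GigabitEthernet0/2
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/24 is directly connected, GigabitEthernet0/0
L        172.16.1.1/32 is directly connected, GigabitEthernet0/0
"""

if __name__ == "__main__":
    gw, table = parse_show_ip_route(SAMPLE)
    print("gateway of last resort:", gw)
    for entry in table:
        print(entry)
```

Parent routes ("10.0.0.0/8 is variably subnetted ...") and the code legend are skipped on purpose: they describe the table but are not routes a packet can be forwarded on.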
In the next chapter, we will explore routing in more detail. We will need to address the fact that not all configured routes have a next hop, since some routes may be configured to use only an exit interface, while others use a next hop and an exit interface at the same time.
Administrative Distance

Administrative Distance (AD) is simply the trustworthiness of a route source. A Cisco IOS router can support multiple routing protocols running at one time. Each routing protocol has its own unique algorithm that is used to choose a best path or route to install within the routing table. The best route will be used when forwarding packets to a destination.

Let's take a look at the following topology:

Figure 7.15 – Administrative Distance topology

In the preceding diagram, let's imagine the PC wants to send a message to the server. The following are the steps taken by the PC and the router when forwarding a packet:

1. The PC will check the destination's IP address and determine whether 10.0.0.10 belongs on the same IP network as the PC. Since it's a different network, the PC will proceed to send the message to its default gateway. Additionally, the PC will set the destination MAC address as that of the default gateway, Router-A. This is how end devices, such as PCs and servers, send messages that are intended to leave the network to their default gateway.

Important note

The default gateway is a device such as a router that has a path to the internet or a foreign network that does not belong to the local network. This is also the node that packets are forwarded to when no other specific route to the destination is found in the routing table.

2. When the router receives the incoming packet from the PC, it will de-encapsulate it and check the destination IP address. In this scenario, the destination IP address is 10.0.0.10.

3. The router will then check its routing table for a suitable route (path) to forward the packet.

At this point, the router has four candidate paths to reach the server: Path A, Path B, Path C, and Path D. Let's assume each path is learned from a different routing source:

RIP – configured on Path A
OSPF – configured on Path B
EIGRP – configured on Path C
Static route – configured on Path D

What would the router do? Cisco has set a default administrative distance for each routing source within Cisco IOS on all their devices. The following table contains the default administrative distances for each route source (directly connected 0, static 1, external BGP 20, EIGRP 90, OSPF 110, IS-IS 115, RIP 120, EIGRP external 170, internal BGP 200):

Figure 7.16 – Administrative Distance table

Back to our scenario. Looking at the preceding table, the route with the lowest administrative distance will be the preferred route to the destination network. So, the preferred route would be the static route via Path D because it has an AD of 1, which is the lowest out of all the other routing protocols and paths. Only that route is installed in the routing table; the RIP, OSPF, and EIGRP candidates remain in their protocols' own databases and take over only if the static route is removed.

Another important question we must consider is: How can you determine the administrative distance of a route? The simplest method would be to learn the table provided. Additionally, for each route installed in its routing table, the router inserts the AD after the prefix and network mask, as shown in the following snippet:

Figure 7.17 – Administrative Distance in the routing table

Let's imagine the routing table does not contain any routing protocol codes. Simply by looking at the AD value next to each prefix and cross-referencing the table, you can quickly determine the routing protocol, and vice versa if there isn't any administrative distance value but only routing protocol codes.

If you look closely at the preceding routing table, you will see that directly connected (C) and local (L) routes do not display any administrative distance. It is simply implied that the AD value is 0, since 0 is the most trustworthy route given that the network is physically connected to the router. Keep in mind that AD is a locally significant preference: it is never advertised to other routers, and it can be changed per route or per protocol, which is how a static route can be made to act as a backup to a dynamically learned route.
Routing metrics

In the previous section, we spoke about a router that was running multiple routing protocols and had to choose the most trustworthy route to install in its routing table. So, what if the router is using only one routing protocol, such as OSPF, and there are multiple paths to the same destination network? What will the router do then? In this situation, the router will compare the metric value of each possible route and will only install the route that has the lowest metric. If several routes share the lowest metric, the router installs all of them (up to its maximum-paths limit) and load-balances across them.

Important note

The metric is also referred to as the cost of a route. Each routing protocol uses its own algorithm to calculate the best possible path to a destination network, and assigns a numerical value (metric) to each available path. Metrics are only comparable between routes from the same protocol; a RIP hop count of 2 and an OSPF cost of 2 mean different things.

The following snippet shows a routing table containing various routes and their metric values:

Figure 7.18 – Metric

As mentioned, each routing protocol uses a different method of calculating the metric (cost) to reach a destination network. Here, we will take a brief look at the metrics used by each Interior Gateway Protocol (IGP).

The following is a brief list of dynamic routing protocols.

Routing Information Protocol

RIP is one of the first-generation routing protocols that allowed routers to automatically learn about new networks and update the routing table if a change was made to the network topology. The downside of RIP is that it uses a metric of hop count and only supports a maximum hop count of 15. This means that, between a sender and a destination network, there must be 15 or fewer routers. A network that is 16 hops away is advertised with a metric of 16, which RIP treats as infinity (unreachable); the route is never installed, so a router with no other path to that network drops the packet and returns a Destination host unreachable response to the sender.

If you recall, in the Understanding IP routing section, we noted that an IP packet contains a Time To Live (TTL) field, which contains a numerical value that decreases as the packet passes each hop (router or Layer 3 device) on the way to its destination. This is a loop prevention mechanism to ensure that a packet does not live forever on a computer network. The RIP hop limit is a separate, protocol-level limit on how far a route can be advertised.

Important note

RIP is a distance-vector routing protocol. However, since RIP is no longer a part of the CCNA 200-301 examination objectives, we will not be discussing RIP further.

RIP uses the Bellman-Ford algorithm, which calculates the hop count between a local router and the destination networks. It will use the route with the lowest number of hops (metric) and install it within the routing table.

Open Shortest Path First

The OSPF routing protocol uses the Shortest Path First (SPF) algorithm, which was created by Edsger Dijkstra. OSPF assigns each interface a cost derived from its bandwidth (by default, a reference bandwidth of 100 Mbps divided by the interface bandwidth) and uses the cumulative cost of the interfaces along a path as the metric for a route to a destination network. With OSPF, the number of hops a packet has to pass before reaching its destination does not matter; rather, it is the path with the lowest total cost that is installed.

Enhanced Interior Gateway Routing Protocol

EIGRP was a Cisco proprietary protocol until 2013. It uses the Diffusing Update Algorithm (DUAL) to calculate the best and most cost-effective path. Unlike the other dynamic routing protocols, EIGRP is considered to be a hybrid (advanced distance-vector) routing protocol, as it does not only calculate the best loop-free path to a destination network (the successor), but also a backup loop-free path (the feasible successor). Thus, in the event the main path goes down, EIGRP can almost immediately place the backup loop-free path into the routing table.

Important note

EIGRP is no longer part of the CCNA 200-301 examination objectives.

DUAL uses the following to calculate the metric for network routes:

Bandwidth
Delay
Load (shown per interface as txload and rxload)
Reliability

These are known as the EIGRP metric components and are weighted by the K values (K1 to K5). By default, K1 and K3 are set to 1 and the others to 0, so EIGRP only uses the bandwidth and delay values during its metric calculations.
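The selection rules from the Administrative distance and Routing metrics sections, written out as an added Python example (not the book's code): first the lowest AD wins, then the lowest metric among the candidates from that source, and equal-cost paths are kept up to the maximum-paths limit. The EIGRP function computes the classic composite metric with the default K values. The candidate metrics in the two scenarios are constructed for illustration; the AD values are the Cisco IOS defaults.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Default administrative distances in Cisco IOS (the values of the AD table).
DEFAULT_AD = {
    "connected": 0,
    "static": 1,
    "eBGP": 20,
    "EIGRP": 90,
    "OSPF": 110,
    "IS-IS": 115,
    "RIP": 120,
    "EIGRP external": 170,
    "iBGP": 200,
}


@dataclass(frozen=True)
class Candidate:
    """A route offered to the routing table by one routing source."""
    prefix: str
    source: str      # key into DEFAULT_AD
    metric: int      # only comparable with candidates from the same source
    next_hop: str


def select_routes(candidates: List[Candidate], max_paths: int = 4) -> Dict[str, List[Candidate]]:
    """Decide which candidates are installed for each prefix.

    1. Lowest administrative distance wins (trust the source).
    2. Among candidates from that source, the lowest metric wins.
    3. Equal lowest metrics are all installed, up to max_paths, for
       equal-cost load balancing.
    """
    by_prefix: Dict[str, List[Candidate]] = defaultdict(list)
    for c in candidates:
        by_prefix[c.prefix].append(c)

    rib: Dict[str, List[Candidate]] = {}
    for prefix, cands in by_prefix.items():
        best_ad = min(DEFAULT_AD[c.source] for c in cands)
        trusted = [c for c in cands if DEFAULT_AD[c.source] == best_ad]
        best_metric = min(c.metric for c in trusted)
        rib[prefix] = [c for c in trusted if c.metric == best_metric][:max_paths]
    return rib


def eigrp_classic_metric(min_bandwidth_kbps: int, total_delay_usec: int,
                         load: int = 1, reliability: int = 255,
                         k1: int = 1, k2: int = 0, k3: int = 1,
                         k4: int = 0, k5: int = 0) -> int:
    """EIGRP classic composite metric.

    bandwidth term = 10^7 / lowest bandwidth on the path (kbps)
    delay term     = sum of interface delays in tens of microseconds
    With the default K values (K1 = K3 = 1, others 0) this reduces to
    256 * (bandwidth + delay); load and reliability are ignored.
    """
    bw = 10_000_000 // min_bandwidth_kbps
    delay = total_delay_usec // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256


# Constructed scenario from Figure 7.15: four sources offer 10.0.0.0/24.
AD_SCENARIO = [
    Candidate("10.0.0.0/24", "RIP", 2, "Path A"),
    Candidate("10.0.0.0/24", "OSPF", 20, "Path B"),
    Candidate("10.0.0.0/24", "EIGRP", 30720, "Path C"),
    Candidate("10.0.0.0/24", "static", 0, "Path D"),
]

# Constructed OSPF-only scenario with three paths to the same network.
METRIC_SCENARIO = [
    Candidate("10.1.1.0/24", "OSPF", 20, "10.2.1.5"),
    Candidate("10.1.1.0/24", "OSPF", 30, "10.2.1.6"),
    Candidate("10.1.1.0/24", "OSPF", 20, "10.2.1.7"),
]

if __name__ == "__main__":
    print(select_routes(AD_SCENARIO))
    print(select_routes(METRIC_SCENARIO))
    print("GigabitEthernet, one hop:", eigrp_classic_metric(1_000_000, 10))
    print("FastEthernet, two hops:  ", eigrp_classic_metric(100_000, 200))
```

The EIGRP values match what you see on a router: a single GigabitEthernet hop (1,000,000 kbps, 10 microseconds) is 2816, a single FastEthernet hop is 28160, and a second FastEthernet hop adds only delay because the bandwidth term is already set by the slowest link.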
Gateway of last resort

The last component of the routing table, and one that is of great importance, is the gateway of last resort. This is the default gateway that is inserted within the routing table of a Cisco router. Cisco routers also need to be configured with a default route that points toward the internet. Without a gateway of last resort, Cisco routers will not be able to forward traffic from the internal Local Area Networks (LANs) to the internet.

The gateway of last resort is either statically configured by a network professional on the Cisco router or distributed via a dynamic routing protocol such as OSPF.

The following snippet shows a Cisco router that has a gateway of last resort within its routing table:

Figure 7.19 – Gateway of last resort

In the preceding snippet, the gateway of last resort is 10.2.1.5. Additionally, the routing table contains a default route that is learned via OSPF and that also has a next hop of 10.2.1.5. Where the default route appears in the display does not affect how it is used.

Important note

A default route is only used for destinations that do not match any other network within the routing table. Cisco routers do not contain every network that exists on the internet and, if they did, the routing table would be huge. The default route is designed to send traffic to a device that leads to the internet; this device is known as the gateway of last resort.

The reason the default route is consulted last has nothing to do with its position in the list: the router performs a longest-prefix match, and a /0 prefix is the shortest possible match, so any other matching route is preferred over it. If there are no more specific routes to forward the packet, the default route is used to forward the packet. However, if a router has neither a matching route nor a default route, the router sends an ICMP Destination Unreachable message back to the sender.

Having completed this section, you have gained the essential knowledge to predict the decisions of a Cisco router. Furthermore, you have learned how routers make their decisions on populating routes within their routing table and how they make forwarding decisions to ensure that packets always take the most trusted and cost-efficient paths to their destinations.

Summary

During the course of this chapter, we have discussed the strategies that Cisco IOS routers use to forward packets to their intended destinations. We looked at the routing table and broke down each component to give you a greater understanding of each component's purpose and responsibility on the router. You have learned how to predict the forwarding decision of a Cisco router in the following situations: when there are multiple routing protocols giving a route to the same destination network, when the same routing protocol has multiple paths to the same network, and when there are multiple paths with the same cost (metric).

I hope that this chapter has been informative and helps you on your journey toward learning how to implement and administer Cisco solutions and prepare for the CCNA 200-301 certification. In the next chapter, Understanding First Hop Redundancy, Static and Dynamic Routing, we will learn how to set up static and dynamic routing protocols to ensure IP connectivity between multiple networks in a Cisco environment.
Questions

The following is a short list of review questions to help reinforce your learning and help you identify which areas require improvement.

1. What is the administrative distance of a directly connected route?
A. 0
B. 1
C. 5
D. 110

2. A router has RIP, EIGRP, and OSPF running at the same time. Each protocol has a path to the network 192.168.1.0/27. Which path will be installed in the routing table?
A. EIGRP
B. RIP
C. OSPF
D. All of the above

3. Which of the following routing protocol codes is used to represent a default route in the routing table?
A. D
B. *
C. S
D. O

4. Which of the following statements is true regarding administrative distance?
A. Administrative distance is the cost between a source and destination network.
B. Administrative distance represents the actual distance between the source and destination network.
C. Administrative distance is calculated by the router.
D. Administrative distance is used to represent the trustworthiness of a route.

5. A router is using only the OSPF routing protocol to learn remote networks. If there are three paths to the same destination network, what will the router do?
A. The router will install the path with the highest metric.
B. The router will install the path with the lowest metric.
C. The router will install all paths that have the same metrics.
D. The router will install all paths regardless of their metrics.

6. A router uses the parent routes when forwarding packets to a destination. True or false?
A. True
B. False

7. The network mask of a parent route is the same as the child routes. True or false?
A. True
B. False

8. What is the purpose of the timer within the routing table?
A. It indicates the current time on the router.
B. It indicates how long the router has been powered on.
C. It indicates how long the routing table is available for.
D. It indicates how long the route has been installed in the routing table.

9. Which of the following statements is not true?
A. The routing table is stored in the running config.
B. The routing table is stored in Flash.
C. The routing table is stored in NVRAM.
D. All of the above.

10. Which of the following protocol codes represents EIGRP in the routing table?
A. O
B. E
C. D
D. R

Further reading

The following links are recommended for additional reading:

Route selection: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/8651-21.html
Understanding the routing table: https://www.ciscopress.com/articles/article.asp?p=2180210&seqNum=12
Chapter 8: Understanding First Hop Redundancy, Static and Dynamic Routing

Routers are computers too. They help us interconnect different IP networks. Without them, we can't communicate or exchange messages with a device or user on another network in a different location. These devices are super smart and help forward packets to their intended destinations. Routers determine the best path to forward packets to their destinations, rather than us having to make a decision each time a device wants to exchange a message across a network.

In this chapter, you will learn the essential details of static routing. We'll talk about the types of static routes that can be implemented on a network and their use cases. Furthermore, you will learn how dynamic routing protocols automatically learn remote networks and update routing tables. Lastly, you will learn how to implement static routes and configure the OSPF routing protocol in a Cisco environment.

In this chapter, we will cover the following topics:

Understanding static routing
Configuring static routing
Understanding dynamic routing
Configuring the dynamic routing protocol
Understanding first hop redundancy

Technical requirements

To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:

Cisco Packet Tracer: https://www.netacad.com
Cisco IOSv
GNS3
Cisco 2911 routers

The code files for this chapter are available here: https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2008.

Check out the following video to see the Code in Action: https://bit.ly/33QUbvL
Understanding static routing

Why don't Cisco routers automatically forward traffic like Cisco IOS switches? Each interface on a Cisco router must be on a unique IP network. Without an IP address configured on a router's interface, the router will not know what to do with incoming messages. To put this simply, when you unbox a new Cisco IOS router and insert it into your network, it does not do anything. That's right – it does absolutely nothing by default.

When you configure an IP address on a Cisco IOS router's interface, the router inserts two routes (a connected route and a local route) within its routing table. Let's take a look at the following topology to get a better understanding of this:

Figure 8.1 – Simple network topology

Within the network topology, there are a total of three networks: 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24. We might assume the routers automatically know about all the networks and update the routing table, but this does not happen.

Let's take a look at R1's routing table after configuring the IP addresses on both its GigabitEthernet0/0 and GigabitEthernet0/1 interfaces:

Figure 8.2 – Routing table

R1 only knows about its directly connected networks: 192.168.1.0/24 and 192.168.2.0/24. Therefore, if PC1 tries to send a message to the 192.168.3.0/24 network, R1 will respond with a destination host unreachable message. By default, routers only know about directly connected networks. All other networks are considered to be remote networks. Static routing allows us to manually implement a static route that tells R1 how to reach the 192.168.3.0/24 network.

How do we create a static route? A static route is the path to a remote network that is not directly connected to the router. Firstly, looking at the topology, we must ask ourselves: if a packet is currently on R1, how does it reach the 192.168.3.0/24 network? It definitely has to be sent to R2. More specifically, it has to be sent to R2's GigabitEthernet0/1 interface via the 192.168.2.1 IP address. If we were to write a statement, we would get the following:

"Traffic whose destination is 192.168.3.0 that has a subnet mask of 255.255.255.0 should be forwarded to 192.168.2.1 as the next hop."

When we create a static route on R1 from the preceding statement, we get the following command:

ip route 192.168.3.0 255.255.255.0 192.168.2.1

Whenever you're creating a static route, start with the destination network (192.168.3.0), then its subnet mask (255.255.255.0), and lastly, specify the next hop IP address (192.168.2.1). Additionally, instead of specifying the next hop, you can specify the exit interface of R1, GigabitEthernet0/1. Keep in mind that R2 will also need a route to return traffic back to the 192.168.1.0/24 network; without it, PC1's packets reach 192.168.3.0/24 but the replies are dropped at R2 with a Destination Unreachable.
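The next hop resolution and the return-route check described above can be verified before touching a router. The following Python example is added here and is not part of the book's code files; it parses ip route commands for the Figure 8.1 topology, reports whether each static route would actually install (IOS only installs a static route whose next hop lies in a connected network), and checks both directions between the two LANs. Only R2's 192.168.2.1 address is given in the text; the other interface addresses are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network

# Constructed topology from Figure 8.1. Only 192.168.2.1 on R2's
# GigabitEthernet0/1 comes from the text; the other addresses are assumptions.
ROUTERS: Dict[str, Dict[str, str]] = {
    "R1": {"GigabitEthernet0/0": "192.168.1.1/24", "GigabitEthernet0/1": "192.168.2.2/24"},
    "R2": {"GigabitEthernet0/1": "192.168.2.1/24", "GigabitEthernet0/0": "192.168.3.1/24"},
}


@dataclass
class StaticRoute:
    network: IPv4Net
    next_hop: Optional[ipaddress.IPv4Address] = None
    interface: Optional[str] = None


def parse_ip_route(command: str) -> StaticRoute:
    """Parse 'ip route <network> <mask> <next-hop | exit-interface | exit-interface next-hop>'."""
    parts = command.split()
    if parts[:2] != ["ip", "route"] or len(parts) < 5:
        raise ValueError(f"not an ip route command: {command!r}")
    route = StaticRoute(IPv4Net(f"{parts[2]}/{parts[3]}", strict=True))
    for token in parts[4:]:
        try:
            route.next_hop = ipaddress.IPv4Address(token)
        except ipaddress.AddressValueError:
            route.interface = token          # anything that is not an address is an interface
    return route


def connected_networks(router: str) -> Dict[str, IPv4Net]:
    """Interface name -> connected network, i.e. the C routes of that router."""
    return {ifname: ipaddress.IPv4Interface(addr).network
            for ifname, addr in ROUTERS[router].items()}


def resolve(router: str, route: StaticRoute) -> Optional[str]:
    """Return the exit interface the router would use for this static route, or
    None when the next hop is not on a connected network (IOS keeps such a route
    in the configuration but does not install it in the routing table)."""
    if route.interface is not None:
        return route.interface if route.interface in ROUTERS[router] else None
    for ifname, net in connected_networks(router).items():
        if route.next_hop in net:
            return ifname
    return None


def has_path(router: str, statics: List[StaticRoute], destination: IPv4Net) -> bool:
    """True if the router can forward to destination: connected, or covered by an
    installed static route."""
    if any(destination.subnet_of(net) for net in connected_networks(router).values()):
        return True
    return any(destination.subnet_of(r.network) and resolve(router, r) is not None
               for r in statics)


def end_to_end(config: Dict[str, List[str]], src: str, dst: str) -> Dict[str, bool]:
    """Check both directions between two LANs: a static route on R1 alone gets the
    packet to R2, but the reply is dropped without a return route on R2."""
    statics = {rtr: [parse_ip_route(c) for c in cmds] for rtr, cmds in config.items()}
    src_net, dst_net = IPv4Net(src), IPv4Net(dst)
    return {
        "forward": all(has_path(r, statics[r], dst_net) for r in statics),
        "return": all(has_path(r, statics[r], src_net) for r in statics),
    }


# The chapter's first attempt (R1 only) and the complete configuration.
CONFIG_R1_ONLY = {"R1": ["ip route 192.168.3.0 255.255.255.0 192.168.2.1"], "R2": []}
CONFIG_BOTH = {
    "R1": ["ip route 192.168.3.0 255.255.255.0 192.168.2.1"],
    "R2": ["ip route 192.168.1.0 255.255.255.0 192.168.2.2"],
}

if __name__ == "__main__":
    print(end_to_end(CONFIG_R1_ONLY, "192.168.1.0/24", "192.168.3.0/24"))
    print(end_to_end(CONFIG_BOTH, "192.168.1.0/24", "192.168.3.0/24"))
```

With only R1 configured, the forward check passes and the return check fails, which is exactly the symptom of a one-sided static route: pings from PC1 leave the LAN but never get an answer. A next hop that is not on any connected network (for example 10.9.9.9) resolves to no interface, and such a route would never appear in show ip route.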
Implementingstaticrouteshasbothitsprosandcons.Inthenextsection,wewilltakealookatthebenefitsanddownsidesofusingstaticroutinginanenterprisenetwork.
Doweneedstaticrouting?Asanetworkgrows,additionalstaticroutesarecreated.Therefore,thenumberofstaticroutesincreasesasthenetworktopologygrows.Ifthereisachangeonthenetworktopology,whetheranewnetworkiscreated,removed,ormodified,thenetworkengineerhastomanuallyadjustthestaticrouteconfigurationsoneachdevicetosupportthechangeonthenetwork.Staticroutesaregoodenough
Telegram Channel : @IRFaraExam
for small and simple network topologies, but for a large enterprise topology that has many IP subnets with remote sites (offices/networks), static routing can become complex.
However, there are advantages to using static routing on a network. When a network administrator installs a static route within the routing table of a router, it is manually configured and inserted. This provides improved security compared to using dynamic routing protocols, which have the ability to modify the routing table automatically. Let's imagine a hacker injects unsolicited dynamic routes into an enterprise routing domain and causes all the organization's routers to forward traffic destined for the internet through the hacker's computer. With static routes, the routes have to be manually adjusted.
With dynamic routing protocols, their algorithms have to calculate the best path by using various metrics. With static routing, there's no algorithm. The router simply checks the routing table for a best-match route. Once a suitable route is found, the router stops searching and forwards the packet according to the static route.
When it comes to predicting the next hop, this is easy with static routing as the path does not change. With dynamic routing protocols, if there is a change in the network topology, the next hop address may change based on the dynamic routing protocol algorithm's choice when selecting the best path and the next hop to forward packets.
The following are the best situations in which static routes should be used in your network environment:
To create a static route to a specific network in order to, for example, ensure the path to a specific network does not change
To create a default route to forward packets to the internet
To create a backup route
In the following sections, we'll learn about various types of static routes and how to apply them to the Cisco IOS router.
Types of static routes
There are many types of static routes, and each is used within a certain scenario on a network. In this section, we will learn about the characteristics of each type of static route and how to implement them on a Cisco network.
Network routes
Static network routes are those that are commonly used when configuring static routing. These routes are created to tell the router how to forward packets that are destined for a remote network.
To configure an IPv4 static route, use the following syntax:
Router(config)# ip route destination-network-address subnet-mask [next-hop-IP-address | exit-interface]
To configure an IPv6 static route, use the following syntax:
Router(config)# ipv6 unicast-routing
Router(config)# ipv6 route ipv6-prefix/ipv6-mask [next-hop-ipv6-address | exit-interface]
In the next section, we will take a look at next hop static routes.
Next hop static routes
Next hop static routes do the same as the previously described network route, but this time we use the next hop to specify which IP address the local router should forward the packet to.
To configure an IPv4 next hop static route, use the following syntax:
Router(config)# ip route destination-network-address subnet-mask next-hop-IP-address
The following is an example of an IPv4 static route using a next hop:
Branch-A(config)# ip route 10.1.1.0 255.255.255.0 10.2.1.5
To configure an IPv6 next hop static route, use the following syntax:
Router(config)# ipv6 unicast-routing
Router(config)# ipv6 route ipv6-prefix/ipv6-mask next-hop-ipv6-address
The following is an example of an IPv6 next hop static route:
HQ(config)# ipv6 unicast-routing
HQ(config)# ipv6 route 2001:ABCD:1234:2::/64 2001:ABCD:1234:5::10
The benefit of using a next hop is that the route specifies an IP address.
Remember that static routes do not change without user intervention. Therefore, the router will always use the next hop IP address.
In the next section, we'll take a look at using directly connected static routes.
Directly connected static routes
A directly connected static route has the same functionality as the network route, but rather than specifying a next hop, we use the exit-interface of the local router when configuring this route.
To configure an IPv4 directly connected static route, use the following syntax:
Router(config)# ip route destination-network-address subnet-mask exit-interface
The following is an example of an IPv4 directly connected static route:
Branch-A(config)# ip route 10.1.1.0 255.255.255.0 gigabitethernet0/2
To configure an IPv6 directly connected static route, use the following syntax:
Router(config)# ipv6 unicast-routing
Router(config)# ipv6 route ipv6-prefix/ipv6-mask exit-interface
The following is an example of an IPv6 directly connected static route:
HQ(config)# ipv6 unicast-routing
HQ(config)# ipv6 route 2001:ABCD:1234:2::/64 gigabitethernet0/1
The exit-interface acts as the doorway to leave the local router. When using this type of static route, the router is not concerned about the device on the other end catching this packet. It simply sends the packet out of a doorway (the exit-interface). Keep in mind that on a multi-access (Ethernet) interface, the router must then resolve every destination address with ARP on that interface, so an exit-interface-only route is best suited to point-to-point links.
In the next section, we'll take a look at configuring a fully specified static route.
Fully specified static routes
A fully specified static route is created by specifying both the exit-interface of the local router and the next hop IP address of the next router.
To configure an IPv4 fully specified static route, use the following syntax:
Router(config)# ip route destination-network-address subnet-mask exit-interface next-hop-IP-address
The following is an example of an IPv4 fully specified static route:
Branch-A(config)# ip route 10.1.1.0 255.255.255.0 gigabitethernet0/2 192.168.2.1
To configure an IPv6 fully specified static route, use the following syntax:
Router(config)# ipv6 unicast-routing
Router(config)# ipv6 route ipv6-prefix/ipv6-mask exit-interface next-hop-link-local-IPv6-address
The following is an example of an IPv6 fully specified static route:
HQ(config)# ipv6 unicast-routing
HQ(config)# ipv6 route 2001:ABCD:1234:2::/64 gigabitethernet0/1 FE80::2
The fully specified static route ensures all parameters are manually configured on the local router. In the next section, we'll take a look at the purpose of a default route.
Default route
What if the router receives a packet that has a destination address located on the internet? What will the router do? As you will have realized by now, if a router does not have a route within its routing table, it will reply to the sender with either a destination host unreachable or a destination network unreachable message. On the internet, there are hundreds of thousands of public networks, so it would be very inefficient to install all those public networks within the routing table of your router. It's a major issue if your router doesn't know how to reach or forward packets to the internet.
To solve this problem, we can use a special type of static route known as a default route. The default route is used to forward traffic to another router that may know what to do with a packet. Practically speaking, we use default routes to forward traffic to the internet.
To configure an IPv4 default route, use the following syntax:
Router(config)# ip route 0.0.0.0 0.0.0.0 <next-hop-IP-address | exit-interface>
Notice that in the preceding syntax, the destination network ID and subnet mask are all zeros (0s). This implies that any network that does not exist within the routing table uses this route.
The following is an example of an IPv4 default route that is using 10.2.1.5 as the next hop:
Branch-A(config)# ip route 0.0.0.0 0.0.0.0 10.2.1.5
To configure an IPv6 default route, use the following syntax:
Router(config)# ipv6 unicast-routing
Router(config)# ipv6 route ::/0 <next-hop-IPv6-address | exit-interface>
The following is an example of an IPv6 default route:
Branch-A(config)# ipv6 unicast-routing
Branch-A(config)# ipv6 route ::/0 2001:ABCD:1234:5::5
Why use ::/0 as the IPv6 destination network? As you may recall from Chapter 3, IP Addressing and Subnetting, the double-colon (::) represents that two or more hextets are zeros (0s). In this instance, the double-colon (::) represents that all hextets are 0s, with a subnet mask of 0 as well.
In the next section, we'll take a look at how host routes are used within a network.
Host routes
Host routes are either in the form of IPv4 or IPv6 addresses in the routing table. They can be installed automatically in the routing table, configured as static host routes, or obtained automatically through other methods. Host routes are used to route traffic to a specific host.
The following snippet shows some host routes that were automatically installed in the routing table:
Figure 8.3 – Host routes
A host route is a static route that simply specifies a host rather than a network. This type of static route allows you to create individual static routes that specify how to reach a specific host on a network.
To configure an IPv4 host route, use the following syntax:
Router(config)# ip route destination-ipv4-address 255.255.255.255 <next-hop-IP-address | exit-interface>
The following is an example of an IPv4 host route:
Router(config)# ip route 192.168.1.14 255.255.255.255 gigabitethernet0/2
To configure an IPv6 host route, use the following syntax:
Router(config)# ipv6 unicast-routing
Router(config)# ipv6 route destination-ipv6-global-unicast-address/128 <next-hop-IP-address | exit-interface>
The following is an example of an IPv6 host route:
Router(config)# ipv6 unicast-routing
Router(config)# ipv6 route 2001::201/128 gigabitethernet0/3
When configuring a host route, ensure all bits are 1s within the subnet mask, which means every bit of the destination IPv4 address must match. For an IPv4 host route, the subnet mask is 255.255.255.255; for IPv6, it's /128.
In the next section, we'll take a look at how to create a backup route using floating routes.
Floating route
Let's imagine your organization is using two internet service providers, ISP A and ISP B, for internet connectivity redundancy. ISP A serves as the primary link while ISP B is the backup in the event the connection to ISP A goes down.
The following diagram shows a simple network topology:
Figure 8.4 – Redundant internet connections
All traffic from the internal LAN will use ISP A as the preferred route. The following is the configuration used on R1 to ensure packets are sent to ISP A:
R1(config)# ip route 0.0.0.0 0.0.0.0 192.0.2.1
A floating static route can be created by simply specifying an Administrative Distance (AD) that is higher than that of a static route or a dynamic routing protocol. As an example, to create a floating static route that backs up a static route (which has an AD of 1 by default), the floating static route should be configured with an AD greater than 1. Floating static routes are very useful on a router, as they can act as a backup route to the primary route.
To create a floating route on R1 with an AD value of 2, we can use the following command:
R1(config)# ip route 0.0.0.0 0.0.0.0 192.0.2.1 2
Notice that, at the end of the next hop, there is a numerical value. Cisco IOS allows us to specify an AD value for the route. This allows us to create backup routes for dynamic routes that are no longer available.
The following snippet shows the path the packets will take if ISP A goes down:
Figure 8.5 – Backup route
The original route will be removed from the routing table, and the floating route will be installed and will become the primary route/path to reach the internet.
To configure an IPv4 floating route, use the following syntax:
Router(config)# ip route destination-network-address subnet-mask [next-hop-IP-address | exit-interface] administrative-distance-value
To configure an IPv6 floating route, use the following syntax:
Router(config)# ipv6 unicast-routing
Router(config)# ipv6 route ipv6-prefix/ipv6-mask [next-hop-ipv6-address | exit-interface] administrative-distance-value
Important Note
Floating static routes are created as backups for the default route or a dynamic route on the router. Keep in mind that static routes are persistent in the routing table.
Having completed this section, you have learned about the various types of static routes and how to implement them. The following sections will take you through a few hands-on labs, which will help you develop your static routing skills as a professional.
Lab – configuring static routing using IPv4
It's time to get some practical experience in implementing static routes to gain connectivity between remote networks. To get started, we'll be using the Cisco Packet Tracer application, which allows us to simulate a Cisco environment. Within the application, please design the following network topology:
Figure 8.6 – IPv4 static routing lab topology
Use the following guidelines to create this lab to ensure you get the same results:
Each PC is configured correctly with its appropriate IP addressing scheme, as shown in the topology diagram.
Ensure each PC can ping only its default gateway. For example, PC2 should be able to ping the Branch-A router via its 172.16.1.1 IP address.
The routers should be able to ping each other via their interfaces on the 10.2.1.0/24 network only.
Use only Cisco 2911 routers.
Having built the network topology, use the following instructions to implement static routes:
1. Firstly, as a good network professional, it is wise to verify the IP configurations on your devices. On each PC, open the Command Prompt program and execute the ipconfig command to verify that the correct IP address, subnet mask, and default gateway have been assigned.
Important Note
If you are using a physical lab with a Linux operating system, use the ifconfig command (or ip addr on newer distributions) to validate your IP address configurations.
2. On each router, use the show ip interface brief command to verify that the appropriate IP address is assigned on the correct interfaces and that the interfaces are in an Up/Up status.
3. Let's test the connectivity between each PC and its default gateway. On PC1, let's ping the HQ router, as shown in the following snippet:
Figure 8.7 – Default gateway connectivity test
The HQ router responds by sending the ICMP messages back to PC1. This response verifies connectivity between PC1 and its default gateway.
4. Next, let's attempt to test connectivity between remote networks, between PC1 and PC2. On PC1, use the ping 172.16.1.10 command, as shown in the following snippet:
Figure 8.8 – Connectivity test from PC1 to PC2
The default gateway, which is the HQ router, has responded with a destination host unreachable message. This indicates it does not have a route to reach host 172.16.1.10 in its routing table.
5. We can use the show ip route command on each router to determine which networks they have within their routing table. The following snippet shows the routing table on the HQ router:
Figure 8.9 – Routing table of the HQ router
You'll notice that each router only knows about its directly connected networks. Our job is to ensure each router knows how to reach all other networks. We will configure the default routes in the next lab.
6. Let's begin by configuring the HQ router with static routes to reach the Branch-B, Branch-C, and HQ networks. Ensure you enter the following commands in global configuration mode:
HQ(config)# ip route 172.16.1.0 255.255.255.0 10.2.1.10
HQ(config)# ip route 172.20.1.0 255.255.255.0 10.2.1.15
HQ(config)# ip route 192.168.1.0 255.255.255.0 10.2.1.20
The preceding configurations will install a static route for each branch network in the topology.
Important Note
To remove a static route, use the no command followed by the entire static route, such as no ip route 172.16.1.0 255.255.255.0 10.2.1.10.
We can use the show ip route command to verify that the routing table has been updated:
Figure 8.10 – Updated routing table on the HQ router
Now, there are static routes installed in the HQ routing table for each remote branch network.
7. Let's attempt to ping between PC1 and PC2 again to verify whether we have end-to-end connectivity:
Figure 8.11 – Request timed out messages
As you can see, the responses have changed. Now, we're getting Request timed out responses. What does this mean? These responses are provided when the target device (PC2) has disabled ICMP responses, a firewall or security appliance is blocking ICMP messages, or the target does not have a route back to the sender (PC1). In this situation, there isn't a firewall, and ICMP isn't being blocked anywhere, so it's the third reason.
8. Let's check the routing table on the Branch-A router to verify whether it has a route back to the HQ network:
Figure 8.12 – Routing table of the Branch-A router
As suspected, the Branch-A router does not have a route back to the 10.1.1.0/24 network, nor to the other remote networks.
9. Using the following commands, we will configure the Branch-A router with static routes to all other remote branch networks within the topology:
Branch-A(config)# ip route 10.1.1.0 255.255.255.0 10.2.1.5
Branch-A(config)# ip route 172.20.1.0 255.255.255.0 10.2.1.15
Branch-A(config)# ip route 192.168.1.0 255.255.255.0 10.2.1.20
Check the routing table of the Branch-A router. This way, we can verify that the new routes are in place:
Figure 8.13 – Static routes on the Branch-A router
Now that the Branch-A router has a route (path) back to the HQ network (10.1.1.0/24) via 10.2.1.5, let's test end-to-end connectivity once more.
10. Test connectivity from PC1 to PC2 to verify routing is working properly between the HQ and Branch-A routers:
Figure 8.14 – Connectivity test
Additionally, we can perform a traceroute to validate the path the packet takes between PC1 and PC2:
Figure 8.15 – Traceroute showing path
The first hop is the default gateway for PC1, while the second hop is the next hop address for the 172.16.1.0/24 network, as seen within the routing table of the HQ router. The third hop is the actual destination host.
11. Let's not forget to configure the static routes on the Branch-B router. Use the following commands:
Branch-B(config)# ip route 10.1.1.0 255.255.255.0 10.2.1.5
Branch-B(config)# ip route 172.16.1.0 255.255.255.0 10.2.1.10
Branch-B(config)# ip route 192.168.1.0 255.255.255.0 10.2.1.20
12. To configure the static routes on the Branch-C router, use the following commands:
Branch-C(config)# ip route 10.1.1.0 255.255.255.0 10.2.1.5
Branch-C(config)# ip route 172.16.1.0 255.255.255.0 10.2.1.10
Branch-C(config)# ip route 172.20.1.0 255.255.255.0 10.2.1.15
13. Lastly, use ping to validate end-to-end connectivity between all the devices on the topology.
Having completed this lab, you have gained the hands-on skills to implement static routing and perform troubleshooting techniques in a Cisco environment.
Lab – configuring an IPv4 default route
In this lab, you will learn how to implement a default route that points to the internet. Please keep in mind that this lab is simply an extension of the previous lab. As you may recall, a default route is a route that points to a foreign network that does not belong to your organization. It's simply your path (route) to the internet.
To get started with configuring a default route, use the following instructions:
1. On the Branch-A router, use the following command to create a default route that points to the HQ router, as that's where the internet link is located:
Branch-A(config)# ip route 0.0.0.0 0.0.0.0 10.2.1.5
2. Check the routing table of the Branch-A router to validate that the default route has been installed and that the gateway of last resort has been set:
Figure 8.16 – Default route
Configuring the default route on Branch-A will create the following effect: if any packets are destined for a network that does not exist within the routing table of the Branch-A router, the default route (gateway of last resort) will be used. The router will forward the packet to 10.2.1.5.
Furthermore, since the default route does not have an exit-interface, the router will perform a recursive lookup within the routing table to determine which network 10.2.1.5 belongs to. This is done to determine which exit-interface the router should use when forwarding the packet. According to the routing table, the router will forward the packet out of interface GigabitEthernet0/2, since 10.2.1.5 belongs to the 10.2.1.0/24 subnet.
3. Repeat both steps 1 and 2 on the Branch-B and Branch-C routers to configure a default route.
4. Let's configure the HQ router as the stub router that has the actual internet connection. On the HQ router, we will configure a default route that points to the 192.0.2.1 internet gateway address on the ISP router:
HQ(config)# ip route 0.0.0.0 0.0.0.0 192.0.2.1
Important Note
In a real environment, the ISP will provide you with the public IP address you need to configure on your stub router's interface, as well as the internet gateway address.
At this point, all the routers have a default route that points toward the internet or ISP network. To kick it up a notch, ensure the ISP router and the server have been configured with the IP scheme, as shown in the topology. Ensure the server can ping the ISP router and vice versa.
5. Configure a default route on the ISP router that points toward the HQ router:
ISP(config)# ip route 0.0.0.0 0.0.0.0 192.0.2.2
The purpose of this step is to allow the PCs to reach the public server on the internet within our lab.
6. Let's test the connectivity from any PC to the server, which is on the internet. The following screenshot shows the results from PC2 on our network:
Figure 8.17 – Connectivity test to the server
7. Next, let's perform a traceroute to the server:
Figure 8.18 – Traceroute test
As you can see, the traceroute shows the path the packet took from PC2 to the server.
8. Furthermore, looking at the routing table, we can see that 192.0.2.4/30 does not exist:
Figure 8.19 – Routing table of the Branch-A router
The Branch-A router used the default route (gateway of last resort) to forward the packet to another device, which may have a path or route to the destination host.
Tip
For each branch router, rather than installing a static route for each remote network, you can simply install a single default route to the main office, such as the HQ router. This will ensure the routing table of the remote branch router is kept small and concise. Additionally, the HQ router should contain static routes to each remote branch network. To put this simply, whenever a branch office has to send a message to another branch or remote network, the message will always be sent to the HQ router. In the next lab exercise, we will apply this method and learn how to perform this task.
Having completed this lab, you have gained the hands-on skills and experience you need to configure and implement a default route on an IPv4 network.
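The route-selection rules from the types-of-static-routes section (longest match, default and host routes, floating routes with a higher AD) and the recursive next-hop lookup from step 2 of this lab, as an added Python model that is not code from the book. Class and function names are hypothetical; the addresses come from the lab topology, except the ISP B link on R1, which is constructed because the book only gives ISP A's gateway.

```python
# Added example (not from the book): a small model of the Cisco IOS route-selection
# rules this chapter describes. Class and function names are hypothetical.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                      # "10.1.1.0/24"; 0.0.0.0/0 or ::/0 is a default route, /32 or /128 a host route
    next_hop: Optional[str] = None   # configured next-hop address, if any
    interface: Optional[str] = None  # configured exit interface, if any
    ad: int = 1                      # administrative distance: connected 0, static 1, floating static > 1


def longest_match(routes, dst):
    """Best-match rule: of the routes whose prefix contains dst, the longest prefix wins."""
    addr = ip_address(dst)
    hits = [r for r in routes if addr in ip_network(r.prefix)]
    return max(hits, key=lambda r: ip_network(r.prefix).prefixlen, default=None)


class Router:
    def __init__(self, name, candidates):
        self.name = name
        self.candidates = list(candidates)  # every connected and configured static route
        self.down = set()                   # interfaces that are currently down

    def rib(self):
        """Build the routing table. Per prefix only the usable candidate with the lowest AD
        is installed, so a floating static route stays out until the primary fails. A
        next-hop-only route is usable when its next hop matches some route other than
        itself that is already in the table (the recursive lookup the chapter describes)."""
        table = {}
        changed = True
        while changed:
            changed = False
            for r in sorted(self.candidates, key=lambda r: r.ad):
                if r.prefix in table and table[r.prefix].ad <= r.ad:
                    continue
                if r.interface is not None:
                    usable = r.interface not in self.down
                else:
                    via = longest_match(table.values(), r.next_hop)
                    usable = via is not None and via.prefix != r.prefix
                if usable:
                    table[r.prefix] = r
                    changed = True
        return list(table.values())

    def lookup(self, dst):
        """The installed route used for dst, or None (destination unreachable)."""
        return longest_match(self.rib(), dst)

    def exit_interface(self, dst):
        """Resolve dst to an exit interface, chasing next hops recursively."""
        table = self.rib()
        route = longest_match(table, dst)
        for _ in range(8):  # bounded: next hops that only point at each other never resolve
            if route is None:
                return None
            if route.interface is not None:
                return route.interface
            route = longest_match(table, route.next_hop)
        return None


def ping_outcome(src, dst, src_ip, dst_ip):
    """Classify a ping as the lab does: no forward route means the gateway answers
    'destination host unreachable'; a missing return route shows as 'request timed out'."""
    if src.lookup(dst_ip) is None:
        return "destination host unreachable"
    if dst.lookup(src_ip) is None:
        return "request timed out"
    return "reply"


def lab_routers():
    """HQ and Branch-A with only their connected networks, from the chapter's IPv4 lab.
    The HQ interface names and the Branch-A LAN interface are assumed."""
    hq = Router("HQ", [Route("10.1.1.0/24", interface="GigabitEthernet0/1", ad=0),
                       Route("10.2.1.0/24", interface="GigabitEthernet0/0", ad=0)])
    branch_a = Router("Branch-A", [Route("172.16.1.0/24", interface="GigabitEthernet0/1", ad=0),
                                   Route("10.2.1.0/24", interface="GigabitEthernet0/2", ad=0)])
    return hq, branch_a


def dual_isp_router():
    """R1 from the floating-route section. The ISP B link (198.51.100.0/30, next hop
    198.51.100.1) is constructed; the book only gives ISP A's gateway 192.0.2.1."""
    return Router("R1", [Route("192.0.2.0/30", interface="GigabitEthernet0/0", ad=0),
                         Route("198.51.100.0/30", interface="GigabitEthernet0/1", ad=0),
                         Route("0.0.0.0/0", next_hop="192.0.2.1"),            # primary default, AD 1
                         Route("0.0.0.0/0", next_hop="198.51.100.1", ad=2)])  # floating static, AD 2


if __name__ == "__main__":
    hq, br = lab_routers()
    hq.candidates.append(Route("172.16.1.0/24", next_hop="10.2.1.10"))   # static-route lab, step 6
    print(ping_outcome(hq, br, "10.1.1.10", "172.16.1.10"))               # request timed out (step 7)
    br.candidates.append(Route("0.0.0.0/0", next_hop="10.2.1.5"))        # default-route lab, step 1
    print(ping_outcome(hq, br, "10.1.1.10", "172.16.1.10"), br.exit_interface("10.1.1.10"))
    r1 = dual_isp_router()
    r1.down.add("GigabitEthernet0/0")                                     # ISP A link fails
    print(r1.lookup("203.0.113.9").next_hop, r1.exit_interface("203.0.113.9"))
```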
Lab – configuring static routing using IPv6
In this lab, you will learn how to configure both IPv6 static and default routes in a Cisco environment. You are not required to rebuild a new topology for this exercise; IPv6 supports dual stacking, which allows you to configure both IPv4 and IPv6 addresses on the same interfaces. Therefore, you can simply continue working from the previous lab.
The following is the IPv6 topology we'll be using to complete this hands-on exercise:
Figure 8.20 – IPv6 routing lab topology
Before you begin, ensure you have configured the devices with both the global unicast and link-local IPv6 addressing schemes, as shown in the following table:
Figure 8.21 – ISP and HQ device IPv6 addressing schemes
The following table provides the IPv6 addressing schemes for each branch router:
Figure 8.22 – Branch routers' IPv6 addressing scheme
Lastly, each end device, such as the PCs and the server, also requires IPv6 addresses:
Figure 8.23 – End device IPv6 addressing scheme
Once each device has been fully configured with its IPv6 addresses, ensure there is end-to-end connectivity:
Ping between each PC and its default gateway using both the global unicast and link-local IPv6 addresses.
Ping from one branch router to another.
Ping from the HQ router to the ISP router.
To get started with implementing IPv6 static routes, use the following instructions:
1. Enter global configuration mode on each router and execute the ipv6 unicast-routing command to allow IPv6 routing.
2. Firstly, install IPv6 static routes for each branch network on the HQ router, as follows:
HQ(config)# ipv6 route 2001:ABCD:1234:2::/64 2001:ABCD:1234:5::10
HQ(config)# ipv6 route 2001:ABCD:1234:3::/64 2001:ABCD:1234:5::15
HQ(config)# ipv6 route 2001:ABCD:1234:4::/64 2001:ABCD:1234:5::20
3. On each branch router, install only an IPv6 default route that points to HQ as its IPv6 gateway of last resort. Use the following commands to achieve this task:
Branch-A(config)# ipv6 route ::/0 2001:ABCD:1234:5::5
Branch-B(config)# ipv6 route ::/0 2001:ABCD:1234:5::5
Branch-C(config)# ipv6 route ::/0 2001:ABCD:1234:5::5
At this point, each PC can reach another PC on a remote network, and all traffic passes through the HQ router.
4. Let's install a default route on the HQ router to point toward the internet:
HQ(config)# ipv6 route ::/0 2001:abcd:1234:6::1
To ensure we can simulate the internet within our lab environment, we also need to install a default route on the ISP router that points back to the HQ router, using the following command:
ISP(config)# ipv6 route ::/0 2001:abcd:1234:6::2
5. Verify end-to-end connectivity from one PC to another. The following snippet shows the ping results between PC2 and PC4:
Figure 8.24 – Connectivity between PC2 and PC4
The following snippet shows the path the packet took from PC2 to PC4:
Figure 8.25 – Traceroute between PC2 and PC4
As expected, all traffic passes through the HQ router, since we have configured it as the default route on each branch router.
6. Using the show ipv6 route command, we can validate the IPv6 routing table of each router. The following snippet shows the routing table of the Branch-A router:
Figure 8.26 – Branch-A IPv6 routing table
7. Lastly, we can use the show ipv6 interface brief command to verify the IPv6 addresses on each router's interface. The following snippet shows both the IPv6 link-local and global unicast addresses on the HQ router:
the network expands.
To save the day, there are dynamic routing protocols. What exactly are dynamic routing protocols? The answer to this question is quite simple: they are layer 3 routing protocols that can be configured on a router to automatically discover remote networks, maintain and update routing tables, and calculate the best path to a destination network. In the event a route or path is no longer available, dynamic routing protocols can find a new path and install it in the routing table automatically.
There are various types of dynamic routing protocols. The following figure provides a breakdown of them:
Figure 8.28 – Dynamic routing protocols
There are various categories and sub-categories of dynamic routing protocols that are grouped based on their characteristics and how they function. Let's take a look at them.
Types of dynamic routing protocols
There are two main categories of dynamic routing protocols: Interior Gateway Protocols (IGPs) and Exterior Gateway Protocols (EGPs). The difference between these two is quite simple. IGPs are used within a private network owned by an organization. If IGPs are used on private networks, where do you think EGPs are used? They are mostly used on the internet, which is a public network.
There is currently one EGP, and it's called the Border Gateway Protocol (BGP). BGP is used to exchange routing information between Autonomous Systems (ASes) on the internet. An AS is defined as an organization that manages a lot of public networks. A simple example of this is an ISP. Imagine ISP_A has to inform other ISPs around the world about the networks ISP_A owns and how to reach them. Each ISP shares routing information via the BGP routing protocol on the internet.
Each ISP has a unique Autonomous System Number (ASN), which allows it to establish a BGP adjacency with another AS to exchange BGP routes. BGP is unlike the other routing protocols, as it chooses the best route based on its AS path.
The following diagram shows a simple representation of BGP interconnecting various ASNs:
Figure 8.29 – BGP being used between various ASNs
BGP is a very slow converging dynamic routing protocol, which is why it is mostly used on the internet rather than on private networks. When we speak about BGP, we usually mean external BGP (eBGP), which is used on the internet and between ASes. However, there's another version known as internal BGP (iBGP) that exchanges routing information within a single Autonomous System.
Important Note
BGP is no longer covered in the CCNA 200-301 exam objectives and has moved to the Cisco Certified Network Professional (CCNP) Enterprise certification level. However, it's worth mentioning in this section.
The following is the BGP routing table of a public BGP router:
Figure 8.30 – BGP routing table
The preceding snippet shows the destination networks on the left, their next hop, and the path. The path provides the ASN values. Therefore, for each of the 1.0.0.0/24 networks, the packet has to be sent to AS 24441 via 202.93.8.242, then to AS 13335, and so on.
Tip
The BGP Looking Glass project is created among ISPs around the world; it allows anyone to Telnet into their BGP-enabled routers to learn more about the BGP routing protocol. Simply use the search term bgp looking glass within your web browser to find publicly accessible BGP routers.
One of the oldest IGP dynamic routing protocols is the Routing Information Protocol (RIP). RIP is defined as a distance vector routing protocol. A distance vector routing protocol is only concerned about the distance and direction of the destination network. RIP uses the Bellman-Ford algorithm, which uses hop count as its metric to calculate the distance between the router and the destination network.
Important Note
RIP has a maximum hop count of 15. For a network that has more than 15 hops, RIP will not be suitable. Additionally, RIP does not support VLSM.
The path with the least number of hops (routers) will be elected as the best route and will be installed in the routing table. Furthermore, being a distance vector protocol, RIP will forward the packet to the next hop (neighbor) along the path until the packet is delivered.
Important Note
RIP was covered in the previous versions of CCNA. It is no longer part of the CCNA 200-301 examination objectives and is beyond the scope of this book.
The Enhanced Interior Gateway Routing Protocol (EIGRP) is another distance vector routing protocol and was a Cisco-proprietary routing protocol until March 2013, when Cisco announced that it is open to the network community and vendors in regard to its implementation. EIGRP uses the Diffusing Update Algorithm (DUAL) to calculate the best path to a destination network.
DUAL uses the following factors when calculating a suitable route:
Bandwidth
Delay
Transmitting Load (txload)
Receiving Load (rxload)
Reliability
However, EIGRP uses only bandwidth and delay by default. The other factors are off by default. The following snippet shows the values used by DUAL for its calculation:
Figure 8.31 – Interface details
The advantage EIGRP has over other dynamic routing protocols is its ability to calculate a backup loop-free path at the same time it is calculating a primary route to a destination network.
Important Note
EIGRP is no longer covered in the CCNA 200-301 exam objectives and has moved to the Cisco Certified Network Professional (CCNP) Enterprise certification level. However, it's worth mentioning in this section.
A loop-free path is one that does not have a layer 3 routing loop on a network. This is very useful in the event a route is unavailable, as EIGRP can almost immediately insert the backup loop-free path within the routing table to ensure connectivity.
Open Shortest Path First
One of the most popular link-state routing protocols is Open Shortest Path First version 2 (OSPFv2). Defined by RFC 1247, OSPFv2 was introduced to the networking industry back in 1991 and, since then, it has been widely adopted and implemented in many organizations.
The following are the benefits of using OSPF:
Open source: Being open source allows an organization with mixed vendor equipment to implement OSPF to exchange routing information between the various manufacturers of routers.
Scalability: OSPF can be implemented in a network of any size. Additionally, OSPF can be configured in a hierarchical system where OSPF-enabled routers can be grouped into areas.
Secure: The OSPF routing protocol supports both Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) for authentication. This allows two OSPF-enabled routers to authenticate with each other before exchanging OSPF routing details such as network information. Where the platform supports it, prefer HMAC-SHA keys over MD5, which is no longer considered strong.
Efficiency: Unlike older dynamic routing protocols, OSPF will only send an update if a change occurs on a network, rather than sending periodic updates at specific intervals.
Classless: The OSPF routing protocol supports the use of custom subnet masks and VLSM.
The OSPF routing protocol is made up of various components. These enable the protocol to have a clear idea of the entire network topology when it has to tell the router how to forward a packet.
The following are the OSPF components:
Adjacency table: Before OSPF exchanges routing information with a neighbor router on the network, they both need to establish an OSPF adjacency with each other. This adjacency is simply like a mutual handshake indicating that both are willing to share network routes. The adjacency table contains a list of all the neighbor routers that have established an adjacency with the local router. This table is sometimes referred to as the neighbor table. The show ip ospf neighbor command allows you to view the adjacency table.
Link-state database: The Link-State Database (LSDB) simply contains a list of information about all the OSPF-enabled routers on the network. The LSDB is also used to create the network topology table that OSPF uses to determine the cost of the best path or route to a destination network. The show ip ospf database command will allow you to view the contents of the LSDB.
Forwarding database: This is simply the routing table. After the OSPF algorithm, Shortest Path First (SPF), calculates all the paths to all the destination networks, it will install the best path (route) within the router's routing table. By using the show ip route command, you can view the forwarding database.
In the following section, we will take a much deeper dive to further understand the operations of OSPF as a link-state routing protocol.
OSPF operations
OSPF-enabled routers ensure they all maintain up-to-date information about the entire network topology; this enables OSPF to choose the best path at all times. However, to ensure everything works smoothly, OSPF uses the following sequence of operations between all enabled routers on the network:
1. OSPF will attempt to establish neighbor adjacencies with other OSPF-enabled routers on the network. When OSPF is enabled on a router's interface, it sends a Hello Packet every 10 seconds, like a pulse, out of its interface. The Hello Packet is simply a way to let a neighbor router know it wants to establish an adjacency.
2. After establishing OSPF adjacencies, the routers will begin to exchange Link-State Advertisements (LSAs) with their neighbors on the network. These LSAs are simply special OSPF packets that contain information about the cost and state of the directly connected networks on each neighbor router. When an OSPF-enabled router receives an LSA, it will then forward that same LSA to all other directly connected neighbors. This process is repeated until all the routers within the network receive all the LSAs.
3. Next, all OSPF-enabled routers will use the information contained within the LSAs to build the LSDB. This allows OSPF to virtually see the entire network topology, the interface costs, and their states.
4. After the LSDB has been built, OSPF executes its SPF algorithm to calculate the best path between networks.
5. The SPF algorithm then installs the best path to each network within the forwarding database, also known as the routing table.
Important Note
Keep in mind that if there is a route with a lower AD than OSPF that already exists within the routing table, the OSPF route will not be installed, since AD takes priority.
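Steps 3 to 5 and the Important Note above, as an added Python example that is not code from the book: an SPF run over a constructed three-router LSDB, the cost to each advertised network, installation into the forwarding database only where no lower-AD route exists, and re-convergence after a link fails. Router names, costs and prefixes are constructed; function names are hypothetical.

```python
# Added example (not from the book): the LSDB -> SPF -> forwarding-database sequence
# described above, run on a constructed three-router topology. Names are hypothetical.
import heapq

OSPF_AD = 110   # IOS administrative distance of an OSPF-learned route
STATIC_AD = 1   # IOS administrative distance of a static route


def spf(lsdb, root):
    """Dijkstra's shortest path first over the LSDB, rooted at this router. lsdb maps
    each router to {neighbor: link cost}. Returns {router: (total cost, first hop)}."""
    best = {root: (0, None)}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                      # stale heap entry, a cheaper path was found later
        for nbr, link_cost in lsdb.get(node, {}).items():
            new_cost = cost + link_cost
            if nbr not in best or new_cost < best[nbr][0]:
                first_hop = nbr if node == root else best[node][1]
                best[nbr] = (new_cost, first_hop)
                heapq.heappush(heap, (new_cost, nbr))
    return best


def ospf_candidates(lsdb, networks, root):
    """Cost to an advertised network = cost to the advertising router + that router's
    interface cost for it. networks maps router -> {prefix: interface cost}.
    Returns {prefix: (cost, first-hop router)} for the cheapest path to each prefix."""
    tree = spf(lsdb, root)
    routes = {}
    for router, nets in networks.items():
        if router == root or router not in tree:
            continue   # own networks are connected; routers outside the tree are unreachable
        cost, first_hop = tree[router]
        for prefix, if_cost in nets.items():
            total = cost + if_cost
            if prefix not in routes or total < routes[prefix][0]:
                routes[prefix] = (total, first_hop)
    return routes


def install(forwarding_db, candidates):
    """Step 5 plus the Important Note: an OSPF route enters the routing table only when
    no route with a lower AD (for example a static route, AD 1) exists for that prefix."""
    for prefix, (metric, next_hop) in candidates.items():
        current = forwarding_db.get(prefix)
        if current is None or current["ad"] > OSPF_AD:
            forwarding_db[prefix] = {"source": "O", "ad": OSPF_AD,
                                     "metric": metric, "next_hop": next_hop}
    return forwarding_db


def fail_link(lsdb, a, b):
    """A link goes down: both routers drop the adjacency from their LSAs."""
    lsdb[a].pop(b, None)
    lsdb[b].pop(a, None)
    return lsdb


def build_lsdb():
    """Constructed LSDB: R1-R2 and R2-R3 are fast links (cost 1); R1-R3 is a slow
    link (cost 10). Each router advertises one LAN with an interface cost of 1."""
    lsdb = {"R1": {"R2": 1, "R3": 10},
            "R2": {"R1": 1, "R3": 1},
            "R3": {"R1": 10, "R2": 1}}
    networks = {"R1": {"192.168.1.0/24": 1},
                "R2": {"192.168.2.0/24": 1},
                "R3": {"192.168.3.0/24": 1}}
    return lsdb, networks


if __name__ == "__main__":
    lsdb, networks = build_lsdb()
    # A static route for R2's LAN already exists on R1, so OSPF must not replace it.
    fdb = {"192.168.2.0/24": {"source": "S", "ad": STATIC_AD, "metric": 0, "next_hop": "R3"}}
    install(fdb, ospf_candidates(lsdb, networks, "R1"))
    print(fdb)                         # 192.168.3.0/24 via R2 at cost 3, static route untouched
    fail_link(lsdb, "R1", "R2")
    print(ospf_candidates(lsdb, networks, "R1"))   # 192.168.3.0/24 now via R3 at cost 11
```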
The OSPFv2 routing protocol uses the following layer 2 and layer 3 addresses to exchange information:
Destination multicast MAC address: 01-00-5E-00-00-05 or 01-00-5E-00-00-06
IPv4 multicast address: 224.0.0.5 or 224.0.0.6
In the next section, we will discuss the various types of OSPF messages that are exchanged between routers on a network.
OSPF messages
Enabling the OSPF routing protocol on a router's interface is quite simple. As a network professional, you need to understand the technical details that occur in the background in OSPF. The OSPF protocol uses various OSPF packet types to send information to a neighbor router. The following are the OSPF packet types and their descriptions:
Type 1: These are the OSPF Hello Packets that are used to create and maintain the neighbor adjacencies.
Type 2: These are known as Database Description (DBD) packets. These packets are used to ensure each OSPF-enabled router's LSDB is exactly the same.
Type 3: This type of packet is known as a Link-State Request (LSR) packet. OSPF-enabled routers use this packet to request further information about any entry in the DBD by simply sending an LSR.
Type 4: This packet is known as the Link-State Update (LSU). These packets are used by OSPF to respond to LSRs and to carry new routing information.
Type 5: This type of packet is the Link-State Acknowledgement (LSAck). These are sent when an LSU is received from another router.
In the next section, we will learn about the importance of the OSPF Hello Packet.
OSPF Hello Packet and dead timers
To create and maintain an OSPF adjacency with a neighbor router, Hello Packets are sent every 10 seconds by default to the IPv4 multicast address of 224.0.0.5 and the IPv6 address of FF02::5. Sending a Hello Packet constantly creates a pulse that tells a router its neighbor is alive, so none of the networks that belong to the neighbor router are removed from the routing table. However, on slower networks, such as those that are defined as non-broadcast multiple access networks, OSPF uses a default Hello timer of 30 seconds.
What would happen if an OSPF-enabled router does not receive a Hello Packet from one of its neighbors within 10 seconds? The neighbor router will eventually be considered down and removed from the routing table, together with its directly connected networks and its associated routes. However, this does not happen after a single missed Hello: OSPF has a Dead timer, which is 40 seconds by default and 120 seconds for non-broadcast multiple access networks. The Dead timer is simply the time for which an OSPF-enabled router will wait to receive a Hello Packet from its neighbor before declaring the neighbor device down.
The Hello timer must match between neighbors for an OSPF adjacency to be formed. The following diagram shows two routers. R1 is using the default OSPF Hello Timer of 10 seconds on its GigabitEthernet 0/1 interface and R2 is using 11 seconds:
Figure 8.32 – Hello Timer mismatch
Using the show ip ospf interface command, we can verify the Hello and Dead timers on the interface:
Figure 8.33 – Checking interface timers
The preceding snippet shows that the OSPF Hello Timer has been adjusted to 11 seconds on the interface. OSPF allows us to modify the Hello and Dead timers on each interface on a router. To adjust the Hello Timer and Dead timers, use the following commands:
R2(config)# interface gigabitEthernet 0/1
R2(config-if)# ip ospf hello-interval time-in-seconds
R2(config-if)# ip ospf dead-interval time-in-seconds
Important Note
Keep in mind that the de facto standard for the Dead timer is 4 times what it is for the Hello Timer.
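The following is an added example, not code from the book: a small Python model of the Hello/Dead timer behaviour just described, using the chapter's default timers. The neighbor Router ID 2.2.2.2 and the event log are constructed for illustration.

```python
from dataclasses import dataclass, field

# Defaults from the chapter: Hello 10 s / Dead 40 s on broadcast links,
# Hello 30 s / Dead 120 s on non-broadcast multi-access (NBMA) links.
DEFAULT_TIMERS = {"broadcast": (10, 40), "nbma": (30, 120)}


@dataclass
class Neighbor:
    router_id: str
    dead_time_left: int   # counts down like the Dead Time column of show ip ospf neighbor


@dataclass
class OspfInterface:
    """Timers of one local interface plus the neighbors it has learned."""
    hello_interval: int = 10
    dead_interval: int = 40
    neighbors: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def receive_hello(self, router_id: str, hello: int, dead: int) -> bool:
        """Process a Hello Packet from router_id carrying the sender's timers.

        Returns True when the Hello is accepted. A timer mismatch (such as
        10 s against 11 s in Figure 8.32) is rejected, so no adjacency forms.
        """
        if (hello, dead) != (self.hello_interval, self.dead_interval):
            self.log.append(f"{router_id}: timer mismatch hello={hello} dead={dead}")
            return False
        nbr = self.neighbors.get(router_id)
        if nbr is None:
            self.neighbors[router_id] = Neighbor(router_id, self.dead_interval)
            self.log.append(f"{router_id}: adjacency started")
        else:
            nbr.dead_time_left = self.dead_interval   # refreshed by every Hello
        return True

    def tick(self, seconds: int) -> list:
        """Let time pass; return the neighbors whose Dead timer expired."""
        expired = []
        for router_id, nbr in list(self.neighbors.items()):
            nbr.dead_time_left -= seconds
            if nbr.dead_time_left <= 0:
                expired.append(router_id)
                del self.neighbors[router_id]
                self.log.append(f"{router_id}: declared down, Dead timer expired")
        return expired


def after_missed_hellos(missed: int, network_type: str = "broadcast") -> tuple:
    """Return (still_adjacent, dead_time_left) for a neighbor that has missed
    `missed` consecutive Hello Packets on the given network type."""
    hello, dead = DEFAULT_TIMERS[network_type]
    iface = OspfInterface(hello, dead)
    iface.receive_hello("2.2.2.2", hello, dead)      # constructed neighbor
    for _ in range(missed):
        iface.tick(hello)                           # one Hello interval, no Hello
    nbr = iface.neighbors.get("2.2.2.2")
    return (nbr is not None, nbr.dead_time_left if nbr else 0)
```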
In the next section, we will take a look at the various OSPF interface states and their descriptions.
OSPF interface states
Before OSPF establishes an adjacency with a neighbor, the OSPF-enabled interface on a router has to transition between various operational states. These states are used when creating neighbor adjacencies, exchanging routing details, calculating the best path to a destination network, and ensuring all routers converge.
The following is the sequence of an interface as it reaches convergence:
1. Down: At this state, the router sends Hello Packets but hasn't received any Hello Packets from any neighbor routers.
2. Init: Hello Packets are received from a neighbor router.
3. Two-way: This state indicates there is two-way communication between two routers.
4. ExStart: This state indicates that the link is a point-to-point network and the routers negotiate which one will send its DBD first.
5. Exchange: This state is where routers exchange DBD packets on the network.
6. Loading: Within this state, LSR and LSU packets are exchanged between routers to gain more information about routes. The SPF algorithm processes all the routes to calculate the best path to destination networks.
7. Full: This state indicates that all the routers have converged and know about all the networks, interface costs, and routers.
To verify the OSPF interface states, use the show ip ospf neighbor command, as shown in the following snippet:
Figure 8.34 – Verifying OSPF interface states
In the next section, we will learn how OSPF uses interface bandwidth to choose its best path.
OSPF interface cost
OSPF is a link-state routing protocol, which means it uses cumulative bandwidth as its metric to determine the most cost-efficient path to a destination network. OSPF uses the following formula to calculate its path cost:
Cost = reference bandwidth / interface bandwidth
Firstly, you'll need to determine the default reference bandwidth on a router. This can be done by using the show ip ospf command, as shown in the following snippet:
Figure 8.35 – Reference bandwidth
As shown in the preceding snippet, the default reference bandwidth is set to 100. Next, we can use the show interfaces command to obtain the bandwidth value on an interface, as shown in the following snippet:
Figure 8.36 – Interface bandwidth
Now, we can substitute our values in our formula:
Cost = 100 / 1000000
The result rounds to 1. (The reference bandwidth is displayed in Mbps and the interface bandwidth in Kbps, so this is 100 Mbps divided by 1,000 Mbps; OSPF only works with whole-number costs and never uses a cost lower than 1.) We can verify the cost of an OSPF-enabled interface like so:
Figure 8.37 – OSPF cost
As expected, the OSPF cost on this interface is 1. OSPF calculates the cost of each interface on all the routers between all networks, then uses the path that has the overall least cost as the best path to a destination network.
Interface costs can be manually adjusted simply by using the following commands:
R2(config)# interface gigabitEthernet 0/1
R2(config-if)# ip ospf cost cost-value
The cost value is a unitless whole number in the range 1 to 65535.
In the next section, we will cover the concepts of the Designated Router (DR) and Backup Designated Router (BDR).
Designated router
As mentioned previously, each OSPF-enabled router has to establish an adjacency with its neighbors before they can share network routes. Once the adjacencies have been established, Hello Packets are continuously exchanged between neighbors. But what if a router has multiple adjacencies on the same interface?
Let's take a look at the following diagram, where each router has an adjacency to every other router:
Figure 8.38 – OSPF adjacencies
In the preceding diagram, all the routers share a single multi-access network via the switch. In such situations, each router will be sending Hello Packets to all other routers. If there's a topology change, the routers will flood updates to all routers as well.
Tip
To calculate the number of adjacencies on a multi-access network, use the formula N(N-1)/2, where N is the number of routers.
Having so many adjacencies causes extensive flooding of LSAs across the network and an unnecessarily high number of OSPF adjacencies to maintain. To help solve this issue, OSPF assigns a DR and a BDR on the network.
All other routers that are not a DR or BDR become a DROTHER. Each DROTHER will create an adjacency to the DR and the BDR only. Each router will send its Hello Packet to both the DR and BDR. When the DR receives the packet from another router, the DR sends the packet to all other routers that require the message. Therefore, a DROTHER will have two adjacencies only: one adjacency to the DR and another to the BDR. This concept reduces the number of unnecessary adjacencies and flooding of link-state messages across the network.
Router ID
A Router ID is required by each router to participate in an OSPF domain. Router IDs can be assigned manually or automatically by the router. The Router ID is used to uniquely identify a router and participate in the DR and BDR election process.
The Router ID is taken in the following order of precedence:
1. The Router ID is manually configured via the router-id command in router ospf mode.
2. An IPv4 loopback interface is configured and the IPv4 address of this interface is then used as the Router ID.
3. As the last resort, OSPF will use the highest active configured IPv4 address on the router's interfaces.
The following snippet shows how to configure the Router ID using the loopback interface on the router and how to manually configure it within router ospf mode:
Figure 8.39 – Router ID configuration
To reset the Router ID, use the clear ip ospf process command within privileged mode.
The Router ID plays a key role during the DR and BDR election process. In the next section, we will take a look at how OSPF makes its choice in electing a DR on the network.
DR and BDR election process
In this section, we will cover the OSPF DR and BDR election process thoroughly. Let's imagine there are five OSPF-enabled routers all sharing a single broadcast network. Each router has been manually configured with a unique 32-bit Router ID, as shown in the following diagram:
Figure 8.40 – DR and BDR election process – part 1
By default, the router with the highest Router ID is elected as the DR, while the router with the second highest Router ID is elected BDR. All other routers will take the role of being DROTHER.
Let's imagine the DR goes down. The BDR will take the role of becoming the new DR within the network, while the DROTHER with the highest Router ID will now become the new BDR, as shown in the following diagram:
Figure 8.41 – DR and BDR election process – part 2
What if the original DR comes back online? Does it regain the role of DR on the network? The answer is no – it becomes a DROTHER simply because the election process has ended. The following diagram shows the effect of this situation:
Figure 8.42 – DR and BDR election process – part 3
In another situation, what if a new router with a higher Router ID than the DR is inserted into the network? Would the new router with the higher Router ID become the new DR? As with the previous scenario, since the election process has ended, the new router will be a DROTHER, as shown in the following diagram:
Figure 8.43 – DR and BDR election process – part 4
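The four scenarios above, replayed as an added Python example (not code from the book). It models the non-preemptive election by highest Router ID, BDR promotion when the DR fails, and the adjacency count with and without a DR/BDR; the five Router IDs used are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class Segment:
    """One multi-access segment: the attached routers and the DR/BDR seats.
    Router IDs are dotted-quad strings compared as 32-bit numbers."""
    routers: set = field(default_factory=set)
    dr: Optional[str] = None
    bdr: Optional[str] = None

    @staticmethod
    def _rid_value(rid: str) -> int:
        return int(IPv4Address(rid))

    def role(self, rid: str) -> str:
        if rid == self.dr:
            return "DR"
        if rid == self.bdr:
            return "BDR"
        return "DROTHER" if rid in self.routers else "absent"

    def elect(self) -> None:
        """Fill only vacant seats (no preemption): the highest Router ID among
        the remaining routers takes a vacant DR seat, the next the BDR seat."""
        candidates = sorted(self.routers - {self.dr, self.bdr},
                            key=self._rid_value, reverse=True)
        if self.dr is None and candidates:
            self.dr = candidates.pop(0)
        if self.bdr is None and candidates:
            self.bdr = candidates.pop(0)

    def add_router(self, rid: str) -> str:
        """A router joins (or returns to) the segment; returns its role."""
        self.routers.add(rid)
        self.elect()
        return self.role(rid)

    def remove_router(self, rid: str) -> None:
        """A router leaves. If it was the DR, the BDR is promoted and a new
        BDR is elected; if it was the BDR, only the BDR seat is re-elected."""
        self.routers.discard(rid)
        if rid == self.dr:
            self.dr, self.bdr = self.bdr, None
        elif rid == self.bdr:
            self.bdr = None
        self.elect()

    def adjacency_count(self) -> int:
        """Full adjacencies maintained with a DR/BDR in place: one between
        DR and BDR plus two per DROTHER (each DROTHER peers with DR and BDR)."""
        n = len(self.routers)
        return 0 if n < 2 else 1 + 2 * (n - 2)


def full_mesh_adjacencies(n: int) -> int:
    """Adjacencies without a DR/BDR: the N(N-1)/2 formula from the Tip."""
    return n * (n - 1) // 2


def boot_segment(router_ids) -> Segment:
    """All routers start at the same time, so the election sees every one."""
    segment = Segment(set(router_ids))
    segment.elect()
    return segment
```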
Having completed this section, you have gained the essential skills to predict the election of a DR and a BDR on a multiaccess network. In the next section, we'll discuss how to configure OSPFv2 on a Cisco IOS router.
OSPFv2 commands
Let's imagine we have to enable the OSPF routing protocol to share routing information on the following network topology:
Figure 8.44 – Simple network
We can begin by enabling OSPF on R1. First, you'll need to access router ospf mode by using the following syntax:
R1(config)# router ospf process-id
process-id is a numerical value that ranges from 1-65535 and does not have to be the same on other OSPF-enabled routers on the network.
When configuring a dynamic routing protocol, you only advertise your directly connected networks. On R1, there are two directly connected networks: 192.168.1.0/24 and 192.168.2.0/24. To advertise these two networks, we can use the following syntax:
R1(config-router)# network network-ID wildcard-mask area area-id
Important Note
OSPF-enabled routers have the functionality to be segmented into multiple areas to ensure their routing table is kept small, as well as to reduce the amount of LSAs that are being exchanged on a network. This functionality is referred to as Multi-Area OSPF. Area 0 is defined as the backbone area and you should always start with Area 0 on your network. Cisco recommends that all other OSPF areas should be directly connected to Area 0. However, Multi-Area OSPF is beyond the scope of the CCNA 200-301 exam objectives.
When using the network command to advertise a network, OSPF does not allow you to specify a subnet mask; instead, it uses a wildcard mask. A wildcard mask is simply the inverse of a subnet mask. Let's say we have to represent the subnet mask 255.255.255.0 as a wildcard mask. Here, we use the following calculations:
Figure 8.45 – Wildcard mask calculations
The all-ones address 255.255.255.255 (the broadcast IP address here) is always the starting value. As shown in the preceding snippet, the subnet mask is subtracted from it, octet by octet, and the result is the wildcard mask.
To advertise the directly connected networks on R1, we use the following commands:
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
R1(config-router)# network 192.168.2.0 0.0.0.255 area 0
Additionally, you can choose to enable OSPF on a specific interface. To do this, use the following commands:
R1(config-router)# network 192.168.1.1 0.0.0.0 area 0
R1(config-router)# network 192.168.2.2 0.0.0.0 area 0
Each zero (0) within an octet on the wildcard simply tells the router to match the corresponding octet within the Network ID. Therefore, the preceding set of commands implies that OSPF will only be enabled on interfaces that are assigned the IP addresses 192.168.1.1 and 192.168.2.2.
Therefore, OSPF will not be enabled on an interface with an IP address of 192.168.1.129/25.
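As an added example (not code from the book), the following Python reproduces the wildcard-mask subtraction from Figure 8.45 and the matching rule of the network command, and applies it to the two host-specific statements above. The interface names (Gi0/0, Gi0/1, Gi0/2) and the third address 192.168.1.129 are constructed to mirror the text.

```python
from ipaddress import IPv4Address, IPv4Network


def wildcard_from_mask(subnet_mask: str) -> str:
    """Figure 8.45's arithmetic: 255.255.255.255 minus the subnet mask,
    octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Convenience wrapper for CIDR notation, e.g. /25 -> 0.0.0.127."""
    return wildcard_from_mask(str(IPv4Network(f"0.0.0.0/{prefix_len}").netmask))


def network_statement_matches(address: str, network_id: str, wildcard: str) -> bool:
    """Match rule of `network network-ID wildcard-mask area area-id`:
    every bit that is 0 in the wildcard must be identical in the interface
    address and the network ID; bits set to 1 are ignored."""
    addr, net, wild = (int(IPv4Address(x)) for x in (address, network_id, wildcard))
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def ospf_enabled_interfaces(statements, interfaces) -> dict:
    """Given the network statements of one OSPF process as
    (network_id, wildcard, area) tuples, and the router's interface
    addresses as {name: address}, return {name: area} for every interface
    OSPF would be enabled on. The first matching statement is used here,
    which is a simplification of the IOS lookup."""
    enabled = {}
    for name, address in interfaces.items():
        for network_id, wildcard, area in statements:
            if network_statement_matches(address, network_id, wildcard):
                enabled[name] = area
                break
    return enabled


# Constructed sample mirroring the R1 commands above: host-specific
# statements for 192.168.1.1 and 192.168.2.2, plus a third interface
# (192.168.1.129/25) that must stay out of OSPF.
R1_STATEMENTS = [("192.168.1.1", "0.0.0.0", "0"), ("192.168.2.2", "0.0.0.0", "0")]
R1_INTERFACES = {"Gi0/0": "192.168.1.1", "Gi0/1": "192.168.2.2", "Gi0/2": "192.168.1.129"}
```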
Once OSPF has been enabled on a router interface, it is recommended to prevent OSPF messages from entering and leaving interfaces that are not connected to another OSPF neighbor router. Such interfaces include those that are connected to the internet and the LAN interfaces that have switches and end users.
To prevent OSPF messages from entering and leaving an interface, use the following command:
R1(config-router)# passive-interface GigabitEthernet 0/0
Please keep in mind that this command also prevents OSPF Hello Packets from being sent and received on the interface, and therefore prevents an OSPF adjacency from forming on this interface.
To manually configure the Router ID on R1, use the router-id command, as follows:
R1(config-router)# router-id 1.1.1.1
To adjust the global reference bandwidth on OSPF, use the following syntax:
R1(config-router)# auto-cost reference-bandwidth ?
  <1-4294967>  The reference bandwidth in terms of Mbits per second
On Cisco 2911 routers, this is set to 100 Mbps. To change the default to 1 Gbps, use the following command in router ospf mode:
R1(config-router)# auto-cost reference-bandwidth 1000
This configuration must be applied to all other OSPF-enabled routers on the network to ensure OSPF makes accurate calculations to determine the best path and routes.
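An added Python example (not from the book) that serves both the cost formula from the OSPF interface cost section and the auto-cost reference-bandwidth command above: it computes interface costs the way the formula does and shows why, at the default reference bandwidth of 100, a FastEthernet link and two GigabitEthernet hops cannot be told apart. The sample link bandwidths and the two candidate paths are constructed, not taken from the lab topology.

```python
MIN_COST, MAX_COST = 1, 65535   # ip ospf cost accepts 1-65535


def ospf_cost(reference_bandwidth_mbps: int, interface_bandwidth_kbps: int) -> int:
    """Cost = reference bandwidth / interface bandwidth, as in the chapter.

    show ip ospf reports the reference bandwidth in Mbps and show interfaces
    reports BW in Kbit, so the units are aligned first. IOS keeps the
    whole-number part and never goes below a cost of 1.
    """
    cost = (reference_bandwidth_mbps * 1000) // interface_bandwidth_kbps
    return max(MIN_COST, min(MAX_COST, cost))


# Constructed sample of common interface bandwidths in Kbit, as
# show interfaces would report them.
SAMPLE_LINKS = {
    "Serial (T1)": 1544,
    "FastEthernet": 100_000,
    "GigabitEthernet": 1_000_000,
    "TenGigabitEthernet": 10_000_000,
}


def cost_table(reference_bandwidth_mbps: int) -> dict:
    """Cost of each sample link under one reference bandwidth."""
    return {name: ospf_cost(reference_bandwidth_mbps, bw) for name, bw in SAMPLE_LINKS.items()}


def indistinguishable_links(reference_bandwidth_mbps: int) -> list:
    """Sample links whose cost collapses to the GigabitEthernet cost, i.e.
    links OSPF cannot tell apart from Gigabit at this reference bandwidth."""
    table = cost_table(reference_bandwidth_mbps)
    gig = table["GigabitEthernet"]
    return sorted(name for name, c in table.items() if c == gig and name != "GigabitEthernet")


def path_cost(reference_bandwidth_mbps: int, hop_bandwidths_kbps) -> int:
    """Cumulative cost of a path: the sum of its outgoing-interface costs."""
    return sum(ospf_cost(reference_bandwidth_mbps, bw) for bw in hop_bandwidths_kbps)


def best_path(reference_bandwidth_mbps: int, paths: dict) -> str:
    """Pick the lowest-cost path; ties keep the first in insertion order."""
    return min(paths, key=lambda p: path_cost(reference_bandwidth_mbps, paths[p]))


# Constructed comparison: one FastEthernet hop versus two GigabitEthernet hops.
CANDIDATE_PATHS = {
    "via FastEthernet": [100_000],
    "via two GigabitEthernet hops": [1_000_000, 1_000_000],
}
```

With the default reference bandwidth of 100 the FastEthernet path wins, because both links cost 1; after auto-cost reference-bandwidth 1000 the two Gigabit hops (cost 2) beat the FastEthernet hop (cost 10).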
Now that you have learned about the essential commands needed to implement OSPF on a network, we will get hands-on with some labs.
Lab – configuring OSPFv2
In this hands-on lab, you will learn how to implement the OSPF routing protocol to automatically populate the routing table on each Cisco router, as well as calculate the best path to each remote network. The following topology is the same one we used in the previous labs in this chapter:
Figure 8.46 – IPv4 OSPF routing lab topology
Feel free to create a new copy of the lab file, but ensure you have removed any static routes from the routing table of each router. If there are static routes while we are configuring the OSPF routing protocol, the OSPF routes will not be installed in the routing table of any router, since static routes have an Administrative Distance of 1, whereas OSPF has a value of 110.
To get started with configuring OSPF in our topology, use the following instructions:
1. First, we will begin by configuring the HQ router so that it uses OSPF to automatically learn remote networks. To begin, enter the router's OSPF mode using a process-ID of 1:
HQ(config)# router ospf 1
2. Manually set the router-id value to 4.4.4.4:
HQ(config-router)# router-id 4.4.4.4
3. As a security measure, disable LSAs or OSPF packets from going out of all the interfaces:
HQ(config-router)# passive-interface default
4. Use the network command to advertise the networks that are directly connected to HQ and use the default area value of 0:
HQ(config-router)# network 10.1.1.0 0.0.0.255 area 0
HQ(config-router)# network 10.2.1.0 0.0.0.255 area 0
5. Allow OSPF packets/LSAs to only be sent out of interfaces that have another OSPF-enabled router:
HQ(config-router)# no passive-interface GigabitEthernet 0/0
HQ(config-router)# exit
If the passive-interface command is applied to the WAN interface, it will not be able to form an adjacency with the other OSPF-enabled routers. This is because this prevents Hello Packets from entering and leaving the interface. Now that you have configured OSPF on the HQ router, we will do the same for the other branch routers.
6. Next, use the following commands on the Branch-A router to enable the OSPF routing protocol:
Branch-A(config)# router ospf 1
Branch-A(config-router)# router-id 2.2.2.2
Branch-A(config-router)# passive-interface default
Branch-A(config-router)# network 172.16.1.0 0.0.0.255 area 0
Branch-A(config-router)# network 10.2.1.0 0.0.0.255 area 0
Branch-A(config-router)# no passive-interface GigabitEthernet 0/2
Branch-A(config-router)# exit
7. To configure the Branch-B router, use the following configurations:
Branch-B(config)# router ospf 1
Branch-B(config-router)# router-id 3.3.3.3
Branch-B(config-router)# passive-interface default
Branch-B(config-router)# network 172.20.1.0 0.0.0.255 area 0
Branch-B(config-router)# network 10.2.1.0 0.0.0.255 area 0
Branch-B(config-router)# no passive-interface GigabitEthernet 0/1
Branch-B(config-router)# exit
8. Let's not forget about the Branch-C router! Use the following configurations to enable OSPF:
Branch-C(config)# router ospf 1
Branch-C(config-router)# router-id 1.1.1.1
Branch-C(config-router)# passive-interface default
Branch-C(config-router)# network 192.168.1.0 0.0.0.255 area 0
Branch-C(config-router)# network 10.2.1.0 0.0.0.255 area 0
Branch-C(config-router)# no passive-interface GigabitEthernet 0/2
Branch-C(config-router)# exit
At this point, each branch network can intercommunicate. However, we cannot forget about setting up a default route to the internet.
9. To configure a default route on HQ that points toward the internet, use the following command:
HQ(config)# ip route 0.0.0.0 0.0.0.0 192.0.2.1
10. Let's use OSPF to automatically propagate the default route to all other OSPF-enabled routers from HQ:
HQ(config)# router ospf 1
HQ(config-router)# default-information originate
HQ(config-router)# exit
By using the default-information originate command, the default route will be automatically distributed to all other OSPF-enabled routers. This saves you time that would be spent manually configuring a default route on each router within your topology and network.
11. Lastly, to simulate our internet connection properly, let's create a default route from the ISP router back to HQ:
ISP(config)# ip route 0.0.0.0 0.0.0.0 192.0.2.2
Having completed this lab, you have gained the hands-on skills you need to deploy the OSPF routing protocol in a real-world network environment using Cisco routers. In the next section, we will learn how to perform troubleshooting when using the OSPF routing protocol.
Validating OSPF configurations
As a network professional, we always need to verify our configurations on our devices. We can start by taking a look at the routing table and ensuring each router has routes to all remote networks, as well as a route that points to the internet.
The following snippet shows the routing table of the Branch-A router:
Figure 8.47 – The Branch-A routing table
In the preceding snippet, we can see that all the remote networks are learned and populated within the routing table via the OSPF routing protocol. Furthermore, the last route is the default route from the HQ router that we propagated using the default-information originate command. This is why our Branch-A router has a gateway of last resort that has been set automatically via OSPF.
Another important troubleshooting command you must know about is the show ip protocols command. Whenever we are using a dynamic routing protocol such as OSPF, EIGRP, or RIP, the show ip protocols command will always present details about the protocols running on the local router.
Let's take a look at the following snippet:
Figure 8.48 – OSPF process-id
From the output, we can determine the following about the routing protocol:
The OSPF routing protocol is currently enabled on the Branch-A router.
OSPF is currently using the process-id value of 1. Please note that the process-id value does not need to match between OSPF-enabled routers.
router-id was manually configured as 2.2.2.2.
If there are multiple routes to the same network that have the same cost value (metric), OSPF will load-balance up to a total of four paths.
The Branch-A router is advertising that it has two networks: 10.2.1.0/24 and 172.16.1.0/24.
Let's take a look at the remaining portions of the show ip protocols output:
Figure 8.49 – Analyzing the routing protocol
We can determine the following based on the preceding snippet:
The interfaces listed under Passive Interface(s) will not send or receive any OSPF messages.
The local router is learning routes from other OSPF-enabled routers, which are listed together with their AD and their last update timer.
The show ip ospf neighbor command provides us with details about OSPF-enabled neighbor devices:
Figure 8.50 – OSPF neighbors
The following is a breakdown of each column from the show ip ospf neighbor output:
The Neighbor ID column contains a list of OSPF neighbors that have an adjacency with the local router. This value is the Router ID.
The Pri column contains the priority value for each neighbor adjacency.
The State column contains the link status for each OSPF neighbor adjacency.
The Dead Time column indicates how much of the Dead timer remains since a Hello Packet was last received from each neighbor. This timer always counts down and refreshes whenever the local router receives a Hello Packet.
The Address column contains the actual IP address assigned on the neighbor's interface.
The Interface column displays the local interface used to create an adjacency with the neighbor router.
The show ip ospf interface command can be used to verify the following details about OSPF:
The OSPF process-id associated with the OSPF-enabled interface on the router
The OSPF router-id value
The DR and its IP address
The BDR and its IP address
The OSPF Hello and Dead timer values on the interface
The number of OSPF adjacencies that exist on this interface
The following snippet shows the output of using the show ip ospf interface command on Branch-A:
Figure 8.51 – Verifying OSPF interface details
Another useful command to check whether the interface on a router is participating in OSPF is the show ip ospf interface brief command. This command only works on actual Cisco IOS devices and not on Cisco Packet Tracer. Its output provides you with details about each interface. Let's take a look at the following snippet, which was taken from the Branch-A router:
Figure 8.52 – OSPF interfaces
The first row indicates that GigabitEthernet 0/2 is participating in the OSPF instance, which has a Process ID of 1, and states that the interface belongs to OSPF Area 0, which is the backbone area. Additionally, the IP address and subnet mask are provided, as well as the OSPF cost on the interface and the OSPF state on the interface.
Lastly, we must not forget to test end-to-end connectivity on our lab network. The following snippet shows a ping test from the Branch-A LAN interface (172.16.1.1) to the server at 192.0.2.6. The following command will work only on actual Cisco IOS and not on Cisco Packet Tracer:
Figure 8.53 – Connectivity test
This form of the ping command allows you to specify a source IP address, so that you can test from the IP address of an interface on the router that is attempting to establish connectivity between remote networks.
Now that you have completed this section, you have the knowledge and hands-on skills to describe, configure, troubleshoot, and validate OSPF and its configurations in a Cisco environment.
Understanding first hop redundancy
Let's imagine that, within your organization, each device is configured to use a specific IP address as its default gateway to the internet. What if that IP address or device goes offline? How will your client devices reach the internet?
The following diagram shows the default gateway going down, thus preventing clients from reaching the internet:
Figure 8.54 – Default gateway goes offline
You may be thinking, we can replace the router with another and apply the same configurations to it and our internet connectivity will be restored. This is a workable solution, but it's not too efficient because it's a reactive solution and requires too many interventions.
What if we could implement redundancy on the default gateway to ensure that, if the main router goes down, there's another device that will act as the new default gateway, without us having to change the default gateway's IP address on any of the clients? This is definitely possible with a Cisco IOS router.
The technology known as First Hop Redundancy Protocol (FHRP) allows us to use two Cisco IOS routers to create a single virtual router that has a virtual IP address and virtual MAC address. The virtual IP address and virtual MAC address will be shared between the two physical routers. Additionally, the virtual IP address will act as the default gateway for clients. Therefore, one physical router will have the role of the active router, which will route traffic back and forth to the internet, and the other physical router will be the standby router; in the event the Active router goes offline, the standby router takes up the role of the new active router with the virtual IP address.
The following diagram shows R1 as the Active router:
Figure 8.55 – Active router
In the event R1 goes down in the network topology, the Standby router will take up the role of the Active router on the network. This causes very little service interruption as the failover happens. The following diagram shows the traffic flow when R2 becomes the new Active router on the network:
Figure 8.56 – New Active router
Using an FHRP is a better solution as it's proactive and does not require a network professional's intervention. There are a few FHRPs that exist in the industry. We'll look at their characteristics in the next section.
Various FHRPs
The following sub-sections will briefly outline the characteristics of each FHRP that can be implemented in a network to ensure that internal host devices are always able to reach their default gateway.
Hot Standby Router Protocol
The Hot Standby Router Protocol (HSRP) is a Cisco-proprietary FHRP that allows a number of Cisco IOS routers to be grouped into a cluster to create a virtual router. The virtual router will have a virtual IP address that will be shared between all physical routers that are part of the HSRP group.
The following are the two states of an HSRP router:
Active
Standby
The Active router is the one that is actively forwarding packets as the default gateway. In the event that the Active router goes offline, the Standby router will assume the role of being the new Active router and traffic will be routed through the new Active router.
The following table outlines the differences between HSRP version 1 and version 2:
Figure 8.57 – HSRP versions
When configuring HSRP, the router with the highest IPv4 address will be selected as the Active router within the group, while all others will be Standby routers. The default HSRP priority is 100 on all routers; the router with the highest HSRP priority value will be elected as the Active router. The preempt command enables preemption and forces an HSRP re-election process. This should be done to ensure a specific router becomes the Active router.
Important Note
By default, preemption is disabled in HSRP.
Since preemption is disabled, the router that boots up first will take the role of being the Active router. HSRP uses Hello Packets that are sent every 3 seconds by default. If a Standby router does not receive a Hello Packet from the Active router after 10 seconds, it will assume that the Active router is down and take up the role of being the new Active router. Furthermore, there is HSRP for IPv6 networks. This version of HSRP has the same functionality as its IPv4 version.
Lab – implementing HSRP
In this hands-on lab, you will learn how to implement HSRP as the preferred FHRP in a Cisco environment, ensuring the default gateway is always available. The following topology can be built within the Cisco Packet Tracer application:
Figure 8.58 – HSRP lab topology
Please ensure you use the following guidelines when running this lab to ensure you get the same results:
Assign the IP addresses shown in the topology to each device accordingly.
Each router interface must be configured as shown in the topology.
Configure the default gateway on both PCs as 192.168.1.1.
Ensure the default gateway on the Public Server is set to 192.0.3.1.
Create an EtherChannel using LACP between Core1 and Core2 using ports FastEthernet 0/23 and 0/24 on both switches.
Now that your lab is ready, use the following instructions to create a virtual router using HSRP:
1. Ensure R1 and R2 have the following default routes within their routing tables:
R1(config)# ip route 0.0.0.0 0.0.0.0 192.0.2.1
R2(config)# ip route 0.0.0.0 0.0.0.0 192.0.2.5
2. On R1, enable HSRP version 2 on the LAN interface on the router using the following commands:
R1(config)# interface GigabitEthernet 0/1
R1(config-if)# standby version 2
3. Next, create the virtual IP address that will be used as the default gateway for clients on the network:
R1(config-if)# standby 1 ip 192.168.1.1
4. Set the HSRP priority number to be greater than 100 to ensure this router becomes the Active (desired) router by using the following command:
R1(config-if)# standby 1 priority 150
5. Configure this router to preempt the standby router:
R1(config-if)# standby 1 preempt
R1(config-if)# exit
Now that you have configured R1 as the active router, let's head on over to R2 as it requires some configuration in order to become the Standby router within the HSRP group. The Standby router will take the place of the Active router in the event R1 goes down or offline. To configure R2 as the Standby router, use the following instructions:
1. On the R2 LAN interface, enable HSRP version 2:
R2(config)# interface GigabitEthernet 0/1
R2(config-if)# standby version 2
2. Next, configure the virtual IP address of the default gateway:
R2(config-if)# standby 1 ip 192.168.1.1
R2(config-if)# exit
3. Lastly, to ensure the internet-side portion of our lab is working, configure the following default routes on the ISP router:
ISP(config)# ip route 0.0.0.0 0.0.0.0 192.0.2.2
ISP(config)# ip route 0.0.0.0 0.0.0.0 192.0.2.62
Now that you have finished the configuration aspect of this lab, let's take a look at validating and troubleshooting the configurations on our lab environment.
One of the most important troubleshooting commands for HSRP is the show standby command. The output of this command provides us with vital information about the HSRP status on the local router, such as the following:
The HSRP router's state, whether it's Active or Standby
The virtual IP address and MAC address for the virtual router
The Hello and Holddown timers on the interface
Whether preempt has been configured on the interface or not
Whether the local router is the Active or Standby router
The IP address of the Standby router
The HSRP priority value
The following snippet shows the output of the show standby command on R1 in our lab:
Figure 8.59 – HSRP status on R1
Let's take a look at the show standby command's output on R2. You'll notice that the state of R2 is set to Standby and that the Active router in the group is 192.168.1.1, which is R1's IP address:
Figure 8.60 – HSRP status on R2
Furthermore, to see a summary HSRP status on either router, use the show standby brief command:
Figure 8.61 – HSRP status summary
The show standby brief command's output provides us with the local interface that's been configured with HSRP, the HSRP group number, the HSRP priority value, the interface state, the HSRP router state, the standby router, and the virtual IP address of the virtual router.
For our final connectivity test, let's perform a traceroute from PC1 (192.168.1.10) to the Public Server at 192.0.3.10:
Figure 8.62 – Traceroute connectivity test
According to the output shown in the preceding snippet, the packet took the path via R1 as the Active router within the HSRP group, as expected.
Let's create a network failure by shutting down GigabitEthernet 0/1 and GigabitEthernet 0/2 on R1 only. This will create the effect of R1 going offline on the network. After a few seconds, perform another traceroute test from PC1 to the server once more.
The following are the new traceroute results when R1 has gone offline:
Figure 8.63 – New traceroute results
R2 has assumed the role of being the Active router within the HSRP group, and the packets are now taking a new path via R2 (192.168.1.3) to reach the Public Server. The default gateway configured on the client devices remains as 192.168.1.1.
Having completed this section, you have gained hands-on experience with configuring first hop redundancy using HSRP. You created a virtual router to ensure the internal devices on the corporate LAN can access the internet. In the next section, we will configure VRRP to provide redundancy for our default gateway.
Virtual Router Redundancy Protocol
The Virtual Router Redundancy Protocol (VRRP), currently at version 2, is a vendor-neutral FHRP that also supports grouping together two or more physical routers to create a virtual router on an IPv4 network. VRRPv2 allows multiple routers to join the VRRP group and share the same virtual IP address to provide default gateway redundancy on an enterprise network.
Important Note
Preemption is enabled by default in VRRP.
VRRP uses the following two router states:
Master
Backup
The Master router is the one that currently has the responsibility of acting as the default gateway and forwarding packets back and forth between networks. The Backup router takes the role of Master only in the event of the actual Master router going offline.
Additionally, VRRPv3 supports first hop redundancy on an IPv6 network environment and is a bit more scalable compared to VRRPv2.
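An added Python example (not code from the book) covering the election rules of both the HSRP section and the VRRP section above: highest priority wins, equal priorities fall back to the highest IPv4 address, and the preemption default decides whether a better-ranked router that comes up later takes over. It replays the lab with R1 at 192.168.1.2 (priority 150) and R2 at 192.168.1.3; the boot order and failure sequence are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

# Defaults stated in the chapter: HSRP ships with preemption disabled,
# VRRP with preemption enabled; both use a default priority of 100.
PREEMPT_DEFAULT = {"HSRP": False, "VRRP": True}
DEFAULT_PRIORITY = 100


@dataclass
class Router:
    name: str
    ip: str
    priority: int = DEFAULT_PRIORITY
    preempt: Optional[bool] = None   # None means "use the protocol default"


@dataclass
class FhrpGroup:
    """One HSRP or VRRP group on a LAN segment. The forwarding role is
    Active (HSRP) or Master (VRRP); the fallback is Standby/Backup."""
    protocol: str
    virtual_ip: str
    members: list = field(default_factory=list)
    forwarder: Optional[str] = None
    events: list = field(default_factory=list)

    def _preempts(self, r: Router) -> bool:
        return PREEMPT_DEFAULT[self.protocol] if r.preempt is None else r.preempt

    @staticmethod
    def _rank(r: Router) -> tuple:
        # Highest priority wins; equal priorities fall back to highest IPv4.
        return (r.priority, int(IPv4Address(r.ip)))

    def _by_name(self, name: str) -> Router:
        return next(r for r in self.members if r.name == name)

    def boot(self, router: Router) -> str:
        """A router comes up on the segment. Without preemption the current
        forwarder keeps its role even if the newcomer ranks higher."""
        self.members.append(router)
        if self.forwarder is None:
            self.forwarder = router.name
        elif self._preempts(router) and self._rank(router) > self._rank(self._by_name(self.forwarder)):
            self.events.append(f"{router.name} preempted {self.forwarder}")
            self.forwarder = router.name
        return self.forwarder

    def fail(self, name: str) -> Optional[str]:
        """A member goes offline; if it was the forwarder, the best-ranked
        remaining member takes over the virtual IP."""
        self.members = [r for r in self.members if r.name != name]
        if name == self.forwarder:
            self.forwarder = max(self.members, key=self._rank).name if self.members else None
        return self.forwarder

    def standby(self) -> Optional[str]:
        """Best-ranked member other than the forwarder."""
        others = [r for r in self.members if r.name != self.forwarder]
        return max(others, key=self._rank).name if others else None


def lab_scenario(protocol: str, r1_preempt: Optional[bool] = None) -> list:
    """Constructed replay of the lab: R2 (192.168.1.3) boots first, then R1
    (192.168.1.2, priority 150); R1 then fails and later returns.
    Returns the forwarder after each step."""
    group = FhrpGroup(protocol, "192.168.1.1")
    steps = [group.boot(Router("R2", "192.168.1.3"))]
    steps.append(group.boot(Router("R1", "192.168.1.2", 150, r1_preempt)))
    steps.append(group.fail("R1"))
    steps.append(group.boot(Router("R1", "192.168.1.2", 150, r1_preempt)))
    return steps
```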
Lab – implementing VRRP
In this hands-on lab, you will learn how to implement VRRP in a Cisco environment to ensure the default gateway is always available. The following topology is the same as we have used in the previous labs in this chapter. However, you will need either physical Cisco routers or Cisco IOSv images to complete this lab:
Figure 8.64 – VRRP lab
Follow the same guidelines that you followed for the HSRP lab when running this lab to ensure you get the same results.
Now that your lab is ready, use the following instructions to create a virtual router using VRRP:
1. Ensure R1 and R2 have the following default routes within their routing tables:
the Backup router:
Figure 8.65 – Verifying VRRP
R1 has the lower IPv4 address, 192.168.1.2, configured on the VRRP LAN interface, whereas R2 has the higher IPv4 address of 192.168.1.3. R2 was elected to be the Master router and R1 became the Backup router. Furthermore, you can see the virtual IPv4 and MAC addresses that the clients will be using as the default gateway.
6. Let's use the show vrrp brief command to verify additional VRRP details:
Figure 8.66 – The show vrrp brief command's output
The show vrrp brief command provides us with the interface that is using VRRP, the VRRP group number, the VRRP interface priority value, the VRRP router state, the Master IP address, and the virtual group IP address.
7. Lastly, the following snippet shows the output of show vrrp on R2:
Figure 8.67 – VRRP output on R2
The output shows that R2 is definitely the Master router within the VRRP group and has the same virtual IP and MAC addresses. Furthermore, we can verify that preemption is indeed enabled by default on VRRP-enabled routers and has a default priority of 100.
Having completed this lab, you have gained hands-on experience with implementing VRRP as an FHRP in a Cisco environment. In the next section, you will learn how to implement and configure GLBP for load balancing.
GatewayLoadBalancingProtocolTheGatewayLoadBalancingProtocol(GLBP)isabitdifferentfromtheaforementionedFHRPs.GLBPallowsloadbalancingbetweentheroutersthatarepartoftheGLBPgroup.Toputthissimply,ifyouhavetwophysicalrouterswithinaGLBPgroup,trafficthatissenttothedefaultgatewayIPaddresswillbeload-balancedbetweenalltheroutersusingaround-robintechnique.
Telegram Channel : @IRFaraExam
ImportantNote
GLBPisanotherCisco-proprietaryFHRP.PreemptionisdisabledbydefaultonGLBP.
GLBPensuresthatonerouterdoesnothandlealltheloadandconstraintsofbeingthedefaultgateway;itallowstheotherrouterstosharetheloadaswell.GLBPusesthefollowingrouterstatuses:
Active
Standby
SimilarlytoHSRP,theActiverouteristheonethathasthecurrentroleasthedefaultgateway,whiletheStandbyrouterprovidesfailoverintheeventthattheActiveroutergoesdown.GLBPforIPv6supportsthisimplementationwithinanIPv6environment.
Lab – implementing GLBP
In this hands-on lab, you will learn how to implement GLBP in a Cisco environment to ensure the default gateway is always available. The following topology is the same one that we used in the previous labs in this chapter. However, you will need either physical Cisco routers or Cisco IOSv images to complete this lab:
Figure 8.68 – GLBP lab
Please follow the same guidelines that you did in the HSRP lab when running this lab to ensure you get the same results.
Now that your lab is ready, use the following instructions to create a virtual router using GLBP:
1. Ensure R1 and R2 have the following default routes within their routing tables:
R1(config)#ip route 0.0.0.0 0.0.0.0 192.0.2.1
R2(config)#ip route 0.0.0.0 0.0.0.0 192.0.2.5
2. On R1, enter interface mode and use the following command to create the GLBP group and set the virtual router IP address:
R1(config)#interface GigabitEthernet0/1
R1(config-if)#glbp 1 ip 192.168.1.1
3. On R2, enter interface mode, set the GLBP group to 1, and configure the virtual router IP address:
R2(config)#interface GigabitEthernet0/1
R2(config-if)#glbp 1 ip 192.168.1.1
4. Lastly, to ensure the internet side of our lab is working, configure the following default routes on the ISP router:
ISP(config)#ip route 0.0.0.0 0.0.0.0 192.0.2.2
ISP(config)#ip route 0.0.0.0 0.0.0.0 192.0.2.62
Now that you have finished the configuration part of this lab, let's take a look at validating and troubleshooting the configurations in our lab environment, as shown in the following steps:
1. Use the show glbp command to verify the GLBP state, as shown in the following snippet:
Figure 8.69 – GLBP output
From the preceding snippet, we can determine that R1 is the Active router within the GLBP group, that the default GLBP priority is 100, and that preemption is disabled by default.
2. Let's use the show glbp brief command to verify the status of the local interfaces on R1:
Figure 8.70 – The show glbp brief command's output
The output provides us with various GLBP details, such as the interfaces that are participating in GLBP group 1, the virtual router's IP address, and which devices are the Active and Standby routers.
Having completed this lab, you have gained the essential skills required to implement GLBP within a Cisco environment.
Summary
In this chapter, we've discussed and demonstrated how to establish IP connectivity between remote networks using Cisco routers. Having completed this chapter on IP connectivity, you have gained the skills to set up both static and dynamic routing on an enterprise network to ensure end-to-end connectivity. Furthermore, you've learned how to propagate a default route through a Cisco environment, which allows users to reach the internet from their client devices.
I hope this chapter has been informative for you and is helpful in your journey toward learning how to implement and administer Cisco solutions and prepare for the CCNA 200-301 certification. In the next chapter, Chapter 9, Configuring Network Address Translation (NAT), we will learn how to implement various types of network address translation on a Cisco router.
Questions
The following is a short list of review questions to help reinforce your learning and help you identify areas you might need to work on:
1. What is the default Administrative Distance of a static route?
A. 0
B. 1
C. 2
D. 90
2. Which of the following commands will allow you to configure a static route?
A. network
B. route
C. ip
D. ip route
3. Which command will allow a router to perform IPv6 routing?
A. enable ipv6 routing
B. ipv6 router
C. ipv6 unicast-routing
D. ipv6 enable
4. Which IPv4 address and mask represent a default route?
A. 0.0.0.0 255.255.255.255
B. 0.0.0.0 0.0.0.0
C. 255.255.255.255 255.255.255.255
D. 255.255.255.255 0.0.0.0
5. What is the Administrative Distance of OSPF?
A. 110
B. 120
C. 90
D. 170
6. Which routing protocol is used between ISPs?
A. IS-IS
B. OSPF
C. BGP
D. MPLS
7. Which command allows you to view the link-state database in OSPF?
A. show ip ospf interface brief
B. show ip ospf interface
C. show ip ospf database
D. show ip route
8. What is the default Hello timer in OSPF (in seconds)?
A. 30
B. 10
C. 5
D. 15
9. Which command allows you to verify the HSRP status on a router?
A. show hsrp
B. show router standby
C. show running-config
D. show standby
10. Which FHRP is an open standard?
A. VRRP
B. HSRP
C. GLBP
D. ICMP
Further reading
The following links are recommended for additional reading:
Understanding static routing: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/unicast/configuration/guide/l3_cli_nxos/l3_route.html
RIP routing: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_rip/configuration/15-mt/irr-15-mt-book/irr-cfg-info-prot.html
EIGRP routing: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-mt/ire-15-mt-book/ire-enhanced-igrp.html
OSPF routing: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-16/iro-xe-16-book/iro-cfg.html
Understanding HSRP: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swhsrp.html
This section teaches you the importance of various network services that are critical to daily operations. You will then learn how to implement various services using industry best practices on networks. Furthermore, you will learn how to troubleshoot each service as you are taken through each section and chapter.
This section contains the following chapters:
Chapter 9, Configuring Network Address Translation (NAT)
Chapter 10, Implementing Network Services and IP Operations
Chapter 9: Configuring Network Address Translation (NAT)
How do devices on private networks access the internet? Network address translation (NAT) is the mechanism that bridges private and public networks. In this chapter, you will learn about the various types of NAT and how to implement static NAT, dynamic NAT, and port address translation (PAT) on a Cisco network. You will also learn how to implement NAT to ensure that you have internet connectivity on an enterprise network.
In this chapter, we will cover the following topics:
The challenge of using IPv4 on the internet
Understanding NAT
Types of NAT
Configuring PAT
Configuring static NAT with port forwarding
Implementing dynamic NAT
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:
Cisco Packet Tracer: https://www.netacad.com
The code files for this chapter are available at https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2009.
Check out the following video to see the Code in Action: https://bit.ly/3clR4Qr
The challenge of using IPv4 on the internet
One of the many issues we face is that there aren't enough public IPv4 addresses to assign to each unique device on the internet. As you learned in Chapter 3, IP Addressing and Subnetting, each device that is directly connected to the internet must be assigned a unique IP address. An IPv4 address is 32 bits long, so there are 2^32 = 4,294,967,296 IPv4 addresses in total, and only a subset of those are public addresses that are routable on the internet. This number seems huge, but the reality is that most of the public IPv4 space has already been allocated to internet-connected networks, and the rest of the IPv4 pool is reserved by various organizations for special use.
In the world today, there are far more than 4 billion devices connected to the internet. How is it possible to have more devices online than the number of available public IPv4 addresses? RFC 1918 defines three blocks of IPv4 addresses that are assignable on private networks and are not routable on the internet.
The following table shows the private IPv4 address blocks:
Figure 9.1 – Private IPv4 address classes
(RFC 1918 reserves 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 for private use.)
A private IPv4 address only needs to be unique within an organization's own network; different organizations and private networks can reuse the same ranges. Each organization can use whichever block of private IPv4 addresses it sees fit. Each block of private IPv4 addresses provides a range of usable IPv4 addresses per network, ranging from 254 to over 16 million usable addresses.
RFC 1918 addresses allow an organization of any size to assign one of these addresses to a unique device without needing to assign a public IPv4 address to each device. Therefore, these addresses are strictly for use on private computer networks only.
The Internet Assigned Numbers Authority (IANA) has designated these specific IPv4 ranges as private and non-routable on the internet. Internet Service Providers (ISPs) have implemented security mechanisms, such as access control lists (ACLs), to prevent RFC 1918 addresses from entering the ISP network and the internet.
Another important concern is how, since RFC 1918 addresses are non-routable on the internet, a device with a private IPv4 address communicates with and accesses resources on the internet. In the next section, we will discuss how devices that are on private networks are able to communicate on the internet.
Understanding NAT
A device that is assigned a private IPv4 address is not able to simply communicate with devices on the internet on its own; it needs some assistance. For example, your computer or smart device is most likely assigned a private IPv4 address on your network, but it's able to connect to devices on the internet. This is because of something called NAT. NAT makes our lives in networking that bit easier as it allows a router to translate a private address into a public address. Let's take a look at the following diagram to get a clear idea of how NAT really works:
Figure 9.2 – NAT topology
In the preceding figure, there are two networks, a corporate network and the internet, and in between both is a NAT router. Let's imagine that there is a device on the corporate network, PC1, with an IP address of 192.168.1.10.
PC1 wants to send a message to a device on the internet, let's say a Cisco web server at 23.10.104.199. The following are the actions taken by the router:
1. PC1 sends the message to its default gateway, the router in our topology.
2. When the packet is received by the router, the Layer 3 header is inspected to determine the destination IP address.
3. Since the destination address is a public IP address, the router will translate the source IP address from 192.168.1.10 to the router's public IP address of 209.65.1.2. This process is known as NAT.
4. After the NAT process is completed, the router forwards the packet to its destination, 23.10.104.199.
If another device on the corporate network wishes to communicate with another device on the internet, then the process is repeated. Devices on the internet do not see the corporate, private network. They only see the internet IP address of 209.65.1.2. Therefore, the returning traffic will be sent to the 209.65.1.2 address and the router will reverse the translation process and forward the message back to PC1.
A feature such as NAT allows us to conserve the IPv4 public address space, allowing us to assign a single public IPv4 address per organization or private network owner. A simple example is your home modem, which has a single public IPv4 address assigned to its internet-facing interface (port); on the internal side of your home network, you're using a private address scheme with many devices being NATed through that single public IP address. The same concept applies to organizations with hundreds of devices on their private network; they all share a single public IPv4 address via NAT on their internet router or modem.
Important note
The primary benefit of using NAT is to conserve the public IPv4 address space.
There are many advantages of using NAT on a network. The following are the key benefits of using NAT:
The primary benefit is the conservation of the public IPv4 address space.
NAT allows the flexibility of using pools of addresses, such as public IPv4 addresses, for load-balancing traffic to the internet. This feature ensures the reliability of connections to public networks such as the internet.
NAT hides users and devices that are using RFC 1918 addressing schemes. In other words, devices that are located on the internet cannot see into your private network; they will only see your public IP address. Keep in mind that this is a side effect of translation, not a security control: a NAT router still forwards any inbound packet that matches a translation entry or a static mapping, so access to inside hosts must still be restricted with ACLs or a firewall.
NAT allows the network administrators to maintain consistency in their internal network addressing standards. This allows all internal devices to use RFC 1918 addresses without having to be assigned a public IPv4 address to access the internet. The NAT router handles the translation of addresses between the internal and public networks.
While there are clear advantages to using NAT, we must also understand that NAT has some disadvantages on a network, such as the following:
One of the major disadvantages of using NAT is related to the degradation of network performance for various types of network traffic, such as voice over IP (VoIP). As traffic passes through a NAT-enabled router, there is some delay as the router has to perform the address translation process. As each packet enters the router, the router has to inspect the Layer 3 header of each packet to determine whether to perform NAT before forwarding the packet to its destination.
Another important disadvantage to note is that end-to-end addressing is lost with NAT. As a packet passes through NAT-enabled routers, the source IP address of the packet is changed, and this makes it harder to trace the actual source or sender of a packet.
Virtual private network (VPN) technologies, such as IP security (IPsec), do not work well with NAT. Since NAT modifies the Layer 3 header of packets, it breaks the integrity check of IPsec's Authentication Header (AH), and the port rewriting that PAT depends on is impossible when the transport header is encrypted by ESP. IPsec peers work around this with NAT Traversal (NAT-T), which encapsulates ESP in UDP on port 4500; without it, IPsec VPNs have trouble establishing a secure tunnel between remote branches through NAT.
Now that we have understood the basics of NAT, let's look at its operation and terminology.
Understanding NAT operation and terminology
In the world of Cisco and NAT, there are a few terms that are used to help us identify whether an IPv4 address is on the private network or the public network. In this section, you will learn about the NAT terminology.
Let's inspect the following figure to better understand NAT operations:
Figure 9.3 – Simple NAT operations
In the preceding network topology, there are two types of networks: the private network, which is typically the corporate network owned by an organization, and the public network known as the internet. By default, the Cisco IOS router does not know which type of network PC1 or the server belongs to. All the router knows is that there are two different IPv4 networks and its job is to forward packets between them. However, when we as humans look at the topology here, we can simply say that PC1 is on the private network with a private IPv4 address that is non-routable on the internet, while the public server has a public IPv4 address and is on the internet.
The main question now, when the router has to perform NAT operations by translating the private IPv4 address into a public address, is how does the router know which side of the network each IP address belongs to? To understand this, we must first identify the inside address and the outside address.
The inside address is the IP address that is to be translated by the router. In the previous topology, we can identify the inside address as any address on the private or internal network. The outside address is simply the address of the destination device. So, if the PC is attempting to communicate with the server, then the outside address is 209.65.1.10; however, as simple as it seems, the router does not see this as plainly as we do. Furthermore, NAT uses the local and global parameters to tell the router additional details about the addresses that are to be translated. A local address is an address as it appears on the inside network, while a global address is an address as it appears on the outside (public) side of the network.
To explore this further, let's take a look at the following figure:
Figure 9.4 – NAT process part 1
In the preceding diagram, PC1 has created a message for the public server. When NAT is enabled on the Cisco IOS router, it sees the inside local address as 192.168.1.10 and the outside local address as the destination device, which is 209.65.1.10. The addresses as shown in the preceding figure are prior to the NAT process.
The following figure shows the results after the address has been translated by NAT:
Figure 9.5 – NAT process part 2
When the packet enters the router, the process of NAT takes place. The router takes a look at the source and destination address. If the destination address belongs to the global network, then the router performs NAT on the inside local address, converting it to the inside global address. In other words, NAT translates the private IPv4 address of the PC to the public IPv4 address on the router's interface.
Important note
The outside local and outside global addresses are usually the same IP address. These addresses are those that belong to the destination device.
In the next section, we will discuss the various types of NAT, their uses, and how to configure each one on a Cisco IOS router.
Types of NAT
There are many types of NAT translations. Each type has its own advantages, disadvantages, and real-world use. In this section, you will learn about their characteristics and operations, and how to configure each type of NAT on a Cisco IOS router.
Static NAT
Static NAT uses a one-to-one mapping of the inside local address with the inside global address. This type of NAT mapping does not change; as the name implies, the mapping remains constant. This type of NAT is very useful when you want to allow external users on the internet to access a device such as a web server that sits on your internal private network in your organization.
Let's imagine that your organization has a web server located on a private network and you are tasked to allow users from the internet access to the server. To complete this task, you can create a one-to-one static mapping between the web server's private IP address (inside local) and the public IP address on the router (inside global). This will allow anyone on the internet to simply enter the public IP address (inside global) in their web browser and, when the router receives the traffic, it will simply forward it to the inside local address, which is the server.
The following figure shows how PC2 is able to access the internal web server via static NAT:
Figure 9.6 – Static NAT
The devices that are on the internet, such as PC2, will not see the inside local address of the server; they will only see the inside global address. Additionally, devices on the internet will not be aware that the router is performing NAT in the background. Note that a one-to-one static mapping exposes every port of the server to the internet, so pair it with an inbound ACL on the outside interface that only permits the service ports you intend to publish.
To configure static NAT on a Cisco IOS router, go through the following instructions:
1. Configure the inside interface on the router. This interface is connected to the inside network:
Router(config)#interface interface-ID
Router(config-if)#ip nat inside
Router(config-if)#exit
2. Configure the outside interface. This interface is connected to the outside network:
Router(config)#interface interface-ID
Router(config-if)#ip nat outside
Router(config-if)#exit
3. Create the map between the inside local address and the inside global address:
Router(config)#ip nat inside source static inside-local-ip inside-global-ip
Now, let's see how dynamic NAT works.
Dynamic NAT
Dynamic NAT uses a pool of inside global addresses that are automatically translated on a first-come, first-served basis by the NAT-enabled router. Unlike static NAT, which manually creates a static mapping between an inside local address and an inside global address, dynamic NAT allows you to allocate a range of available addresses via a NAT pool.
Let's say that your company has a range of public IPv4 addresses allocated to your organization by the local ISP, and you want to allow a small IP subnet of end devices to use any address within the allocated range when communicating with the outside network. Dynamic NAT simply allows you to create an ACL to specify which IP subnets are allowed to use the range (pool) of public IP addresses.
The following figure shows a router that is configured with a range of public IPv4 addresses:
Figure 9.7 – Dynamic NAT
The outside interface of the router is configured with a NAT pool of addresses ranging from 209.65.1.2 to 209.65.1.5. These addresses are allocated for use by the inside network. When PC1 communicates on the outside network, the router checks the NAT pool for an available IPv4 address and translates the inside local address to an available inside global address. In this situation, the inside local address is 192.168.1.10, which will then be translated to 209.65.1.2. If another device, such as PC2 (192.168.1.11), wants to communicate over the internet (outside network), then the process is repeated, and this time the router will use the next available address from the pool, 209.65.1.3.
The disadvantage of dynamic NAT is that since each address in the pool can be mapped to only one inside local address at a time, the number of simultaneous translations is limited by the size of the pool. Therefore, if more devices on the inside network attempt to communicate on the outside network at the same time than there are addresses in the pool, the pool of available addresses will become exhausted and the additional devices' packets will be dropped until an address is freed.
When dynamic mapping occurs, it is only temporary for the duration of the session between the inside device and the destination device. The router monitors for inactivity in dynamic NAT. When it detects that a dynamic NAT translation is no longer being used, it will make the inside global address available for future translations.
Important note
The clear ip nat translation * command will allow you to clear all NAT translations on the router.
Keep in mind that if you are implementing dynamic NAT within your network, you should ensure that there are enough public IP addresses to satisfy the number of simultaneous sessions that will be generated by the inside network.
To configure dynamic NAT on a Cisco IOS router, use the following instructions:
1. Configure the inside interface on the router. This interface is connected to the inside network:
Router(config)#interface interface-ID
Router(config-if)#ip nat inside
Router(config-if)#exit
2. Configure the outside interface. This interface is connected to the outside network:
Router(config)#interface interface-ID
Router(config-if)#ip nat outside
Router(config-if)#exit
3. Create a pool of inside global addresses to use with dynamic NAT:
Router(config)#ip nat pool pool-name start-ip end-ip [netmask subnet-mask | prefix-length prefix-length]
4. Create an ACL to permit the addresses that are to be translated:
Router(config)#ip access-list standard access-list-name
Router(config-std-nacl)#permit network-ID wildcard-mask
Router(config-std-nacl)#exit
Additionally, you can use the access-list <acl-number> permit <network-ID> <wildcard-mask> command to create a numbered standard ACL.
5. Bind the dynamic NAT pool of addresses to the ACL of the addresses to be translated:
Router(config)#ip nat inside source list access-list-name pool pool-name
Next, let's learn about PAT.
Configuring PAT
PAT, also known as NAT overload, differs from both static and dynamic NAT translations. PAT allows a router to translate multiple private IPv4 addresses into a single public address. This type of NAT is commonly used within home networks. The ISP usually assigns a single public IP address to the internet modem/router. The modem is configured with PAT (NAT overload), which translates any number of private addresses on the inside network to the single public address assigned on the modem/router interface on the outside network.
If you recall from previous chapters, when a device wants to initiate a connection with another device, the sender generates either a TCP or UDP source port and destination port, based on the application layer protocol/service. PAT takes advantage of this and keeps track of the port numbers being used for each session and IP address. Within each session, the sender always generates a unique source port with its source IP address; this ensures that the IP-to-port combination is always unique, and thus PAT can track these unique sessions to identify specific NAT translations.
Important note
PAT ensures that the combination of inside global address and TCP or UDP port is unique for each session, so that return traffic can be mapped back to the correct inside host.
To get a better understanding of how PAT works, let's take a look at the following figure. There are two devices on the inside network, PC1 and PC2, that want to communicate with the web servers on the internet:
Figure 9.8 – PAT operations
Each device on the inside network sends its message containing the source IP address, source port, destination IP address, and destination port to the router. When the router receives messages on its inside interface, it will inspect the destination IP address in the Layer 3 header. Since the destination devices are located on the outside network, the router performs PAT. The router translates the inside local address to the inside global address while keeping track of the port number, as shown in the following figure:
Figure 9.9 – PAT operations
When the message leaves the router's outside interface, it will contain the new source IP address of 209.65.200.228. Devices on the internet such as the web servers in the preceding figure will see 209.65.200.228 as the sender and not the devices on the inside network (PC1 and PC2).
During sessions between the inside and outside network, PAT tries to maintain the original port numbers that are being used; however, if a source port number is already being used by another inside device, PAT will allocate the next available port number and keep track of the session and translation mapping.
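The following Python model is an added example, not code from the book or from Cisco IOS. It walks the packets described in the NAT terminology section and in the descriptions of static NAT, dynamic NAT, and PAT above through a simplified translation table, and returns the four Cisco address terms for one translation, what happens when a dynamic pool runs out, how PAT picks a new source port when two inside hosts collide on the same one, and why an unsolicited inbound packet to the PAT address is dropped. The addresses, ports, and the collision are constructed; the port-selection rule (take the next free port) is a simplification of the IOS implementation.

```python
"""Model of the translation table a NAT router keeps.

Added example, not code from the book or from Cisco IOS. It pushes the
packets the text describes (PC1 at 192.168.1.10 reaching the server at
209.65.1.10 through a router whose inside global address is 209.65.1.2)
through the three NAT types and returns what each one does. All
addresses and ports are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, L4 port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    proto: str = "tcp"


class NatRouter:
    """Inside -> outside is 'outbound'; the table is keyed on the inside local endpoint."""

    def __init__(self, static=None, pool=None, overload_ip=None):
        self.static: Dict[str, str] = dict(static or {})  # inside local ip -> inside global ip
        self.pool: List[str] = list(pool or [])             # free inside global addresses
        self.dynamic: Dict[str, str] = {}                   # inside local ip -> pool address held
        self.overload_ip = overload_ip                      # the single PAT address
        self.table: Dict[Tuple[str, Endpoint], Endpoint] = {}
        self.used_ports = set()                             # (proto, port) in use on overload_ip

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.proto, pkt.src)
        if key not in self.table:
            glob = self._allocate(pkt.proto, pkt.src)
            if glob is None:
                return None  # nothing left to translate to: the packet is dropped
            self.table[key] = glob
        return Packet(self.table[key], pkt.dst, pkt.proto)

    def _allocate(self, proto: str, src: Endpoint) -> Optional[Endpoint]:
        ip, port = src
        if ip in self.static:                 # static NAT: fixed one-to-one, port unchanged
            return (self.static[ip], port)
        if ip in self.dynamic:                # dynamic NAT: host already holds a pool address
            return (self.dynamic[ip], port)
        if self.pool:                         # dynamic NAT: first come, first served
            self.dynamic[ip] = self.pool.pop(0)
            return (self.dynamic[ip], port)
        if self.overload_ip:                  # PAT: keep the port if free, else the next free one
            while (proto, port) in self.used_ports:
                port = port + 1 if port < 65535 else 1024
            self.used_ports.add((proto, port))
            return (self.overload_ip, port)
        return None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return traffic is matched on (proto, inside global) and rewritten to inside local."""
        for (proto, local), glob in self.table.items():
            if proto == pkt.proto and glob == pkt.dst:
                return Packet(pkt.src, local, proto)
        return None  # no entry: the router has nowhere to send it and drops it


def nat_terms(before: Packet, after: Packet) -> Dict[str, str]:
    """Cisco's four NAT terms for one outbound translation."""
    return {
        "inside local": before.src[0],   # PC1 as seen on the inside
        "inside global": after.src[0],   # PC1 as seen from the internet
        "outside local": before.dst[0],  # the server as seen from the inside
        "outside global": after.dst[0],  # the server as seen on the internet (usually identical)
    }


def demo():
    web = ("209.65.1.10", 80)
    pc1 = ("192.168.1.10", 1025)
    pc2 = ("192.168.1.11", 1025)  # same source port as PC1: PAT must pick another
    pc3 = ("192.168.1.12", 1026)

    static = NatRouter(static={"192.168.1.10": "209.65.1.2"})
    s_out = static.outbound(Packet(pc1, web))
    s_back = static.inbound(Packet(web, s_out.src))

    dynamic = NatRouter(pool=["209.65.1.2", "209.65.1.3"])  # two addresses, three hosts
    d_out = [dynamic.outbound(Packet(pc, web)) for pc in (pc1, pc2, pc3)]

    pat = NatRouter(overload_ip="209.65.1.2")
    p_out = [pat.outbound(Packet(pc, web)) for pc in (pc1, pc2, pc3)]
    # an unsolicited connection from the internet to the PAT address has no table entry
    unsolicited = pat.inbound(Packet(("203.0.113.7", 4444), ("209.65.1.2", 22)))
    return s_out, s_back, d_out, p_out, unsolicited


if __name__ == "__main__":
    for item in demo():
        print(item)
```

In the demo the third host behind the two-address dynamic pool gets no translation at all, which is the exhaustion the text warns about, whereas the PAT router serves all three from one address by moving PC2 from port 1025 to 1026 and PC3 from 1026 to 1027.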
There are two methods to configure PAT (NAT overload) on a Cisco IOS router. The first method configures PAT to use a pool of inside global addresses. This method is useful in situations where all port numbers are being used on a single public IP address. PAT then moves on to the next available public IP address within the pool and begins allocating port numbers.
To configure P

AT with a pool of addresses, use the following instructions:
1. Configure the inside interface on the router. This interface is connected to the inside network:
Router(config)#interface interface-ID
Router(config-if)#ip nat inside
Router(config-if)#exit
2. Configure the outside interface. This interface is connected to the outside network:
Router(config)#interface interface-ID
Router(config-if)#ip nat outside
Router(config-if)#exit
3. Create a pool of inside global addresses to use with NAT overload:
Router(config)#ip nat pool pool-name start-ip end-ip [netmask subnet-mask | prefix-length prefix-length]
4. Create an ACL to permit the addresses that are to be translated:
Router(config)#ip access-list standard access-list-name
Router(config-std-nacl)#permit network-ID wildcard-mask
Router(config-std-nacl)#exit
5. Bind the NAT pool of addresses to the ACL of the addresses for translation using the overload keyword:
Router(config)#ip nat inside source list access-list-name pool pool-name overload
Additionally, you can also use a numbered standard ACL rather than a named ACL.
The second method of configuring PAT allows you to translate all inside addresses to a single public IP address, the one assigned to the router's outside interface. This method is useful when you have only one public IP address and multiple inside devices that require connectivity to the internet. No NAT pool is needed in this case, because the overload command references the outside interface directly.
To configure PAT to use a single inside global address, use the following instructions:
1. Configure the inside interface on the router. This interface is connected to the inside network:
Router(config)#interface interface-ID
Router(config-if)#ip nat inside
Router(config-if)#exit
2. Configure the outside interface. This interface is connected to the outside network:
Router(config)#interface interface-ID
Router(config-if)#ip nat outside
Router(config-if)#exit
3. Create an ACL to permit the addresses that are to be translated:
Router(config)#ip access-list standard access-list-name
Router(config-std-nacl)#permit network-ID wildcard-mask
Router(config-std-nacl)#exit
4. Bind the ACL to the interface on the router that has the inside global address:
Router(config)#ip nat inside source list access-list-name interface interface-ID overload
Lastly, we can use NAT to perform port forwarding on a Cisco router.
To configure port forwarding on a Cisco IOS router, use the following instructions:
1. Configure the inside interface on the router. This interface is connected to the inside network:
Router(config)#interface interface-ID
Router(config-if)#ip nat inside
Router(config-if)#exit
2. Configure the outside interface. This interface is connected to the outside network:
Router(config)#interface interface-ID
Router(config-if)#ip nat outside
Router(config-if)#exit
3. Create the map between the inside local address and port and the inside global address and port:
Router(config)#ip nat inside source static {tcp | udp} inside-local-ip local-port inside-global-ip global-port
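As an added check (example code, not from the book or from Cisco), the following Python script parses the NAT statements that the procedures above produce in a running configuration and reports the mistakes that most often leave NAT half-working or publishing more than intended: a binding that references an ACL or pool that was never created, an overload interface that is not marked ip nat outside, a NAT ACL that permits any, a pool whose range does not fit its netmask, and a one-to-one static mapping that publishes every port of an inside host. The configuration text is constructed for the demonstration and deliberately contains three such mistakes; only the netmask form of ip nat pool is parsed.

```python
"""Sanity checks for the NAT statements in a Cisco IOS configuration.

Added example, not code from the book or from Cisco. It parses the
running-config lines produced by the procedures above (inside/outside
interfaces, pool, standard ACL and the ip nat inside source bindings)
and reports the mistakes that most often leave NAT half-working or
publishing more of the inside network than intended. SAMPLE_CONFIG is
constructed for the demo and deliberately contains three such mistakes.
Only the netmask form of ip nat pool is parsed.
"""
import ipaddress
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
ip nat pool PUBLIC-POOL 209.65.1.2 209.65.1.5 netmask 255.255.255.0
ip access-list standard NAT-LIST
 permit 172.16.1.0 0.0.0.255
 permit any
ip nat inside source list NAT-LIST pool PUBLIC-POOL overload
ip nat inside source list MISSING-ACL interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.16.1.10 80 192.0.2.2 80
ip nat inside source static 172.16.1.20 209.65.1.9
"""

BINDING = re.compile(r"ip nat inside source list (\S+) (pool|interface) (\S+)( overload)?$")
STATIC = re.compile(r"ip nat inside source static (?:(tcp|udp) )?(\S+) (?:(\d+) )?(\S+)(?: (\d+))?$")
POOL = re.compile(r"ip nat pool (\S+) (\S+) (\S+) netmask (\S+)$")


def parse_nat_config(text: str) -> Dict:
    cfg = {"inside": [], "outside": [], "pools": {}, "acls": {}, "bindings": [], "statics": []}
    current_if = current_acl = None
    for line in text.splitlines():
        body = line.strip()
        if not body:
            continue
        if line.startswith(" "):  # sub-mode line: belongs to the interface or ACL opened above
            if current_if and body == "ip nat inside":
                cfg["inside"].append(current_if)
            elif current_if and body == "ip nat outside":
                cfg["outside"].append(current_if)
            elif current_acl and body.split()[0] in ("permit", "deny"):
                cfg["acls"][current_acl].append(body)
            continue
        current_if = current_acl = None  # a top-level command ends any sub-mode
        if m := re.match(r"interface (\S+)$", body):
            current_if = m.group(1)
        elif m := re.match(r"ip access-list standard (\S+)$", body):
            current_acl = m.group(1)
            cfg["acls"][current_acl] = []
        elif m := POOL.match(body):
            cfg["pools"][m.group(1)] = m.group(2, 3, 4)
        elif m := BINDING.match(body):
            cfg["bindings"].append((m.group(1), m.group(2), m.group(3), m.group(4) is not None))
        elif m := STATIC.match(body):
            cfg["statics"].append(m.groups())
    return cfg


def check_nat(cfg: Dict) -> List[str]:
    findings = []
    if not cfg["inside"] or not cfg["outside"]:
        findings.append("NAT needs at least one ip nat inside and one ip nat outside interface")
    for acl, kind, target, _overload in cfg["bindings"]:
        entries = cfg["acls"].get(acl)
        if entries is None:
            findings.append(f"binding references undefined ACL {acl}: nothing will be translated")
        elif "permit any" in entries:
            findings.append(f"ACL {acl} permits any: every source arriving on an inside interface is translated")
        if kind == "pool" and target not in cfg["pools"]:
            findings.append(f"binding references undefined pool {target}")
        if kind == "interface" and target not in cfg["outside"]:
            findings.append(f"overload interface {target} is not marked ip nat outside")
    for name, (start, end, mask) in cfg["pools"].items():
        net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if hi < lo or hi not in net:
            findings.append(f"pool {name}: range {start}-{end} does not fit netmask {mask}")
    for proto, local, _lport, glob, _gport in cfg["statics"]:
        if proto is None:  # plain one-to-one static NAT: every port of the host is reachable
            findings.append(f"static NAT {local} -> {glob} publishes every port of {local}; prefer a tcp/udp per-port mapping")
    return findings


if __name__ == "__main__":
    for finding in check_nat(parse_nat_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run against the sample configuration, the script reports the binding to the undefined ACL MISSING-ACL, the permit any entry in NAT-LIST, and the one-to-one mapping of 172.16.1.20; the per-port web server mapping and the pool pass. Feed it the output of show running-config | include nat|interface|permit|deny|access-list to check a real router.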
Having completed this section, you have learned how to configure various types of NAT translations on a Cisco IOS router. In the next section, you will gain hands-on experience of implementing each type of NAT in a Cisco environment.
Lab – implementing NAT overload (PAT)
In this hands-on lab, you will learn how to implement PAT. The following network topology shows an organization's network to the left of the ISP that is connected to the internet. For this lab, we'll be using Cisco Packet Tracer to build our lab and complete the exercise:
Figure 9.10 – NAT overload topology
The objective of this lab is to configure the HQ router with NAT overload so that all devices on the corporate network, such as PC1 with the private IP address 10.1.2.10/24, are translated to a public IP address when attempting to connect to the Public Web Server (209.65.1.3/28).
Please use the following guidelines when creating this lab:
Assign the IP addresses to each device accordingly, as shown in Figure 9.10.
Use only Cisco 2911 models. Ensure that each interface is configured as shown in the topology.
Configure each end device with the corresponding IP address, subnet mask, and default gateway, as shown in the topology.
Configure a default route on HQ to point to the ISP router at 192.0.2.1.
Configure a default route on the ISP router that points to HQ at 192.0.2.2. This is to simulate the internet on the network.
Enable OSPFv2 on the private network, which is between the HQ and Branch-A networks. Use OSPF to propagate the default route to the Branch-A router.
Now that your lab environment is ready, use the following instructions to configure NAT overload:
1. Configure the inside interfaces on the HQ router for NAT:
HQ(config)#interface GigabitEthernet0/1
HQ(config-if)#ip nat inside
HQ(config-if)#exit
HQ(config)#interface GigabitEthernet0/2
HQ(config-if)#ip nat inside
HQ(config-if)#exit
2. Configure the outside interface on the HQ router for NAT:
HQ(config)#interface GigabitEthernet0/0
HQ(config-if)#ip nat outside
HQ(config-if)#exit
3. Create an ACL with a wildcard mask on the HQ router to only allow the private addresses to be translated via NAT:
HQ(config)#ip access-list standard NAT-LIST
HQ(config-std-nacl)#permit 172.16.1.0 0.0.0.255
HQ(config-std-nacl)#permit 10.1.2.0 0.0.0.255
HQ(config-std-nacl)#exit
We've used a named ACL called NAT-LIST to help us understand the purpose of the access list on the router.
4. Bind the NAT-LIST ACL to the interface with the public IP address (192.0.2.2):
HQ(config)#ip nat inside source list NAT-LIST interface GigabitEthernet0/0 overload
5. On PC1, open the web browser, enter the IP address of the Public Web Server, and hit Enter:
Figure 9.11 – Web page
This is a good indicator of whether PC1 has connectivity to the Public Web Server.
6. On HQ, use the show ip nat translations command to validate the private IP addresses that are being translated to the public IP address using NAT overload or PAT:
Figure 9.12 – PAT translations
The translation is using tcp as expected, since we accessed the default web page on the server via HTTP. The inside global address is the public IPv4 address on the outside interface of HQ: 192.0.2.2 with a source port of 1025. The inside local address is the private IPv4 address of PC1: 10.1.2.10 with a source port of 1025. Both the outside local and outside global addresses belong to the Public Web Server: 209.65.1.3 with a destination port of 80.
7. On HQ, use the show ip nat statistics command to verify the NAT interfaces and pool:
Figure 9.13 – NAT statistics
The output provides us with information about which interfaces are used as inside and outside interfaces on the router for NAT, the number of translations that have occurred, and whether there are any dynamic mappings. Since the lab is translating private IPv4 addresses to a single public IPv4 address via the GigabitEthernet0/0 interface, there are no dynamic mappings in the output. Additionally, the Total active translations line breaks the count down into static, dynamic, and extended entries; extended entries are the per-port translations created by NAT overload (PAT).
Having completed this lab, you have acquired the skills needed to implement and validate NAT overload (PAT) configurations in a Cisco environment. In the next lab, you will learn how to configure static NAT to perform port forwarding to an internal web server within a private corporate network.
Lab – implementing static NAT with port forwarding
In this lab, you will learn how to implement static NAT on an organization's router to forward traffic that is originating from the internet to an internal private server. This exercise is an extension of the previous lab. We'll be using the following topology and the same guidelines as before:
Figure 9.14 – Static NAT with port forwarding
The objective of this lab is to allow users (Public PC) on the internet to access the internal web server on the private corporate network via NAT. Therefore, when the Public PC enters the public IP address into the web browser, the HQ router will translate and forward the traffic to the internal web server only.
To implement static NAT with port forwarding, use the following instructions:
1. Configure the inside interface on the HQ router that points to the internal web server:
HQ(config)#interface GigabitEthernet0/1
HQ(config-if)#ip nat inside
HQ(config-if)#exit
2. Configure the outside interface on the HQ router for NAT:
HQ(config)#interface GigabitEthernet0/0
HQ(config-if)#ip nat outside
HQ(config-if)#exit
3. Configure a static translation between the inside global address and the inside local address of the internal web server using the following command. Since it's a web server, use the default HTTP port, 80:
HQ(config)#ip nat inside source static tcp 172.16.1.10 80 192.0.2.2 80
This static mapping will allow any device that is on the internet side of the topology to access the internal web server by simply using the public IP address of the HQ router, 192.0.2.2, with a destination port of 80. Only TCP port 80 is forwarded; every other port on 192.0.2.2 still belongs to the HQ router itself, which is why a per-port mapping is preferable to a one-to-one static mapping of the whole server address.
4. On HQ, use the show ip nat translations command to verify the static NAT map:
Figure 9.15 – Static NAT mapping
Whenever you create a static NAT map on a Cisco IOS router, both the inside global and inside local addresses of the map are shown within the show ip nat translations output. Keep in mind that if the port numbers were not specified during the previous step, they won't appear in the preceding snippet.
5. On PC2 (Public PC), open the web browser, enter the public IP address of the HQ router, and hit Enter to verify that you have connectivity:
Figure 9.16 – Connectivity test via web browser
The preceding snippet validates that there is connectivity to the internal web server on the private corporate network from the internet side of the topology.
6. On HQ, use the show ip nat translations command to show that the static NAT translation is working with port forwarding:
Figure 9.17 – Static NAT translations on HQ
As shown in the preceding snippet, NAT is working as expected. The traffic is originating from PC2 (Public PC) with IP address 209.65.1.2, and the HQ router is performing a static NAT translation with port forwarding to the internal web server at 172.16.1.10:80. The Public PC sees the internal web server as 192.0.2.2, but HQ translates and forwards the traffic to the private IP address 172.16.1.10.
7. On HQ, use the show ip nat statistics command as shown in the following figure:
Figure 9.18 – NAT statistics
From the output, we can determine that there is a static NAT map on the HQ router with two port translations having taken place. Furthermore, the NAT outside and inside interfaces are displayed, as this information helps us determine whether any misconfigurations exist on a NATed interface.
Havingcompletedthislab,youwillhavelearnedhowtoconfigureaCiscoIOSroutertoperformstaticNATwithportforwarding.Thisexercisealsodemonstrateshowtoallowusersontheinternettoaccessinternalserversonacorporatenetwork,specificallyviaaserviceportsuchasport80fortheHTTP
server,asinourlab.Inthenextlab,youwilllearnhowtoimplementdynamicNATonaCiscoenvironment.
Lab – implementing dynamic NAT
In this lab, you will learn how to implement dynamic NAT with a pool of IP addresses. The following network topology shows an organization network (left) that is connected to the internet via the ISP router:
Figure 9.19 – Dynamic NAT topology
The objective of this lab is to allow the IP addresses of devices in the company attempting to communicate on the internet to be translated to an available public IP address, via dynamic NAT, on the HQ router.
Please be sure to use the following guidelines when creating this lab to ensure that you get the correct results:
Assign the IP addresses as shown in the preceding figure to each device accordingly.
Each router (Cisco 2911 model) interface must be configured as shown in the topology.
Configure each end device with the corresponding IP address, subnet mask, and default gateway, as shown in the topology.
Configure a default route on HQ to point to the ISP router at 192.0.2.1.
Configure a default route on the ISP router that points to HQ at 192.0.2.2. This is to simulate the internet on the network.
To configure dynamic NAT on a Cisco IOS router, use the following instructions:
1. Configure the inside interfaces on the HQ router for NAT:
HQ(config)#interface GigabitEthernet0/1
HQ(config-if)#ip nat inside
HQ(config-if)#exit
2. Configure the outside interface on the HQ router for NAT:
HQ(config)#interface GigabitEthernet0/0
HQ(config-if)#ip nat outside
HQ(config-if)#exit
3. Create a NAT pool to specify the range of usable public IP addresses. Begin with the starting IP address of 192.0.2.2 and the ending IP address of 192.0.2.5, and a network mask of 255.255.255.240:
HQ(config)#ip nat pool NAT-IPAdd 192.0.2.2 192.0.2.5 netmask 255.255.255.240
4. Create an ACL with a wildcard mask on the HQ router to only allow the private addresses to be translated via NAT. Use the ACL name NAT-List:
HQ(config)#ip access-list standard NAT-List
HQ(config-std-nacl)#permit 172.16.1.0 0.0.0.255
HQ(config-std-nacl)#exit
5. Merge the ACL (NAT-List) with the NAT IP pool (NAT-IPAdd) to create the dynamic mapping:
HQ(config)#ip nat inside source list NAT-List pool NAT-IPAdd
6. On PC1, open the web browser, enter the IP address of the web server, and hit Enter:
Figure 9.20 – Web server
7. On HQ, use show ip nat translations to verify whether dynamic NAT is working:
Figure 9.21 – Dynamic NAT translations
The output proves that dynamic NAT is working as expected. If another client device on the company side of the network establishes a connection to the web server, then another public IP address will be used from the NAT pool and this will reflect in the translation window.
8. On HQ, use the show ip nat statistics command to validate the dynamic NAT configurations:
Figure 9.22 – Dynamic NAT statistics
The output shows the name of the dynamic NAT pool, the IP ranges and subnet mask, the number of IP addresses that are being used at that point in time (allocated), and the inside and outside NAT interfaces.
Having completed this lab, you have gained the essential skills needed to configure dynamic NAT in a Cisco environment.
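The following Python model is an added example; it is not from the book or from the Packt code files. It reproduces the behaviour of both labs in this section so that the two configurations can be compared side by side: the static port-forwarding entry from the first lab (only TCP port 80 on 192.0.2.2 is mapped to 172.16.1.10, so a packet to any other port on the public address has no translation and is dropped) and the dynamic pool from the second lab (addresses 192.0.2.2–192.0.2.5 are handed out only to sources matched by the NAT-List ACL, and once four inside hosts hold an address the fifth gets no translation). The `NatRouter` class, the `Packet` tuple and the extra inside host addresses 172.16.1.11–172.16.1.14 are constructed for the example; the IOS commands quoted in the docstrings are the ones used in the labs.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The 5-tuple a NAT device rewrites; nothing else about the packet matters here."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Toy model of the HQ router's NAT table (constructed example, not Cisco IOS code)."""

    def __init__(self) -> None:
        # (proto, inside global ip, inside global port) -> (inside local ip, inside local port)
        self.static: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        self.pool: List[str] = []                 # usable inside global addresses
        self.acl: List[IPv4Network] = []          # networks permitted by the NAT ACL
        self.dynamic: Dict[str, str] = {}         # inside local ip -> inside global ip
        self.hits = 0                             # translations performed ('show ip nat statistics')

    def static_port_forward(self, proto, local_ip, local_port, global_ip, global_port):
        """ip nat inside source static <proto> <local> <lport> <global> <gport>"""
        self.static[(proto, global_ip, global_port)] = (local_ip, local_port)

    def define_pool(self, start: str, end: str, netmask: str) -> None:
        """ip nat pool <name> <start> <end> netmask <mask>"""
        net = IPv4Network(f"{start}/{netmask}", strict=False)
        first, last = IPv4Address(start), IPv4Address(end)
        if last < first or last not in net:
            raise ValueError("pool range must lie inside the netmask")
        self.pool = [str(IPv4Address(i)) for i in range(int(first), int(last) + 1)]

    def permit(self, network: str, wildcard: str) -> None:
        """ip access-list standard <name> / permit <network> <wildcard-mask>"""
        self.acl.append(IPv4Network(f"{network}/{wildcard}"))  # ipaddress accepts wildcard (host) masks

    def inside_to_outside(self, pkt: Packet) -> Optional[Packet]:
        """Packet leaving through the 'ip nat outside' interface. None: no translation applies."""
        if pkt.src_ip in self.dynamic:                         # reuse the existing dynamic entry
            self.hits += 1
            return replace(pkt, src_ip=self.dynamic[pkt.src_ip])
        if not any(IPv4Address(pkt.src_ip) in net for net in self.acl):
            return None                                        # not matched by the ACL
        in_use = set(self.dynamic.values())
        free = [ip for ip in self.pool if ip not in in_use]
        if not free:
            return None                                        # pool exhausted
        self.dynamic[pkt.src_ip] = free[0]
        self.hits += 1
        return replace(pkt, src_ip=free[0])

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on the outside interface. None: dropped, nothing maps to it."""
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port)
        if key in self.static:
            self.hits += 1
            local_ip, local_port = self.static[key]
            return replace(pkt, dst_ip=local_ip, dst_port=local_port)
        for local_ip, global_ip in self.dynamic.items():
            if global_ip == pkt.dst_ip:                        # return traffic for an active entry
                self.hits += 1
                return replace(pkt, dst_ip=local_ip)
        return None

    def show_translations(self) -> List[Tuple[str, str, str]]:
        """Rows in the shape of 'show ip nat translations': (proto, inside global, inside local)."""
        rows = [(p, f"{g}:{gp}", f"{l}:{lp}") for (p, g, gp), (l, lp) in self.static.items()]
        rows += [("---", g, l) for l, g in self.dynamic.items()]
        return rows


if __name__ == "__main__":
    hq = NatRouter()
    hq.static_port_forward("tcp", "172.16.1.10", 80, "192.0.2.2", 80)
    hq.outside_to_inside(Packet("tcp", "209.65.1.2", 51000, "192.0.2.2", 80))
    for row in hq.show_translations():
        print(*row)
```

Two checks are worth making against such a table: nothing but the forwarded port is reachable from the outside (the static entry is keyed on protocol, address and port, so a probe to port 22 on the public address finds no entry), and with dynamic NAT it is the ACL, not the pool, that decides which inside hosts are translated at all.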
Summary
In this chapter, we have discussed the important role that NAT plays in almost all private networks of all sizes. We explored the characteristics and functions of each type of NAT and in which situations they would be used. By completing this chapter, you have gained both a theoretical understanding of the operations of NAT on an enterprise network, and the hands-on skills to implement static NAT, dynamic NAT, and PAT on a Cisco network.
I hope that this chapter has been informative and helps you in your journey toward learning how to implement and administrate Cisco solutions and prepare for the CCNA 200-301 certification. In the next chapter, Chapter 10, Implementing Network Services and IP Operations, we will learn how to implement the Network Time Protocol (NTP), Dynamic Host Configuration Protocol (DHCP), and other IP services on a Cisco environment.
Questions
The following is a short list of review questions to help reinforce your learning and help you identify which areas of your knowledge require some improvement:
1. Which of the following network addresses are non-routable on the internet?
A. 192.167.68.200
B. 192.169.87.23
C. 172.31.1.5
D. 172.32.1.6
2. Which of the following is a benefit of using NAT?
A. Hides users behind a single public IP address
B. Allows VoIP communication over the internet
C. Ensures end-to-end connectivity between internal and external devices
D. Supports IPSec
3. In terms of NAT, what is defined as the inside address?
A. The public IP address
B. The MAC address
C. The address that is visible on the internet
D. The address to be translated
4. How would you describe the address of the destination device?
A. Inside local
B. Outside local
C. Inside global
D. Outside global
5. Which type of NAT is recommended for forwarding all traffic to an internal server if a user on the internet knows the public IP address?
A. Port forwarding
B. PAT
C. Dynamic NAT
D. Static NAT
6. When configuring NAT, which keyword must be used to tell the router to perform port address translation?
A. ip nat
B. overload
C. source
D. static
7. Which command tells the router that an interface belongs on the inside network?
A. ip nat inside
B. ip nat
C. ip nat internal
D. ip nat enable
8. What is another name for port address translation (PAT)?
A. NAT port address translation
B. NAT port
C. NAT overload
D. NAT overwork
9. Which command allows you to see the pool of NAT addresses?
A. show nat
B. show ip nat statistics
C. show nat statistics
D. show statistics
10. How many inside local addresses can be mapped when using dynamic NAT?
A. 65,535
B. 0
C. 1
D. None of the options presented here
Further reading
The following links are recommended for additional reading:
Network address translation: https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html
Configuring NAT: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat-addr-consv.html
Chapter 10: Implementing Network Services and IP Operations
The Cisco IOS operating system is filled with many features that we are yet to explore. The operating system contains a wide variety of network services that are designed to provide scalability and flexibility on a network; these features are commonly referred to as IP services. IP services are the essential services each network needs, such as the Dynamic Host Configuration Protocol (DHCP) to assist with the automatic assignment of IP addresses to client devices, the Domain Name System (DNS) to resolve hostnames to IP addresses, and even network monitoring and management protocols to provide accountability and visibility on a network.
During the course of this chapter, you will learn how to implement the Network Time Protocol (NTP) to ensure all devices' clocks are synchronized and that proper timekeeping is maintained on a network. You'll learn how to implement DHCP on a Cisco system to distribute IP configurations to end devices to allow network connectivity, understand the importance of DNS on a network and the vital role it plays on the internet, and configure Simple Network Management Protocol (SNMP) and Syslog to assist in network management. Lastly, you will learn about the importance of using Quality of Service (QoS) to improve network performance.
In this chapter, we will cover the following topics:
Understanding NTP
Understanding DHCP
DNS
Understanding the benefits of using Syslog
SNMP
QoS traffic classification
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the following software requirement:
Cisco Packet Tracer: https://www.netacad.com
The code files for this chapter are available at https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2010.
Check out the following video to see the Code in Action: https://bit.ly/3mKumGp
Understanding NTP
Time... what an important role it plays in our daily lives, from helping us measure how long it takes to arrive at a destination or event to calculating how quickly athletes perform at the Olympic games. Time is simply the measurement between past, present, and future events.
Time is used to help us take account of an event. Timestamps are used on electronic devices, surveillance systems, and computer and networking devices to provide an account of when certain actions and events occur. On an enterprise network, it is critical to ensure proper timekeeping is maintained throughout the organization.
Why is timekeeping a critical factor on a network? Ensuring all devices are configured with accurate time is important for log and event management on an enterprise network. Events occur frequently on networks; in all the labs you've completed thus far, when you make a change on a Cisco device, a Syslog message is generated and presented on the console window. The message usually contains information and specific details about the event that occurred, and that record is known as a Syslog message.
Log messages are generated all the time for various purposes, such as indicating that an interface status may have changed, checking security-related events, and troubleshooting network issues. Time helps us coordinate and gain a better picture of the sequences that occur on a network. Therefore, it is important to ensure all devices' system clocks are accurately configured within the organization. Cisco IOS devices have an internal clock known as the system clock that the device uses as its primary source of timekeeping. The system clock begins ticking when the device boots up.
Important note
By default, the system clock on Cisco IOS does not automatically assume the current time and date as expected, simply because Cisco starts its devices' clocks at UTC Monday, March 1, 1993.
There are two methods by which we can configure timekeeping on a Cisco IOS device:
Manually
Using NTP
With the manual method, we use the clock set command followed by the time and date in privileged mode. The following is an example of the syntax for configuring the time manually:
clock set hh:mm:ss month day year
The issue we face when configuring time manually on a network is that it's a very time-consuming process and, most importantly, the time may not be synchronous with other devices on the network. As mentioned previously, accurate timekeeping is very important on a network, as timestamps are inserted within event logs such as Syslog messages generated by your devices. If the time is not accurate, there may be inconsistencies when tracking the sequence of log messages for an event. These inconsistencies will result in inaccurate log events between devices.
To view the system clock on a Cisco IOS device, use the show clock command as shown in the following snippet:
Figure 10.1 – System clock on a Cisco router
As a network grows, it becomes even harder to maintain accurate timekeeping on devices. Using NTP helps us easily synchronize time throughout an entire network of any size. Cisco IOS devices, such as routers and switches, can synchronize their system clocks with NTP servers as their source of time, thus enabling the routers and switches to become NTP clients on a network.
Important note
NTP uses UDP port 123 by default.
NTP uses a hierarchical system to manage the time sources throughout your network and the internet. Each level within the hierarchy is referred to as a Stratum. A Stratum level is used to measure the distance between an authoritative source and the NTP clients.
Important note
An authoritative source is the device that is manually configured to provide time and has the most accurate time on the network. The authoritative source is at the top of the hierarchy at all times.
The following diagram shows the NTP Stratum hierarchical structure:
Figure 10.2 – Stratum hierarchy
The authoritative sources are the devices with the most accurate time and are located within the Stratum 0 layer. Stratum 0 devices are very precise at timekeeping and it is assumed that there are no delays or inaccuracies in their time management. Stratum 1 devices are those that are associated with Stratum 0. Stratum 2 devices are those that are associated with the upper layer, and so on. When a device has a lower Stratum number, it's an indication the NTP client is closer to the authoritative source of time, while a higher Stratum number indicates the NTP client is further away. However, the maximum number of hops within NTP is 15.
Important note
Stratum levels range from 0–15.
Any device that exists in a Stratum 16 layer is considered to be unsynchronized with the Network Time Protocol. In the next section, you will learn how to configure Cisco devices as both an NTP server and NTP clients.
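To make the header fields behind the Stratum discussion concrete, here is an added Python example (it is not from the book) that builds the 48-byte NTP packet a client such as the HQ router sends, a constructed server reply, and a decoder that classifies the stratum field the way the show ntp status output reports it: 1 is a primary source, 2–15 is a secondary source whose reference ID carries the IPv4 address of the server it follows, and 16 means unsynchronized, so a client should refuse to take time from such a reply. The port number, epoch offset and field layout follow RFC 5905; the function names, the sample timestamps and the reference ID values (LOCL, and 209.65.200.10 as an upstream server address) are constructed for the example.

```python
import socket
import struct

NTP_PORT = 123                      # UDP port NTP uses by default
NTP_UNIX_DELTA = 2_208_988_800      # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
HEADER = "!BBBbII4sIIIIIIII"        # the 48-byte NTP v3/v4 header, big-endian
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp_timestamp(unix_seconds: float) -> tuple:
    """Unix time -> (seconds, fraction) halves of a 64-bit NTP timestamp."""
    whole = int(unix_seconds)
    return whole + NTP_UNIX_DELTA, int(round((unix_seconds - whole) * (1 << 32)))


def from_ntp_timestamp(seconds: int, fraction: int) -> float:
    return seconds - NTP_UNIX_DELTA + fraction / (1 << 32)


def build_client_request(unix_now: float, version: int = 4) -> bytes:
    """What 'ntp server <ip>' makes a router send: mode 3, stratum 0, transmit timestamp set."""
    tx_s, tx_f = to_ntp_timestamp(unix_now)
    return struct.pack(HEADER, (version << 3) | MODE_CLIENT, 0, 6, -20,
                       0, 0, b"\x00" * 4, 0, 0, 0, 0, 0, 0, tx_s, tx_f)


def build_server_reply(request: bytes, stratum: int, ref_id: bytes, unix_now: float) -> bytes:
    """Constructed reply: echoes the client's transmit time as the originate timestamp."""
    fields = struct.unpack(HEADER, request)
    version = (fields[0] >> 3) & 0x7
    now_s, now_f = to_ntp_timestamp(unix_now)
    return struct.pack(HEADER, (version << 3) | MODE_SERVER, stratum, 6, -20,
                       0, 0, ref_id.ljust(4, b"\x00"),
                       now_s, now_f,              # reference timestamp
                       fields[13], fields[14],    # originate = client's transmit timestamp
                       now_s, now_f,              # receive timestamp
                       now_s, now_f)              # transmit timestamp


def parse(packet: bytes) -> dict:
    """Decode the fields that 'show ntp status' and 'show ntp associations' are built from."""
    if len(packet) < 48:
        raise ValueError("NTP packet must be at least 48 bytes")
    f = struct.unpack(HEADER, packet[:48])
    stratum = f[1]
    if stratum == 0:                              # unspecified; in a reply, a kiss-o'-death code
        state, ref = "unspecified", f[6].rstrip(b"\x00").decode("ascii", "replace")
    elif stratum == 1:                            # primary: reference id names the clock source
        state, ref = "primary", f[6].rstrip(b"\x00").decode("ascii", "replace")
    elif stratum <= 15:                           # secondary: reference id is the upstream IPv4
        state, ref = "secondary", socket.inet_ntoa(f[6])
    else:
        state, ref = "unsynchronized", ""
    return {
        "version": (f[0] >> 3) & 0x7, "mode": f[0] & 0x7, "stratum": stratum,
        "state": state, "ref_id": ref,
        "originate_unix": from_ntp_timestamp(f[9], f[10]),
        "transmit_unix": from_ntp_timestamp(f[13], f[14]),
    }


def usable_as_time_source(reply: dict) -> bool:
    """A client should only synchronize to a server reply whose stratum is 1..15."""
    return reply["mode"] == MODE_SERVER and 1 <= reply["stratum"] <= 15
```

A real client would send build_client_request(...) over UDP to port 123 and hand the reply to parse; usable_as_time_source is the acceptance check, rejecting stratum 0 and stratum 16 replies before the system clock is touched, which is exactly the condition under which a Cisco device reports itself as unsynchronized.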
Lab – configuring NTP
In this hands-on lab, you will learn how to implement NTP throughout a Cisco environment to ensure time is synchronized between the Cisco switches and routers. For this lab, we will be using the following network topology:
Figure 10.3 – IP service lab topology
Please ensure you use the following guidelines when creating this lab to ensure you get the same results:
Use switches to represent the Metro Ethernet WAN and the internet connections.
Use Cisco 2911 routers and Cisco 2960 switches.
Configure a static route on the HQ router to reach the 172.16.1.0/24 network via the Branch-A router using the ip route 172.16.1.0 255.255.255.0 192.0.2.2 command. You also have the option to use dynamic routing between the HQ LAN and Branch-A LAN.
Configure a default route on the Branch-A router that points to HQ via 192.0.2.1 using the ip route 0.0.0.0 0.0.0.0 192.0.2.1 command.
Configure all the IP addresses on all the interfaces on the routers and servers.
Ensure you configure the default gateway on each server to 209.65.200.2.
This lab topology will be used to configure NTP, DHCP, DHCP relay, and DNS.
Now that your Cisco lab is ready, use the following instructions to implement NTP:
1. Firstly, let's configure the NTP server with the current time. Click on NTP Server, choose the Services tab, and click on NTP, as in the following screenshot:
Figure 10.4 – NTP Server configurations
Ensure the NTP service is on and the time is accurately configured. The NTP server will operate as a Stratum 0 device within the topology.
2. Configure the HQ router to be an NTP client and synchronize it with the NTP server by using the following command in global config mode:
HQ(config)#ntp server 209.65.200.10
The preceding command is used to inform the HQ router to use 209.65.200.10 as its NTP server for its time source. After a few minutes, the router's system clock will be in sync with the time on the NTP server. Sometimes there is a long delay for an NTP client to synchronize with an NTP server.
3.	Use the show ntp status command to validate that the NTP client and server have been synchronized:
Figure 10.5 – NTP synchronization
The output validates that the HQ router (NTP client) is synchronized with the NTP server, 209.65.200.10, and the router is operating as a Stratum 2 device. This indicates that the NTP server is a Stratum 1 device.
4. Use the show ntp associations command to validate any NTP associations on the HQ router:
Figure 10.6 – NTP associations
The output verifies that the HQ router is configured and paired with the device 209.65.200.10 as a Stratum 1 NTP server. Sometimes the sys.peer (*) code takes a bit of time to appear next to the IP address.
5. Use the show clock command to verify that the time is now accurate and is the same as the NTP server:
Figure 10.7 – System clock
6. Let's make the HQ router an NTP server for the HQ LAN and Branch-A LAN networks. To perform this task, use the ntp master <stratum-number> command, or we can simply use the ntp master command and the router will automatically increment the Stratum number by 1 from the NTP server:
HQ(config)#ntp master
7. Use the show ntp associations command once more to validate that the HQ router is now an NTP server:
Figure 10.8 – NTP associations
The second line indicates that the HQ router is operating as an NTP server because it is represented by a loopback IP address (link-local) and the reference clock is set to local.
8. Next, configure the Branch-A router as an NTP client and use HQ for time synchronization:
Branch-A(config)#ntp server 192.0.2.1
The show ntp associations command verifies that the Branch-A router is synchronized with HQ as the NTP server:
Figure 10.9 – NTP associations on the Branch-A router
9. Next, before we can configure the switch within the HQ LAN as an NTP client, we need to configure a Switch Virtual Interface (SVI) by using the following commands:
SW1(config)#interface vlan 1
SW1(config-if)#ip address 192.168.1.2 255.255.255.0
SW1(config-if)#no shutdown
SW1(config-if)#exit
The concept of using SVIs was covered in Chapter 2, Getting Started with Cisco IOS Devices.
10. Configure the default gateway on the switch using the following command:
SW1(config)#ip default-gateway 192.168.1.1
11. Use the ntp server command to configure the switch as an NTP client:
SW1(config)#ntp server 192.168.1.1
12. Lastly, use the show ntp associations command to validate that the switch is associated with HQ:
Figure 10.10 – NTP association on the switch
By completing this lab, you have gained the hands-on skills you need to implement both NTP clients and NTP servers on a Cisco network. In the next section, you will learn about the importance of DHCP as an IP service on an enterprise network.
Understanding DHCP
On any computer network, there are many end devices, network intermediary devices, and even servers. Each device requires an IP address to exchange messages and share resources with each other. A network administrator usually assigns static IP addresses to devices that provide a service or resource to the network – devices such as switches, routers, firewalls, and servers. When a device is assigned a static IP address, it allows network administrators to remotely access and manage the device, as the address will never change.
Since a network is mostly made up of computers and other end devices that often change physical locations, it's not wise to always assign static IP addresses to such devices. When a device with a static IP address is moved to another location, whether physical or logical, the IP scheme at the new location may not be the same as the IP configurations on the device itself. Therefore, the network administrator will be required to reconfigure the device with the appropriate IP configurations to match the addressing scheme at the new location on the network.
As a network grows, it becomes challenging and a bit time consuming to manually configure static IP addresses on new devices as users move between locations. Additionally, static IP address configuration is also vulnerable to human error. For example, the administrator might misconfigure a device with a duplicate IP address that is assigned to another machine or even an incorrect subnet mask.
A DHCP server can be implemented on a local network to automatically provide IP configurations, such as an IP address, subnet mask, default gateway, and DNS server settings. Having a DHCP server on a network simplifies and automates the task of assigning IP configurations to end devices efficiently.
A Cisco IOS router has many network services; a network administrator can configure a Cisco IOS router to provide DHCP services on a network. The DHCP server feature within Cisco IOS allows the router to also provide DHCP services to clients on a network. This feature is useful for small offices, as a dedicated DHCP server is not required. The Cisco IOS router is capable of providing the DHCP services to the local network.
DHCP operations
Whenever a client is connected to a network, whether it's a wired or wireless connection, most clients automatically search for an active DHCP server, which will assign or lease an IP address and other IP configurations to the client. The IP addresses that are provided by the DHCP server are always leased for a period of time.
To get a better idea of DHCP operations, let's take a look at the following DHCP process:
1. When a client is connected to a network, it starts looking for a local DHCP server. It creates a DHCP Discover message and sends it as a broadcast on the network, as shown:
Figure 10.11 – DHCP Discover
The DHCP Discover packet contains the source MAC address of the DHCP client, with a source port of 68, a destination MAC address of FF:FF:FF:FF:FF:FF, and a destination port of 67. The DHCP client uses UDP port 68, while the DHCP server uses UDP port 67. The source IP address is left blank, while the destination IP address is 255.255.255.255.
2. When the DHCP server receives the DHCP Discover message, it will respond with a DHCP Offer. At this phase, the DHCP server uses the source MAC address from the DHCP Discover message to create a lease for an available IP address for the client. The DHCP server will send the information in the DHCP Offer message back to the client, as shown:
Figure 10.12 – DHCP offer
The DHCP server responds with a broadcast and sets the destination MAC address as the layer 2 broadcast, FF:FF:FF:FF:FF:FF.
3. When the client receives the DHCP offer from the server, a DHCP Request message is sent back to the DHCP server as a form of acceptance for the IP configurations the client has received, as shown in the following diagram:
Figure 10.13 – DHCP request
The DHCP Request message is sent as a broadcast to the server.
4. When the DHCP server receives the DHCP request from the client, the server verifies that the lease information is not being used already by sending an ICMP ping message to the IP address it has assigned to the new client. The DHCP server responds with a DHCP Acknowledgement to complete the DHCP process, as shown:
Figure 10.14 – DHCP acknowledgement
The DHCP Acknowledgement message is also sent as a broadcast to the client on the network.
The lease provided to the DHCP client is valid for a period of time. If a client wants to continue using the IP address assigned by the DHCP server, the client sends a DHCP Request (unicast) message to the DHCP server requesting that the lease be renewed.
Important note
For the renewal of leases, both DHCP Request and DHCP Acknowledgment messages are sent as unicast messages.
The DHCP server will verify that the lease information is available and return a DHCP Acknowledgment (unicast) message. The client will continue using the current IP address once it's available. Keep in mind that the client does not wait until a lease has expired to request a renewal; it does this renewal process prior to the expiration.
Cisco's DHCP configurations
Configuring the DHCP service on a Cisco IOS device is quite simple. Use the following steps as a guideline when configuring DHCP on a Cisco router.
Excluding addresses
When creating a DHCP pool of addresses, the Cisco IOS router begins distributing IP addresses automatically. It's recommended to create an exclusion pool or range of addresses that you do not want the DHCP server to distribute on the network. These addresses may include those that are statically assigned to devices and any reservations:
To exclude a single address, use the ip dhcp excluded-address ip-address command.
To exclude a range of addresses, use the ip dhcp excluded-address start-address end-address command.
Next, you'll learn how to create a DHCP pool on a Cisco IOS router.
Creating the DHCP pool
The DHCP pool contains all the IP configurations that will be sent to DHCP clients on the network, such as the IP address, subnet mask, default gateway, DNS server, and so on. Take the following steps when creating a DHCP pool on a Cisco IOS router:
1. To create a DHCP pool, use the ip dhcp pool pool-name command. Once you've created a pool, you will enter the DHCP configuration mode for the pool.
2. Use the network network-ID subnet-mask command to define the address pool.
3. The default-router ip-address command is used to specify the default gateway address.
4. The dns-server ip-address command is used to define the DNS servers.
5. The domain-name domain command is used to define the domain name on the network.
Important note
To disable DHCP services on a Cisco IOS router, use the no service dhcp command in global configuration mode. To enable DHCP services, use the service dhcp command.
Multiple pools can be created on the same DHCP server or Cisco IOS device to facilitate an organization with multiple networks and a single DHCP server.
Tip
A Cisco device interface can be configured as a DHCP client by using the ip address dhcp command.
In the next section, we will learn about the concepts and benefits of using DHCP relay on a Cisco network.
DHCP relay
In many organizations with large and complex networks, the servers are usually logically located within a data center or a different subnet. These servers usually provide network services and host applications for the entire organization's users and devices. These services include DHCP, DNS, file hosting services, and so on. When a client wants to access these network services, the client device sends a broadcast message in the hope of locating the relevant server.
Let's imagine a client is connected to a network. It broadcasts a DHCP Discover message to locate a DHCP server because it needs an IP address. If the DHCP server is not on the same subnet as the DHCP client, the router will prevent the DHCP Discover message from propagating beyond the local subnet. This causes an issue because the client will not receive an IP address and other IP configurations to communicate with other devices on the network.
The following diagram shows a DHCP server that is located on another subnet:
Figure 10.15 – The router does not forward broadcast messages
A DHCP Discover message is sent as a broadcast, and routers (layer 3 devices) block any broadcast messages from propagating by default. However, Cisco IOS has a solution to allow the forwarding of DHCP Discover and DHCP Request messages to a DHCP server on a different subnet.
The ip helper-address command can be applied to the interface of the router that receives DHCP Discover and DHCP Request messages. Therefore, we can use the following commands to configure the router to forward DHCP broadcast messages:
R1(config)#interface GigabitEthernet0/0
R1(config-if)#ip helper-address 172.16.1.2
R1(config-if)#exit
The following diagram shows the effect of applying the ip helper-address command:
Figure 10.16 – DHCP propagation
ip helper-address should always be applied to the interface that is connected to or facing the DHCP clients on the network. In the next section, you will learn how to configure DHCP services and DHCP relay on a Cisco IOS router.
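The DHCP exchange, the exclusion and pool configuration, and the relay behaviour described in the three preceding sections come together in the following added Python model (it is not from the book or its code files). It walks through Discover, Offer, Request and Acknowledgement with the port numbers and broadcast addressing from the DHCP operations section, hands out addresses from per-subnet pools while honouring excluded ranges, answers unicast renewals with unicast replies, refuses a renewal for an address that is bound to a different client MAC, and models ip helper-address as a relay that forwards a client broadcast to the server as unicast with the relay's LAN address in giaddr, which is how the server picks the right pool. The `Dhcp`, `Pool` and `DhcpServer` classes, the `relay` function, the client MAC addresses and the lease timestamps are constructed for the example; the addresses follow the lab topology used later in this chapter.

```python
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

BROADCAST_MAC = "FF:FF:FF:FF:FF:FF"
SERVER_PORT, CLIENT_PORT = 67, 68          # UDP ports of the DHCP server and client

@dataclass
class Dhcp:
    """The DHCP message fields that drive the exchange (constructed model, not a wire format)."""
    kind: str                              # DISCOVER, OFFER, REQUEST, ACK or NAK
    chaddr: str                            # client hardware (MAC) address
    ciaddr: str = "0.0.0.0"                # client's current address; set only when renewing
    yiaddr: str = "0.0.0.0"                # address the server offers or acknowledges
    giaddr: str = "0.0.0.0"                # relay agent address; non-zero once relayed
    src_ip: str = "0.0.0.0"                # a fresh client has no address yet
    dst_ip: str = "255.255.255.255"
    dst_mac: Optional[str] = BROADCAST_MAC # None: next hop chosen by the sender's routing table
    src_port: int = CLIENT_PORT
    dst_port: int = SERVER_PORT
    options: Dict[str, str] = field(default_factory=dict)

@dataclass
class Pool:
    name: str
    network: IPv4Network
    default_router: str
    dns_server: str
    lease_seconds: int

class DhcpServer:
    """Minimal model of the Cisco IOS DHCP server behaviour described in this chapter."""

    def __init__(self, server_ip: str) -> None:
        self.server_ip = server_ip
        self.excluded: set = set()
        self.pools: List[Pool] = []
        self.offers: Dict[str, str] = {}                      # chaddr -> offered address
        self.bindings: Dict[str, Tuple[str, int, str]] = {}   # ip -> (chaddr, expiry, pool name)

    def exclude(self, start: str, end: Optional[str] = None) -> None:
        """ip dhcp excluded-address <start> [<end>]"""
        for i in range(int(IPv4Address(start)), int(IPv4Address(end or start)) + 1):
            self.excluded.add(str(IPv4Address(i)))

    def add_pool(self, name, network, mask, default_router, dns_server, lease_seconds=86400):
        """ip dhcp pool <name> / network / default-router / dns-server"""
        self.pools.append(Pool(name, IPv4Network(f"{network}/{mask}"),
                               default_router, dns_server, lease_seconds))

    def _select_pool(self, msg: Dhcp, ingress_ip: str) -> Optional[Pool]:
        # A relayed message carries the relay's LAN address in giaddr; that is how the server
        # learns which subnet, and therefore which pool, the client belongs to.
        anchor = IPv4Address(msg.giaddr if msg.giaddr != "0.0.0.0" else ingress_ip)
        return next((p for p in self.pools if anchor in p.network), None)

    def _free_address(self, pool: Pool, now: int) -> Optional[str]:
        for host in pool.network.hosts():
            ip = str(host)
            if ip in self.excluded or ip in self.offers.values():
                continue
            if ip in self.bindings and self.bindings[ip][1] > now:  # lease still valid
                continue
            return ip
        return None                                               # pool exhausted

    def _reply(self, msg: Dhcp, kind: str, yiaddr: str, pool: Pool) -> Dhcp:
        if msg.giaddr != "0.0.0.0":            # relayed: unicast back to the relay agent, port 67
            dst_ip, dst_mac, dst_port = msg.giaddr, None, SERVER_PORT
        elif msg.ciaddr != "0.0.0.0":          # renewal: unicast straight to the client
            dst_ip, dst_mac, dst_port = msg.ciaddr, msg.chaddr, CLIENT_PORT
        else:                                  # initial OFFER/ACK: layer 2 and layer 3 broadcast
            dst_ip, dst_mac, dst_port = "255.255.255.255", BROADCAST_MAC, CLIENT_PORT
        opts = {"router": pool.default_router, "dns": pool.dns_server,
                "lease": str(pool.lease_seconds)}
        return Dhcp(kind, msg.chaddr, msg.ciaddr, yiaddr, msg.giaddr, self.server_ip,
                    dst_ip, dst_mac, SERVER_PORT, dst_port, opts)

    def handle(self, msg: Dhcp, ingress_ip: str, now: int) -> Optional[Dhcp]:
        """Process one client message received on the server interface with address ingress_ip."""
        pool = self._select_pool(msg, ingress_ip)
        if pool is None:
            return None
        if msg.kind == "DISCOVER":
            ip = self._free_address(pool, now)
            if ip is None:
                return None
            self.offers[msg.chaddr] = ip
            return self._reply(msg, "OFFER", ip, pool)
        if msg.kind == "REQUEST":
            if msg.ciaddr != "0.0.0.0":                         # unicast renewal
                bound = self.bindings.get(msg.ciaddr)
                if bound is None or bound[0] != msg.chaddr:     # not this client's lease: refuse
                    return self._reply(msg, "NAK", "0.0.0.0", pool)
                ip = msg.ciaddr
            else:                                               # accepting an earlier OFFER
                ip = self.offers.pop(msg.chaddr, None)
                if ip is None or ip != msg.options.get("requested"):
                    return self._reply(msg, "NAK", "0.0.0.0", pool)
            self.bindings[ip] = (msg.chaddr, now + pool.lease_seconds, pool.name)
            return self._reply(msg, "ACK", ip, pool)
        return None

def relay(msg: Dhcp, relay_lan_ip: str, helper_address: str) -> Dhcp:
    """Model of 'ip helper-address': a client broadcast received on the LAN interface is forwarded
    to the server as unicast, with giaddr stamped with that LAN interface address. (Simplified:
    a real router sources the forwarded packet from its egress interface, not the LAN one.)"""
    return replace(msg, giaddr=relay_lan_ip, src_ip=relay_lan_ip, src_port=SERVER_PORT,
                   dst_ip=helper_address, dst_port=SERVER_PORT, dst_mac=None)
```

The bindings dictionary plays the role of the show ip dhcp binding table: an address is only reused once its expiry has passed, and a renewal is accepted only from the MAC address the lease was issued to.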
Lab – configuring DHCP and DHCP relay
In this lab, you will learn how to configure DHCP services in a Cisco environment. Please keep in mind that this lab is simply an extension of the previous lab on NTP services, so we will be using the same network topology as shown in the following screenshot:
Figure 10.17 – DHCP lab
To get started, use the following instructions to implement DHCP on the topology:
1. Exclude addresses that you do not want to be assigned to client devices by the DHCP server:
HQ(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.10
HQ(config)#ip dhcp excluded-address 172.16.1.1 172.16.1.10
We have excluded the first 10 addresses of each private network: 192.168.1.0/24 and 172.16.1.0/24. This is an example to demonstrate how to use the DHCP exclusion command.
2. Create a DHCP pool for the HQ LAN network on the HQ router:
HQ(config)#ip dhcp pool HQ-LAN
HQ(dhcp-config)#network 192.168.1.0 255.255.255.0
HQ(dhcp-config)#default-router 192.168.1.1
HQ(dhcp-config)#dns-server 209.65.200.20
HQ(dhcp-config)#exit
For each DHCP pool, configure the range of addresses to be distributed via the server by using the network command. The default-router command is used to specify the default gateway for DHCP clients. (The DNS server information will be used in the next lab.)
3. Create another DHCP pool for the Branch-A LAN network on the HQ router:
HQ(config)#ip dhcp pool Branch-A-LAN
HQ(dhcp-config)#network 172.16.1.0 255.255.255.0
HQ(dhcp-config)#default-router 172.16.1.1
HQ(dhcp-config)#dns-server 209.65.200.20
HQ(dhcp-config)#exit
4. Configure the Branch-A router as a DHCP relay to the HQ router:
Branch-A(config)#interface GigabitEthernet0/0
Branch-A(config-if)#ip helper-address 192.0.2.1
Branch-A(config-if)#exit
ip helper-address is always configured on the LAN side of the router with the IP address of the DHCP server.
5. On the Branch-A router, use the show ip interface command to validate that the DHCP helper address is configured:
Figure 10.18 – Helper address
6. Click on PC1 and PC2, select the Desktop tab, then click on IP Configuration and set it to DHCP, as shown:
Figure 10.19 – IP addressing
After a while, each DHCP client – PC1 and PC2 – will receive its IP configurations from the DHCP server, the HQ router.
7. On the HQ router, the show ip dhcp binding command shows the number of client devices that are using an IP address from the DHCP server, the client's MAC address, the lease time, and the type:
Figure 10.20 – DHCP binding table
Since a DHCP pool has a finite number of available IP addresses, a lease is used to set the duration of how long a client can use an IP address. When the lease expires, the IP address on the client machine is returned to the DHCP server. However, clients can renew the lease prior to expiration to keep the IP address in use. The Type column simply defines how a client was assigned an IP address from the DHCP server.
8. Lastly, the show ip dhcp pool command provides details about statistics within each DHCP pool on the Cisco IOS router:
Figure 10.21 – DHCP pool
Having completed this lab, you have gained the hands-on skills to use a Cisco IOS router as a DHCP server and a DHCP relay on a network. In the next section, we will take a look at DNS as a network service.
DomainNameSystemLet'simagineyouwanttoresearchadditionalinformationabouttheCiscoCertifiedNetworkAssociate(CCNA)certification.ThebestplacetostartresearchingwouldbeCisco'swebsiteatwww.cisco.com.OpenyourfavoritewebbrowserandsimplyentertheURLintotheaddressbarandhitEnter.Afterafewseconds,theCiscowebsiteappearsandyoucancontinueyourresearch.Everythingseemstoworklikemagic,buthaveyoueverwonderedhowyour
Telegram Channel : @IRFaraExam
computerdeterminestheIPaddressforthewebserverthatishostingCisco'swebsite?
AsmentionedinChapter3,IPAddressingandSubnetting,eachdevicethatisconnectedandexchangingmessagesonacomputer-basednetworkmustbeassignedauniqueIPv4orIPv6address.Thesameisalsoappliedtoalldevicesontheinternet,suchaswebandmailexchangeservers.IfawebserverisidentifiedbyitsIPaddress,whydoesithaveawebsiteURLaddresssuchaswww.cisco.com?
Tohelpyouunderstandthesituationabitbetter,imaginehavingtorememberalltheIPaddressesofeachwebsiteyouwanttovisitontheinternet.ThatwouldbeverychallengingasIPaddressesmaychangeorbereassignedtoanotherdeviceonanetworkandeventheinternet.YoucannotconnecttoaserverordeviceontheinternetifyoudonothaveknowledgeoftheIPv4orIPv6address.
Tosolvethisissue,theDNSnetworkserviceprotocolwascreatedwiththeprimarypurposeofresolvingthehostnametotheIPaddress.Inreality,it'saloteasiertorememberaUniformResourceLocator(URL)ordomainnameofawebsite.WiththebenefitandconvenienceofusingDNS,ITprofessionalscaneasilypurchaseadomainnameandpointittoawebserverordevice.Thisallowsanyonewhoknowsthedomainname,suchaswww.cisco.com,toeasilyvisittheCiscowebsiteusingacomputerorsmartdevicewithastandardwebbrowser.
BeforethedaysofDNS,eachcomputerhadafileknownasthehostsfile.The
hostsfilewouldcontainthehostnameforIPaddressmapping.Whenevera
userwantstovisitawebsite,theyenterthehostname,andthecomputerthenqueriesthelocalhostsfileinsearchofanavailablemapthatinformsthe
Telegram Channel : @IRFaraExam
computeroftheIPaddresstoreachthehostname.However,ifthehostsfile
doesnothaveanavailableentryforthehostname,thecomputerwillnotknowhowtoreachtheserver.Usershavetoensurethatthehostsfileisfrequently
updatedtocontainthemostup-to-daterecords.
ToviewthehostsfileonaWindowsoperatingsystem,goto
C:\Windows\System32\drivers\etc\hosts.Thefollowingisthe
contentswithinthehostsfileonaWindows10operationsystem:
Telegram Channel : @IRFaraExam
Figure10.22–Thehostsfile
Frequentlyupdatingthehostsfileisnotagoodstrategyastheinternetis
continuouslygrowing,andnewdevicesarecomingonlinewithnewanduniquehostnames.ThecreationofDNSserverscameabout,witheachserverbeingtherootforitsdomainandcontainingalltheDNSrecordsforaspecificTop-LevelDomain(TLD).ATLDisadomainthathastheroot(.)andendswithaname
suchas.com,.net,.org,.xyz,andsoon.Adomainnameisadomainthat
containsanamewithaTLD,suchascisco.com.AFullyQualifiedDomain
Name(FQDN)containsanadditionalextension,ahostname,andadomainsuchaswww.cisco.com.TheFQDNspecifiedtheexactlocationordevice.Forexample,cisco.comissimplyadomainnamethatmaycontainmanydevices,
butspecifyinganFQDNsuchaswww.cisco.comsimplysayswearetryingtoconnecttothedevicewiththehostnamewwwthatbelongswithinthe
cisco.comdomain.
DNSrootserversAsmentioned,therearevariousrootDNSserversthatcontaintheDNSrecordsforeachobjectthatbelongstotheparentdomain.Asshowninthefollowingdiagram,the.comrootservercontainsalltheDNSrecordsforcisco.com
anditssub-domains,suchascommunity.cisco.com:
Telegram Channel : @IRFaraExam
Figure10.23–DNShierarchy
WheneveradevicewantstolookuptheIPaddressforahostname,itwillsendaDNSquerytoitsconfiguredDNSserver.Oncetherecordisfound,theDNSserverwillsendaDNSreplywiththeIPaddressforthehostnamebacktothecomputer.ThecomputerwillusetheIPaddresstoreachthehostnameordevice.
ThefollowingdiagramshowstheDNSprocesswhenauserentersaURLwithinthewebbrowser:
Telegram Channel : @IRFaraExam
Figure10.24–DNSprocess
TherearemanyfreepublicandreliableDNSserversontheinternet;thefollowingaresomeofmypersonalrecommendationsastheyprovidespeedandsecurity:
CloudflareDNS:https://1.1.1.1/
CiscoOpenDNS:https://www.opendns.com/
GoogleDNS:https://developers.google.com/speed/public-dns
WhatifyourDNSserverdoesnothavetherecordofaspecifichostnameordomainname?Whatwillitdo?DNSserversoftenexchangeinformationwitheachothertoensuretheirrecordsarealwaysuptodate.IfaDNSserverdoesnot
Telegram Channel : @IRFaraExam
havearecord,itcanrespondbyinformingtheclientitdoesnothaveoneorbysimplyaskinganotherDNSserverfortheinformationandthenrelayingtheresponsebacktotheclient.
DNS record types
There are many DNS record types that are used on a DNS server:
A: Resolves the hostname to an IPv4 address
AAAA: Resolves the hostname to an IPv6 address
MX: Maps the domain to mail exchange (email) servers
NS: Points to the domain's name servers
CNAME: Allows you to create an alias name for the domain
SOA: Used to specify the authority for the domain
SRV: Specifies the service records
PTR: Maps an IP address to a hostname
RP: Specifies the responsible person for a domain
HINFO: Specifies host information
TXT: Allows you to add text as a DNS record
Therefore, if a computer wants to determine the IPv4 address for Cisco's website, www.cisco.com, the computer will need to send a DNS query requesting the A record from the DNS server. The nslookup utility on both Microsoft Windows and Linux operating systems is used to troubleshoot DNS issues on the client side of the network.
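To make the A record query and reply concrete, the following is an added example (not code from the book) that builds the DNS query a client such as nslookup sends for www.cisco.com and parses a reply. The reply is constructed inline for the lab's websvr.local lookup rather than captured from a real server; the transaction ID check and the pointer-loop guard are the two checks a resolver must not skip.

```python
import struct
from typing import List, Tuple

QTYPE_A = 1     # A record: hostname -> IPv4 address
QCLASS_IN = 1   # Internet class


def encode_name(name: str) -> bytes:
    """Encode an FQDN as DNS labels: www.cisco.com -> b'\\x03www\\x05cisco\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_a_query(name: str, txid: int) -> bytes:
    """The query a client sends for an A record (what nslookup does for www.cisco.com)."""
    # Header: transaction ID, flags (RD=1 asks the server to recurse), QDCOUNT=1, AN/NS/AR=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels: List[str] = []
    jumped, end, hops = False, 0, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                     # the stream continues after the 2-byte pointer
            jumped = True
            hops += 1
            if hops > 16:                         # a malformed reply must not loop us forever
                raise ValueError("compression pointer loop")
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_answers(msg: bytes, expected_txid: int) -> List[Tuple[str, int, str]]:
    """Return (name, ttl, ipv4) for every A record in the answer section of a reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: stale or spoofed reply")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):                      # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def build_sample_response(txid: int) -> bytes:
    """Constructed reply for the lab lookup websvr.local -> 209.65.200.30 (not a real capture)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, one answer
    question = encode_name("websvr.local") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    # The answer's name is a pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([209, 65, 200, 30])
    return header + question + answer


if __name__ == "__main__":
    txid = 0x1234
    print("query :", build_a_query("www.cisco.com", txid).hex())
    print("answer:", parse_a_answers(build_sample_response(txid), txid))
```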
Lab – configuring DNS
In this lab, you will learn how to configure DNS services in a Cisco environment. Please keep in mind that this lab is simply an extension of the previous lab on NTP and DHCP services and we will be using the same network topology as shown in the following diagram:
209.65.200.20 via DHCP, we can move on to the next step.
3. On PC1 and PC2, click on Desktop and open the Web Browser application. Enter the web address of the web server, http://websvr.local, and click on Go:
Figure 10.27 – Web page
The output shows PC1 is able to reach the web server via the hostname, websvr.local. This is validation that the DNS server is able to resolve the websvr.local hostname to its IP address in the background.
4. On PC1, open the Command Prompt application. Use the nslookup utility to verify the DNS configurations on the local machine:
Figure 10.28 – DNS validation
After entering the nslookup command, the system provides us with the DNS settings it is currently using – 209.65.200.20 – as its DNS server. Next, by entering the hostname, websvr.local, the system queries the DNS server (209.65.200.20) to retrieve the DNS A record for the hostname. The DNS server (209.65.200.20) was able to resolve the websvr.local hostname to the IP address 209.65.200.30. Additionally, if you attempt to ping the domain name, websvr.local, the DNS server will resolve the IP address and the host will respond.
Having completed this lab, you have gained the essential skills needed to configure and understand DNS concepts on a Cisco enterprise network.
Understanding the benefits of using Syslog
When events occur on a network, networking devices, such as routers, switches, and firewalls, generate a log message to notify the administrator with details about the event. These log messages can contain details about critical or non-critical events. Network professionals use a wide range of tools and options for managing these log messages, such as storing, displaying, interpreting, and normalizing. This helps network professionals to focus on the more critical log messages and determine the timeline of an event that has occurred.
Syslog is both a protocol and a standard for accessing, creating, and managing log messages on a computer and network device. Syslog defines the method of how system messages, such as logs, are generated, formatted, and accessed.
Important note
Syslog uses UDP port 514 to send event messages across a network to a centralized Syslog server for management.
Implementing proper log management on a network has several benefits, such as the following:
Having proper log management within a network helps network professionals to improve both monitoring and troubleshooting.
You can configure devices to send log messages of a certain severity level to the centralized Syslog server on the network.
As a network professional, you can specify the destination of your Syslog messages, such as a server.
By default, Cisco devices log their system messages to the console line. However, a device can be configured to log its messages to an internal buffer within the device itself, on a terminal line (VTY), and even to a Syslog server on the network. It's recommended to set up a centralized log server on the network to capture log messages from all network devices; this strategy will allow you to view all the correlated logs in sequential order. This allows you to see a timeline of events throughout the network through a single dashboard interface on the server.
Syslog severity levels
Each Syslog message contains a severity level and a facility. The following table shows all the severity levels in descending order and their description:
Figure 10.29 – Syslog severity levels
Here's a simple way to remember the Syslog severity levels – take each initial letter from each level and create a phrase. I found the following phrase on the internet and thought it was a bit goofy but an awesome way to remember each severity level: Every Awesome Cisco Engineer Will Need Ice-cream Daily.
The following is the default Syslog message format on Cisco IOS devices:
seqno: timestamp: %facility-severity-MNEMONIC: description
The following is a breakdown of each part of the Syslog message format:
seqno represents the sequence number assigned to each log message. To enable the sequence number, use the service sequence-numbers command in global configuration mode.
The timestamp area includes the date and time of the event. To enable a timestamp, use the service timestamps command in global configuration mode.
facility represents what the log message is referring to, such as a protocol, module, or the source of the problem.
severity provides a severity code in the range 0–7, which describes how critical the alarm is.
MNEMONIC is simply text that is used to uniquely describe the alarm.
description simply contains a brief description of the event or alarm.
The following is an example of a Syslog message generated by a Cisco IOS router:
*Apr 28, 15:53:58.5353: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
We can see that the timestamp is Apr 28 with the time as 15:53:58.5353, the facility is LINEPROTO, the severity level is 5, the MNEMONIC is UPDOWN, and the description is Line protocol on Interface GigabitEthernet0/1, changed state to up.
The following is an example of a Syslog message containing a sequence number:
000019: %SYS-5-CONFIG_I: Configured from console by vty2
The sequence number in the example is 000019.
Important note
To force the log messages to display a date and time, use the service timestamps log datetime command in global configuration mode. By default, Syslog messages are generated without dates and this can be a problem when we need to track issues by date.
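The following is an added example (not code from the book) that splits Cisco IOS log lines into the seqno, timestamp, facility, severity, MNEMONIC, and description fields described above, filters them the way logging trap <level> does, and picks out SYS-5-CONFIG_I messages, which tell a defender who changed the running configuration and from where. The sample lines are constructed for the example; the first two are the messages quoted in the text.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Cisco IOS severity names, index = numeric level (Every Awesome Cisco Engineer Will Need Ice-cream Daily)
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# seqno and timestamp are optional: they only appear when 'service sequence-numbers'
# and 'service timestamps log datetime' are configured on the device.
LINE_RE = re.compile(
    r"^(?:(?P<seqno>\d+):\s*)?"             # 000019:
    r"(?:(?P<timestamp>\*?[^%]*?):\s*)?"    # *Apr 28, 15:53:58.5353:  (leading * = clock not synced)
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)


@dataclass
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    description: str
    seqno: Optional[str] = None
    timestamp: Optional[str] = None

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_ios_syslog(line: str) -> Optional[SyslogMessage]:
    """Split one IOS log line into its fields; return None for lines that are not IOS messages."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return SyslogMessage(facility=m["facility"], severity=int(m["severity"]),
                         mnemonic=m["mnemonic"], description=m["description"].strip(),
                         seqno=m["seqno"], timestamp=m["timestamp"])


def filter_by_trap_level(lines: List[str], trap_level: int) -> List[SyslogMessage]:
    """Mirror what 'logging trap <level>' forwards: every message with severity 0..trap_level."""
    kept = []
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg is not None and msg.severity <= trap_level:
            kept.append(msg)
    return kept


def detect_config_changes(lines: List[str]) -> List[str]:
    """Defender check: SYS-5-CONFIG_I records who changed the running config and from where."""
    return [m.description for m in map(parse_ios_syslog, lines)
            if m is not None and m.facility == "SYS" and m.mnemonic == "CONFIG_I"]


# Constructed sample input; the first two lines are the ones quoted in the text above.
SAMPLE_LINES = [
    "*Apr 28, 15:53:58.5353: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
    "000019: %SYS-5-CONFIG_I: Configured from console by vty2",
    "000020: *Apr 28, 15:54:02.101: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.5 port 514 started - CLI initiated",
    "000021: *Apr 28, 15:55:10.002: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "this line is not an IOS syslog message",
]

if __name__ == "__main__":
    for msg in filter_by_trap_level(SAMPLE_LINES, 4):      # what 'logging trap warnings' would forward
        print(msg.severity_name, msg.facility, msg.mnemonic, msg.description)
    print("config changes:", detect_config_changes(SAMPLE_LINES))
```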
When it comes to acquiring a logging server, there are many free and commercial products from reputed vendors that allow you to simply download and install them on your operating system. For example, SolarWinds has its Kiwi Syslog Server (www.kiwisyslog.com) as a commercial product, while PRTG (www.paessler.com) is able to function as a free Syslog server.
In the next section, you will learn how to implement Syslog on a Cisco network.
Lab – configuring Syslog
In this lab, you will learn how to configure Cisco IOS devices to use Syslog and forward log messages to a centralized log management server on the network. The following diagram is the topology we'll be using for this exercise; please note it's the same as the one we used in previous labs with the addition of a Syslog server on the 192.168.1.0/24 network with a static IP address of 192.168.1.5:
Figure 10.30 – Syslog topology
Please ensure you use the following guidelines when creating this lab to ensure you get the same results:
As mentioned previously, the only addition to the topology is the Syslog server.
Configure the Syslog server with the IP address and subnet mask as shown in the diagram.
Ensure the Syslog server is configured with a default gateway address of 192.168.1.1.
Now that you're lab-ready, use the following instructions to configure Syslog on your network topology:
1. Firstly, we will configure the new server to accept Syslog messages. Click on the new server (192.168.1.5), select the Services tab, then click on SYSLOG, as in the following screenshot:
Figure 10.31 – Syslog Server
Ensure the Syslog service is set to On, as in the preceding screenshot.
2. Configure the Branch-A router to send Syslog messages to the Syslog server:
Branch-A(config)# logging 192.168.1.5
3. Configure the Branch-A router to send all Syslog messages to the Syslog server by specifying the severity level as 7, debugging:
Branch-A(config)# logging trap debugging
When you specify a severity level, the router will send all messages with a severity that ranges from level 0 to the level you specify. By specifying debugging, the router will send all Syslog messages from severity levels 0–7, as debugging is severity level 7.
4. To enable the service timestamp with milliseconds on log messages, use the following command:
Branch-A(config)# service timestamps log datetime msec
5. On the Branch-A router, either disconnect and reconnect the LAN cable or administratively shut down the LAN interface to generate some Syslog messages on the device.
6. Configure the HQ router to send Syslog messages to the Syslog server.
7. Head on over to the Syslog server and check the Syslog service:
Figure 10.32 – Syslog messages
The Syslog messages that appear here are those that are generated by the Branch-A router.
8. Use the show logging command to verify the default logging service settings on the router:
Figure 10.33 – Logging service
We can determine that the local router logs to the console and includes all message types, from Emergency to Debugging. 10 messages have been logged so far.
Having completed this lab, you have gained the hands-on skills to implement Syslog on Cisco IOS devices. In the next section, we will discover how to monitor and manage your network using SNMP.
Simple Network Management Protocol
SNMP was designed to enable IT administrators to manage network and end devices, such as workstations, servers, switches, routers, and security appliances, easily on an IP-based network. SNMP provides the functionality to allow device administrators to monitor, manage, and troubleshoot network performance.
SNMP is made up of the following three components:
SNMP manager
SNMP agent
Management Information Base (MIB)
These three components all work together to create a Network Management System (NMS). The SNMP manager is the application that is installed and running on the administrator's computer. The SNMP manager is responsible for collecting the information from the SNMP agents using SNMP GET messages. The manager is able to make modifications to the network device's configuration by using SNMP SET messages.
The SNMP agent and MIB exist on the actual networking device, such as a switch or router. The SNMP agent is the component that communicates with the SNMP manager across the network. The user interacts with the SNMP manager, which then relays the information to the SNMP agent. The SNMP agent either gathers information and sends it back to the SNMP manager or executes a set of instructions.
The MIB is like a database that contains data on the network device and its operational state. This information is available only to users who are authenticated via SNMP on the local device. Put simply, the SNMP agent must be configured on a network device, then the user opens an SNMP manager application on their computer and simply specifies the IP address of the target device and user credentials, such as a community string. If the credentials are valid, the SNMP manager will authenticate to the SNMP agent on the network device, allowing the user to interact with the device, gather information, and make adjustments on it.
Important note
SNMP operates on UDP port 161. However, SNMP agents send SNMP trap messages to the SNMP manager on UDP port 162.
The following diagram shows the overall flow of messages on the NMS:
Figure 10.34 – SNMP messages
The SNMP GET request is used to gather or query the device for information and the SNMP SET request is used to modify the configuration on the device via the SNMP agent. Trap messages are like notifications that are generated and sent by an SNMP agent to alert the SNMP manager about an event on the network device.
The following figure shows an SNMP manager interface:
Figure 10.35 – SNMP manager
The preceding screenshot shows some information about a switch on an enterprise network. To gather this information, the SNMP manager (SolarWinds) has sent an SNMP GET message to retrieve the information for us. Once the information is gathered, it is presented on the SNMP manager GUI. The SNMP protocol was able to gather details such as the CPU and memory load, latency, and packet loss statistics. Without using the command line, the SNMP manager is able to show us the days and times when network latency was higher than others. This information can be used to generate reports, create network baselines, and assess any network performance issues.
The SNMP traps are continuously exchanged between the SNMP manager and the SNMP agent to gather information about the network device. The downside of the SNMP polling mechanism is the delay between an event occurring on a network device and the SNMP manager taking notice of it. Some organizations configure their SNMP polling intervals to 10 minutes, which allows the NMS to detect an event/issue within 10 minutes of occurrence. However, this interval may be too long when it comes to detecting a failure on a critical network, so polling intervals can be adjusted to fit the organization's response time to network issues. Keep in mind that too many polling messages may flood the available bandwidth on the network.
SNMP versions
There are several versions of SNMP. These are as follows:
SNMPv1
SNMPv2c
SNMPv3
SNMPv1 does not provide any form of authentication, privileges, or encryption between the SNMP manager and the SNMP agent. SNMPv2c uses community strings – public and private – for administrative tasks. The public string is used for read-only tasks, while the private string is used for read-write actions. However, SNMPv2c does not provide any authentication or encryption. SNMPv3 comes with improved security to provide authentication for users and user groups. SNMPv3 uses Message Digest 5 (MD5) or Secure Hashing Algorithm (SHA) during its authentication phase, and Data Encryption Standard (DES) or Advanced Encryption Standard (AES) for data encryption.
SNMPv1 and SNMPv2c both use community strings to access the MIB on a network or computer device. The following are the two types of community strings used in SNMP:
Read-only (ro): This string allows you to access the MIB on the network device but does not allow you to make modifications on the device, hence read-only.
Read-write (rw): Allows you to both read and write to all objects within the MIB on the device.
Next, you will discover the purpose of the MIB and the key roles it plays in SNMP.
Management information base
The MIB is a database that contains all the Object IDs (OIDs) for each component on the network device. To put it simply, for the SNMP manager to interact with an interface of a router, to gather network statistics from the interface, for example, an OID must exist for that specific task on the router.
OIDs are represented as variables within the MIB. The MIB is designed as a hierarchical tree structure containing many child sub-sections known as branches. The following diagram shows the MIB OIDs used by Cisco devices:
Figure 10.36 – MIB
The SNMP manager uses the OID values from the MIB to gather information or make changes to objects on the SNMP agent device. The hierarchical structure defines where an SNMP manager can find specific information about a device.
Tip
The Cisco SNMP Object Navigator tool is a free online tool to help you translate OIDs into their respective object names and details.
In the following exercise, you will learn how to configure SNMP on Cisco devices.
Lab – configuring SNMP
In this lab, you will learn how to configure the SNMP service in a Cisco environment. Please keep in mind that this lab is simply an extension of the previous lab on DNS services and we will be using the same network topology as shown in the following diagram:
Figure 10.37 – SNMP lab topology
The objective of this lab is to enable SNMP on both the HQ and Branch-A routers. Once SNMP is enabled, we'll use PC1 as the SNMP manager to retrieve device information and make configurations to the running-config file on the router.
To configure SNMP on the Cisco IOS router, use the following instructions:
1. On the Branch-A router, configure the community string (public) and the access level for read-only (ro) using the following command:
Branch-A(config)# snmp-server community public ro
2. Next, configure a community string (private) with the access level for read-write (rw) on the Branch-A router:
Branch-A(config)# snmp-server community private rw
Read-write will allow the SNMP manager to use the private community string to make modifications to the configurations of the device.
3. Apply steps 1 and 2 on the HQ router:
HQ(config)# snmp-server community public ro
HQ(config)# snmp-server community private rw
4. Head on over to PC2, open the Desktop tab, and select MIB Browser, as in the following screenshot:
Figure 10.38 – PC2 Desktop interface
5. Click the Advanced… button, as in the following screenshot:
Figure 10.39 – MIB Browser
6. A new window will appear. Set the Read Community value as public, Write Community as private, and SNMP Version as v3, and click OK:
Figure 10.40 – SNMP browser settings
7. In the left panel, expand the MIB tree structure to iso > org > dod > internet > mgmt > mib-2 > system > sysUpTime, set Operations as Get, and click on GO:
Figure 10.41 – Device uptime
The SNMP manager on PC2 was able to retrieve (GET) the device's uptime from the SNMP agent on the router.
8. To make a modification to the device's configuration, we can use the SNMP SET operation. To change the device's hostname to Branch-A-RTR, navigate to the sysName branch, use the SET operation, and set Data Type to OctetString and Value to Branch-A-RTR, as shown in the following screenshot:
Figure 10.42 – The SNMP SET operation
Once you click on GO, the MIB Browser will use the SNMP SET message to inform the SNMP agent on the router to make the adjustment on the device.
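The following added example (not code from the book or from the MIB Browser) serializes the SNMPv2c GetRequest that step 7 sends for sysUpTime, using the MIB path from the Management information base section expressed as the numeric OID, with the BER encoding written by hand so nothing beyond the standard library is needed. It also shows why the SNMP versions section matters: the community string travels in the datagram as plain bytes, so anyone who can see the traffic can read the read-write credential.

```python
SNMP_VERSION_V2C = 1   # version integer on the wire: v1 = 0, v2c = 1, v3 = 3

# The MIB Browser path from step 7, iso > org > dod > internet > mgmt > mib-2 > system > sysUpTime,
# is the numeric OID 1.3.6.1.2.1.1.3; a trailing .0 selects the single scalar instance.
SYSUPTIME_INSTANCE = "1.3.6.1.2.1.1.3.0"


def ber_length(n: int) -> bytes:
    """BER definite length: one byte below 128, otherwise 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(v: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)
    return tlv(0x02, body)


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunks))
    return tlv(0x06, bytes(out))


def snmpv2c_get(community: str, oid: str, request_id: int = 1) -> bytes:
    """Serialize an SNMPv2c GetRequest for one OID (this is what the manager sends to UDP port 161)."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))          # VarBind ::= { name, NULL }
    pdu = tlv(0xA0, ber_integer(request_id)                       # GetRequest-PDU is [0] IMPLICIT
                    + ber_integer(0) + ber_integer(0)             # error-status, error-index
                    + tlv(0x30, varbind))                         # VarBindList
    return tlv(0x30, ber_integer(SNMP_VERSION_V2C) + tlv(0x04, community.encode("ascii")) + pdu)


def community_is_visible(packet: bytes, community: str) -> bool:
    """True if the community string can be read straight out of the datagram (always, for v1/v2c)."""
    return community.encode("ascii") in packet


if __name__ == "__main__":
    pkt = snmpv2c_get("public", SYSUPTIME_INSTANCE, request_id=0x1234)
    print(pkt.hex())
    print("community readable on the wire:", community_is_visible(pkt, "public"))
```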
Having completed this lab, you have learned how to enable SNMP on a Cisco IOS device and have seen the operations of SNMP on a Cisco network. In the next section, we will take a look at understanding the key role QoS plays in an enterprise network.
QoS traffic classification
Let's imagine the roadways of a city do not widen automatically and if there are too many vehicles using the medium (roadways) and they are not exiting quickly enough, traffic starts accumulating and results in congestion. Therefore, each person may take a much longer time to reach their destination.
In a production environment, you're the network engineer for a very large organization with a lot of users and many network applications. Each day, users are simultaneously accessing both internal resources on the network, such as locally hosted applications, and external resources; there are tons of various traffic types that are traveling along the network each day. What would you do if users began experiencing an unacceptable user experience on the corporate network, such as very slow response times?
Each day, there are thousands and even millions of packets being generated by devices and they are sent with messages to another device as a form of digital communication. Sometimes, when there is too much traffic on the network that exceeds the bandwidth between a sender and destination, network congestion occurs.
On a network, some of these traffic types include voice and video transmission for online and virtual collaboration with other members of staff, while other traffic types may be using User Datagram Protocol (UDP) as their transport layer protocol, which does not guarantee the delivery of a message. Using QoS tools on a network, professionals can classify and prioritize network traffic types, such as voice and video, over non-time-sensitive traffic, such as web browsing and email.
While devices such as computers, servers, and IP phones are sending traffic to the network switches and routers, they are not considering whether the networking devices are able to transmit messages as fast as they are being received. Switches and routers are used to connect devices and networks; they sit at the core of all exchange points on an enterprise network. This means they accept thousands of packets per minute on their physical interfaces and have to process each incoming message and forward it through an outgoing interface toward its destination. All networking devices have a buffer of limited size that temporarily stores incoming messages (in a queue) until the device is able to process and forward them. When a device, such as a router, receives too many incoming messages and the buffer is full, new incoming messages may be discarded until the router is able to process the existing messages and free the buffer memory.
Important note
The queuing of traffic increases the delay on a network. Hence, network congestion causes delays.
This is not good for a network that has critical applications that generate time-sensitive traffic, such as voice and video. Imagine your organization has a Voice over IP (VoIP) solution and during each phone call with another employee or external party, for the duration of the call, the other person and yourself have an unacceptable experience, such as not hearing each word the other person is saying, hearing static, and even experiencing delays. Voice and video traffic use UDP as their preferred transport layer protocol because UDP creates a lot less overhead on the network and it's much faster than Transmission Control Protocol (TCP). However, the disadvantage of using UDP, especially for voice and video traffic types, is that UDP is a connectionless protocol and there is no guarantee of delivery for any messages. Therefore, voice and video traffic has a much higher possibility of being discarded or dropped on a network if congestion occurs along the path. Using QoS tools, a network engineer can configure network devices to prioritize certain traffic types over others to ensure users have an acceptable experience on the network.
Important note
A network device will only implement QoS when it is experiencing some form of congestion.
QoS terminologies
Throughout your journey in the field of networking, you will encounter many technologies and terminologies. In this section, you will learn about the terminologies that are used to describe certain characteristics of a network and how they help us to define network transmission quality.
Bandwidth: Bandwidth refers to the amount of bits that can be transmitted in a second. This is commonly measured as bits per second (bps). On newer network devices, there are higher capacity interfaces, such as Gigabit Ethernet ports, which can support up to one gigabit per second of traffic.
Congestion: As mentioned earlier, congestion causes delays on a network. Congestion occurs when there is a lot more traffic on a network than it can handle. The buffer within network devices becomes overwhelmed when there is a lot of incoming traffic filling up the buffer memory faster than the network device can process it and forward it to an outgoing interface. Network devices are usually located at the congestion points on a network, which is where QoS should be applied.
Delay: Delay is also referred to as latency. This is the time it takes a packet to travel between a source and a destination. A network with high latency will result in users experiencing slower response times to network-based applications that are hosted on a local server. The objective is to ensure a network has a very low response time between any sender and destination.
Jitter: Jitter is the variation of the delay of incoming packets. On a stable network, the latency of a continuous stream of packets received from a single source will be the same. However, network congestion, improper queuing, and interface errors (collisions) affect the latency between each packet being received on a device.
Packet loss: Once the buffer is full, new incoming packets will be discarded or dropped from the network. This results in packet loss. Having too much packet loss on a network makes it difficult to transmit a message between a source and destination. If the message is using TCP, the sender will re-transmit the dropped packet until the destination sends an acknowledgement, unlike UDP, where the sender will not re-transmit the message.
Traffic type characteristics
More users are moving their business applications to the cloud, employees are working remotely at home, and academic institutions are using the internet and technologies to deliver their classes to a global audience. The increase in voice and video traffic over the years has been rapid, and it is continuing to surpass data traffic on an enterprise network.
Voice traffic is quite predictable and smooth flowing. However, it is very susceptible to packet loss and delays over a network. Since voice traffic uses UDP, if a packet is lost, the sender does not re-transmit the message. Therefore, voice traffic should be configured with a higher priority over all other traffic on the network. Voice traffic can tolerate some levels of packet loss, latency (delay), and jitter before it becomes noticeable by the receiver.
Voice traffic should use the following recommendations:
The delay or latency should not exceed 150 milliseconds (ms).
Jitter should not exceed 30 milliseconds (ms).
Packet loss should not exceed 1%.
Voice traffic requires a minimum of 30 kbps of bandwidth.
Unlike voice traffic, video traffic uses a lot of extra bandwidth and, without any QoS mechanism to prioritize the traffic type, the quality of the video stream degrades. From a user's point of view, the video will begin to appear blurry and jagged and the audio may not be synchronous with the picture. Compared to voice traffic, video traffic is known to be inconsistent, unpredictable, and less resilient. With video traffic, packets may be received at 20-millisecond time intervals, which then changes randomly to 40-millisecond intervals, then back again to 20 milliseconds. Additionally, each video packet is not always the same size in bytes; this causes inconsistency when transporting small and large video packets along a network.
To put it simply, video traffic uses UDP as its transport layer protocol, which is very vulnerable to packet loss and delays on a network. Video traffic also uses a lot of network bandwidth and the message size varies from packet to packet.
Video traffic should use the following recommendations:
Latency should not exceed 400 milliseconds (ms).
Jitter should not exceed 50 milliseconds (ms).
Packet loss should not be more than 1%.
Video traffic requires a minimum of 384 kbps of bandwidth.
Another traffic type is data. There are many applications and network resources that do not have tolerance for packet loss during transmission, so they use TCP as the transport layer protocol. During a TCP stream, if any packet is lost during the transmission, the sender will re-transmit the message to the destination. There are certain traffic types, such as web browsing, that use Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS); these protocols sometimes occupy a lot of bandwidth on a network and do not leave room for other time-sensitive protocols. If TCP traffic takes up all the bandwidth on a network, the UDP traffic will have a higher chance of being discarded or dropped.
Although some data traffic types may be mission-critical to the organization, to improve the Quality of Experience (QoE), a network administrator can simply configure the QoS tools to prioritize certain data traffic types on the network.
QoS queuing algorithms
One method a Cisco device uses to queue incoming traffic is called First-In, First-Out (FIFO). This technique is quite simple; it operates like the phrase first come, first served. When packets enter the interface of a network device, they are placed in a queue while the device processes each message one at a time, then forwards the message out of an exit interface to its destination. With FIFO, the packets are processed in the order they arrive. No packet is prioritized over another, as there is only a single queue and all packets are treated equally. Packets will be processed and sent out in the same order as they arrive on the device, hence the name FIFO.
The following are additional QoS queuing algorithms:
Another algorithm is Weighted Fair Queuing (WFQ). WFQ ensures fair bandwidth allocation is given to all traffic on the network. This algorithm uses the concept of applying weights (priority) to identify and classify network traffic into what it calls conversations or flows. Once the traffic has been classified, WFQ then automatically determines the amount of bandwidth that should be allocated to each flow.
Important note
The Type of Service (ToS) field within an IP packet can be used to classify traffic types. ToS is where DSCP (layer 3 marking) is located in the IP packet header.
The downside of using WFQ is that it does not support encryption tunneling, simply because these security features modify the packet content information that is required by WFQ for its classification mechanism.
The Class-Based Weighted Fair Queuing (CBWFQ) algorithm is simply an extension of WFQ. With CBWFQ, traffic classes can be defined based on various matching criteria, such as network protocols, Access Control Lists (ACLs), and even the input interfaces on network devices. Once a match is found, a FIFO queue is reserved for each class and the traffic that belongs to a class is then sent to that queue. For each class of traffic, you can assign various characteristics, such as bandwidth, maximum packet limit, and even weights. During times of congestion, the allocated bandwidth is delivered to the class.
The Low-Latency Queuing (LLQ) algorithm adds very strict priority queuing to CBWFQ. Priority queuing enables traffic types such as voice traffic to be sent before packets that are in other queues. With LLQ, there is jitter reduction on voice conversations on a network. With LLQ, traffic types that are vulnerable to delay are sent first, before all other packets in other queues.
Next, we will discuss various QoS policy models.
QoS policy models
When it comes to choosing the appropriate QoS policy for a network, we must first understand the following three QoS policy models:
Best effort
Integrated services (IntServ)
Differentiated services (DiffServ)
Using best effort as a policy model simply provides no guarantee or reassurance of the delivery of a message on a network. A simple analogy to help explain this model is the local postal service. When you send a letter using the standard postal service, your letter is treated the same as all other letters within the postal company. There is no prioritization. When the letter is delivered to the intended recipient, there isn't any notification that the letter has been delivered successfully. On both private and public networks, best effort is the predominant method used on the internet today and will continue to be used for most general purposes by application and protocol vendors.
The best effort model has the following advantages:
It is very scalable.
No QoS mechanisms are required.
It is very simple and available to deploy on a network.
The following are the disadvantages of using the best effort model:
It does not provide any guarantee of message delivery.
Packets may arrive out of order and not all at once.
There is no prioritization applied to mission-critical applications or time-sensitive traffic types.
Since best effort is not an implementation of QoS, it's not configured by the network administrator. However, it is still used by QoS on the network even though it is not required. Keep in mind that when using this model, all messages are treated exactly the same as all other messages that are traveling across the network. This means voice traffic will be treated the same as web browsing traffic; no prioritization is applied.
Another QoS model is IntServ. IntServ supports real-time traffic types, such as remote video, online conferencing, and virtual reality applications. This model was designed to support multiple QoS requirements. It has the capability to provide end-to-end QoS between a source and destination, unlike the other models. Such a feature is usually required by real-time applications to manage packet streams of traffic; this is known as a microflow.
IntServ uses a connection-oriented technique, which allows each unique or individual connection between a source and destination to specify requested resources on the network. These resources may include bandwidth, delay, and even packet loss metrics to ensure the delivery of each microflow. To ensure each network device between the source and destination is made aware of the required resources, IntServ uses the Resource Reservation Protocol (RSVP). However, if the resources are not available on the path, the sending application does not forward any data along the path.
The following are the advantages of using IntServ:
It provides end-to-end admission control of resources.
Individual connections between a source and destination have their own per-request policy admission controls along the network.
The following are the disadvantages of IntServ:
IntServ is very resource-intensive.
The flow-based approach is not scalable in large networks.
The third policy model is known as DiffServ. DiffServ uses a simple and scalable mechanism to classify and manage traffic types using QoS. This model is able to provide low latency for mission-critical and time-sensitive traffic types, such as voice and video, while using best effort for non-critical traffic types, such as web browsing and email. One major advantage DiffServ has over IntServ is that it can provide an almost guaranteed QoS to packet streams while remaining scalable.
DiffServ does not provide the end-to-end QoS feature. However, being scalable on large implementations has its advantages. When a sender forwards its traffic to a router, the router will classify the traffic flow in a class and provide the appropriate QoS policy for the class.
QoS implementation methods
In this section, you will discover how QoS mechanisms are applied to traffic types.
Classification
QoS tools are applied to a device's interface. This enables the router or switch to match the fields in a packet (message) to make a choice on taking or applying some QoS action. After the device has classified packets, they are placed in a waiting queue for the outgoing interface. The queuing tool will then schedule which packet should be taken from the waiting queue to forward. The schedule is based on the priority placed on a packet (message).
The following diagram shows the classification process:
Figure 10.43 – Traffic type classification
Next, let's learn about marking.
Marking
Marking is the process where the QoS tool changes one or more header fields in a packet, setting a value in the header. Within an IP packet, there are certain header fields that are designed for the purpose of marking by a QoS tool. When the marked packet is passed along to other networking devices, it makes classification much easier.
Important note
The Differentiated Services Code Point (DSCP) field is a 6-bit field within an IP packet, which is used for QoS marking. Class of Service (CoS) is layer 2 marking in QoS.
The following diagram shows the DSCP field within an IP packet using Wireshark:
Figure 10.44 – DSCP field
Cisco has created a tool called Network-Based Application Recognition (NBAR), which is used to match packets (traffic) for classification.
Telegram Channel : @IRFaraExam
Queuing
Queuing refers to the QoS tools for managing the queues that hold packets while they wait for their turn to exit an interface on a network device, such as a switch or router. All network devices place packets in a queue while they make a decision on whether to forward the packet out of an exit interface to its destination.
When using a queuing system, the traffic must first be classified so that it can be placed in an appropriate queue (if there are multiple queues present). Additionally, a scheduler is used to determine which packet is to be sent when the interface of the device becomes available.
Cisco devices use a scheduler algorithm known as round-robin. This algorithm cycles through each queue, taking either one message or a number of bytes from each queue. In other words, the algorithm takes a few messages from the first queue, then a few from the second queue, and so on, then starts back at queue 1 until the algorithm acquires enough messages to create a total number of bytes to send to an exit interface.
The router uses the Class-Based Weighted Fair Queuing (CBWFQ) tool to guarantee a minimum amount of bandwidth for each class of traffic. The network engineer will configure the weights as a percentage – the percentage of bandwidth needed per traffic class.
Policing and shaping
These QoS tools are typically used on the WAN edge of a typical enterprise network. Both of these tools note each packet as it passes and measure the number of bits per second over time. The policer tool is responsible for discarding packets, while the shaper tool is responsible for holding/keeping packets in the queue. These tools are designed to keep the bit rate below a certain speed.
Congestion avoidance
Congestion avoidance is used to reduce the overall packet loss by preemptively discarding some packets in a TCP connection.
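To make the policer/shaper difference concrete, here is an added example (not code from the book) that runs one constructed burst through a token-bucket policer, which discards packets that exceed the rate, and through a shaper using the same bucket, which queues them and releases them later. The rate, bucket size and burst are assumed values for the demonstration.

```python
"""Added example (not from the book): token-bucket policer (drops) beside a shaper
(delays) with the same committed rate and burst. The burst below is constructed."""

# Constructed burst: six 1500-byte packets arriving 1 ms apart, far faster than
# the committed rate of 1 Mbps.  Each entry is (arrival time in s, size in bytes).
BURST = [(i * 0.001, 1500) for i in range(6)]
RATE_BPS = 1_000_000      # committed information rate
BUCKET_BYTES = 3000       # committed burst size (bucket depth)


def police(packets, rate_bps=RATE_BPS, bucket_bytes=BUCKET_BYTES):
    """Return (conforming, dropped). Tokens refill continuously; a packet that does
    not fit in the bucket is discarded, never queued."""
    tokens, last = float(bucket_bytes), 0.0
    passed, dropped = [], []
    for t, size in packets:
        tokens = min(bucket_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        if size <= tokens:
            tokens -= size
            passed.append((t, size))
        else:
            dropped.append((t, size))
    return passed, dropped


def shape(packets, rate_bps=RATE_BPS, bucket_bytes=BUCKET_BYTES):
    """Return a list of (arrival, departure, size). A packet that does not fit waits
    in a FIFO until enough tokens have accrued: nothing is lost, but delay grows."""
    tokens, clock = float(bucket_bytes), 0.0   # tokens are accurate as of `clock`
    out = []
    for t, size in packets:
        if size > bucket_bytes:
            raise ValueError("packet larger than the bucket can never be sent")
        if t > clock:                           # link idle until this packet arrives
            tokens = min(bucket_bytes, tokens + (t - clock) * rate_bps / 8)
            clock = t
        if size > tokens:                       # wait exactly long enough to earn the deficit
            clock += (size - tokens) * 8 / rate_bps
            tokens = float(size)
        tokens -= size
        out.append((t, clock, size))
    return out


def max_delay(schedule):
    """Largest queuing delay introduced by the shaper."""
    return max(dep - arr for arr, dep, _ in schedule)


def effective_rate_bps(schedule):
    """Bits sent divided by the time from first arrival to last departure."""
    total_bits = 8 * sum(size for _, _, size in schedule)
    span = schedule[-1][1] - schedule[0][0]
    return total_bits / span


if __name__ == "__main__":
    passed, dropped = police(BURST)
    sched = shape(BURST)
    print(f"policer: {len(passed)} forwarded, {len(dropped)} dropped")
    print(f"shaper : {len(sched)} forwarded, max delay {max_delay(sched) * 1000:.1f} ms")
```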
Having completed this section, you have gained essential knowledge of the operations of QoS and its importance on a network.
Summary
In this chapter, we covered a wide array of IP services that are crucial for improving the efficiency of an enterprise network. You learned about the importance of proper timekeeping and how to implement NTP to ensure devices' system clocks are synchronized. Furthermore, you saw the benefits of implementing DHCP on a network to automatically distribute IP addresses to end devices and DNS to help resolve hostnames to IP addresses easily.
Next, you saw how network management protocols such as SNMP can be used to help network engineers to easily monitor and manage network devices, and Syslog can be used to improve log management using a centralized logging server. Lastly, you gained an insight into the difference that QoS can make on a network.
I hope this chapter has been informative for you and is helpful in your journey toward learning how to implement Cisco solutions and prepare for the CCNA 200-301 certification. In the next chapter, Chapter 11, Exploring Network Security, you will learn the essentials of protecting your network from cyber threats and improving your organization's security.
Questions
The following is a short list of review questions to help reinforce your learning and identify areas that require some improvement:
1. What is the default port for NTP?
A. 143
B. 110
C. 123
D. 1234
2. Which command allows you to configure the system clock on a device?
A. ntp server
B. ntp master 1
C. ntp master
D. clock set
3. Which Stratum level has the most accurate time on a network?
A. 0
B. 4
C. 1
D. All
4. DHCP has which of the following open ports?
A. 68
B. 67
C. 69
D. 53
5. After a DHCP server receives a DHCP request message, what message will the server send to the client?
A. None
B. Discover
C. Acknowledgement
D. Offer
6. Which DNS record is used to resolve an IP address to a hostname?
A. SOA
B. MX
C. A
D. PTR
7. Syslog uses which of the following ports?
A. 123
B. 161
C. 512
D. 514
8. Which port does SNMP use?
A. TCP 123
B. UDP 161
C. TCP 161
D. UDP 514
9. Which SNMP message is used to modify a device's configuration?
A. Set
B. Trap
C. Get
D. Create
10. Which of the following is the default QoS method for forwarding traffic?
A. CBWFQ
B. Best effort
C. LLQ
D. DiffServ
Further reading
The following links are recommended for additional reading:
Configuring NTP: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_3ntp.html
Configuring DHCP: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-3se/3850/dhcp-xe-3se-3850-book/config-dhcp-server.html
Configuring DNS: https://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/24182-reversedns.html
Configuring Syslog: https://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/SysMsgLogging.html
Configuring SNMP: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/xe-16/snmp-xe-16-book/nm-snmp-cfg-snmp-support.html
Configuring QoS: https://www.cisco.com/c/en/us/td/docs/routers/access/800M/software/800MSCG/QoS.html
This section begins by introducing you to the essentials of cyber threats and how they can impact a network. Then, you will learn how to use various tools to discover security vulnerabilities and implement security controls to help mitigate and prevent both internal and external cyber threats in an enterprise network.
This section contains the following chapters:
Chapter 11, Exploring Network Security
Chapter 12, Configuring Device Access Control and VPNs
Chapter 13, Implementing Access Control Lists
Chapter 14, Implementing Layer 2 and Wireless Security
Chapter 11: Exploring Network Security
Designing and implementing a network without security in mind is like leaving all of the windows and doors open at home when you go out. An unauthorized visitor can simply access your personal space and remove your valuables, simply because all points of entry are open. The same concepts should be applied to a network; security is one of the most important factors a network engineer should always remember when designing any network.
During the course of this chapter, we'll look at how to identify various threat actions and attacks, understand the need for network security on an enterprise network, and understand how to develop a security program to improve user awareness and training.
In this chapter, we will cover the following topics:
Security concepts (threats, vulnerabilities, and exploits)
Password management
Vulnerability assessment tools
Authentication, Authorization, and Accounting (AAA)
Wireshark 101
Elements of a security program
Technical requirements
To follow along with the exercises in this chapter, please ensure that you meet the following hardware and software requirements:
Cisco Packet Tracer: https://www.netacad.com
Wireshark: https://www.wireshark.org
Nessus Essentials: https://www.tenable.com/products/nessus/nessus-essentials
The code files for this chapter are available at https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2011.
Check out the following video to see the Code in Action: https://bit.ly/361vb7B
Security concepts
As a network professional, our primary responsibility is to ensure all devices have end-to-end connectivity. However, with the rise of cyber-crime, organizations must ensure their assets are well protected from cyber criminals trying to compromise systems and networks.
When designing a secure network, it's important to first identify all assets within the organization. An asset is simply anything that is valuable to an organization. Assets are usually broken down into the following categories:
Tangible
Intangible
People
Tangible assets are items that are physically within the organization such as furniture, computers, servers, network devices, and components. These assets usually store data about the organization and sometimes contain system logs that are useful during an incident. Intangible assets are items that are non-physical—these include intellectual property, procedures, data, and anything digital that is of value to the organization. Another type of asset that some businesses do not focus on is people. "People" refers to employees, customers, and even suppliers. An organization also needs to protect its human resources from cyber-attacks and threats.
Many organizations in various industries usually sell a product or service to their customers, so they'll keep records of customer information such as names, locations, and contact details. This type of data is referred to as Personally Identifiable Information (PII). Such data must be secured at all times and kept away from hackers.
Nowadays hackers aren't just launching disruptive attacks to prevent users from accessing a resource—they are creating more sophisticated attacks to steal money and other financial assets such as cryptocurrency (for example, Bitcoin). Hackers have realized they can make money by simply stealing your data and selling it on the dark web or holding it hostage and encouraging you to pay a ransom to retrieve it.
The need for information security is always rising, and so is the need for security professionals in all industries to help organizations to protect their assets from hackers and other threats. The foundations of information security start with three main pillars: Confidentiality, Integrity, and Availability. These three pillars form what is commonly referred to as the CIA triad within the field of information security.
The CIA triad
As mentioned previously, data is the most important asset to an organization. The way data is managed is crucial to its security. Data itself exists in three states:
Data at rest
Data in use
Data in motion
Data at rest refers to any data that is stored on a medium or device. This can be data that is currently stored on a Hard Disk Drive (HDD), in online storage such as AWS S3 buckets, or even at an off-site location. Data at rest is simply data that is not currently being used by an application or a user. Data in motion is simply data that is traveling along a network or being accessed remotely by an application or a user. An example of data in motion can be a user copying a file from the local/remote file server onto their local computer. Data in use is defined as any data that is currently being accessed/used by an application or a user. A simple example of data in use is opening a PDF file on your hard disk and reading its contents—while the application is currently accessing the PDF file, the state changes from data at rest to data in use. As a security professional, our task is to protect all forms and states of data within an organization. Applying Confidentiality, Integrity, and Availability (CIA) will help us to achieve information security.
Confidentiality
Confidentiality ensures that only authorized persons have access to view a system or data. We can apply cryptography, such as encryption, to any data to keep it private. During the encryption process, an encryption algorithm and a secret key are used. A secret key is used to encrypt and decrypt the message. The secret key should always be kept private and safe at all times; if the key is lost or stolen, the data is compromised.
Confidentiality plays an important role in ensuring hackers and other threat actors do not gain access to an organization's data. The Microsoft Windows 10 operating system contains a data encryption application known as BitLocker. This application allows a user to create an encrypted storage container to store data at rest. If a hacker is able to access the Windows 10 system, the hacker will not be able to access the contents of the BitLocker container as long as it's locked and the secret key is safe. However, if the attacker has the secret key and access to the BitLocker container, he/she can retrieve the contents and therefore the data is compromised.
Tip
To get more information about BitLocker on Windows 10, please visit the following link: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview.
Integrity
Integrity plays the role of ensuring data isn't modified between source and destination. In the digital world, when a device receives a message, it needs to validate whether that message was modified during transmission from the source to the destination. Hackers and other malicious threats can intercept messages as they are passing along a network and modify the message before sending it off to the destination. Hackers use this technique for various purposes, such as spoofing, pretending to be someone or something else on a network, and attempting to trick an unsuspecting person into falling victim to a cyber-attack.
Important note
The Data Link layer of the Transmission Control Protocol/Internet Protocol (TCP/IP) inserts a Cyclic Redundancy Check (CRC) value into each message before sending it on a network. This CRC value is a cryptographic hash value used to determine whether the message was modified or not.
Integrity plays an important part in information security, ensuring a receiver is able to detect whether a message was compromised.
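One caveat a practitioner will want here: a CRC is computed without any key, so it detects accidental corruption such as line noise but not a message that someone rewrote and re-checksummed. The added example below (not code from the book) appends a CRC-32 and, beside it, a keyed HMAC-SHA256 to a constructed message, then shows which trailer still validates after noise and after deliberate rewriting; the key and message are constructed for the demonstration.

```python
"""Added example (not from the book): an unkeyed CRC detects accidental corruption
but not deliberate modification, while a keyed MAC (HMAC-SHA256) detects both.
Message and key are constructed for the demo."""
import hashlib
import hmac
import zlib

SHARED_KEY = b"constructed-demo-key-change-me"  # assumption: known only to sender and receiver


def crc_frame(msg: bytes) -> bytes:
    """Append a 4-byte CRC-32, as a link layer appends its frame check sequence."""
    return msg + zlib.crc32(msg).to_bytes(4, "big")


def crc_check(frame: bytes) -> bool:
    """Recompute the CRC over the payload and compare with the trailer."""
    msg, fcs = frame[:-4], frame[-4:]
    return zlib.crc32(msg).to_bytes(4, "big") == fcs


def mac_frame(msg: bytes, key: bytes) -> bytes:
    """Append a 32-byte HMAC-SHA256 tag computed with the shared key."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def mac_check(frame: bytes, key: bytes) -> bool:
    """Recompute the tag with the key; constant-time compare avoids timing leaks."""
    msg, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def flip_bit(frame: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Simulate line noise: flip one bit of the payload, trailer untouched."""
    data = bytearray(frame)
    data[byte_index] ^= 1 << bit
    return bytes(data)


def rewrite_payload(frame: bytes, new_msg: bytes, trailer_len: int) -> bytes:
    """Simulate in-path modification that keeps the original trailer."""
    return new_msg + frame[-trailer_len:]


if __name__ == "__main__":
    original = b"PAY 100 TO ALICE"
    altered = b"PAY 900 TO MALLORY"
    print("CRC catches noise:", not crc_check(flip_bit(crc_frame(original), 4)))
    print("CRC validates a re-checksummed rewrite:", crc_check(crc_frame(altered)))
    print("HMAC rejects a rewrite without the key:",
          not mac_check(rewrite_payload(mac_frame(original, SHARED_KEY), altered, 32), SHARED_KEY))
```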
Availability
The role of availability is a simple but challenging one—to ensure a system or resource is always available to those who have access to it. During a cyber-attack, an organization's resources, data, applications, network devices, and even systems may become unreachable and unusable. Once a system or resource is unusable by legitimately authorized persons, an organization may not be able to continue working at optimal performance.
An example of availability being disrupted is a Denial of Service (DoS) attack. A DoS attack is designed to exhaust all of the available computing power of a target system, hence making it unavailable to legitimate users. Such an attack can be applied to a scenario with an online web server; if an attacker launches a DoS attack on the web server, the web application will process all of the incoming HTTP/HTTPS web request messages and eventually become overwhelmed with the high volume of messages originating from the attacker. Therefore, when legitimate users on the internet are attempting to retrieve the web pages from the server, the server may not respond to them. Hence, availability has been compromised.
Putting the three pillars of CIA together
One of the objectives of information security is to ensure all three pillars are applied equally within an organization. Maintaining this balance is somewhat difficult as some organizations focus more on confidentiality; this means the ball (representing an organization's focus) in the following diagram would be placed closer to the confidentiality pillar, moving away from integrity and availability. This means data will be more secure (confidentiality), but access to the data will be more difficult (availability) and checking any modification of data will also be more difficult (integrity).
The following diagram shows the CIA Triad in a triangular format:
Figure 11.1 – CIA Triad
If an organization makes its data and resources very easy to access and focuses on availability more than the other pillars, there will be fewer security controls in place to ensure the data is kept private to authorized persons only (confidentiality) and to check for any unauthorized changes to the data (integrity).
As a security professional, it's important to understand what threats, exploits, vulnerabilities, and attacks stand to compromise the assets of an organization. In the following sections, these terms will be covered in greater detail.
Threats
In the world of information technology, as more devices are moving online and people are connecting to the internet, we find ourselves facing security threats each day. A threat is defined as anything with the motivation to cause harm or damage to a person, system, or network. As more devices are going online and persons are connecting to the internet, there is also a high increase in cyber threats. In today's world, many organizations are going online to expand their customer reach and support for their products and services. There are many companies that are no longer considered traditional brick and mortar companies, but instead, use the internet as a tool to support their organization. One such organization is Amazon, which sells many items, including books. Amazon is not a traditional walk-in bookstore but, rather, an online bookstore that allows potential buyers to read the outline, descriptions, and reviews of books and even get a preview before making the choice to purchase one.
Almost all modern-day businesses have an internet connection. This creates a huge risk—an attacker or malware can access the organization's internal network. Throughout my career, I've seen many organizations from various industries who invest in scalable network infrastructure, which is resilient and has redundancy to ensure all devices have end-to-end connectivity. However, security is such an important factor that isn't always acknowledged. Designing a network to perform at optimal capacity is great but without security, your entire network infrastructure is left vulnerable to both internal and external threats.
Threats exist in many forms; a hacker may attempt to retrieve a victim's username and password for their online accounts, gain unauthorized access into a system by exploiting a security vulnerability on a computer, or even crack the passphrase for the wireless network in your organization.
Assets
As a security professional, it's important to secure the organization's assets. An asset is anything of value to an organization.
Tangible assets are physical objects such as computers, servers, and furniture. This type of asset needs to be protected just as equally as everything else. Tangible assets are vulnerable to physical damage and even theft. Imagine a small business that has a customer service outlet that allows customers to walk in and conduct transactions on a daily basis. Let's say each customer service representative was assigned a laptop at their desk to perform their duties and complete tasks. If each laptop was not physically secured using a Kensington cable, a customer with bad intent may simply pick up a laptop while the employee is not looking and walk away. Some companies may look at the incident as physical theft, but a cybersecurity professional will determine it as both physical and data theft; the laptop has storage media such as an HDD, upon which important and confidential data may be stored. A malicious user can simply retrieve the data from the HDD and sell it on the dark web.
The most valuable asset to any organization is data. Hackers are continuously developing new strategies and techniques to gain access to systems and networks to steal data. Our job as network professionals is not only to create an efficient network but also to create a secure network design to prevent various cyber threats. Creating a secure network design extends to all areas where an organization stores its data; these will include the local area network and even the cloud.
The cloud is an important location many professionals do not consider to be vulnerable. With cloud computing becoming cheaper as time passes, more organizations are migrating their physical infrastructure to a cloud service provider. There are many companies that have almost all of their data and other assets such as servers and applications on the cloud. However, the cloud is just as vulnerable as a physical network. Equal attention must be given to the security of your cloud platform as you would for your physical network.
Threat actors
Threat actors are usually someone or something that is responsible for a security event or incident. Threat actors can be categorized by their characteristics and their motivations.
The following are various types of threat actors in the cybersecurity world:
One type of threat actor is known as script kiddies. A script kiddie isn't necessarily a child or young person, but rather someone who is a novice within the cybersecurity realm who uses instructions and tutorials provided by the real, malicious hackers to guide his/her actions. This type of hacker does not fully understand the technical details of the actual cyber-attack or the tools being used. However, by simply following instructions and launching the same type of attack, they have the ability to compromise a system or network.
The hacktivist is another type of hacker who is between an activist and a hacker. This person uses their technical skills to serve a social or political agenda. Some hacktivist actions include defacing political and government websites, coordinating DoS attacks against an organization's network resources, and leaking confidential data such as documents to various online sites.
Hackers often work in groups using the most elite tools and resources money can buy; this is referred to as organized crime. Within this group, each hacker is an expert within their own field and is assigned a unique role and function, so that one person may be responsible for developing an exploit kit while another is performing extensive reconnaissance on the target. This type of hacking group is well-funded and has the best hacking tools; their motivation is to steal currency from their victims.
Each nation usually has its own team of hackers and these are referred to as state-sponsored hackers. This group of hackers are well-funded and are provided with the best tools and resources the government can buy. These types of hackers are usually hired to protect the security of their country and even perform cyber-attacks on other nations. There are many movies that explain this type of hacking group, one of which was Snowden (2016), which explains how various nations are preparing for cyber warfare.
Tip
To learn more about cyber warfare, check out the book Cyber Warfare – Truth, Tactics, and Strategies by Dr. Chase Cunningham published by Packt Publishing at https://www.packtpub.com/security/cyber-warfare-truth-tactics-and-strategies.
Some people think all cyber threats originate from the internet. Sometimes an insider threat can occur and remain undetected because the organization is busy looking at the internet and neglecting its own corporate network for internal threats and attacks. An insider is simply someone who has gained employment with a target organization under the guise of being a trusted person who can fill a role within the company. However, this person has other intentions; once within the organization, he/she will learn the ins and outs of the network and infiltrate the organization from within.
With the rise in cyber-attacks, organizations are investing in cybersecurity solutions and people to help to safeguard their network and assets. In every network and system, there are vulnerabilities that are known and those that haven't been discovered yet. Organizations hire a special type of hacker known as a white hat hacker—these are commonly referred to as ethical hackers. These are the good guys who use their skillset to help organizations to discover vulnerabilities within their own infrastructure before the bad guys find and exploit them. White hat hackers obtain legal permission before their engagement in a penetration test exercise; this is a real-world simulation attack on the systems and network, to see how a malicious hacker might be able to exploit vulnerabilities and gain access into the network.
A black hat hacker uses their skillset to perform malicious and unethical actions on computers and networks for personal gain. These are the type of hackers that your organization and assets need to be well protected and fortified against. A gray hat hacker simply sits between a white hat and black hat hacker. This type of hacker could commit crimes and perform malicious actions. However, they can use their skillset for both good and bad things.
Now, let's look at vulnerabilities.
Vulnerabilities
One question students frequently ask at the beginning of their cybersecurity journey is: how are hackers able to break into a system or network? The simple answer is hackers and other threat actors look for vulnerabilities on a target system. A vulnerability is a security weakness or flaw in a system that could be exploited by a threat. The competition between security researchers and hackers has been an ongoing one—a race to discover security flaws first. Security researchers are always looking for new vulnerabilities to help software and product vendors to fix and close security weaknesses while hackers are looking to exploit and gain access to their victims' systems.
Tip
Nessus is one of the most popular vulnerability assessment tools within the cybersecurity industry. Further information on Nessus can be found at https://www.tenable.com/products/nessus.
A vulnerability can exist in the form of a weakness or flaw in a configuration, security policy, or even something technological in nature. Let's look at an example. A network device such as a router is configured to use Telnet and not SSH as the preferred method for remote access management. Telnet is an unsecured protocol that transfers data in plaintext whereas SSH encrypts all traffic. As you have learned so far, TCP/IP is the language all devices speak when connected to an Ethernet network, so you may think the TCP/IP protocol suite is designed with good security but in reality, it's not.
Many vulnerabilities exist in the various protocols within TCP/IP. These protocols include Internet Protocol (IP), Internet Control Message Protocol (ICMP), Hypertext Transfer Protocol (HTTP), and even Simple Network Management Protocol (SNMP). Since IP was not designed with good security, an attacker can simply spoof the IP address of another device on the network. SNMPv1 does not support user authentication, so this means an attacker is able to remotely connect to an SNMP-enabled device and gather sensitive information. Attackers can take advantage of various weaknesses within these protocols and capture sensitive information while network traffic is traveling along a network.
Hackers are always looking for a way inside your network and devices, and your network components provide an easy way in if they are not updated and secured properly.
The following screenshot shows the Nmap tool has found the EternalBlue vulnerability on a Windows system:
Figure 11.2 – EternalBlue
In the preceding screenshot, Nmap reported that the target system is vulnerable to the EternalBlue exploit, which will allow an attacker to exploit the vulnerability in Server Message Block (SMB) version 1 and execute remote code. Furthermore, Nmap reports the risk is high on the target and provides reference URLs for additional research.
Also, some enterprise network devices such as routers and switches support network security functions to help to prevent various malicious threats and attacks on your network. Sometimes, a misconfiguration on a router can give an attacker remote access into the management plane of the device.
Each device requires firmware or an operating system in order to work and perform functions. Operating system vendors are always researching for vulnerabilities within their product to quickly release updates and security patches to fix any issues for their customers. Many organizations do not update their computers' operating systems for many months, and this increases the risk of them being compromised. Imagine if a new threat came about and the operating system vendor releases a security patch to fix the issues but the organization ignores the updates and patches by the vendor; their systems will be vulnerable to the threat until security patching occurs on their network. Remember, each day hackers are always looking for ways into your systems, so operating system vendors release updates very frequently to help to protect you.
Many configuration vulnerabilities exist on a network. This type of security weakness exists within user account management, misconfigured network services, and default configurations on devices. When logging in to a system, your user credentials may be sent across the network via an unsecured protocol.
The following screenshot shows a Windows user credential was captured as it was sent to the Active Directory server on the network:
Figure 11.3 – User account details
In the preceding screenshot, we can see the user, Bob, enters his username and password on a Windows 10 system to authenticate himself on the network. However, in this scenario, the Active Directory server (Windows Server) is using the default directory query protocol, Lightweight Directory Access Protocol (LDAP). LDAP does not encrypt the user information by default; only the user's password is hashed using NTLMv2 and sent across the network. In the preceding screenshot, the hash was captured, allowing the attacker to perform offline cracking of the hash to retrieve Bob's password. This is an example of an unsecured user account and insecure protocols on a network.
Configuration vulnerabilities also exist when an administrator configures weak or insecure passwords for user accounts. Such a vulnerability enables a hacker to easily compromise user accounts on a system and quickly gain access. Another vulnerability occurs if default configurations are used on a system or network device. Default configurations are applied on a device at the point it leaves the manufacturer; they allow us to easily get the device up and working quickly without having to spend too much time trying to figure out how to get it working. Default configurations often contain many configuration weaknesses, such as security features being absent and remote access being enabled for all. It's important to ensure default configurations are never used on systems and devices on a production network.
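The configuration weaknesses discussed above (Telnet for management, community-based SNMP, reversible passwords, left-over defaults) can be checked for mechanically. Here is an added example, not code from the book or from Cisco, that audits an IOS-style running configuration for these settings: the two configuration texts are constructed for the demonstration, the check patterns and finding names are this example's own, and the hash values in the hardened version are placeholders.

```python
"""Added example (not from the book): audit an IOS-style running configuration for
the weak settings discussed in the text. Both configurations are constructed."""
import re

# Constructed sample: a device left close to its defaults, with several weak settings.
WEAK_CONFIG = """\
hostname R1
no service password-encryption
enable password cisco123
username admin password 0 letmein
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password cisco
 login
 transport input telnet
"""

# The same device after hardening (hash values are placeholders, not real hashes).
HARDENED_CONFIG = """\
hostname R1
service password-encryption
enable secret 9 <PLACEHOLDER-HASH>
username admin secret 9 <PLACEHOLDER-HASH>
no ip http server
ip http secure-server
snmp-server group NETMGMT v3 priv
line vty 0 4
 login local
 transport input ssh
"""

# (finding id, regex matched against one config line, why it matters / what to use instead)
CHECKS = [
    ("telnet-management", r"^\s*transport input\b.*\b(telnet|all)\b",
     "VTY accepts Telnet: credentials and sessions cross the network in plaintext; use 'transport input ssh'"),
    ("http-management", r"^ip http server\b",
     "plaintext HTTP management is enabled; disable it or use 'ip http secure-server'"),
    ("snmp-community", r"^snmp-server community\s+\S+\s+(RO|RW)\b",
     "SNMPv1/v2c community string: no user authentication or encryption; use SNMPv3 with 'priv'"),
    ("enable-password", r"^enable password\b",
     "'enable password' is stored reversibly; use 'enable secret'"),
    ("user-password", r"^username\s+\S+\s+password\b",
     "local user password is stored reversibly; use 'username ... secret'"),
    ("no-password-encryption", r"^no service password-encryption\b",
     "line passwords are stored in plaintext in the configuration"),
]

WELL_KNOWN_COMMUNITIES = {"public", "private"}   # default strings shipped by many vendors


def audit_config(config: str) -> list:
    """Return one finding per matching line: {id, line_no, line, advice}."""
    findings = []
    for line_no, line in enumerate(config.splitlines(), start=1):
        for finding_id, pattern, advice in CHECKS:
            if not re.search(pattern, line):
                continue
            if finding_id == "snmp-community":
                name = line.split()[2]
                if name in WELL_KNOWN_COMMUNITIES:
                    advice += f"; '{name}' is a default community string"
            findings.append({"id": finding_id, "line_no": line_no,
                             "line": line.strip(), "advice": advice})
    return findings


def finding_ids(config: str) -> set:
    """Distinct finding types present in a configuration."""
    return {f["id"] for f in audit_config(config)}


if __name__ == "__main__":
    for f in audit_config(WEAK_CONFIG):
        print(f"line {f['line_no']:>2} [{f['id']}] {f['line']}\n    -> {f['advice']}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```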
Human vulnerabilities
One major vulnerability we often overlook when designing a secure network is the human factor. Humans are also vulnerable to various online and offline cyber-attacks, such as being a victim of social engineering attacks. Social engineering is simply when an attacker is able to manipulate a person to reveal sensitive information or perform a certain task.
Important note
Social engineering is usually non-technical in nature. This means a computer is not required to perform various types of social engineering attacks on a victim. The attack usually exploits the trust and social behavior of the victim.
The following are various types of cyber-attacks that target human vulnerabilities:
Phishing is a form of social engineering that is done using a computer; the attacker creates and sends a fake email to a potential victim. The email is crafted to look and sound as if it came from a legitimate source, such as a financial institution. The message usually contains some instructions and a malicious link embedded within the message. The instructions might say, "Your user account has been hacked; click the following link to reset it." If the user follows these instructions, they'll end up downloading malware and infecting the system, or visiting a site that allows the attacker to capture the victim's username and password.
Another type of social engineering is spear phishing. In a spear phishing attack, the attacker makes a fake message or email look more legitimate and believable. This type of attack is usually focused on a specific group of people. An example would be an attacker who crafts an email that looks like it originates from Bank X and sends it to everyone associated with that bank. People who have an account with Bank X will be more susceptible to the scam, click any malicious links, or follow any instructions within the message, whereas a person who does not have an account with Bank X will simply block, delete, or ignore the message.
Whaling is a type of phishing attack that focuses on the high-profile persons within an organization such as a CEO or even a director. The objective of the attack is to compromise a high-profile person's account and use the account to conduct transactions. Imagine if a CEO's email account is compromised; the attacker could send emails to the accounting department requesting confidential financial details about the organization. People within the accounting department will see the email originating from the CEO and trust it's the actual CEO requesting the information. In such an attack, trust is being exploited between the employee and the CEO.
Social engineering attacks can be done over a telephone conversation—this is known as vishing. In vishing, the attacker calls the potential victim while pretending to be someone with authority or a person the victim may trust. During the conversation, the attacker may also try to build or improve the trust between the victim and the attacker and take advantage of that trust. In vishing attacks, the attacker may pretend to be calling from the victim's bank and request the victim's online banking user credentials or perhaps request their credit card number and PIN.
Social engineering can also be done using Short Message Service (SMS), a form of attack known as smishing. This is when an attacker attempts to perform social engineering using the text messaging service on mobile phones.
Sometimes an attacker may take a more aggressive approach to get victims to visit a compromised website. Hackers are able to compromise vulnerable Domain Name System (DNS) servers and can modify the DNS records, for example, by changing the DNS A record for a hostname to point to a compromised website rather than the legitimate IP address. This means any device requesting the IP address of a certain website will be redirected to a malicious website. This type of social engineering is known as pharming.
It's important to build a fortress around and within your organization to protect it from both internal and external cyber-attacks and threats. Sometimes, when an attacker realizes he/she is unable to compromise the target's network, the attacker may attempt to perform a water hole attack. In a water hole attack, the attacker will attempt to compromise a site or location the employees of the target organization commonly visit, such as a local coffee shop. By compromising the coffee shop Wi-Fi network, any device connected to that network will download a payload and the mobile device will be infected. When an employee connects their infected mobile device to the corporate network, it will compromise the organization. However, anyone who connects to the Wi-Fi network, or the water hole, will be infected, not just the target users who belong to the organization.
Next, let's go ahead and learn about password vulnerabilities and management.
PasswordvulnerabilitiesandmanagementToproveouridentitytoasystem,wemustprovideavalidusernameandpassword.Manypeopleoftencreatesimpleandeasy-to-rememberpasswordsfortheironlineaccounts.Whileit'ssimplefortheusertoremember,it'sasecurityvulnerabilityasahackercaneasilygainaccesstothevictim'saccount.Creatingasecureandcomplexpasswordisimportantandpreventshackersandotherthreatactorsfromcompromisingauseraccountandgainingaccesstosensitiveinformation.
Whencreatingsecureandcomplexpasswords,usethefollowingguidelines:
Passwordsshouldatleast8charactersinlength.
Ensurethepasswordincludesacombinationofuppercaseandlowercaseletters,numbers,specialcharacters,andsymbols.
Ensurethepasswordisnotbeingusedonanotheraccountyoumayown.
Passwordsshouldnotberegularwordsyou'dfindinthedictionary.
Passwordsshouldnotcontainanypersonaldetailssuchasbirthdaysorrelativenames.
Telegram Channel : @IRFaraExam
Passwordsshouldbechangedfrequently.
Passwordsshouldnotbewrittendownanywherearoundyourworkplace.
Using a password manager can help you to create, store, and manage secure passwords. There are many free password managers available on the internet.
The following screenshot shows a secure password generated by the LastPass password manager:
Figure 11.4 – Secure password
Passwords are still breakable by a hacker who has a lot of time and computing power. Using Multifactor Authentication (MFA) adds an extra layer of security to our user accounts; therefore, the user has to provide multiple sets of information to prove his/her identity.
Sometimes, after a username and password combination has been validated by a system, it requests a second form of authentication to validate your identity. This is sometimes referred to as 2-Factor Authentication (2FA). Authenticator apps on your smartphone can be associated with a supported website. Cisco is an example of this as its user accounts support 2FA, which allows you to add a third-party authenticator, such as Google Authenticator, on your Cisco user account. Each time you attempt to log in to the Cisco website, a unique code is required from the authenticator app. This code changes approximately every 30 seconds, making it difficult for a hacker to guess the sequence of codes being generated each time.
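Why the code changes every 30 seconds, shown as an added example (not code from the book): the RFC 6238 TOTP algorithm that authenticator apps such as Google Authenticator implement, with the RFC's own reference test secret as the shared key (a constructed value, not a real one) and a verifier-side check that tolerates one step of clock drift.

```python
"""Time-based one-time password (TOTP), RFC 6238 (added example).

Default parameters of common authenticator apps: HMAC-SHA1, 6 digits and
a 30-second time step, so the code is constant within one step and changes
when the next step begins.
"""
import hashlib
import hmac
import struct
import time

# The RFC 6238 reference test secret (ASCII), used here only as sample input.
RFC6238_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds between code changes


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HMAC-based one-time password (RFC 4226) for an integer counter."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    digest = hmac.new(secret, msg, digestmod).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, step=TIME_STEP, digits=6):
    """TOTP: the HOTP counter is the number of whole time steps since the
    Unix epoch, which is what makes the code roll over every `step` seconds."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, candidate, unix_time, window=1):
    """Verifier-side check accepting +/- `window` steps of clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = int(unix_time) // TIME_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test times: the codes are the last six digits of its vectors.
    for t in (59, 1111111109, 1111111111, 1234567890):
        print(t, totp(RFC6238_SECRET, t))
```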
Rather than using passwords, you can use biometrics. Biometrics allows you to use a part of your body to authenticate to a system. Most new smartphones support biometric authentication, which allows a person to unlock their smartphone using their fingerprint. On Microsoft Windows 10, Windows Hello uses facial recognition technology.
Important note
Other forms of biometrics are voice, iris, and retina scans.
Digital certificates are an alternative method to authenticate to a system. Digital certificates are granted by a Certificate Authority (CA), which verifies the identity and authenticity of the requester. The CA functions as a trusted third party who can verify the holder of the certificate is who they claim to be.
Lab – Using Nessus to perform a vulnerability assessment
In this lab, you will learn how to perform a vulnerability assessment on a target system using Nessus Essentials.
To get started, use the following instructions:
1. Go to https://www.tenable.com/products/nessus/nessus-essentials and register for an Activation Code:
Figure 11.5 – Nessus Essentials home page
2. You will be redirected to a Thank You page containing a Download button—click it:
Figure 11.6 – Download button
3. Choose the latest version of Nessus Essentials that is available for your operating system:
Figure 11.7 – Nessus Essentials download page
4. Once the file has been downloaded onto your computer, install it using all of the default settings.
5. After installation, your web browser will open the following URL: http://localhost:8834/WelcomeToNessus-Install/welcome.
6. Click on Connect via SSL to ensure your connection is secure:
Figure 11.8 – Ensure SSL
If your web browser gives a security warning, add an exception. This warning is created because Nessus is using a self-signed digital certificate.
7. Choose the deployment type: Nessus Essentials and click Continue.
8. An Activation Code Request page will appear. Simply click Skip as we have already completed this task in step 1:
Figure 11.9 – Skip registration
9. Check your inbox for a confirmation email with your Nessus Essentials License Key.
10. Insert the Activation Code in the field as shown in the following screenshot and click Continue:
Figure 11.10 – Activation window
11. Create a local user account for the Nessus Essentials application and click Submit.
12. After the setup process, Nessus Essentials will initialize on your computer.
13. If the Nessus Plugins fail to download during the initialization phase, open Command Prompt with Administrator privileges and execute the command shown in the following screenshot:
Figure 11.11 – Reinitializing the Nessus Plugins download phase
14. Once the process is complete, go to https://localhost:8834/#/ and log in using your user credentials.
15. Once you're logged in, click New Scan. You'll see the following scan templates to choose from:
Figure 11.12 – Nessus pre-configuration templates
You can choose any scan template and even customize it to fit your needs.
16. Click on Basic Network Scan.
17. Complete the basic information within the fields, as shown in the following screenshot:
Figure 11.13 – Configuring a basic scan on Nessus
Important note
For legal purposes, do not scan any devices or networks that you have not been legally authorized to. For this exercise, I am performing a vulnerability scan on a personal machine within my own network.
18. Click Save.
19. Once the scan has been saved, click the Play/Launch icon on the furthest right column to launch the scan.
20. Once the scan is finished, click on it to access the details. You will see an overview of all of the vulnerabilities found with a severity level.
21. Click on Vulnerabilities to see all of the security weaknesses found on the target machine:
Figure 11.14 – Vulnerabilities
As shown in the preceding screenshot, Nessus provides a list of all of the vulnerabilities found on the target system and sorts the list from Critical to Informational.
22. Selecting a vulnerability will provide you with a description and solution on how to fix the security flaw, as shown in the following screenshot:
Figure 11.15 – Security flaw in VNC Server
23. Also, you can click the Export/Report button in the top-right corner to export a report of the assessment in PDF, CSV, or HTML format. Nessus can generate an Executive Summary or a Custom report.
The Executive Summary will contain a summary list of all of the vulnerabilities found, the severity levels, and their Common Vulnerability Scoring System (CVSS) score. The Custom report contains specific details such as the description, solutions, references, and even risk factors for each vulnerability.
Having completed this lab, you have gained the skills to perform a basic vulnerability scan and create reports using the Nessus vulnerability scanner. In the next section, you will learn about exploits.
Exploits
Exploits are the malicious code or actions an attacker uses to take advantage of a vulnerability on a system. Within each operating system, application, and device, there are known and unknown vulnerabilities. Once a hacker has discovered a vulnerability on his/her target system, the next step is to acquire an exploit that will leverage the security flaw. One popular website to find exploits is Exploit Database (www.exploit-db.com). This website is maintained by Offensive Security, the creators of the popular penetration testing Linux distro, Kali Linux. The purpose of such a website is information sharing for other cybersecurity professionals such as penetration testers who require exploits during their jobs.
Tip
To understand how threats, vulnerabilities, and exploits all fit together, consider the following sentence: a threat uses an exploit to take advantage of a vulnerability on a system.
One such vulnerability is known as EternalBlue (MS17-010); this vulnerability is a weakness found in Microsoft Windows operating systems with Microsoft Server Message Block 1.0 (SMBv1). An attacker with an exploit for EternalBlue will be able to perform remote code execution on a vulnerable machine.
Important note
Further information about the MS17-010 security bulletin can be found at https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010.
The following are the search results for the EternalBlue (MS17-010) vulnerability on Exploit Database:
Figure 11.16 – Search Results for EternalBlue
Additionally, the attacker or the penetration tester can use an exploitation development framework such as Metasploit to create a custom payload and deliver it onto the target. Metasploit allows a cybersecurity professional to build custom payloads to leverage the weaknesses found in applications and operating systems; however, an attacker can do this as well.
Tip
If you want to learn more about Metasploit, please see the following link: https://www.offensive-security.com/metasploit-unleashed/.
Once an attacker has gained access to a system, he/she is able to escalate their user privileges on the victim's system and even pivot the attack through the compromised system to all other internal devices on the network.
Attacks
In this section, you will learn about various types of cyber-attacks and how they can cause harm to systems and networks.
Malware
Malware is code that is designed to perform malicious actions on a system. The term malware is taken from the words malicious software, which has the capability to exfiltrate data, make a system unusable, or even delete important files on its local disk. There are many types of malware on the internet, and each day security researchers and cybersecurity professionals are discovering these new threats.
The following are descriptions of the most commonly known types of malware:
One type of malware we all know is the virus. A computer virus is similar to a human virus; once a system is infected, the virus begins to unleash its payload and cause more harm. Computer viruses are malicious code that is designed to reproduce itself on an infected system and cause additional damage. Computer viruses are not self-executable; this means a user has to download a virus on their system and manually execute it, then the payload is unleashed on the victim's system.
Important note
There are other types of viruses such as boot sector viruses, program viruses, macro viruses, and even firmware viruses.
Another type of malware is the worm. A worm is self-replicating and automatically propagates in a network. Once a system is infected with a worm, it automatically attempts to spread to other vulnerable systems on the network. A worm is designed to exhaust the computing resources on a system, which will make the infected system work very slowly or render it unusable.
Hackers are creating crypto-malware and ransomware. These types of malware are designed to infect a system, encrypt all of the victim's data, and request a ransom be paid to release the hostage (data). Once a system is infected with ransomware, all data is encrypted except the operating system files. Hackers want to ensure your operating system is still working so they can present you with an on-screen banner asking you to pay the ransom by providing your credit card number, Bitcoin, or another cryptocurrency. It's never recommended to pay the ransom as there is no guarantee or assurance the hackers will keep their word and provide you with the decryption key. It's important to regularly back up your data so that in the event systems are not recoverable, the systems can be wiped and data can be restored.
The Trojan Horse is a type of malware that disguises itself to look like a legitimate program or application but contains a malicious payload. Once an unsuspecting user executes the Trojan Horse, the malicious payload executes in the background and the system is compromised. This type of malware is typically used to trick a user into installing it, and the payload opens a backdoor on the victim's system. Once a backdoor is opened on the victim's system, the hacker can gain access. Trojan Horses are sometimes in the form of fake anti-virus software, games, and even applications. The Remote Administration Trojan (RAT) is another type of Trojan Horse. A RAT simply allows the hacker to gain remote access and control over the victim's system. The attacker is able to modify configurations, enable microphones to record audio, enable webcams to record video, perform actions, and exfiltrate data.
There's a type of malware that infects the kernel of an operating system. This is known as a rootkit. Once a rootkit infects the kernel, it gains root-level access on the system. The term rootkit is taken from the Linux world, where the highest-level user account on a Linux system is the root account. The root account is able to perform unrestricted tasks and actions on a system. Similarly, a rootkit can control the kernel and therefore can perform administrative actions on a compromised system. Since rootkits infect the kernel, this area in the operating system is usually inaccessible to anti-virus programs; however, some anti-virus programs allow you to perform a boot-time system scan, which is done before an operating system is loaded in memory; this type of scan is able to detect rootkits.
Adware is a type of malware that displays advertisements in the form of popups on your desktop and within your browser. Adware is usually distributed by software from the internet. During the installation of software, adware may be installed in the background and will only appear after the installation process is complete.
Spyware is a type of malware that spies on the victim's activities without consent. This information is sent back to the hacker. A user's activity may seem a bit harmless in the cybersecurity industry, but it's actually worth a lot of money to various organizations on the dark web and even companies that perform data analytics on human behavior for targeted advertisements.
Now, let's read about reconnaissance.
Reconnaissance
The first phase in hacking is information gathering or reconnaissance. During this phase, the attacker attempts to gather as much information as possible about the target prior to exploiting any weaknesses. The attacker usually attempts to discover any operating systems, open ports on systems, vulnerabilities, and even running services on the target. Such information can be gathered using Open Source Intelligence (OSINT) techniques such as performing various online searches using Google Hacking techniques and checking the target's website, databases, and even Domain Name System (DNS) records.
Tip
Nmap is one of the best network scanners to detect open ports, profile operating systems, service versions, and much more.
Furthermore, an attacker uses vulnerability scanners to detect open ports and vulnerabilities within an operating system and applications. Some well-known vulnerability scanners in the industry are Nessus, Saint, and Core Impact.
Tip
To learn more about how to perform ethical hacking and penetration testing techniques, check out my book Learn Kali Linux 2019 by Glen D. Singh, published by Packt Publishing, at https://www.packtpub.com/networking-and-servers/learn-kali-linux-2018.
Once vulnerabilities are found, the attacker can then use exploitation tools such as Metasploit, SQLmap, Core Impact, and even Social Engineer Toolkit (SET) to gain access to a vulnerable system.
Spoofing
Spoofing is the technique an attacker uses to fake his/her identity on a network. In technical terms, when a device such as a computer is sending a message to another device, the sender inserts its source IP address within the Layer 3 header of the packet. This information is needed to identify the source and sender of the message. Attackers are able to spoof both their MAC address and IP address, simply to fake their identity when launching any attack.
The following diagram shows an attacker sending a message to a target with a spoofed IP address:
Figure 11.17 – Spoofing attack
As you can see in the preceding diagram, the attacker uses Bob's IP address as the source IP address. Therefore, when the victim checks the source of the traffic, it shows the attack came from Bob's computer.
Denial of Service
Sometimes gaining access or stealing data from a victim's system isn't the goal; some hackers simply want to disrupt service and prevent legitimate users from accessing resources. This type of attack is known as a DoS. A DoS attack is typically launched from a single source against a target such as a web server; the attacker sends a continuous stream (flood) of unsolicited messages to the target. The target device has to process all of the messages it is receiving from both the attacker and legitimate users on the network. Since the DoS attack is sending hundreds and even thousands of messages per minute, the target will eventually become overwhelmed by processing each message.
The following diagram shows an attacker launching a TCP SYN flood attack against a server:
Figure 11.18 – HTTP DoS attack
When the target is overwhelmed, it won't be able to respond to legitimate users' requests and hence creates the effect of denying the legitimate users access to the resources/services. Since a DoS attack is usually from a single source, it's easy to block the attack as it happens. When a denial of service attack is launched from multiple geographic locations, the attack is amplified and more difficult to block as there are multiple sources of the attack. This is known as a Distributed Denial of Service (DDoS).
Amplification and reflection
Another type of DoS attack is a reflective attack. In a reflective attack, the attacker spoofs the IP address of the target device. The attacker then sends a flood of unsolicited request messages to a server on the network or internet. The server will respond to each request, and the responses will be sent to the actual target and not the attacker.
The following diagram shows an example of a reflective attack:
Figure 11.19 – DoS reflective attack
On the target system, the logs will indicate the attack is originating from the server and not the attacker's machine.
In an amplification attack, the attacker sends spoofed request messages to multiple servers on the internet; each server will then respond to each message. Therefore, the victim's machine will receive a flood of messages from multiple servers.
The following diagram shows an example of an amplification attack:
Figure 11.20 – Amplification attack
The attacker spoofs the victim's IP address and sends request messages to multiple servers (reflectors). When each server receives a request, it will process it and send a reply. However, the reply message is sent to the victim instead.
Man-in-the-Middle
In a Man-in-the-Middle (MiTM) attack, the attacker sits between the source and destination of network traffic. This allows an attacker to intercept and capture all data that is flowing between a victim's machine and its destination. This type of attack is usually done on an internal network within an organization to capture any sensitive data and user credentials that are passing along the network.
For this attack to work properly, the attacker's machine must be connected to the local area network. It learns both the IP address and MAC addresses associated with the victim machines and the default gateway. The attacker then sends gratuitous ARP messages to the victim machine, informing it that the attacker machine is the default gateway. Therefore, any traffic with a destination on the internet will now be sent to the attacker's machine. The attacker machine also sends gratuitous ARP messages to the default gateway, tricking the router into believing the attacker machine is the victim's device.
The following diagram shows the effect of a MiTM attack on a network:
Figure 11.21 – MiTM attack
All traffic between the victim machines and the internet will flow through the attacker machine. This type of attack takes advantage of a vulnerability within the Address Resolution Protocol (ARP). ARP was not designed with the security to prevent such types of attacks. However, Cisco IOS switches do support many security features to prevent these attacks. In later chapters, we will cover how to implement Layer 2 security on an enterprise network.
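The defender's view of the gratuitous-ARP trick described above, as an added example that is not part of the book: it replays constructed ARP reply records (the record format is invented for the demonstration) and flags the IP-to-MAC binding changes the attack produces, which is the same binding check a switch feature such as Dynamic ARP Inspection performs in hardware.

```python
"""Gratuitous-ARP poisoning detector over ARP reply records (added example).

Three signs of the MiTM attack described above are raised as alerts:
the gateway IP suddenly claimed by a different MAC, a victim IP re-bound
to another MAC, and one MAC claiming several IP addresses at once.
"""
import re
from collections import defaultdict

# Constructed sample: 192.168.1.1 is the gateway, 192.168.1.20 a victim,
# de:ad:be:ef:00:99 an attacker claiming both, then the real gateway
# answering again. The "time reply ip is-at mac" layout is invented.
ARP_EVENTS = """\
10:00:01 reply 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 reply 192.168.1.20 is-at 00:11:22:33:44:20
10:00:05 reply 192.168.1.1 is-at de:ad:be:ef:00:99
10:00:05 reply 192.168.1.20 is-at de:ad:be:ef:00:99
10:00:09 reply 192.168.1.1 is-at 00:11:22:33:44:01
"""

ARP_LINE = re.compile(r"^(\S+) reply (\S+) is-at ([0-9a-f:]{17})$")


def analyze_arp(events, gateway_ip):
    """Replay the ARP replies in order and return the alerts (dicts) raised."""
    bindings = {}                   # ip -> MAC that last claimed it
    ips_per_mac = defaultdict(set)  # mac -> every IP it has claimed
    alerts = []
    for line in events.splitlines():
        match = ARP_LINE.match(line.strip())
        if not match:
            continue                # ignore anything that is not an ARP reply
        ts, ip, mac = match.groups()
        previous = bindings.get(ip)
        if previous is not None and previous != mac:
            # A known binding moved to another MAC: the hallmark of
            # gratuitous-ARP poisoning (a legitimate NIC replacement looks
            # the same, which is for the operator to rule out).
            kind = "gateway-mac-changed" if ip == gateway_ip else "binding-changed"
            alerts.append({"time": ts, "kind": kind, "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        bindings[ip] = mac
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            # One station answering for several IPs: to sit in the middle the
            # attacker must claim both the gateway and the victim address.
            alerts.append({"time": ts, "kind": "mac-claims-multiple-ips",
                           "ip": ip, "mac": mac,
                           "claimed": sorted(ips_per_mac[mac])})
    return alerts


if __name__ == "__main__":
    for alert in analyze_arp(ARP_EVENTS, "192.168.1.1"):
        print(alert)
```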
Buffer overflow
Operating systems and software developers can create a special area in memory to temporarily store data while an application is running; this area is known as a buffer. A buffer is limited in the amount of data an application can store in it at any time, so software developers continually test their software or application to ensure data is being processed accurately and efficiently.
There are times when application/software developers do not properly test their applications, and sometimes a buffer overflow vulnerability may exist. In a buffer overflow, surplus data that cannot be stored in the buffer spills over onto reserved areas of memory that are not allocated for code execution. If an attacker is able to determine that an application is vulnerable to such a security weakness, malicious code can be injected into the buffer, causing it to overflow. The spilled code/data is the malicious code sent by the attacker; this code will then be executed in the reserved area of memory.
Attackers can create custom payloads to create backdoors on a victim's system and even set up a reverse shell/connection from the victim's machine back to the attacker.
In this section, you have learned about cyber-attacks and their characteristics. In the next section, we will cover the importance of implementing Authentication, Authorization, and Accounting (AAA) on a network.
Authentication, Authorization, and Accounting
Implementing AAA within a network is very important to ensure authorized persons can access a system or network. The appropriate privileges or user rights are granted to the user, and each action performed by the user is accounted for. Let's imagine your organization has multiple network devices such as switches, routers, and firewalls at various remote branches and at headquarters locations. Your team of IT professionals is responsible for ensuring the IT infrastructure of the organization is well maintained and operating efficiently. Since each IT professional may be required to log in to various network devices, a user account containing the appropriate privileges is required for each user.
Creating individual user accounts for each user for each device is a tedious and redundant task. Imagine a user has to change their password; this means the password for the user account has to be manually changed on each individual device the user can access. What if a user makes an unauthorized change on a device's configuration and causes a network outage? How can we determine when the change was made? Who made the change? On which device(s) was the change made? Using AAA can help us to better manage user accounts and their privileges and log all actions performed by a user for accountability and record keeping.
The issue with a system such as a computer or a device is it cannot recognize a trusted user the same way as humans can. As a simple example, you can identify a family member such as a sibling by simply looking at their face. Once you recognize the person, trust is established. However, a system is unable to do this. Therefore, computers identify a human user by simply checking their user account details—a username (identity) and password combination. To log in to a computer, you must provide a valid username and password. If the computer determines the user credentials are valid, the user is authenticated to the system and access is granted. Authentication is the process of verifying an account holder is able to use the account. Without authentication, anyone could access a system and perform any task, good or bad.
To authenticate yourself to a system, a user will need credentials to prove their identity. The following are examples of user credentials:
Something the user knows: This is a password, a PIN, or even a passphrase.
Something the user has: This can be a physical security token or a smart card.
Something you are: This is something such as your fingerprint, iris, or retina, or patterns on your body.
After a user has been authenticated on a system, the user is not able to perform any tasks or actions until the authorization phase is complete. Authorization is the process by which an authenticated user is granted or assigned privileges to access and modify resources on the system or network. To put it simply, authorization determines what a user can and cannot do on a system. Within an organization, there are many groups of users with various roles and responsibilities. Each person may not have the same role and tasks; therefore, each person should be granted only the privileges to complete the tasks based on their job description and nothing more.
Once a user has been granted the necessary privileges, logs are generated as a record of all of the actions performed by the user while he/she is logged in to the system. This is known as Accounting. Having logs for each user's actions on a network can help to determine who performed an action, which device was affected, and the time and date the action was completed.
Within an enterprise organization, an AAA server is usually deployed at a centralized location on the network. This server is used to centrally manage all user accounts, assign privileges, and log all user actions.
The following diagram shows an AAA server on a network:
Figure 11.22 – AAA server
In the preceding diagram, the network administrator wants to log in to the switch to make a configuration change. The switch prompts the user to provide a username and password. The user credentials are then sent to the AAA server to verify the identity of the user. The AAA server confirms the user's identity and applies user privileges. The information is sent back to the switch and the user is granted access. While the user is logged in, all actions are being logged on the AAA server for accountability.
There are currently two AAA protocols:
Remote Authentication Dial-in User Service (RADIUS): RADIUS is an AAA service that supports a multi-vendor environment and uses UDP port 1812 for authentication and UDP port 1813 for accounting. However, the communication between an AAA client and a RADIUS server is not completely encrypted. RADIUS encrypts only the password that is exchanged between the client and the server.
Terminal Access Controller Access-Control System+ (TACACS+): TACACS+ is a Cisco-proprietary AAA service that is similar to RADIUS but provides more flexibility. TACACS+ separates each AAA function into its own secure, encrypted communication between an AAA client and a TACACS+ server over TCP port 49.
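What "RADIUS encrypts only the password" means on the wire, as an added example that is not from the book: the RFC 2865 section 5.2 User-Password hiding algorithm, alongside an Access-Request attribute section in which User-Name still travels in cleartext. The shared secret, username and Request Authenticator below are constructed sample values.

```python
"""RADIUS User-Password hiding, RFC 2865 section 5.2 (added example).

The password is null-padded to 16-octet blocks and each block is XORed
with MD5(shared_secret + previous block), seeded with the 16-octet Request
Authenticator. Every other attribute of the Access-Request is sent as-is.
"""
import hashlib

BLOCK = 16  # MD5 digest size; the password is processed in 16-octet chunks


def hide_radius_password(password, shared_secret, authenticator):
    """Client side: return the hidden User-Password value.

    With p1..pn the padded password blocks: c1 = p1 XOR MD5(S + RA) and
    c(i) = p(i) XOR MD5(S + c(i-1)).
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(shared_secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        hidden += chunk
        prev = chunk                  # chaining: the next key uses this ciphertext
    return bytes(hidden)


def reveal_radius_password(hidden, shared_secret, authenticator):
    """Server side: invert the hiding; the null padding is stripped."""
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        chunk = hidden[i:i + BLOCK]
        keystream = hashlib.md5(shared_secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(plain).rstrip(b"\x00")


def _avp(attr_type, value):
    """Encode one RADIUS attribute: Type (1 octet), Length (1 octet), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request_attrs(username, password, shared_secret, authenticator):
    """Attribute section of an Access-Request: User-Name (type 1) is sent
    in cleartext, so anyone capturing the UDP datagram reads it; only
    User-Password (type 2) is hidden."""
    return (_avp(1, username.encode())
            + _avp(2, hide_radius_password(password, shared_secret, authenticator)))


if __name__ == "__main__":
    # Constructed sample values; a real client draws the authenticator at random.
    ra = bytes(range(16))
    attrs = build_access_request_attrs("admin", b"Cisco123!", b"aaa-secret", ra)
    print(attrs.hex())
    print(reveal_radius_password(attrs[9:], b"aaa-secret", ra))
```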
Important note
In the Cisco world, the Cisco Identity Services Engine (ISE) security appliance is used as an AAA server.
In the next section, you will learn how to implement AAA in a Cisco environment to provide authentication for an administrator to remotely connect and manage a network device.
Lab – Implementing AAA
In this lab, you'll learn how to implement AAA within a Cisco environment between a Cisco 2911 router and an AAA server using the TACACS+ protocol. For this lab, we will be using the following topology within Cisco Packet Tracer:
Figure 11.23 – AAA lab topology
Configure the following IP scheme on each device within the topology:
Figure 11.24 – IP scheme
Now that your lab is ready, use the following instructions to implement AAA:
1. On the server, enable the AAA Service, configure the client information (Client Name: R1, Client IP: 192.168.1.1, Secret: aaa-secret, and Server Type: Tacacs), and configure a user account for remote access from the PC to the router:
Figure 11.25 – AAA server configurations
2. Next, enable the new AAA features on the router using the following command:
R1(config)#aaa new-model
3. Specify the TACACS server and the secret key on the router:
R1(config)#tacacs-server host 192.168.1.5 key aaa-secret
4. Create an AAA method list (AAA-Login) for authentication (login) using the server group (group) running TACACS+:
R1(config)#aaa authentication login AAA-Login group tacacs+
5. Apply the method list (AAA-Login) to the Virtual Terminal (VTY) lines on the router:
R1(config)#line vty 0 15
R1(config-line)#login authentication AAA-Login
R1(config-line)#exit
6. On the PC, click the Desktop tab, open the Telnet/SSH Client, and connect to the router using Telnet:
Figure 11.26 – Telnet/SSH Client
7. Once you're logged in, enter the user credentials to test the AAA service between the router and the AAA server:
Figure 11.27 – AAA service
As shown in the preceding screenshot, the AAA service works between the router and the AAA server. Having completed this lab, you have gained the essential skills in deploying AAA on a Cisco network for authentication using Telnet.
Elements of a security program
Often when designing a secure network, we forget to train all users within the organization on cybersecurity awareness. Not all corporate users are able to identify threats and attacks or perhaps understand what procedures should be taken if their computer gets infected with a virus. Therefore, it's important to design a proper security program to train all users within the organization.
User awareness is a key factor of any security program. This element teaches a user about the importance of confidentiality to keep data safe and secure it from unauthorized persons. Users should be taught about potential threats and attacks and procedures on how to report a security incident within the organization.
Continual user training is important to make sure each user is made aware of any updates to the security training program and to ensure they are familiar with the security policies and procedures within the organization.
Physical access control should be made mandatory in restricted areas of the organization, such as access to data centers, network closets, and any other areas unauthorized persons are not allowed.
Wireshark 101
Wireshark is one of the most popular network protocol analyzers and sniffers within the networking and cybersecurity industry. This tool allows a network engineer to dissect each message and determine whether it's a frame or packet as it passes through a network, hence allowing network engineers and cybersecurity professionals to perform various tasks such as packet analysis and network forensics.
Tip
To download Wireshark, please visit the URL: https://www.wireshark.org/.
Furthermore, Wireshark allows you to see all the details contained within a message, such as source and destination IP addresses, MAC addresses, and Transport layer information such as ports and protocols. Such information is very useful whether you're troubleshooting an issue on the network or looking for any abnormal behavior in network traffic.
The following is a brief list of how-tos with Wireshark:
To capture network packets between your computer and their destination, simply open Wireshark and double-click on the interface on which you wish to capture network packets:
Figure 11.28 – Wireshark interfaces
Each interface will show an active flow of traffic to indicate which interfaces are sending and receiving data. After double-clicking an interface, Wireshark will begin populating its user interface with real-time traffic details.
By default, Wireshark will display IP addresses and port numbers in numerical format. To allow Wireshark to resolve public IP addresses to hostnames and port numbers to service names, click Edit | Preferences and enable the options shown in the following screenshot:
Figure 11.29 – Name resolution in Wireshark
To display traffic from a specific source, use the ip.src == <ip address> display filter, as shown in the following screenshot:
Figure 11.30 – Source IP address display filter
Additionally, you can right-click on a source IP address in the Source column, then choose Apply as Filter | Selected to automatically create a display filter, as shown in the following screenshot:
Figure 11.31 – Automatic display filters
To display traffic between a specific source and destination, use the (ip.src == <ip address>) && (ip.dst == <ip address>) display filter shown in the following screenshot:
Figure 11.32 – Source and Destination display filter
Tip
To learn more about Wireshark display filters, please see the URL: https://wiki.wireshark.org/DisplayFilters.
To view a summary of all network conversations between all devices, click Statistics | Conversations, as shown in the following screenshot:
Figure 11.33 – Network conversations
This window will provide you with various tabs such as Ethernet, IPv4, IPv6, TCP, and UDP, which will allow you to view specific types of traffic based on Layer 2, Layer 3, or Layer 4 details.
Important note
To discover the full potential of Wireshark, be sure to check out the book Learn Wireshark, by Lisa Bock, published by Packt Publishing, at the URL: https://www.packtpub.com/networking-and-servers/learn-wireshark-fundamentals-wireshark.
In the next section, you will learn how to use Wireshark to export objects from a packet capture.
Lab – Analyzing packets
In this lab, you will learn the fundamentals of getting started with Wireshark.
To begin, use the following instructions:
1. Go to https://www.wireshark.org/, and download and install Wireshark on your computer.
2. Go to https://wiki.wireshark.org/SampleCaptures, download the http_with_jpegs.cap.gz file, and open it with Wireshark. Once the capture is loaded, you can see each packet and its details.
3. Double-click on the first packet to view the contents:
Figure 11.34 – Packet details
Here, you can see all of the specific details about this packet such as the source and destination MAC addresses, source and destination IP addresses, and the transport layer protocol and port numbers being used.
4. To see a list of all of the conversations that happened during this capture, click on Statistics | Conversations:
Figure 11.35 – Network conversations
Each tab will provide you with details about the transactions between all devices via their MAC addresses (Ethernet), IPv4 and IPv6 addresses, and TCP and UDP port numbers.
5. During a capture, Wireshark is also capturing all files and data being sent across the network. To see a list of all files that were either uploaded or downloaded during the capture, click on File | Export Objects | HTTP:
Figure 11.36 – Viewing files with Wireshark
The preceding screenshot shows a list of files, their source of origin, file type, size, and filename.
6. To export a file onto your desktop, click on a file (packet 72) and click Save. Once the file has been saved, you can view it locally on your system. Additionally, the Save All option will automatically export all files to your local computer.
Having completed this section, you have learned how to view all conversations on a network, export files that were transmitted between a source and destination, and see full details within a packet.
Summary
In this chapter, you have learned about the importance of information security and the need to protect all assets within an organization. We have covered the various types of threats, vulnerabilities, and attacks. Furthermore, we've discussed the importance of implementing AAA within an organization to help manage user access on a corporate network.
I hope this chapter has been informative for you and is helpful in your journey toward learning how to implement and administer Cisco solutions and prepare for the CCNA 200-301 certification. In the next chapter, Configuring Device Access Controls and VPNs, you will learn how to secure your network devices and learn about Virtual Private Networks (VPNs).
Questions
The following is a short list of review questions to help to reinforce your learning and identify which areas you might need to work on:
1. Which of the following is an example of an intangible asset?
A. Computer
B. Operation procedures
C. Customer
D. Employee
2. Ensuring a message is not altered during transmission between a source and destination is referred to as which of the following?
A. Hashing
B. Confidentiality
C. Integrity
D. Availability
3. Which of the following best describes a person who doesn't fully understand how to perform hacking techniques but follows the instructions given by real hackers?
A. Hobbyist
B. Disgruntled employee
C. Insider threat
D. Script kiddie
4. A hacker is attempting to trick people into clicking a malicious link with a text message. What type of attack is this?
A. Smishing
B. Vishing
C. Phishing
D. Spear phishing
5. An attacker decided to compromise a DNS server to redirect all users to a malicious domain in the hope the unsuspecting user enters their user credentials on the fake website. What is the name of this attack?
A. Whaling
B. Spear phishing
C. Pharming
D. Hoax
6. Which type of malware encrypts all the data on your local drive and asks for money?
A. Worm
B. Trojan Horse
C. RAT
D. Ransomware
7. An attacker is attempting to prevent users from accessing a website on the internet. Which type of attack will the attacker most likely use?
A. Virus
B. DoS
C. RAT
D. Worm
8. Which AAA protocol works on all vendor equipment?
A. RADIUS
B. TACACS+
C. aaa new-model
D. Kerberos
9. Which command enables the new AAA features on a Cisco device?
A. aaa-new features
B. aaa-new model
C. aaa new-model
D. new-model aaa
10. How can a user improve the management of their passwords?
A. Use the same password on all user accounts.
B. Use easy-to-remember passwords.
C. Write the passwords on paper notes and store them away.
D. Use a password manager.
Further reading
The following links are recommended for additional reading:
Types of malware: https://www.cisco.com/c/en/us/products/security/advanced-malware-protection/what-is-malware.html
Configuring AAA: https://www.cisco.com/c/en/us/td/docs/routers/connectedgrid/cgr1000/1_0/software/configuration/guide/security/security_Book/sec_aaa_cgr1000.html
Wireshark user's guide: https://www.wireshark.org/docs/wsug_html/
Chapter 12: Configuring Device Access Control and VPNs
A key topic within the field of Information Technology (IT) is ensuring secure configurations are always applied to our devices. Secure configurations help to ensure unauthorized persons are not granted access to a device due to a device's misconfiguration. Quite often, hackers can gain access to companies' perimeter devices such as routers and firewalls simply by guessing the required password, and at times, device administrators use default configurations and default user accounts. Sometimes, administrative access is not securely configured, and attackers are able to access devices and perform malicious actions. Ensuring secure access to networking devices should be a top priority for all IT professionals.
In this chapter, you will learn how to secure your networking devices to prevent unauthorized access by implementing secure configuration best practices. Furthermore, you will discover and learn about the importance of using Virtual Private Networks (VPNs) to establish secure communication between remote offices and remote workers.
In this chapter, we will cover the following topics:
Device access control
VPNs
Technical requirements
To follow along with the exercises in this chapter, please ensure you have the Cisco Packet Tracer application installed on your computer.
Check out the following video to see the Code in Action: https://bit.ly/2RSWn0m
Device access control
We are always excited to configure our networking devices so that we can forward traffic efficiently either on a local network or between subnets. It's always a fascinating experience to design an efficient and robust network for your organization or customer. However, our networking devices have important and confidential information stored on them, such as the device's configurations, routing protocols, and network routes; MAC addresses; and even Syslog information. If an attacker or unauthorized person is able to successfully access your network devices, that person can perform a lot of malicious actions, such as reconfiguring your network routes to forward traffic along another path, erasing the Cisco IOS image and the device's configurations, adjusting Spanning-Tree paths, and so on.
In this section, we will focus on securing physical, remote, and administrative access to your Cisco devices.
Securing console access
When you acquire a new Cisco IOS device, a console cable is usually provided in the box. This cable allows you to connect your computer to the console port of a Cisco device for the purpose of device management. By default, no security is applied to this interface. Anyone who has physical access to your network devices and a console cable on hand will be able to access your Cisco switches, routers, firewalls, and even the Access Points (APs), allowing the person to make unauthorized changes to these components. Securing the console port on all Cisco devices is mandatory to ensure an unauthorized person is not able to physically access the device.
Lab – Securing the console port
In this hands-on lab, you will learn how to secure and enable authenticated access to the console port of a Cisco IOS router. For this lab, we will be using the following network topology within Cisco Packet Tracer:
Figure 12.1 – Console lab topology
Please ensure you follow these guidelines when creating this lab to ensure you get the same results:
Use a Cisco 2911 router on this topology.
Use a console cable between PC1 and the router.
Ensure the console cable is connected to the RS-232 interface on PC1 and that the other end is connected to the console port on the router.
Now that your Cisco lab is ready, use the following instructions to understand the default configurations on the console port and how to secure physical access to it:
1. Click on PC1, select the Desktop tab, and click on Terminal:
Figure 12.2 – Accessing the Terminal on Cisco Packet Tracer
In a production environment, you will need to use a terminal emulation application such as PuTTY, SecureCRT, or Tera Term to interface with a Cisco device over a console connection.
2. Ensure the following parameters are set on the Terminal application and click OK to establish a session:
Figure 12.3 – Terminal settings
The settings shown in the preceding screenshot are used to ensure the PC's serial interface matches the settings on the console port of the Cisco device.
3. The initial system configuration dialog will appear. Type no and hit Enter twice:
Figure 12.4 – Terminal connection
Notice that you have gained access to User Exec mode on the router without any prompt to authenticate yourself to the device. This is the default setting on the console port; there is no authentication.
4. Use the show users command to verify the method you are currently using to access the router:
Figure 12.5 – Verifying access
The asterisk (*) indicates the current method you are using to access the device. To put it simply, we are currently accessing the router via its console interface.
5. In User Exec mode, the user has the least privileges and can perform the fewest actions. Use the show privilege command to verify the privilege level:
Figure 12.6 – Checking user privilege in User Exec mode
Privilege levels range from 1-15. A user with privilege level 1 access is not able to perform or execute many actions compared to a user with privilege level 15 access, who has full administrative rights to perform any action on the device.
Important Note
Additional information on the Cisco IOS privilege levels can be found at https://www.cisco.com/c/en/us/td/docs/ios/sec_user_services/configuration/guide/12_4/sec_securing_user_services_12-4_book/sec_cfg_sec_4cli.html#wp1054522.
6. Access Privilege Exec mode using the enable command, then use the show running-config command to verify the configurations on the console line:
Figure 12.7 – Checking the configurations
As shown here, there are no configurations on the console port. Therefore, anyone is able to access the device via this interface.
7. Let's apply a password and enable authentication on the console port:
Figure 12.8 – Securing the console port
The line console 0 command was used to access the console line mode, the password command was used to set the password, and the login command was used to enable user authentication on the console port. Without the login command, any unauthenticated user can access the device.
8. Upon re-establishing a console connection between PC1 and the router, the Cisco IOS will provide an authentication prompt, as follows. The password that's been configured under the console line is consolepass:
Figure 12.9 – Verifying console authentication
9. Lastly, we can use the show running-config command to verify that the configuration has been updated on the console port:
Figure 12.10 – Verifying console configurations
In this lab, you have gained the skills to both secure and verify physical access to a Cisco IOS device via its console port.
Securing an AUX line
On older, legacy Cisco devices, you would find an auxiliary (AUX) port. This interface was used to connect a modem that allows a user to remotely access a Cisco router over a command-line interface (CLI) session. By default, the AUX port is not secure and allows unauthenticated access.
Lab – Securing the AUX port
In this hands-on lab, you will learn how to secure and enable authenticated access to the AUX port of a Cisco IOS router. For this lab, we will be using the following network topology within Cisco Packet Tracer:
Figure 12.11 – AUX line topology
Please ensure you use the following guidelines when creating this lab to ensure you get the same results:
This topology is an extension of the previous lab exercise; that is, Securing the console port.
Simply add an additional PC2 to the topology.
Use a console cable between PC2 and the AUX port on the router.
Now that your Cisco lab is ready, use the following instructions to understand the default configurations on the AUX port and how to secure physical access to it:
1. On PC2, open a Terminal connection to the router via its AUX port. Press Enter a couple of times to see the CLI prompt.
2. Use the show users command to verify the method and interface being used to access the router:
Figure 12.12 – AUX connection
As shown here, the router indicates that the current connection is being made via the AUX port. Additionally, you gain unauthenticated access to User Exec mode. This means no security is applied to the AUX port by default.
3. Let's use the enable command to go into Privilege Exec mode to verify the configurations under the AUX line:
Figure 12.13 – Access restricted to Privilege Exec mode
By default, access is restricted to Privilege Exec mode via the AUX port, but only if no password has been configured for Privilege Exec mode.
4. To secure the AUX port, open a Terminal on PC1 to the router via the console port.
5. Use the following commands to access the AUX line, configure a password, and enable authentication:
Router(config)#line aux 0
Router(config-line)#password auxpass
Router(config-line)#login
Router(config-line)#exit
6. Upon re-establishing an AUX session between PC2 and the router, a user authentication prompt will be presented:
Figure 12.14 – Verifying AUX authentication
7. Lastly, use the show running-config command to verify that the configurations are present under the aux line, as shown here:
Figure 12.15 – AUX configurations
In this lab, you have gained the skills to both secure and verify access to a Cisco IOS device via its AUX interface.
VTY line access
On a Cisco IOS router or switch, there are 16 virtual terminal (VTY) lines ranging from 0–15. These VTY lines allow a network engineer to remotely connect to the device for management. As a network engineer, you don't always have physical access to the network components, as they may be deployed at a remote location such as another branch office or at a customer's site. Furthermore, these VTY lines also support outgoing connections to other Cisco devices. VTY lines allow both inbound and outbound Telnet and SSH sessions.
Telnet is a network protocol that allows you to establish a remote terminal session between a client and a server. On a Cisco device, there's a built-in Telnet server that allows network engineers to remotely connect to and perform remote administration on the device. However, Telnet is an unsecured protocol and transfers all data in plaintext. Due to this security vulnerability within the protocol, it's highly recommended to not use Telnet for anything, as an attacker could capture the data between the client and server.
Important Note
Telnet operates on port 23 by default.
Since Telnet contains this vulnerability, Secure Shell (SSH) is the preferred protocol for remote terminal access on a network. SSH provides data encryption for all the messages between the client and the server. Additionally, a user must provide their identity details, such as a username and password, to be authenticated to the SSH server. This feature adds improved security compared to Telnet.
Important Note
SSH operates on port 22 by default.
Lab – Configuring Telnet on a Cisco router
In this hands-on lab, you will learn how to configure Telnet access on a Cisco IOS router. For this lab, we will be using the following network topology:
Figure 12.16 – Telnet lab topology
Please ensure you use the following guidelines when creating this lab to ensure you get the same results:
Use a Cisco 2911 router and a Cisco 2960 switch.
Ensure you configure the IP addresses and subnet mask accordingly.
Ensure PC1 can ping the router.
Now that your Cisco lab is ready, use the following instructions to configure Telnet for remote access from the PC to the router:
1. Access the console of the router and use the show running-config command to verify the Telnet settings on the VTY lines:
Figure 12.17 – VTY default configuration
On VTY lines 0-4, Telnet is enabled by default and authentication is also enabled. However, if we try to access the router remotely using Telnet, the connection will automatically terminate simply because no password has been set on the VTY lines.
2. To configure Telnet on all 16 VTY lines on the router, use the following configurations:
Router(config)#line vty 0 15
Router(config-line)#password telnetpass
Router(config-line)#login
Router(config-line)#exit
The login command is not required in this instance as it's already there from the default configurations; however, it's good practice to still explicitly enable authentication on the VTY lines.
3. Use the show running-config command once more to verify the configurations are present under the VTY lines:
Figure 12.18 – Verifying Telnet configurations
4. To test the Telnet connection, open Telnet/SSH Client on the Desktop tab on PC1:
Figure 12.19 – Telnet client
5. Change Connection Type to Telnet, set the router's IP address, and click Connect:
Figure 12.20 – Telnet client settings
6. You'll be prompted for a password. Use the Telnet password (telnetpass) we have assigned under the VTY lines:
Figure 12.21 – Telnet connection
Since the authentication prompt was present, this is an indication that Telnet was enabled on the router. Additionally, the show users command verifies that the current connection to the router is via the VTY line from 192.168.1.10 (PC1).
Having completed this lab, you have gained hands-on experience with enabling Telnet on a Cisco IOS device. In the next lab, you will learn how to configure SSH for remote access.
Lab – Enabling SSH on a Cisco IOS device
In this hands-on lab, you will learn how to configure SSH access on a Cisco IOS router. For this lab, we will be using the following network topology:
Figure 12.22 – SSH lab topology
Please note that this lab is simply an extension of the previous exercise; you do not need to rebuild the network. Now that your Cisco lab is ready, use the following instructions to configure SSH for remote access from the PC to the router:
1. Change the default hostname on the router:
Router(config)#hostname R1
2. Join the device to a domain:
R1(config)#ip domain-name ccnalab.local
3. Create a local user account for the SSH user:
R1(config)#username user1 secret sshpass
4. Generate RSA encryption keys and set the key size to 1024:
R1(config)#crypto key generate rsa general-keys modulus 1024
5. Enable SSH version 2 to improve security:
R1(config)#ip ssh version 2
By default, SSHv1 is enabled.
6. Configure VTY lines 0-15 so that they only accept SSH connections (this disables Telnet):
R1(config)#line vty 0 15
R1(config-line)#transport input ssh
7. Configure the VTY lines to query the local user database for authentication:
R1(config-line)#login local
8. Since Telnet is disabled and the local database will be used for user authentication, remove the password under the VTY lines:
R1(config-line)#no password
9. Configure an inactivity timeout for idle sessions on the VTY lines. Let's use 2 minutes:
R1(config-line)#exec-timeout 2
10. To test SSH, head on over to PC1 and open Telnet/SSH Client.
11. Set Connection Type to SSH, specify the IP address of the router, and use the username from the user account, as shown here:
Figure 12.23 – SSH client configurations
12. You will receive an authentication prompt asking for a password (the username was already specified on the SSH client). Simply enter the password for the account and hit Enter:
Figure 12.24 – SSH session
As shown in the preceding screenshot, we are connected to the router on VTY line 0 with the user1 account.
13. Additionally, the show ip ssh command verifies the SSH version, the authentication time value, and the number of authentication retries, as shown here:
Figure 12.25 – Verifying SSH details
Furthermore, show ssh verifies the current SSH sessions and users. The ip ssh time-out seconds command allows you to modify the default SSH timeout values, while the ip ssh authentication-retries number command allows you to change the authentication retry value.
Important Note
The login block-for seconds attempts tries within seconds command is used to disable user login after a specified number of failed authentication attempts within a specific time interval.
By completing this lab, you have gained hands-on experience with configuring and enabling SSH for remote access on a Cisco IOS router.
Securing Privilege Exec mode
By now, you may have noticed that once someone is able to access Privilege Exec mode, the user is able to gather sensitive and confidential information about the network and the device. Furthermore, a user can escalate their privileges to Global Config mode, where the user is able to apply configurations and make modifications to the device. This creates a security risk.
Important Note
The secure boot-image command prevents a user from either purposely or accidentally deleting the Cisco IOS image, while the secure boot-config command is used to protect the running configurations.
The Cisco IOS has many security features built into it that enable us to prevent unauthorized access. One such feature is preventing unauthorized access specifically to Privilege Exec mode. One method is to use the enable password <mypassword> command to restrict access to Privilege Exec mode.
Important Note
The auto secure command is used to initialize the Cisco IOS lockdown feature on the device.
The following is an example of using the enable password command with a password of cisco123:
R1(config)#enable password cisco123
Once this configuration is applied, each time a user moves from User Exec mode to Privilege Exec mode, the Cisco IOS will prompt the user to authenticate before proceeding. The downside of using the enable password command is that it does not provide any encryption of the actual password. If a user can access the running-config or startup-config files, the password is visible in plaintext, as shown here:
Figure 12.26 – Enable password in plaintext
Due to this security vulnerability, Cisco has implemented a secure version of the enable password command. This improved method uses the enable secret command, which hashes the password by default using the Message Digest 5 (MD5) hashing algorithm.
The following is an example of securing access to Privilege Exec mode using the enable secret command, followed by cisco456, which is the password:
R1(config)#enable secret cisco456
The following snippet shows that the password has been encrypted within the running-config file:
Figure 12.27 – The enable secret command
Cisco uses a numerical value to indicate the type of password stored within running-config and startup-config. The following are various password types on Cisco IOS devices:
enable password: Plaintext password, encoding Type 0.
enable secret: MD5 algorithm used to hash the password, encoding Type 5.
Since the device has been configured with both enable password and enable secret, which password will be accepted by the Cisco IOS? The simple answer is that it will always be the stronger password, which is the one that's applied using the enable secret command. Since the stronger password will be used by the device, enable password is now obsolete and should be removed. Using the Global Config command no enable password will remove enable password from the device's running-config file, as shown here:
Figure 12.28 – Removing enable password
Over the years, security researchers and hackers have been able to compromise the MD5 hashing algorithm. This means an attacker has been able to reverse the MD5 hash value of the password and retrieve the actual password. In light of this security vulnerability, Cisco has implemented a more secure hashing algorithm known as SCRYPT.
The following snippet shows the command that's used to create a secure password using SCRYPT on a Cisco IOS device:
Figure 12.29 – Enabling SCRYPT on Cisco devices
SCRYPT is more secure than MD5; it is stored with an encoding of Type 9 and is built on the SHA256 hashing algorithm. The following snippet shows that the SCRYPT hash is a lot longer than the enable secret MD5 hash:
Figure 12.30 – Type 9 encoding
When configuring access to Privilege Exec mode, ensure you use the most secure method available on the device. Some devices may not support SCRYPT. In this situation, enable secret will be the more secure option compared to enable password, which does not provide any encryption.
Encrypting all plaintext passwords
Within some modes on the Cisco IOS, we are not able to configure secure passwords, such as line console 0, line aux 0, and even the VTY lines. Within these modes, the only command that allows us to create and set a password is the password command. From our discussions in the previous sections of this chapter, you have learned that the password command does not encrypt the passwords stored within the device's configuration.
The following snippet shows how passwords are stored when the password command is used:
Figure 12.31 – Plaintext passwords
Additionally, within the Cisco IOS, there are other modes and configurations that require a password to be configured but only support the password command.
A simple example is configuring the Point-to-Point Protocol (PPP) using the Password Authentication Protocol (PAP) on a Wide Area Network (WAN). The Cisco IOS configurations require a password to be sent across the WAN link to authenticate both routers before establishing the WAN connection. In PAP authentication, only the password command is available. This means the password is stored in plaintext on the router.
On a Cisco IOS device, the service password-encryption command is applied in Global Config mode to encrypt all plaintext passwords. Once this command has been applied to a device, all the passwords that have been configured in plaintext will automatically be encrypted. The following is an example of using this command on a Cisco IOS router:
R1(config)#service password-encryption
The following snippet shows that the passwords under the console (con) and auxiliary (aux) lines are now encrypted:
Figure 12.32 – The service password-encryption command
Password encoding Type 7 is not strong encryption on a device. This type of encryption can easily be broken by an attacker. However, this is the only form of encryption for plaintext passwords on a Cisco IOS device at this time.
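To tie together the console, AUX, VTY, SSH, enable secret and service password-encryption checks from the preceding sections, here is an added Python example (not from the book) that audits an IOS running-config for the weaknesses this chapter describes. Both configurations it inspects are constructed for the example; the hash values in the hardened one are placeholders.

```python
"""Audit a Cisco IOS running-config for the access-control weaknesses covered in this chapter."""

# Constructed running-config of an unhardened router (not captured from a real device).
WEAK_CONFIG = """\
enable password cisco123
username user1 password 0 sshpass
line con 0
 password consolepass
 login
line aux 0
 password auxpass
line vty 0 4
 password telnetpass
 login
 transport input telnet
line vty 5 15
 login
 transport input telnet
"""

# Constructed hardened configuration of the same router; the hash values are placeholders.
HARDENED_CONFIG = """\
service password-encryption
enable secret 9 $9$PLACEHOLDER-SCRYPT-HASH
ip ssh version 2
username user1 secret 5 $1$PLACEHOLDER-MD5-HASH
line con 0
 password 7 PLACEHOLDER-TYPE7
 login
 exec-timeout 5 0
line aux 0
 password 7 PLACEHOLDER-TYPE7
 login
 exec-timeout 5 0
line vty 0 15
 exec-timeout 2 0
 login local
 transport input ssh
"""

def parse_sections(config):
    """Split a config into global commands and the sub-commands of each 'line ...' section."""
    globals_, sections, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:  # sub-command of the line section being read
                sections[current].append(cmd)
        elif cmd.startswith("line "):
            current = cmd
            sections.setdefault(current, [])
        else:
            current = None  # any other global command ends the current line section
            globals_.append(cmd)
    return globals_, sections

def password_type(cmd):
    """IOS encoding type of a password/secret command: '0' plaintext, '5' MD5, '7' weak, '9' scrypt."""
    parts = cmd.split()
    for key in ("password", "secret"):
        if key in parts:
            rest = parts[parts.index(key) + 1:]
            # 'password 7 <hash>' carries an explicit type; a bare 'password <text>' is Type 0.
            return rest[0] if len(rest) == 2 and rest[0].isdigit() else "0"
    return None

def audit(config):
    """Return findings for the weaknesses this chapter discusses; an empty list means none found."""
    findings = []
    globals_, sections = parse_sections(config)
    if any(g.startswith("enable password") for g in globals_):
        findings.append("enable password is set: stored as Type 0 (or weak Type 7), use enable secret instead")
    if not any(g.startswith("enable secret") for g in globals_):
        findings.append("no enable secret: Privilege Exec mode is not protected by a hashed password")
    for g in globals_:
        if g.startswith("enable secret") and password_type(g) == "5":
            findings.append("enable secret uses MD5 (Type 5): use Type 9 (scrypt) where the IOS supports it")
        if g.startswith("username") and password_type(g) == "0":
            findings.append(f"{g.split()[1]}: local user stored with a Type 0 password, use 'secret' instead")
    if "service password-encryption" not in globals_:
        findings.append("service password-encryption is off: line passwords appear in plaintext")
    if "ip ssh version 2" not in globals_:
        findings.append("ip ssh version 2 is not set: SSHv1 is still accepted")
    for header, cmds in sections.items():
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"{header}: no 'login', the line grants unauthenticated access")
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"{header}: no exec-timeout, idle sessions never expire")
        if any(c.startswith("password") and password_type(c) == "0" for c in cmds):
            findings.append(f"{header}: Type 0 (plaintext) line password")
        if header.startswith("line vty"):
            # The chapter notes Telnet is on by default for the VTY lines, so a missing
            # 'transport input' is treated as permitting it.
            transport = next((c for c in cmds if c.startswith("transport input")), "transport input all")
            if "telnet" in transport or "all" in transport:
                findings.append(f"{header}: '{transport}' permits Telnet, which sends credentials in cleartext")
    return findings
```

Running audit() over the weak configuration lists fifteen findings, one per missing or plaintext control; the hardened configuration produces none.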
Virtual Private Networks
Let's imagine you've started a business where you provide products and services to your potential customers. You begin by opening a single physical location and hiring staff to help run your company and ensure day-to-day transactions are conducted efficiently. After some time, you realize the business needs to expand in order to provide more support and services to customers who are located within another country. Due to this, you have decided that another branch office is better suited to meet the demands at the new location. However, one concern is how the employees at the new remote location will access the resources at the main building in your home country.
There are a few solutions to this issue. One method is to replicate the IT infrastructure of the home branch at the new remote branch, but this will be a bit costly, as the new branch only requires a few employees and having a dedicated IT team is not necessary. Another solution may be to set up a WAN via your local Internet Service Provider (ISP) to extend your local area network from your main office over to the remote branch. Having a dedicated WAN connection will ensure both offices will be able to interconnect and share network resources. However, the downside of having a WAN service is its subscription fees, which are payable to the service provider. The cost of a dedicated WAN service may not be within your budget, and perhaps an alternative solution may be required.
Another solution is to create a Virtual Private Network (VPN) between the two offices. A VPN creates an encrypted tunnel between two or more devices over an unsecured network such as the internet. This means all traffic that is sent through the VPN tunnel will be encrypted and kept confidential from hackers on a network or the internet.
The following are the benefits of using a VPN:
Using a VPN will save you money as it's free.
VPNs provide security for all your traffic that is sent across the VPN tunnel.
A VPN supports scalability, so more remote sites and users can connect to the corporate network securely.
Since many organizations already have a firewall at their network perimeter, and most firewalls already have built-in support for VPN capabilities in their operating systems, you don't need to purchase additional components or devices. Since a VPN encrypts all traffic sent across its tunnel, you don't have to worry about whether a hacker is intercepting and reading your data. Data encryption provides an extra layer of security as the traffic is passing through the internet. Additionally, VPNs use authentication protocols to ensure your data is protected from unauthorized access while it's being sent to the destination. VPNs allow two or more branch networks and users to establish a secure connection over the internet to the corporate network.
Since VPNs can be used over the internet, this makes it very simple to add new remote workers without having to expand the infrastructure of the service. To put it simply, once a user has access to the internet, they can access the corporate network using a VPN connection.
In the next section, you will learn about a type of VPN that allows you to connect remote branch networks together over the internet.
Site-to-Site VPNs
One challenge many organizations experience is ensuring all their remote branch offices are always connected to their corporate headquarters' location. This is simply because most resources, such as application servers, are centrally stored at the main office. As we mentioned previously, there are many different types of WAN solutions from various ISPs, such as Metro Ethernet (MetroE) and Multiprotocol Label Switching (MPLS) solutions.
Important Note
To learn about the essentials of MPLS, please see the following URL: https://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/4649-mpls-faq-4649.html. To learn more about Metro Ethernet, see the following link: https://www.cisco.com/c/dam/global/fr_ca/training-events/pdfs/Deploying_Metro_Ethernet.pdf.
However, these solutions are subscription-based services, and a customer may not have the required budget or may be looking for an alternative solution.
Important Note
An Internet Service Provider can use MPLS to create Layer 2 or Layer 3 virtual paths between sites. On a Layer 2 MPLS VPN, the ISP is not responsible for routing the customer's traffic; instead, the ISP implements a Virtual Private LAN Service (VPLS) to emulate Ethernet over the MPLS network. On a Layer 3 MPLS VPN, the customer and the ISP routers are peered, and the customer's routes are redistributed via the MPLS network to the customer's remote sites.
A simple solution is to create a Site-to-Site VPN between the HQ location and the branch office. Since both locations will already have an internet connection, there is no need to purchase any additional services from your local ISP. However, each location will require a VPN concentrator device for both establishing and terminating the VPN tunnel. A VPN concentrator is a router or firewall with the capability of establishing a VPN connection between itself and a VPN client or another VPN concentrator.
The following diagram shows two branch networks interconnected using a Site-to-Site VPN:
Figure 12.33 – Site-to-Site VPN
As shown in the preceding diagram, the VPN tunnel is established between the two firewalls only. Therefore, traffic between the remote branch and HQ networks will be sent across the VPN tunnel and all data will be encrypted by the firewalls. Keep in mind that traffic within each LAN will not be encrypted; only the traffic that is passing through the VPN tunnel will.
This type of VPN allows an organization to reduce its expenditure on connecting remote sites and to use its existing infrastructure and devices. Additionally, a Site-to-Site VPN can be used as a redundant connection between branch offices.
Remote access VPNs
There are many employees who work remotely at home or who are mostly in the field, away from the office. They may need to access resources on the corporate network, and going into the office to retrieve or access such resources may not be convenient. A simple solution is to deploy a remote access VPN, which allows remote workers to establish a VPN tunnel between their device, such as a computer, and the corporate network through the internet.
The following diagram shows the VPN tunnel between a remote worker's PC and the corporate network:
Figure 12.34 – Remote access VPN
With a remote access VPN, a VPN client such as Cisco AnyConnect Secure Mobility Client must be installed on the remote worker's device. When the remote worker must access a resource at the HQ network, the VPN client is used to establish a secure tunnel between the device and the VPN concentrator, such as a firewall or router at the corporate site.
The firewall administrator can configure the remote access VPN for users in one of the following modes:
Full Tunnel
Split Tunnel
In Full Tunnel mode, all traffic that must go out to the internet from the client's PC will be sent across the VPN tunnel to the VPN concentrator, where it will be sent out to the internet. All returning traffic will take the same path back to the client's PC.
In Split Tunnel mode, only traffic with the corporate network as its destination will be encrypted and sent across the VPN tunnel. Traffic that has the internet as its destination will not be sent via the VPN tunnel but rather directly out to the internet from the user's PC. This mode creates less overhead on the VPN tunnel and reduces the CPU and RAM consumption on the VPN concentrator.
Another type of VPN connection is a clientless VPN. With a clientless VPN, there is no need to install a VPN client on the user's machine. Instead, the connection between the client's web browser and the VPN concentrator is encrypted and secured using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption over HTTPS. Keep in mind that only the traffic between the web browser and the VPN concentrator is encrypted; all other traffic is not.
IPsec
Internet Protocol security (IPsec) is a framework that simply defines how VPNs can be secured over an IP-based network. The following are the benefits of using an IPsec VPN:
Confidentiality: Confidentiality simply ensures all data sent across the IPsec VPN tunnel is encrypted with an encryption algorithm such as the Data Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption Standard (AES). Data encryption prevents eavesdropping while data is being transmitted.
Integrity: Integrity ensures that all data sent across the IPsec VPN tunnel is not altered or modified. On an IPsec VPN, hashing algorithms such as MD5 and SHA are used to detect any alteration of messages over the IPsec tunnel.
Origin authentication: Authentication on an IPsec VPN ensures each user is identified correctly and that the messages are not originating from someone else. In IPsec, the Internet Key Exchange (IKE) is used to authenticate users and VPN clients. IKE uses various methods to validate users, such as digital certificates (for example, RSA), a pre-shared key (PSK), or a username and password.
Anti-replay: Anti-replay prevents a user from capturing traffic and attempting to perform a replay attack on the IPsec VPN tunnel.
Important Note
IPsec contains two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). The difference between these two protocols is that AH authenticates the Layer 3 packet only, while ESP encrypts the entire Layer 3 packet. Keep in mind that these protocols are not commonly used together.
Diffie-Hellman (DH) is defined as an algorithm used to securely distribute public keys over an unsecured network. The public keys are part of a key pair: the private key and the public key are used for data encryption and decryption. There are various DH groups, such as 1, 2, 4, 14, 15, 16, 19, 20, 21, and 24.
In the next section, you will learn how to configure a Site-to-Site VPN using IPsec in a Cisco environment.
Lab – Configuring a site-to-site VPN
In this hands-on lab, you will learn how to configure and implement a Site-to-Site IPsec VPN using Cisco IOS routers. For this lab, we will be using the following topology within Cisco Packet Tracer:
Figure 12.35 – Site-to-site VPN topology
Please use the following guidelines when creating this lab to ensure you get the same results:
Use Cisco 2911 routers.
Configure a default route on both the HQ and R1 routers that points to the ISP.
On the ISP, configure static routes to the LAN of HQ and the LAN of R1.
Ensure you assign an IP address to each device, as shown in the following table:
Figure 12.36 – IP scheme
Now that your lab environment is ready, use the following instructions to configure an IPsec Site-to-Site VPN between R1 and the HQ router:
1. Configure the following static routes on each router to simulate the internet:
HQ(config)#ip route 0.0.0.0 0.0.0.0 192.0.2.1
R1(config)#ip route 0.0.0.0 0.0.0.0 192.0.2.5
ISP(config)#ip route 10.10.10.0 255.255.255.0 192.0.2.2
ISP(config)#ip route 192.168.1.0 255.255.255.0 192.0.2.6
2. Use the following command on both the HQ and R1 routers to boot the securityk9 license. The securityk9 license enables features such as IPsec, SSL, SSH, and other security capabilities on a router. This command enables the VPN capabilities on each device:
HQ(config)#license boot module c2900 technology-package securityk9
3. Accept the user agreement by entering yes and hitting Enter.
4. Save the device configurations and reboot each router for the license to take effect:
HQ#copy running-config startup-config
HQ#reload
5. Once each device has been rebooted, use the show version command to verify that the security technology package has been enabled on both the HQ and R1 routers:
Figure 12.37 – Verifying the security package
6. Create an Access Control List (ACL) on HQ to identify traffic that is allowed between the LAN on HQ and the LAN on R1. This traffic will be encrypted and sent across the IPsec VPN tunnel between the LANs:
HQ(config)#ip access-list extended VPN-Traffic
HQ(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
HQ(config-ext-nacl)#exit
7. Configure the Internet Key Exchange (IKE) Phase 1 ISAKMP policy on the HQ router. IKE Phase 1 creates an outer tunnel that both VPN routers/firewalls use to negotiate security parameters before establishing the IKE Phase 2 tunnel for data transfer. The following commands are used to create the IKE Phase 1 ISAKMP policy:
HQ(config)#crypto isakmp policy 5
HQ(config-isakmp)#encryption aes 256
HQ(config-isakmp)#authentication pre-share
HQ(config-isakmp)#group 5
HQ(config-isakmp)#exit
HQ(config)#crypto isakmp key myipseckey address 192.0.2.6
8. Configure the IKE Phase 2 IPsec policy on the HQ router. IKE Phase 2 is established after the IKE Phase 1 tunnel and is used to transport the actual data between networks or end devices. Create the transform set, name it IPsec-VPN, and use esp-aes and esp-sha-hmac for confidentiality and integrity:
HQ(config)#crypto ipsec transform-set IPsec-VPN esp-aes esp-sha-hmac
9. Create a crypto map on the HQ router, which will be used to actually apply security to the traffic that is sent along the VPN tunnel; name it IPsec-Map and bind it to the VPN-Traffic ACL:
HQ(config)#crypto map IPsec-Map 5 ipsec-isakmp
HQ(config-crypto-map)#description IPsec VPN between HQ and R1
HQ(config-crypto-map)#set peer 192.0.2.6
HQ(config-crypto-map)#set transform-set IPsec-VPN
HQ(config-crypto-map)#match address VPN-Traffic
HQ(config-crypto-map)#exit
10. Assign the crypto map to the outbound interface on the HQ router:
HQ(config)#interface gigabitEthernet 0/0
HQ(config-if)#crypto map IPsec-Map
HQ(config-if)#exit
Now, we will start configuring the IPsec Site-to-Site VPN on R1 using the following instructions:
1. Create an ACL on R1 to identify traffic that is allowed between the LAN on R1 and the LAN on HQ. This traffic will be encrypted and sent across the IPsec VPN tunnel between the LANs:
R1(config)#ip access-list extended VPN-Traffic
R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
R1(config-ext-nacl)#exit
2. Configure the IKE Phase 1 ISAKMP policy on the R1 router:
R1(config)#crypto isakmp policy 5
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 5
R1(config-isakmp)#exit
R1(config)#crypto isakmp key myipseckey address 192.0.2.2
3. Configure the IKE Phase 2 IPsec policy on the R1 router. Create the transform set, name it IPsec-VPN, and use esp-aes and esp-sha-hmac for confidentiality and integrity:
R1(config)#crypto ipsec transform-set IPsec-VPN esp-aes esp-sha-hmac
4. Create a crypto map, name it IPsec-Map, and bind it to the VPN-Traffic ACL:
R1(config)#crypto map IPsec-Map 5 ipsec-isakmp
R1(config-crypto-map)#description IPsec VPN between R1 and HQ
R1(config-crypto-map)#set peer 192.0.2.2
R1(config-crypto-map)#set transform-set IPsec-VPN
R1(config-crypto-map)#match address VPN-Traffic
R1(config-crypto-map)#exit
5. Assign the crypto map to the outbound interface on the R1 router:
R1(config)#interface gigabitEthernet 0/2
R1(config-if)#crypto map IPsec-Map
R1(config-if)#exit
6. At this point, both the R1 and HQ routers should establish an IPsec tunnel. On PC1, open Command Prompt and send a ping to the server at 10.10.10.10. A few packets may drop since the IPsec tunnel may still be initializing.
7. To verify the status of the IPsec tunnel, perform a traceroute test between PC1 and the server:
Figure 12.38 – Traceroute between PC1 and the server
Based on the preceding results, the packet went from PC1 to R1, then from R1 to HQ, and, lastly, from HQ to the server. Notice that the packet did not go to the ISP router but rather straight from R1 to HQ. This is because the packet was encrypted and sent across the IPsec tunnel on the network.
8. To view the IKE Phase 1 tunnel, use the show crypto isakmp sa command, as shown here:
Figure 12.39 – IKE Phase 1 tunnel
9. To view the IPsec Phase 2 tunnel, which is transporting the users' traffic, use the show crypto ipsec sa command, as shown here:
Figure 12.40 – IPsec Phase 2 tunnel
10. To view the details about the crypto map on the local router, use the show crypto map command:
Figure 12.41 – Crypto map
The details shown in the preceding snippet validate the configurations we have applied to the device. We can see that the VPN peer is HQ, the ACL for the permitted traffic on the VPN tunnel, and other details about the IPsec tunnel, such as the active interface.
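When a site-to-site tunnel refuses to come up, the cause is usually a mismatch between the two routers' configurations rather than a fault in either one alone: IOS requires the two crypto ACLs to be mirror images of each other, each set peer must name the other router's internet-facing address, and the ISAKMP policy and transform set must agree on both sides. The following Python script is an added example, not code from the book or from Cisco IOS; it re-enters the HQ and R1 settings from the lab as small dictionaries (constructed from the commands above) and reports these inconsistencies offline, before the show crypto commands are consulted. The faulty R1_BROKEN variant is constructed for illustration.

```python
"""Offline consistency check for a pair of site-to-site IPsec configurations.

Added example, not code from the book or from Cisco IOS. The crypto settings
from the HQ and R1 routers in this lab are re-entered as dictionaries and
checked for the mismatches that most often keep a tunnel from forming.
"""
from typing import Dict, List, Set, Tuple

# (protocol, src, src_wildcard, dst, dst_wildcard) of one crypto ACL permit entry
ACE = Tuple[str, str, str, str, str]

# 'wan' is the router's own tunnel endpoint (its internet-facing address).
HQ: Dict = {
    "name": "HQ",
    "wan": "192.0.2.2",
    "peer": "192.0.2.6",
    "acl": ["permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255"],
    "isakmp": {"encryption": "aes 256", "authentication": "pre-share", "group": "5"},
    "transform_set": "esp-aes esp-sha-hmac",
}
R1: Dict = {
    "name": "R1",
    "wan": "192.0.2.6",
    "peer": "192.0.2.2",
    "acl": ["permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255"],
    "isakmp": {"encryption": "aes 256", "authentication": "pre-share", "group": "5"},
    "transform_set": "esp-aes esp-sha-hmac",
}

# Constructed faulty variant: a /16 wildcard on one side only, and an ISAKMP
# policy left at DH group 2 while HQ uses group 5.
R1_BROKEN: Dict = {
    **R1,
    "acl": ["permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255"],
    "isakmp": {"encryption": "aes 256", "authentication": "pre-share", "group": "2"},
}


def parse_crypto_acl(lines: List[str]) -> Set[ACE]:
    """Collect the permit entries: they define the traffic to be encrypted."""
    entries: Set[ACE] = set()
    for line in lines:
        fields = line.split()
        if fields[0] != "permit" or len(fields) != 6:
            raise ValueError(f"unsupported crypto ACE: {line!r}")
        proto, src, src_wc, dst, dst_wc = fields[1:]
        entries.add((proto, src, src_wc, dst, dst_wc))
    return entries


def mirror(entries: Set[ACE]) -> Set[ACE]:
    """Swap source and destination of every entry."""
    return {(p, d, dwc, s, swc) for (p, s, swc, d, dwc) in entries}


def check_pair(a: Dict, b: Dict) -> List[str]:
    """Return the list of problems found; an empty list means the pair is consistent."""
    problems: List[str] = []
    for local, remote in ((a, b), (b, a)):
        if local["peer"] != remote["wan"]:
            problems.append(
                f"{local['name']}: set peer {local['peer']} is not {remote['name']}'s "
                f"address {remote['wan']}")
    if parse_crypto_acl(a["acl"]) != mirror(parse_crypto_acl(b["acl"])):
        problems.append("crypto ACLs are not mirror images of each other")
    for key in sorted(set(a["isakmp"]) | set(b["isakmp"])):
        if a["isakmp"].get(key) != b["isakmp"].get(key):
            problems.append(f"isakmp {key} differs: "
                            f"{a['isakmp'].get(key)!r} vs {b['isakmp'].get(key)!r}")
    if a["transform_set"] != b["transform_set"]:
        problems.append("transform sets differ")
    return problems


if __name__ == "__main__":
    print("HQ <-> R1:", check_pair(HQ, R1) or "consistent")
    for problem in check_pair(HQ, R1_BROKEN):
        print("-", problem)
```

Run the pair from the lab and the list of problems is empty; run HQ against R1_BROKEN and both the non-mirrored ACL and the group mismatch are reported.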
Having completed this lab, you have gained the hands-on skills to implement an IPsec Site-to-Site VPN in a Cisco environment. In the next lab, you will learn how to configure a Cisco IOS router in order to support a remote access VPN between a client device and a corporate network.
Lab – Configuring a remote access VPN
In this hands-on lab, you will learn how to configure a Cisco IOS router so that it acts as a VPN gateway to support a remote access VPN. In this lab, we will be using the following topology in Cisco Packet Tracer:
Figure 12.42 – Remote access VPN lab topology
Please use the following guidelines when creating this lab to ensure you get the same results:
Use Cisco 2911 routers.
Configure a default route from both the HQ and R1 routers that points to the ISP.
On the ISP, configure network static routes to the LAN of HQ and the LAN of R1.
Ensure you assign an IP address to each device, as shown in the following table:
Figure 12.43 – IP scheme
Now that your lab environment is ready, use the following instructions to configure an IPsec remote access VPN on the HQ router:
1. Configure the following static routes on each router to simulate the internet:
HQ(config)#ip route 0.0.0.0 0.0.0.0 192.0.2.1
R1(config)#ip route 0.0.0.0 0.0.0.0 192.0.2.5
ISP(config)#ip route 10.10.10.0 255.255.255.0 192.0.2.2
ISP(config)#ip route 192.168.1.0 255.255.255.0 192.0.2.6
2. Use the following command on HQ to boot the securityk9 license. This command enables the VPN capabilities on each device:
HQ(config)#license boot module c2900 technology-package securityk9
3. Accept the user agreement by entering yes and hitting Enter.
4. Save the device configurations and reboot each for the license to take effect:
HQ#copy running-config startup-config
HQ#reload
5. Once each device has been rebooted, use the show version command to verify that the security technology package has been enabled on the HQ router:
Figure 12.44 – Verifying the security package
6. Create an IP address pool for remote access users via the VPN; the range is within the HQ corporate network:
HQ(config)#ip local pool RA-VPN-Pool 10.10.10.100 10.10.10.110
7. Enable the AAA services on the HQ router and configure the authentication login method in order to use the local user database:
HQ(config)#aaa new-model
HQ(config)#aaa authentication login RA-UserVPN local
8. Configure the AAA authorization for network services on the HQ corporate network in order to use the local user database:
HQ(config)#aaa authorization network RA-Group-VPN local
9. Create a username and password for the remote access user:
HQ(config)#username user1 secret ciscovpn1
10. Configure the IKE Phase 1 ISAKMP policy on the HQ router:
HQ(config)#crypto isakmp policy 10
HQ(config-isakmp)#encryption aes 256
HQ(config-isakmp)#authentication pre-share
HQ(config-isakmp)#group 5
HQ(config-isakmp)#exit
11. Create the remote user client configurations and the password for the group (RA-Group-VPN) on the HQ router:
HQ(config)#crypto isakmp client configuration group RA-Group-VPN
HQ(config-isakmp-group)#key remoteaccessvpn
HQ(config-isakmp-group)#pool RA-VPN-Pool
HQ(config-isakmp-group)#exit
12. Configure the IKE Phase 2 IPsec policy on the HQ router. Create the transform set, name it RA-VPN, and use esp-aes and esp-sha-hmac for confidentiality and integrity:
HQ(config)#crypto ipsec transform-set RA-VPN esp-aes esp-sha-hmac
13. Create a dynamic crypto map on the HQ router, name it RemoteAccessVPN, and set the sequence number to 100:
HQ(config)#crypto dynamic-map RemoteAccessVPN 100
HQ(config-crypto-map)#set transform-set RA-VPN
HQ(config-crypto-map)#reverse-route
HQ(config-crypto-map)#exit
14. Create the static crypto map for the client configuration for both authentication and authorization:
HQ(config)#crypto map StaticVPNMap client configuration address respond
HQ(config)#crypto map StaticVPNMap client authentication list RA-UserVPN
HQ(config)#crypto map StaticVPNMap isakmp authorization list RA-Group-VPN
15. Specify a sequence number to insert the crypto map entry:
HQ(config)#crypto map StaticVPNMap 20 ipsec-isakmp dynamic RemoteAccessVPN
16. Configure the internet-facing interface on HQ with the crypto map:
HQ(config)#interface gigabitEthernet 0/0
HQ(config-if)#crypto map StaticVPNMap
HQ(config-if)#exit
17. On PC1, open the Desktop tab and click on the VPN client, as shown here:
Figure 12.45 – VPN client on PC1
18. Enter the following configurations into the VPN client interface and click Connect:
Figure 12.46 – VPN client configurations
This process may take some time to establish the VPN tunnel between the PC and the HQ router.
19. Once the VPN tunnel has been established, open Command Prompt and use the ipconfig /all command to verify that PC1 has a VPN tunnel interface with an IP address from the HQ network:
Figure 12.47 – VPN tunnel
20. Perform a connectivity test from PC1 to the server on the HQ network using the ping command:
Figure 12.48 – Connectivity test
21. To verify that the packets are going through the remote access VPN tunnel, perform a traceroute from PC1 to the server:
Figure 12.49 – Checking the VPN tunnel
As shown in the preceding results, the packet was sent from PC1 to 192.0.2.2, which is the HQ router. This is simply because the VPN tunnel was established between PC1 and the HQ router. All packets from PC1 to the 10.10.10.0/24 network will be encrypted and sent through the remote access VPN tunnel. Hence, the R1 and ISP routers were not shown as hops along the path.
Having completed this lab, you have gained the hands-on skills to implement a remote access VPN on a Cisco IOS router.
Summary
During the course of this chapter, you learned how to secure access to the console, AUX ports, and the VTY lines, how to set up secure remote access, and how to lock down administrative access on a Cisco device. Furthermore, you discovered how to establish a secure tunnel between two remote sites, such as Cisco IOS routers, to simply extend the LAN at the HQ corporate office to a remote branch site using a VPN.
I hope this chapter has been informative for you and is helpful in your journey toward learning how to implement and administer Cisco solutions and prepare for the CCNA 200-301 certification. In the next chapter, Implementing Access Control Lists (ACLs), you will learn how to create and implement Layer 3 security controls on a Cisco IOS router to filter traffic.
Questions
The following is a short list of review questions to help reinforce your learning and help you identify areas that require some improvement:
1. Which command is used to enable authentication on the console line?
A. enable login
B. login enable
C. login
D. login all
2. Which command is used to set a password on the AUX line?
A. password
B. password enable
C. enable password
D. password login
3. Which show command allows you to verify the method used to connect to a Cisco device?
A. show ssh
B. show login
C. show users
D. show ip ssh
4. Which command is used to disable Telnet on VTY lines?
A. no transport
B. transport input ssh
C. transport ssh only
D. transport no telnet
5. Which command is recommended when creating a secure password to access Privilege Exec mode?
A. enable password secret
B. enable password
C. enable secure
D. enable secret
6. Which encoding type is used on the enable password command?
A. Type 0
B. Type 9
C. Type 2
D. Type 5
7. Which command can be used to encrypt all existing and future plaintext passwords?
A. enable service encryption
B. service password-encryption
C. service encryption
D. service encryption-password
8. Which of the following is a requirement for a remote access VPN?
A. Metro E
B. Wi-Fi
C. VPN client software
D. MPLS
9. Which protocol/standard does IPsec use to securely exchange secret keys over an unsecured network?
A. AES
B. Encapsulating Security Protocol
C. Authentication Header
D. Diffie-Hellman
10. Which IPsec protocol encrypts the entire IP packet?
A. ESP
B. DH
C. AH
D. AES
Further reading
The following links are recommended for additional reading:
Cisco Guide to Hardening Cisco IOS Devices: https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
Configuring a Site-to-Site IPsec VPN: https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/configuration-professional/113337-ccp-vpn-routerA-routerB-config-00.html
Chapter 13: Implementing Access Control Lists
Whenever the need arises to interconnect two or more networks, a router is always the preferred choice, simply because the primary function of a router is to forward packets between networks. However, the Cisco IOS router has many more features aside from simply forwarding. One major feature is to filter traffic based on its source and destination. This feature simply enables the Cisco IOS router to perform packet filtering in a similar fashion to a firewall appliance on the network.
Throughout this chapter, you will learn how Access Control Lists (ACLs) can be applied to a Cisco IOS router to filter both inbound and outbound traffic. Furthermore, you will discover the various types of ACLs and how they can be used in various situations to allow or deny traffic between networks.
In this chapter, we will cover the following topics:
What are ACLs?
ACL operation
ACL wildcard masks
Working with standard ACLs
Working with extended ACLs
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:
Cisco Packet Tracer
The code files for this chapter are available at https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2013.
Check out the following video to see the Code in Action: https://bit.ly/3cqh8JX
What are ACLs?
As you have learned so far, routers are used to forward traffic between different networks. As a packet enters an inbound interface of a router, the operating system has to read the Layer 3 header information, such as the source and destination IP addresses, and check the routing table for a suitable route. Once a route has been found, the router forwards the packet through an outbound interface to its destination. Ensuring that all users are able to send and receive messages is excellent in terms of connectivity, but what about security and restricting the flow of traffic between certain networks?
The Cisco IOS router has many amazing features and can perform a variety of roles on a network. One such feature is to perform traffic filtering between networks. This is done using a method that firewall appliances also use to filter traffic, known as an ACL.
Important note
Firewall appliances use a variety of methods to filter inbound and outbound traffic. ACLs are simply one of many methods.
ACLs can be applied to the interfaces of a router to filter traffic as it is either entering or leaving the router. ACLs filter traffic based on its source or destination information. ACLs are typically rules created on a router that determine how traffic should be filtered, such as whether it is allowed or denied. Implementing ACLs on a Cisco IOS router does not convert the router into a firewall appliance, nor does it replace the need for a dedicated firewall on your network. ACLs are simply used to filter traffic passing through your router, such as filtering messages between IP subnets and Virtual Local Area Networks (VLANs).
By default, the Cisco IOS router is not configured with any ACLs and traffic is able to flow without any restrictions. However, when an ACL is created, it must be applied to an interface to take effect. ACLs can be used to filter inbound or outbound traffic on a router's interface. When applied to an inbound interface, the router has to perform additional checks on all traffic entering the interface before checking the routing table for a suitable path. Additionally, when an ACL is applied to an outbound interface, the router still has to perform additional checks before allowing the message to leave the router.
There are two types of ACLs. They are as follows:
Standard ACLs
Extended ACLs
A standard ACL is used to filter all traffic types of a source host or network. This type of ACL is very straightforward in terms of application. If you want to deny all traffic originating from a single host or network, a standard ACL is the better choice.
An extended ACL allows you to be more granular when filtering traffic. This type of ACL allows you to filter packets based on the following criteria:
Protocol type
Source IP address
Source port number (TCP or UDP)
Destination IP address
Destination port number (TCP or UDP)
An extended ACL is the better choice when filtering specific traffic types between a source and a destination.
Benefits of using ACLs
There are many benefits associated with using ACLs to filter traffic within an organization. In this section, you'll learn about the various scenarios where ACLs can help improve security and traffic flow on a network.
Imagine within your organization that there are many users who frequently stream online videos during their work schedule. This video traffic can consume a lot of bandwidth, simply by increasing the load on the network. By implementing an ACL, you can enforce and restrict video traffic within the organization and increase network performance. Additionally, by implementing ACLs on a corporate network, you can restrict or limit access to various network resources to a specific group of users. This adds a layer of network security by granting access to resources to authorized users only.
ACLs can be used to filter unwanted network services and traffic. Some organizations may have security policies to prevent unsecured communication protocols on their network. One example of an unsecured protocol is Telnet. An ACL can be used to enforce this policy within the organization and restrict all Telnet traffic.
In the previous chapter, you learned how to implement secure remote access to your Cisco devices. Imagine configuring remote access on all your devices and anyone being able to establish an SSH session with your routers and switches. By implementing an ACL, you can restrict remote access so that it is granted only to a specific user group, such as those within the IT department of your organization. The ACL can be applied to the Virtual Terminal (VTY) lines to filter inbound traffic.
When applying Quality of Service (QoS) to a network, it's important to identify the traffic types correctly for classification and prioritization. ACLs can be used with QoS to identify various traffic types, such as Voice over IP (VoIP), thereby enabling the QoS tools to process the traffic quickly.
Having completed this section, you have learned about the need for ACLs and their benefits to a network. In the next section, you will learn how ACLs operate in permitting or denying traffic between networks.
ACL operation
ACLs are rules created by a network professional on the router or firewall appliance to filter traffic either entering or leaving the device. An ACL is a list of security rules, each of which is either a permit or a deny statement.
Each statement within an ACL is referred to as an Access Control Entry (ACE). These ACEs are the real workers that allow and block packets between networks. When a router receives packets on an interface, the router checks each ACE, starting with the first entry at the top of the list and moving down until a match is found. Once a matching ACE is found, the router stops searching and executes the rule on the ACE, either permitting or denying the traffic. This process is known as packet filtering.
Important note
If no matches are found in the ACL, the packet is discarded by the router. The last ACE within every ACL is an implicit deny statement. An implicit deny statement simply states that if no matches are found in the previous ACEs, the packet should be denied. The implicit deny statement is automatically inserted as the last entry within an ACL. It is usually invisible.
With packet filtering, you can configure the Cisco IOS router to analyze traffic and control access between networks. ACLs can be used to filter inbound or outbound traffic, or to permit or deny traffic based on its source and destination IP address (Layer 3) and/or by the source and destination port numbers (Layer 4).
Important note
Standard ACLs are designed to filter traffic found at Layer 3 only. Extended ACLs are able to filter traffic at Layers 3 and 4 of the OSI model.
ACLs can be configured on a router to filter inbound traffic or outbound traffic:
Inbound ACLs: With inbound ACLs, packets entering a router are processed before they are forwarded to their destination. The placement of the inbound ACLs allows the router to conserve its resources, such as performing routing lookups, since the inbound ACL can filter packets as they enter the device. If the packet is allowed by the inbound ACL, the router will then perform a route lookup and forward the packet to its destination. It is recommended to use inbound ACLs to perform packet filtering when the source of the traffic is attached or connected to the inbound interface of a router.
Outbound ACLs: Outbound ACLs are placed on the outgoing interface of a router. Outbound ACLs filter packets after they have been processed by the router. The placement of this ACL is useful when filtering traffic that originates from multiple interfaces or sources.
The following diagram shows the concepts of inbound and outbound ACLs on a router:
Figure 13.1 – Inbound and outbound ACLs
To get a better understanding of how ACLs are applied to a router, let's take a look at the following output:
Figure 13.2 – Verifying ACLs on an interface
The show ip interface command is used to verify whether an ACL is applied to an interface and the direction in which it filters traffic. As demonstrated in the preceding code snippet, there are two ACLs applied to the GigabitEthernet 0/2 interface. A numbered ACL, 10, is applied to filter outbound packets leaving the interface, and a named ACL, Restrict-FTP, is applied to filter inbound packets on the router's interface.
The following snippet shows the ACEs for the outbound ACL on the GigabitEthernet 0/2 interface:
Figure 13.3 – Verifying ACEs within ACL 10
As shown, ACL 10 contains two ACEs. The first ACE is a permit statement to only allow traffic from the host device with an IP address of 192.168.1.10. The host keyword is used to specify a single IP address in this statement. Therefore, a wildcard mask is not required when the host keyword is invoked. The wildcard mask is simply an inverse of the subnet mask, which tells the router which bits in the IP address to match and which bits to ignore.
The second ACE is a permit statement to allow all traffic originating from the 10.1.1.0/24 network. When specifying a network range, wildcard masks are used to tell the router which bits to match in the address and which bits to ignore.
Next, let's examine the contents of the inbound ACL on the GigabitEthernet 0/2 interface:
Figure 13.4 – Verifying ACEs within ACL Restrict-FTP
As shown in the preceding code snippet, there are two ACEs within the inbound ACL. The first ACE is a deny statement to prevent any TCP traffic originating from the host IP address, 172.16.1.10, from reaching any destination network that has port 21 open for File Transfer Protocol (FTP). The second ACE indicates that IP traffic is permitted from any source to any destination.
Important note
The ftp keyword is also used to indicate port 21 within an ACL.
The second ACE is a permit statement to allow all IP traffic from any source to any destination. Since neither a source nor a destination port was specified within the ACE, all ports are automatically considered. Keep in mind that there are 65,535 logical network ports.
Additionally, in order to view all the ACLs on a router, the show access-lists command can be executed without specifying an ACL name or number. The following is a list of all the ACLs present on a Cisco IOS router:
Figure 13.5 – Viewing all ACLs
The output is a bit different as it contains placement values such as 10, 20, and 30. When creating an ACL, it's important that the ACEs are placed in the order in which you want the router to process each packet. To put it simply, the router reads an ACL from top to bottom each time it has to reference an ACL on an interface. It is recommended to place more specific ACEs at the top of the ACL and less specific ACEs at the bottom. As an example, take a look at the following snippet:
Figure 13.6 – Analyzing an ACL
As shown, the ACEs are placed according to their numerical value. By default, the router automatically inserts a placement value for new ACEs under an ACL in increments of 10. This allows a network engineer to insert ACEs between each other on an ACL.
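The top-to-bottom, first-match evaluation and the invisible implicit deny described above are easy to get wrong when ACEs are reordered, so it helps to see them as code. The following Python script is an added example, not code from the book or from Cisco IOS; it re-enters ACL 10 and Restrict-FTP from Figures 13.3 and 13.4 as data, evaluates constructed sample packets against them, and shows how a broad permit given a lower placement value than a specific deny shadows that deny. The destination address 203.0.113.5 and the helper shadowed_aces are constructed for this example.

```python
"""First-match ACL evaluation with the implicit deny, as the text describes it.

Added example, not code from the book or from Cisco IOS. The two ACLs shown
in Figures 13.3 and 13.4 (numbered ACL 10 and the named ACL Restrict-FTP)
are re-entered here as data and evaluated against constructed sample packets.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "tcp", "udp", or "ip" for anything else
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class ACE:
    seq: int                     # placement value (10, 20, 30, ...)
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol
    src: str                     # "host A.B.C.D", "A.B.C.D W.X.Y.Z" or "any"
    dst: str = "any"             # standard ACLs have no destination: treat as any
    eq: Optional[int] = None     # destination port, as in "eq 21"


def _parse_spec(spec: str) -> Tuple[int, int]:
    """Turn an IOS address spec into (address, wildcard) as 32-bit integers."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    addr, wildcard = parts
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))


def wildcard_match(ip: str, spec: str) -> bool:
    """A 0 bit in the wildcard must match; a 1 bit is ignored."""
    addr, wc = _parse_spec(spec)
    must_match = ~wc & 0xFFFFFFFF
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & must_match) == 0


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.eq is not None and pkt.dport != ace.eq:
        return False
    return wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACEs by placement value; the first match wins.

    Returns (action, seq); seq is None when the implicit deny fired.
    """
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


# ACL 10 (Figure 13.3): a standard ACL, so only the source is checked.
ACL_10 = [
    ACE(10, "permit", "ip", "host 192.168.1.10"),
    ACE(20, "permit", "ip", "10.1.1.0 0.0.0.255"),
]

# Restrict-FTP (Figure 13.4): deny tcp host 172.16.1.10 any eq 21, permit ip any any
RESTRICT_FTP = [
    ACE(10, "deny", "tcp", "host 172.16.1.10", "any", 21),
    ACE(20, "permit", "ip", "any", "any"),
]

# Constructed mis-ordered variant: the broad permit has a lower placement value
# than the specific deny, so the deny can never be reached.
RESTRICT_FTP_MISORDERED = [
    ACE(5, "permit", "ip", "any", "any"),
    ACE(10, "deny", "tcp", "host 172.16.1.10", "any", 21),
]


def shadowed_aces(acl: List[ACE], samples: List[Packet]) -> List[int]:
    """Placement values that never fire for any sample packet, a sign that an
    earlier, broader ACE shadows them. Constructed helper for this example."""
    hit = {evaluate(acl, p)[1] for p in samples}
    return [a.seq for a in sorted(acl, key=lambda a: a.seq) if a.seq not in hit]


if __name__ == "__main__":
    ftp = Packet("172.16.1.10", "203.0.113.5", "tcp", 21)
    print(evaluate(RESTRICT_FTP, ftp))             # ('deny', 10)
    print(evaluate(RESTRICT_FTP_MISORDERED, ftp))  # ('permit', 5)
    print(evaluate(ACL_10, Packet("192.168.1.11", "203.0.113.5")))  # ('deny', None)
```

The third call shows the implicit deny: 192.168.1.11 matches neither ACE of ACL 10, so the packet is dropped even though no deny statement is visible in the list.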
ACL wildcard masks
When creating an ACE, you may need to specify a network ID and the subnet mask. However, within ACLs and ACEs, you cannot use a subnet mask, as Cisco IOS on the router was not built or designed to accept subnet masks as part of an ACE. ACLs use a wildcard mask, which is a 32-bit binary string used by the Cisco IOS router to determine which bits within the address to match and which bits to ignore.
As with a subnet mask, ones and zeroes are used to indicate the network and host portions of an IP address. For example, the ones within a subnet mask are used to identify the network portion of an address, while the zeroes are used to identify the host portion. Within a wildcard mask, these bits are used for a different purpose. Here, the ones and zeroes are used to filter either a group of addresses or a single IP address to decide whether to permit or deny access to a network resource.
In a wildcard mask, the zeroes are used to match the corresponding bit value in the address, while the ones are used to ignore the corresponding bit value in the address. You can think of a wildcard mask as the inverse of a subnet mask.
To get a better idea, let's take a look at the following examples of using wildcard masking:
00000000: Since all the bits are zeroes, this wildcard indicates to match all corresponding bits in the address.
11110000: This indicates to ignore the first four address bits.
00001111: This indicates to match the first four address bits.
11111111: This ignores all the bits within the octet.
11111100: This ignores the first six address bits.
Let's take a look at applying a 0.0.255.255 wildcard mask to a 32-bit address:
Figure 13.7 – Wildcard masking example 1
As shown in the preceding table, a wildcard mask of 0.0.255.255 is used to match the first 16 bits in the address. The zeros within the wildcard mask indicate a match, while the ones indicate that the router should ignore the corresponding bits in the address.
Let's take a look at another example of how to match all the corresponding bits on an address:
Figure 13.8 – Wildcard masking example 2
As shown in the preceding table, a wildcard mask of 0.0.0.0 is used to match all the corresponding bits in the address. This ensures that the exact IP address of 172.16.10.1 must match the ACL. Next, we are going to take a deep look into calculating the wildcard mask for ACLs.
Calculating the wildcard mask
This is a straightforward technique that will quickly provide you with a wildcard mask when configuring ACLs. To calculate the wildcard mask, simply subtract the subnet mask from 255.255.255.255.
In our first example, imagine you want to permit access to all users within the 192.168.20.0/24 network. Since the subnet mask is 255.255.255.0, we can subtract the subnet mask from the 255.255.255.255 address, as shown here:
Figure 13.9 – Calculating a wildcard mask
Our resulting wildcard mask is 0.0.0.255. This allows us to create the following ACL statement:
Router(config)#access-list 10 permit 192.168.20.0 0.0.0.255
In our next example, imagine you want to deny traffic from all users within the 172.16.24.64/28 network. The subnet mask is 255.255.255.240. We can use the same technique as in the previous example:
Figure 13.10 – Calculating a wildcard mask
The resulting wildcard mask is 0.0.0.15. This allows us to create the following ACL statement:
Router(config)#access-list 10 deny 172.16.24.64 0.0.0.15
Sometimes, working with wildcard masks can be a bit complex. What if you need to specifically allow a single host device, such as 192.168.1.10, within an ACL? Rather than using the 0.0.0.0 wildcard mask, you can use the host keyword, as shown here:
Router(config)#access-list 20 permit host 192.168.1.10
The host keyword simply states that all the bits within the address must match within the ACL.
In another scenario, you may need to create an ACL to ignore the entire IPv4 address or to accept any address. To create an ACE to represent any address, we can write the 0.0.0.0 255.255.255.255 statement. However, we can also use the any keyword as a shortcut to represent the entire statement, as shown here:
Router(config)#access-list 30 permit any
The preceding ACL simply states that any traffic is permitted from any source address or network. In the next section, we will discuss some important guidelines and best practices when creating ACLs.
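The subtraction rule, the host and any shortcuts, and the bit-by-bit matching explained in this section can be worked through in a few lines of code. The following Python script is an added example, not code from the book or from Cisco IOS; it computes wildcard masks from subnet masks and prefix lengths, checks which addresses a network/wildcard pair matches (the 192.168.20.0/24 and 172.16.24.64/28 cases from the text), renders the host and any shortcuts, and goes one step beyond the text with a non-contiguous wildcard (0.0.254.255), which IOS accepts but which has no subnet-mask equivalent. The helper names are constructed for this example.

```python
"""Wildcard-mask arithmetic from the "Calculating the wildcard mask" section.

Added example, not code from the book or from Cisco IOS. Implements the
255.255.255.255-minus-subnet-mask rule, wildcard matching, the host/any
shortcuts, and a non-contiguous wildcard that goes beyond the text.
"""
import ipaddress
from typing import List


def wildcard_from_mask(subnet_mask: str) -> str:
    """The book's rule: subtract the subnet mask from 255.255.255.255, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def wildcard_from_prefix(prefix_len: int) -> str:
    """The same rule starting from CIDR notation, e.g. /28 -> 0.0.0.15."""
    mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return wildcard_from_mask(str(mask))


def matches(address: str, network: str, wildcard: str) -> bool:
    """Zero bits in the wildcard must equal the network's bits; one bits are ignored."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    must_match = ~w & 0xFFFFFFFF
    return ((a ^ n) & must_match) == 0


def address_spec(network: str, subnet_mask: str) -> str:
    """Render the source part of an ACE, using the host and any shortcuts
    where IOS accepts them."""
    wildcard = wildcard_from_mask(subnet_mask)
    if wildcard == "0.0.0.0":
        return f"host {network}"
    if wildcard == "255.255.255.255":
        return "any"
    return f"{network} {wildcard}"


def match_count(wildcard: str) -> int:
    """Every ignored (1) bit doubles the number of addresses an ACE matches."""
    w = int(ipaddress.IPv4Address(wildcard))
    return 1 << bin(w).count("1")


def bit_view(network: str, wildcard: str) -> List[str]:
    """Per-octet binary view like the book's tables: the network's bits, with
    the positions the wildcard ignores shown as 'x'."""
    rows = []
    for n_oct, w_oct in zip(network.split("."), wildcard.split(".")):
        n_bits = format(int(n_oct), "08b")
        w_bits = format(int(w_oct), "08b")
        rows.append("".join("x" if w == "1" else n for n, w in zip(n_bits, w_bits)))
    return rows


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.240"))            # 0.0.0.15
    print(matches("172.16.24.79", "172.16.24.64", "0.0.0.15"))  # True
    print(matches("172.16.24.80", "172.16.24.64", "0.0.0.15"))  # False
    # Non-contiguous wildcard: matches any 192.168.x.y with an even third octet.
    print(matches("192.168.20.5", "192.168.0.0", "0.0.254.255"))  # True
    print(bit_view("172.16.10.1", "0.0.255.255"))
```

The non-contiguous case shows why the "inverse of a subnet mask" description is only a convenience: a wildcard is tested bit by bit, so 0.0.254.255 selects every /24 with an even third octet, something a subnet mask cannot express.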
ACL guidelines and best practices
Creating and configuring ACLs on a router can be somewhat complex and a bit confusing at first until you get the hang of it. In this section, you will learn about some guidelines and best practices to help you create and implement ACLs efficiently on a Cisco IOS router.
The first rule of thumb is that you need to know the three Ps when applying ACLs to a router. They are as follows:
One ACL per protocol (IPv4 or IPv6)
One ACL per direction (in or out)
One ACL per interface
You cannot have two ACLs on the same interface filtering inbound IPv4 traffic. You cannot have the same ACL filtering inbound and outbound traffic on the same interface. However, you can have two different ACLs on the same interface, where one ACL is filtering inbound traffic while the other is filtering outbound traffic.
Use the following guidelines when considering the application of ACLs to a router:
ACLs should be applied to your edge router on the network to filter traffic between your internal network and the internet.
ACLs should be applied to a router that is connected between two or more different networks for the purpose of controlling traffic entering and leaving a network.
Use ACLs to filter specific traffic types between networks.
The following are some best practices when creating ACLs on your network routers:
The ACLs should be aligned with your organization's security policies.
When creating an ACL, ensure that you use the remark command to insert a description and purpose of the ACL for future reference.
When modifying an ACL, use a text editor to help you create, edit, and save ACLs.
Ensure that ACLs have been tested within a lab or development environment before applying them to a production network.
After you've created ACLs on your router, the next step is to apply them to the appropriate interface. The placement of ACLs is very important. The following are some recommendations based on the type of ACL:
Standard ACLs are configured to filter (permit or deny) traffic originating from a single host or network. This type of ACL should be placed closest to the destination of the packets on the network.
Extended ACLs are configured to filter specific traffic types on a network. Therefore, it's recommended to place this type of ACL closest to the source where the traffic is originating. This method will simply filter the denied traffic type before it is processed and forwarded by the router.
Let's take a look at the following network topology to gain a better understanding of ACL placement:
Figure 13.11 – ACL placement
Based on the preceding topology, let's create the following scenarios to better understand the most suitable place where ACLs should be applied on a router:
If you want to filter (restrict) traffic from the source network, 192.168.20.0/24, to the destination network, 172.16.1.0/24, the best place to apply the standard ACL will be on R2's outbound GigabitEthernet 0/1 interface. The placement of this ACL will filter traffic that is destined only to the 172.16.1.0/24 network. If the ACL is placed on R2's inbound GigabitEthernet 0/0 interface, the ACL will filter traffic originating from both the 192.168.10.0/24 and 192.168.20.0/24 networks.
If you want to filter FTP traffic originating from the 172.16.1.0/24 network to any destination, the most suitable place to apply the extended ACL will be on R2's inbound GigabitEthernet 0/1 interface. The placement of this ACL will filter all FTP traffic originating from the 172.16.1.0/24 network only. If the ACL is placed on R2's outbound GigabitEthernet 0/2 interface, it will filter traffic from both the 172.16.1.0/24 and 172.20.1.0/24 networks.
In the next section, you will learn how to configure and apply standard ACLs to a Cisco IOS router.
Working with standard ACLs
When creating a numbered standard ACL on a Cisco IOS router, the ACL must first be created on the device and then applied to an interface to filter traffic. Numbered standard ACLs use the following ranges of numbers:
1 to 99
1300 to 1999
To create a numbered standard ACL on a Cisco IOS router, use the access-list global configuration command followed by a number within the range of 1 to 99 or 1300 to 1999 on the device. Therefore, with this range of numbers, there can be up to 798 unique standard ACLs on a single router.
Creating a numbered standard ACL
The following is the full syntax used to create a numbered standard ACL:
Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard] [log]
The remark command will allow you to insert a description for the ACL, and the log command will generate a Syslog message when matches are found. Additionally, there can be more than one ACE within an ACL.
The following are some examples of numbered standard ACLs:
Router(config)#access-list 10 permit host 172.16.1.5
Router(config)#access-list 20 deny 192.168.20.0 0.0.0.255
To remove an ACL from a Cisco router, use the following guidelines:
1. Use the show access-lists command within Privilege Exec mode to verify the exact ACL and its number that you want to remove.
2. Enter global configuration mode and use the no access-list command with the ACL number. The following is an example of how to remove a numbered standard ACL:
Figure 13.12 – Removing an ACL
There is no need to specify the entire ACE or ACL. Simply use the no command and the ACL number to delete an entire ACL from the running-config file.
After creating an ACL, you need to apply it to a router's interface to filter either inbound or outbound traffic. The following is the syntax to apply the ACL under interface mode:
Router(config-if)#ip access-group [access-list-number | access-list-name] [in | out]
The syntax enables you to use the ip access-group command to specify either the ACL number or the ACL name, and the direction in which to filter traffic.
The following snippet shows an example of applying a numbered ACL to an interface:
Figure 13.13 – Applying an ACL to an interface
Next, we will learn how to implement a named standard ACL.
Implementing a named standard ACL
Occasionally, numbered ACLs can be a bit confusing when there are many ACLs on a router. Cisco IOS allows us to create named standard ACLs, which make things easier for us.
Here are some guidelines when creating a named ACL:
A named ACL can contain both letters and numbers.
It is recommended to use capital letters.
Named ACLs cannot have any spaces or punctuation characters.
An example of creating a named standard ACL is ip access-list standard filter-ftp.
To create a named standard ACL, use the following instructions:
1. Enter global configuration mode and then use the following syntax to create a named standard ACL:
Router(config)#ip access-list standard name
You will then enter a new mode – standard (std) named ACL (nacl) configuration mode.
2. Next, use the following syntax to create ACEs within the ACL:
Router(config-std-nacl)#[deny | permit | remark] source [source-wildcard] [log]
The following snippet shows an example of creating and applying a named standard ACL:
Figure 13.14 – Creating a named standard ACL
Now, let's see how to delete an ACL.
Deleting an ACL
To remove an ACL from a Cisco IOS router, take the following steps:
1. Remove the ACL from the interface by using the no ip access-group command with the ACL number and its direction (in or out).
2. Enter global configuration mode and use the no access-list command with the ACL number to remove the entire ACL from the device.
Having completed this section, you have gained an essential understanding of standard ACL operations, and how to configure and apply them correctly to a Cisco device. In the following section, you will gain hands-on experience with creating and applying both standard and extended ACLs in a Cisco environment.
Lab – implementing a standard numbered ACL
In this hands-on lab, you will learn how to implement standard ACLs to filter traffic from a source host and network. The following topology shows an organization network (left) that is connected to the internet (right) via an Internet Service Provider (ISP):
Figure 13.15 – Standard ACL lab topology
The objective of this lab is to demonstrate how to apply standard numbered ACLs to a Cisco router to filter traffic between devices and networks. We'll use a numbered ACL to restrict traffic that originates from all devices on the 192.168.1.0/24 network, except PC1, and is destined for the 172.16.1.0/24 network.
For this lab, we'll be using Cisco Packet Tracer to simulate the Cisco environment. Additionally, ensure that you've assigned the IP addresses to each device according to the following IP address table:
Figure 13.16 – IP address scheme
Please observe the following guidelines when following this lab to ensure that you get the same results:
Configure a default route on HQ to point to the ISP router at 192.0.2.1.
Configure a default route on the ISP router that points to HQ at 192.0.2.2. This is to simulate the internet on the topology.
Ensure that each device has end-to-end connectivity by using the ping utility. If you are unable to ping a certain device, be sure to double-check the physical connections and configurations on your devices.
Having built your lab environment, use the following instructions to implement a standard numbered ACL on your HQ router:
1. Firstly, let's create a numbered ACL to only allow traffic from PC1 on the 192.168.1.0/24 network to the 172.16.1.0/24 network while restricting all other devices:
HQ(config)# access-list 10 permit host 192.168.1.10
HQ(config)# access-list 10 permit 10.1.1.0 0.0.0.255
Please keep in mind that if we did not create a second ACE to permit traffic from the 10.1.1.0/24 network to 172.16.1.0/24, the replies coming back from the internet side to PC3 and PC4 would be dropped by the implicit deny any at the end of ACL 10, so PC3 and PC4 would not be able to communicate with devices on the internet side of the topology. A standard ACL filters on the source address only, so every source that must pass through the interface in the filtered direction needs its own permit entry.
2. Next, let's apply ACL 10 to the interface closest to the destination of the traffic and configure it to filter outbound traffic only:
HQ(config)# interface GigabitEthernet0/2
HQ(config-if)# ip access-group 10 out
HQ(config-if)# exit
3. Using the show access-lists command, you can verify the ACEs and their sequential order, as shown here:
Figure 13.17 – Verifying ACLs
4. Using the show ip interface command, you can verify the ACL that is assigned to an interface and the direction in which it is filtering traffic:
Figure 13.18 – Verifying ACLs on an interface
As shown in the preceding snippet, ACL 10 is applied to filter traffic leaving the GigabitEthernet0/2 interface on the router.
5. Now, let's check whether ACL 10 will allow PC1 to communicate with devices on the 172.16.1.0/24 network:
Figure 13.19 – Verifying connectivity
As shown in the preceding snippet, PC1 is able to communicate with PC3 on the 172.16.1.0/24 network.
6. Let's test whether our ACL is working correctly to restrict other devices on the 192.168.1.0/24 network. Try to ping from PC2 to any device within the 172.16.1.0/24 network:
Figure 13.20 – Checking connectivity
As expected, PC2 is unable to communicate with devices on the 172.16.1.0/24 network simply because our ACL was configured to allow only PC1 with a host address of 192.168.1.10.
7. Lastly, we can use the show access-lists command once more to verify which ACEs have been matched within an ACL:
Figure 13.21 – Verifying matches on ACEs
As shown in the preceding snippet, the permit ACE in ACL 10 has been matched four times simply because four ICMP messages were sent from PC1 to PC3. To clear the ACL counters, use the clear access-list counters command.
During this lab, you have learned how to create a standard numbered ACL on a Cisco IOS router to filter traffic between networks. In the next lab, we'll use a named ACL to only permit traffic from the 172.16.1.0/24 network to access devices on the internet side of the topology.
Lab – configuring a standard named ACL
In this lab, you will learn how to configure a standard named ACL to allow devices on the 172.16.1.0/24 network to communicate with devices on the internet side of our network topology. Our ACL will ensure that devices on the 192.168.1.0/24 network are denied. To complete this exercise, we'll be continuing from where we left off in the previous lab.
We'll be using the following topology and the same guidelines as before:
Figure 13.22 – Standard ACL lab topology
The objective of this lab is to demonstrate how to apply standard named ACLs to a Cisco router to filter traffic between devices and networks.
To get started with configuring a standard named ACL to meet our objective, take the following steps:
1. Use the following command to create a standard named ACL with the name INT_Access, as shown here:
HQ(config)# ip access-list standard INT_Access
2. Use the remark command to insert a description for the ACL:
HQ(config-std-nacl)# remark Allowing devices on the 172.16.1.0/24 network only.
3. Create an ACE with a placement of 10 to allow all traffic from the 172.16.1.0/24 network:
HQ(config-std-nacl)# 10 permit 172.16.1.0 0.0.0.255
HQ(config-std-nacl)# exit
4. Assign the INT_Access ACL to the interface facing the ISP and configure it to filter traffic leaving the HQ router:
HQ(config)# interface GigabitEthernet0/0
HQ(config-if)# ip access-group INT_Access out
HQ(config-if)# exit
Let's verify whether devices on the 172.16.1.0/24 network are able to communicate with devices on the internet side of the topology. On PC3, perform a ping test to the web server:
Figure 13.23 – Connectivity test
As shown in the preceding snippet, PC3 is able to communicate with the 10.1.1.0/24 network successfully.
5. Next, let's verify whether devices on the 192.168.1.0/24 network are able to reach devices on the 10.1.1.0/24 network. On PC1, perform a ping test to the web server, as shown here:
Figure 13.24 – Connectivity restricted
As expected, our new ACL is working perfectly, since devices on the 172.16.1.0/24 network are permitted to access and communicate with devices on the 10.1.1.0/24 network, while all other networks behind the HQ router are denied by the implicit deny any at the end of INT_Access.
6. Once more, we can use the show ip interface command to verify that the ACL has been applied correctly to the interface as intended:
Figure 13.25 – Verifying ACL placement on an interface
7. Lastly, we can use the show access-lists command to verify the number of hits an ACE is receiving for an ACL:
Figure 13.26 – Verifying ACEs
Having completed this lab, you have gained the essential skills required to configure and implement standard named ACLs on a Cisco IOS router. In the next lab, you will gain hands-on experience in terms of restricting access to the VTY lines on a router.
Lab – securing VTY lines using ACLs
In this lab, you will learn how to use ACLs to restrict remote access on your Cisco IOS router to only specific hosts or devices on a network. To complete this exercise, we'll be continuing from where we left off in the previous lab.
We'll be using the following topology and the same guidelines as before:
Figure 13.27 – Standard ACL lab topology
To get started setting up secure remote access and implementing ACLs on the VTY lines, use the following instructions:
1. Configure a password on the HQ router using the enable secret command to restrict access to Privileged EXEC mode:
Router(config)# enable secret cisco456
2. Change the default hostname of the HQ router:
Router(config)# hostname HQ
3. Join the HQ router to a domain (the hostname and domain name are used to name the RSA key pair in the next steps):
HQ(config)# ip domain-name ccnalab.local
4. Create a user account for remote access on the HQ router:
HQ(config)# username user1 secret sshpass
5. Generate an RSA key pair to secure the SSH traffic:
HQ(config)# crypto key generate rsa general-keys modulus 1024
The 1024-bit modulus is enough for the lab; on a production router, use a modulus of 2048 bits or more, since 1024-bit RSA keys are no longer considered adequate.
6. Configure the VTY lines on the HQ router to accept only SSH connections and check the local user database for authentication:
HQ(config)# line vty 0 15
HQ(config-line)# transport input ssh
HQ(config-line)# login local
HQ(config-line)# exit
Now that we have configured remote access with SSH on the HQ router, the following instructions will outline how to create an ACL to permit only PC3 to SSH into the HQ router.
7. Create a standard named ACL using the name Secure-VTY, as shown here:
HQ(config)# ip access-list standard Secure-VTY
8. Use the remark command to insert a description of the ACL and the ACEs:
HQ(config-std-nacl)# remark Securing incoming connections on VTY lines
9. Create a permit statement to allow only PC3 access to the HQ router, using the host keyword to specify the IP address of PC3 only:
HQ(config-std-nacl)# permit host 172.16.1.10
10. Insert another ACE to deny all other devices from establishing a remote session with the HQ router:
HQ(config-std-nacl)# deny any
HQ(config-std-nacl)# exit
The explicit deny any duplicates the implicit deny at the end of every ACL, but it gives you a match counter for rejected connection attempts in the output of show access-lists, which the implicit deny does not.
11. Next, apply the Secure-VTY ACL to the VTY lines on the HQ router to filter inbound connections on the VTY lines:
HQ(config)# line vty 0 15
HQ(config-line)# access-class Secure-VTY in
HQ(config-line)# exit
Note that access-class is used on lines, whereas ip access-group is used on interfaces. Applying the ACL with access-class filters connections to the VTY lines regardless of the interface they arrive on, and the transit traffic forwarded by the router is not affected.
12. Use the show access-lists command to verify the newly created ACL and its ACEs on the HQ router:
Figure 13.28 – Verifying ACLs
13. We can use the show running-config command to also verify that the ACLs on the router and the interface/lines have been applied:
Figure 13.29 – Checking the running-config file
14. Let's now attempt to establish an SSH session from PC1 to HQ to verify whether the Secure-VTY ACL is working as expected. Click on PC1, select the Desktop tab, and then click on Telnet/SSH Client:
Figure 13.30 – Telnet/SSH Client
15. Insert the IP address of the router, choose the SSH protocol, and set the username as shown in the preceding screenshot. The HQ router will deny the connection from PC1 or any device that is located on the 192.168.1.0/24 network.
The following snippet shows that the HQ router has terminated the SSH session because the ACL on the VTY lines restricted access to the router:
Figure 13.31 – Session terminated
16. The following screenshot illustrates an attempt to establish an SSH session from PC3 to the HQ router:
Figure 13.32 – Remote access
As shown in the preceding screenshot, PC3 is able to remotely connect to the HQ router.
17. Lastly, we can use the show access-lists command to verify the ACLs and their entries on a router:
Figure 13.33 – Verifying ACEs
Having completed this lab, you gained the hands-on skills to implement ACLs to secure the VTY lines on a Cisco IOS router. In the next section, we will take a deep dive into learning about the characteristics and use cases of extended ACLs.
Working with extended ACLs
Extended ACLs are sometimes the preferred choice as they allow you to filter specific traffic types, whereas standard ACLs match on the source address only. An extended ACL can match on the protocol, the source and destination addresses, and the source and destination ports. Extended ACLs use the following ranges of numbers:
100 to 199
2000 to 2699
To create a numbered extended ACL on a Cisco IOS router, use the global configuration access-list command, followed by a number within the range of 100 to 199 or 2000 to 2699 on the device.
Creating a numbered extended ACL
The following is the full syntax used to create a numbered extended ACL:
Router(config)# access-list access-list-number [deny | permit | remark] protocol source source-wildcard [operator port] destination destination-wildcard [operator port]
The following is a description of the new syntax used within an extended ACL:
protocol: Specifies the protocol type, such as ip, icmp, tcp, and udp. Port operators are only valid when the protocol is tcp or udp.
operator: Used to compare the source or destination ports. The eq operator means equal, gt means greater than, lt means less than, neq means not equal, and range allows you to specify a range of ports.
port: Allows you to indicate a source or destination port number or keyword. The operator and port that follow the source address apply to the source port; the pair that follows the destination address applies to the destination port. For a client connecting to a service, the well-known port is the destination port, so it is almost always the destination pair that you want.
The following are some examples of numbered extended ACLs:
The following commands will deny all FTP traffic from the 192.168.1.0/24 source network that is going to any destination:
Router(config)# access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 20
Router(config)# access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 21
Remember that ACL 100, as written so far, ends with the implicit deny any, so a permit ip any any ACE must be added after these two entries, or the ACL will block everything once it is applied.
The following command will block all ICMP traffic originating from the 172.16.1.0/24 network that has a destination of 10.0.0.0/8:
Router(config)# access-list 101 deny icmp 172.16.1.0 0.0.0.255 10.0.0.0 0.255.255.255
Next, let's take a look at how to implement a named extended ACL.
Implementing a named extended ACL
Since a numbered extended ACL does not contain a description unless a comment is inserted using the remark command, the network engineer will have a bit of difficulty understanding the purpose of it. On the other hand, if a network engineer creates a named extended ACL, they can use a descriptive name to improve human readability.
To create a named extended ACL, take the following steps:
1. Enter global configuration mode and use the following syntax to create a named extended ACL:
Router(config)# ip access-list extended name
You will then enter a new mode: extended (ext) named ACL (nacl) configuration mode.
2. Next, use the following syntax to create ACEs within the ACL:
Router(config-ext-nacl)# [sequence-number] [deny | permit | remark] protocol source source-wildcard [operator port] destination destination-wildcard [operator port]
The following snippet shows an example of creating and applying a named extended ACL:
Figure 13.34 – Creating a named extended ACL
Additionally, you can use various keywords rather than specifying an actual TCP/UDP port number after the operator (for example, eq). The following snippet shows an example of some keywords that can be used in place of a TCP/UDP port number:
Figure 13.35 – Keywords
Please keep in mind that these keywords are only applicable to extended ACLs and their configurations, since a standard ACL has no protocol or port fields to match on. In the next lab, you will learn how to implement extended ACLs in a Cisco environment.
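As an added example that is not code from the book, the following Python script models how a Cisco IOS router evaluates the ACLs built in this chapter: wildcard masks, top-down first-match evaluation, the implicit deny any at the end of every list, sequence numbers, port operators with port keywords, and the match counters that show access-lists reports. It serves both the standard ACL labs earlier in the chapter and the extended ACL syntax just described. The class and function names are this example's own, and the addresses used for PC2, PC4 and the web server in the checks are placeholders in the correct subnets because the text does not list them.

```python
"""Cisco-IOS-style ACL evaluator (added example; not code from the book)."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Subset of the port keywords IOS accepts after eq/neq/gt/lt/range.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "domain": 53, "www": 80, "pop3": 110, "https": 443}
ANY = ("0.0.0.0", "255.255.255.255")      # what the 'any' keyword expands to
OPS = ("eq", "neq", "gt", "lt", "range")
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=("ip", 0, 0))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard mask: a 0 bit must match the network, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0

def port_ok(rule: Optional[tuple], port: int) -> bool:
    """rule is None (no operator) or (op, port[, high]) as parsed from the ACE."""
    if rule is None:
        return True
    op, lo, hi = rule[0], rule[1], rule[-1]
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= hi}[op]

@dataclass
class ACE:
    seq: int
    action: str                    # permit or deny
    proto: str                     # ip, tcp, udp or icmp; always 'ip' in a standard ACL
    src: tuple                     # (network, wildcard)
    dst: tuple = ANY               # a standard ACL never looks at the destination
    sport: Optional[tuple] = None
    dport: Optional[tuple] = None
    hits: int = 0                  # the "(n matches)" counter of show access-lists

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)
                and port_ok(self.sport, p.sport) and port_ok(self.dport, p.dport))

def _addr(t: list) -> tuple:
    """Consume 'any' | 'host A' | 'A WILDCARD' from the front of the token list."""
    x = t.pop(0)
    return ANY if x == "any" else (t.pop(0), "0.0.0.0") if x == "host" else (x, t.pop(0))

def _ports(t: list) -> Optional[tuple]:
    """Consume an optional 'op port' or 'range lo hi'; names map through PORT_NAMES."""
    if not t or t[0] not in OPS:
        return None
    op = t.pop(0)
    vals = [t.pop(0) for _ in range(2 if op == "range" else 1)]
    return (op, *[PORT_NAMES.get(v) or int(v) for v in vals])

class ACL:
    """Ordered ACEs, evaluated top-down; first match wins; implicit 'deny any' last."""

    def __init__(self, name: str, extended: bool):
        self.name, self.extended, self.aces, self.implicit_denies = name, extended, [], 0

    def add(self, line: str) -> None:
        """One ACE as typed in (config-std-nacl) or (config-ext-nacl) mode."""
        t = line.split()
        seq = int(t.pop(0)) if t[0].isdigit() else (self.aces[-1].seq + 10 if self.aces else 10)
        if t[0] == "remark":                      # remarks are comments, never matched
            return
        if any(a.seq == seq for a in self.aces):  # IOS refuses a reused sequence number
            raise ValueError(f"% Duplicate sequence number {seq}")
        action = t.pop(0)
        if self.extended:
            proto, src, sp = t.pop(0), _addr(t), _ports(t)
            dst, dp = _addr(t), _ports(t)
            self.aces.append(ACE(seq, action, proto, src, dst, sp, dp))
        else:
            self.aces.append(ACE(seq, action, "ip", _addr(t)))
        self.aces.sort(key=lambda a: a.seq)

    def check(self, p: Packet) -> str:
        for ace in self.aces:
            if ace.matches(p):
                ace.hits += 1
                return ace.action
        self.implicit_denies += 1                 # the unseen last line of every ACL
        return "deny"

def build_lab_acls() -> dict:
    """The two HQ ACLs from the labs, entered exactly as typed on the router."""
    acl10 = ACL("10", extended=False)             # applied 'out' on Gi0/2 (towards 172.16.1.0/24)
    acl10.add("permit host 192.168.1.10")
    acl10.add("permit 10.1.1.0 0.0.0.255")
    ftp = ACL("Restrict-FTP", extended=True)      # applied 'in' on Gi0/2
    ftp.add("remark Restricting FTP service to only PC4")
    ftp.add("10 deny tcp host 172.16.1.10 any eq ftp-data")
    ftp.add("15 deny tcp host 172.16.1.10 any eq ftp")
    ftp.add("20 permit ip any any")
    return {"10": acl10, "Restrict-FTP": ftp}
```

Feed an ACL a Packet for each direction of a flow and it answers permit or deny the way the router would; the hits attribute of each ACE and the implicit_denies counter then show which line did the work. Two things worth trying: adding a second ACE with a sequence number that is already in use raises the same "Duplicate sequence number" error IOS prints, and an ACE with eq 22 placed after the source address (option D in question 8 at the end of this chapter) never matches a client connecting to SSH, because it tests the source port.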
Lab – implementing extended ACLs
In this lab, you will learn how to configure an extended ACL to restrict certain traffic types between networks. To complete this exercise, we'll be continuing from where we left off in the previous lab.
We'll be using the following topology and the same guidelines as before:
Figure 13.36 – Standard ACL lab topology
The objective of this lab is to filter FTP traffic between the 172.16.1.0/24 network and the web server. However, we want to permit only PC4 to use FTP while blocking all others within the network.
To get started implementing the extended ACL, take the following steps:
1. Firstly, let's configure the FTP service on the server. Click on Server, select the Services tab, then FTP, and create a user account with the privileges shown here, and then click Save:
Figure 13.37 – FTP server configurations
2. Next, let's attempt to remotely access the FTP server from PC4 to verify connectivity and that FTP is working correctly:
Figure 13.38 – Verifying FTP
As shown in the preceding snippet, we are able to authenticate to the FTP server and execute various FTP commands.
3. Use the following commands to create an extended named ACL and add a description:
HQ(config)# ip access-list extended Restrict-FTP
HQ(config-ext-nacl)# remark Restricting FTP service to only PC4
4. Create ACEs with placement values of 10 and 15 to deny only PC3 from accessing any remote FTP servers (each ACE needs its own sequence number; IOS rejects a duplicate):
HQ(config-ext-nacl)# 10 deny tcp host 172.16.1.10 any eq 20
HQ(config-ext-nacl)# 15 deny tcp host 172.16.1.10 any eq 21
The entry for port 21 is the one that blocks the FTP control connection, and with it the login. Port 20 is the server-side source port of an active-mode data connection, so a client-to-port-20 rule is rarely matched; it is included here to mirror the numbered example earlier in the chapter.
5. Create another ACE, using a placement value of 20, to allow all other IP traffic types originating from the 172.16.1.0/24 network:
HQ(config-ext-nacl)# 20 permit ip any any
HQ(config-ext-nacl)# exit
6. Apply the extended ACL inbound on the GigabitEthernet0/2 interface of the HQ router, which is the interface facing the 172.16.1.0/24 network:
HQ(config)# interface GigabitEthernet0/2
HQ(config-if)# ip access-group Restrict-FTP in
HQ(config-if)# exit
Please keep in mind that it's recommended to apply extended ACLs closest to the source of the traffic, while standard ACLs are to be applied closest to the destination of the traffic. An extended ACL can identify the exact flow, so dropping it at the first hop saves bandwidth and processing on the rest of the path; a standard ACL only knows the source, so placing it near the source would also cut that source off from destinations it should still be allowed to reach.
7. Let's now use the show access-lists command to verify the ACLs, as shown here:
Figure 13.39 – Verifying ACLs
8. Next, head on over to PC3 to verify connectivity to the server and check whether PC3 is able to access the FTP service:
Figure 13.40 – PC3 checking the FTP service
As shown in the preceding snippet, ICMP messages and other IP traffic can be sent between the 172.16.1.0/24 network and any remote networks. However, the ACL does not allow FTP traffic from PC3 to any other remote devices.
9. Now, let's check whether PC4 is able to access the remote FTP server:
Figure 13.41 – PC4 checking the FTP service
As shown in the preceding screenshot, PC4 is able to access the FTP service on the remote server. This corroborates the fact that our extended ACL is configured correctly and working as expected.
10. Lastly, we can verify the number of matches on our extended ACL by using the show access-lists command:
Figure 13.42 – Verifying ACE matches
Having completed this lab, you have gained hands-on experience in terms of configuring and implementing extended ACLs on a Cisco network to filter various traffic types between devices and networks.
Summary
Throughout this chapter, we've discussed the roles and functions that ACLs play on an enterprise network. We also dived into discussing the operations of ACLs on a Cisco IOS router and how they are applied to an interface. Lastly, we covered both standard and extended ACLs and how they can be used in various situations.
Having completed this chapter, you have learned how to configure both standard and extended ACLs on a Cisco router. Furthermore, you have learned how ACLs function and filter traffic based on their ACEs.
I hope this chapter has been informative for you and that it will prove helpful in your journey toward learning how to implement and administrate Cisco solutions and prepare for the CCNA 200-301 certification. In the next chapter, Chapter 14, Implementing Layer 2 and Wireless Security, you will learn about various Layer 2 attacks and how to implement mitigation techniques and countermeasures.
Questions
The following is a short list of review questions to help reinforce your learning and help you identify areas that may require some improvement:
1. Which type of ACL allows you to filter Telnet traffic?
A. Inbound
B. Outbound
C. Standard
D. Extended
2. Which type of ACL allows you to filter traffic based on its origin?
A. Outbound
B. Standard
C. Inbound
D. Extended
3. If a packet does not match any ACEs within an ACL, what will the router do?
A. Allow the packet.
B. Return the packet to the sender.
C. Drop the packet.
D. Do nothing.
4. An inbound ACL has which of the following characteristics?
A. It filters traffic as it enters a router.
B. It filters traffic before it leaves a router.
C. It stops a router from performing a route lookup.
D. It filters traffic after it leaves a router.
5. Which command can be used to verify the direction in which an ACL is filtering traffic?
A. show access-lists
B. show access control lists
C. show interface
D. show ip interface
6. Which of the following wildcard masks is used to match all corresponding bits in an octet?
A. 11111111
B. 00000001
C. 00000000
D. 10000000
7. Which ACL statement accurately blocks all traffic from the 192.168.50.0/24 network?
A. access-list 20 deny 192.168.50.0 0.0.0.255
B. access-list 101 deny 192.168.50.0 0.0.0.255
C. access-list 20 deny 192.168.50.0 any
D. access-list 20 deny any 192.168.50.0 0.0.0.255
8. Which of the following ACL statements blocks SSH traffic originating from the 172.16.1.0/24 network?
A. access-list 101 deny ip 172.16.1.0 0.0.0.255 any eq 22
B. access-list 101 deny tcp 172.16.1.0 0.0.0.255 any eq 22
C. access-list 101 deny udp 172.16.1.0 0.0.0.255 any eq 22
D. access-list 101 deny tcp 172.16.1.0 0.0.0.255 eq 22 any
9. Which command allows you to apply an ACL to the VTY lines?
A. ip access-group
B. access-group
C. access-class
D. ip access-class
10. Which command allows you to apply an ACL to an interface?
A. ip access-group
B. access-group
C. access-class
D. ip access-class
Further reading
The following links are recommended for additional reading:
Configuring IP access lists: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
Commonly used IP ACLs: https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html
Access list commands: https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-0/addr_serv/command/reference/ir40asrbook_chapter1.html
Chapter 14: Implementing Layer 2 and Wireless Security
Implementing network security practices and configurations should be like second nature to a network engineer. As a professional, it's important that you learn about various Layer 2 threats and how a threat actor can take advantage of vulnerabilities found within various Layer 2 network protocols. Our job is to make the organization's network safe and free from cyber attacks.
During the course of this chapter, you will learn about the need to use a defense-in-depth (DiD) approach to secure both your users and devices on a network. Furthermore, you will learn how to identify various Layer 2 threats and attacks that are used to compromise an organization. Lastly, you will gain the knowledge and hands-on experience to implement various Layer 2 security controls to prevent and mitigate such attacks.
In this chapter, we will cover the following topics:
Types of Layer 2 attacks on a network
Protecting against Layer 2 threats
Wireless network security
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the following software requirements:
Cisco Packet Tracer: https://www.netacad.com
The code files for this chapter are available at: https://github.com/PacktPublishing/Implementing-and-Administering-Cisco-Solutions/tree/master/Chapter%2014.
Check out the following video to see the Code in Action: https://bit.ly/3coKE2Q
Types of Layer 2 attacks on a network
Throughout your journey, you will be exposed to many exciting technologies and environments. One such area an IT professional needs to know is cybersecurity and network security. As a network engineer, you won't always be designing and implementing networking technologies, but will also be responsible for the security of the network and its users. Today, new threats keep surfacing as hackers develop new strategies and tools to compromise their targets.
Nowadays, hackers don't just hack for fun. Some hackers create sophisticated malware such as ransomware to encrypt all the data on your computer and request that you pay a ransom to release your assets (data). Currently, there's a huge shortage of cybersecurity professionals in the world to combat the growing number of cyber threats on the internet. As a network engineer, you also play an important part in helping organizations secure their network and prevent various types of cyber threats and attacks.
In the following sections, you will learn about various network attacks and how a multilayered approach such as DiD is used to reduce the risk of a cyber attack.
Network attacks
Each day on various cyber news media, you read about how both large and small organizations have succumbed to some type of cyber attack. As the former CEO of Cisco, John Chambers, once said back in 2015:
There are two types of companies: those who have been hacked, and those who don't yet know they have been hacked.
This statement is very accurate as many organizations do not pay a great amount of attention to their network security posture. Some have the mindset that their organization is 100% protected or that their network has nothing valuable for attackers.
In reality, no system or network is 100% secure. There are many vulnerabilities that exist: those we know about and others we have not yet discovered. The great challenge we face as security professionals is to discover all hidden vulnerabilities before a threat actor such as a hacker has the opportunity to do so.
Every system and network always holds something of value. A smartphone has gigabytes of valuable data pertaining to its user, including geolocation data, contact details, images and videos, logs relating to all their activities, and much more. On a network, your network devices and systems are storing data as they exchange messages. Your network switches and routers store Media Access Control (MAC) and IP addresses, contain user accounts for remote access, log messages of various transactions, including the forwarding of frames and packets, and so on. To a hacker, such data is very valuable.
Tip
Keeping up to date with the latest cybersecurity news can be somewhat challenging. I personally recommend checking The Hacker News website for the latest cyber news: https://thehackernews.com
Organizations are usually victims of the following cyber attacks:
Data breaches
Malware
Distributed Denial of Service (DDoS)
The most valuable asset in any organization today is data. Hackers are simply not just hacking for fun anymore; well, some do, but others are evolving the game into organized crime. Threat actors are aiming to gain access to your network and steal your data. Once an attacker is able to exfiltrate data from your computers or servers, the hacker can publish or sell your organization's confidential records on the dark web or to your competitor.
Sometimes, a threat actor such as a hacker may develop malware to compromise your systems and networks. Some malware, such as ransomware and crypto-malware, can hold your data hostage. These types of malware are designed to exploit a vulnerability within your system, compromise the host machine, and encrypt all the data on the local disk drive except the operating system. One such ransomware is WannaCry, which exploited a vulnerability within the Microsoft Windows operating system and took advantage of a security weakness in SMB 1.0 as defined by Microsoft Security Bulletin MS17-010. Once a system was compromised, the ransomware presented a window on the user's desktop requesting that a ransom be paid in bitcoins.
Important note
To learn more about Microsoft Security Bulletin MS17-010, please refer to the following URL: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
Sometimes, threat actors may not want to gain access to or compromise a system. Some hackers may want to disrupt an organization's services or resources. Hackers may execute their idea by launching a DDoS attack from multiple geographic sources. Occasionally, this may entail a coordinated attack by a group of hackers or perhaps be executed using a botnet.
Tip
To view recorded DDoS attacks around the globe, check out Digital Attack Map using the following URL: www.digitalattackmap.com
One example of such a service is an organization's website. Sometimes, hacktivists organize among themselves to take down various websites and disrupt services as a means of online protesting on behalf of a social or political cause.
Preventing all types of cyber attacks is very challenging. In the following section, we will take a dive into discussing a strategic approach to reduce the risk of cyber threats and attacks on a network.
Defense in depth
Having a single layer of security to protect your organization is no longer sufficient to stop newly emerging threats. Many organizations may implement a network-based firewall within their enterprise network and think they are well protected from all cyber threats, while some may only implement a host-based anti-virus and host-based firewall on their employees' devices and think they are safe, too. These are just some examples of using a single-layer approach to protecting assets within an organization. This method of using a single component, such as a network-based firewall or anti-malware, simply no longer cuts it when it comes to combatting cyber attacks and threats.
A DiD approach is where multiple layers of security are used to help safeguard an organization and its users. A DiD approach ensures that multiple security components are implemented to protect all assets, including data and the communication methods in use. In addition to using a network-based firewall and anti-malware protection, how about implementing email and web security appliances to filter both inbound and outbound threats, or network-based intrusion prevention (NIPS) and host-based intrusion prevention (HIPS) systems to detect threats as they pass along your network?
One recommended security appliance is a next-generation firewall (NGFW). This security appliance has the ability to perform stateful packet inspection and application visibility/control for all inbound and outbound network traffic. Furthermore, with the Cisco NGFW, you can enable the next-generation intrusion prevention system (NGIPS) module for added security together with Cisco Advanced Malware Protection (AMP).
Within some companies, there are employees who work remotely and require access to the corporate network. Accessing the corporate network over an untrusted network in the clear is not a good idea. To ensure that your remote workers access the corporate network securely, use either a Virtual Private Network (VPN)-enabled router or a firewall appliance with remote access VPN capabilities.
In the following sub-sections, you will learn more about endpoint protection, and Cisco's email and web security appliances.
Endpoint protection
Endpoints are commonly the devices most susceptible to malware and other cyber threats. Endpoints are host devices, such as desktops, laptops, IP phones, and servers. Some of these devices rely on traditional host-based anti-virus or anti-malware protection, host-based firewalls, and host-based intrusion detection systems. However, this is a single layer of security and, with the rise in newer and more sophisticated malware, you require a multi-layer approach such as implementing DiD.
To improve the protection of endpoints within an organization, it's better to use a combination of various security components to reduce the risk of a cyber attack. Cisco has a solution called AMP for Endpoints, which, as the name suggests, detects and prevents malware on endpoint devices. To help protect your users from email threats and attackers, the Cisco Email Security Appliance (ESA) can be implemented, and, to protect your users' web-based traffic, the Cisco Web Security Appliance (WSA) performs web filtering and malware protection.
Cisco Email Security Appliance
Safeguarding your employees from various types of social engineering attacks such as phishing and spear phishing is crucial. According to the SANS Institute, in one of their reports, spear-phishing attacks account for approximately 95% of attacks on an enterprise network. Furthermore, Cisco Talos Intelligence Group also stated that approximately 85% of all email messages sent were spam, as reported in 2019.
The Cisco ESA is designed to monitor all inbound and outbound emails of an organization. It is capable of blocking known threats, providing remediation against threats that have evaded initial detection mechanisms, blocking email messages that contain bad or malicious links, restricting access to websites newly infected by malware, and also provides the ability to encrypt outbound emails and provide data loss prevention (DLP).
The following diagram shows the processing sequence for all inbound email messages on the ESA:
Figure 14.1 – ESA incoming mail processing
The following diagram shows the processing sequence for all outbound email messages on the ESA:
Figure 14.2 – ESA outgoing mail processing
Sometimes, a compromised system may be attempting to spread malware by sending email messages with malicious content to others. The outbound filters are designed to prevent the spread of an outbreak to the internet, to stop malware or threat actors from damaging the reputation of the organization's domain name, and, with DLP enabled, to prevent users from sending confidential information outside the company's network via email messages.
Cisco Web Security Appliance
Protecting your employees against web-based threats is another important part of securing your organization. The Cisco Web Security Appliance (WSA) facilitates the mitigation of web-based threats while controlling inbound and outbound web traffic. The Cisco WSA enables you to control how your users within the organization access the internet.
The Cisco WSA provides the following capabilities:
Web application filtering
URL filtering and malware scanning
Web access restrictions based on time and bandwidth limits
All web-based traffic leaving an organization's network is sent to the Cisco WSA before it is sent to the internet. If the Cisco WSA determines that the outbound traffic is safe and the destination is trusted, the WSA will forward the traffic. If the destination is not trusted or is unsafe, the WSA will discard the packet.
In this section, you have learned about the need to implement a DiD strategy to help protect your organization from various cyber attacks and threats. In the next section, we'll take a deep dive into discussing various Layer 2 threats that are harmful to your internal network.
Layer 2 threats
Network professionals commonly implement various network security solutions to keep their corporate network safe from threat actors. Such network solutions may include network-based firewall appliances, IPS, and may even use VPNs for remote workers. However, such devices and components usually protect data between Layer 3 and Layer 7 of the OSI model.
If a lower layer such as Layer 2 is compromised by an attacker, the upper layers are compromised as well. Imagine a scenario where an attacker is able to intercept all traffic, such as frames at Layer 2, within your corporate network. In such an event, the security implemented to protect the upper layers will be of little use in preventing the attack.
The following diagram shows both the OSI reference model and the TCP/IP protocol suite:
Figure 14.3 – Data Link layer
To protect Layer 2, Cisco has incorporated many Layer 2 attack mitigation features in their switches. As a network engineer, it's important that you learn about the various types of attacks that occur at Layer 2 and how to implement security features on Cisco switches to mitigate such attacks.
In the following sections, you will learn about various types of Layer 2 attacks that can occur on an enterprise network and how to implement countermeasures to safeguard your network.
CAM table overflow
Switches are the networking devices that allow us to connect our end devices, such as computers, to the network and access resources. A switch learns the source MAC address of each inbound frame, together with the port and VLAN on which it arrived, and forwards frames by looking up the destination MAC address in that table. For each frame that enters a switch's interface, the source MAC address is recorded in the switch's MAC address table, as shown here:
Figure 14.4 – MAC address table
As shown, the show mac address-table command is used to view a list of MAC addresses that were learned on a specific interface and VLAN. A switch stores these MAC addresses in its Content Addressable Memory (CAM) table. To put it simply, the CAM table does not have infinite storage capacity. Each switch has a limit in terms of the number of MAC addresses it is able to store. One such example is a Cisco switch that may be able to store 8,000 addresses, while another model may be able to store more. Cisco IOS switches have a default aging/inactivity timer of 300 seconds (5 minutes) for any MAC addresses within the CAM table. If a switch detects no activity from a MAC address for 300 seconds, it will automatically remove it from the CAM table to make storage available for new addresses.
The following snippet shows an example of the size of the CAM table for a Cisco IOSv L2 switch:
Figure 14.5 – Checking CAM table capacity
Keep in mind that not all models of Cisco switches have the same storage capacity on their CAM table. Even though the figure seems to be very large in the preceding snippet, it is still a finite number. One vulnerability that exists is that, once the CAM table is full, the switch can no longer learn new source MAC addresses, so every frame destined for a MAC address that is not in the table is flooded out of all other ports in the same VLAN. For those frames, the switch behaves like a hub on the network.
Attackers can flood unsolicited frames with fake source MAC addresses into a switch to fill the CAM table. When the CAM table is filled, the attacker does not stop the attack, so legitimate entries that age out cannot be learned again. The switch will then flood the traffic for those hosts out of all other interfaces in the VLAN, and the attacker can capture all network traffic that is being forwarded out of the switch. This is known as a CAM table overflow attack.
Important note
Since each interface can be assigned to a Virtual Local Area Network (VLAN), if an attacker floods unsolicited, bogus frames into a switch during a CAM table overflow attack, the switch will only flood traffic to the other ports in the same VLAN.
Thefollowingdiagramshowsanexampleofanetworkimplantinjectingbogusframesintoaswitch:
Figure14.6–CAMtableoverflow
Intheprecedingdiagram,theattackerhasimplantedaRaspberryPiwithKaliLinuxandisusingspecialtoolssuchasmacoforyersiniatofloodthe
switchwithunsolicitedframes.
Thefollowingsnippetshowsmacofgeneratingbogusframes:
Telegram Channel : @IRFaraExam
Figure14.7–Themacoftool
Duringtheattack,theswitch'sCAMtablewillexceeditslimitationandbeginfloodingallincomingtrafficoutofallotherinterfaces.Inthediagram,wecanseethatPC2issendingtraffictotheswitch,buttheswitchisforwardingittounintendeddestinationsandtheattackerisabletocapturePC2'straffic.
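The following Python model is an added example and is not code from the book. It shows why a full CAM table turns the switch into a hub, using the 300-second aging timer described above; the table capacity (8 entries), port names, and MAC addresses are constructed for the walk-through. It also makes the aging detail visible: once PC2 goes quiet for longer than the timer its entry is removed, and because the implant keeps the table full PC2's address is never re-learned, so every frame addressed to PC2 is flooded, including to the attacker's port.

```python
"""Model of a switch's finite CAM table (added example, not from the book).

Capacity, port names and MAC addresses below are constructed; the 300-second
aging timer is the Cisco IOS default described in the text.
"""

CAM_CAPACITY = 8       # constructed: tiny so the overflow is easy to follow
AGING_SECONDS = 300    # Cisco IOS default MAC address aging time


class CamTable:
    """Source-MAC learning table with a capacity limit and an inactivity timer."""

    def __init__(self, capacity=CAM_CAPACITY, aging=AGING_SECONDS):
        self.capacity = capacity
        self.aging = aging
        self.entries = {}          # mac -> (port, last_seen_seconds)
        self.learn_failures = 0    # frames whose source MAC could not be stored

    def age_out(self, now):
        """Remove entries that have been silent for at least the aging time."""
        stale = [mac for mac, (_, seen) in self.entries.items() if now - seen >= self.aging]
        for mac in stale:
            del self.entries[mac]

    def learn(self, src_mac, port, now):
        """Record the source MAC of an inbound frame; return False if the table is full."""
        self.age_out(now)
        if src_mac in self.entries or len(self.entries) < self.capacity:
            self.entries[src_mac] = (port, now)
            return True
        self.learn_failures += 1
        return False

    def forward(self, dst_mac, ingress_port, all_ports, now):
        """Return the egress ports: one port for a known destination, otherwise a flood."""
        self.age_out(now)
        if dst_mac in self.entries:
            return {self.entries[dst_mac][0]}
        return {p for p in all_ports if p != ingress_port}   # unknown unicast: hub behaviour


def bogus_mac(i):
    """Constructed attacker source MAC number i."""
    return f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}"


def simulate_overflow(bogus_frames=20):
    """Replay the Figure 14.6 scenario: PC1 on Fa0/1, PC2 on Fa0/2, implant on Fa0/3.

    Returns the egress set for a PC1 -> PC2 frame before and after the flood.
    """
    ports = {"Fa0/1", "Fa0/2", "Fa0/3"}
    cam = CamTable()
    pc1, pc2 = "00:00:00:00:00:01", "00:00:00:00:00:02"
    t = 0
    cam.learn(pc1, "Fa0/1", t)
    cam.learn(pc2, "Fa0/2", t)
    before = cam.forward(pc2, "Fa0/1", ports, t)          # known destination: only Fa0/2
    for i in range(bogus_frames):                          # the implant fills the table
        cam.learn(bogus_mac(i), "Fa0/3", t + i)
    # PC2 stays quiet for one aging period, so its entry is removed; the implant
    # keeps the table full, so PC2's address can never be learned again.
    t += AGING_SECONDS
    for i in range(bogus_frames):
        cam.learn(bogus_mac(i), "Fa0/3", t + i)
    after = cam.forward(pc2, "Fa0/1", ports, t + bogus_frames)   # unknown: flooded, Fa0/3 included
    return before, after


if __name__ == "__main__":
    print(simulate_overflow())
```

Running `simulate_overflow()` returns `({'Fa0/2'}, {'Fa0/2', 'Fa0/3'})`: the same PC1-to-PC2 frame that was delivered only to Fa0/2 before the flood is afterwards copied to the implant's port as well. The `learn_failures` counter is the kind of signal a switch exposes as MAC-learning drops, which is worth alerting on.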
VLAN attacks

By default, each interface on a Cisco IOS switch uses the Dynamic Trunking Protocol (DTP) to automatically negotiate the interface mode with the device connected to it. In Chapter 5, Implementing VLANs, Layer 2 Discovery Protocols, and EtherChannels, we discussed DTP in further detail and how it is used to automatically negotiate either an Access or Trunk interface on Cisco switches. Since all interfaces on a Cisco IOS switch use the default mode of dynamic auto, an attacker can use their machine to create an unauthorized trunk between the attacker's machine and the switch.

The following diagram shows how an attacker has enabled an unauthorized trunk on a small network:

Figure 14.8 – Unauthorized Trunk

As shown in the preceding diagram, the attacker will be able to access any VLAN on the switch. Furthermore, the attacker is able to send and receive traffic on any VLAN on the switch. This is known as a VLAN Hopping attack.

The following snippet shows how easily an attacker can attempt to enable trunking using a tool such as yersinia:

Figure 14.9 – Yersinia DTP attacks

In another scenario, an attacker can insert another VLAN tag into an already tagged frame. This is known as VLAN Double Tagging. In simple terms, the attacker embeds their own 802.1Q tag within a frame that already has an 802.1Q tag. To get a better understanding of how this attack works, let's take a closer look at the following diagram:

Figure 14.10 – VLAN double tagging

Based on the preceding diagram, the following is the sequence of actions that occurs on the network:

1. In step 1, the attacker sends a double-tagged frame to SW1. The outer tag of the frame contains the VLAN ID of the interface the attacker is connected to, which is the native VLAN (99). The inner 802.1Q tag (30) of the frame is also inserted by the attacker.

2. In step 2, when SW1 receives the double-tagged frame, it inspects only the outer tag (VLAN 99) and forwards the frame out of all VLAN 99 interfaces after removing the outer tag (99). The inner VLAN tag, VLAN 30, is still intact and was not inspected by the first switch.

3. In step 3, when SW2 receives the frame, it inspects the inner 802.1Q tag that was inserted by the attacker (VLAN 30). The switch will then forward the frame to the target VLAN by flooding it out of all VLAN 30 interfaces, or directly to the target machine if the MAC address of the target is known.

In a VLAN double tagging attack, the transmission is always unicast. This attack works only if the attacker's machine is connected to an interface that is assigned the same native VLAN as the trunk interfaces. Additionally, this attack allows the attacker to communicate with a target on a VLAN that is restricted or blocked by security controls on the network.
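The three steps above can be followed byte by byte. The Python below is an added example, not code from the book: it assembles the double-tagged frame from Figure 14.10, parses its 802.1Q tags, and models how SW1's access port strips the outer tag, how the trunk sends native-VLAN frames untagged, and how SW2 classifies what arrives. The MAC addresses and payload are constructed; the VLAN numbers (99 native, 30 target) are the ones in the text. The last function also shows the condition the paragraph states: when the trunk's native VLAN differs from the attacker's access VLAN, SW1 re-tags the frame and SW2 keeps it in VLAN 99.

```python
"""802.1Q double-tagging walk-through (added example, not from the book).

Builds the frame from Figure 14.10 as bytes, parses its tags, and models how
SW1 (access port in VLAN 99) and SW2 (trunk) handle it. MAC addresses and the
payload are constructed.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, vlan_tags, payload, ethertype=ETHERTYPE_IPV4):
    """Assemble an Ethernet frame with zero or more 802.1Q tags, outermost first (PCP/DEI = 0)."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for vid in vlan_tags:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VLAN IDs outermost first, inner ethertype, payload offset)."""
    tags, offset = [], 12
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            return tags, ethertype, offset + 2
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(tci & 0x0FFF)
        offset += 4


def strip_outer_tag(frame):
    """Remove the first 802.1Q tag (the 4 bytes after the two MAC addresses)."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert an 802.1Q tag directly after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def sw1_access_ingress(frame, access_vlan):
    """SW1 access port: accept an untagged frame or one tagged with its own VLAN (tag stripped)."""
    tags, _, _ = parse_tags(frame)
    if not tags:
        return access_vlan, frame
    if tags[0] == access_vlan:
        return access_vlan, strip_outer_tag(frame)
    return None, None                      # tagged with another VLAN: dropped


def trunk_egress(vlan, frame, native_vlan):
    """Frames in the native VLAN leave a trunk untagged; all others get a tag pushed."""
    return frame if vlan == native_vlan else push_tag(frame, vlan)


def sw2_trunk_ingress(frame, native_vlan):
    """SW2 classifies a trunk frame by its outermost tag, or as native VLAN if untagged."""
    tags, _, _ = parse_tags(frame)
    return tags[0] if tags else native_vlan


def delivered_vlan(access_vlan, trunk_native_vlan, inner_vlan):
    """VLAN in which SW2 ends up forwarding the attacker's double-tagged frame (None if SW1 drops it)."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "cc:cc:cc:cc:cc:cc",
                        [access_vlan, inner_vlan], b"constructed payload")
    vlan, frame = sw1_access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    frame = trunk_egress(vlan, frame, trunk_native_vlan)
    return sw2_trunk_ingress(frame, trunk_native_vlan)


if __name__ == "__main__":
    print("native VLAN shared with access port:", delivered_vlan(99, 99, 30))    # 30
    print("native VLAN used only on trunks:   ", delivered_vlan(99, 999, 30))   # 99
```

`delivered_vlan(99, 99, 30)` returns 30, which is the scenario in the figure. `delivered_vlan(99, 999, 30)` returns 99: SW1 strips the outer tag as before, but because VLAN 99 is no longer the trunk's native VLAN it pushes a VLAN 99 tag back on, and SW2 reads that tag first. That is exactly why the recommendations that follow keep the native VLAN off every access port.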
To prevent both VLAN hopping and VLAN double tagging attacks, adhere to the following recommendations:

Make sure that you disable trunking on all your access ports on the switches. To do this, use the following interface mode command on your access ports:

Switch(config)#interface GigabitEthernet 0/1
Switch(config-if)#switchport mode access

Make sure that you disable DTP on all interfaces by using the following interface mode command:

Switch(config)#interface GigabitEthernet 0/1
Switch(config-if)#switchport nonegotiate

Configure your trunk interfaces manually by using the following interface mode command:

Switch(config)#interface GigabitEthernet 0/2
Switch(config-if)#switchport mode trunk

Make sure that the native VLAN is used only on your trunk links.

Make sure that you do not use VLAN 1 as the native VLAN.

In Chapter 5, Implementing VLANs, Layer 2 Discovery Protocols, and EtherChannels, the labs found within the chapter applied all the aforementioned recommendations as good practice. Feel free to revisit the chapter and the labs to gain hands-on experience by applying these configurations in a Cisco environment.
DHCP attacks

In Chapter 10, Implementing Network Services and IP Operations, you learned about a variety of IP services, including the Dynamic Host Configuration Protocol (DHCP), its purpose, and its operations. Similar to many TCP/IP network protocols, DHCP was not designed with security mechanisms. On a network, an attacker can perform two types of DHCP attacks. These are as follows:

DHCP starvation

DHCP spoofing

In a DHCP starvation attack, the goal of the attacker is to create a denial of service (DoS) for any client machine that is requesting IP configurations from a DHCP server. The attacker can use a tool such as yersinia to generate unsolicited fake DHCP Discover messages with spoofed source MAC addresses. When the DHCP server receives each DHCP Discover message, it will attempt to provide an available IP address from its DHCP pool. By flooding the DHCP server with hundreds or even thousands of bogus DHCP Discover messages, the DHCP pool will eventually be exhausted. Therefore, any connected client machine that requires a leased IP address will be denied and won't be able to communicate on the network without a valid IP address.

The following screenshot shows various DHCP attacks that can be performed using yersinia:

Figure 14.11 – Yersinia interface

As indicated in the preceding screenshot, window 1 allows a penetration tester or an attacker to execute various types of DHCP attacks on a network. Window 2 allows you to further customize the source DHCP messages from the attacker machine.

In a DHCP spoofing attack, the attacker inserts a rogue DHCP server on the network to provide false IP configurations to legitimate clients. A rogue DHCP server can provide the following to clients:

Incorrect default gateway: This will cause legitimate hosts to forward their internet-based traffic to the attacker's machine, creating the effect of a man-in-the-middle attack as well.

Incorrect IP addressing: An incorrect IP address and subnet mask are assigned to clients on the network. An incorrect IP address and/or subnet mask will prevent a host from communicating with other devices.

Incorrect DNS server: By providing clients with a rogue DNS server, the attacker can control the hostname-to-IP-address lookup information. Thus, clients can be redirected to malicious websites.

To get a better understanding of what occurs when an attacker connects a rogue DHCP server to a network, let's take a look at the following diagram and scenario:

Figure 14.12 – Rogue DHCP server

Based on the preceding diagram, there is a legitimate DHCP server and the attacker has connected a rogue DHCP server to the same network. The following is the sequence of events that will take place:

1. When PC1 connects to the network, it will broadcast a DHCP Discover message.

2. Both the legitimate and rogue DHCP servers will receive this DHCP Discover message from PC1.

3. Both the legitimate and rogue DHCP servers will respond with their DHCP Offer message containing IP configurations.

4. PC1 will respond with a DHCP Request to the first DHCP Offer message it receives. PC1 will accept the IP configurations from the first DHCP Offer message. Therefore, if PC1 receives a DHCP Offer message from the rogue DHCP server first, it will respond with a DHCP Request (broadcast).

5. Both the legitimate and rogue DHCP servers will receive the broadcast DHCP Request message from PC1, and only the rogue DHCP server will respond with a unicast DHCP Acknowledgement message. The legitimate DHCP server will cease to communicate with PC1, simply because PC1 accepted the IP configurations from the rogue DHCP server and has established trust with that device.

Additionally, an attacker can use a tool such as yersinia to create a rogue DHCP server on a corporate network. In the later sections of this chapter, you will learn how DHCP snooping can be used to prevent both DHCP starvation and DHCP spoofing attacks on a corporate network.
ARP attacks

As we have learned throughout this book, the Address Resolution Protocol (ARP) is a Layer 2 protocol that is designed to resolve an IP address to a MAC address. As mentioned in Chapter 1, Introduction to Networking, switches are used to connect end devices such as PCs and servers to the network. ARP is needed because all devices within a subnet or LAN forward messages to their destination by using the MAC address of the intended recipient.

Important note

IP addresses within the Layer 3 header of packets are used when a host is attempting to communicate with another device on a different subnet or network.

Whenever a host wants to send a message to another device on the same network, if the sender does not know the MAC address of the destination device, it will broadcast an ARP Request message. The ARP Request contains the destination device's IP address and is sent to all devices on the LAN or subnet. The message is simply a request for the MAC address of the destination device. The ARP Request message is received and processed by all devices on the subnet. However, only the device with the matching IP address will respond with an ARP Reply containing its MAC address.

Similar to other TCP/IP network protocols, ARP was not designed with security in mind. Host devices such as computers are able to send unsolicited ARP replies. These are known as Gratuitous ARPs. An attacker can send a gratuitous ARP message to a host on the same subnet. The message will contain a MAC address to IP address mapping, which notifies the destination device to update its ARP table.

The following is the ARP cache on a Windows operating system:

Figure 14.13 – ARP cache

As shown in the preceding snippet, the host device will only populate its ARP cache with devices it has recently exchanged messages with. An attacker can send spoofed MAC addresses using gratuitous ARP messages to clients on a network, thereby causing them to update their ARP tables automatically. As a result, the attacker can trick clients into thinking the attacker's machine is their default gateway and create a man-in-the-middle attack.

To get a better understanding of ARP spoofing, let's take a look at the following scenario:

Figure 14.14 – An ARP attack

Based on the preceding diagram, an attacker connects to the network and attempts to send gratuitous ARP messages to PC1 and R1. The objective is to inform PC1 that the MAC address of R1 has been updated to CC-CC-CC-CC-CC-CC. This will cause PC1 to update its ARP table, and all traffic that is destined for 192.168.1.1 will be sent to the attacker's machine.

Important note

When an attacker is attempting to cause a victim to update their ARP cache with false ARP entries, this is referred to as ARP Poisoning.

Additionally, the same thing is done to R1, as the attacker tricks the router into thinking that PC1's MAC address has been updated to CC-CC-CC-CC-CC-CC, as shown here:

Figure 14.15 – ARP spoofing

This will ensure that all traffic between PC1 and R1 will be sent to the attacker's machine and vice versa. The following diagram shows the effect of ARP spoofing in chaining a man-in-the-middle attack:

Figure 14.16 – Man-in-the-middle attack

In this attack, all the victim's (PC1) traffic will be intercepted and captured. If any sensitive data is being exchanged, the messages will be compromised.
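The poisoning described above is detectable because it contradicts what the network already knows. The Python below is an added example, not code from the book: a small passive ARP monitor in the style of arpwatch that keeps an IP-to-MAC table, protects the gateway mapping, and raises an alert when a reply or gratuitous ARP tries to move a known IP to a new MAC, or when a reply arrives that nobody asked for. The gateway IP 192.168.1.1 and the attacker MAC CC-CC-CC-CC-CC-CC come from the text; the other MAC addresses and the message sequence are constructed.

```python
"""Passive ARP poisoning detector (added example, not from the book).

Replays the Figure 14.14 scenario: R1 at 192.168.1.1 is known, then an ARP
reply and a gratuitous ARP claim the same IP for CC-CC-CC-CC-CC-CC. Apart
from 192.168.1.1 and the attacker MAC, addresses here are constructed.
"""
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpMessage:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def is_gratuitous(msg):
    """A gratuitous ARP announces the sender's own IP: sender IP equals target IP."""
    return msg.sender_ip == msg.target_ip


class ArpMonitor:
    """Learns IP -> MAC from observed ARP traffic and alerts on suspicious changes.

    Mappings given as 'protected' (for example the default gateway) are never
    overwritten, which is the behaviour a static ARP entry gives a host.
    """

    def __init__(self, protected=None):
        self.table = dict(protected or {})     # ip -> mac
        self.protected = set(self.table)
        self.pending = set()                   # IPs for which a request was seen
        self.alerts = []

    def observe(self, msg):
        """Return True if the table was updated, False if the mapping was rejected."""
        if msg.opcode == ARP_REQUEST and not is_gratuitous(msg):
            self.pending.add(msg.target_ip)
            return True
        known = self.table.get(msg.sender_ip)
        if known is not None and known != msg.sender_mac:
            how = "gratuitous ARP" if is_gratuitous(msg) else "ARP reply"
            self.alerts.append(f"{msg.sender_ip}: {known} -> {msg.sender_mac} via {how}")
            if msg.sender_ip in self.protected:
                return False                   # keep the trusted mapping
        elif (msg.opcode == ARP_REPLY and not is_gratuitous(msg)
              and msg.sender_ip not in self.pending):
            self.alerts.append(f"{msg.sender_ip}: unsolicited reply from {msg.sender_mac}")
        self.pending.discard(msg.sender_ip)
        self.table[msg.sender_ip] = msg.sender_mac
        return True


def run_figure_14_14():
    """PC1 resolves R1, then the attacker tries to take over R1's mapping two ways."""
    gateway_ip, gateway_mac = "192.168.1.1", "aa:aa:aa:aa:aa:aa"     # R1 MAC constructed
    pc1_mac, attacker = "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
    mon = ArpMonitor(protected={gateway_ip: gateway_mac})
    messages = [
        ArpMessage(ARP_REQUEST, pc1_mac, "192.168.1.10", "00:00:00:00:00:00", gateway_ip),
        ArpMessage(ARP_REPLY, gateway_mac, gateway_ip, pc1_mac, "192.168.1.10"),
        ArpMessage(ARP_REPLY, attacker, gateway_ip, pc1_mac, "192.168.1.10"),   # poisoned reply
        ArpMessage(ARP_REPLY, attacker, gateway_ip, attacker, gateway_ip),       # gratuitous ARP
        ArpMessage(ARP_REPLY, "dd:dd:dd:dd:dd:dd", "192.168.1.20", pc1_mac, "192.168.1.10"),
    ]
    accepted = [mon.observe(m) for m in messages]
    return accepted, mon.table[gateway_ip], mon.alerts


if __name__ == "__main__":
    for line in run_figure_14_14()[2]:
        print(line)
```

The scenario returns `[True, True, False, False, True]`: the legitimate reply is accepted, both attempts to move 192.168.1.1 to the attacker's MAC are refused and logged, and the final reply from 192.168.1.20 is accepted but flagged as unsolicited because no request for it was seen. Dynamic ARP Inspection on the switch makes the same decision using the DHCP snooping binding table instead of a locally learned table.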
Spanning-tree attacks

On a switched network, the Spanning Tree Protocol (STP) is used to prevent Layer 2 loops. It does this by electing a root bridge, which will then instruct all other switches within the same VLAN to block certain ports while leaving others in a forwarding state.

Important note

If you wish to recap the topics on spanning-tree, please see Chapter 6, Understanding and Configuring Spanning-Tree.

In Chapter 6, Understanding and Configuring Spanning-Tree, we discussed the vital role the root bridge plays on the network. One key point to always remember is that the root bridge also acts as the central reference point for all traffic within a VLAN. However, once again, STP is another Layer 2 network protocol that was not designed with security mechanisms. An attacker can simply connect their machine to a switch and inject customized STP Bridge Protocol Data Units (BPDUs) with a lower priority value. If the attack is successful, the STP topology will change, making the attacker machine the new root bridge and central reference point on the network. Furthermore, if the attacker's machine is the root bridge, the attacker can capture all traffic on the VLAN, thereby acting as a man-in-the-middle on the network.

The following diagram shows an attacker attempting to become the root bridge:

Figure 14.17 – An STP attack

To prevent STP attacks, it's recommended to implement BPDU Guard on all access ports on your switches. In Chapter 6, Understanding and Configuring Spanning-Tree, we covered how to implement BPDU Guard in the lab entitled Configuring PortFast and BPDU Guard.
CDP attacks

The Cisco Discovery Protocol (CDP) is a Cisco proprietary Layer 2 protocol that is designed to share information with other Cisco devices on the same network. CDP is enabled by default on all Cisco devices and shares information such as the device model, hostname, IOS version, device capabilities, IP address, and even the native VLAN.

CDP was designed to help network engineers with troubleshooting and determining the network topology. As an example, imagine you are unable to ping a directly connected device, but you are still able to receive CDP messages from the same device. This is an indication that Layer 2 is operating properly, but that Layer 3 may require further investigation.

Important note

To recap the topics and operations of CDP, please revisit Chapter 5, Implementing VLANs, Layer 2 Discovery Protocols, and EtherChannels.

CDP messages are sent out of all CDP-enabled interfaces on a device every 60 seconds. These CDP messages are unencrypted. The information found within a CDP message can be very valuable to an attacker on the network. The attacker can use the information to create a map of the network infrastructure and determine the type of devices on the network, their capabilities, IP addresses, and so on.

The following screenshot shows the contents of a CDP message using Wireshark:

Figure 14.18 – CDP messages on Wireshark

In the preceding screenshot, the CDP messages were captured between a Cisco IOSv router and a Cisco IOSv L2 switch. The body of frame #7 contains sensitive information pertaining to the Cisco IOSv router on the network, such as its management IP address and IOS version. Since CDP was not designed with security in mind, an attacker can also inject fake CDP messages containing fake information into a network.

To mitigate such a vulnerability within CDP, observe the following guidelines:

Disable CDP globally on your device using the no cdp run command.

Enable CDP only on interfaces that are connected to other CDP-enabled devices.

CDP-enabled interfaces should only be connected to other networking devices and not to end devices.

CDP messages should not be sent to the internet or your ISP.

Furthermore, the Link Layer Discovery Protocol (LLDP) is also vulnerable to the same types of attacks as CDP. To disable LLDP globally, use the no lldp run command within global configuration mode. To disable LLDP on an interface, use both the no lldp transmit and no lldp receive commands in interface mode.
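The VLAN hardening recommendations earlier in this section and the CDP/LLDP guidelines just given are all visible in a switch's running configuration, so they can be checked mechanically. The Python below is an added example, not code from the book or from Cisco: it splits an IOS-style configuration into global lines and interface stanzas and reports every interface that still negotiates DTP, every trunk whose native VLAN is 1, every access port that shares a trunk's native VLAN, and CDP or LLDP left running where the guidelines say to disable them. The two sample configurations are constructed, one weak and one that follows every recommendation.

```python
"""Running-config audit for the Layer 2 hardening guidelines in this section
(added example, not from the book). The sample configurations are constructed;
the commands checked are the ones the text recommends.
"""


def parse_config(text):
    """Split an IOS-style config into global lines and per-interface stanzas."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            current = None                      # '!' terminates a stanza
            continue
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def _value(lines, prefix, default):
    """Integer argument of the first stanza line starting with prefix, else default."""
    for line in lines:
        if line.startswith(prefix):
            return int(line.split()[-1])
    return default


def audit(text):
    """Return a list of findings; an empty list means every guideline is met."""
    global_lines, interfaces = parse_config(text)
    findings = []
    cdp_running = "no cdp run" not in global_lines     # CDP is on by default
    if cdp_running:
        findings.append("global: CDP is running; use 'no cdp run' and enable it only where needed")
    if "lldp run" in global_lines:
        findings.append("global: LLDP is running; use 'no lldp run' unless it is required")
    trunk_native = {}
    for name, lines in interfaces.items():
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
        if mode not in ("access", "trunk"):
            findings.append(f"{name}: no static switchport mode, DTP can negotiate a trunk")
        if "switchport nonegotiate" not in lines:
            findings.append(f"{name}: DTP still enabled, add 'switchport nonegotiate'")
        if mode == "trunk":
            native = _value(lines, "switchport trunk native vlan ", 1)
            if native == 1:
                findings.append(f"{name}: VLAN 1 is the native VLAN of this trunk")
            trunk_native[name] = native
        if mode == "access" and cdp_running and "no cdp enable" not in lines:
            findings.append(f"{name}: CDP is advertised towards an end device")
    for name, lines in interfaces.items():
        access_vlan = _value(lines, "switchport access vlan ", 1)
        if "switchport mode access" in lines and access_vlan in trunk_native.values():
            findings.append(f"{name}: access VLAN {access_vlan} is also a trunk native VLAN")
    return findings


WEAK_CONFIG = """\
hostname SW1
lldp run
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 description uplink to SW2
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
!
interface GigabitEthernet0/4
 switchport mode access
 switchport access vlan 99
 switchport nonegotiate
 no cdp enable
!
"""

HARDENED_CONFIG = """\
hostname SW1
no cdp run
no lldp run
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
!
interface GigabitEthernet0/3
 description uplink to SW2
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
!
interface GigabitEthernet0/4
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print(finding)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Against `WEAK_CONFIG` the audit reports seven findings (CDP and LLDP running, two ports without `switchport nonegotiate`, a trunk on native VLAN 1, CDP advertised on an access port, and an access port sitting in the trunks' native VLAN 99); against `HARDENED_CONFIG` it reports none. Feeding it the output of `show running-config` from each switch turns the bullet list above into a repeatable check.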
During this section, you have learned about various Layer 2 threats and attacks that can occur within an organization's network. In the next section, you will discover various switch security controls to prevent a variety of Layer 2 attacks.

Protecting against Layer 2 threats

Quite often, many organizations think cyber threats and attacks originate from outside of their organization, such as the internet. However, some of these threats and attacks can occur from within. These threats can be in the form of an innocent employee connecting an unauthorized device to the network, such as a switch or even a wireless router, or a disgruntled employee who wants to take down the company's network infrastructure for personal reasons. Your responsibility as a network engineer is not only to design and build networks for connectivity but also to ensure the security of the network.

In this section, you will learn how to implement security controls on your switches to prevent various Layer 2 attacks, such as those mentioned in the previous sections.
Port security

Sometimes, when implementing a newly configured switch on a production network, the network engineer may honestly forget to secure any unused interfaces/ports on the switch. Leaving unused ports active is like a doorway that is wide open, enabling anyone to access your property. Sometimes, when implementing a switch, not all ports are in use. It is recommended to disable all unused ports to prevent any unauthorized access to the Layer 2 network.

Tip

Disable all interfaces on a switch and only enable those that are required.

To secure any unused ports on a Cisco IOS switch, use the shutdown command within interface mode:

Figure 14.19 – Securing an unused port

The shutdown command changes the interface to an administratively down state, which will disable the electrical circuitry on that interface only. However, if you have to disable a range of interfaces, you can use the interface range command, as shown here:

Figure 14.20 – Disabling a range of interfaces

In the earlier parts of this chapter, we discussed many types of Layer 2 attacks, one of which was the CAM table overflow attack, which is designed to exhaust the storage capacity of a switch's CAM table. Cisco has implemented a security control known as Port Security to limit the number of trusted MAC addresses that are allowed on a switch's interface.

As a network engineer, this feature allows you to either manually configure trusted MAC addresses per interface or allow the switch to dynamically learn a limited number of MAC addresses. When port security is enabled on an interface, the source MAC addresses of all inbound frames are compared to a list of secure source MAC addresses. By implementing port security, you can control which devices are able to connect to an interface and your network.

Before enabling port security on an interface or a range of interfaces, ensure that the interface(s) are not using the default DTP mode, dynamic auto, since port security cannot be enabled on such an interface. Ensure that your interface is statically configured as either an Access port for end devices or a Trunk port.

To enable port security on an interface, use the following commands:

Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#no shutdown
Switch(config-if)#exit

To verify the port security status on an interface, use the show port-security interface command, as shown here:

Figure 14.21 – Verifying the port security interface status

We can determine the following key points from the preceding screenshot:

Port security is enabled on the FastEthernet 0/1 interface.

The violation mode is set to Shutdown.

The maximum number of source MAC addresses that are permitted on this interface is 1. If more than one device is connected to this interface, a violation will be triggered and the interface will be transitioned into an error-disabled state.

Currently, no source MAC addresses are learned on the interface. If a device connects and sends traffic to this port, the switch will automatically add the source MAC address as a secure MAC address.

Important note

When port security is turned on, the default configurations are as follows: the maximum number of secure MAC addresses is 1, the default violation mode is shutdown, and sticky address learning is disabled.

Limiting the number of MAC addresses allowed on an interface can prevent unauthorized devices from connecting to the network and prevent a malicious user from injecting unsolicited frames into a switch. To limit the number of MAC addresses permitted on an interface, use the following syntax:

Switch(config-if)#switchport port-security maximum number

There may be a situation that requires you to manually configure a static MAC address on a switch interface. To statically assign/associate a secure MAC address on a switch port, use the following syntax:

Switch(config-if)#switchport port-security mac-address mac-address

Manually configuring a secure MAC address on an interface ensures that only the end device with that same MAC address is permitted to connect to that interface and send traffic. However, this task can be very overwhelming if you have to do this on all switches for the entire organization. One method is to configure the switch to dynamically learn the source MAC addresses on each interface and store them in the running configuration.

To dynamically learn and store the source MAC addresses on an interface, use the sticky keyword with the following port security syntax:

Switch(config-if)#switchport port-security mac-address sticky

The source MAC addresses learned using the sticky keyword will be associated with the interface only and will be saved in running-config. If the switch loses power or is rebooted, the secure MAC addresses will be lost. Therefore, make sure that you save the configurations to NVRAM (startup-config).

The following is an example demonstrating how to configure port security on an interface to limit up to two secure MAC addresses, statically configure one secure MAC address, and enable dynamic learning for additional secure MAC addresses:

Switch(config)#interface GigabitEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security mac-address B881.98D3.B223
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#no shutdown
Switch(config-if)#exit

The following screenshot verifies our port security status and configurations on the interface:

Figure 14.22 – Verifying the port security interface status

As shown in the preceding screenshot, a secure source MAC address (Last Source Address) has been dynamically learned on the interface and on the VLAN. Furthermore, you can also use the show port-security command to verify statistics and address counts on all secure interfaces, as shown here:

Figure 14.23 – Verifying port security statistics

Important note

To view the total size of the CAM table on a Cisco IOS switch, use the show mac address-table count command.

Since the sticky keyword was used to dynamically learn and store source MAC addresses, the show running-config command shows you the sticky MAC addresses, if any, as shown in the following code snippet:

Figure 14.24 – Verifying sticky MAC addresses

When the maximum number of secure MAC addresses has been learned on an interface, if any frames with a new source MAC address are sent to the secure port, a violation will occur. There may be times when you need old secure MAC addresses to be removed from a secure interface automatically, without having to delete the existing secure MAC addresses by hand. For this task, the port security aging feature allows us to configure an interface with an aging time limit, so that stale secure MAC addresses are removed and new MAC addresses can be added.

Port security uses the following types of aging on a secure interface:

Absolute: Secure MAC addresses are deleted after a defined aging time.

Inactivity: Secure MAC addresses are deleted only when they are inactive for a defined aging time.

To configure port security aging on a secure interface, use the following syntax:

Switch(config-if)#switchport port-security aging {static | time time | type [absolute | inactivity]}

The following is a description of each parameter for the port security aging command:

static: Enables aging for secure MAC addresses that are statically configured on the interface.

time time: Allows you to specify the aging time on the interface. The time ranges between 0 and 1440 minutes. If the time is set to 0, aging is disabled on the interface.

type absolute: Secure MAC addresses age out and are removed from the secure address list on the switch when the specified time is reached.

type inactivity: Secure MAC addresses will age out only if there is no traffic from a secure MAC address for the specified time.

The following commands are an example demonstrating how to configure secure MAC addresses to age out after 5 minutes of inactivity on an interface:

Switch(config)#interface GigabitEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security aging time 5
Switch(config-if)#switchport port-security aging type inactivity
Switch(config-if)#exit

Using the show port-security interface command, you'll notice that Aging Time has been changed to 5 mins, and Aging Type has been changed to Inactivity, as shown here:

Figure 14.25 – Verifying port security aging configurations

If a secure port receives a source MAC address that is not in the list of secure MAC addresses, a violation will be triggered and, by default, the interface will transition into an error-disabled state. The following are the three different violation modes when configuring port security:

shutdown: This is the default violation mode. If a violation occurs, the port changes to an error-disabled state. The violation counter is increased. To re-enable the interface, the network engineer must first use the shutdown command, wait a few seconds, and then use the no shutdown command within the affected interface.

restrict: If a violation occurs, this mode drops any message with an unknown source address. The security violation counter increases and a syslog message is generated.

protect: If a violation occurs, this mode will drop any message with an unknown source address. However, it does not increase the security violation counter, nor does it send a syslog message. This mode is considered to be the least secure of the three violation modes.

To configure a port security violation mode on an interface, use the following syntax:

Switch(config-if)#switchport port-security violation {shutdown | restrict | protect}

The following is an example of configuring the restrict violation mode on an interface with port security:

Switch(config)#interface GigabitEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#exit

Using the show port-security interface command, you can see that the violation mode has changed to Restrict, as shown in the following screenshot:

Figure 14.26 – Verifying violation modes
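The behaviour of maximum, static, sticky, aging, and the three violation modes described in this section can be put together in one state machine. The Python below is an added example, not code from the book or from Cisco IOS: it models a single secure port and replays the chapter's own configuration (maximum 2, static B881.98D3.B223, sticky), followed by a restrict port with 5-minute inactivity aging. The address 0001.C9BA.5B83 is the one learned in the lab; the other MAC addresses, the timings, and the log wording are constructed.

```python
"""Port security state machine (added example, not from the book).

Models maximum, static and sticky addresses, aging and the three violation
modes described in the text. B881.98D3.B223 and 0001.C9BA.5B83 come from the
chapter; other MAC addresses, timings and log wording are constructed.
"""


class SecurePort:
    """One interface with 'switchport port-security' (constructor args are IOS defaults)."""

    def __init__(self, maximum=1, violation="shutdown", sticky=False,
                 aging_time=0, aging_type="absolute", aging_static=False):
        self.maximum = maximum
        self.violation = violation          # shutdown | restrict | protect
        self.sticky = sticky
        self.aging_time = aging_time * 60   # minutes -> seconds; 0 disables aging
        self.aging_type = aging_type        # absolute | inactivity
        self.aging_static = aging_static    # 'aging static': age static entries too
        self.secure = {}                    # mac -> {"kind", "learned", "last"}
        self.errdisabled = False
        self.violation_count = 0
        self.syslog = []

    def add_static(self, mac, now=0):
        """'switchport port-security mac-address <mac>'."""
        self.secure[mac] = {"kind": "static", "learned": now, "last": now}

    def _age(self, now):
        if self.aging_time == 0:
            return
        for mac, entry in list(self.secure.items()):
            if entry["kind"] == "static" and not self.aging_static:
                continue
            start = entry["learned"] if self.aging_type == "absolute" else entry["last"]
            if now - start >= self.aging_time:
                del self.secure[mac]

    def receive(self, src_mac, now=0):
        """Return 'forward', 'drop' or 'errdisable' for an inbound frame with this source MAC."""
        if self.errdisabled:
            return "errdisable"
        self._age(now)
        if src_mac in self.secure:
            self.secure[src_mac]["last"] = now
            return "forward"
        if len(self.secure) < self.maximum:
            kind = "sticky" if self.sticky else "dynamic"
            self.secure[src_mac] = {"kind": kind, "learned": now, "last": now}
            return "forward"
        # Violation: unknown source MAC and no free slot.
        if self.violation == "shutdown":
            self.errdisabled = True
            self.violation_count += 1
            self.syslog.append(f"violation (shutdown): {src_mac}, port err-disabled")
            return "errdisable"
        if self.violation == "restrict":
            self.violation_count += 1
            self.syslog.append(f"violation (restrict): {src_mac} dropped")
        return "drop"                        # protect: dropped silently, no counter, no log

    def recover(self):
        """The engineer's 'shutdown' followed by 'no shutdown' on the interface."""
        self.errdisabled = False

    def running_config(self):
        """The lines this port would contribute to 'show running-config'."""
        lines = ["switchport port-security"]
        if self.maximum != 1:
            lines.append(f"switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f"switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac, entry in self.secure.items():
            if entry["kind"] == "static":
                lines.append(f"switchport port-security mac-address {mac}")
            elif entry["kind"] == "sticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines


def chapter_example():
    """Figure 14.22 setup: maximum 2, one static address, sticky learning, then a third MAC."""
    port = SecurePort(maximum=2, sticky=True)
    port.add_static("B881.98D3.B223")
    results = [port.receive("B881.98D3.B223", 1),
               port.receive("0001.C9BA.5B83", 2),      # sticky-learned into running-config
               port.receive("CCCC.CCCC.CCCC", 3)]      # third MAC: violation, port err-disabled
    return results, port.violation_count, port.running_config()


def inactivity_aging():
    """'aging time 5' + 'aging type inactivity' with violation restrict."""
    port = SecurePort(maximum=1, violation="restrict", aging_time=5, aging_type="inactivity")
    first = port.receive("0000.0000.0001", 0)
    blocked = port.receive("0000.0000.0002", 100)      # slot taken: dropped, counted, logged
    freed = port.receive("0000.0000.0002", 300)        # first MAC idle 300 s: aged out, slot free
    return first, blocked, freed, port.violation_count, port.errdisabled
```

`chapter_example()` returns `(['forward', 'forward', 'errdisable'], 1, [...])`, where the configuration lines end with the static address and the sticky-learned 0001.C9BA.5B83, matching what Figure 14.24 shows in running-config. `inactivity_aging()` returns `('forward', 'drop', 'forward', 1, False)`: in restrict mode the port stays up, the counter and log record the violation, and once the idle address has aged out the new device is admitted.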
In the next section, you will gain hands-on experience in implementing port security on a Cisco IOS switch.

Lab – implementing port security

In this lab, you will learn how to implement port security to limit the number of secure source MAC addresses that are permitted on the interfaces of a Cisco IOS switch. To get started, we'll be using the Cisco Packet Tracer application, which allows us to simulate a Cisco environment. For this lab, please build the following network topology:

Figure 14.27 – Port security lab topology

Ensure that you've assigned the IP addresses to each device according to the following IP address table:

Figure 14.28 – IP address scheme

Each computer – PC1, PC2, and the Attacker PC – is using its FastEthernet 0 (Fa0) interface to connect to SW1.

Now that your lab is ready, use the following instructions to implement port security:

1. On SW1, enable port security on the FastEthernet 0/1 and FastEthernet 0/2 interfaces using the following commands:

SW1(config)#interface range FastEthernet 0/1 - 2
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport port-security

2. Configure the secure ports to permit a maximum of one device per interface:

SW1(config-if-range)#switchport port-security maximum 1

3. Configure the secure ports to dynamically learn and store secure source MAC addresses in the running configuration file:

SW1(config-if-range)#switchport port-security mac-address sticky

4. Next, enable the secure ports and exit:

SW1(config-if-range)#no shutdown
SW1(config-if-range)#exit

5. Secure any unused ports on the switch:

SW1(config)#interface range FastEthernet 0/3 - 24
SW1(config-if-range)#shutdown
SW1(config-if-range)#exit
SW1(config)#interface range GigabitEthernet 0/1 - 2
SW1(config-if-range)#shutdown
SW1(config-if-range)#exit

6. Ping between PC1 and PC2 to ensure that their source MAC addresses are learned and stored in the running configuration file. Use the show port-security interface command to validate the configurations on your interfaces:

Figure 14.29 – Validating port security

As shown in the preceding screenshot, port security is enabled on the interface, the violation mode is set to Shutdown (default), aging is Disabled, the maximum number of secure MAC addresses allowed on the interface is 1, the total number of secure MAC addresses learned is 1, sticky is Enabled and has stored one address in running-config, and the last MAC address learned is 0001.C9BA.5B83 on VLAN 1.

7. Next, use the show running-config command to view the port security configurations and the sticky addresses that are automatically added to the running configuration:

Figure 14.30 – Verifying the sticky address

As shown in the preceding screenshot, PC1's MAC address is bound to FastEthernet 0/1 and PC2's MAC address is bound to FastEthernet 0/2.

8. Next, let's trigger a violation on the network. Connect the Attacker PC to FastEthernet 0/2 on SW1. Then, attempt to ping from the Attacker PC to PC1, as shown here:

Figure 14.31 – Triggering a violation

9. As expected, since the attacker's source MAC address does not match the secure MAC address on FastEthernet 0/2, the traffic is not permitted and the interface has been disabled, as shown here:

Figure 14.32 – Verifying violation

The port status has been changed to Secure-shutdown, the attacker's source MAC address is shown, and the violation counter has increased to 1.

10. To verify which interfaces are in an error-disabled state, use the show interfaces status command:

Figure 14.33 – Verifying error-disabled interfaces

Another useful command to verify whether a port is in an error-disabled state is the show interfaces command.

11. Lastly, let's fix the issue by physically reconnecting PC2 to FastEthernet 0/2 on SW1 and re-enabling the interface using the following commands:

SW1(config)#interface FastEthernet 0/2
SW1(config-if)#shutdown
SW1(config-if)#no shutdown
SW1(config-if)#exit

Having completed this lab, you have gained the hands-on skills to implement port security in a Cisco environment. In the next section, you will learn how to mitigate and prevent rogue DHCP servers on a network.
DHCP snooping

DHCP snooping is a security feature available within Cisco IOS switches that allows you to prevent and mitigate rogue DHCP servers. Unlike port security, DHCP snooping does not depend on source MAC addresses; rather, it determines whether DHCP messages are originating from a trusted device or trusted source on the network. With DHCP snooping implemented on a corporate network, the switch can filter DHCP messages and perform rate limiting on DHCP messages from untrusted sources. Rate limiting is used to control the number of messages entering a device's interface.

On a private network, devices such as routers, servers, and switches are considered to be trusted devices. They are trusted simply because you, as a network engineer, have administrative control over these networking devices. However, devices that are outside of your network are considered to be untrusted. When DHCP snooping is enabled, all ports are untrusted by default.

Important note

Since DHCP clients are expected to send only DHCP Discover and DHCP Request messages to an untrusted port, if an untrusted port receives a DHCP Offer or DHCP Acknowledgement message, a violation will occur.

A trusted port must be explicitly configured by the network engineer. Additionally, all access ports should be untrusted, simply because the access layer is where an attacker can insert their rogue DHCP server. Trusted interfaces should be trunk interfaces and ports that are connected to the organization's DHCP server.

Important note

On a trusted port, DHCP Offer and DHCP Acknowledgement messages are permitted.

When DHCP snooping is enabled, the switch creates a special table known as the DHCP snooping binding table. This table keeps a record of the source MAC addresses of devices that are connected to untrusted ports and the IP addresses that were assigned to them by the legitimate DHCP server. The MAC addresses and IP addresses are bound together.

To configure DHCP snooping, observe the following steps:

1. Use the ip dhcp snooping command within global configuration mode to turn on DHCP snooping.

2. Configure trusted interfaces by using the ip dhcp snooping trust command within interface mode.

3. Configure rate limiting on untrusted ports using the ip dhcp snooping limit rate number command within interface mode. Specify a number for packets per second (pps).

4. Assign DHCP snooping to either a single VLAN or a range of VLANs by using the ip dhcp snooping vlan vlan-id command in global configuration mode. The following is an example of entering multiple VLANs in the command: ip dhcp snooping vlan 5,15,20-22.
Inthenextsection,youwillgainhands-onexperienceintermsofimplementingDHCPsnoopingtopreventandmitigaterogueDHCPserversinaCiscoenvironment.
Lab – implementing DHCP snooping
In this lab, you will learn how to implement DHCP snooping to prevent and mitigate rogue DHCP server and DHCP attacks on a network. This lab is simply an extension of the previous exercise on implementing port security. For this lab, ensure that you add the additional devices to the following network topology:
Figure 14.34 – DHCP snooping lab topology
Make sure that you've assigned the IP addresses to each device according to the following IP address table:
Figure 14.35 – IP addressing scheme
Please observe the following guidelines when executing this lab to ensure that you obtain the same results:
Manually configure GigabitEthernet0/2 on SW1 and SW2 as a trunk port and enable the interface.
Now that your lab is ready, use the following instructions to configure DHCP snooping:
1. On SW1, use the ip dhcp snooping command to enable DHCP snooping, as shown here:
SW1(config)#ip dhcp snooping
2. Configure GigabitEthernet0/2 as a trunk port and as a trusted port using the following commands:
SW1(config)#interface GigabitEthernet0/2
SW1(config-if)#switchport mode trunk
SW1(config-if)#ip dhcp snooping trust
SW1(config-if)#no shutdown
SW1(config-if)#exit
3. Assign DHCP snooping to the VLAN in use, VLAN 1, using the following command:
SW1(config)#ip dhcp snooping vlan 1
Tip
A network may contain DHCP relay agents that will insert information about themselves (option 82) before forwarding a DHCP Discover message to the DHCP server. When DHCP snooping is enabled, it prevents the forwarding of the DHCP messages via relay agents. To prevent DHCP relay option 82 information from being inserted in the DHCP relay messages, you can use the no ip dhcp snooping information option command within the global configuration mode.
4. Next, use the following command to enable DHCP snooping on SW2:
SW2(config)#ip dhcp snooping
5. Configure GigabitEthernet0/1, GigabitEthernet0/2, and FastEthernet0/1 as trusted ports by using the following commands:
SW2(config)#interface range GigabitEthernet0/1 - GigabitEthernet0/2
SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#ip dhcp snooping trust
SW2(config-if-range)#no shutdown
SW2(config-if-range)#exit
SW2(config)#interface FastEthernet0/1
SW2(config-if)#ip dhcp snooping trust
SW2(config-if)#no shutdown
SW2(config-if)#exit
6. Assign DHCP snooping to the VLAN in use on SW2, VLAN 1, by using the following command:
SW2(config)#ip dhcp snooping vlan 1
7. Click on the legitimate DHCP server, and select the Services tab | DHCP. Make sure that you enable the service and assign the IP details to create a DHCP pool on the server, as shown here:
Figure 14.36 – Configuring the legitimate DHCP server
Make sure that you configure all the IP addresses: Default Gateway = 172.16.1.1, DNS Server = 8.8.8.8, Start IP Address = 172.16.1.10, Subnet Mask = 255.255.255.0, WLC Address = 172.16.1.40, and then click on Save. The WLC address will be used in the next lab on wireless security.
8. Configure the rogue DHCP server using the following settings:
Figure 14.37 – Rogue DHCP server settings
9. Next, enable DHCP on both PC1 and PC2, as shown here:
Figure 14.38 – Verifying the PC1 IP address
If you disconnect the legitimate DHCP server from the network, you will notice that the PCs do not receive any IP address configurations from the rogue DHCP server.
10. Next, use the show ip dhcp snooping command to verify whether DHCP snooping is enabled on the VLAN and whether Option 82 is enabled. Additionally, this command allows you to verify both trusted and untrusted interfaces on the local switch:
Figure 14.39 – Verifying the DHCP snooping status
11. Lastly, use show ip dhcp snooping binding to view the DHCP snooping binding table:
Figure 14.40 – Viewing the DHCP snooping binding table
Having completed this lab, you have gained the hands-on skills to implement DHCP snooping to prevent and mitigate DHCP attacks in a Cisco environment. In the next section, you will learn how to mitigate and prevent IP spoofing and man-in-the-middle attacks on a network.
Dynamic ARP inspection
During a man-in-the-middle attack, an attacker uses ARP spoofing to send an unsolicited ARP message that pairs their own source MAC address with the IP address of the default gateway to other hosts on the network. By implementing Dynamic ARP Inspection (DAI) on Cisco IOS switches, you can prevent and mitigate ARP spoofing and man-in-the-middle attacks on your enterprise network. DAI ensures that only legitimate ARP requests and ARP replies are sent on the network.
To ensure that DAI is effective on a network, DAI requires DHCP snooping to be configured and enabled on the switch as well. With DHCP snooping and DAI enabled, they prevent ARP attacks by means of the following:
Preventing ARP request and ARP reply messages on untrusted interfaces
Intercepting all ARP messages on untrusted interfaces
Validating all intercepted messages that contain a valid IP-to-MAC address binding
Discarding and logging all ARP reply messages that are originating from invalid sources
Whenever a violation occurs, the interface transitions into an error-disabled state.
Important note
All access ports on a switch should be configured as untrusted interfaces. All trunk ports that are connected to other switches or routers should be configured as trusted ports.
To configure DAI, observe the following steps:
1. Enable DHCP snooping, because DAI requires the DHCP snooping binding table to validate IP-to-MAC addresses. Use the ip dhcp snooping command in global configuration mode.
2. Assign DHCP snooping to a VLAN, using the ip dhcp snooping vlan vlan-id command in global configuration mode.
3. Configure the trunk links as trusted interfaces, using the ip dhcp snooping trust command and the ip arp inspection trust command in interface mode.
4. Enable DAI on the VLAN, using the ip arp inspection vlan vlan-id command in global configuration mode.
DAI also has the capability to inspect the source and destination MAC and IP addresses of each message. It does this by using the following command:
Switch(config)#ip arp inspection validate [src-mac | dst-mac | ip]
The following is a description of each parameter for the ARP inspection command:
src-mac: Enables DAI to check the source MAC address in the Layer 2 header against the sender's MAC address within the ARP body.
dst-mac: DAI checks the destination MAC address in the Layer 2 header against the target's MAC address within the ARP body.
ip: DAI checks the ARP body for any invalid IP addresses, such as 0.0.0.0, 255.255.255.255, and all multicast IP addresses.
In the next section, you will gain hands-on experience in terms of implementing DAI in a Cisco environment.
Lab – implementing DAI
In this lab, you will learn how to implement DAI to prevent and mitigate IP spoofing and man-in-the-middle attacks on a network. This lab is simply an extension of the previous exercise on implementing DHCP snooping. For this lab, we'll be using the same lab topology from the previous exercise:
Figure 14.41 – DAI lab topology
Since we already have DHCP snooping implemented from the last lab exercise, we'll proceed to apply only the DAI configurations on the network by using the following steps:
1. On SW1, configure the uplink (trunk) interface as an ARP trusted port:
SW1(config)#interface GigabitEthernet0/2
SW1(config-if)#ip arp inspection trust
SW1(config-if)#exit
2. Enable DAI on VLAN 1:
SW1(config)#ip arp inspection vlan 1
3. Configure DAI to inspect the source and destination MAC and IP addresses of each message on SW1:
SW1(config)#ip arp inspection validate src-mac dst-mac ip
4. On SW2, configure the trunk interfaces and the port connected to the legitimate DHCP server as ARP trusted ports:
SW2(config)#interface range gigabitEthernet0/1 - gigabitEthernet0/2
SW2(config-if-range)#ip arp inspection trust
SW2(config-if-range)#exit
SW2(config)#interface FastEthernet0/1
SW2(config-if)#ip arp inspection trust
SW2(config-if)#exit
5. Enable DAI on VLAN 1:
SW2(config)#ip arp inspection vlan 1
6. Configure DAI to inspect the source and destination MAC and IP addresses of each message on SW2:
SW2(config)#ip arp inspection validate src-mac dst-mac ip
7. Use the show ip arp inspection command to verify ARP inspection statistics, as shown here:
Figure 14.42 – Verifying ARP inspection details
8. Lastly, the show ip arp inspection vlan command can be used to verify whether DAI is inspecting both the source and destination MAC and IP addresses of each message:
Figure 14.43 – Verifying additional ARP inspection configurations
Having completed this lab, you have gained the hands-on experience and skills required to implement DAI to prevent and mitigate IP spoofing and man-in-the-middle attacks in a Cisco environment. In the next section, you will learn how to secure a wireless network.
Wireless network security
Many organizations implement a wireless network to support the mobility of their users. Implementing a Wireless LAN (WLAN) offers convenience to users with mobile devices, thereby allowing them to roam around the building and work from anywhere. With a WLAN, access to the corporate network is open to anyone who is within the range of the wireless signal generated by the APs and who holds the correct user credentials. WLANs create an entire landscape of threats and attacks by threat actors and even disgruntled employees.
The following are some of the threats posed to a wireless network:
A threat actor can intercept traffic on a wireless network. The threat actor does not need to be within the building, but rather within the range of the wireless signal. It's recommended that all wireless traffic should be encrypted to prevent any eavesdropping.
An intruder may be present on the wireless network. This is someone who is not authorized to access the wireless network or resources.
A threat actor can create a DoS attack to prevent legitimate users from accessing the wireless network.
A threat actor can set up an evil twin or rogue access point to capture legitimate users' traffic.
A rogue access point is where an attacker sets up their own AP outside the target organization, but close enough for its wireless signal to be reachable by employees. On the rogue access point, the attacker adds an internet connection and implements packet capture and other malicious tools to intercept and capture traffic. The idea of implementing a rogue access point is to trick victims into connecting to the AP owned by the attacker and to capture sensitive data.
The Evil Twin is an AP installed within the corporate network by a threat actor. All users who are connected are able to access the corporate resources, but their traffic is intercepted and captured by the AP owned by the threat actor.
Tip
To learn about wireless security penetration testing, you can check out my book, Learn Kali Linux 2019, by Glen D. Singh, published by Packt Publishing at the following URL: https://www.packtpub.com/networking-and-servers/learn-kali-linux-2018. The book also covers various aspects of ethical hacking and penetration testing.
One method of hiding your wireless network is disabling the Service Set Identifier (SSID) broadcast. This feature does not totally protect your network from a threat actor, since there are techniques for discovering a hidden wireless network, but it does reduce the chance that a novice attacker will detect it. When the SSID broadcast is disabled, the wireless router or AP will not send the SSID within its beacon messages.
The following screenshot is an example of how to disable the SSID broadcast on a Linksys 160N device:
Figure 14.44 – Disabling SSID Broadcast
Additionally, you can enable MAC address filtering to create an ACL of permitted or denied devices. The following screenshot shows an example of the MAC filtering interface on a Linksys 160N wireless router:
Figure 14.45 – MAC filtering
Keep in mind that an experienced hacker can find ways to bypass MAC filtering controls on a wireless network. However, it's better to have some security on your network rather than having no security at all. In the next section, you will discover various methods of authentication that can be implemented on a wireless network.
Authentication methods
A wireless router or AP provides a few options to configure how users are authenticated onto the network. One method is Open Authentication, which disables any authentication mechanisms on the wireless device. This method allows anyone to connect to the wireless network freely. An authentication method such as this is commonly used in shopping malls, coffee shops and restaurants, and public areas.
Important note
WPA3 is currently the only wireless security standard that encrypts messages on an open network using Opportunistic Wireless Encryption (OWE). This technology allows the encryption of traffic between the client and the AP on an open network. This type of implementation is useful for public Wi-Fi deployments.
Another method involves the use of Shared Key Authentication. This method is also referred to as a pre-shared key (PSK). With PSK authentication, the wireless router is configured with a passphrase for the wireless network, so anyone attempting to access the wireless network will be prompted to provide the correct pre-shared key. There are various wireless security standards that use PSK. These are as follows:
Wired Equivalent Privacy (WEP): WEP is the first official standard used to secure data transmission using the Rivest Cipher 4 (RC4) encryption algorithm on an IEEE 802.11 network. Due to various security vulnerabilities found in this standard, it is no longer recommended.
Wi-Fi Protected Access (WPA): This standard improves on WEP by using a more secure encryption scheme known as Temporal Key Integrity Protocol (TKIP). TKIP applies a unique key to each packet on the wireless network, thus making it difficult to compromise. TKIP also validates the integrity of each message by using a Message Integrity Check (MIC).
WPA2: WPA2 is currently the industry standard for securing IEEE 802.11 networks. This standard uses the Advanced Encryption Standard (AES) for data encryption, which is a lot stronger than those previously mentioned. AES is used with the Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP), which enables the destination device to validate confidentiality and integrity.
WPA3: As of the time of writing this book, WPA3 is the latest wireless security standard. WPA3 uses the most up-to-date security protocols and discontinues outdated and legacy protocols. WPA3 uses Simultaneous Authentication of Equals (SAE) to mitigate vulnerabilities found in WPA2. WPA3 uses the Commercial National Security Algorithm (CNSA) suite in WPA3-Enterprise authentication.
The following screenshot shows an example of configuring the authentication methods on a wireless router:
Figure 14.46 – Authentication methods
WPA and WPA2 use two additional authentication methods. These are as follows:
Personal: This method is commonly used on a home wireless network and allows you to configure the PSK directly on the wireless router.
Enterprise: This method allows you to associate the wireless router with a AAA server. The wireless router does not handle the authentication of users on the network but hands the responsibility over to the AAA server (RADIUS or TACACS+).
Having completed this section, you have learned about various wireless security threats and security mechanisms. In the next section, you will learn how to implement a wireless network and apply wireless security.
Lab – implementing wireless security using a WLC
In this lab, you will learn how to implement wireless security using a Cisco Wireless LAN Controller (WLC). This lab is simply an extension of the previous exercise on implementing Dynamic ARP Inspection. For this lab, ensure that you add additional devices to the following network topology:
Figure 14.47 – Wireless security lab topology
Please observe the following guidelines when executing this lab to ensure that you obtain the same results:
For the WLC, use the Cisco 2504 controller. On Cisco Packet Tracer, click on Network Devices | Wireless to select the Cisco 2504 controller.
For the Lightweight Access Points (LAPs), use the LAP-PT devices. The following screenshot shows the location of both the WLC and LAPs in the Cisco Packet Tracer application:
Figure 14.48 – Wireless components
The numbered labels in the preceding diagram show the buttons to click on.
Now that your topology is ready, use the following instructions to set up the WLC and implement a wireless segment on the network:
1. Click on the WLC, and then select the Config tab | Management interface to assign the following addresses, as shown in the following screenshot:
Figure 14.49 – WLC IP configurations
2. Next, click on PC1, select the Desktop tab, and then open Web Browser. Enter the URL http://172.16.1.40 and click on Go to load the WLC home page.
3. Create a username, admin, set a password, Cisco123, and then click Start, as shown here:
Figure 14.50 – WLC welcome page
4. Configure the management IP address, subnet mask, and default gateway, as shown here:
Figure 14.51 – Management IP on the WLC
The IP settings are the same as defined in step 1. Click Next to continue.
5. On the next page, create a wireless network name, WLAN-Corp, set the security as WPA2-Personal, and the passphrase as cisco456, as shown here:
Figure 14.52 – Creating a wireless network on WLC
6. Next, you will be asked to configure a virtual IP address that allows the LAPs to communicate with the WLC on the network. Leave this configuration as the default and then click Next:
Figure 14.53 – Virtual IP configuration on WLC
7. Next, the WLC will present a summary page with the configurations you have made. Click Apply. The WLC will reboot. To access the WLC after it has rebooted, use the URL https://172.16.1.40.
8. While the WLC is rebooting, click on each LAP and drag the power adapter (1) to the power interface (2), as shown here:
Figure 14.54 – Connecting a power adapter to the AP
By default, LAPs do not have power. Connecting the power adapter via Cisco Packet Tracer will supply power to the device.
9. We need to re-enable the interfaces associated with the LAPs on SW1. Use the following commands to enable the interfaces:
SW1(config)#interface range FastEthernet0/23 - FastEthernet0/24
SW1(config-if-range)#no shutdown
SW1(config-if-range)#exit
The interfaces may take a few seconds before they transition into a forwarding state.
10. It's now time to test whether the wireless network is configured properly by connecting a mobile device. On Cisco Packet Tracer, click on End Devices and drag the smart device (such as a phone) near to an LAP.
11. Click on the smart device (phone), select the Config tab | Wireless0 interface, and apply the following settings: SSID: WLAN-Corp; Authentication: WPA2-PSK; and PSK Pass Phrase: cisco456, as shown here:
Figure 14.55 – Wireless configuration on a smart device
After applying the wireless configurations, the smart device will automatically associate itself with one of the LAPs and receive an IP address from the DHCP server on the network. If the smart device obtains an APIPA address (169.254.x.x), simply toggle back to Static and then DHCP again. This sometimes happens on a network when the DHCP Discover message was not successfully delivered to the DHCP server on the network.
Lastly, we can validate the IP configurations on the smart device. Click on the Desktop tab | Command Prompt and execute the ipconfig command, as shown here:
Figure 14.56 – Validating IP configurations
Having completed this section, you have gained hands-on experience of implementing a Cisco WLC and LAPs, and implemented wireless security in a Cisco environment.
Summary
During the course of this chapter, you have learned about the need to use a multi-layered approach known as Defense-in-Depth to improve the security posture of your network and organization. Furthermore, you have learned how threat actors can use various Layer 2 threats and attacks to compromise our enterprise network. Next, we covered how to implement Layer 2 security controls on your Cisco IOS switches to prevent and mitigate Layer 2 attacks, and wireless security to secure your network.
I hope this chapter has been informative for you and will prove helpful in your journey toward learning how to implement and administer Cisco solutions and prepare for the CCNA 200-301 certification. In the next chapter, Network Automation and Programmability Techniques, you will learn how automation and programmability can improve efficiency in network deployment and management.
Questions
The following is a short list of review questions to help reinforce your learning and help you identify areas that require some improvement:
1. Which of the following is a type of malware that is designed to encrypt your data?
A. Worm
B. Ransomware
C. Polymorphic
D. Trojan
2. A security professional implements multiple security components to improve the security posture of the organization. What is the security professional trying to do?
A. Install anti-malware on all devices.
B. Install host-based firewalls on all end devices.
C. Implement email security.
D. Implement Defense in Depth.
3. A threat actor is attempting to force a switch to flood all its inbound traffic out of all other ports. What type of attack is the threat actor performing?
A. IP spoofing
B. CAM table overflow
C. Man-in-the-middle
D. ARP spoofing
4. Another attacker is attempting to gain unauthorized access to a VLAN. What type of attack is being performed by the attacker?
A. An 802.1Q attack
B. A DTP attack
C. VLAN hopping
D. VLAN double tagging
5. Which command is used to disable DTP on an interface?
A. switchport nonegotiate
B. switchport mode access
C. switchport mode trunk
D. no switchport dtp
6. An attacker is attempting to connect a rogue DHCP server on the network. How can such an attack be prevented?
A. Implement DAI.
B. Shut down the interface.
C. Port security.
D. DHCP snooping.
7. When port security is enabled, which is the default violation mode?
A. Protect
B. Error-disabled
C. Shutdown
D. Restrict
8. Which command can be used to enable DAI to inspect both the source and destination MAC and IP addresses of each message?
A. ip arp inspection validate src-mac dst-mac
B. ip arp inspection validate src-mac dst-mac ip
C. ip arp inspection validate src-mac ip
D. ip arp inspection validate enable
9. Which security appliance should you use to filter email traffic?
A. Cisco Umbrella
B. Cisco NGIPS
C. Cisco NGFW
D. Cisco ESA
10. Which is the least secure violation mode in port security?
A. Protect
B. Error-disabled
C. Shutdown
D. Restrict
Further reading
The following links are recommended for additional reading:
Configuring port security: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html
Configuring DHCP snooping: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html
Configuring DAI: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dynarp.html
In this section, you will be introduced to network programmability. This is a new skill Cisco recommends for each existing and new network engineer in the field. Additionally, you will discover the many benefits of implementing techniques that will assist in network management, such as automation.
This section contains the following chapters:
Chapter 15, Network Automation and Programmability Techniques
Chapter 16, Mock Test 1
Chapter 17, Mock Test 2
Chapter 15: Network Automation and Programmability Techniques
In 2019, Cisco made a huge announcement related to their certification tracks and examination structure. One notable update is the inclusion of automation and programmability within the CCNA, CCNP, and CCIE certification tracks. You're probably wondering, what does this mean for current and new network engineers? To put it simply, automation and programmability are being integrated into network engineering, thus creating a new type of network professional, referred to as a network developer.
During the course of this chapter, you will learn how programmability and automation are being integrated into network engineering. Furthermore, you will gain knowledge to help you understand the various data formats used by programming languages, such as JSON, YAML, and XML.
In this chapter, we will cover the following topics:
Understanding automation
Understanding data formats
Understanding APIs
Understanding network configuration management
Understanding intent-based networking
Understanding automation
Automation is any process that is self-driven without the need for human intervention. In many manufacturing plants around the world, machines (or robots) are used during the building and assembly process. Imagine a car manufacturer using machines that can operate on a 24/7/365 continuous schedule that is being controlled by a computer. The computer provides the instructions for the machines to interpret and execute on the manufacturing line. These machines are able to work continuously without the need to stop and rest, and they can perform jobs in a precise manner without errors or faults. Having machines in a production line removes the need for human workers, as higher production output is achieved while reducing the risk of human error on the job.
Automation was most used within manufacturing plants, where it was more effective to implement machines to perform certain tasks and where the working environment may be hazardous to humans. Today, automation has been expanding to many industries, including Information Technology (IT). An example is home automation, where you can use a Raspberry Pi with its native operating system and the Python programming language, along with a few other components, to automate various processes within the home. Automation is such an awesome topic to learn about, especially as many tasks within our jobs in network engineering and even other areas of IT can benefit a lot from it.
Have you wondered how one system is able to communicate with another system? Let's use a scenario where the computer system is managing the machines that build cars on a production line. Both the computer system and the machines are different systems altogether – they are not designed with the same operating system or applications, so natively, they are not able to work together. From our point of view, it would seem the computer system is able to communicate fluently with the machines and vice versa, as they are executing the tasks as coordinated by the computer. When the computer sends instructions to the machines, they can collect all the instructions that are received and then use them to perform a given action. The computer must send the instructions using a structured data format, which will contain all the information the machines need to understand the task and to perform their jobs. In the next section, you will learn about these data formats in detail.
Understanding data formats
Let's imagine there are two different systems on a network, such as a computer and a router. The computer wants to share data with the router, but since these are two different devices altogether, the router may not understand or be able to interpret the message it receives from the computer. To solve this issue, data formats are used to ensure the data that is being exchanged between the systems is presented in a format that is easily understood by the other system. Think of a data format as two people who speak different languages using a common language such as English so that the information that's being exchanged can be easily understood by both.
Data formats go a step further to ensure computers, network devices, and applications are all able to understand data that is being shared between them. As an example, let's take a look at a simple web page written in the Hypertext Markup Language (HTML), as shown in the following screenshot:
Figure 15.1 – HTML code
HTML is known as one of the standard markup languages used to create web pages. The data format of HTML ensures an application such as a web browser can read and understand the data easily. Additionally, being a structured data format allows us humans to read and understand most of the data, as shown in the preceding snippet. Notice how the data is presented between tags (elements) and that the title of the web page is placed between the <title></title> tags. This format is used throughout the remainder of the HTML code and is an example of a structured data format.
The following screenshot shows how the preceding HTML code is rendered within a web browser:
Figure 15.2 – HTML web page
Data formats are very important to understand as they play a vital role in network automation and programmability. The following are various data formats that are used in many computer applications to assist with automation and programmability:
eXtensible Markup Language (XML)
JavaScript Object Notation (JSON)
YAML Ain't Markup Language (YAML)
These data formats are not just for systems and applications to understand; being a structured data format also allows humans to read and interpret the data and values just as the system does.
Data formats use the following rules and structures:
JSON, XML, and YAML use a key-value pair to represent data. The key is always on the left and it is used to identify the data. The value is always on the right and the value is the actual data itself. Additionally, the key and value are always separated using a colon (:) in the form of key: value.
Similar to programming languages, various syntax elements are used with data formats. These are square brackets [], parentheses (), curly braces {}, commas, quotation marks, whitespaces, and even indentation.
The objects within a data format can be characters (a-z) or strings such as words, lists, and arrays.
Over the next few sections, you will learn and understand the characteristics of JSON, XML, and YAML and how data is formatted using each of these data formats.
eXtensible Markup Language
The XML data format is designed for the internet as it closely resembles HTML. The challenge with formatting data using XML is in the difficulty it presents to us as humans in reading and understanding the data. This is because the XML data format was really designed to transport or carry data from one system to another, not to present or display it to humans.
The following are the important guidelines that should be used when formatting data with XML:
XML uses tags to structure its data. These tags use the following format: <key>value</key>.
XML has the capability to use attributes with a key-value pair, such as <key name="MyName">value</key>.
All whitespaces used within XML data are ignored.
Both configuration files and websites' sitemaps use XML.
Tip
If you're interested in learning more about the XML data format, please see the relevant page on the W3Schools site at https://www.w3schools.com/xml/default.asp.
The following snippet shows a simple note written in the XML data format:
Figure 15.3 – XML data format
As shown in the preceding snippet, on each line, the values are placed between their corresponding keys. Additionally, some lines within the data format are indented to improve readability by humans, but this is not mandatory for systems and applications. XML is also used to store, transfer, and read data between systems and applications.
JavaScript Object Notation
JSON is another human-readable data format that is used by systems and applications to store, transfer, and read data. JSON has gained a lot of popularity due to its use cases with many web services and Application Programming Interfaces (APIs) to retrieve data from publicly accessible devices.
To better understand the JSON data format, let's take a look at the output from the show interface GigabitEthernet0/1 command on a Cisco IOS router:
GigabitEthernet0/1 is up, line protocol is up (connected)
Description: Connected to Wide Area Network (WAN)
Internet address is 172.16.1.1/24
The preceding output is provided via the command-line interface (CLI) we are accustomed to when working with Cisco devices. The preceding output can be represented in the JSON data format as follows:
Figure 15.4 – JSON data format
As shown in the preceding snippet, each key-value pair contains a different piece of data about the device's interface, such as its name, its description, whether the interface is enabled or disabled, and the IP address and subnet mask.
To better understand how data is formatted in JSON, let's take a look at the following characteristics:
JSON uses a hierarchical tree structure that contains nested values and objects.
JSON uses curly braces {} to contain/hold objects.
JSON uses square brackets [] to contain/hold arrays. An array is used to represent a list of data in programming. An example of a list is a shopping list.
Data represented in JSON is written using a key-value pair. These key-value pairs are written in the key: "value" format. A colon is used to separate the key and the value.
Whitespaces are ignored but used to improve human readability.
The following are key points to help you interpret JSON:
All keys are written within double quotation marks. Values must be either other objects, arrays, strings, numbers, or Boolean values. The following is an example of a key-value pair in JSON:
{"certification": "CCNA 200-301"}
Since the key-value pair is also enclosed in curly braces, the entire format is known as a JSON object.
You can have more than one key-value pair within a single object. A comma is used to separate each key-value pair from the others.
A key may contain more than one value. Think of it like a list of items for shopping – in the programming world, this is known as an array. An array is defined as an ordered list of values enclosed in square brackets [].
Each value within a key is separated by a comma. Each array within an object is also separated by a comma.
The following is an example of a list of IT certifications represented in JSON:
Figure 15.5 – An array in JSON
From the preceding snippet, we can determine the following:
The key in this code is ITCerts.
Square brackets [] are used to create an array (a list) of three objects. These three objects are Networking, Cybersecurity, and Network Developer.
Each object is enclosed within curly braces {} and separated by a comma.
The last object within the array does not end with a comma simply because it's the last item on the list.
Each object contains one key-value pair.
Tip
If you're interested in learning more about the JSON data format, please see the following page on the W3Schools site at https://www.w3schools.com/js/js_json_intro.asp.
As you may have noticed with JSON, it's another human-readable data format for representing and exchanging data between systems and applications.
YAML Ain't Markup Language
YAML is another human-readable data format that is also used to store, transfer, and read data between systems and applications. The following are the characteristics of YAML:
YAML uses a very minimalistic format, making it easy to read and write.
YAML uses indentation to define the data structure without the need for commas or braces of any kind.
Whitespace is significant: indentation (with spaces, never tabs) defines the structure of the YAML file.
YAML uses a dash (-) to represent each item in a list (an array).
It is newer than XML and JSON and is gaining in popularity.
Let's take a look at the following JSON data:
Figure 15.6 – JSON data format
Now, let's take a look at the same data written in YAML format, as follows:
Figure 15.7 – YAML data format
Notice how key-value pairs written in YAML do not use any commas and do not require quotation marks, and that each object within the array is indicated using a dash (-).
Tip
If you're interested in learning more about the YAML data format, please see the following page: https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html.
YAML has become a preferred data format for network automation tooling such as Ansible, simply because it is easy for humans to read and write and straightforward for systems to parse.
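The JSON and YAML rules above in running code. This is an added example, not from the book: it parses a constructed JSON document shaped like Figure 15.5 (the key ITCerts holding three one-pair objects; the inner values are assumed, since the figure itself is not reproduced here) with Python's standard json module, shows which malformed inputs a strict parser rejects, and emits the same data as YAML using a small hand-written emitter so that no third-party library is needed.

```python
import json

# Constructed sample input shaped like Figure 15.5: the key ITCerts holds an
# array of three objects, each with one key-value pair. The inner values are
# assumptions; the figure itself is not reproduced on the page.
SAMPLE_JSON = """
{
  "ITCerts": [
    {"Networking": "CCNA 200-301"},
    {"Cybersecurity": "CyberOps Associate"},
    {"Network Developer": "DevNet Associate"}
  ]
}
"""


def parse_json(text: str) -> dict:
    """Parse strictly with the standard library. json.loads rejects single
    quotes, unquoted keys and trailing commas, so malformed data raises
    instead of being silently 'repaired' (what you want when the input
    arrives from another system)."""
    return json.loads(text)


def is_valid_json(text: str) -> bool:
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def certification_names(text: str) -> list:
    """Walk the parsed structure: the single key of each object in ITCerts."""
    return [next(iter(obj)) for obj in parse_json(text)["ITCerts"]]


def _scalar(v) -> str:
    """Render one scalar. Strings are quoted only when YAML would otherwise
    read them as another type (true/false/null, numbers) or misparse them
    (leading indicator characters, ': ' or '#' inside, surrounding spaces)."""
    if v is None:
        return "null"
    if isinstance(v, bool):                 # bool before int: bool is an int subclass
        return "true" if v else "false"
    if isinstance(v, (int, float)):
        return str(v)
    if v == "" or v.strip().lower() in {"true", "false", "null", "yes", "no", "~"}:
        return json.dumps(v)
    try:
        float(v)
        return json.dumps(v)                # "10" must stay a string
    except ValueError:
        pass
    if v != v.strip() or ": " in v or "#" in v or v[0] in "-?:,[]{}&*!|>'\"%@`":
        return json.dumps(v)
    return v


def to_yaml(value, indent: int = 0) -> str:
    """Minimal YAML emitter for the JSON data model (objects, arrays, scalars),
    hand-written so the example needs no PyYAML. It applies the rules the text
    lists: indentation instead of braces, one dash per list item, no commas."""
    pad = " " * indent
    if isinstance(value, dict):
        lines = []
        for k, v in value.items():
            if isinstance(v, (dict, list)) and v:
                lines.append(f"{pad}{k}:")
                lines.append(to_yaml(v, indent + 2))
            elif isinstance(v, (dict, list)):        # empty container: flow style
                lines.append(f"{pad}{k}: " + ("{}" if isinstance(v, dict) else "[]"))
            else:
                lines.append(f"{pad}{k}: {_scalar(v)}")
        return "\n".join(lines)
    if isinstance(value, list):
        lines = []
        for item in value:
            if isinstance(item, dict) and item:
                body = to_yaml(item, indent + 2).splitlines()
                lines.append(f"{pad}- {body[0].lstrip()}")   # first key on the dash line
                lines.extend(body[1:])                       # remaining keys aligned under it
            elif isinstance(item, list) and item:
                lines.append(f"{pad}-")
                lines.append(to_yaml(item, indent + 2))
            elif isinstance(item, (dict, list)):
                lines.append(f"{pad}- " + ("{}" if isinstance(item, dict) else "[]"))
            else:
                lines.append(f"{pad}- {_scalar(item)}")
        return "\n".join(lines)
    return f"{pad}{_scalar(value)}"


if __name__ == "__main__":
    print(to_yaml(parse_json(SAMPLE_JSON)))
```

The emitter quotes the string "10" but not the number 10, which is exactly the distinction a YAML reader such as Ansible makes; a VLAN ID written without quotes becomes an integer, a name that happens to be numeric must be quoted to stay a string.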
Having completed this section, you have gained the essential skills to interpret various data formats such as XML, JSON, and YAML. In the next section, you will discover the vital role that APIs play in a network, especially in network development and operations.
Understanding APIs
An API allows data to be shared between different systems or devices. APIs simply allow an application to send data to and retrieve data from another system. APIs are used almost everywhere, from cloud services such as Microsoft Azure and Amazon's AWS to social media platforms such as Facebook.
To understand how APIs operate, let's imagine you visit your favorite restaurant to have a dine-in dinner with your family or significant other. At the restaurant, you are given a menu so that you can choose your meal before it's prepared in the kitchen. As a customer, you won't be allowed to visit the kitchen to retrieve your meal when it's ready; a waiter or waitress is assigned this role. When you (the user) are ready to place your order, the request is made via the waiter/waitress (API), which is known as an API call. The waiter/waitress then goes to the kitchen with your order (the request). When the food (data) is ready, the waiter/waitress (API) delivers it to you (the response).
The following diagram shows the concept of an API retrieving data from a system for a user:
Figure 15.8 – API operations
You can think of an API as a sort of messenger that's used to request and retrieve data from a system or an application. When one system requests information from another system, an API call is used to make the request. Now, let's look at the different types of APIs.
Types of APIs
Various types of APIs are used for specific scenarios. Each type of API has its own unique purpose and role. The following is a list of the various types of APIs:
Open/public APIs: Open or public APIs are designed to be used by anyone, with few restrictions on who may call them (most still require a key and impose rate limits). An example of a public API is the YouTube Data API, which allows a person to add YouTube functionality to their application or website.
Internal/private APIs: An internal or private API is used within an organization by its employees. An example of this is an internal API that allows authorized persons from the sales team to access or retrieve internal sales information on their smart devices. Private does not mean unauthenticated: because such APIs expose internal data, they need the same authentication and authorization controls as anything facing the internet.
Partner APIs: This type of API is used between different organizations or companies. An organization is given authorization (permission from another company) to use the API to retrieve data from their application or system. As an example, your smartphone may have a weather widget that uses an API to retrieve weather forecast data from an online server.
Next, we will take a dive into Representational State Transfer (REST) APIs.
RESTful APIs
A REST API uses HTTP to send or retrieve data for a system or application. Before diving in further, it's important to understand the fundamentals of HTTP communication between a client device such as a computer and a web server. For a client device to interface with a web server, a web browser is typically used to present web pages to the user in a human-readable format. When a user wants to view a web page, the user opens their preferred web browser, which then uses either HTTP or HTTP Secure (HTTPS) to request (HTTP GET) the web page from the web server.
The following diagram shows a client machine requesting a web page from a server:
Figure 15.9 – HTTP operation
When the server receives the HTTP GET message, it responds with an HTTP status code of 200 and returns the web page to the client. HTTP defines many status codes that are useful during troubleshooting: 2xx codes indicate success, 4xx codes indicate a client-side problem (for example, 401 Unauthorized, 403 Forbidden, or 404 Not Found), and 5xx codes indicate a server-side failure. A status code of 200 simply means the request was successful and the server is returning the requested data.
REST APIs are APIs that operate on top of HTTP. REST defines the rules and conventions that developers use to execute tasks, such as requesting data or creating, updating, or deleting records on a system or application. All of this is done using HTTP methods such as GET and POST.
Important Note
An HTTP GET message is used to request (read) data from a device such as a server, while an HTTP POST message is used to send data to the server, typically to create a new record. Updates are normally made with PUT (replace the whole record) or PATCH (modify part of it).
APIs that abide by the rules and guidelines of the REST architectural style are referred to as RESTful APIs. The following characteristics must be met for an API to be considered RESTful:
A RESTful API uses a client-server model. The client is typically the frontend, where the user interfaces with the server. The server is responsible for backend operations such as hosting applications and storing data. The benefit of this model is that it allows each side to evolve independently, meaning that either the client or the server can be replaced without changing the other.
RESTful APIs are stateless by nature. Being stateless means the server does not store any client session state between requests; each request must carry everything the server needs to process it, including the client's credentials (for example, an API key or token). Any session information is kept only on the client. For example, if a client sends an API call to a server asking What is the weather like today? and the server responds with the data, and the client then sends a follow-up such as Will it be hot or cold?, the server cannot answer the second request on its own, simply because it does not remember the first one.
RESTful responses are cacheable. A response must indicate, explicitly or implicitly, whether it may be cached, so that the client (or an intermediary proxy) can reuse it instead of repeating the request. This improves the overall performance of the communication between clients and the server, and it is also why authenticated or sensitive responses should be marked as non-cacheable.
Since RESTful APIs use HTTP to exchange request and response messages between systems, it's important to understand the various HTTP methods, such as POST, GET, PUT/PATCH, and DELETE. For HTTP to request a resource, it needs to know where the resource is located, such as a web page on a web server, which is referred to by a Uniform Resource Identifier (URI). An example of a URI is https://www.netacad.com/courses/packet-tracer. Web services often support various data formats, such as the ones mentioned in the previous section; that is, XML and JSON (YAML is mostly used in configuration files rather than on the wire). When a client machine wants to request a web page, it sends an HTTP GET message to the URI and, if successful, the server responds with the HTTP 200 status code and the web page in HTML.
RESTful APIs use HTTP methods (verbs) such as POST, GET, PUT/PATCH, and DELETE to send and retrieve data between the client and server. These HTTP methods correspond to the RESTful operations Create, Read, Update, and Delete (CRUD).
The following table provides a side-by-side comparison of CRUD operations and HTTP methods:
CRUD operation  HTTP method
Create          POST
Read            GET
Update          PUT (replace) / PATCH (partial)
Delete          DELETE
Figure 15.10 – CRUD
When a client machine requests (HTTP GET) data from a system such as a server, and the request is well formed and asks for JSON (typically via an Accept: application/json header, or a format parameter that the API documents), the server responds with JSON data. The JSON in the response can then be parsed and presented by a client-side application. Treat that response as untrusted input: validate it against the fields you expect before acting on it.
For a RESTful API to interact correctly with a system or application, it's important that the RESTful API correctly identifies web resources using a URI.
A URI has the following two forms:
Uniform Resource Name (URN): A URN identifies a resource by name, independent of where it is located or how it is accessed, and uses the urn: scheme. For example, urn:ietf:rfc:3986 names the IETF document that defines URI syntax. Note that a path such as www.cisco.com/c/en/us/index.html with the scheme dropped is not a URN; it is simply a URL written without its protocol.
Uniform Resource Locator (URL): A URL specifies the location of a resource on a network and the protocol used to reach it. There are many application layer protocols, such as HTTP, HTTPS, FTP, SFTP, and so on. An example of a URL is https://www.cisco.com/c/en/us/index.html.
Additionally, a URI is made up of the following components:
Protocol (scheme): The scheme defines the application layer protocol that is used to access a resource. Examples of schemes are http and https.
Hostname: The hostname defines the Fully Qualified Domain Name (FQDN), such as www.cisco.com.
Path and filename: The path and filename identify the location and name of the resource. An example of a path and filename is /c/en/us/training-events/training-certifications/certifications/associate/ccna.html.
Fragment: A fragment identifies a specific area on a web page. It is processed by the client only and is never sent to the server. An example of a fragment is #~exams.
The following is an example of a URI containing all the components mentioned here:
https://www.cisco.com/c/en/us/training-events/training-certifications/certifications/associate/ccna.html#~exams
If you visit the preceding URI, it will take you to the examinations section of the CCNA page on the Cisco website.
As another example, the following shows a RESTful API request being sent from a client to Cisco DNA Center to request data on any interface with an IPv4 address of 10.10.22.253. The URI is as follows:
https://sandboxdnac.cisco.com/dna/intent/api/v1/interface/ip-address/10.10.22.253
The server responded in JSON data format, providing the following response:
Figure 15.11 – Response in JSON data format
Cisco DNA Center returned all the data about the interface that was assigned the specific IPv4 address stated in the URI. As shown in the preceding snippet, you can read and interpret almost all the information presented, simply because JSON is a human-readable data format.
The RESTful API request consists of the following parts:
API server: Identifies the API server within the URL. Here, the API server is https://sandboxdnac.cisco.com.
Resources: Identifies the resource being requested by the client, such as /dna/intent/api/v1/interface/ip-address/10.10.22.253.
Query: The query string (everything after the ?) carries optional parameters. Some APIs accept a format parameter indicating whether the response should be XML or JSON. Some also accept a key parameter carrying an API key to authenticate the client to the server, although placing credentials in a URL is a weak practice: query strings are recorded in browser history, proxy logs, and web server access logs, which is why APIs such as Cisco DNA Center expect the token in an HTTP header (X-Auth-Token) instead. Lastly, the query may contain parameters that send specific information from the client to the server, such as filters or paging values, which tell the API exactly what to return.
Important Note
Systems that offer publicly accessible information, such as Google Maps, allow a user to generate an API key on their platform to use the services. These keys provide a form of authentication between the client and the server, which creates a number of benefits. It allows the server to track the number of consumers using the API, limit (rate-limit) the number of requests being sent by each user, capture and keep track of the data requested by clients, and gather information about the people using the API. Treat an API key like a password: do not embed it in client-side code or commit it to a repository, and rotate it if it is exposed.
For a user to make a RESTful API request to a system, the user can use one of the following methods:
Developer website: Many online application vendors have a developer website where they maintain and publish procedures outlining how users can build on their systems with APIs. An example is the Cisco DevNet website (https://developer.cisco.com), which contains a large amount of API documentation for various Cisco platforms.
Postman: This tool allows a user to interact with a system using the various HTTP verbs to perform CRUD actions. Postman also allows a user to construct and send RESTful API requests with additional headers and query parameters, such as keys and format type. To learn more about Postman, please see https://www.postman.com.
Python: This programming language allows a developer to integrate RESTful API calls into their code to perform actions such as automation, commonly using the requests library.
Network operating systems: Network operating systems support protocols such as NETCONF and RESTCONF, which allow a network developer to interact with a network device via an API. NETCONF (RFC 6241) runs over SSH and exchanges XML-encoded configuration and operational data structured by YANG data models, while RESTCONF (RFC 8040) exposes the same YANG-modeled data over HTTPS using RESTful HTTP methods, with JSON or XML encoding.
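The request/response exchange and URI anatomy described above, as an added example that is not part of the original chapter or of Cisco's DNA Center API. The client half builds the URI from its components with urllib.parse, sends the API key in a header, maps HTTP methods to CRUD, and accepts the JSON body only on a 200 with the fields it expects. The server half is a constructed in-memory stand-in (the interface record, the token value and the X-Auth-Token check are assumptions) that is stateless: every call is authenticated on its own and rejected with 401, 404 or 405 as appropriate. In practice the fake_server call would be an HTTPS request made with the requests library.

```python
import json
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# HTTP method -> CRUD operation, as the chapter's table pairs them.
METHOD_TO_CRUD = {
    "POST": "Create", "GET": "Read",
    "PUT": "Update", "PATCH": "Update", "DELETE": "Delete",
}


def split_uri(uri: str) -> dict:
    """Break a URI into the components the chapter names: scheme, hostname,
    path (the resource), query parameters and fragment."""
    parts = urlsplit(uri)
    return {
        "scheme": parts.scheme,
        "hostname": parts.hostname,
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "fragment": parts.fragment,        # handled by the client, never sent
    }


def build_uri(api_server: str, resource_path: str, params: Optional[dict] = None) -> str:
    """Join API server + resource path + optional query parameters."""
    base = urlsplit(api_server)
    return urlunsplit((base.scheme, base.netloc, resource_path,
                       urlencode(params or {}), ""))


# --- Constructed in-memory stand-in for a REST server ----------------------
# Not Cisco DNA Center itself: the record below, the token value and the
# header check are assumptions so that the exchange can run offline.
_PREFIX = "/dna/intent/api/v1/interface/ip-address/"
_INTERFACES = {
    "10.10.22.253": {"hostName": "sw1", "portName": "Vlan1",
                     "ipv4Address": "10.10.22.253", "ipv4Mask": "255.255.255.0"},
}
_VALID_TOKENS = {"constructed-example-token"}


def fake_server(method: str, uri: str, headers: dict) -> Tuple[int, str]:
    """Stateless handler: every request is authenticated on its own and
    nothing is remembered between calls. Returns (status_code, body)."""
    req = split_uri(uri)
    if headers.get("X-Auth-Token") not in _VALID_TOKENS:
        return 401, json.dumps({"error": "unauthorized"})
    if not req["path"].startswith(_PREFIX):
        return 404, json.dumps({"error": "no such resource"})
    if method != "GET":                    # this resource is read-only here
        return 405, json.dumps({"error": f"{method} ({METHOD_TO_CRUD.get(method, '?')}) not allowed"})
    iface = _INTERFACES.get(req["path"][len(_PREFIX):])
    if iface is None:
        return 404, json.dumps({"error": "no interface with that address"})
    return 200, json.dumps({"response": iface, "version": "1.0"})


def get_interface(api_server: str, ip: str, token: str) -> Optional[dict]:
    """Client side: build the URI, send the token in a header rather than the
    query string (which lands in proxy and server logs), ask for JSON, and
    trust the body only on a 200 that carries the fields we expect."""
    uri = build_uri(api_server, _PREFIX + ip)
    status, body = fake_server("GET", uri, {"X-Auth-Token": token,
                                            "Accept": "application/json"})
    if status != 200:
        return None
    data = json.loads(body).get("response")
    if not isinstance(data, dict) or "ipv4Address" not in data:
        return None                        # malformed or unexpected payload
    return data


if __name__ == "__main__":
    print(split_uri("https://www.cisco.com/c/en/us/training-events/"
                    "training-certifications/certifications/associate/ccna.html#~exams"))
    print(get_interface("https://sandboxdnac.cisco.com", "10.10.22.253",
                        "constructed-example-token"))
```

Swapping fake_server for requests.get(uri, headers=...) turns this into a working client for a real endpoint; the validation of status code and payload shape stays exactly the same, which is the part most quick scripts skip.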
Important Note
To learn more about network programmability, check out the free course on Cisco DevNet at https://developer.cisco.com/video/net-prog-basics/.
Having completed this section, you have gained the skills to identify and understand the purpose and role that RESTful APIs play when accessing data between different systems. In the next section, you will learn about configuration management tools.
Understanding network configuration management
At the beginning of this chapter, we discussed automation and how it helps us, as network engineers, work more efficiently when configuring, deploying, and troubleshooting issues on a large network. An important benefit of network automation is that it saves us a lot of time that would otherwise be spent performing manual tasks on our network devices. When becoming a network developer, it's important to understand how various configuration management tools can improve how we automate configurations on our switches, routers, firewalls, and many other network devices.
In a traditional scenario, a network engineer accesses and manages a network device such as a router or switch via a CLI. This is how we all learned to manage our devices: if a change needs to be made on the network, we log in to the CLI and make the change by hand. Although this method has worked for many years and is still the primary way many of us do things, it is vulnerable to human error, where a person may misconfigure a device, and it can equally be very time-consuming if the network engineer has to apply the same configuration to multiple devices. Sometimes, you may think that copying and pasting configurations between devices is a form of automation, but in reality, it is still a manual, error-prone, and time-consuming task.
In Chapter 10, Implementing Network Services and IP Operations, we covered the functionality and use cases of the Simple Network Management Protocol (SNMP). This protocol allows us, as network engineers, to manage various devices on our network, such as desktop computers, servers, networking devices, and security appliances, all on an IP-based network. A network engineer will need a Network Management Station (NMS), which functions as the SNMP manager to interact with the SNMP agents on the nodes (desktops, switches, and so on). With SNMP, we can update configurations on network devices (SNMP SET); however, it's not recommended to use SNMP for such a task because of the protocol suite's security weaknesses: SNMPv1 and SNMPv2c authenticate with plaintext community strings, and a writable community string gives anyone who captures or guesses it control of the device. SNMPv3 adds authentication and encryption, but SNMP is still mostly used to retrieve information about devices, which helps networking professionals gather useful data such as statistics and performance details. This makes SNMP better suited to network monitoring than to automating device configuration.
With APIs, a network developer can quickly automate configurations and deploy devices more efficiently over a network. With APIs, you can use configuration automation tools to push changes to multiple devices simultaneously, without manually logging in to each device individually. With configuration management tools, you can use RESTful APIs (or SSH sessions driven by the tool) to automate configuration on all the devices within your organization. These tools help you maintain consistency between system and network device configurations, including security settings, IP protocol settings, interface configurations, and so on.
The following is a list of several configuration management tools:
Ansible
Chef
Puppet
The following are the characteristics of Ansible:
Developed and sponsored by Red Hat (which acquired the project in 2015).
Written in Python and uses the YAML data format for its playbooks and inventory.
It is agentless. This means an agent is not required to be installed or configured on a network device that you want to control; Ansible connects over the protocols the device already exposes (SSH, or an HTTP API) and pushes configuration to the node.
You can manage any number of devices using Ansible. As the network grows, you can designate a dedicated machine to work as the Ansible control node. Because Ansible is agentless, only this control node needs Ansible and Python installed; the managed devices need nothing extra.
All the instructions are created using a playbook.
The following are the characteristics of Chef:
Chef uses the Ruby programming language (its recipes are written in a Ruby-based DSL).
An agent (the Chef client) is required to be installed on the device you want to manage with Chef. Being agent-based, the node periodically pulls configurations from the Chef server.
The device that manages all the nodes or systems on a network is known as the Chef server (often referred to as the Chef master in older material).
All the instructions are created in a cookbook, which is made up of recipes.
The following are the characteristics of Puppet:
Puppet is written in Ruby; its manifests use Puppet's own declarative language.
Puppet supports both agent-based nodes (the Puppet agent pulls its catalog from the master periodically) and agentless management of devices that cannot run an agent, such as network equipment.
A Puppet master (now called Puppet Server) is used to control all the systems and devices on the network.
All instructions are written in manifests.
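The following Ansible playbook is an added example (not from the book, from Red Hat, or from Cisco) that shows the agentless push model the Ansible bullets describe: the control node connects over SSH to every host in an inventory group, compares the desired lines with the running configuration using the cisco.ios.ios_config module, and sends only what differs. The inventory group name ios_switches, the vault variable names, and the MGMT-ACL access list are assumptions.

```yaml
---
# Added example: push-style baseline for Cisco IOS devices.
# Assumptions: an inventory group "ios_switches", credentials stored in
# Ansible Vault under the variable names below, and an existing access list
# named MGMT-ACL that permits only the management subnet.
- name: Enforce management-plane baseline on all IOS switches
  hosts: ios_switches
  gather_facts: false
  connection: ansible.netcommon.network_cli
  vars:
    ansible_network_os: cisco.ios.ios
    ansible_user: "{{ vault_ios_user }}"          # never hard-coded in the playbook
    ansible_password: "{{ vault_ios_password }}"
  tasks:
    - name: Require SSHv2 and slow down brute-force login attempts
      cisco.ios.ios_config:
        lines:
          - ip ssh version 2
          - login block-for 120 attempts 3 within 60

    - name: Allow only SSH on the VTY lines and apply the management ACL
      cisco.ios.ios_config:
        parents: line vty 0 4
        lines:
          - transport input ssh
          - exec-timeout 10 0
          - access-class MGMT-ACL in

    - name: Save the running configuration only when something changed
      cisco.ios.ios_config:
        save_when: modified
```

Run it with ansible-playbook -i inventory.yml baseline.yml --ask-vault-pass (file names assumed). Because ios_config compares each line against the running configuration before sending it, a second run reports changed=0 on every host, which is how you verify that the fleet is in the intended state rather than trusting that a pasted CLI session succeeded everywhere.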
Having completed this section, you have learned about various configuration management tools and how each tool differs from the others. In the next section, we will take a deep dive into intent-based networking (IBN) and Cisco's Digital Network Architecture (DNA) Center.
Understanding intent-based networking
Over the course of this chapter, you have learned about many technologies that all work together to help you, as a network engineer, automate many tasks on your enterprise network. In this section, we will discuss two additional pieces of technology that bring everything together for network automation. These are known as IBN and Cisco DNA Center.
Network engineers first adopted a concept known as Software-Defined Networking (SDN) to abstract a network away from its individual devices and provide a new method of performing network administration and management tasks. With SDN, the goal was to ensure that network operations tasks were made simple and streamlined for network engineers.
Within network devices, there are three logical planes that exist within the operating system. Each plane has a unique role and function on the network. The following list provides a description of each plane:
Management plane: This plane is responsible for allowing an administrator to manage a device. As a typical network engineer, we would use various protocols such as Secure Shell (SSH), HTTPS, Trivial File Transfer Protocol (TFTP), and SNMP to help us manage our devices. The management plane simply defines how we can access a network device, which is why it is the plane to lock down first (SSH instead of Telnet, SNMPv3 instead of v2c, access lists on the VTY lines).
Data plane: This plane is responsible for forwarding the frames and packets that transit a network device, using the tables built by the control plane. It is also called the forwarding plane.
Control plane: This plane decides how the device forwards traffic; it is the brain of the device. Routing protocols, the IPv4 and IPv6 routing tables, MAC address learning, Spanning-Tree Protocol (STP), and so on all run in the control plane and populate the forwarding tables that the data plane uses.
Since each device has all these planes, each device can think and make forwarding decisions on its own while operating on a production network. As an example, an Open Shortest Path First (OSPF)-enabled router is able to make its forwarding decisions for inbound packets independently, and all OSPF-enabled routers within a single area are able to establish neighbor adjacencies in order to exchange information with each other. Enabling OSPF on a router does not happen automatically; a network engineer needs to configure each router on the network with OSPF, and then they will attempt to form neighbor adjacencies. With SDN, the controller-based network allows us to automate and manage the overall deployment and configuration of OSPF within the enterprise network.
To put it simply, we are using an SDN controller to manage the brains of all the network devices together. Therefore, the control plane (or, in most enterprise deployments, its policy and decision-making part) moves from the switches, routers, firewalls, and so on to the SDN controller on the network. The SDN controller provides a centralized control plane for all the devices on the network, while the data plane remains on the network devices, as they still need to forward Layer 2 and Layer 3 messages.
The following diagram shows the concept of an SDN controller acting as the centralized control plane for all the networking devices in a corporate environment:
Figure 15.12 – SDN controller
The SDN controller controls all the nodes (switches, routers, and so on) by using a Southbound Interface (SBI). The SDN controller needs to use some method to actually manage the network devices. The following is a list of technologies that the controller can use as an SBI:
NETCONF
OpenFlow
A CLI (typically driven over SSH)
SNMP
OpFlex
The Northbound Interface (NBI) on the controller allows us, the network engineers, to access and control everything on the network from a single pane of glass. As a network engineer or network developer, you can access the NBI using either a Graphical User Interface (GUI) or RESTful APIs. Because the NBI can reconfigure the entire network, access to it must be authenticated and authorized at least as strictly as access to any individual device.
The following shows the NBI of a Cisco DNA Center instance on the Cisco DevNet platform:
Figure 15.13 – Cisco DNA Center NBI
IBN is a newer technology that builds on top of SDN, allowing manual and hardware-centric tasks and operations to be designed into a fully fledged, software-centric automated system. In Cisco's portfolio, IBN is delivered by Cisco DNA Center. With IBN, you do not need to log in to your routers or switches individually to configure Access Control Lists (ACLs) in order to allow or deny traffic between networks, or even manually configure the OSPF routing protocol on a group of routers. With Cisco DNA Center, as a network developer, you won't need to worry too much about the actual CLI configuration that we are accustomed to. This is because we just need to tell Cisco DNA Center what our intent is, and it will make it happen. Cisco DNA Center, the centralized brain of the network, automatically applies the configurations to all the devices to make our intent for how the network should operate a reality, hence the term intent-based networking.
IBN consists of the following three functions:
Translation: This function is used to gather information about the business intent and translate it into policies. With this feature, a network engineer or developer can tell Cisco DNA Center their intention for the network, and Cisco DNA Center will translate this into supporting policies for the network.
Activation: This function takes the policies it received from the Translation function, then orchestrates the policies and configures the network devices such as switches, routers, and so on to meet the intent of the business.
Assurance: This function is used to continuously gather insights about the network, which allows Cisco DNA Center to verify that the network is behaving as intended and to perform any adjustments as required.
The following diagram shows how these three functions all work together in Cisco DNA Center:
Figure 15.14 – The three functions of IBN
With IBN, the network infrastructure (including both physical and virtual devices) is known as the fabric. The term fabric is used to describe the entire topology of an enterprise network. The fabric is everything in a network, such as the devices, applications, and technologies used to forward traffic between networks and devices.
Fabric, overlay, and underlay
With SDN and IBN, the Cisco DNA Center controller is not too concerned with how the network devices are physically interconnected or the protocols they are using to forward traffic through the network. In Cisco DNA Center, the controller uses an overlay to manage the logical topology.
The overlay reduces the number of network devices a network engineer must manually configure on the network, and it's also responsible for the services and how network devices forward traffic. To put it simply, a network engineer can specify their intent to Cisco DNA Center, which translates it into policies, which are then applied to the devices on the network via the overlay control plane to make it happen.
The following diagram shows a typical physical network topology without the overlay:
Figure 15.15 – Physical network topology
Based on the physical topology shown in the preceding diagram, there are multiple hops between PC1 and SVR1. If PC1 wants to communicate with SVR1, the traffic can take many paths. With an overlay, a Virtual Extensible LAN (VXLAN) tunnel is established across the fabric between the edge devices that PC1 and SVR1 connect to, so from PC1's point of view SVR1 appears to be a single hop away on the network.
The following diagram shows the concept of a VXLAN tunnel being established between PC1 and SVR1 over the network:
Figure 15.16 – VXLAN tunnel
With Cisco DNA Center, the controller makes it seem like PC1 and SVR1 are on a network that only contains those two devices.
Important Note
You can think of the overlay as the layer where the encapsulation protocols exist, much like the relationship between a Wireless LAN Controller (WLC) and its Lightweight Access Points (LAPs). Between the WLC and the LAPs, there's a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel that allows the WLC to manage its LAPs regardless of how the wired network in between is built.
The underlay is the actual physical network that provides connectivity for the overlay. This is typically the physical network topology and includes the switches, routers, servers, firewalls, and so on. Within the underlay, each device's data plane forwards traffic between devices using the routes that the underlay control plane (normally a routed IP network running a protocol such as IS-IS or OSPF) has built.
Within a larger topology such as a data center, similar technologies are used to improve traffic flow between endpoints in the network. Cisco uses its Application Policy Infrastructure Controller (APIC), the controller of Cisco Application Centric Infrastructure (ACI), to manage all the network devices within the data center network.
The following topology shows a typical data center network topology:
Figure 15.17 – Spine-leaf topology
The lower switches (leaves) are connected to the upper layer switches (spines) to create a full-mesh design between the two tiers. The lower layer is made up of access switches that operate as both the access and distribution layers, and each leaf switch is connected to every spine switch (leaves do not connect to each other, nor do spines). This model, which uses VXLAN as its overlay, allows the network to scale easily and keeps every pair of leaves the same number of hops apart, which suits the east-west traffic patterns of cloud deployments.
Cisco DNA Center
Cisco DNA Center provides you with the following five key functions:
Design: This function allows you to create an entire model of your intended network with buildings and office locations. You can also include both physical and virtual devices, LANs, WANs, and even cloud technologies.
Policy: Policies allow the automation of network management, helping us reduce the overall cost and risk while rolling out new services quickly on our enterprise network.
Provision: This feature enables Cisco DNA Center to deploy new devices and network services quickly and efficiently on the network, whether it's a smaller or a larger enterprise network.
Assurance: This feature enables Cisco DNA Center to take a proactive approach toward monitoring and gathering intelligence on the network. Such information helps Cisco DNA Center identify potential network issues quickly, as well as ensure that the policies applied to the network are aligned with the business intent.
Platform: This feature allows a network engineer to use APIs to integrate Cisco DNA Center with other systems and vendor devices.
Tip
To learn more about the Cisco DNA Center user interface, please be sure to check out the free Cisco DNA Center online sandbox from Cisco DevNet at https://developer.cisco.com/docs/sandbox/#!networking.
With Cisco DNA Center, you can implement IBN within your organization. As you have learned, with this controller, you can securely deploy devices on your network. Additionally, with Cisco DNA Center, you can implement the following solutions:
Software-Defined Access (SD-Access): With SD-Access, access to network resources is made available within a matter of minutes to users or devices, with segmentation and access policy applied automatically as part of onboarding rather than configured by hand afterward.
Software-Defined WAN (SD-WAN): This solution allows organizations to provide a better user experience when accessing applications that are hosted in the cloud or locally on an on-premises platform.
Cisco DNA Security: Provides a 360-degree view of real-time analytics and security intelligence on the network. This helps reduce the risk of threats while protecting your organization.
Cisco DNA Assurance: Allows a network engineer to determine the cause of issues on the network quickly and provides recommended actions to resolve them.
Having completed this section, you have learned about IBN, its operations, and the components required to make everything work together. Additionally, you have discovered how Cisco DNA Center becomes the brain behind all the operations of your network, as well as the functionality it offers to improve an enterprise network.
Summary
Over the course of this chapter, you have learned about the new era of networking, where automation and programmability can greatly help network engineers reduce the time they spend on deployment and configuration while reducing the need to manually perform repetitive tasks in their daily job. Additionally, you have gained the skills to understand various data formats such as XML, JSON, and YAML, as well as how they are used to request data from a system via APIs.
Furthermore, you have learned about the functions of various types of APIs and the components of RESTful APIs. You learned about the characteristics of configuration management tools such as Ansible, Chef, and Puppet and the role they play in assisting us with network automation. Then, we covered how IBN and Cisco DNA Center can be used to help us fully automate our enterprise network using a controller-based model.
Lastly, I know the journey of preparing for the Cisco Certified Network Associate (CCNA) 200-301 examination isn't an easy one and that there are many challenges along the road to success. I would personally like to thank you very much for your support by purchasing a copy of my book, and congratulations on making it to the end while acquiring all these amazing new skills by learning about network engineering. I do hope everything you have learned in this book has been informative and is helpful in your journey toward learning how to implement and administer Cisco solutions, as well as preparing for the CCNA 200-301 certification.
Questions
The following is a short list of review questions to help reinforce your learning and allow you to identify areas that require some improvement:
1. Which data format is commonly used to create web pages?
A. JSON
B. XML
C. HTML
D. YAML
2. Which data type is similar to HTML?
A. JSON
B. XML
C. YAML
D. Python
3. Which data type is the simplest to read and understand?
A. JSON
B. XML
C. YAML
D. Python
4. When using YAML, which syntax is used to represent a list of items?
A. {}
B. []
C. ()
D. -
5. While using JSON, which syntax is used to represent a list of items?
A. {}
B. []
C. ()
D. -
6. Which type of API allows a vendor to access data within an organization's system?
A. Partner
B. Open
C. Public
D. Internal
7. Which RESTful API operation is equivalent to an HTTP POST message?
A. PUT
B. Update
C. Request
D. Create
8. Which component of a URI identifies a specific area on a web page?
A. Path
B. Filename
C. Hostname
D. Fragment
9. Which configuration management tool uses a push function?
A. Ansible
B. Chef
C. Python
D. Puppet
10. Which function of Cisco DNA Center is responsible for configuring the network devices with the intention of the network engineer?
A. Translation
B. Activation
C. Assurance
D. Policy
Further reading
The following links are recommended for additional reading:
Ansible IOS modules: https://docs.ansible.com/ansible/latest/modules/list_of_network_modules.html#ios
Cisco DNA Center Solution: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-dna-center-so-cte-en.html?oid=sowen000306
Learn JSON: https://www.w3schools.com/js/js_json_intro.asp
YAML basics: https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
Chapter 16: Mock Exam 1
Questions
1. Which of the following network protocols are implemented in all modern-day devices?
A. OSI Model
B. TCP/IP
C. AppleTalk
D. IPX
2. Which technology would you use to extend a branch office network to another location many miles away?
A. Switch
B. WLAN
C. Router
D. WAN
3. On which layer of TCP/IP does a segment exist?
A. Transport
B. Data Link
C. Application
D. Network
4. Which layer of TCP/IP is responsible for data formatting?
A. Application
B. Presentation
C. Transport
D. Network
5. Where is the operating system located on a Cisco router?
A. NVRAM
B. HDD
C. Flash
D. SSD
6. What is the default method to access a new Cisco switch?
A. VTY
B. Console
C. AUX
D. Management IP address
7. An IPv4 address is made up of how many bits?
A. 28
B. 30
C. 48
D. 32
8. You have interconnected many Access Points (APs) onto the same corporate LAN. This type of wireless network is known as which of the following?
A. BSS
B. ESS
C. SSID
D. WLAN
9. Which command is used to create a VLAN?
A. vlan 10
B. vlan sales
C. vlan number 10
D. vlan name sales
10. Where are VLANs stored on a switch?
A. Flash
B. startup-config
C. running-config
D. vlan.dat
11. Frames that are discarded because they are smaller than the 64-byte minimum frame size are referred to as which of the following?
A. CRC
B. Runts
C. Collision
D. Giants
12. Which is the default priority value found within a BPDU message?
A. 4096
B. 32767
C. 32769
D. 32768
13. Which of the following is a port role only in Rapid-PVST+?
A. Listening
B. Blocking
C. Discarding
D. Forwarding
14. The Spanning-Tree Protocol is defined by which of the following standards?
A. IEEE 802.1D
B. IEEE 802.1Q
C. IEEE 802.1X
D. IEEE 802.11
15. Which command allows you to view the MAC address of a switch?
A. show version
B. show ip interface brief
C. show running-config
D. show device mac
16. If faulty packets enter a switch interface, which counter will increase to inform the device administrator?
A. Giants
B. Input errors
C. CRC
D. Collision
17. Which network tool can be used to test end-to-end connectivity?
A. nbtstat
B. netstat
C. traceroute
D. ping
18. Which command allows you to see all routes on a router?
A. show ip protocols
B. show route
C. show ip route
D. show routing table
19. Which command is needed to enable IPv6 routing?
A. ipv6 unicast-routing
B. ipv6 route enable
C. enable ipv6 route
D. enable ipv6 unicast-routing
20. Which command allows you to create a default route to an ISP router that has an IP address of 192.0.2.1?
A. ipv4 route 0.0.0.0 0.0.0.0 192.0.2.1
B. ip route 0.0.0.0 0.0.0.0 192.0.2.1
C. route 0.0.0.0 0.0.0.0.0 192.0.2.1
D. ip route 0.0.0.0/0 192.0.2.1
21. The default administrative distance of OSPF is which of the following?
A. 90
B. 120
C. 110
D. 170
22. Which command allows you to view the link-state database of OSPF?
A. show ip ospf neighbor
B. show ip ospf
C. show ip ospf neighbor detail
D. show ip ospf database
23. What is the default Hello timer on an OSPF-enabled interface?
A. 10
B. 5
C. 40
D. 15
24. Which command allows you to verify the Hello and Dead timers on OSPF?
A. show ip ospf database
B. show ip ospf neighbor
C. show ip protocols
D. show ip ospf interface
25. You want to create a Static NAT map between an internal computer with an IP address of 192.168.1.10 and an edge router that has a public IP of 192.0.2.10. Which of the following commands will you use to create the Static NAT map?
A. ip nat inside source static 192.0.2.10 192.168.1.10
B. ip nat inside source static 192.168.1.10 192.0.2.10
C. ip nat inside source 192.0.2.10 192.168.1.10
Telegram Channel : @IRFaraExam
D.ipnatinsidestatic192.168.1.10192.0.2.10
26. AnorganizationhasasinglepublicIPaddressandmanycomputersthatrequireinternetconnectivity.WhichtypeofNATisrecommendedtoallowtheinternaldevicestoconnecttotheinternet?
A.DynamicNAT
B.StaticNAT
C.PortAddressTranslation
D.PATwithStaticNAT
27. WhichcommandallowsyoutoverifyrecentNATtranslationsonarouter?
A.showipnat
B.showipnatstatistics
C.shownattranslations
D.showipnattranslations
28. WhichcommandallowsyoutodeterminewhetherStaticNAT,DynamicNAT,orPATisbeingusedonarouter?
A.shownat
B.showipnatstatistics
C.shownattranslations
Telegram Channel : @IRFaraExam
D.showipnattranslations
29. You'reanetworkadministratorforalargeorganizationandyouareassignedatasktoconfigurethetimeonalldeviceswithinthecompany.Whichofthefollowingmethodsisthemostefficienttocompletethistask?
A.ConfigureanNTPServeronthenetworkandconfigureallotherdevicesasNTPclientstosynchronizetime.
B.ConfigurethetimeoneachdevicewithinthenetworkandensureNTPisturnedon.
C.ConfiguretheedgerouterasanNTPclientonlyandallotherdeviceswillsynchronizetheirtimewiththerouter.
D.Alloftheabove.
30. Thedevicethathasthemostaccuratetimewithinanetworkisknownaswhichofthefollowing?
A.PublicNTPserver
B.Stratum1
C.Stratum0
D.NTPserver
31. WhichcommandisusedtorelayDHCPmessagesbetweenmachinesonanIPnetwork?
Telegram Channel : @IRFaraExam
A.ipdhcphelper
B.iphelper-dhcp
C.ipdhcphelper-address
D.iphelper-address
32. WhichapplicationlayerprotocolisusedtoresolveahostnametoanIPaddress?
A.ARP
B.DNS
C.DHCP
D.ICMP
33. WhichcommandisusedtoenablesequencenumbersinSyslogmessages?
A.servicetimestamps
B.enableservice-sequence
C.enableservicesequence-numbers
D.servicesequence-numbers
34. Whichnetworkprotocolallowsyoutoperformmonitoringonallofyournetworkingdevices?
A.SNMP
Telegram Channel : @IRFaraExam
B.Syslog
C.SolarWinds
D.MIB
35. Whichtypeofthreatactorusestheirhackingskillstoperformmaliciousactionstoserveasocialorpoliticalagenda?
A.Scriptkiddie
B.Hacktivist
C.Greyhathacker
D.Blackhathacker
36. Anobjectthattakesadvantageofasecurityweaknessonasystemisknownaswhichofthefollowing?
A.Vulnerability
B.Threat
C.Exploit
D.Hacker
37. Whichtypeofmalwareholdsyourdatahostageandasksforaransomtoreleasethedatabacktothevictim?
A.Worm
Telegram Channel : @IRFaraExam
B.Crypto-malware
C.Trojan
D.Ransomware
38. WhichofthefollowingAAAserversiscompatiblewithmixedvendordevices?
A.RADIUS
B.AAA
C.TACACS+
D.ASA
39. WhichcommandisusedtoacceptonlySSHinboundtrafficonanetworkdevice?
A.transportssh
B.transportinputssh
C.transportinputall
D.transportacceptssh
40. Whichistherecommendedcommandtocreateasecurepasswordtopreventaccesstoprivilegemode?
A.enablepasswordcisco123
Telegram Channel : @IRFaraExam
B.enablepasswordsecretcisco123
C.enablesecretcisco123
D.enablesecretpasswordcisco123
41. Whichcommandisusedtoencryptallplaintextpasswordsautomatically?
A.servicepassword-secret
B.serviceenable-password
C.serviceencryption-password
D.servicepassword-encryption
42. Whichsecuritymechanismcanbeusedtopreventanattackerfromfloodingbogusframesintoaswitch?
A.DHCPsnooping
B.IPsourceguard
C.Portsecurity
D.DynamicARPinspection
43. Anattackerisattemptingtoflipaninterfaceonaswitchintoatrunkport.Whatcanthenetworkengineerdotopreventsuchanattack?
A.switchportmodetrunk
B.switchportmodeaccess
Telegram Channel : @IRFaraExam
C.switchportnonegotiate
D.switchportport-security
44. Whichofthefollowingistruewhenportsecurityisenabledonaninterface?
A.MACaddressesareautomaticallystoredintherunning-config.
B.ThedefaultviolationmodeisRestrict.
C.Stickyisenabled.
D.Stickyisdisabled.
45. WhichwirelesssecuritystandardusestheAdvancedEncryptionStandard(AES)fordataencryption?
A.WPA
B.WPA2
C.WPA3
D.WEP
46. Whichdataformatwasdesignedfortransportingdataratherthanitspresentation?
A.XML
B.YAML
Telegram Channel : @IRFaraExam
C.JSON
D.HTML
47. WhichsyntaxdoesJSONusetoholdanobject?
A.()
B.[]
C.{}
D.-
48. WhichofthefollowingsyntaxisusedtorepresentalistofitemsinYAML?
A.()
B.-
C.{}
D.[]
49. WhichRESTfuloperationisusedtorequestdataonaserver?
A.GET
B.Create
C.Update
Telegram Channel : @IRFaraExam
D.Request
50. UsingYAML,instructionsarecreatedinwhichofthefollowing?
A.JSON
B.Cookbook
C.Playbook
D.Manifest
Telegram Channel : @IRFaraExam
Chapter 17: Mock Exam 2
Questions
1. A packet contains which of the following in its header?
A. IP address
B. MAC address
C. Port numbers
D. CRC
2. A switch uses which of the following to make its forwarding decision?
A. Source IP address
B. Destination MAC address
C. Source MAC address
D. Destination MAC address
3. Which transport layer protocol does not provide any reassurance of a message being sent between a source and destination?
A. TCP
B. IP
C. ICMP
D. UDP
4. What is the size of a MAC address?
A. 128 bits
B. 40 bits
C. 48 bits
D. 32 bits
5. A network engineer wants to verify the MAC address on a Windows computer. Which command can the network engineer use to obtain such information?
A. ipconfig
B. ipconfig /all
C. ifconfig
D. netstat
6. When a switch learns about a MAC address, where does the switch store the newly learned MAC addresses?
A. Running-config
B. Flash
C. RAM
D. CAM
7. Which device is primarily used to filter malicious traffic between networks?
A. Router
B. Switch
C. IPS
D. Firewall
8. A network engineer has deployed multiple Access Points (APs) at various branches of an organization. Which network component will help the network engineer to manage all the devices?
A. Wireless LAN controller
B. Implement each AP in autonomous mode
C. Use a console cable
D. Set up remote access using SSH
9. In the Cisco 2-Tier architecture, the Collapsed Core layer is made up of which of the following layers (choose two)?
A. Access
B. Distribution
C. Core
D. Routers
10. Where is the startup-config file located on a Cisco IOS router?
A. TFTP
B. HDD
C. RAM
D. NVRAM
11. A network engineer has just received a new Cisco router. Which is the primary method used to access the device?
A. GUI
B. Console
C. AUX
D. VTY
12. Which command will show you a summary of all the interfaces on a Cisco device and their statuses?
A. show ip interface
B. show interface brief
C. show ip interface brief
D. show interface ip brief
13. Which of the following syntaxes allows you to configure a banner on a Cisco IOS device?
A. banner motd %Keep Out%
B. banner %Keep Out%
C. banner motd %Keep Out
D. banner motd %Keep Out&
14. Which command can you use to verify how long a switch has been powered on?
A. show router
B. show clock
C. show status
D. show version
15. Which of the following IP addresses is not routable on the internet?
A. 172.33.1.4
B. 172.32.1.3
C. 172.31.1.23
D. 172.15.1.5
16. An IPv4 address contains a total of how many bits?
A. 8
B. 32
C. 48
D. 128
17. What is the number of usable IP addresses in the network 172.16.1.0/28?
A. 14
B. 16
C. 254
D. 65,534
18. Which of the following IP addresses belongs to the network 192.168.1.64/27 (choose two)?
A. 192.168.1.97
B. 192.168.1.80
C. 192.168.1.126
D. 192.168.1.94
19. Which of the following IPv4 addresses is assigned to a device automatically when a DHCP server is not present on the network?
A. 169.254.1.5
B. 168.254.1.5
C. 192.168.1.5
D. 10.10.1.5
20. Which IPv6 address is used when devices are communicating on the same local area network?
A. Unique local
B. Global unicast
C. Link-local
D. Anycast
21. Which of the following commands is used to enable IPv6 routing on a Cisco IOS router?
A. ipv6 routing
B. ipv6 enable
C. enable ipv6 routing
D. ipv6 unicast-routing
22. Which Access Point (AP) mode has the capability to switch traffic between an SSID and a virtual LAN (VLAN) if the CAPWAP tunnel is down?
A. Bridge
B. FlexConnect
C. Local
D. Flex+Bridge
23. Which type of hypervisor is installed directly on top of the hardware of a system?
A. VirtualBox
B. Type 2
C. Type 1
D. Type 0
24. Which type of cloud service provides the user with only the application's user interface?
A. SaaS
B. PaaS
C. IaaS
D. Private
25. In which type of cloud delivery model is the cloud infrastructure owned by another organization that rents part of or the entire data center to others?
A. Community
B. IaaS
C. Public
D. Private
26. When a frame enters a switch interface, which of the following tags is inserted into the message?
A. IEEE 802.1X
B. IEEE 802.1w
C. IEEE 802.1D
D. IEEE 802.1Q
27. By default, how many VLANs exist on a Cisco IOS switch?
A. 1
B. 5
C. 0
D. 2
28. VLANs that belong to the extended range are stored where?
A. startup-config
B. NVRAM
C. running-config
D. vlan.dat
29. Which of the following commands will allow you to configure an interface to be an access port?
A. switchport mode access
B. switchport access port
C. switchport mode access enable
D. switchport enable access
30. Which of the following commands allows you to assign a VLAN to an access port?
A. switchport mode access vlan 10
B. switchport vlan 10
C. switchport access vlan 10
D. switchport access mode vlan 10
31. Which of the following commands allows you to configure a native VLAN on a trunk?
A. switchport trunk allowed vlan 99
B. switchport trunk vlan 99
C. switchport native vlan 99
D. switchport trunk native vlan 99
32. Which of the following is the default operating mode of a switch's interface?
A. Access
B. Trunk
C. Dynamic desirable
D. Dynamic auto
33. Which command is used to disable the trunking negotiation feature on a switch interface?
A. switchport mode trunk
B. switchport mode access
C. switchport nonegotiate
D. no switchport nonegotiate
34. When configuring inter-VLAN routing, which command is used to associate VLAN 10 with a sub-interface?
A. encapsulation 802.1q vlan 10
B. encapsulation dot1q 10
C. encapsulation vlan 10
D. encapsulation dot1q vlan 10
35. Which command allows you to view a summary of all the VLANs on a switch and their associated interfaces?
A. show running-config
B. show interface vlan brief
C. show vlan interface brief
D. show vlan brief
36. Which command will allow you to view a summary of the trunk interfaces on a switch?
A. show interfaces trunk
B. show trunks
C. show trunk interface
D. show ip interface
37. Which command is used to disable CDP entirely on a switch?
A. no cdp
B. no cdp enable
C. no cdp run
D. no enable cdp
38. Which CDP command will allow you to obtain the IP address of a directly connected Layer 3 device?
A. show cdp interface
B. show cdp neighbors
C. show cdp
D. show cdp neighbors detail
39. Which of the following commands is used to enable LLDP on a Cisco device?
A. lldp enable
B. lldp run
C. enable lldp
D. None of the above
40. Which of the following is an interface operating mode for LACP?
A. Active
B. Auto
C. Desirable
D. Enable
41. Which command allows you to verify whether an interface is experiencing any physical issues?
A. show interface status
B. show ip interface
C. show interfaces
D. show version
42. Packets that are discarded because they exceed the maximum packet size are known as?
A. Collisions
B. Runts
C. Output errors
D. Giants
43. Which of the following standards/frameworks are designed to prevent loops on a Layer 2 network?
A. IEEE 802.1Q
B. IEEE 802.1D
C. IEEE 802.1w
D. IEEE 802.3
44. A BPDU contains which of the following components (choose 3)?
A. Extended System ID
B. Priority
C. Bridge ID
D. MAC address
E. Hostname
F. Interface ID
45. By default, each switch uses which of the following default priorities?
A. 32768
B. 32769
C. 4096
D. 0
46. Which version of Spanning-Tree is enabled by default on a Cisco switch?
A. STP
B. RSTP
C. PVST+
D. Rapid-PVST+
47. Which of the following port roles does not exist in PVST+?
A. Listening
B. Forwarding
C. Learning
D. Discarding
48. Which command allows you to enable Rapid-PVST+?
A. spanning-tree enable rapid-pvst
B. spanning-tree mode rapid-pvst
C. spanning-tree rapid-pvst enable
D. enable rapid-pvst
49. Which of the following commands can a network engineer use to ensure a switch is elected as a Root Bridge on VLAN 20?
A. spanning-tree vlan 20 priority 4096
B. spanning-tree vlan 20 priority 8192
C. spanning-tree vlan 20 priority 4095
D. spanning-tree vlan 20 priority 8193
50. Which command, when applied to an interface, prevents BPDUs from entering?
A. enable spanning-tree bpduguard
B. spanning-tree enable bpduguard
C. spanning-tree bpduguard enable
D. spanning-tree bpduguard
51. Which factor does a Cisco router use to determine the most suitable route to a destination?
A. Number of hops
B. Administrative distance
C. Bandwidth
D. Metric
52. Which of the following routing protocols uses hop count as its metric?
A. EIGRP
B. OSPF
C. BGP
D. RIP
53. A static route has a default administrative distance of…?
A. 1
B. 0
C. 90
D. 5
54. What is the default dead timer on OSPF?
A. 15
B. 180
C. 40
D. 120
55. Which command allows you to verify the process-ID of OSPF?
A. show ip ospf interface summary
B. show ip protocols
C. show ip interface
D. show ip ospf interface
56. Which command allows you to verify the OSPF process-ID on a router?
A. show ip route ospf
B. show ip protocols
C. show ospf
D. None of the above
57. You want to advertise the network 192.168.1.0/24 using OSPF. Which of the following commands will you use?
A. network 192.168.1.0 255.255.255.0
B. network 192.168.1.0 0.0.0.255
C. network 192.168.1.0 255.255.255.0 area 0
D. network 192.168.1.0 0.0.0.255 area 0
58. You want to prevent OSPF messages from either entering or leaving a specific interface on a router. Which command will you use on the router?
A. passive-interface
B. enable passive-interface
C. passive-interface enable
D. passive-interface default
59. HSRPv2 uses which of the following multicast addresses to exchange messages with other HSRP-enabled devices on the network?
A. 224.0.0.10
B. 224.0.0.5
C. 224.0.0.2
D. 224.0.0.102
60. Which of the following commands is used to verify the HSRP status between Cisco devices?
A. show active
B. show glbp
C. show standby
D. show hsrp
61. Which of the following first hop redundancy protocols is not a Cisco proprietary protocol?
A. GLBP
B. VRRP
C. HSRP
D. All of the above
62. Which type of NAT allows an organization to map multiple private IP addresses onto a single public address?
A. Port forwarding
B. Static NAT
C. Dynamic NAT
D. PAT
63. Which of the following is used to create a static NAT map with the inside address 192.168.1.10 and the outside address 192.0.2.10?
A. ip nat inside source static 192.168.1.10 192.0.2.10
B. ip nat outside source static 192.168.1.10 192.0.2.10
C. ip nat inside source static 192.0.2.10 192.168.1.10
D. ip nat outside source static 192.0.2.10 192.168.1.10
64. Which of the following commands will allow you to see NAT translations on a router?
A. show ip nat statistics
B. show nat translations
C. show ip nat translations
D. show nat statistics
65. Which of the following protocols allows you to ensure time is synchronized on a network?
A. DNS
B. ICMP
C. CDP
D. NTP
66. Which of the following ports does a DHCP server use?
A. 67
B. 68
C. 53
D. 69
67. Which command allows you to configure a default gateway as part of a DHCP pool on a Cisco IOS router?
A. default-gateway
B. default-router
C. ip default-gateway
D. ip default-router
68. Which DNS record is responsible for resolving an IP address to a hostname?
A. NS
B. SVR
C. PTR
D. A
69. In Syslog, a severity name of Error has which of the following severity levels?
A. 1
B. 2
C. 3
D. 4
70. An SNMP manager uses which of the following messages to retrieve information about a network device?
A. Retrieve
B. TRAP
C. SET
D. GET
71. Anything with the motivation to cause harm or damage to a person, system, or network is known as a what?
A. Risk
B. Threat
C. Vulnerability
D. Exploit
72. Which type of cyber-attack is focused on tricking high-profile employees of an organization into revealing confidential information?
A. Whaling
B. Spear-phishing
C. Pharming
D. Vishing
73. Which of the following commands is used to enable AAA on a Cisco IOS router?
A. enable aaa-model
B. enable aaa new-model
C. aaa new-model
D. enable aaa
74. Which command ensures the router accepts only SSH inbound connections?
A. transport ssh
B. transport only ssh
C. transport ssh input
D. transport input ssh
75. Which type of ACL would you use to filter Telnet traffic?
A. Standard ACL
B. Inbound ACL
C. Extended ACL
D. Outbound ACL
76. Which of the following commands will allow you to assign an ACL on your remote access lines?
A. ip access-group
B. access-class
C. access-group
D. ip access-class
77. Which of the following commands will allow you to assign an ACL on an interface?
A. ip access-group
B. access-class
C. access-group
D. ip access-class
78. Which type of security appliance can be implemented to prevent malicious emails from entering your organization?
A. Anti-virus
B. IPS
C. Firewall
D. ESA
79. An attacker is attempting to inject bogus frames into a switch. Which type of attack is the threat actor trying to perform?
A. Buffer overflow
B. CAM table overflow
C. Packet injection
D. DoS
80. Which security mechanism can be implemented to prevent a DHCP starvation attack?
A. switchport port-security
B. DAI
C. DHCP snooping
D. Shutting down the interface
81. Which of the following commands is used to automatically learn and store the source MAC address on an interface onto RAM?
A. switchport port-security mac-address sticky
B. switchport port-security sticky
C. port-security mac-address sticky
D. switchport mac-address sticky
82. Which of the following is the default violation mode for port security?
A. Shutdown
B. Protect
C. Restrict
D. Administratively down
83. Which of the following commands is used to enable DHCP snooping on a switch?
A. dhcp snooping
B. enable ip dhcp snooping
C. ip dhcp snooping
D. enable dhcp snooping
84. Dynamic ARP inspection is dependent on which of the following components?
A. Port security
B. The contents of the CAM table
C. The ARP cache on the local switch
D. The DHCP snooping binding table
85. Which of the following wireless security standards uses TKIP for its data encryption?
A. WPA2
B. WPA
C. WEP
D. WPA3
86. Which of the following data formats is the simplest to read and understand?
A. JSON
B. YAML
C. HTML
D. XML
87. Which of the following attributes is used to describe a RESTful API?
A. Stateful
B. Stateless
C. Non-cacheable
D. Easy to read
88. Which of the following configuration management tools requires an agent to be installed on the client device?
A. Python
B. Ansible
C. Chef
D. Puppet
89. Which of the following are functions of intent-based networking (choose two)?
A. Translation
B. Design
C. Activation
D. Policy
90. Within a data center, which component is used to manage all the networking devices?
A. APIC
B. Cisco DNA
C. Ansible
D. Cisco cloud
Chapter 1
The following are the answers to the review questions:
1. B
2. D
3. C
4. B
5. B
6. B
7. A
8. C
9. D
10. B
Chapter 2
The following are the answers to the review questions:
1. D
2. C
3. A
4. B
5. D
6. C
Chapter 4
The following are the answers to the review questions:
1. D
2. C
3. A
4. B
5. D
6. A
7. B
8. C
9. D
10. B
11. C
12. B
13. A, D
14. C
Chapter 5
The following are the answers to the review questions:
1. B
2. D
3. C
4. A
5. B
6. B
7. D
8. C
9. A
10. D
Chapter 6
The following are the answers to the review questions:
1. A
2. D
3. B
4. A
5. C
6. D
Chapter 7
The following are the answers to the review questions:
1. A
2. A
3. B
4. D
5. B, C
6. B – False
7. B – False
8. D
9. D
10. C
Chapter 8
The following are the answers to the review questions:
1. B
2. D
3. C
4. B
5. A
6. C
7. D
8. B
9. D
10. A
Chapter 9
The following are the answers to the review questions:
1. C
2. A
3. D
4. B and D
5. D
6. B
7. A
8. C
9. B
10. C
Chapter 10
The following are the answers to the review questions:
1. C
2. D
3. A
4. B
5. C
6. D
7. D
8. B
9. A
10. B
Chapter 11
The following are the answers to the review questions:
1. B
2. C
3. D
4. A
5. C
6. D
7. B
8. A
9. C
10. D
Chapter 12
The following are the answers to the review questions:
1. C
2. A
3. C
4. B
5. D
6. A
7. B
8. C
9. D
10. A
Chapter 13
The following are the answers to the preceding practice questions:
1. D
2. B
3. C
4. A
5. D
6. C
7. A
8. B
9. C
10. A
Chapter 14
The following are the answers to the review questions:
1. B
2. D
3. B
4. C
5. A
6. D
7. C
8. B
9. D
10. A
Chapter 15
The following are the answers to the review questions:
1. C
2. B
3. C
4. D
5. B
6. A
7. D
8. D
9. A
10. B
Chapter 16 – Mock Exam 1
The following are the answers to the questions from Mock Exam 1:
1. B
2. D
3. A
4. A
5. C
6. B
7. D
8. B
9. A
10. D
11. B
12. D
13. C
14. A
15. A
16. B
17. D
18. C
19. A
20. B
21. C
22. D
23. A
24. D
25. B
26. C
27. D
28. B
29. A
30. C
31. D
32. B
33. D
34. A
35. B
36. C
37. D
38. A
39. B
40. C
41. D
42. C
43. C
44. D
45. B
46. A
47. C
48. B
Chapter 17 – Mock Exam 2
The following are the answers to the questions from Mock Exam 2:
1. A
2. B
3. D
4. C
5. B
6. D
7. D
8. A
9. B, C
10. D
11. B
12. C
13. A
14. D
15. C
16. B
17. A
18. B, D
19. A
20. C
21. D
22. B
23. C
24. A
25. C
26. D
27. B
28. C
29. A
30. C
31. D
32. D
33. C
34. B
35. D
36. A
37. C
38. D
39. B
40. A
41. C
42. D
43. B
44. A, C, D
45. A
46. C
47. D
48. B
49. A
50. C
51. B
52. D
53. A
54. C
55. B
56. B
57. D
58. A
59. D
60. C
61. B
62. D
63. A
64. C
65. D
66. A
67. B
68. C
69. C
70. D
71. B
72. A
73. C
74. D
75. C
76. B
77. A
78. D
79. B
80. C
81. A
82. A
Other Books You May Enjoy
If you enjoyed this book, you may be interested in these other books by Packt:
Learn Wireshark
Lisa Bock
ISBN: 978-1-78913-450-6
Become familiar with the Wireshark interface
Navigate commonly accessed menu options such as edit, view, and file
Use display and capture filters to examine traffic
Understand the Open Systems Interconnection (OSI) model
Carry out deep packet analysis of the Internet suite: IP, TCP, UDP, ARP, and ICMP
Explore ways to troubleshoot network latency issues
Subset traffic, insert comments, save, export, and share packet captures
Network Automation Cookbook
Karim Okasha
ISBN: 978-1-78995-648-1
Understand the various components of Ansible
Automate network resources in AWS, GCP, and Azure cloud solutions
Use IaC concepts to design and build network solutions
Automate network devices such as Cisco, Juniper, Arista, and F5
Use NetBox to build network inventory and integrate it with Ansible
Validate networks using Ansible and Batfish
Leave a review - let other readers know what you think
Please share your thoughts on this book with others by leaving a review on the site that you bought it from. If you purchased the book from Amazon, please leave us an honest review on this book's Amazon page. This is vital so that other potential readers can see and use your unbiased opinion to make purchasing decisions, we can understand what our customers think about our products, and our authors can see your feedback on the title that they have worked with Packt to create. It will only take a few minutes of your time, but is valuable to other potential customers, our authors, and Packt. Thank you!
Contents
1. Implementing and Administering Cisco Solutions: 200-301 CCNA Exam Guide
2. Why subscribe?
3. Contributors
4. About the author
5. About the reviewers
6. Packt is searching for authors like you
7. Preface
   1. Who this book is for
   2. What this book covers
   3. To get the most out of this book
   4. Download the example code files
   5. Code in Action
   6. Download the color images
   7. Conventions used
   8. Disclaimer
   9. Get in touch
   10. Reviews
8. Section 1: Network Fundamentals
9. Chapter 1: Introduction to Networking
   1. Understanding the evolution of networking and the internet
   2. Understanding network sizes – SOHO, LAN, and WAN
   3. Learning about network protocol suites
      1. OSI reference model
      2. Understanding the TCP/IP protocol suite
   4. Understanding the functions of network devices
      1. Hubs
      2. Layer 2 switches
      3. Layer 3 switches
      4. Routers
      5. Next-generation firewalls and IPS
      6. Access Points
      7. Cisco Wireless LAN Controller (WLC)
      8. Endpoints and servers
      9. Cisco DNA
   5. Network topology architectures
      1. 2 Tier
      2. 3 Tier
   6. Summary
   7. Further reading
10. Chapter 2: Getting Started with Cisco IOS Devices
   1. Technical requirements
   2. Building a Cisco lab environment
      1. Cisco Packet Tracer
      2. Virtual CCNA Lab
      3. Physical labs
   3. Getting started with Cisco IOS devices
      1. Boot process
   4. Accessing a Cisco IOS device
   5. Configuring the Cisco IOS
      1. Setting up a small Cisco network
   6. Performing troubleshooting procedures
   7. Summary
   8. Questions
   9. Further reading
11. Chapter 3: IP Addressing and Subnetting
   1. Technical requirements
   2. The need for IP addressing
   3. Characteristics of IPv4
      1. Composition of an IPv4 packet
      2. Converting binary into decimal
      3. Converting decimal into binary
      4. Transmission types
   4. Classes of IPv4 addresses
      1. Public IPv4 address space
      2. Private IPv4 address space
   5. Special IPv4 addresses
      1. Loopback address
      2. Test-Net
      3. Link Local
   6. Subnet mask
      1. Network prefix
      2. Identifying the Network ID
   7. Subnetting
      1. Step 1 – Determining the appropriate IP address
      2. Step 2 – Creating new subnets (subnetworks)
      3. Step 3 – Assigning subnets to each network
      4. Step 4 – Performing Variable-Length Subnet Masking (VLSM)
   8. IPv6
      1. Types of IPv6 addresses
   9. Lab – Configuring IPv6 on a Cisco IOS router
   10. Lab – Configuring IPv6 on a Windows computer
   11. Testing end-to-end connectivity
   12. Summary
   13. Further reading
12. Chapter 4: Detecting Physical Issues, Wireless Architectures, and Virtualization
   1. Technical requirements
   2. Understanding network switch functions
      1. Detecting physical issues
      2. Wireless technologies
      3. 2.4 GHz versus 5 GHz
      4. Wireless bands
      5. SSID, BSSID, and ESS
   3. Cisco wireless architectures
      1. Autonomous
      2. Cloud-based
      3. Split-MAC
   4. AP modes
   5. Wireless components and management
      1. Lab – accessing a Cisco WLC GUI
      2. Lab – configuring a wireless network using a Cisco WLC
   6. Virtualization fundamentals
      1. Type 1 hypervisor
      2. Type 2 hypervisor
   7. Cloud computing
      1. Cloud services
      2. SaaS
      3. PaaS
      4. IaaS
      5. Cloud delivery models
   8. Summary
   9. Questions
   10. Further reading
13. Section 2: Network Access
14. Chapter 5: Implementing VLANs, Layer 2 Discovery Protocols, and EtherChannels
   1. Technical requirements
   2. Understanding VLANs
      1. VLAN ranges
      2. Types of VLANs
      3. Trunk interfaces
      4. Inter-VLAN routing
      5. Lab – implementing VLANs
      6. Lab – creating trunk interfaces
      7. Lab – configuring inter-VLAN routing
   3. Layer 2 Discovery Protocols
      1. Cisco Discovery Protocol (CDP)
      2. Link-Layer Discovery Protocol (LLDP)
   4. Understanding and configuring EtherChannels
      1. Lab – implementing EtherChannels
   5. Summary
   6. Questions
   7. Further reading
15. Chapter 6: Understanding and Configuring Spanning-Tree
   1. Technical requirements
   2. What is Spanning-Tree Protocol?
      1. Bridge Protocol Data Unit
      2. Root bridge and secondary root bridge
   3. Spanning-tree standards
      1. Port roles and states
      2. Determining the root bridge and port roles
      3. PVST+
      4. Rapid-PVST+
      5. Lab – implementing Rapid-PVST+ on a Cisco network
      6. Lab – configuring PortFast and BPDU guard
   4. Summary
   5. Questions
   6. Further reading
16. Section 3: IP Connectivity
17. Chapter 7: Interpreting Routing Components
   1. Technical requirements
   2. Understanding IP routing
   3. Components of the routing table
      1. Routing protocol codes
      2. Prefix and network mask
      3. Next hop
      4. Administrative Distance
      5. Routing metrics
      6. Gateway of last resort
   4. Summary
   5. Questions
   6. Further reading
18. Chapter 8: Understanding First Hop Redundancy, Static and Dynamic Routing
   1. Technical requirements
   2. Understanding static routing
      1. Do we need static routing?
      2. Types of static routes
      3. Lab – configuring static routing using IPv4
      4. Lab – configuring an IPv4 default route
      5. Lab – configuring static routing using IPv6
   3. Understanding dynamic routing
      1. Types of dynamic routing protocols
      2. Open Shortest Path First
      3. Lab – configuring OSPFv2
      4. Validating OSPF configurations
   4. Understanding first hop redundancy
      1. Various FHRPs
   5. Summary
   6. Questions
   7. Further reading
19. Section 4: IP Services
20. Chapter 9: Configuring Network Address Translation (NAT)
   1. Technical requirements
   2. The challenge of using IPv4 on the internet
   3. Understanding NAT
      1. Understanding NAT operation and terminology
   4. Types of NAT
      1. Static NAT
      2. Dynamic NAT
      3. Configuring PAT
   5. Lab – implementing NAT overload (PAT)
   6. Lab – implementing static NAT with port forwarding
   7. Lab – implementing dynamic NAT
   8. Summary
   9. Questions
   10. Further reading
21. Chapter 10: Implementing Network Services and IP Operations
   1. Technical requirements
   2. Understanding NTP
      1. Lab – configuring NTP
   3. Understanding DHCP
      1. DHCP operations
      2. Cisco's DHCP configurations
      3. DHCP relay
      4. Lab – configuring DHCP and DHCP relay
   4. Domain Name System
      1. DNS root servers
      2. DNS record types
      3. Lab – configuring DNS
   5. Understanding the benefits of using Syslog
      1. Syslog severity levels
      2. Lab – configuring Syslog
   6. Simple Network Management Protocol
      1. SNMP versions
      2. Management information base
      3. Lab – configuring SNMP
   7. QoS traffic classification
      1. QoS terminologies
      2. Traffic type characteristics
      3. QoS queuing algorithms
      4. QoS policy models
      5. QoS implementation methods
   8. Summary
   9. Questions
   10. Further reading
22. Section 5: Security Fundamentals
23. Chapter 11: Exploring Network Security
   1. Technical requirements
   2. Security concepts
      1. The CIA triad
      2. Threats
      3. Vulnerabilities
      4. Exploits
      5. Attacks
   3. Authentication, Authorization, and Accounting
      1. Lab – Implementing AAA
   4. Elements of a security program
   5. Wireshark 101
      1. Lab – Analyzing packets
   6. Summary
   7. Questions
   8. Further reading
24. Chapter 12: Configuring Device Access Control and VPNs
   1. Technical requirements
   2. Device access control
      1. Securing console access
      2. Securing an AUX line
      3. VTY line access
      4. Securing Privilege Exec mode
      5. Encrypting all plaintext passwords
   3. Virtual Private Networks
      1. Site-to-Site VPNs
      2. Remote access VPNs
      3. IPsec
      4. Lab – Configuring a site-to-site VPN
      5. Lab – Configuring a remote access VPN
   4. Summary
   5. Questions
   6. Further reading
25. Chapter 13: Implementing Access Control Lists
   1. Technical requirements
   2. What are ACLs?
      1. Benefits of using ACLs
   3. ACL operation
   4. ACL wildcard masks
      1. Calculating the wildcard mask
      2. ACL guidelines and best practices
   5. Working with standard ACLs
      1. Creating a numbered standard ACL
      2. Implementing a named standard ACL
      3. Deleting an ACL
      4. Lab – implementing a standard numbered ACL
      5. Lab – configuring a standard named ACL
      6. Lab – securing VTY lines using ACLs
   6. Working with extended ACLs
      1. Creating a numbered extended ACL
      2. Implementing a named extended ACL
      3. Lab – implementing extended ACLs
   7. Summary
   8. Questions
   9. Further reading
26. Chapter 14: Implementing Layer 2 and Wireless Security
   1. Technical requirements
   2. Types of Layer 2 attacks on a network
      1. Network attacks
      2. Defense in depth
      3. Layer 2 threats
   3. Protecting against Layer 2 threats
      1. Port security
      2. DHCP snooping
      3. Dynamic ARP inspection
   4. Wireless network security
      1. Authentication methods
      2. Lab – implementing wireless security using a WLC
   5. Summary
   6. Questions
   7. Further reading
27. Section 6: Automation and Programmability
28. Chapter 15: Network Automation and Programmability Techniques
   1. Understanding automation
   2. Understanding data formats
      1. eXtensible Markup Language
      2. JavaScript Object Notation
      3. YAML Ain't Markup Language
   3. Understanding APIs
      1. Types of APIs
      2. RESTful APIs
   4. Understanding network configuration management
      1. Fabric, overlay, and underlay
      2. Cisco DNA Center
   5. Summary
   6. Questions
   7. Further reading
29. Chapter 16: Mock Exam 1
   1. Questions
30. Chapter 17: Mock Exam 2
   1. Questions
31. Assessments
   1. Chapter 1
   2. Chapter 2
   3. Chapter 4
   4. Chapter 5
   5. Chapter 6
   6. Chapter 7
   7. Chapter 8
   8. Chapter 9
   9. Chapter 10
   10. Chapter 11
   11. Chapter 12
   12. Chapter 13
   13. Chapter 14
   14. Chapter 15
   15. Chapter 16 – Mock Exam 1
   16. Chapter 17 – Mock Exam 2
32. Other Books You May Enjoy
   1. Leave a review - let other readers know what you think