Share the data with your friend via the internet [ISP (Internet Service Provider)].
IP phones are used within the LAN for communication (now called collaboration; previously voice).
VoIP [Voice over IP] call quality depends on the available internet bandwidth and latency.
Putting all 100 employees into a single LAN is not desirable (one large broadcast domain).
Divide the 100 employees into LAN-1 (25), LAN-2 (25), LAN-3 (25), LAN-4 (25).
Switches are used inside the LAN.
Routers are used outside the LAN [i.e. on the WAN side].
Finally, all the routers are connected.
Two different LANs are connected via the ISP.
The ISP handles the larger traffic volume with high-end routers.
Servers in the security space are typically specified with large memory, in the range of 200 GB to 1 TB of RAM.
------------------------------------------------
Router----------------------------------------------
CCNA_DAY_2:
Router:
L3 device.
Router deals with the IP address.
Router maintains a database called the routing table.
Routers are used on the WAN side (between two different networks).
Router separates broadcast domains.
No. of broadcast domains = No. of active ports.
Collision Domain:
When two devices try to transmit data at the same time, a collision happens.
Collisions happen between two devices operating in half duplex on the same
shared segment (collision domain).
----------------------------------------------------------
Full duplex:
Device A and device B are connected by a single cable.
Logically there are two separate paths, one in each direction, so both ends can transmit at the same time.
At present the networking industry uses full duplex, not half duplex.
In full duplex, collisions do not occur (each direction has its own path).
Full duplex example: mobile phone.
By default, full duplex is enabled.
Half duplex:
Only one device can transmit at a time (not both at the same time).
Half duplex example: walkie-talkie.
----------------------------------------------------------
Hub:
L1 device.
Dumb device (repeats the signal out of every port; no addressing).
Single broadcast domain.
Single collision domain.
A collision between any two devices affects the whole hub segment, because every port shares one collision domain.
Hub is a centralized device.
With a centralized device, troubleshooting the network is easy.
If PC1 is connected to all the other PCs without any centralized device (mesh
topology), troubleshooting at the physical layer is very complex.
-----------------------------------------------------------------------------------
-----
Name----------> Amit (name doesn't change).
Employee ID---> 125 (employee ID changes).
Address types:
1. IP address [also known as logical address] [Eg: Employee ID, changes with the network you join].
2. MAC address [also known as physical address] [Eg: Name, fixed to the device].
MAC address:
The MAC address is burned into the NIC by the manufacturer and does not change with the network
(it can, however, be overridden in software, so it must not be relied on as proof of a device's identity).
Example: home address.
Both the IP address and the MAC address are used to transfer data from one device to another.
A switch always uses the MAC address as its forwarding parameter.
----------------------------------------------------------
Switch:
L2 device.
Intelligent device.
Switch deals with the MAC address.
Single broadcast domain by default.
No. of broadcast domains = No. of VLANs.
No. of collision domains = No. of active ports.
Full duplex.
A single broadcast domain is divided into smaller broadcast domains with
VLANs.
Example:
IT department (VLAN 10) (single broadcast domain).
VLAN 10 (single broadcast domain) consists of 4 PCs.
PC-1 sends a frame via the switch to PC-2 only, not to PC-3 or PC-4, although all four are in the
single broadcast domain.
If the switch does not yet know where PC-2 is, it floods that frame to PC-2, PC-3 and PC-4.
Within VLAN 10 [single broadcast domain] the forwarding decision is based on the MAC address alone.
Switch deals with the MAC address.
Switch maintains a database [MAC address table / CAM table].
The MAC addresses of the 4 PCs are learned by the switch.
Scenario-1:
If the MAC address table is already populated (unicast from the 2nd frame onwards).
Scenario-2:
If the MAC address table is not yet populated:
the first frame is flooded while the MAC address table gets populated;
from the 2nd frame onwards, unicast.
Scenario-2 steps:
Step-1: Switch notes the interface the frame arrived on.
Step-2: Switch reads the frame's source MAC address and records it against that interface (MAC address table update).
Step-3: Switch looks up the frame's destination MAC address.
The destination is unknown, so the switch floods the frame the first time.
PC-2 receives the frame successfully.
Now, PC-2's reply reaches the switch.
Again, the switch notes the ingress interface.
Switch updates its MAC address table with PC-2's MAC address (the source of the reply).
2nd time, the switch finds the destination MAC address in its MAC address table.
2nd time, direct unicast happens.
----------------------------------------------------------
At L3, one-to-all delivery is called broadcasting (a router does not forward broadcasts between its interfaces).
Router maintains a database (routing table).
----------------------------------------------------------
Deliberate one-to-all delivery in the switch is called flooding (out of every port except the ingress port).
MAC address table entries:
1). Static method:
A static entry never expires, until the entry is deleted manually.
2). Dynamic method:
A dynamic entry expires after 300 seconds [5 minutes] of inactivity.
Different platforms use different default timers for the MAC address table.
By default, the MAC address table has a 300-second timer [5 minutes].
After 300 seconds [5 minutes] without seeing the address, the timer expires and the dynamic entry is
flushed from the MAC address table.
Every frame received from that source MAC address resets its timer to 300 seconds.
Manual adjustment of the timer is possible.
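The learn / flood / unicast / aging behaviour described above, as a small added simulation (this is not code from the course notes). A Switch object keeps the MAC address table, floods broadcast and unknown-unicast frames out of every port except the ingress port, unicasts known destinations, honours static entries and flushes dynamic entries after the 300 s timer. The MAC addresses and port numbers in the demo are made up.

```python
"""Toy learning switch: MAC address (CAM) table with flooding, unicast
forwarding, static entries and 300 s aging. Added example for these
notes; the MAC addresses and ports used in demo() are made up."""
from dataclasses import dataclass, field

AGING_SECONDS = 300          # default dynamic-entry timer from the notes
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Entry:
    port: int
    static: bool
    last_seen: float         # seconds; meaningless for static entries


@dataclass
class Switch:
    ports: tuple
    table: dict = field(default_factory=dict)   # mac -> Entry

    def add_static(self, mac, port):
        """Static entry: never ages out, never overwritten by learning."""
        self.table[mac] = Entry(port, True, 0.0)

    def age(self, now):
        """Flush dynamic entries not refreshed within AGING_SECONDS."""
        expired = [m for m, e in self.table.items()
                   if not e.static and now - e.last_seen > AGING_SECONDS]
        for m in expired:
            del self.table[m]
        return expired

    def forward(self, in_port, src, dst, now):
        """Process one frame; return the set of egress ports."""
        self.age(now)
        # Steps 1-2: learn. The switch records whatever source MAC arrives
        # on in_port; nothing authenticates it, so a host can claim any MAC.
        cur = self.table.get(src)
        if cur is None or not cur.static:
            self.table[src] = Entry(in_port, False, now)   # (re)start timer
        # Step 3: look up the destination.
        hit = self.table.get(dst)
        if dst == BROADCAST or hit is None:
            # Broadcast, or unknown unicast: flood out every port but ingress.
            return {p for p in self.ports if p != in_port}
        return {hit.port}                                    # known: unicast


def demo():
    """Scenario-2 from the notes: first frame floods, reply is learned, then unicast."""
    sw = Switch(ports=(1, 2, 3, 4))
    pc1, pc2 = "00:00:00:00:00:01", "00:00:00:00:00:02"
    first = sw.forward(1, pc1, pc2, now=0.0)      # unknown dst -> {2, 3, 4}
    reply = sw.forward(2, pc2, pc1, now=1.0)      # pc1 known   -> {1}
    second = sw.forward(1, pc1, pc2, now=2.0)     # pc2 known   -> {2}
    return first, reply, second


if __name__ == "__main__":
    print(demo())
```

Because learning trusts the source address of any frame, the table reflects what hosts claim, not what they are; that is the property port security and static entries exist to constrain.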
----------------------------------------------------------
IP Addressing:
There are two versions of IP address (both are logical addresses; the physical address is the MAC address):
a). IPv4 address:
Consider IPv4 as a container.
The container holds about 4.29 billion IP addresses (2^32).
Container size is 32 bits [4 bytes].
Conversion:
a). Conversion of binary to decimal:
Minimum binary value [00000000] per octet -> sum = 0 [minimum decimal value] per octet.
Maximum binary value [11111111] per octet -> sum = 255 [maximum decimal value] per octet (128+64+32+16+8+4+2+1).
Octet 1: 0-255 [256 values].
Octet 2: 0-255 [256 values].
Octet 3: 0-255 [256 values].
Octet 4: 0-255 [256 values].
Numbering concept:
Bits -> an individual 1 [1 bit] means the bit is ON and an individual 0 [1 bit] means the bit is OFF.
Bytes [or octets] -> a byte is a combination of 8 bits [1 byte = 1 octet].
Binary numbers: [Eg: 01010101 = 85].
Hexadecimal numbers (base 16, digits 0-9 and A-F; used for MAC addresses and IPv6).
b). IPv6 address:
Consider IPv6 as a container.
The container holds an enormous number of IP addresses, far beyond IPv4.
Container size is 128 bits [16 bytes].
2^128 = 3.4028236692093846e38 is the total number of IPv6 addresses in the IPv6 container.
----------------------------------------------------------
MAC address size is 48 bits [6 bytes], written as 12 hexadecimal digits.
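The binary/decimal/hex relationships above, as an added example (not from the course notes): conversions done with explicit bit weights so the ON/OFF value of each bit is visible, plus a strict IPv4 parser. The sample addresses are arbitrary.

```python
"""Octet, IPv4 and MAC conversions done with explicit bit weights, so the
binary/decimal/hex relationships in the notes are visible. Added example,
not from the course; sample values are arbitrary."""

WEIGHTS = (128, 64, 32, 16, 8, 4, 2, 1)      # value of each bit, MSB first


def octet_to_bits(value):
    """0..255 -> 8-character binary string; a bit is '1' (ON) if its weight fits."""
    if not 0 <= value <= 255:
        raise ValueError("an octet holds 0..255")
    bits = []
    for w in WEIGHTS:
        if value >= w:
            bits.append("1")
            value -= w
        else:
            bits.append("0")
    return "".join(bits)


def bits_to_octet(bits):
    """8 binary digits -> decimal, summing the weights of the ON bits."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("need exactly 8 binary digits")
    return sum(w for w, b in zip(WEIGHTS, bits) if b == "1")


def parse_octet(text):
    """Strict decimal octet. Rejects signs, blanks and leading zeros:
    '010' is octal (8) to inet_aton() but 10 to many other parsers, and
    that disagreement is a classic way to slip an address past a filter."""
    if not text.isdigit() or (len(text) > 1 and text[0] == "0"):
        raise ValueError(f"bad octet {text!r}")
    value = int(text)
    if value > 255:
        raise ValueError(f"octet out of range: {text}")
    return value


def ipv4_to_int(addr):
    """'1.0.0.0' -> 16777216: each octet shifts in 8 bits."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError("IPv4 needs exactly 4 octets")
    n = 0
    for p in parts:
        n = (n << 8) | parse_octet(p)
    return n


def is_valid_ipv4(addr):
    """True only for a strict dotted-decimal IPv4 address."""
    try:
        ipv4_to_int(addr)
        return True
    except ValueError:
        return False


def int_to_ipv4(n):
    """Inverse of ipv4_to_int."""
    if not 0 <= n < 2 ** 32:
        raise ValueError("not a 32-bit value")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ipv4_to_binary(addr):
    """Dotted binary, e.g. a subnet mask's 1s (network) and 0s (host)."""
    return ".".join(octet_to_bits(parse_octet(p)) for p in addr.split("."))


def mac_to_int(mac):
    """'aa:bb:cc:dd:ee:ff' -> 48-bit integer (12 hex digits = 6 bytes)."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError("MAC needs 6 two-digit hex bytes")
    return int("".join(parts), 16)
```

The strictness in parse_octet is deliberate: an address that two parsers read differently is a validation bypass waiting to happen, so reject anything that is not plain dotted decimal.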
----------------------------------------------------------
IPv4 address has 4 octets.
Consider octet 1 as a container.
Octet 1 always starts from 0 [minimum value] and ends with 255 [maximum value]; its value decides the class:
class A example: 1.1.1.1 (first octet 1-126)
class B example: 128.1.1.1 (first octet 128-191)
class C example: 192.1.1.1 (first octet 192-223)
class D example: 224.1.1.1 (first octet 224-239, multicast)
class E example: 240.1.1.1 (first octet 240-255, experimental)
Host bits:
In the subnet mask, host bits are represented with '0'.
The host bits are the part of the address that varies from host to host within the network.
Network bits:
In the subnet mask, network bits are represented with '1'.
The network bits are fixed for every host in the network.
Note:
N represents Network bits.
H represents Host bits.
----------------------------------------------------------
class B subnet mask-255.255.0.0/16
No.of network bits-16.
No.of host bits-16.
----------------------------------------------------------
class C subnet mask-255.255.255.0/24
No.of network bits-24.
No.of host bits-8.
-------------------------------------------------------------
Class   No. of networks   No. of hosts [IP addresses] in a network
A       128               16,777,216
B       16,384            65,536
C       2,097,152         256
Important note:
The number of networks is inversely proportional to the number of hosts [IP addresses] in a
network.
----------------------------------------------------------
class A subnet mask - 255.0.0.0/8
N H H H
0.0.0.0/8 - Invalid (reserved).
1.0.0.0/8 [the 1.0.0.0/8 network has 16,777,216 IP addresses]
2.0.0.0/8 [the 2.0.0.0/8 network has 16,777,216 IP addresses]
.
.
.
.
127.0.0.0/8 -> loopback network [reserved].
Loopback is used for self-checking.
class A:
Network: 1.0.0.0/8
N H H H
No. of hosts [IP addresses] in the network: 16,777,216.
Octet 4:
1.0.0.0 [1st IP address]
1.0.0.1
1.0.0.2
.
.
.
1.0.0.255
Now octet 4 is full [0-255].
A single octet holds 256 values (0-255).
We have 16,777,216 IP addresses in total.
We have used 256 of them.
The count continues in the next octet: octet 3 increments by one and octet 4 starts again from 0.
We can vary the 3 host octets (octets 2, 3 and 4).
Octate 3:
1.0.1.0
1.0.1.1
1.0.1.2
1.0.1.3
.
.
.
1.0.1.255
1.0.2.0
1.0.2.1
1.0.2.2
1.0.2.3
.
.
.
.
1.0.2.255
Octate 2:
1.1.0.0
1.1.0.1
.
.
.
1.1.0.255
.
.
.
1.1.1.0
Overall:
First IP address [reserved as network id] in the 1.0.0.0/8 network: 1.0.0.0
.
.
.
Last IP address [reserved as broadcast] in the 1.0.0.0/8 network: 1.255.255.255
10.0.0.0[Network-id]
10.0.0.1[First valid IP address]
.
.
.
10.255.255.254[Last valid IP address]
10.255.255.255[Broadcast IP address]
Eg:
10.0.0.0/8 and 10.1.0.0/8 belong to the same network,
because the network parts (first octet) are the same.
----------------------------------------------------------
Class B:
class B subnet mask-255.255.0.0/16
150.0.0.0/16
N N H H
Eg:
150.0.0.0/16 and 150.1.0.0/16 belong to different networks,
because the network parts (first two octets) are different.
150.0.0.0 [Network id]
150.0.0.1 [First valid IP address]
.
.
.
150.0.0.254
150.0.0.255 (still a valid host address in a /16; not the broadcast)
150.0.1.0 (valid host address in a /16)
150.0.1.1
.
.
.
150.0.1.254
150.0.1.255
.
.
.
150.0.255.254 [Last valid IP address]
150.0.255.255 [Broadcast IP address]
N N H H
Overall:
150.0.0.0/16:
150.0.0.0[Network id]
.
.
.
150.0.255.255[Broadcast id]
----------------------------------
Task:
160.0.0.0/16:
----------------------------------------------------------
Class C:
class C subnet mask - 255.255.255.0/24
200.0.0.0/24
N N N H
200.1.0.0/24
N N N H
200.0.1.0/24
N N N H
(200.0.0.0/24, 200.1.0.0/24 and 200.0.1.0/24 are three different networks, because their network parts differ.)
200.0.0.0/24 [Network id]
200.0.0.1/24 [First valid IP address]
200.0.0.2/24
.
.
.
200.0.0.254/24 [Last valid IP address]
200.0.0.255/24 [Broadcast id].
----------------------------------------------------------
Tasks:
192.168.0.0/24:
N N N H
192.168.0.0/24[Network id]
N N N H
.
.
.
192.168.0.255/24[Broadcast id]
N N N H
172.168.0.0/16:
N N H H
172.168.0.0/16 [Network id]
N N H H
.
.
.
172.168.255.255/16 [Broadcast id]
N N H H
201.0.0.0/24:
N N N H
201.0.0.0/24[Network id]
N N N H
.
.
.
201.0.0.255/24[Broadcast id]
N N N H
111.0.0.0/8:
N H H H
111.0.0.0/8 [Network id]
N H H H
.
.
.
111.255.255.255/8 [Broadcast id]
N H H H
----------------------------------------------------------
3 routers are connected in series.
Broadcast traffic cannot be transferred from one network to another.
By default, there is no communication between two broadcast domains.
Communication between two broadcast domains can be established using static routing,
default routing or dynamic routing protocols, but only for unicast and multicast
traffic, not for broadcast traffic.
A router does not forward broadcast traffic from one interface to
another.
----------------------------------------------------------
CCNA_DAY_6:
Subnetting:
VLANs divide a single broadcast domain into smaller broadcast domains at L2; subnetting does the same for the address space at L3.
Note:
Public IP address - paid (allocated via the ISP).
Private IP address - free (RFC 1918 ranges, not routable on the internet).
Disadvantages of classful allocation:
1). Cost increases.
2). Wastage of IP addresses is high [e.g. a whole class A for 120 hosts: 16,777,216 - 120 = 16,777,096 IP addresses wasted].
Solution: subnetting.
Subnetting advantages:
1). Cost decreases.
2). Wastage of IP addresses is less.
Subnetworks:
Formula: 2^N
2^1 = 2 subnetworks.
2^2 = 4 subnetworks.
2^3 = 8 subnetworks.
Note:
N - no. of network bits borrowed from the host part (new network bits).
Hosts:
Formula: 2^H.
2^7 = 128 [IP addresses].
2^3 = 8 [IP addresses].
Note:
H - no. of remaining host bits.
Eg: 200.1.1.0/25
Step-1: class C default subnet mask = 255.255.255.0.
Step-2: no. of network bits = 24.
Step-3: no. of host bits = 8 (1 bit borrowed -> new mask 255.255.255.128, 7 host bits left).
Step-4: [Block size]
Block size = 256 [total no. of hosts [IP addresses] in a /24 network] - new subnet mask value (last octet)
= 256 - 128
= 128.
Note:
N - new network bits.
Formula: 2^H - 2.
= 2^7 - 2
= 128 - 2.
= 126 valid hosts.
Note:
H - new host bits.
Note:
Total hosts [IP addresses] for '/24' - 256.
Total hosts [IP addresses] for '/25' - 128.
Total hosts [IP addresses] for '/26' - 64.
Total hosts [IP addresses] for '/27' - 32.
Total hosts [IP addresses] for '/28' - 16.
Total hosts [IP addresses] for '/29' - 8.
Total hosts [IP addresses] for '/30' - 4.
Total hosts [IP addresses] for '/31' - 2.
Total hosts [IP addresses] for '/32' - 1 [a single host; no host bits left to vary].
----------------------------------------------------------
Eg: 200.0.0.0/26
Step-1: class C default subnet mask = 255.255.255.0.
Step-2: no. of network bits = 24.
Step-3: no. of host bits = 8 (2 bits borrowed -> new mask 255.255.255.192, 6 host bits left).
Step-4: [Block size]
Block size = 256 [total no. of hosts [IP addresses] in a /24 network] - new subnet mask value (last octet)
= 256 - 192
= 64.
Note:
N-New network bits.
Formula:2^H-2.
=2^6-2
=64-2.
=62 valid hosts.
Note:
H-New host bits.
Subnetwork-1:
Network id-200.0.0.0/26
First valid host[IP address] of A.1 =200.0.0.1/26
Last valid host[IP address] of A.1 =200.0.0.62/26
Broadcast id-200.0.0.63/26
Subnetwork-2:
Network id-200.0.0.64/26
First valid host[IP address] of A.2 =200.0.0.65/26
Last valid host[IP address] of A.2 =200.0.0.126/26
Broadcast id-200.0.0.127/26
Subnetwork-3:
Network id-200.0.0.128/26
First valid host[IP address] of A.3 =200.0.0.129/26
Last valid host[IP address] of A.3 =200.0.0.190/26
Broadcast id-200.0.0.191/26
Subnetwork-4:
Network id-200.0.0.192/26
First valid host[IP address] of A.4 =200.0.0.193/26
Last valid host[IP address] of A.4 =200.0.0.254/26
Broadcast id-200.0.0.255/26
----------------------------------------------------------
Question:
200.0.0.137/27 - ?
1). Find out the '/' value.
/27 (new subnet mask 255.255.255.224).
2). 200.0.0.137/27 belongs to which network?
Step-1: class C default subnet mask = 255.255.255.0.
Step-2: no. of network bits = 24.
Step-3: no. of host bits = 8 (3 bits borrowed, 5 host bits left).
Step-4: [Block size]
Block size = 256 [total no. of hosts [IP addresses] in a /24 network] - new subnet mask value (last octet)
= 256 - 224
= 32.
Note:
N - new network bits.
Formula: 2^H - 2.
= 2^5 - 2
= 32 - 2.
= 30 valid hosts.
Note:
H - new host bits.
Subnetwork-1:
Network id-200.0.0.0/27
First valid host[IP address] of A.1 =200.0.0.1/27
Last valid host[IP address] of A.1 =200.0.0.30/27
Broadcast id-200.0.0.31/27
Subnetwork-2:
Network id-200.0.0.32/27
First valid host[IP address] of A.2 =200.0.0.33/27
Last valid host[IP address] of A.2 =200.0.0.62/27
Broadcast id-200.0.0.63/27
Subnetwork-3:
Network id-200.0.0.64/27
First valid host[IP address] of A.3 =200.0.0.65/27
Last valid host[IP address] of A.3 =200.0.0.94/27
Broadcast id-200.0.0.95/27
Subnetwork-4:
Network id-200.0.0.96/27
First valid host[IP address] of A.4 =200.0.0.97/27
Last valid host[IP address] of A.4 =200.0.0.126/27
Broadcast id-200.0.0.127/27
Subnetwork-5:
Network id-200.0.0.128/27
First valid host[IP address] of A.5 =200.0.0.129/27
Last valid host[IP address] of A.5 =200.0.0.158/27
Broadcast id-200.0.0.159/27
Subnetwork-6:
Network id-200.0.0.160/27
First valid host[IP address] of A.6 =200.0.0.161/27
Last valid host[IP address] of A.6 =200.0.0.190/27
Broadcast id-200.0.0.191/27
Subnetwork-7:
Network id-200.0.0.192/27
First valid host[IP address] of A.7 =200.0.0.193/27
Last valid host[IP address] of A.7 =200.0.0.222/27
Broadcast id-200.0.0.223/27
Subnetwork-8:
Network id-200.0.0.224/27
First valid host[IP address] of A.8 =200.0.0.225/27
Last valid host[IP address] of A.8 =200.0.0.254/27
Broadcast id-200.0.0.255/27
Answer: 200.0.0.137 lies between 200.0.0.128 and 200.0.0.159, so 200.0.0.137/27 belongs to Subnetwork-5 (200.0.0.128/27).
----------------------------------------------------------
Note:
Total hosts [IP addresses] for '/24' - 256 [valid hosts - 254].
Total hosts [IP addresses] for '/25' - 128 [valid hosts - 126].
Total hosts [IP addresses] for '/26' - 64 [valid hosts - 62].
Total hosts [IP addresses] for '/27' - 32 [valid hosts - 30].
Total hosts [IP addresses] for '/28' - 16 [valid hosts - 14].
Total hosts [IP addresses] for '/29' - 8 [valid hosts - 6].
Total hosts [IP addresses] for '/30' - 4 [valid hosts - 2].
Total hosts [IP addresses] for '/31' - 2 [valid hosts - 0 by the 2^H - 2 rule; in practice both addresses are usable on point-to-point links, RFC 3021].
Total hosts [IP addresses] for '/32' - 1 [a single host route; no host bits].
Requirement is:
1). 120 IP addresses: '/25' [128 - 2 = 126 valid hosts] is feasible for 120 IP addresses.
2). 130 IP addresses: '/24' [256 - 2 = 254 valid hosts]; '/25' gives only 126.
3). 10 IP addresses: '/28' [16 - 2 = 14 valid hosts].
4). 2 IP addresses: '/30' [4 - 2 = 2 valid hosts].
Eg: 150.0.0.0/17
Step-1: class B default subnet mask = 255.255.0.0.
Step-2: no. of network bits = 16.
Step-3: no. of host bits = 16 (1 bit borrowed -> new mask 255.255.128.0, 15 host bits left).
Step-4: [Block size]
Block size = 256 - new subnet mask value (octet 3)
= 256 - 128
= 128 (the block size applies to octet 3: subnets 150.0.0.0/17 and 150.0.128.0/17).
Note:
N - new network bits.
-------------------------
Note:
H - new host bits.
New subnet mask in binary: 11111111.11111111.10000000.00000000 (/17 = 255.255.128.0).
-----------------------------------
Class A subnetting: [focus on the host part, not on the network part].
Eg: 10.1.1.0/9
Step-1: class A default subnet mask = 255.0.0.0.
Step-2: no. of network bits = 8.
Step-3: no. of host bits = 24 (1 bit borrowed -> new mask 255.128.0.0, 23 host bits left).
Note:
N - new network bits.
Formula: 2^H - 2.
= 2^23 - 2
= 8,388,608 - 2.
= 8,388,606 valid hosts.
-------------------------
Cross check:
8,388,608 * 2 = 16,777,216 hosts [IP addresses] (the two /9 halves make up the /8).
-------------------------
Note:
H - new host bits.
Eg:
11.0.0.0/8 [Classful: the default class A mask]
11.0.0.0/9 [Classless]
11.0.0.0/10 [Classless]
11.0.0.0/11 [Classless]
11.0.0.0/12 [Classless]
11.0.0.0/13 [Classless]
11.0.0.0/14 [Classless]
11.0.0.0/15 [Classless]
11.0.0.0/16 [Classless]
(Any prefix other than the class default is classless: the mask must always be carried along with the address.)
Subnetwork-1:
Network id-11.0.0.0/25
First valid host[IP address] of A.1 =11.0.0.1/25
Last valid host[IP address] of A.1 =11.0.0.126/25
Broadcast id-11.0.0.127/25
Use 100 IP addresses out of the 126 valid IP addresses.
Keep the remaining 26 IP addresses for the future.
Choosing the mask by requirement rather than by class is what is meant by classless.
Subnetwork-2:
Network id-11.0.0.128/25
First valid host[IP address] of A.2 =11.0.0.129/25
Last valid host[IP address] of A.2 =11.0.0.254/25
Broadcast id-11.0.0.255/25
Classless:
Eg: 10.0.0.0/30 [total addresses = 4; valid hosts = 4 - 2 = 2].
----------------------------------------------------------
Classless Task:
10.0.0.10/30 [network from class A, '/30' is from class C]
Block size: 4.
Subnet boundaries: 10.0.0.0/30, 10.0.0.4/30, 10.0.0.8/30, 10.0.0.12/30, ...
10.0.0.10 falls between 10.0.0.8 and 10.0.0.12.
So, network id is 10.0.0.8/30
broadcast id is 10.0.0.11/30
----------------------------------------------------------
Classless Task:
10.0.0.101/27 [network from class A, '/27' is from class C]
Block size: 32.
Subnet boundaries: 10.0.0.0/27, 10.0.0.32/27, 10.0.0.64/27, 10.0.0.96/27, 10.0.0.128/27, ...
10.0.0.101 falls between 10.0.0.96 and 10.0.0.128.
So, network id is 10.0.0.96/27
broadcast id is 10.0.0.127/27
----------------------------------------------------------
Classless Task:
150.1.1.235/28 [network from class B, '/28' is from class C]
Block size: 16.
Subnet boundaries: 150.1.1.0/28, 150.1.1.16/28, 150.1.1.32/28, 150.1.1.48/28, 150.1.1.64/28,
150.1.1.80/28, 150.1.1.96/28, 150.1.1.112/28, 150.1.1.128/28, 150.1.1.144/28, 150.1.1.160/28,
150.1.1.176/28, 150.1.1.192/28, 150.1.1.208/28, 150.1.1.224/28, 150.1.1.240/28
(the next boundary would be 150.1.2.0, the end of the 150.1.1.0/24 block).
150.1.1.235 falls between 150.1.1.224 and 150.1.1.240.
So, network id is 150.1.1.224/28
broadcast id is 150.1.1.239/28
----------------------------------------------------------
Classless Task:
200.0.0.177/25 [network from class C, '/25' is from class C]
Subnet mask: 255.255.255.128/25 [11111111.11111111.11111111.10000000]
Block size = 256 - 128
= 128.
Subnet boundaries: 200.0.0.0/25, 200.0.0.128/25 (the next boundary, 200.0.1.0, is outside the /24).
200.0.0.177 falls between 200.0.0.128 and 200.0.0.255.
So, network id is 200.0.0.128/25
broadcast id is 200.0.0.255/25
----------------------------------------------------------
Classless Task:
10.0.0.101/26 [network from class A, '/26' is from class C]
Block size: 64.
Subnet boundaries: 10.0.0.0/26, 10.0.0.64/26, 10.0.0.128/26, ...
10.0.0.101 falls between 10.0.0.64 and 10.0.0.128.
So, network id is 10.0.0.64/26
broadcast id is 10.0.0.127/26 (the last address before the next boundary; 10.0.0.128 is the next network id)
----------------------------------------------------------
Classless Task:
11.0.0.133/30 [network from class A, '/30' is from class C]
Block size: 4.
Subnet boundaries: 11.0.0.0/30, 11.0.0.4/30, 11.0.0.8/30, 11.0.0.12/30, ..., 11.0.0.132/30, 11.0.0.136/30
11.0.0.133 falls between 11.0.0.132 and 11.0.0.136.
So, network id is 11.0.0.132/30
broadcast id is 11.0.0.135/30
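The subnet arithmetic worked by hand in the subnetting section and in the classless tasks above (block size, valid hosts, splitting a network, and finding the subnet a host address belongs to), as an added example using Python's standard ipaddress module. This is not code from the course; the addresses used in the checks are the ones from the tasks.

```python
"""Subnet arithmetic with the standard library, covering the hand-worked
tasks above: block size, valid hosts, splitting a network, and finding the
subnet a host address belongs to. Added example, not part of the notes."""
import ipaddress


def block_size(prefixlen):
    """Addresses per subnet: 2^(32 - prefix), e.g. /27 -> 32."""
    return 2 ** (32 - prefixlen)


def valid_hosts(prefixlen):
    """Usable hosts: block minus network id and broadcast. /31 is the
    point-to-point exception (RFC 3021, both addresses usable); /32 is one host."""
    if prefixlen == 32:
        return 1
    if prefixlen == 31:
        return 2
    return block_size(prefixlen) - 2


def describe(cidr):
    """Network id, first/last valid host and broadcast for the subnet that
    contains the given host address, e.g. '200.0.0.137/27'."""
    iface = ipaddress.ip_interface(cidr)      # host address with its mask
    net = iface.network                       # host bits zeroed -> network id
    if net.prefixlen >= 31:
        first, last = net.network_address, net.broadcast_address
    else:
        first, last = net.network_address + 1, net.broadcast_address - 1
    return {
        "network": str(net),
        "first": str(first),
        "last": str(last),
        "broadcast": str(net.broadcast_address),
        "block": net.num_addresses,
        "valid": valid_hosts(net.prefixlen),
    }


def subnets_of(parent, new_prefix):
    """Split e.g. 200.0.0.0/24 into /26s: list of (network, first, last, broadcast)."""
    out = []
    for s in ipaddress.ip_network(parent).subnets(new_prefix=new_prefix):
        d = describe(f"{s.network_address}/{s.prefixlen}")
        out.append((str(s.network_address), d["first"], d["last"], d["broadcast"]))
    return out


def boundaries(parent, new_prefix):
    """The '+ block size' ladder from the tasks, as a list of network ids."""
    return [str(s.network_address)
            for s in ipaddress.ip_network(parent).subnets(new_prefix=new_prefix)]


def smallest_prefix_for(hosts):
    """Longest prefix whose usable host count covers the requirement.
    Starts at /30: /31 and /32 are for links and host routes, not LANs."""
    for p in range(30, -1, -1):
        if valid_hosts(p) >= hosts:
            return p
    raise ValueError("requirement exceeds IPv4")


if __name__ == "__main__":
    for task in ("10.0.0.10/30", "10.0.0.101/27", "150.1.1.235/28",
                 "200.0.0.177/25", "10.0.0.101/26", "11.0.0.133/30"):
        print(task, describe(task))
```

ip_interface is the right entry point when the input is a host address with a mask; ip_network with the default strict=True would reject it because host bits are set, which is itself a useful check when you expect a network id and not a host.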
----------------------------------------------------------
FLSM and VLSM:
FLSM [Fixed Length Subnet Mask].
VLSM [Variable Length Subnet Mask].
The network admin requires 146 public IP addresses for the individual employees to
access the internet.
The ISP delivers 11.0.0.0/24 [classless].
'/25' cannot be used, because the total valid hosts [IP addresses] for '/25' is 126.
----------------------------------------------------------
11.0.0.0/24 [single broadcast domain].
Assign IP addresses from the same network [11.0.0.0/24] within the company.
Requirement:
Internally divide the network 11.0.0.0/24 into 4 parts within the company.
Always start with the team that requires the highest no. of hosts [IP addresses].
Sales team [subnetwork-1]:
11.0.0.0/24 [valid hosts = 254]:
Network id - 11.0.0.0/24
Broadcast id - 11.0.0.255/24
Now internally divide the network 11.0.0.0/24 into 4 separate parts.
According to FLSM,
use the same subnet mask [255.255.255.128 = /25] for all the teams.
A /24 yields only two /25s, so with FLSM the 3rd and 4th teams need a second block (the 12.0.0.0/25 entries below).
According to VLSM,
give each team the smallest mask that fits it, again starting with the team that requires the highest no. of hosts [IP
addresses].
IP wastage = 6 - 6
= 0.
Team          VLSM             FLSM
Sales team    11.0.0.0/25      11.0.0.0/25
HR team       11.0.0.176/29    11.0.0.128/25
IT team       11.0.0.160/28    12.0.0.0/25
Admin team    11.0.0.128/27    12.0.0.128/25
IP wastage = 4 - 2
= 2.
Buffer zone: [fifth highest no. of hosts requirement]
11.0.0.0/24
11.0.0.60 to 11.0.0.63 is kept for future teams.
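The VLSM procedure above (largest team first, smallest mask that fits, carved from the lowest free block) next to the FLSM alternative, as an added example that is not part of the course notes. The team sizes are assumed; they were chosen so that the VLSM result reproduces the VLSM column of the table above, and the FLSM check shows why that column spills into a second block.

```python
"""VLSM versus FLSM on one parent block. Added example, not from the notes.
The team sizes are assumed; they were picked so that the VLSM result
matches the VLSM column in the table above (11.0.0.0/25, .128/27,
.160/28, .176/29)."""
import ipaddress

# Assumed requirements (hosts per team) for the 11.0.0.0/24 the ISP delivered.
REQUIREMENTS = {"Sales": 100, "Admin": 25, "IT": 12, "HR": 6}


def prefix_for(hosts):
    """Longest prefix whose usable hosts (2^H - 2) cover the requirement."""
    for p in range(30, 7, -1):
        if 2 ** (32 - p) - 2 >= hosts:
            return p
    raise ValueError("requirement exceeds a /8")


def allocate_vlsm(parent, requirements):
    """Largest team first; each team gets the smallest fitting subnet carved
    from the lowest free block. Returns (plan, leftover blocks)."""
    free = [ipaddress.ip_network(parent)]
    plan = {}
    for team, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        p = prefix_for(hosts)
        free.sort(key=lambda n: int(n.network_address))
        for i, blk in enumerate(free):
            if blk.prefixlen <= p:            # block is big enough
                chosen = free.pop(i)
                break
        else:
            raise ValueError(f"no room for {team} ({hosts} hosts)")
        while chosen.prefixlen < p:           # halve until it is exactly /p
            chosen, spare = chosen.subnets(prefixlen_diff=1)
            free.append(spare)                # upper half stays available
        plan[team] = str(chosen)
    free.sort(key=lambda n: int(n.network_address))
    return plan, [str(n) for n in free]


def flsm_fits(parent, requirements):
    """FLSM uses one mask, sized for the largest team, for every team;
    it fits only if the parent yields enough equal subnets."""
    p = prefix_for(max(requirements.values()))
    count = 2 ** (p - ipaddress.ip_network(parent).prefixlen)
    return count >= len(requirements)


def allocate_flsm(parent, requirements):
    """Equal-size subnets, largest team first. Raises when the block is too
    small, which is why the FLSM column above needs a second /24."""
    if not flsm_fits(parent, requirements):
        raise ValueError("parent block too small for FLSM with this team count")
    p = prefix_for(max(requirements.values()))
    subnets = ipaddress.ip_network(parent).subnets(new_prefix=p)
    teams = sorted(requirements, key=lambda t: -requirements[t])
    return {t: str(s) for t, s in zip(teams, subnets)}


def wasted(plan, requirements):
    """Usable addresses left over per team: (block - 2) - requirement."""
    return {t: ipaddress.ip_network(n).num_addresses - 2 - requirements[t]
            for t, n in plan.items()}


if __name__ == "__main__":
    plan, spare = allocate_vlsm("11.0.0.0/24", REQUIREMENTS)
    print(plan, spare, wasted(plan, REQUIREMENTS))
    print("FLSM fits in one /24:", flsm_fits("11.0.0.0/24", REQUIREMENTS))
```

The leftover list is the buffer zone: with these sizes 11.0.0.184/29 and 11.0.0.192/26 remain for future teams.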
----------------------------------------------------------
Tasks:
3 examples on FLSM.
3 examples on VLSM.
Keep the '/' value between '/24' and '/30'.
Task:
Types of cables.
----------------------------------------------------------
CCNA_DAY_8:
OSI [Open Systems Interconnection model]:
OSI is an ISO standard (ISO/IEC 7498), not an IEEE one.
Before it (1970s), devices from one vendor (e.g. IBM) could not communicate with devices from another vendor.
1). Physical Layer:
The physical layer is about physical connections.
Interface naming example: f0/0 = FastEthernet, slot number 0 [NIC/module], port number 0.
UDP examples (transport layer, see below):
1). DHCP.
2). DNS.
----------------------------------------------------------
4). Transport Layer:
The transport layer has two protocols:
1). TCP [train: the connection is set up first and everything arrives in order].
2). UDP [flight/bus/car/bike/bicycle/walk: just send it].
TCP [transport medium] and UDP [transport medium] are used to transfer the data from
PC1 to PC2.
TCP or UDP is chosen depending on the data type (application).
Both TCP and UDP have the port number concept.
A purchase-order confirmation arrives only on the Amazon website [same tab], not on the
Netflix website, because each connection is identified by its own port numbers.
------------------------------------------------
NSE3 certificate.
Fortinet [NSE Institute].
Fortinet's Network Security Expert certification.
NSE 3: Network Security Associate.
-------------------------------------------------
The application layer, presentation layer and session layer are software based.
The programmer is responsible for the application, presentation and session layers.
The network engineer is responsible for the physical, data link, network and transport
layers, which are hardware/network based.
Upper layers:
1). Application layer.
2). Presentation layer.
3). Session layer.
Lower layers:
1). Physical layer.
2). Data link layer.
3). Network layer.
4). Transport layer.
Example 1:
The session layer keeps all the different applications/tabs open at the same time in
Google Chrome.
The session layer manages all these applications via the transport layer.
The session layer always works on the basis of the port number.
The session layer uses the transport layer concept.
Example 2:
Online exam time is 2 hours.
After 2 hours, the window is closed.
Example 3:
Online banking.
The webpage has been idle for the last 1 minute.
The webpage is closed automatically.
The session expires automatically.
The timer is set in advance by the developers.
----------------------------------------------------------
6). Presentation Layer:
Open the Networkershome website on a mobile phone/tablet/laptop: the presentation layer handles the data format (translation, compression).
In the OSI model, encryption and decryption are placed in the presentation layer (in practice TLS sits between the transport and application layers).
----------------------------------------------------------
7). Application Layer:
Different protocols in the application layer:
1). HTTP.
2). HTTPS.
3). Telnet.
4). FTP.
5). SMTP.
6). BGP.
7). SSH.
During decapsulation, every lower layer's header carries basic information about the next upper
layer,
i.e.,
L1 delivers the bits that L2 reads as a frame.
The L2 header (EtherType) tells which routed protocol is inside [IPv4 = 0x0800 or IPv6 = 0x86DD].
The L3 header (protocol field) tells which L4 protocol is inside [TCP = 6 or UDP = 17].
----------------------------------------------------------
CCNA_DAY_9:
What is the use of the session layer?
Types of routed protocols?
How many bits in a MAC address?
How many bits in an IPv6 address?
How many bytes in a MAC address?
----------------------------------------------------------
Difference between TCP and UDP:
TCP                                             UDP
1). Connection establishment.                   No connection establishment.
2). Flow control.                               No flow control.
3). Congestion control.                         No congestion control.
4). Acknowledgement.                            No acknowledgement.
5). Error correction by retransmitting data.    Error detection only (checksum), no correction.
6). Ordered delivery.                           No ordered delivery.
7). Reliable delivery.                          Unreliable delivery.
8). Applications:                               Applications:
    HTTP                                        DNS [usually]
    FTP                                         DHCP
    SMTP                                        RTP [Real-time Transport Protocol]
    Telnet                                      VoIP
    MSN Messenger
----------------------------------------------------------
Transmission Control Protocol [TCP]:
1). Connection-oriented communication.
2). Flow control.
UDP example:
Book the ticket and then inform your friend.
TCP example:
Inform the friend and then book the ticket.
The 3-way handshake happens before the data transfer from Node A to Node B.
UDP transfers the data directly, without any 3-way handshake.
UDP does not support the 3-way handshake.
Scenario 2: [responder is free]
Initiator                                   Responder
-> SYN (seq 1)
<- SYN (seq 2) + ACK (1).
-> ACK (2).
<->
Connection established.
Data transfer.
-> Data-1 (1).
<- Ack-1 (1).
-> Data-2 (2).
<- Ack-2 (2).
The initiator keeps a record of the acknowledgement numbers received
from the responder.
The responder keeps a record of the data sequence numbers received from the
initiator.
-> Data-3 (3) -> Data-3 is lost in between due to some network issue.
-> Data-4 (4).
<- Ack-4 (4) (simplified; real TCP acknowledges cumulatively, so it would keep repeating the acknowledgement for Data-2 until Data-3 arrives).
.
.
.
.
<- Re-transmission (the responder's acknowledgements tell the initiator that Data-3 is missing)
-> Data-3 (3) re-transmitted.
<- Ack-3 (3).
Both the initiator's record (acknowledgement numbers) and the responder's
record (sequence numbers) get updated.
Note:
FIN -> Finish (used to close the connection).
----------------------------------------------------------
Let us consider 1 billion packets to be transmitted.
The initiator would expect 1 billion acknowledgements.
1 billion acknowledgements are a huge amount of traffic.
The 3-way handshake (setup) and 4-way handshake (teardown with FIN) are fine at small scale.
1 billion acknowledgements are a disadvantage at large scale.
Windowing is the solution.
Set the window size to, say, 1000 packets.
The responder sends one acknowledgement for every 1000 packets (one cumulative acknowledgement per window).
If any one of the packets from the initiator is missing:
re-transmission (the responder's acknowledgement tells the initiator to resend Data-6).
-> Data-6 (6) re-transmitted.
Now the responder sends 1 acknowledgement.
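The handshake, cumulative acknowledgement, loss recovery and windowing described above, as an added simulation that is not part of the course notes. Sequence numbers count whole segments rather than bytes, one ACK is returned per burst, and loss is injected by listing the segments to drop; the initial sequence numbers for the handshake are supplied by the caller, with a helper showing how a real stack should pick them.

```python
"""Simplified model of TCP's three-way handshake, cumulative ACKs, loss
recovery and windowing. Added example, not from the notes. Units are
toy ones (1 segment = 1 unit of sequence space, one ACK per burst); real
TCP counts bytes, runs retransmission timers and may use SACK."""
import random

_sysrand = random.SystemRandom()


def random_isn():
    """Initial sequence number. Predictable ISNs let an attacker forge a
    connection (RFC 6528 asks for a secret-keyed, hard-to-guess ISN)."""
    return _sysrand.getrandbits(32)


def three_way_handshake(isn_a, isn_b):
    """Return the three segments as (direction, flags, seq, ack) and both
    sides' next sequence number once the connection is established."""
    segments = [
        ("A->B", ("SYN",), isn_a, None),             # SYN: here is my ISN
        ("B->A", ("SYN", "ACK"), isn_b, isn_a + 1),  # SYN+ACK: acknowledge ISN_A
        ("A->B", ("ACK",), isn_a + 1, isn_b + 1),    # ACK: acknowledge ISN_B
    ]
    return segments, {"a_next": isn_a + 1, "b_next": isn_b + 1}


def transfer(n_segments, window, lose_first_time=frozenset()):
    """Send segments 1..n with a sliding window. The receiver buffers
    out-of-order data and returns one cumulative ACK (next expected segment)
    per burst. Segments listed in lose_first_time are dropped the first time."""
    base, next_seq = 1, 1            # oldest unacked / next new segment
    received, rcv_next = set(), 1    # receiver buffer / its cumulative ACK
    sent_once = set()
    stats = {"transmissions": 0, "retransmissions": 0, "acks": 0, "dup_acks": 0}
    last_ack = None
    while base <= n_segments:
        burst = []
        while next_seq < base + window and next_seq <= n_segments:
            burst.append(next_seq)
            next_seq += 1
        if not burst:                # window full, nothing acked: resend oldest
            burst = [base]
            stats["retransmissions"] += 1
        for seq in burst:
            stats["transmissions"] += 1
            lost = seq in lose_first_time and seq not in sent_once
            sent_once.add(seq)
            if lost:
                continue
            received.add(seq)
            while rcv_next in received:   # slide past contiguous data
                rcv_next += 1
        ack = rcv_next                   # cumulative: everything below arrived
        stats["acks"] += 1
        if ack == last_ack:
            stats["dup_acks"] += 1       # a repeated ACK signals the gap
        last_ack = ack
        base = ack
    stats["delivered"] = rcv_next == n_segments + 1
    return stats


if __name__ == "__main__":
    print(three_way_handshake(random_isn(), random_isn())[0])
    print("window 1:", transfer(10, 1, {3}))
    print("window 4:", transfer(10, 4, {3}))
```

Compare the two runs in the usage: with a window of 1 every segment costs an acknowledgement, with a window of 4 the same ten segments need four, and in both cases the lost Data-3 is recovered by resending the oldest unacknowledged segment after the repeated ACK.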
----------------------------------------------------------
Amit Sir's suggestion for the CCIE Security guys:
First finish at least 70% to 80% of the training.
After CCIE Security, we will get a chance to work in a SOC profile.
----------------------------------------------------------
2). Flow Control:
Take three routers and connect them in series like R1 [Source] -> R2 [Buffer] -> R3 [Destination].
Transfer the data from the source [R1] to the destination [R3].
R1 to R2 has a fibre optic cable [data rate: 1 Gbps = 1000 Mbps].
R2 to R3 has an Ethernet cable [data rate: 10 Mbps].
The slower link is the bottleneck.
R2 has a buffer; flow control stops the sender from overrunning it.
UDP Applications:
1).Streaming media.
2).Real-time multiplayer games.
3).Voice over IP.
1). RAM [volatile]:
RAM is temporary memory.
The configuration present in RAM is known as the running configuration.
The running configuration is stored in RAM.
The router loses the running configuration during a reboot.
The running configuration is temporary.
2). NVRAM [Non-Volatile RAM]:
NVRAM is permanent memory.
Save the running configuration into NVRAM (copy running-config startup-config).
The configuration present in NVRAM is known as the startup configuration.
The startup configuration is permanent.
3). ROM:
ROM is permanent memory.
Holds the bootstrap and a mini-OS (ROMMON) for back-up/recovery.
4). Flash:
Flash is permanent memory.
Flash keeps the IOS images [IOS versions 12.x, 15.x, 16.x].
IOS (Cisco IOS) is the operating system of the router.
Flash memory is removable.
---------------------------------------------------------
TFTP server:
A TFTP server is used to install IOS on the router.
The TFTP server is software.
Connect the laptop to the router's interface via a FastEthernet cable.
Push the IOS image into the router's flash memory with the help of the TFTP server.
The TFTP server is used to download (back up) the IOS image from the router.
The TFTP server is used to upload the IOS image into the router.
TFTP has no authentication or encryption, so run it only on an isolated management network and verify the image hash on the router (verify /md5) after the transfer.
----------------------------------------------------------
Case:
Router1 with IOS image.
Router2 without IOS image.
Take the IOS image backup from Router1's flash memory to the TFTP server,
then upload the IOS image from the TFTP server to Router2.
----------------------------------------------------------
Boot sequence:
1). Router runs POST and the bootstrap from ROM, then tries to find the IOS image in flash memory.
2). Loads the IOS image from flash into RAM (if no image is found, it falls back to a TFTP server or ROMMON).
3). Router tries to find the startup configuration in NVRAM.
4). Router loads that startup configuration into RAM as the running configuration.
5). Router prompts for login (username/password) if configured; with no startup configuration it enters setup mode.
----------------------------------------------------------
Config-register:
The bootstrap program that runs the boot sequence is in ROM.
The config register is a 16-bit value (stored in NVRAM) that instructs the bootstrap how to boot.
The default config-register value is 0x2102.
The config register plays a very important role in the router and in the switch
(e.g. 0x2142 makes the router ignore the startup configuration, which is how console password recovery works, so console access must be physically protected).
SSH is secure.
In corporates, SSH is used 100% for remote access (not Telnet).
Step2: Bootstrap/Boot sequence:
1). Router runs POST and the bootstrap from ROM, then tries to find the IOS image in flash memory.
2). Loads the IOS image from flash into RAM (if no image is found, it falls back to a TFTP server or ROMMON).
3). Router tries to find the startup configuration in NVRAM.
4). Router loads that startup configuration into RAM as the running configuration.
5). Router prompts for login (username/password) if configured; with no startup configuration it enters setup mode.
Manually connect R1 and R2 via a cable [FastEthernet/Ethernet/fibre optic].
Step3: Auto negotiation:
1). FLP [Fast Link Pulse].
FLP bursts advertise and check the speed.
2). Duplex:
a). Full duplex.
b). Half duplex.
By default, full duplex (via auto-negotiation) on all Cisco devices.
Possibility:
Full duplex can be changed manually to half duplex.
Note:
Half duplex works only with half duplex.
Full duplex works only with full duplex.
Half duplex on one side and full duplex on the other (duplex mismatch) causes late collisions and errors,
so the link degrades instead of failing cleanly.
----------------------------------------------------------
GARP [Gratuitous ARP]:
ARP sits between L2 and L3 (an Ethernet frame carrying IP addresses).
In a gratuitous ARP the sender IP address and the target IP address are the same.
A router can automatically detect whether its IP address is unique in the network by using
GARP.
Sent by routers / L3 switches / firewalls / FTD / FMC / ISE / Stealthwatch / WSA / ESA / wireless controllers /
access points / mobile phones.
Nothing authenticates the sender fields, so a gratuitous ARP can equally be used to poison neighbours' ARP caches (ARP spoofing).
----------------------------------------------------------
4). Assign IP address:
Once an IP address is assigned on the router,
GARP is immediately used to find out whether the IP address is unique.
----------------------------------------------------------
Packet format (gratuitous ARP):
Source (sender) IP address [10.1.1.1].
Destination (target) IP address [10.1.1.1].
Source MAC address [A].
Destination MAC address [FF:FF:FF:FF:FF:FF, the broadcast MAC address].
Telnet - TCP.
SSH - TCP.
DNS - TCP/UDP.
DHCP - UDP.
PING - ICMP [IP protocol number 1].
A router identifies ARP by the EtherType (0x0806); the ARP operation field distinguishes a request (1) from a reply (2).
Now the destination MAC address field in the echo request gets filled in as B (resolved via ARP).
Packet 4: Echo Reply:
Source IP address [10.1.1.2].
Destination IP address [10.1.1.1].
Source MAC address [B].
Destination MAC address [A].
Type [0].
Code [0].
(The echo request uses Type 8, Code 0.)
Packets reach: !!!!!
Packets drop: .....
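The gratuitous ARP frame and the ICMP echo request/reply described above, built and parsed byte by byte as an added example (not from the course notes) so the fields are visible: EtherType 0x0806, ARP operation, broadcast destination MAC, sender IP equal to target IP, ICMP type 8/0 with code 0, and the RFC 1071 checksum. The IP addresses are the notes' 10.1.1.1 and 10.1.1.2; the MAC addresses are made up, and the IP header around the ICMP message is not built here.

```python
"""Byte-level view of the packets in the notes: a gratuitous ARP frame
(sender IP == target IP, broadcast MAC, EtherType 0x0806, operation 1)
and an ICMP echo request/reply (type 8/0, code 0, RFC 1071 checksum).
Added example, not from the notes; MAC addresses are made up."""
import struct

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def ethernet(dst_mac, src_mac, ethertype, payload):
    """14-byte Ethernet II header: dst, src, EtherType (what L3 is inside)."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """ARP for IPv4 over Ethernet: htype 1, ptype 0x0800, hlen 6, plen 4, op."""
    return (struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, op)
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))


def gratuitous_arp(mac, ip):
    """'Is anyone else using my IP?' Sender IP == target IP, sent to the
    broadcast MAC. Nothing authenticates these fields: the same frame with
    someone else's IP is ARP spoofing, which is what Dynamic ARP Inspection
    on the switch is there to catch."""
    return ethernet(BROADCAST_MAC, mac, ETH_P_ARP,
                    arp(ARP_REQUEST, mac, ip, "00:00:00:00:00:00", ip))


def parse_frame(frame):
    """Decode the Ethernet header and, for EtherType 0x0806, the ARP body."""
    info = {"dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] == ETH_P_ARP:
        _, _, _, _, op = struct.unpack("!HHBBH", frame[14:22])
        body = frame[22:42]
        info.update(op=op, sender_mac=mac_str(body[0:6]), sender_ip=ip_str(body[6:10]),
                    target_mac=mac_str(body[10:16]), target_ip=ip_str(body[16:20]))
    return info


def inet_checksum(data):
    """RFC 1071: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmp_echo(icmp_type, ident, seq, payload=b""):
    """ICMP echo header: type, code 0, checksum, identifier, sequence."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(pkt):
    """Decode an ICMP echo; checksum_ok is True when the sum over the whole
    packet (checksum included) comes out as zero."""
    t, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": t, "code": code, "ident": ident, "seq": seq,
            "payload": pkt[8:], "checksum_ok": inet_checksum(pkt) == 0}


def echo_reply_for(request):
    """Responder side: type 8 -> 0, same identifier/sequence/payload."""
    r = parse_icmp(request)
    return icmp_echo(ICMP_ECHO_REPLY, r["ident"], r["seq"], r["payload"])


if __name__ == "__main__":
    print(parse_frame(gratuitous_arp("00:11:22:33:44:55", "10.1.1.1")))
    req = icmp_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcd")
    print(parse_icmp(req), parse_icmp(echo_reply_for(req)))
```

The checksum only detects accidental corruption; anyone on the segment can build a valid one, which is why neither ARP nor ICMP can be trusted as evidence of who sent a packet.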
----------------------------------------------------------
5). PING:
Ping is divided into two parts:
1). Echo Request [on hold until ARP resolves the destination MAC].
2). Echo Reply.
----------------------------------------------------------
6). ARP:
ARP is divided into two parts:
1). ARP Request.
2). ARP Reply.
----------------------------------------------------------
7). PING [Packet InterNet Groper]:
Ping is divided into two parts:
1). Echo Request (now sent, with the resolved MAC).
2). Echo Reply.
Solution:
VLANs are required to separate the domains [Eg: Domain1 -> HR, Domain2 -> IT, Domain3 ->
Sales].
VLAN IDs: 10, 20, 30.
Specific range of VLAN IDs: [0-4095] (12-bit field; 0 and 4095 are reserved).
VLAN 1002, 1003, 1004, 1005: reserved for Token Ring and FDDI [Fiber
Distributed Data Interface].
At present, Token Ring and FDDI are not used in corporates.
Usable standard VLAN range: [2-1001]; extended range: [1006-4094].
By default, VLAN 1 (the default VLAN), 1002, 1003, 1004 and 1005 are reserved and pre-created.
----------------------------------------------------------
Step1:Create 3 Vlans for 3 Domains:
ID       Name
Vlan 10  HR[Domain1]
Vlan 20  IT[Domain2]
Vlan 30  Sales[Domain3]
Step2:
Option1:Assign a sequence of interfaces into the same Vlan one by one,by 2 methods:
1).Static method[Switch's interface based method]->CCNA.
2).Dynamic method[End Router's MAC address based method]->CCNP.
CAM table gets updated for the first time during the IP address assignment.
1).Access port:
Only one Vlan's traffic[Either Vlan 10 or Vlan 20] can be allowed at a time on one
interface.
By default,access port is enabled on all the interfaces[set explicitly by using
specific commands].
2).Trunk port:
All Vlans' traffic[Vlan 10 + Vlan 20] can be allowed at a time on one interface.
Manually configure the trunk port.
Solution1:
Trunk port is configured so that all Vlan traffic can be allowed at a time from
one interface to another interface.
Solution2:
Add interface 7 into Vlan 10[Now,Interface 7 becomes the part of the Vlan 10].
Two methods to configure the trunk:
1).Static method[Configure manually].
2).Dynamic method[Dynamic Trunking Protocol].
Fragmentation options:
Option1:Break the packet into MTU-sized fragments at the source and merge them again at the Destination.
DTP Modes:
1).Dynamic-Desirable
2).Dynamic-Auto
3).Trunk
4).Access
Configure Vlans:
Name   Vlan ID
HR     10
SALES  20
IT     30
MGMT   40
VTP capabilities by mode:
                    Server     Client
VLAN creation       possible.  Not possible.
VLAN deletion       possible.  Not possible.
VLAN modification   possible.  Not possible.
Interface Assignment:
According to the interface requirements,the Local Admin assigns the interfaces into the
respective Vlans.
Revision.No:
Revision.No=No.of Vlan information modifications,carried in the Subset advertisement
message.
By default,server and client have Revision.No.1.
Revision.No. should be the same on the server and the client.
1).Server mode:
VLAN Trunking Protocol(VTP) server mode is the default VTP mode for all Catalyst
switches.
At least one server is required in a VTP domain to propagate VLAN information
within the VTP domain.
We can create,add,or delete VLANs of a VTP domain on a switch which is in VTP
server mode and change VLAN information on a VTP server.
The changes made on a switch in server mode are advertised to the entire VTP
domain.
2).Client Mode:
VLAN Trunking Protocol(VTP) client mode switches listen to VTP advertisements from
other switches and modify their VLAN configurations accordingly.
A network switch in VTP client mode requires a server switch to inform it about the
VLAN changes.
We cannot create,add,or delete VLANs in a VTP client.
3).Transparent Mode:
VLAN Trunking Protocol(VTP) transparent switches do not participate in the VTP
domain,but VTP transparent mode switches can receive and forward VTP advertisements
through the configured trunk links.
Command:
vtp mode server/client
vtp domain ccie
vtp version 2
----------------------------------------------------------
CCNA_DAY_14:[3 Switches]
STP[Spanning Tree Protocol]:
By default,STP is enabled on the switch interface.
STP is the most important protocol in switching.
STP is required to avoid the Layer 2 Loop.
Block port helps us to avoid the Layer 2 Loop.
Data cannot be Transmitted/Received on the block port.
Layer 2 Loop:
Vlan-1.
BCD-1.
Data transfer from PC1[switch1] to PC2[switch3].
----------------------------------------------------------
Selection process:
Two types of Bridges[switches]:
1).Root Bridge[RB].
2).Non Root Bridge[NRB].
Eg:
3 bridges in a network.
Only one Root Bridge[RB] is possible in a network.
2[3-1] Non Root Bridges[NRBs] are possible in a network.
Port Roles:
1).Root port.
2).Designated port.
3).Non designated port/Alternate port/Block port.
1).Root port:
Best exit interface towards the Root Bridge is always known as Root port.
Root port is always present in the Non Root Bridges[NRB].
1 NRB = 1 RP.
Pathcost:
Bandwidth                 Cost
10 Gbps                   2
1 Gbps                    4
100 Mbps[Fastethernet]    19
10 Mbps[Ethernet]         100
Important note:
Designated Port and Root Port are always in the forwarding state.
Alternate Port is always in the Block state.
Port states:
1).Disable state[Manually shutdown the interface][Red colour].
2).Blocking state[Interface is in disable state by STP][Amber].
3).Listening state[Root bridge election process][Amber].
4).Learning state[Root bridge election process][Amber].
5).Forwarding state[Final state][Green].
Data transfer happens only in the Forwarding state not in other states.
----------------------------------------------------------
CCNA_DAY_15:[Two switches]
7 Switches:
Use segmentation concept.
Alternate Port:
Data transmission/reception is not possible in the Alternate Port.
BPDU transmission/reception is possible in the Alternate Port.
Port states:
1).Listening state[15 seconds].
2).Learning state[15 seconds].
3).Forwarding state[15 seconds].
Root ID:
Bridge ID of the Root Bridge.
Root ID[Global ID] is same on all the switches/Bridges.
Root ID size= 6 bytes[Switch MAC address] + 2 bytes[Switch priority] =8 bytes[64-bits].
Bridge ID:
Local ID[NRB] of that particular switch.
Bridge ID size= 6 bytes[Switch MAC address] + 2 bytes[Switch priority] =8 bytes[64-bits].
----------------------------------------------------------
Switch#Show spanning tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID: Priority :32,769
Address :0030:F288.D38B
This bridge is the root.
Hello Time :2 seconds.
Max Age :20 seconds[Timer].
Forward Delay :15 seconds[Listening State].
Forward Delay:
Total Forward delay=30 seconds[15*2=30 seconds].
Because,Listening state=15 seconds and Learning state=15 seconds.
Max Age:
Max Age Timer is 20 seconds.
If the Alternate port does not receive any BPDU within 20 seconds[Max Age Timer
expires],
then the Alternate port becomes the Designated port.
STP modes:
1).CST[Common Spanning Tree].
2).PVST[Per Vlan Spanning Tree].
3).PVST+.
Protocols:
1).STP.
2).RSTP.
3).MSTP.
Portfast:
STP is used to avoid the L2 loop between the switches.
STP is only required between the Switches[Because,switch is an L2 device].
STP is not required between the End device and the Switch.
Listening state[15 seconds] and Learning state[15 seconds] is not required between
the End device and the Switch.
Command:
spanning-tree portfast
portfast feature is used to skip the Listening and Learning states on the ports
connected with the End devices.
In industry practice,
Let us consider,Switch has 24 ports.
By default,2 ports are used in between the switches out of 24 ports.
Configure spanning-tree portfast command in the remaining 22 ports,which are
connected with the End devices.
[or]
Portfast:
Enable an interface to move directly to Forwarding on link up.
---------------------------------------------------------
Core switch:
The switch,which is connected with the Internet.
BPDU Guard:
Configure the BPDU Guard feature on the remaining 22 ports,which are connected with the
End devices.
A BPDU with a better Bridge ID as compared to the existing Bridge ID is known as a
Superior BPDU.
BPDU Guard feature protects the internal network from superior BPDUs.
When a BPDU is received on a BPDU Guard port,the port goes into the Error-disabled state.
Command:
spanning-tree bpduguard enable
[or]
Don't accept BPDUs on this interface.
----------------------------------------------------------
BPDU Filter:
BPDUs every 2 seconds are only required between the Switches[Because,switch is
an L2 device].
BPDUs every 2 seconds are not required between the End device and the Switch.
Configure BPDU Filter on the Root Bridge to stop sending BPDUs every 2 seconds
towards the End devices.
[or]
Don't send BPDUs on this interface.
----------------------------------------------------------
CCNA_DAY_16:
Routing Protocols:
Routing is always used on the WAN side.
In Routers:
N no.of.Interfaces = N no.of.Networks.
Routing methods:
1).Static method.
2).Dynamic method.
3).Default method.
Overall:
1).Distance vector protocol[RIP].
2).Link state protocol[OSPF].
3).Hybrid protocol[EIGRP].
4).IGRP[Interior Gateway Routing Protocol].
5).IS-IS[Intermediate System to Intermediate System Protocol].
6).BGP[I-BGP,E-BGP].
Important note:
ARP is always possible within the same network.
ARP is not possible between the two different networks.
Reason:
R1 has generated the ARP request[ARP request is always Broadcast].
R2 won't forward the Broadcast.
R2 allows Unicasting [or] Multicasting.
But,the R1 ARP cache has entries like[10.1.1.1,10.1.1.2,11.1.1.3].
10.1.1.1[MAC address:A],10.1.1.2[MAC address:B]->Same network.
11.1.1.3[MAC address:B]->Another network.
10.1.1.2[MAC address:B] and 11.1.1.3[MAC address:B] have the same MAC address
[R2 answered the ARP on behalf of 11.1.1.3].
This concept is known as Proxy ARP.
Two disadvantages:
1).Recursive Route Lookup[Next hop only:No Proxy ARP].
2).Proxy ARP[Exit interface only:No Recursive Route Lookup].
----------------------------------------------------------
Static Routing with Exit Interface+Next hop:
Syntax:
ip route [Destination Network ID] [Subnetmask] [Exit interface]+[Next hop]
Static Routing with Exit Interface+Next hop is the best option as compared to
Next hop only or Exit interface only.
Because there is no Proxy ARP and no Recursive Route Lookup.
----------------------------------------------------------
2).Default Routing:
Syntax:
ip route 0.0.0.0 0.0.0.0 [Next hop]
[Destination Network ID=0.0.0.0] [Subnetmask=0.0.0.0] means any network.
OSPF automatically calculates and finds the best path to reach the destination.
In 90% of the cases,OSPF is used in the corporates.
Case:
If all the Prefix Lengths are the same,then Tie breaker.
Solution is to use the Routing Protocol with the Lowest AD value.
Reserved AD values[Fixed]:
1).Connected-0[Lowest AD value].
2).Static-1
3).EIGRP-90
4).OSPF-110
5).RIP-120
Case:
If all the Reserved AD values are the same,then Tie breaker.
Solution is to use the Lowest Metric value.
Hop Count means,in RIP,the No.of routers in between the source and the
destination.
4).Load Balancing:
1).Equal cost Load Balancing.
2).Un-equal cost Load Balancing.
The above steps are used by any Dynamic Routing Protocol to find out the
best path,
if the source has more than 1 path from the same source to the destination.
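The best-path decision described above (longest prefix first, then lowest AD, then lowest metric, with equal-cost survivors kept for load balancing) as an added example that is not from the course notes. The routing table and the next-hop addresses are constructed; the AD values are the reserved ones listed above.

```python
import ipaddress

# Added example: route selection for one destination. ROUTING_TABLE and the
# next-hop addresses are constructed sample data.
AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


def best_routes(table, destination):
    """table: [(prefix, source, metric, next_hop)]. Returns the winning next hop(s);
    more than one entry means equal-cost load balancing, an empty list means no route."""
    dest = ipaddress.IPv4Address(destination)
    candidates = [r for r in table if dest in ipaddress.IPv4Network(r[0])]
    if not candidates:
        return []
    # 1) longest prefix length (most specific route)
    longest = max(ipaddress.IPv4Network(r[0]).prefixlen for r in candidates)
    candidates = [r for r in candidates if ipaddress.IPv4Network(r[0]).prefixlen == longest]
    # 2) lowest administrative distance (most trusted source)
    lowest_ad = min(AD[r[1]] for r in candidates)
    candidates = [r for r in candidates if AD[r[1]] == lowest_ad]
    # 3) lowest metric; whatever still ties is equal-cost load balancing
    lowest_metric = min(r[2] for r in candidates)
    return [r[3] for r in candidates if r[2] == lowest_metric]


ROUTING_TABLE = [
    ("10.1.0.0/16", "ospf", 20, "192.0.2.1"),
    ("10.1.1.0/24", "rip", 3, "192.0.2.2"),      # lower metric, but RIP's AD of 120 loses
    ("10.1.1.0/24", "ospf", 30, "192.0.2.3"),
    ("10.1.1.0/24", "ospf", 30, "192.0.2.4"),    # equal cost with the entry above
    ("0.0.0.0/0", "static", 0, "192.0.2.254"),   # default route, matches everything
]
```

Note that the RIP route is never compared on metric with the OSPF routes: metrics from different protocols are not comparable, which is exactly why the AD step comes before the metric step.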
----------------------------------------------------------
Area:
OSPF always works on Area based concept.
Area ID.
Area ID size is 16-bits and 32-bits.
First form the neighbourship between all the Intra Area Routers.
Configure OSPF between all the Intra Area Routers to exchange the network
information.
By default,Intra area communication is possible.
By default,Inter area communication is not possible.
Backbone Area[Specific Area] is reserved for the inter area communication.
Area 0[Backbone Area ID].
There is no direct communication between the Inter Area Routers[R1,R2,R3,R4,R5].
Backbone Area is a Gateway to the different Areas.
Every area should be connected with the Backbone Area.
Neighbourship:
Existing router establishes a neighbourship with the new router to exchange the
network information.
If there is no neighbourship,then there is no communication.
Neighbours are always directly connected.
Router has the Neighbourship table.
Aunti's model:
Aunti's model exists in all the Dynamic Routing Protocols.
Aunti's model means sharing new information only with the immediate
neighbours.
Router ID selection:
1).Manually configure the Router ID on the router by using the command
[router-id 0.0.0.1].
2).Automatically,Router selects the Router ID with the following two things.
a).Physical interface highest IP address[70.1.1.1].
b).Virtual interface highest IP address[1.1.1.1/24].
Command to create virtual interface:
int loopback 0
ip address 1.1.1.1 255.255.255.0
exit
Configure OSPF to form the neighbourship between the two routers by using the Hello
packet.
Hello packet contains:
a).Area ID[Must Match].
b).Network Type[Match].
c).Hello Timer[Match].
d).Dead Timer[Match].
e).Priority[0-255].
f).Authentication[Match].
g).Area Type[Match].
h).Stub Flag[Match].
i).SIP[Source IP].
j).DIP[Destination IP].
k).SMAC[Source MAC].
l).DMAC[Destination MAC].
Eg:
Command:
network 10.1.1.0 0.0.0.255 area 10
R2 uses the network command to share the new information with R1.
Subnet mask:255.255.255.0
'0'->Octet is Empty.
'255'->Octet is Full.
Important Note:
Always use the Wildcard mask for ACL,BGP,EIGRP,OSPF.
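The network command and the Hello packet as an added example that is not from the course notes: the wildcard mask is the inverse of the subnet mask and decides which interfaces OSPF is enabled on, and the Hello fields marked [Match] above must agree before two routers become neighbours (Priority is allowed to differ). Interface names, addresses and timer values are constructed.

```python
import ipaddress

# Added example: wildcard masks for the OSPF "network" statement, and the Hello
# fields that must match for an adjacency. Sample values are constructed.
MUST_MATCH = ("area_id", "network_type", "hello_timer", "dead_timer",
              "authentication", "area_type", "stub_flag")   # priority may differ


def wildcard_from_mask(subnet_mask):
    """Wildcard = bitwise inverse of the subnet mask: 255.255.255.0 -> 0.0.0.255."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def network_matches(interface_ip, network, wildcard):
    """True when the interface falls inside 'network <network> <wildcard>':
    a 0 bit in the wildcard must match, a 1 bit is ignored."""
    ip, net, wc = (int(ipaddress.IPv4Address(x)) for x in (interface_ip, network, wildcard))
    return (ip | wc) == (net | wc)


def ospf_interfaces(interfaces, network, wildcard):
    """interfaces: {name: ip}. Names of the interfaces OSPF would be enabled on."""
    return sorted(name for name, ip in interfaces.items()
                  if network_matches(ip, network, wildcard))


def hello_mismatches(local_hello, remote_hello):
    """Hello fields that differ, each of which blocks the neighbourship."""
    return [f for f in MUST_MATCH if local_hello[f] != remote_hello[f]]


def can_form_adjacency(local_hello, remote_hello):
    return not hello_mismatches(local_hello, remote_hello)


# Constructed router with three interfaces and a Hello packet for area 10.
R1_INTERFACES = {"Gi0/0": "10.1.1.1", "Gi0/1": "10.1.2.1", "Loopback0": "1.1.1.1"}
R1_HELLO = dict(area_id=10, network_type="broadcast", hello_timer=10, dead_timer=40,
                authentication="md5", area_type="normal", stub_flag=False, priority=1)
```

`network 10.1.1.0 0.0.0.255 area 10` enables OSPF only on Gi0/0 here, while `network 10.1.0.0 0.0.255.255 area 10` would catch both Gi interfaces; a neighbour whose dead timer is 30 instead of 40 never gets past the Hello exchange, which is a common cause of a missing neighbour in the neighbourship table.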
So,
FHRP is for the device[Router] and the inside LAN interface.
Track is for the outside WAN interface.
Track is not a part of the CCNA.
Scenarios:
Scenario-1:Router Inside LAN interface gets down.
Scenario-2:Router itself gets down.
Scenario-3:Router Outside WAN interface gets down.
Edge device:
The device which is connected with the ISP.
From where we are getting the internet.
FHRP:
Backup/Redundancy concept is known as High Availability[HA].
FHRP is divided into 3 parts:
1).HSRP[Hot Standby Router Protocol].
2).VRRP[Virtual Router Redundancy Protocol].
3).GLBP[Gateway Load Balancing Protocol].
R1---------------->Active state.
R2[Backup Router]->Standby state.
If R1 gets down:
R1---------------->Down state.
R2[Backup Router]->Active state.
Load Balancing:
Keep R1 and R2 in the Active state.
Load balancing is used to equally divide the traffic between R1 and R2 at the same
time.
Extended Access List is more flexible than the Standard Access List.
Port.no assignment:
1).Source Port Number:
Source Port Number is always the Random Port Number.
Source Port Numbers Range:1024 - 65,535.
2).Known Port Number:
Known Port Numbers Range is 0 - 1023.
1st priority->Number.
2nd priority->Name.
3 Scenarios:
2 Users from the Network 'A' access the server in the Network 'B'.
1).Scenario.1.
2).Scenario.2.
3).Scenario.3.
Scenario.1->[Block the Host[IP address] from the network 'A' on the Network 'B'].
TCP->Specific Protocol.
IP->All the Protocols[TCP is one of the Protocol in the IP].
Scenario.2:[Configure ACL on the Edge Router to block the Internet access for
User-1 in the Network 'A'].
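The two scenarios evaluated as an added example that is not from the course notes: an extended ACL is checked top-down, the first matching entry decides, and anything that matches nothing hits the implicit deny at the end. Network A is 10.1.1.0/24, Network B is 20.1.1.0/24, User-1 is 10.1.1.10 and the server is 20.1.1.5; all of these addresses are constructed.

```python
import ipaddress

# Added example: first-match evaluation of an extended access list with the
# implicit "deny any any". Addresses in the scenarios are constructed.

def _addr_match(ip, spec):
    """spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' (1 bits in the wildcard are ignored)."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ip == parts[1]
    net, wildcard = parts
    i, n, w = (int(ipaddress.IPv4Address(x)) for x in (ip, net, wildcard))
    return (i | w) == (n | w)


def acl_decision(acl, pkt):
    """acl: ordered entries {action, proto, src, dst, dport?}; pkt: {proto, src, dst, dport?}.
    Returns (action, number of the matching entry) or ('deny', None) for the implicit deny."""
    for number, entry in enumerate(acl, start=1):
        if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
            continue                                # 'ip' covers every protocol
        if not _addr_match(pkt["src"], entry["src"]):
            continue
        if not _addr_match(pkt["dst"], entry["dst"]):
            continue
        if entry.get("dport") is not None and entry["dport"] != pkt.get("dport"):
            continue
        return entry["action"], number
    return "deny", None


# Scenario 1 (on the Network B router): block one host from Network A, allow the rest.
SCENARIO_1 = [
    {"action": "deny", "proto": "ip", "src": "host 10.1.1.10", "dst": "20.1.1.0 0.0.0.255"},
    {"action": "permit", "proto": "ip", "src": "any", "dst": "any"},
]
# Scenario 2 (on the Edge Router): User-1 loses Internet, other Network A users keep it.
SCENARIO_2 = [
    {"action": "deny", "proto": "ip", "src": "host 10.1.1.10", "dst": "any"},
    {"action": "permit", "proto": "ip", "src": "10.1.1.0 0.0.0.255", "dst": "any"},
]
# Narrower variant: only Telnet (TCP 23) from that host to the server is blocked.
TELNET_ONLY = [
    {"action": "deny", "proto": "tcp", "src": "host 10.1.1.10", "dst": "host 20.1.1.5", "dport": 23},
    {"action": "permit", "proto": "ip", "src": "any", "dst": "any"},
]
```

The `SCENARIO_2` list has no `permit any any`, so traffic from any network other than A is dropped by the implicit deny; forgetting the final permit is the usual way an ACL ends up blocking far more than intended.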
----------------------------------------------------------
CCNA_DAY_22:
Two types of ip addresses:
1).Private ip address[Free service].
2).Public ip address[Paid service].
Private ip address is not routable on the ISP[means users cannot access internet].
Public ip address is routable on the ISP[means users can access internet].
Users cannot access the internet by using the private ip address on the End
devices.
NAT converts the Private ip address into Public ip address and vice versa.
Always configure the NAT on the Edge device[Routers,Firewalls].
NAT is also known as Translation.
1 Public ip address can handle 65,000 Private ip addresses.
Eg:
65,000 End devices are mapped with the 1 Public ip address.
NAT PAT
Overall:
1).Static NAT.
2).Dynamic NAT.
3).Static PAT.
4).Dynamic PAT.
PAT is better than NAT.
Dynamic NAT is better than Static NAT.
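How one Public ip address carries tens of thousands of inside hosts, as an added example that is not from the course notes: PAT keys each translation on the inside address and port, hands out a distinct public port per inside socket, and uses the same table in reverse for replies. The public address 203.0.113.1 and the private hosts are constructed values.

```python
# Added example: a minimal PAT (NAT overload) translation table.
# 203.0.113.1 and the private addresses used by callers are constructed values.
class PatTable:
    def __init__(self, public_ip, port_range=(1024, 65535)):
        self.public_ip = public_ip
        low, high = port_range
        self._free = list(range(high, low - 1, -1))   # pop() hands out the lowest port first
        self._inside = {}    # (private_ip, private_port) -> public_port
        self._outside = {}   # public_port -> (private_ip, private_port)

    @property
    def capacity(self):
        """How many inside sockets this one public IP can carry with this port range."""
        return len(self._inside) + len(self._free)

    def outbound(self, private_ip, private_port):
        """Translate an inside source; an existing entry is reused for the same socket."""
        key = (private_ip, private_port)
        if key not in self._inside:
            if not self._free:
                raise RuntimeError("PAT port pool exhausted")
            public_port = self._free.pop()
            self._inside[key] = public_port
            self._outside[public_port] = key
        return self.public_ip, self._inside[key]

    def inbound(self, public_port):
        """Reverse lookup for a reply; None means unsolicited traffic, which NAT drops."""
        return self._outside.get(public_port)

    def release(self, private_ip, private_port):
        """Remove a translation (timeout or connection close) and free its public port."""
        public_port = self._inside.pop((private_ip, private_port))
        del self._outside[public_port]
        self._free.append(public_port)
```

Two inside hosts that both use source port 40000 get different public ports, so the replies can be told apart. The reverse lookup is also why an outside host cannot reach an inside host on its own: without a matching entry the packet is simply dropped at the Edge device.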
DHCP:
UDP-17[Protocol.no].
Server-67[Port.no].
Client-68[Port.no].
DNS is a public server[DNS Google Server [or] Actual Google Server][8.8.8.8 and
4.2.2.2].
1).Confidentiality:
@$#^%$&^%&->Cipher Text[or]Encrypted Data[Non-Readable Format].
Cisco------>Clear text/Clean text/Plain text[Readable Format].
Cipher suites/protocols are used to convert the clear text into cipher text:
1).Encryption Algorithms are used for the Confidentiality like:
a).DES[Data Encryption Standard].
b).3DES[Triple DES].
c).AES[Advanced Encryption Standard].
Use Encryption Algorithms on the top of the Clear Text[Username and Password].
----------------------------------------------------------
2).Integrity:
Data should be modified only by the Authorised persons,not by any Unauthorised
persons[Attackers].
Integrity can be achieved by using the following Algorithms:
a).MD5[Message Digest Algorithm 5].
b).SHA[Secure Hash Algorithms].
Sometimes,md5 is used for the Authentication as well.
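Integrity and the authentication use of md5, as an added example that is not from the course notes: a plain digest detects modification but anyone can recompute it over altered data, while a keyed digest (HMAC, which is how the md5 authentication in routing protocols works) can only be produced by someone holding the shared key. The message and key are constructed.

```python
import hashlib
import hmac

# Added example: unkeyed digest for integrity versus keyed digest (HMAC) for
# authentication. The message and key used by callers are constructed.

def digest(data, algo="sha256"):
    return hashlib.new(algo, data).hexdigest()


def integrity_ok(data, expected_digest, algo="sha256"):
    """Detects any change to the data, but says nothing about who produced it."""
    return hmac.compare_digest(digest(data, algo), expected_digest)


def keyed_digest(key, data, algo="md5"):
    """HMAC over the data with a shared secret. MD5 is shown because the notes mention
    it; SHA-2 is the stronger choice where the protocol allows it."""
    return hmac.new(key, data, algo).hexdigest()


def authentic(key, data, tag, algo="md5"):
    """Only a party holding the same key can produce a tag that verifies."""
    return hmac.compare_digest(keyed_digest(key, data, algo), tag)


def tamper(data):
    """Flip one bit of the message, the way an attacker on the path might."""
    return data[:5] + bytes([data[5] ^ 0x01]) + data[6:]
```

The third assertion in the test is the important one: a tampered message with a freshly computed plain digest still passes the integrity check, so integrity on its own does not stop an attacker who can rewrite both the data and its hash; that is why the password (key) is mixed in.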
Hacking:
Malicious scripts get installed on the Target device.
----------------------------------------------------------
3).Availability:
Always latest technologies should be used in the network.
NGFW provides L7 to L7 security.
Before NGFW,Device to Device Exists.
1).Site-to-Site VPN:
ISP[ISP acts as a road between the two sites] is required to provide the
connectivity.
Configure the VPN between the two Fixed sites [or] Static Public ip addresses.
IP security Protocols are used to protect the Site-to-Site VPN.
Tunnel is a Normal VPN,But still the Tunnel is not secured.
IPSec protocols are used to secure the Tunnel.
Site-to-Site VPN is also known as IPSec VPN.
IP sec protocol is the collection of different types of Algorithms[or Sub-Protocols].
IP sec algorithms are:
a).MD5[Message Digest Algorithm 5].
b).DES[Data Encryption Standard].
c).DH[Diffie-Hellman].
d).PKI/PSK[Public Key Infrastructure/Pre-Shared Key] for Authentication.
IP security algorithms are used to secure the VPN Tunnel.
----------------------------------------------------------
Firewall is a Security Guard.
Firewall checks for the authorisation.
NGIPS is used for the Scanning.
----------------------------------------------------------
2).Remote VPN:[Browser based VPN]
Remote VPN is a Normal VPN,But still the Remote VPN is not secured.
SSL protocol is used to secure the Remote VPN.
SSL protocol is the collection of different types of Algorithms[or Sub-Protocols].
SSL algorithms are:
a).SHA[Secure Hash Algorithms].
b).AES[Advanced Encryption Standard].
c).DH[Diffie-Hellman].
HTTPS[S->SSL].
https://cisco.com->This is Remote VPN[Browser based VPN].
For HTTP->No VPN concept.
HTTP is just a Tunnel without any security.
CIA in VPN:
C-Confidentiality[about Encryption Algorithms].
I-Integrity.
A-Authentication
So,
Firewalls for the Inside network.
VPN for the Outside network.
----------------Basics of Security Completed------------------------
DHCP Attacks:
1).Spoofing attack.
2).Snooping attack.
Attack-1:DHCP Spoofing:
Spoofing->Attack.
Snooping->Mitigation for Spoofing.
By default,DHCP Snooping is disabled.
Commands to enable DHCP Snooping for the specific Vlan and the specific Interface:
sw(config)#ip dhcp snooping
sw(config)#ip dhcp snooping vlan 1
sw(config)#int f0/1
sw(config-if)#ip dhcp snooping trust[Only the port towards the real DHCP server]
sw(config-if)#exit
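The decisions DHCP Snooping makes once the commands above are in place, as an added example that is not from the course notes: server messages (OFFER/ACK/NAK) arriving on an untrusted port are dropped, which is what stops a spoofed DHCP server, client messages whose chaddr does not match the frame's source MAC are dropped, and bindings are learned from ACKs on the trusted port. Port names and MAC addresses are constructed.

```python
# Added example: per-port forwarding decisions of DHCP snooping.
# Port names and MAC/IP values used by callers are constructed.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # e.g. the uplink towards the real DHCP server
        self.bindings = {}                  # client MAC -> assigned IP, learned from ACKs

    def check(self, port, frame_src_mac, msg):
        """msg: {type, chaddr, yiaddr}. Returns 'forward' or 'drop:<reason>'."""
        kind = msg["type"]
        if port not in self.trusted:
            if kind in SERVER_MESSAGES:
                # a host on an access port is handing out leases: rogue DHCP server
                return "drop:server message on untrusted port"
            if kind in CLIENT_MESSAGES and msg["chaddr"] != frame_src_mac:
                # client claims a hardware address other than the one it sends from
                return "drop:chaddr differs from source MAC"
        if kind == "ACK":
            self.bindings[msg["chaddr"]] = msg["yiaddr"]   # binding table entry
        return "forward"
```

The binding table built here is what Dynamic ARP Inspection (listed under the mitigation procedures below) later consults, which is why DHCP snooping has to be enabled first.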
----------------------------------------------------------
Attack-2:MAC address flooding:[Man-in-the-Middle Attack]
Attacker floods the switch by using software to generate different dummy
mac addresses on the same switch interface.
Switch removes the previous CAM entries[table is full].
Unknown unicast flooding happens,so the attacker receives other hosts' traffic.
Mitigation[Port security on the access port]:
sw(config)#int f0/1
sw(config-if)#spanning-tree portfast
sw(config-if)#switchport mode access
sw(config-if)#switchport port-security[Command to enable port security]
sw(config-if)#switchport port-security violation shutdown
sw(config-if)#switchport port-security maximum 2
sw(config-if)#switchport port-security mac-address sticky[Dynamic]
sw(config-if)#exit
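What the port security settings above do to a MAC flood, as an added example that is not from the course notes: the port learns at most 2 sticky MAC addresses, and the third source MAC is a violation that err-disables the port in shutdown mode. The flood is constructed attacker traffic with random source MACs, and the `restrict` comparison shows the trade-off between cutting the attacker off and keeping the legitimate hosts on the port.

```python
import random

# Added example: port security with "maximum 2", sticky learning and a violation
# mode, fed with a constructed MAC flood. MAC addresses are constructed.
class PortSecurity:
    def __init__(self, maximum=2, violation="shutdown"):
        self.maximum = maximum
        self.violation = violation          # shutdown | restrict | protect
        self.secure_macs = []               # sticky: learned dynamically, then kept
        self.err_disabled = False
        self.violations = 0

    def ingress(self, src_mac):
        """Decide what happens to a frame with this source MAC: 'forward' or 'drop:<reason>'."""
        if self.err_disabled:
            return "drop:err-disabled"
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # sticky-learned secure address
            return "forward"
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True           # port stays down until recovered
            return "drop:err-disabled"
        return "drop:violation"                # restrict/protect: frame discarded, port stays up


def mac_flood(port, count, seed=1):
    """Constructed attacker traffic: 'count' frames with random source MACs.
    Returns how many of them the switch forwarded (and therefore learned)."""
    rng = random.Random(seed)
    forwarded = 0
    for _ in range(count):
        mac = ":".join(f"{rng.randrange(256):02x}" for _ in range(6))
        if port.ingress(mac) == "forward":
            forwarded += 1
    return forwarded
```

In shutdown mode the legitimate host on the port is cut off together with the attacker until the port is recovered (manually or by errdisable recovery), which is why the violation mode is a deliberate choice rather than a default to accept blindly.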
2).Mitigation procedures:
a).Implement DHCP snooping.
b).Implement Dynamic ARP inspection.
c).Implement Port security.
d).Describe BPDU guard,root guard.
e).Verify mitigation procedures.
3).VLAN security:
a).Describe the security implications of a PVLAN.
b).Describe the security implications of a native VLAN.
----------------------------------------------------------
Zero Trust Area:
Protect the devices inside the premises.
----------------------------------------------------------
Wireless:
Signal Flow:
ISP->Edge Router[and Backup Edge Router]->Switch->Access Points.
Cisco Access Points are used in the Corporates not normal ACT Fibre Modems.
Cisco Access Points generates the wireless signals for the Employees.
Cisco Access Points are more secure and very Expensive.
WLC[Wireless LAN Controller] is used to configure all the Cisco Access points.
WLC[Wireless LAN Controller] controls all the Access Points.
Access Points configurations are always via the WLC by using the Laptop.
Reachability must exist between the WLC and the Cisco Access Points.
After the ip address configuration on each Cisco Access Point,
the Cisco Access Points automatically get registered with the WLC.
In networking,90% Web browser with https[GUI] is used for the device access.
WLC Login page opens.
Enter Username and Password.
By default,Username and password on the WLC:
Username:admin.
Password:admin.
Now,Different SSIDs can be generated from the WLC.
SSID-Service Set Identifier.
Legacy network:[Configure the routers individually by using the Laptop via console
cable/Remote access[telnet/ssh]].
Same configurations should be there on all the routers.
Northbound interface exists between the Application layer and the Controller layer.
Southbound interface exists between the Controller layer and the Infrastructure
layer.
Northbound interface:
is meant for communication with the upper Application layer and is in general
realized through the REST APIs of SDN controllers.
Southbound interface:
is meant for communication with the lower Infrastructure layer of network elements
and is in general realized through Southbound
protocols:OpenFlow,NETCONF,OVSDB,etc.
VIPTELA Devices:
1).V-Manage.
2).V-Smart.
3).V-Bond.
4).V-Edge.
SD WAN is used to configure the thousands of Edge devices at the same time.
Convert all the Edge routers into V-Edge.
Deploy the V-edge software on the Edge routers to convert them into V-edge Routers.
Latest Cisco routers has in-built V-edge features.
[or]
Purchase V-edge Routers directly from the Cisco.
Network Admin needs 3 VIPTELA devices in the Main Branch:
1).V-Manage.
2).V-Smart.
3).V-Bond[V-Bond is a type of the Authenticator].
All the 3 VIPTELA devices are interconnected within the Main Branch.
Now,the Main branch is connected with the ISP via the switch.
Network Admin uses V-Manage to configure all the Edge routers.
Configurations cannot be deployed directly on the Edge routers.
First,V-Manage pushes the configurations towards the V-Smart.
Now,V-Smart deploys the configurations on all the Edge routers.
---------------------------------------------------------
SD Access:
SD Access is used to manage the entire LAN from a centralized position.
SD Access is about LAN.
SD WAN is about WAN.
----------------------------------------------------------
Palo Alto is a Firewall.
Palo Alto has In-built SD WAN feature.
----------------------------------------------------------
Edge routers are replaced with the Network Automation Tools.
According to the CCNA Syllabus:
1).Ansible[Red Hat Product].
2).Puppet.
3).Chef.
Program:
A set of instructions to perform the Task.
Software:
Software is a set of Inbuilt Libraries.
Packages[Inbuilt Libraries] are present in the Ansible tool.
Manually write program[Play Book].
Configure the task[Play] within the playbook program.
GitHub:
GitHub is an open source platform.
GitHub is providing all the Scripts.
Anyone can share their scripts in the GitHub.
Anyone can Copy,Modify and Paste the scripts from the GitHub.
Ansible Tool.
Inbuilt Modules.
Ansible is an open source[Open source supports all the vendors].
----------------------------------------------------------
Ansible Documentation link has Cisco related Modules:
https://docs.ansible.com/ansible/2.8/modules/list_of_all_modules.html
Ansible Infrastructure:
1).Host Inventory.
2).Play Book.
3).Ansible Configuration.
4).Core Modules.
5).Custom Modules.