
INDUSTRIAL TRAINING

CISCO CCNA V7

A Project report submitted in partial fulfillment of the requirements for

the award of

DIPLOMA

IN

COMPUTER ENGINEERING

Submitted by

A.PHANINDRA (18635-cm-001)

DEPARTMENT OF COMPUTER ENGINEERING


GOVERNMENT POLYTECHNIC, CHODAVARAM

Under the guidance of


Senior Lecturer in CM.E

DEPARTMENT OF COMPUTER ENGINEERING


GOVERNMENT POLYTECHNIC, ANAKAPALLI
(Affiliated to Department of Technical Education, Vijayawada)
(2020-2021)
DEPARTMENT OF COMPUTER SCIENCE ENGINEERING
GOVERNMENT POLYTECHNIC
CHODAVARAM, VISAKHAPATNAM - 531036

BONAFIDE CERTIFICATE

This is to certify that the report on “CCNA v7 CISCO Industrial Training for 6th Semester
D.CM.E” submitted by “A. Phanindra (18635-cm-001)” in partial fulfillment of the
requirements for the award of the Diploma in Computer Engineering of Government
Polytechnic, Chodavaram is a record of bonafide work carried out under my guidance and
supervision.

Head of CM.E Department Instructor/CM.E

External Examiner
ACKNOWLEDGEMENT

The satisfaction that accompanies the successful completion of any task would be
incomplete without the mention of people whose ceaseless cooperation made it possible,
whose constant guidance and encouragement crowns all efforts with success.

I would like to express our deep gratitude to our Industrial Training Guide Mr. I.
Kameshwara Rao Sir, Senior Lecturer, Department of Computer Engineering,
Government Polytechnic, Anakapalli and Mr. K. Amarnath, Lecturer, Department of
Electronics and Communication Engineering, Government Polytechnic, Anakapalli, for
their guidance with unsurpassed knowledge and constructive suggestions.

I am grateful to Sri. S. Esther Rani, Head of the Department, Computer Engineering, for providing us with the required facilities for the completion of the Industrial Training.

I am very much thankful to the Principal Sri. A. Nagaraju Garu, Government Polytechnic, Chodavaram, for their encouragement and cooperation for the completion of our Industrial Training.

I express my thanks to all teaching staff of the Department of Computer Engineering, Government Polytechnic, Chodavaram, whose suggestions during reviews helped us in the accomplishment of our Industrial Training. I would like to thank all non-teaching staff of the Government Polytechnic, Chodavaram, for providing great assistance in the accomplishment of our Industrial Training.

I would like to thank my parents, friends and classmates for their encouragement throughout my Industrial Training period. Last but not least, I thank everyone for supporting me directly or indirectly in completing this Industrial Training successfully.

A. Phanindra (18635-CM-001)
ABSTRACT

This Industrial Training is aimed at developing practical knowledge in networking through the Cisco, Inc. CCNA course, which comprises three modules.

Modules in this Industrial Training:

1. Introduction to Networks.

2. Switching, Routing and Wireless Essentials.

3. Enterprise Networking, Security and Automation.

Brief Description on the Modules:

The “Introduction to Networks” module helps in understanding basics of Networking. The “Switching,
Routing and Wireless Essentials” module focuses on switching technologies and router operations
including Security concepts. The “Enterprise Networking, Security and Automation” module includes
WAN Technologies and QoS Mechanisms used for secure remote access, Introduction of Software-
defined Networking, Virtualization and Automation Concepts that support the Digitalization of
Networks.

TABLE OF CONTENTS

S.NO   TITLE                                                         PAGE NO.
1      Abstract                                                      i
2      Module-I: Introduction to Networks                            1-36
3      Module-II: Switching, Routing and Wireless Essentials         36-59
4      Module-III: Enterprise Networking, Security and Automation    59-93
5      Conclusion                                                    94
MODULE-1: INTRODUCTION TO NETWORKS

CHAPTER-1 Networking Today

Networks Affect our Lives:

• In today's world, through the use of networks, we are connected like never before. People with ideas can communicate instantly with others to make those ideas a reality.
• The creation of online communities for the exchange of ideas and information has the potential to increase productivity opportunities across the globe.
• The creation of the cloud lets us store documents and pictures and access them anywhere, anytime.

Network Components:

• All computers that are connected to a network and participate directly in network communication are classified as hosts. Hosts can be called end devices. Some hosts are also called clients.

Figure 1

• Many computers function as both servers and clients on the network. This type of network is called a peer-to-peer network.
• An end device is either the source or destination of a message transmitted over the network.
• Intermediary devices connect the individual end devices to the network and can connect multiple individual networks to form an internetwork.
• Intermediary devices use the destination end device address, in conjunction with information about the network interconnections, to determine the path that messages should take through the network.
• Communication transmits across a network on media. The media provide the channel over which the message travels from source to destination.
• Modern networks primarily use three types of media to interconnect devices: metal wires within cables, fiber-optic cables, and wireless transmission.

Network Representations and Topologies:

• Logical topology diagrams illustrate devices, ports, and the addressing scheme of the network.
• Diagrams of networks often use symbols to represent the different devices and connections that make up a network.
• Physical topology diagrams illustrate the physical location of intermediary devices and cable installation.
• A diagram provides an easy way to understand how devices connect in a large network. This type of "picture" of a network is known as a topology diagram.

Figure 2

Common Types of Networks:

• Networks come in all sizes. They range from simple networks consisting of two computers to networks connecting millions of devices.
• Small office/home office (SOHO) networks connect a few computers to each other and to the internet.
• Medium to large networks can have many locations with hundreds or thousands of interconnected hosts.
• The internet is a network of networks that connects hundreds of millions of computers worldwide.
• The two most common types of network infrastructures are Local Area Networks (LANs) and Wide Area Networks (WANs).

Figure 3

• A LAN is a network infrastructure that spans a small geographical area.
• A WAN is a network infrastructure that spans a wide geographical area.
• Intranet refers to a private connection of LANs and WANs that belongs to an organization.

Figure 4

Internet Connections:

• Business internet connections include Dedicated Leased Line, Metro Ethernet, Business DSL, and Satellite.
• Converged networks deliver data, voice, and video between many different types of devices over the same network infrastructure. This network infrastructure uses the same set of rules, agreements, and implementation standards.
• SOHO internet connections include cable, DSL, cellular, satellite, and dial-up telephone.
• The choice of connection varies depending on geographical location and service provider availability. Traditional separate networks used different technologies, rules, and standards.

Reliable Networks:

• Network architecture refers to the technologies that support the infrastructure and the programmed services and rules, or protocols, that move data across the network. There are four basic characteristics that network architects must address to meet user expectations: fault tolerance, scalability, Quality of Service (QoS), and security.
• A scalable network expands quickly to support new users and applications.
• Networks are scalable because the designers follow accepted standards and protocols.
• QoS is a primary mechanism for managing congestion and ensuring reliable delivery of content to all users.
• Network administrators must address two types of network security concerns: network infrastructure security and information security. To achieve the goals of network security, there are three primary requirements: confidentiality, integrity, and availability.

Network Trends:

• There are several recent networking trends that affect organizations and consumers: Bring Your Own Device (BYOD), online collaboration, video communications, and cloud computing.
• BYOD means any device, with any ownership, used anywhere.
• Collaboration tools, like Cisco WebEx, give employees, students, teachers, customers, and partners a way to instantly connect, interact, and achieve their objectives.
• Video is used for communications, collaboration, and entertainment.
• Applications such as word processing and photo editing can be accessed using the cloud.
• There are four primary types of clouds: public clouds, private clouds, hybrid clouds, and custom clouds.
• Smart home technology is currently being developed for all rooms within a house.

Network Security:

• There are several common external threats to networks:
  - Viruses, worms, and Trojan horses
  - Spyware and adware
  - Zero-day attacks
  - Threat actor attacks
  - Denial of service attacks
  - Data interception and theft
  - Identity theft
• Antivirus, antispyware, and firewall filtering are the basic security components for a home or small office network.
• Larger networks and corporate networks use antivirus, antispyware, and firewall filtering, but they also have other security requirements: dedicated firewall systems, access control lists (ACLs), intrusion prevention systems (IPS), and VPNs.
CHAPTER-2 Basic Switch and End Device Configuration

Cisco IOS Access:

• All end devices and network devices require an operating system (OS).
• The user can interact with the shell using a command-line interface (CLI): the keyboard is used to run CLI-based network programs and to enter text and text-based commands, and the output is viewed on a monitor.
• A GUI such as Windows, macOS, Linux KDE, Apple iOS, or Android allows the user to interact with the system using an environment of graphical icons, menus, and windows.
• Access methods:

Console: A physical management port that provides out-of-band access to a Cisco device. Out-of-band access refers to access via a dedicated management channel that is used for device maintenance purposes only. The advantage of using a console port is that the device is accessible even if no networking services are configured, such as when performing the initial configuration. A computer running terminal emulation software and a special console cable to connect to the device are required for a console connection.

Secure Shell (SSH): SSH is an in-band and recommended method for remotely establishing a secure CLI connection, through a virtual interface, over a network. Unlike a console connection, SSH connections require active networking services on the device, including an active interface configured with an address. Most versions of Cisco IOS include an SSH server and an SSH client that can be used to establish SSH sessions with other devices.

Telnet: Telnet is an insecure, in-band method of remotely establishing a CLI session, through a virtual interface, over a network. Unlike SSH, Telnet does not provide a secure, encrypted connection and should only be used in a lab environment. User authentication, passwords, and commands are sent over the network in plaintext. The best practice is to use SSH instead of Telnet. Cisco IOS includes both a Telnet server and a Telnet client.

IOS Navigation:

• As a security feature, the Cisco IOS software separates management access into the following two command modes: User EXEC Mode and Privileged EXEC Mode.

Command Mode: User EXEC Mode
Description: Allows access to only a limited number of basic monitoring commands. It is often referred to as "view-only" mode.
Default Device Prompt: Switch> or Router>

Command Mode: Privileged EXEC Mode
Description: Allows access to all commands and features. The user can use any monitoring commands and execute configuration and management commands.
Default Device Prompt: Switch# or Router#

• Global configuration mode is accessed before other specific configuration modes. From global config mode, the user can enter different sub-configuration modes.
• Two common sub-configuration modes are Line Configuration Mode and Interface Configuration Mode.
• To enter global configuration mode, use the configure terminal privileged EXEC mode command. To return to privileged EXEC mode, enter the exit global config mode command.

The Command Structure:

• Each IOS command has a specific format or syntax and can only be executed in the appropriate mode.
• The general syntax for a command is the command followed by any appropriate keywords and arguments.
• The IOS has two forms of help available: context-sensitive help and command syntax check.

Figure 5

Basic Device Configuration:

• The first configuration command on any device should be to give it a unique device name or hostname.
• Network devices should always have passwords configured to limit administrative access.
• Cisco IOS can be configured to use hierarchical mode passwords to allow different access privileges to a network device.
• Configure and encrypt all passwords.
• Provide a method for declaring that only authorized personnel should attempt to access the device by adding a banner to the device output.

Save Configurations:

• There are two system files that store the device configuration: startup-config and running-config.
• The running configuration can be altered if it has not been saved. Configuration files can also be saved and archived to a text document.

Ports and Addresses:

• IP addresses enable devices to locate one another and establish end-to-end communication on the internet.
• Each end device on a network must be configured with an IP address.
• The structure of an IPv4 address is called dotted decimal notation and is represented by four decimal numbers between 0 and 255.
• Network communications depend on end user device interfaces, networking device interfaces, and the cables that connect them.
• A cable connecting to the interface must be designed to match the physical standards of the interface. Types of network media include twisted-pair copper cables, fiber-optic cables, coaxial cables, or wireless.

Configure IP Addressing:

• IPv4 address information can be entered into end devices manually, or automatically using Dynamic Host Configuration Protocol (DHCP).
• In a network, DHCP enables automatic IPv4 address configuration for every end device that is DHCP-enabled.
• To access the switch remotely, an IP address and a subnet mask must be configured on the SVI. To configure an SVI on a switch, use the interface vlan 1 global configuration command. VLAN 1 is not an actual physical interface but a virtual one.

Verify Connectivity:

• The show ip interface brief command verifies the condition of the switch interfaces.
• The ping command can be used to test connectivity to another device on the network or a website on the internet.
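The checklist in this chapter (unique hostname, hierarchical passwords, password encryption, a banner, SSH rather than Telnet on the vty lines, and an addressed SVI) can be checked mechanically against a saved running-config. The Python script below is an added example written for this report; it is not Cisco code and not part of the original training material. The two configurations it inspects are constructed samples, the enable secret hash and type-7 password strings in them are placeholders, and the parser assumes the IOS convention that sub-mode lines are indented by one space under the line that opened the mode.

```python
import re

# Constructed sample (not from the report): a switch left close to its factory defaults.
WEAK_CONFIG = """\
hostname Switch
!
line con 0
 password cisco
 login
line vty 0 15
 password cisco
 login
 transport input telnet
!
interface Vlan1
 no ip address
 shutdown
"""

# Constructed sample: the same switch after the basic configuration steps.
# The hash and type-7 strings are placeholders, not real IOS output.
HARDENED_CONFIG = """\
hostname S1
!
service password-encryption
enable secret 5 $PLACEHOLDER_TYPE5_HASH$
banner motd ^Authorized access only.^
!
line con 0
 password 7 PLACEHOLDERTYPE7
 login
line vty 0 15
 password 7 PLACEHOLDERTYPE7
 login
 transport input ssh
!
interface Vlan1
 ip address 192.168.1.20 255.255.255.0
 no shutdown
"""

DEFAULT_HOSTNAMES = {"Switch", "Router"}


def parse_sections(config):
    """Split IOS-style text into (top-level line, [indented child lines]) pairs.
    Indented lines belong to the most recent unindented line; '!' separators are dropped."""
    sections = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit_config(config):
    """Return the list of basic-configuration gaps found in a running-config.
    An empty list means every check in the chapter's checklist passed."""
    findings = []
    sections = parse_sections(config)
    top_level = [header for header, _ in sections]

    # 1. Unique hostname: the factory names count as unset.
    hostnames = [h.split(None, 1)[1] for h in top_level if h.startswith("hostname ")]
    if not hostnames or hostnames[0] in DEFAULT_HOSTNAMES:
        findings.append("default hostname")

    # 2. Hierarchical password guarding privileged EXEC mode.
    if not any(h.startswith("enable secret") for h in top_level):
        findings.append("no enable secret")

    # 3. Encrypt all passwords that are stored in the configuration.
    if "service password-encryption" not in top_level:
        findings.append("plaintext passwords not encrypted")

    # 4. Banner stating that only authorized personnel may access the device.
    if not any(h.startswith("banner motd") for h in top_level):
        findings.append("no MOTD banner")

    for header, children in sections:
        # 5. Every access line (console and vty) must require a password.
        if header.startswith("line "):
            if "login" not in children:
                findings.append(f"{header}: login not required")
            if not any(c.startswith("password ") for c in children):
                findings.append(f"{header}: no password")
            if header.startswith("line vty") and "transport input ssh" not in children:
                findings.append(f"{header}: remote access not restricted to SSH")
        # 6. The SVI needs an address and must be enabled for remote management.
        if header.lower() == "interface vlan1":
            if not any(re.match(r"ip address \d", c) for c in children):
                findings.append("interface Vlan1: no IP address")
            if "shutdown" in children:
                findings.append("interface Vlan1: administratively down")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["no findings"])
```

Run against the weak sample the script reports seven gaps, one per unmet checklist item; against the hardened sample it reports none. Feeding it the text of `show running-config` copied from a real device works the same way, since only the indentation convention is relied on.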

CHAPTER-3 Protocols and Models

The Rules:

• All communication methods have three elements in common: message source (sender), message destination (receiver), and channel.
• Sending a message is governed by rules called protocols. Protocols must include: an identified sender and receiver, common language and grammar, speed and timing of delivery, and confirmation or acknowledgment requirements.
• Common computer protocols include these requirements: message encoding, formatting and encapsulation, size, timing, and delivery options.
• Encoding is the process of converting information into another acceptable form for transmission. Decoding reverses this process to interpret the information.
• Message formats depend on the type of message and the channel that is used to deliver the message. Message timing includes flow control, response timeout, and access method. Message delivery options include unicast, multicast, and broadcast.

Protocols:

• Protocols are implemented by end devices and intermediary devices in software, hardware, or both.
• The Ethernet family of protocols includes IP, TCP, HTTP, and many more.
• Protocols that secure data to provide authentication, data integrity, and data encryption include SSH, SSL, and TLS.
• Protocols that enable routers to exchange route information, compare path information, and then select the best path to the destination network include OSPF and BGP. Protocols used for the automatic detection of devices or services include DHCP and DNS.
• Computers and network devices use agreed-upon protocols that provide the following functions: addressing, reliability, flow control, sequencing, error detection, and application interface.

Figure 6

Protocol Suites:

• A protocol suite is a group of inter-related protocols necessary to perform a communication function.
• TCP/IP protocols are available for the application, transport, and internet layers. TCP/IP is the protocol suite used by today's networks and the internet.
• TCP/IP offers two important aspects to vendors and manufacturers: it is an open standard protocol suite and a standards-based protocol suite.
• The TCP/IP protocol suite communication process enables such processes as a web server encapsulating and sending a web page to a client, as well as the client de-encapsulating the web page for display in a web browser.

Standards Organizations:

• Open standards encourage interoperability, competition, and innovation.
• Standards organizations are usually vendor-neutral, non-profit organizations established to develop and promote the concept of open standards.
• Standards organizations that develop and support TCP/IP include ICANN and IANA. Electronic and communications standards organizations include IEEE, EIA, TIA, and ITU-T.

Reference Models:

• The OSI reference model provides an extensive list of functions and services that can occur at each layer.
• The TCP/IP model is a protocol model because it describes the functions that occur at each layer of protocols within the TCP/IP suite.

Figure 7

Data Encapsulation:

• Segmenting messages increases speed and efficiency.
• TCP is responsible for sequencing the individual segments.
• The form that a piece of data takes at any layer is called a protocol data unit (PDU).
• During encapsulation, each succeeding layer encapsulates the PDU that it receives from the layer above in accordance with the protocol being used. When sending messages on a network, the encapsulation process works from top to bottom.
• De-encapsulation is the process used by a receiving device to remove one or more of the protocol headers. The data is de-encapsulated as it moves up the stack toward the end-user application.

Data Access:

• The network and data link layers are responsible for delivering the data from the source device to the destination device. Protocols at both layers contain a source and destination address, but their addresses have different purposes:
  - Network layer source and destination addresses: responsible for delivering the IP packet from the original source to the final destination, which may be on the same network or a remote network.
  - Data link layer source and destination addresses: responsible for delivering the data link frame from one network interface card (NIC) to another NIC on the same network.
CHAPTER-4 Physical Layer

Purpose of the Physical Layer:

• A physical connection to a local network can be a wired connection using a cable or a wireless connection using radio waves.
• Network Interface Cards (NICs) connect a device to the network. WLAN (Wireless Local Area Network) NICs are used for wireless.
• The OSI physical layer provides the means to transport the bits that make up a data link layer frame across the network media. It accepts a complete frame from the data link layer and encodes it as a series of signals that are transmitted onto the local media.

Physical Layer Characteristics:

• The physical layer consists of electronic circuitry, media, and connectors developed by engineers.
• The physical layer standards address three functional areas: physical components, encoding, and signaling.
• Bandwidth is the capacity at which a medium can carry data. Digital bandwidth measures the amount of data that can flow from one place to another in a given amount of time.
• Throughput is the measure of the transfer of bits across the media over a given period of time and is usually lower than bandwidth.
• Latency refers to the amount of time, including delays, for data to travel from one given point to another.
• Goodput is the measure of usable data transferred over a given period of time.

UTP Cabling:

• UTP cabling consists of four pairs of color-coded copper wires that have been twisted together and then encased in a flexible plastic sheath.
• UTP cable does not use shielding to counter the effects of EMI and RFI.
• UTP cabling conforms to the standards established jointly by the TIA/EIA. The electrical characteristics of copper cabling are defined by the Institute of Electrical and Electronics Engineers (IEEE).
• UTP cable is usually terminated with an RJ-45 connector.
• The main cable types that are obtained by using specific wiring conventions are Ethernet straight-through and Ethernet crossover.
Fiber-Optic Cabling:

• Optical fiber cable transmits data over longer distances and at higher bandwidths than any other networking media. Fiber-optic cable can transmit signals with less attenuation than copper wire and is completely immune to EMI and RFI.
• Optical fiber is a flexible, but extremely thin, transparent strand of very pure glass. Bits are encoded on the fiber as light impulses.
• Fiber-optic cabling is now being used in four types of industry: enterprise networks, FTTH, long-haul networks, and submarine cable networks.
• There are four types of fiber-optic connectors: ST, SC, LC, and duplex multimode LC.

Wireless Media:

• Wireless media carry electromagnetic signals that represent the binary digits of data communications using radio or microwave frequencies.
• Wireless does have some limitations, including coverage area, interference, security, and the problems that occur with any shared medium.
• Wireless standards include the following: Wi-Fi (IEEE 802.11), Bluetooth (IEEE 802.15), WiMAX (IEEE 802.16), and Zigbee (IEEE 802.15.4). A wireless LAN (WLAN) requires a wireless AP and wireless NIC adapters.

Figure 8
CHAPTER-5 Number Systems

Binary Number Systems:

• Binary is a numbering system that consists of the numbers 0 and 1, called bits.
• Binary is important for us to understand because hosts, servers, and network devices use binary addressing, specifically binary IPv4 addresses, to identify each other.
• One must know binary addressing and how to convert between binary and dotted decimal IPv4 addresses.
• The binary positional notation operates as described in the table:

Radix                2      2      2      2      2      2      2      2
Position in number   7      6      5      4      3      2      1      0
Calculate            2^7    2^6    2^5    2^4    2^3    2^2    2^1    2^0
Position value       128    64     32     16     8      4      2      1

Hexadecimal Number Systems:

• The hexadecimal base sixteen number system uses the numbers 0 to 9 and the letters A to F. The hexadecimal numbering system is used in networking to represent IPv6 addresses and Ethernet MAC addresses.
• IPv6 addresses are 128 bits in length, and every 4 bits is represented by a single hexadecimal digit, for a total of 32 hexadecimal values.
• To convert hexadecimal to decimal, first convert the hexadecimal to binary and then convert the binary to decimal. To convert decimal to hexadecimal, first convert the decimal to binary and then the binary to hexadecimal.
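The conversions this chapter describes, written out in Python as an added example (not code from the report or from Cisco). An octet is converted to bits by subtracting the position values 128 down to 1 from left to right, exactly as the table lays them out; hexadecimal goes through binary on the way to decimal and back, four bits per hex digit; and a MAC address written as 12 hex digits is expanded to its 48 bits. The sample addresses in the usage note are constructed.

```python
# Position values of the eight bit positions, highest first: 128, 64, ..., 1.
POSITION_VALUES = [2 ** position for position in range(7, -1, -1)]
HEX_DIGITS = "0123456789ABCDEF"


def octet_to_bits(value):
    """Decimal octet -> 8-character bit string, subtracting the position
    values from left to right as the table does."""
    if not 0 <= value <= 255:
        raise ValueError("an IPv4 octet must be between 0 and 255")
    bits = []
    remainder = value
    for weight in POSITION_VALUES:
        if remainder >= weight:
            bits.append("1")
            remainder -= weight
        else:
            bits.append("0")
    return "".join(bits)


def bits_to_octet(bits):
    """8-character bit string -> decimal, adding the position values of the 1 bits."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly eight binary digits")
    return sum(weight for bit, weight in zip(bits, POSITION_VALUES) if bit == "1")


def ipv4_to_binary(address):
    """Dotted decimal -> dotted binary, one octet at a time."""
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError("an IPv4 address has four octets")
    return ".".join(octet_to_bits(int(octet)) for octet in octets)


def binary_to_ipv4(dotted_binary):
    """Dotted binary -> dotted decimal."""
    return ".".join(str(bits_to_octet(bits)) for bits in dotted_binary.split("."))


def bits_to_int(bits):
    """Binary string of any length (most significant bit first) -> decimal."""
    total = 0
    for bit in bits:
        if bit not in "01":
            raise ValueError("not a binary digit: " + bit)
        total = total * 2 + (bit == "1")
    return total


def hex_to_decimal(hex_string):
    """Hex -> binary (four bits per digit) -> decimal.
    HEX_DIGITS.index raises ValueError for anything that is not a hex digit."""
    bits = "".join(format(HEX_DIGITS.index(ch), "04b") for ch in hex_string.upper())
    return bits_to_int(bits)


def decimal_to_hex(value):
    """Decimal -> binary -> hex, grouping the bits four at a time from the right."""
    if value < 0:
        raise ValueError("negative values are not handled")
    bits = ""
    remaining = value
    while remaining:
        bits = str(remaining % 2) + bits
        remaining //= 2
    bits = bits or "0"
    bits = bits.zfill(-(-len(bits) // 4) * 4)  # left-pad to a multiple of four bits
    return "".join(HEX_DIGITS[bits_to_int(bits[i:i + 4])] for i in range(0, len(bits), 4))


def mac_to_bits(mac):
    """48-bit MAC written as 12 hex digits -> 48-character bit string.
    The first 24 bits are the vendor OUI, the remaining 24 the vendor-assigned value."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError("a MAC address has 12 hexadecimal digits")
    return "".join(format(HEX_DIGITS.index(ch), "04b") for ch in digits.upper())


if __name__ == "__main__":
    print(ipv4_to_binary("192.168.10.1"))   # constructed sample address
    print(hex_to_decimal("CA"), decimal_to_hex(202))
    print(mac_to_bits("00-60-2F-3A-07-BC"))  # constructed sample MAC
```

For 192.168.10.1 the first octet works out as 128 + 64 = 192, so its bits are 11000000; the hex digit pair CA is 1100 1010, which is 202 in decimal, and the reverse route gives CA back.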

Figure 9

CHAPTER-6 Data Link Layer

Purpose of the Data Link Layer:

• The data link layer of the OSI model (Layer 2) prepares network data for the physical network.
• The data link layer is responsible for network interface card (NIC) to network interface card communications.
• The IEEE 802 LAN/MAN data link layer consists of the following two sublayers: LLC and MAC.
• The MAC sublayer provides data encapsulation through frame delimiting, addressing, and error detection. Router interfaces encapsulate the packet into the appropriate frame.
• Engineering organizations that define open standards and protocols that apply to the network access layer include IEEE, ITU, ISO, and ANSI.

Topologies:

• The two types of topologies used in LAN and WAN networks are physical and logical.
• Three common types of physical WAN topologies are point-to-point, hub and spoke, and mesh.
• Physical point-to-point topologies directly connect two end devices (nodes).
• In multi-access LANs, nodes are interconnected using star or extended star topologies. In this type of topology, nodes are connected to a central intermediary device.
• Physical LAN topologies include star, extended star, bus, and ring.
• Half-duplex communications exchange data in one direction at a time. Full-duplex sends and receives data simultaneously.
• A multi-access network is a network that can have multiple nodes accessing the network simultaneously.

Data Link Frame:

Figure 10

• The data link layer prepares the encapsulated data (usually an IPv4 or IPv6 packet) for transport across the local media by encapsulating it with a header and a trailer to create a frame.
• The data link protocol is responsible for NIC-to-NIC communications within the same network. Each frame type has three basic parts: header, data, and trailer.
• The data link layer appends information in the trailer. There is no one frame structure that meets the needs of all data transportation across all types of media.
• Frame fields include frame start and stop indicator flags, addressing, type, control, data, and error detection. The data link layer provides addressing used to transport a frame across shared local media. Device addresses at this layer are physical addresses.
• Data link layer addressing is contained within the frame header and specifies the frame destination node on the local network.
• Data link layer protocols include Ethernet, 802.11 Wireless, PPP, HDLC, and Frame Relay.
CHAPTER-7 Ethernet Switching

Ethernet Frame:

• Ethernet operates in the data link layer and the physical layer.
• Ethernet standards define both the Layer 2 protocols and the Layer 1 technologies. Ethernet uses the LLC and MAC sublayers of the data link layer to operate.
• Data encapsulation includes the following: Ethernet frame, Ethernet addressing, and Ethernet error detection. Ethernet LANs use switches that operate in full-duplex.
• The Ethernet frame fields are: preamble and start frame delimiter, destination MAC address, source MAC address, EtherType, data, and FCS.
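The frame fields listed above, and the top-down encapsulation described in Chapter 3 (Data Encapsulation), can be made concrete by building the bytes. The Python block below is an added example, not code from the report or from Cisco. It wraps a transport-layer segment in an IPv4 header (Layer 3), wraps that packet in an Ethernet II frame with the minimum-length padding and a CRC-32 FCS (Layer 2), then de-encapsulates in the opposite order, verifying the FCS and the IPv4 header checksum on the way up. The MAC addresses, IP addresses and the identification field value are constructed; the preamble and start frame delimiter are left out because they are physical-layer framing rather than part of the stored frame.

```python
import ipaddress
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
MIN_DATA_LENGTH = 46   # Ethernet II pads the data field up to this many bytes
PROTO_TCP = 6


def mac_to_bytes(mac):
    return bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_header_checksum(header):
    """One's-complement sum of 16-bit words (RFC 791). Over a header whose checksum
    field is zero this yields the checksum; over a valid header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src_ip, dst_ip, protocol, segment, ttl=64):
    """Layer 3 encapsulation: prepend a 20-byte IPv4 header to a transport segment."""
    total_length = 20 + len(segment)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20-byte header)
        0,               # DSCP/ECN
        total_length,
        0x1234,          # identification (constructed value)
        0x4000,          # flags: don't fragment; fragment offset 0
        ttl,
        protocol,
        0,               # checksum placeholder, filled in below
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    checksum = ipv4_header_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + segment


def build_ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Layer 2 encapsulation: header (dst MAC, src MAC, EtherType) + data + FCS trailer."""
    data = payload + b"\x00" * max(0, MIN_DATA_LENGTH - len(payload))
    header = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype)
    fcs = struct.pack("<I", zlib.crc32(header + data))  # CRC-32, least significant byte first
    return header + data + fcs


def fcs_is_valid(frame):
    """Error detection: recompute the CRC over everything except the trailer."""
    return struct.pack("<I", zlib.crc32(frame[:-4])) == frame[-4:]


def parse_ethernet_frame(frame):
    """Layer 2 de-encapsulation: strip header and trailer, return the fields."""
    if len(frame) < 14 + MIN_DATA_LENGTH + 4:
        raise ValueError("runt frame")
    if not fcs_is_valid(frame):
        raise ValueError("FCS mismatch: frame corrupted in transit")
    return {
        "dst": bytes_to_mac(frame[:6]),
        "src": bytes_to_mac(frame[6:12]),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "data": frame[14:-4],
    }


def parse_ipv4_packet(data):
    """Layer 3 de-encapsulation. The Total Length field says where the packet ends,
    which is how the Layer 2 padding added above gets discarded."""
    ihl = (data[0] & 0x0F) * 4
    header = data[:ihl]
    if ipv4_header_checksum(header) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_length = struct.unpack("!H", data[2:4])[0]
    return {
        "src": str(ipaddress.IPv4Address(header[12:16])),
        "dst": str(ipaddress.IPv4Address(header[16:20])),
        "ttl": header[8],
        "protocol": header[9],
        "segment": data[ihl:total_length],
    }


if __name__ == "__main__":
    segment = b"GET / HTTP/1.1\r\n"                         # constructed transport payload
    packet = build_ipv4_packet("192.168.10.10", "192.168.10.1", PROTO_TCP, segment)
    frame = build_ethernet_frame("00:00:0c:11:22:33", "aa:bb:cc:dd:ee:ff", ETHERTYPE_IPV4, packet)
    print(len(frame), "bytes on the wire;", parse_ipv4_packet(parse_ethernet_frame(frame)["data"]))
```

A 16-byte segment becomes a 36-byte packet, which the data link layer pads to 46 bytes, giving the 64-byte minimum Ethernet frame; flipping any byte between the header and the trailer makes fcs_is_valid return False, which is the error detection the FCS field exists for.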

Figure 11

Ethernet MAC Address:

• The MAC address is used to identify the physical source and destination devices (NICs) on the local network segment.
• MAC addressing provides a method for device identification at the data link layer of the OSI model.
• An Ethernet MAC address is a 48-bit address expressed using 12 hexadecimal digits, or 6 bytes. An Ethernet MAC address consists of a 6-hexadecimal-digit vendor OUI code followed by a 6-hexadecimal-digit vendor-assigned value.
• When a device is forwarding a message to an Ethernet network, the Ethernet header includes the source and destination MAC addresses. In Ethernet, different MAC addresses are used for Layer 2 unicast, broadcast, and multicast communications.

The MAC Address Table:

• A Layer 2 Ethernet switch makes its forwarding decisions based solely on the Layer 2 Ethernet MAC addresses.
• The switch dynamically builds the MAC address table by examining the source MAC address of the frames received on a port.
• The switch forwards frames by searching for a match between the destination MAC address in the frame and an entry in the MAC address table.
• As a switch receives frames from different devices, it is able to populate its MAC address table by examining the source MAC address of every frame.
• When the MAC address table of the switch contains the destination MAC address, it is able to filter the frame and forward it out a single port.
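The learn, forward and filter behaviour just described, as an added Python simulation (not code from the report or from Cisco). Every frame's source MAC is recorded against its ingress port; a known unicast destination goes out one port, an unknown unicast is flooded, and a destination that sits on the same port as the sender is filtered. Broadcast and multicast frames, which the Ethernet MAC Address section mentions, are flooded as well. The port names and MAC addresses are constructed, and one port is treated as if a hub with two hosts hangs off it so that the filter case actually occurs.

```python
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac):
    """The least significant bit of the first octet marks a group (multicast) address."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Layer2Switch:
    """Learns source MACs per ingress port and forwards on destination MAC only."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}   # MAC address -> port it was learned on

    def receive(self, ingress_port, src_mac, dst_mac):
        """Process one frame. Returns the egress ports: several when the frame is
        flooded, exactly one when it is forwarded, none when it is filtered."""
        if ingress_port not in self.ports:
            raise ValueError(f"unknown port {ingress_port}")
        src, dst = src_mac.lower(), dst_mac.lower()

        # Learn: record (or refresh) the source MAC against the port it arrived on.
        self.mac_table[src] = ingress_port

        # Flood: broadcast, multicast and unknown unicast go out every port but the ingress.
        if dst == BROADCAST_MAC or is_multicast(dst) or dst not in self.mac_table:
            return [port for port in self.ports if port != ingress_port]

        # Filter: the destination is on the ingress port's own segment, so nothing is sent.
        egress = self.mac_table[dst]
        if egress == ingress_port:
            return []

        # Forward: known unicast goes out the single matching port.
        return [egress]


def simulate():
    """Constructed traffic on a three-port switch; returns the table and the decisions."""
    sw = Layer2Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    host_a, host_b, host_c, host_d = ("00:00:00:00:00:0a", "00:00:00:00:00:0b",
                                      "00:00:00:00:00:0c", "00:00:00:00:00:0d")
    decisions = [
        sw.receive("Fa0/1", host_a, host_b),         # B unknown: flood
        sw.receive("Fa0/2", host_b, host_a),         # A known on Fa0/1: forward
        sw.receive("Fa0/1", host_a, host_b),         # B now known on Fa0/2: forward
        sw.receive("Fa0/1", host_c, host_a),         # C and A share Fa0/1 (hub): filter
        sw.receive("Fa0/3", host_d, BROADCAST_MAC),  # broadcast: flood
    ]
    return sw.mac_table, decisions


if __name__ == "__main__":
    table, decisions = simulate()
    for entry in table.items():
        print("%-20s %s" % entry)
    print(decisions)
```

After the five frames the table holds four entries, and the decision list reads flood, forward, forward, filter, flood; the same sequence is what `show mac address-table` would reveal being built on a real switch.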


Switch Speeds and Forwarding Methods:

• Switches use one of the following forwarding methods for switching data between network ports: store-and-forward switching or cut-through switching.
• Two variants of cut-through switching are fast-forward and fragment-free.
• Two methods of memory buffering are port-based memory and shared memory.
• There are two types of duplex settings used for communications on an Ethernet network: full-duplex and half-duplex.
• Autonegotiation is an optional function found on most Ethernet switches and NICs. It enables two devices to automatically negotiate the best speed and duplex capabilities.
• Full-duplex is chosen if both devices have the capability, along with their highest common bandwidth.
CHAPTER-8 Network Layer

Network Layer Characteristics:

• The network layer (OSI Layer 3) provides services to allow end devices to exchange data across networks.
• IPv4 and IPv6 are the principal network layer communication protocols. The network layer also includes the routing protocol OSPF and messaging protocols such as ICMP.
• Network layer protocols perform four basic operations: addressing end devices, encapsulation, routing, and de-encapsulation.
• IPv4 and IPv6 specify the packet structure and processing used to carry the data from one host to another host.
• IP encapsulates the transport layer segment by adding an IP header, which is used to deliver the packet to the destination host. The IP header is examined by Layer 3 devices (i.e., routers) as it travels across a network to its destination.
• The characteristics of IP are that it is connectionless, best effort, and media independent.

IPv4 Packet:

• An IPv4 packet header consists of fields containing information about the packet. These fields contain binary numbers which are examined by the Layer 3 process.
• The binary values of each field identify various settings of the IP packet.

IPv6 Packet:

• IPv6 is designed to overcome the limitations of IPv4, including IPv4 address depletion, lack of end-to-end connectivity, and increased network complexity.
• IPv6 increases the available address space, improves packet handling, and eliminates the need for NAT.
Figure 12
How a Host Routes:

 A host can send a packet to itself, another local host, and a remote host.
 In IPv4, the source device uses its own subnet mask along with its own IPv4 address and the
destination IPv4 address to determine whether the destination host is on the same network.
 In IPv6, the local router advertises the local network address (prefix) to all devices on the
network, to make this determination.
 The default gateway is the network device (i.e., router) that can route traffic to other networks.
On a network, a default gateway is usually a router that has a local IP address in the same address
range as other hosts on the local network, can accept data into the local network and forward data
out of the local network, and route traffic to other networks. A host routing table will typically
include a default gateway.
 In IPv4, the host receives the IPv4 address of the default gateway either dynamically via DHCP
or it is configured manually. In IPv6, the router advertises the default gateway address, or the
host can be configured manually.

Introduction to Routing:

 When a host sends a packet to another host, it consults its routing table to determine where to
send the packet. If the destination host is on a remote network, the packet is forwarded to the
default gateway which is usually the local router.
 When a packet arrives on a router interface, the router examines the packet’s destination IP
address and searches its routing table to determine where to forward the packet.
 The routing table of a router stores three types of route entries: directly connected networks,
remote networks, and a default route.
 Static routes are route entries that are manually configured. Static routes include the remote
network address and the IP address of the next hop router.
 At the beginning of an IPv4 routing table entry is a code that identifies the type of route or
how the route was learned. Common route sources (codes) include:
• L - Directly connected local interface IP address
• C - Directly connected network
• S - Static route manually configured by an administrator
• O - Open Shortest Path First (OSPF)
• D - Enhanced Interior Gateway Routing Protocol (EIGRP)
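The two decisions described in this chapter, the host's local-or-remote test and the router's routing table lookup, as an added Python example (not code from the report or from Cisco IOS). The host address, default gateway and routing table are constructed sample values; the table uses the route codes listed above plus the IOS "S*" marking for the static default route, which is an assumption about the display format, not something the report states.

```python
import ipaddress

# Constructed host state (sample values, not from the report).
HOST = ipaddress.IPv4Interface("192.168.10.10/24")
DEFAULT_GATEWAY = ipaddress.IPv4Address("192.168.10.1")

# Constructed router routing table: (code, destination prefix, next hop or exit interface).
# C/L are directly connected, S static, O learned by OSPF; S* is the static default route.
ROUTER_TABLE = [
    ("C",  "192.168.10.0/24", "GigabitEthernet0/0/0"),
    ("L",  "192.168.10.1/32", "GigabitEthernet0/0/0"),
    ("C",  "10.1.1.0/30",     "GigabitEthernet0/0/1"),
    ("S",  "172.16.0.0/16",   "10.1.1.2"),
    ("O",  "172.16.5.0/24",   "10.1.1.2"),
    ("S*", "0.0.0.0/0",       "10.1.1.2"),
]


def host_is_local(host: ipaddress.IPv4Interface, dest: str) -> bool:
    """Host-side test: AND both the host's own address and the destination address with
    the host's subnet mask; equal network portions mean the destination is on this network."""
    mask = int(host.network.netmask)
    return (int(host.ip) & mask) == (int(ipaddress.IPv4Address(dest)) & mask)


def host_next_hop(host, gateway, dest: str) -> ipaddress.IPv4Address:
    """Local destinations are sent directly; everything else goes to the default gateway."""
    return ipaddress.IPv4Address(dest) if host_is_local(host, dest) else gateway


def longest_prefix_match(table, dest: str):
    """Router-side lookup: of all entries that contain the destination, choose the one with
    the longest prefix. The default route (/0) matches everything, so it is used only when
    no more specific route exists. Returns (code, network, via) or None."""
    addr = ipaddress.IPv4Address(dest)
    best = None
    for code, prefix, via in table:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (code, net, via)
    return best


if __name__ == "__main__":
    for dest in ("192.168.10.50", "172.16.5.9", "172.16.9.1", "8.8.8.8"):
        print(dest, "| host sends to", host_next_hop(HOST, DEFAULT_GATEWAY, dest),
              "| router picks", longest_prefix_match(ROUTER_TABLE, dest))
```

Note how 172.16.5.9 is matched by both the static /16 and the OSPF /24; the longer prefix wins regardless of which code the route carries.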

CHAPTER-9 Address Resolution
MAC and IP:

 Layer 2 physical addresses are used to deliver the data link frame with the encapsulated IP packet
from one NIC to another NIC on the same network. If the destination IP address is on the same
network, the destination MAC address will be that of the destination device.
 When the destination IP address is on a remote network, the destination MAC address will be the
address of the host default gateway.
 Along each link in a path, an IP packet is encapsulated in a frame. The frame is specific to the
data link technology associated with that link, such as Ethernet.
 For IPv4 packets, this is done through a process called ARP. For IPv6 packets, the process is
ICMPv6 ND.

ARP:

 When a device sends an Ethernet Layer 2 frame, it contains these two addresses: destination
MAC address and source MAC address. A device uses ARP to determine the destination MAC
address of a local device when it knows its IPv4 address.
 ARP provides two basic functions: resolving IPv4 addresses to MAC addresses and maintaining
a table of IPv4 to MAC address mappings.
 The ARP request is encapsulated in an Ethernet frame using this header information: source and
destination MAC addresses and type.
 Only one device on the LAN will have an IPv4 address that matches the target IPv4 address in
the ARP request. All other devices will not reply.
 After the ARP reply is received, the device will add the IPv4 address and the corresponding
MAC address to its ARP table.
 When the destination IPv4 address is not on the same network as the source IPv4 address, the
source device needs to send the frame to its default gateway.
 For each device, an ARP cache timer removes ARP entries that have not been used for a specified
period of time.
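The ARP exchange and cache described above, as an added Python example that is not part of the report: it encodes and decodes the Ethernet-framed ARP request and reply, models a LAN on which only the owner of the target IPv4 address replies, and keeps an ARP table whose entries age out on a timer. The MAC and IPv4 addresses, the 300-second timeout and the `lan_responder` stand-in for the network are all constructed for the example.

```python
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header (destination MAC, source MAC, type 0x0806) plus the 28-byte ARP body.
    A request is broadcast and carries an all-zero target MAC; a reply is unicast."""
    eth_dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    body_target = ZERO_MAC if opcode == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # HTYPE=1 (Ethernet), PTYPE=0x0800 (IPv4), HLEN=6, PLEN=4, OPER
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(body_target) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame):
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _htype, _ptype, _hlen, _plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:42]
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "opcode": opcode,
        "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20]),
    }


class ArpCache:
    """IPv4 -> MAC table whose entries are removed after timeout_s seconds without use."""
    def __init__(self, timeout_s=300):
        self.timeout_s = timeout_s
        self.entries = {}                  # ip -> (mac, last_used)

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now)

    def lookup(self, ip, now):
        self.expire(now)
        hit = self.entries.get(ip)
        if hit is None:
            return None
        self.entries[ip] = (hit[0], now)   # using an entry refreshes its timer
        return hit[0]

    def expire(self, now):
        stale = [ip for ip, (_, t) in self.entries.items() if now - t > self.timeout_s]
        for ip in stale:
            del self.entries[ip]


# Constructed LAN: the IPv4 -> MAC bindings of the devices that could answer a request.
LAN = {"192.168.1.1": "00:11:22:33:44:01", "192.168.1.20": "00:11:22:33:44:14"}


def lan_responder(request_frame):
    """Only the device owning the target IPv4 address replies; all others stay silent."""
    req = parse_arp_frame(request_frame)
    mac = LAN.get(req["target_ip"])
    if mac is None:
        return None
    return build_arp_frame(ARP_REPLY, mac, req["target_ip"], req["sender_mac"], req["sender_ip"])


def resolve(cache, my_mac, my_ip, target_ip, responder, now):
    """Return the MAC for target_ip from the cache, or by an ARP exchange whose reply is cached."""
    mac = cache.lookup(target_ip, now)
    if mac is not None:
        return mac
    reply = responder(build_arp_frame(ARP_REQUEST, my_mac, my_ip, None, target_ip))
    if reply is None:
        return None
    rep = parse_arp_frame(reply)
    cache.learn(rep["sender_ip"], rep["sender_mac"], now)
    return rep["sender_mac"]
```

The `now` argument is passed explicitly instead of reading the clock so the ageing behaviour can be exercised deterministically.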

Neighbor Discovery:

 IPv6 does not use ARP; it uses the ND protocol to resolve MAC addresses.
 ND provides address resolution, router discovery, and redirection services for IPv6 using
ICMPv6.
 ICMPv6 ND uses five ICMPv6 messages to perform these services: neighbor solicitation,
neighbor advertisement, router solicitation, router advertisement, and redirect.
 IPv6 devices use IPv6 ND to resolve a known IPv6 address to the MAC address of the device that owns it.

CHAPTER-10 Basic Router Configuration
Configure Initial Router Settings:

 The following tasks should be completed when configuring initial settings on a router.
1. Configure the device name.
2. Secure privileged EXEC mode.
3. Secure user EXEC mode.
4. Secure remote Telnet / SSH access.
5. Secure all passwords in the config file.
6. Provide legal notification.
7. Save the configuration.

Configure Interfaces:

 For routers to be reachable, the router interfaces must be configured. The Cisco ISR 4321 router
is equipped with two Gigabit Ethernet interfaces: Gigabit Ethernet 0/0/0 (G0/0/0) and Gigabit
Ethernet 0/0/1 (G0/0/1).
 The tasks to configure a router interface are very similar to a management SVI on a switch. Using
the no shutdown command activates the interface.
 The interface must also be connected to another device, such as a switch or a router, for the
physical layer to be active.
 Several commands can be used to verify interface configuration, including show ip interface
brief and show ipv6 interface brief, show ip route and show ipv6 route, as well as show
interfaces, show ip interface and show ipv6 interface.

Configure the Default Gateway:

 For an end device to communicate over the network, it must be configured with the correct IP
address information, including the default gateway address. The default gateway address is
generally the router interface address for the router that is attached to the local network of the
host.
 The IP address of the host device and the router interface address must be in the same network.
 To connect to and manage a switch over a local IP network, it must have a switch virtual
interface (SVI) configured.
 The SVI is configured with an IPv4 address and subnet mask on the local LAN.
 The switch must also have a default gateway address configured to remotely manage the switch
from another network.
 To configure an IPv4 default gateway on a switch, use the ip default-gateway ip-address global
configuration command. Use the IPv4 address of the local router interface that is connected to the
switch.

CHAPTER-11 IPv4 Addressing
IPv4 Addressing Structure:

 An IPv4 address is a 32-bit hierarchical address that is made up of a network
portion and a host portion.
 The bits within the network portion of the address must be identical for all
devices that reside in the same network. The bits within the host portion of
the address must be unique to identify a specific host within a network.
 A host requires a unique IPv4 address and a subnet mask to show the
network/host portions of the address.
 The prefix length is the number of bits set to 1 in the subnet mask. It is
written in “slash notation”, which is a “/” followed by the number of bits set
to 1.
 Logical AND is the comparison of two bits. Only 1 AND 1 produces a 1; all other
combinations result in a 0.
 Within each network there are network addresses, host addresses, and a
broadcast address.

Figure 14

IPv4 Unicast, Broadcast and Multicast:

 Unicast transmission refers to a device sending a message to one other device in one-to-one
communications. A unicast packet is a packet with a destination IP address that is a unicast
address which is the address of a single recipient.
 Broadcast transmission refers to a device sending a message to all the devices on a network in
one-to-all communications. A broadcast packet has a destination IP address with all ones (1s) in
the host portion, or 32 one (1) bits.
 Multicast transmission reduces traffic by allowing a host to send a single packet to a selected set
of hosts that subscribe to a multicast group. A multicast packet is a packet with a destination IP
address that is a multicast address. IPv4 has reserved the 224.0.0.0 to 239.255.255.255 addresses
as a multicast range.

Types of IPv4 Addresses:

 Public IPv4 addresses are globally routed between ISP routers.
 Not all available IPv4 addresses can be used on the internet. There are blocks of addresses called
private addresses that are used by most organizations to assign IPv4 addresses to internal hosts.
 Most internal networks use private IPv4 addresses for addressing all internal devices (intranet);
however, these private addresses are not globally routable. Loopback addresses used by a host to
direct traffic back to itself.
 Link-local addresses are more commonly known as APIPA addresses, or self-assigned addresses.
 In 1981, IPv4 addresses were assigned using classful addressing: A, B, or C.
 Public IPv4 addresses must be unique, and are globally routed over the internet. Both IPv4 and
IPv6 addresses are managed by the IANA, which allocates blocks of IP addresses to the RIRs.

Network Segmentation:

 In an Ethernet LAN, devices broadcast to locate other devices using ARP.
 Switches propagate broadcasts out all interfaces except the interface on which the broadcast was received.
 Routers do not propagate broadcasts, instead each router interface connects a broadcast
domain and broadcasts are only propagated within that specific domain.
 Subnetting reduces overall network traffic and improves network performance. An administrator
may subnet by location, between networks, or by device type.

Subnet an IPv4 Network:

 IPv4 subnets are created by using one or more of the host bits as network bits. This is done by
extending the subnet mask to borrow some of the bits from the host portion of the address to
create additional network bits.
 The more host bits that are borrowed, the more subnets that can be defined. The more bits that are
borrowed to increase the number of subnets also reduces the number of hosts per subnet.
 Networks are most easily subnetted at the octet boundaries of /8, /16, and /24. Subnets can borrow
bits from any host bit position to create other masks.

Subnet a /16 and /8 Prefix:

 When a larger number of subnets is required, an IPv4 network with more host bits available to
borrow is required.
 To create subnets, one must borrow bits from the host portion of the IPv4 address of the existing
internetwork.
 Starting from the left with the first available host bit, borrow one bit at a time until you
reach the number of bits necessary to create the number of subnets required.
 When borrowing bits from a /16 address, start borrowing bits in the third octet, going from left to right. The
first address is reserved for the network address and the last address is reserved for the broadcast address.

Subnet to Meet Requirements:

 A typical enterprise network contains an intranet and a DMZ. Both have subnetting
requirements and challenges.
 The intranet uses private IPv4 addressing space.
 The 10.0.0.0/8 network can also be subnetted using any other prefix length, such as /12, /18,
/20, etc., giving the network administrator many options. Because the devices in the DMZ need to be
publicly accessible from the internet, they require public IPv4 addresses.
 Organizations must maximize their own limited number of public IPv4 addresses.
 Administrators must consider how many host addresses are required for each network, and how many
subnets are needed. This is known as Variable Length Subnet Masking (VLSM).

Variable Length Subnet Masking:

 Traditional subnetting might meet an organization’s needs for its largest LAN and divide the address space
into an adequate number of subnets. But it likely also results in significant waste of unused addresses.
 VLSM allows a network space to be divided into unequal parts. With VLSM, the subnet mask will vary
depending on how many bits have been borrowed for a particular subnet.
 VLSM is just subnetting a subnet. When using VLSM, begin by satisfying the host requirements of the
largest subnet. Continue subnetting until the host requirements of the smallest subnet are satisfied.
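The subnetting and VLSM procedure from the last three sections, as an added Python example that is not part of the report. It generalises the procedure to any starting block, not only a /24: requirements are served largest first, each subnet is the smallest that still leaves room for the network and broadcast addresses, and each is taken from the lowest free space so that nothing overlaps. The block `192.168.20.0/24` and the department host counts are constructed sample values.

```python
import ipaddress
import math


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose subnet still has `hosts` usable addresses once the network
    and broadcast addresses are set aside (never longer than /30)."""
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - host_bits


def vlsm_allocate(block: str, requirements):
    """Carve `block` into one subnet per (name, hosts) requirement, largest first, each
    taken from the lowest free space, so subnets never overlap and the unused space
    stays contiguous. Returns a list of dicts describing the subnets in allocation order."""
    free = [ipaddress.IPv4Network(block)]
    plan = []
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        plen = prefix_for_hosts(hosts)
        free.sort(key=lambda n: int(n.network_address))
        for i, chunk in enumerate(free):
            if chunk.prefixlen <= plen:
                # take the lowest /plen inside this chunk and keep the remainder free
                subnet = chunk if chunk.prefixlen == plen else next(chunk.subnets(new_prefix=plen))
                free[i:i + 1] = list(chunk.address_exclude(subnet))
                usable = list(subnet.hosts())
                plan.append({
                    "name": name, "required": hosts, "network": str(subnet),
                    "mask": str(subnet.netmask),
                    "first_host": str(usable[0]), "last_host": str(usable[-1]),
                    "broadcast": str(subnet.broadcast_address),
                    "usable": subnet.num_addresses - 2,
                })
                break
        else:
            raise ValueError(f"no free space left for {name} ({hosts} hosts)")
    return plan


if __name__ == "__main__":
    # constructed requirements: four departments with different host counts
    for row in vlsm_allocate("192.168.20.0/24", [("Sales", 58), ("Eng", 26), ("Mgmt", 10), ("WAN", 2)]):
        print(f'{row["name"]:6} {row["network"]:20} {row["mask"]:16} '
              f'{row["first_host"]} - {row["last_host"]}  bcast {row["broadcast"]}  usable {row["usable"]}')
```

Sorting the requirements by size before allocating is what keeps the plan from fragmenting: a small subnet placed first would split a large free chunk and could leave no aligned space for the big one.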

Structured Design:

 A network administrator should study the entire network, both the intranet and the DMZ, and determine
how each area of an IPv4 network will be segmented.
 The address plan includes determining where address conservation is needed, and where there is more
flexibility. Where address conservation is required the plan should determine how many subnets are
needed and how many hosts per subnet.
 The address plan includes how host addresses will be assigned, which hosts will require static IPv4
addresses, and which hosts can use DHCP for obtaining their addressing information.
 Within a network, there are different types of devices that require addresses: end user clients, servers and
peripherals, servers that are accessible from the internet, intermediary devices, and gateways.
 When developing an IP addressing scheme, have a set pattern of how addresses are allocated to each type
of device. This helps when adding and removing devices, filtering traffic based on IP, as well as
simplifying documentation.

CHAPTER-12 IPv6 Addressing
IPv4 Issues:

 IPv4 has a theoretical maximum of 4.3 billion addresses.
 Private addresses in combination with NAT have helped to slow the depletion of IPv4 address
space. An increasing internet population, the limited IPv4 address space, issues with NAT, and
the IoT led to the transition from IPv4 to IPv6.
 Both IPv4 and IPv6 will coexist. The IETF has created various protocols and tools to help
network administrators migrate their networks to IPv6. The migration techniques can be divided
into three categories: dual stack, tunneling, and translation.

IPv6 Address Representation:

 IPv6 addresses are 128 bits in length and written as a string of hexadecimal values. Every 4 bits is
represented by a single hexadecimal digit; for a total of 32 hexadecimal values.
 The preferred format for writing an IPv6 address is x:x:x:x:x:x:x:x, with each “x” consisting
of four hexadecimal digits.

Figure 15

 Two rules help to reduce the number of digits needed to represent an IPv6 address.
1. The first rule is to omit any leading 0s (zeros) in any hextet.
2. The second rule is that a double colon (::) can replace any single, contiguous string of
one or more 16-bit hextets consisting of all zeros.
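The two compression rules implemented by hand, as an added Python example that is not part of the report, with the reverse expansion and a cross-check against the standard library's canonical forms. One design choice is an assumption beyond the report's wording: rule 2 is applied the way RFC 5952 recommends (the longest all-zero run becomes `::`, the leftmost on a tie, and a lone zero hextet is left as `0`), which is also what Python's `ipaddress` does, so the two agree. The sample addresses are constructed.

```python
import ipaddress


def compress_ipv6(full: str) -> str:
    """Apply both rules to an address in the preferred x:x:x:x:x:x:x:x form.
    Rule 2 follows RFC 5952: longest zero run, leftmost on a tie, never a single hextet."""
    hextets = full.lower().split(":")
    if len(hextets) != 8 or any(len(h) != 4 for h in hextets):
        raise ValueError("expected eight 4-digit hextets")
    h = [x.lstrip("0") or "0" for x in hextets]            # rule 1: drop leading zeros
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, x in enumerate(h):                                # rule 2: find the longest zero run
        if x == "0":
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len > best_len:
                best_start, best_len = run_start, run_len
        else:
            run_len = 0
    if best_len < 2:
        return ":".join(h)
    return ":".join(h[:best_start]) + "::" + ":".join(h[best_start + best_len:])


def expand_ipv6(addr: str) -> str:
    """Undo both rules: re-insert the hextets hidden by '::' and pad each to four digits."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        left, right = addr.split("::")
        lparts = left.split(":") if left else []
        rparts = right.split(":") if right else []
        missing = 8 - len(lparts) - len(rparts)
        if missing < 1:
            raise ValueError("'::' must stand for at least one hextet")
        parts = lparts + ["0"] * missing + rparts
    else:
        parts = addr.split(":")
    if len(parts) != 8 or any(not 0 < len(p) <= 4 for p in parts):
        raise ValueError("malformed IPv6 address")
    return ":".join(p.lower().zfill(4) for p in parts)


def matches_stdlib(full: str) -> bool:
    """Cross-check both functions against ipaddress.IPv6Address's compressed/exploded forms."""
    a = ipaddress.IPv6Address(full)
    return compress_ipv6(full) == a.compressed and expand_ipv6(a.compressed) == a.exploded


if __name__ == "__main__":
    for sample in ("2001:0db8:0000:1111:0000:0000:0000:0200", "fe80:0000:0000:0000:0123:4567:89ab:cdef"):
        print(sample, "->", compress_ipv6(sample), "| stdlib agrees:", matches_stdlib(sample))
```

The tie case (`2001:0db8:0000:0000:abcd:0000:0000:1234`) is the one worth remembering: only one of the two zero runs may become `::`, and the leftmost is chosen.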

IPv6 Address Types:

 There are three types of IPv6 addresses: unicast, multicast, and anycast.
 IPv6 does not use the dotted-decimal subnet mask notation. The prefix length is represented in
slash notation and is used to indicate the network portion of an IPv6 address.
 An IPv6 unicast address uniquely identifies an interface on an IPv6-enabled device. IPv6-enabled
devices typically have two unicast addresses: a GUA and an LLA.
 IPv6 unique local addresses have the following uses: they are used for local addressing within a
site or between a limited number of sites, they can be used for devices that will never need to
access another network, and they are not globally routed or translated to a global IPv6 address.

 IPv6 global unicast addresses (GUAs) are globally unique and routable on the IPv6 internet.
These addresses are equivalent to public IPv4 addresses. A GUA has three parts: a global routing
prefix, a subnet ID, and an interface ID.
 An IPv6 link-local address (LLA) enables a device to communicate with other IPv6-enabled
devices on the same link and only on that link (subnet). Devices can obtain an LLA either
statically or dynamically.

GUA and LLA Static Configuration:

 The command to configure an IPv6 GUA on an interface is ipv6 address ipv6-address/prefix-length.
 Configuring static addresses on clients does not scale to larger environments. For this reason,
most network administrators in an IPv6 network will enable dynamic assignment of IPv6
addresses.
 It is necessary to create recognizable LLAs on routers. LLAs can be configured manually using
the ipv6 address ipv6-link-local-address link-local command.

Dynamic Addressing for IPv6 GUAs:

 A device obtains a GUA dynamically through ICMPv6 messages. IPv6 routers periodically send
out ICMPv6 RA messages, every 200 seconds, to all IPv6-enabled devices on the network.
 An RA message will also be sent in response to a host sending an ICMPv6 RS message, which is
a request for an RA message. The ICMPv6 RA message includes: network prefix and prefix
length, default gateway address, and the DNS addresses and domain name.
 An RA message indicates one of three methods: SLAAC, SLAAC with a stateless DHCPv6 server, and stateful
DHCPv6 (no SLAAC).
• With SLAAC, the client device uses the information in the RA message to create its
own GUA because the message contains the prefix and the interface ID.
• With SLAAC with stateless DHCPv6 the RA message suggests devices use SLAAC to
create their own IPv6 GUA, use the router LLA as the default gateway address, and use
a stateless DHCPv6 server to obtain other necessary information.
• With stateful DHCPv6 the RA suggests that devices use the router LLA as the default
gateway address, and the stateful DHCPv6 server to obtain a GUA, a DNS server
address, domain name and all other necessary information.

Dynamic Addressing for IPv6 LLAs:

 All IPv6 devices must have an IPv6 LLA. An LLA can be configured manually or created
dynamically.
 By default, Cisco IOS routers use EUI-64 to generate the Interface ID for all LLAs on IPv6
interfaces. For serial interfaces, the router will use the MAC address of an Ethernet
interface.
 To make it easier to recognize and remember these addresses on routers, it is common
to statically configure IPv6 LLAs on routers.
 To verify IPv6 address configuration use the following three commands: show ipv6
interface brief, show ipv6 route and ping.

IPv6 Multicast Addresses:

 There are two types of IPv6 multicast addresses: well-known multicast addresses and solicited
node multicast addresses.
 Assigned (well-known) multicast addresses are reserved multicast addresses for predefined groups of
devices.
 Two common IPv6 assigned multicast groups are ff02::1, the all-nodes multicast group, and ff02::2,
the all-routers multicast group.
 A solicited-node multicast address is similar to the all-nodes multicast address. The advantage
of a solicited-node multicast address is that it is mapped to a special Ethernet multicast address.

Subnet an IPv6 Network:

 IPv6 was designed with subnetting in mind. A separate subnet ID field in the IPv6 GUA is used
to create subnets. The subnet ID field is the area between the Global Routing Prefix and the
interface ID.
 The benefit of a 128-bit address is that it can support more than enough subnets and hosts per
subnet for each network. Address conservation is not an issue.
 With over 65,536 subnets to choose from, the task of the network administrator becomes one
of designing a logical scheme to address the network.
 Address conservation is not a concern when using IPv6. Each router interface can be
configured to be on a different IPv6 subnet.
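Three address derivations from this chapter in one added Python example (not code from the report or from Cisco IOS): the EUI-64 interface ID and link-local address a router derives from a MAC address, the solicited-node multicast group for a unicast address together with the Ethernet multicast MAC it maps to, and placing a value in the 16-bit subnet ID field of a /48 global routing prefix. The MAC address and the 2001:db8:acad::/48 prefix are constructed sample values.

```python
import ipaddress


def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64: split the 48-bit MAC in the middle, insert ff:fe, and flip the
    U/L bit (bit 7 of the first byte). Returned as four hextets."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(raw) != 6:
        raise ValueError("a MAC address is 48 bits")
    raw[0] ^= 0x02
    iid = bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])
    return ":".join(f"{(iid[i] << 8) | iid[i + 1]:x}" for i in range(0, 8, 2))


def link_local_from_mac(mac: str) -> str:
    """LLA = the fe80::/64 prefix followed by the EUI-64 interface ID."""
    return str(ipaddress.IPv6Address("fe80::" + eui64_interface_id(mac)))


def solicited_node_multicast(unicast: str) -> str:
    """ff02::1:ff00:0/104 with the low 24 bits of the unicast address appended: the group
    to which a Neighbor Solicitation for that address is sent."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


def ipv6_multicast_mac(group: str) -> str:
    """Ethernet destination for an IPv6 multicast group: 33:33 plus the low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> shift) & 0xFF:02x}" for shift in (24, 16, 8, 0))


def gua_subnet(global_routing_prefix: str, subnet_id: int) -> str:
    """Put subnet_id into the 16-bit subnet ID field (bits 48-63) of a /48 global routing
    prefix to obtain one of its 65,536 possible /64 subnets."""
    net = ipaddress.IPv6Network(global_routing_prefix)
    if net.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("expected a /48 prefix and a 16-bit subnet ID")
    return str(ipaddress.IPv6Network((int(net.network_address) | (subnet_id << 64), 64)))


if __name__ == "__main__":
    mac = "fc:99:47:75:ce:e0"                       # constructed sample MAC
    lla = link_local_from_mac(mac)
    group = solicited_node_multicast(lla)
    print("LLA:", lla)
    print("solicited-node group:", group, "->", ipv6_multicast_mac(group))
    print("all-nodes ff02::1 ->", ipv6_multicast_mac("ff02::1"))
    print("subnet 0x10 of 2001:db8:acad::/48 ->", gua_subnet("2001:db8:acad::/48", 0x10))
```

Because many unicast addresses can share the same low 24 bits, a solicited-node group is not guaranteed to contain exactly one host, but it is far narrower than the all-nodes group ff02::1, which is the advantage the chapter refers to.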

CHAPTER-13 ICMP
ICMP Messages:

 The TCP/IP suite provides for error messages and informational messages when communicating
with another IP device to provide feedback about issues related to the processing of IP packets
under certain conditions. These messages are sent using ICMP.
 The ICMP messages common to both ICMPv4 and ICMPv6 are: host reachability, destination
or service unreachable, and time exceeded.
 An ICMP Echo Message tests the reachability of a host on an IP network. The local host sends an
ICMP Echo Request to a host. If the host is available, the destination host responds with an Echo
Reply. This is the basis of the ping utility.
 An ICMPv4 Time Exceeded message is used by a router to indicate that a packet cannot be
forwarded because the Time to Live field of the packet was decremented to zero.
 ICMPv6 also sends a Time Exceeded in this situation. ICMPv6 uses the IPv6 hop limit field to
determine if the packet has expired.
 Time Exceeded messages are used by the traceroute tool.
 The ICMPv6 messages exchanged between an IPv6 router and an IPv6 device, including those used for
dynamic address allocation, are RS and RA.
 The messages between IPv6 devices include the redirect, NS and NA.

Ping and Traceroute Testing:

 Ping uses ICMP echo request and echo reply messages to test connectivity between hosts.
 To test connectivity to another host on a network, an echo request is sent to the host address
using the ping command.
 If the host at the specified address receives the echo request, it responds with an echo reply. As
each echo reply is received, ping provides feedback on the time between when the request was
sent and when the reply was received.
 After all the requests are sent, the ping utility provides a summary that includes the success rate
and average round-trip time to the destination.
 Ping can be used to test the internal configuration of IPv4 or IPv6 on the local host. Ping the local
loopback address of 127.0.0.1 for IPv4 (::1 for IPv6).
 Ping can also be used to test the ability of a local host to communicate across an internetwork.
 Traceroute (tracert) generates a list of hops that were successfully reached along the path. This
list provides verification and troubleshooting information. The round-trip time is the time a
packet takes to reach the remote host and for the response from the host to return.
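The Echo Request/Reply and Time Exceeded messages from this chapter, and the way traceroute combines them, as an added Python example that is not part of the report. It builds and checksums ICMP messages, matches a reply to its request by identifier and sequence number, and models a path of two routers and a destination to show how raising the TTL one step at a time reveals each hop. The path addresses and the identifier are constructed; the IP layer is not modelled, so the Time Exceeded body here carries only the ICMP head of the probe where a real router would also include the IP header.

```python
import struct

ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(kind: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Echo Request/Reply: type, code 0, checksum, identifier, sequence number, payload."""
    head = struct.pack("!BBHHH", kind, 0, 0, ident, seq)
    csum = internet_checksum(head + payload)
    return struct.pack("!BBHHH", kind, 0, csum, ident, seq) + payload


def build_time_exceeded(original_head: bytes) -> bytes:
    """Time Exceeded (type 11, code 0: TTL reached zero in transit). The body returns the
    start of the discarded datagram so the sender can match it to its own probe."""
    head = struct.pack("!BBHI", TIME_EXCEEDED, 0, 0, 0)
    csum = internet_checksum(head + original_head)
    return struct.pack("!BBHI", TIME_EXCEEDED, 0, csum, 0) + original_head


def parse_icmp(msg: bytes) -> dict:
    kind, code, _csum = struct.unpack("!BBH", msg[:4])
    info = {"type": kind, "code": code, "checksum_ok": internet_checksum(msg) == 0}
    if kind in (ECHO_REQUEST, ECHO_REPLY):
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
        info["payload"] = msg[8:]
    elif kind == TIME_EXCEEDED:
        info["original"] = msg[8:]
    return info


def make_reply(request: bytes) -> bytes:
    """Destination host behaviour: answer a valid Echo Request with an Echo Reply carrying
    the same identifier, sequence number and payload."""
    req = parse_icmp(request)
    if req["type"] != ECHO_REQUEST or not req["checksum_ok"]:
        raise ValueError("not a valid echo request")
    return build_echo(ECHO_REPLY, req["id"], req["seq"], req["payload"])


# Constructed path: two routers followed by the destination host (sample addresses).
PATH = ["10.0.0.1", "10.0.1.1", "203.0.113.7"]


def send_probe(ttl: int, ident: int, seq: int):
    """Model of what the network returns for an echo request sent with a given TTL: every
    router decrements it, the router at which it reaches zero answers Time Exceeded, and a
    probe that passes all routers is answered by the destination with an Echo Reply."""
    request = build_echo(ECHO_REQUEST, ident, seq)
    for router in PATH[:-1]:
        ttl -= 1
        if ttl == 0:
            return router, build_time_exceeded(request[:8])
    return PATH[-1], make_reply(request)


def traceroute(max_hops: int = 30):
    """Raise the TTL one at a time until an Echo Reply comes back; returns (ttl, hop, type)."""
    hops = []
    for ttl in range(1, max_hops + 1):
        hop, msg = send_probe(ttl, ident=0x1234, seq=ttl)
        kind = parse_icmp(msg)["type"]
        hops.append((ttl, hop, kind))
        if kind == ECHO_REPLY:
            break
    return hops


if __name__ == "__main__":
    for ttl, hop, kind in traceroute():
        print(ttl, hop, "Time Exceeded" if kind == TIME_EXCEEDED else "Echo Reply")
```

Checking `checksum_ok` before trusting a reply, and matching identifier and sequence number to an outstanding request, is what lets a ping implementation ignore stray or corrupted ICMP traffic.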

CHAPTER-14 Transport Layer
Transportation of Data:

 The transport layer is the link between the application layer and the lower layers that are
responsible for network transmission. It is responsible for logical communications between
applications running on different hosts.
 The transport layer includes TCP and UDP. A transport layer protocol specifies how to transfer
messages between hosts and is responsible for managing reliability requirements of a
conversation.
 This layer is responsible for tracking conversations (sessions), segmenting data and reassembling
segments, adding header information, identifying applications, and conversation multiplexing.

TCP Overview:

 TCP is stateful, reliable, acknowledges data, resends lost data, and delivers data in sequenced
order. Use TCP for email and the web.
 TCP establishes sessions, ensures reliability, provides same-order delivery, and supports flow
control. A TCP segment adds 20 bytes of overhead as header information when encapsulating the
application layer data.
 TCP header fields are the Source and Destination Ports, Sequence Number, Acknowledgment
Number, Header Length, Reserved, Control Bits, Window Size, Checksum, and Urgent.
 Applications that use TCP are HTTP, FTP, SMTP, and Telnet.

UDP Overview:

 UDP is stateless, fast, has low overhead, does not require acknowledgments, does not resend lost
data, and delivers data in the order it arrives. Use UDP for VoIP and DNS.
 UDP reconstructs data in the order it is received, does not resend lost segments, does not
establish sessions, and does not inform the sender of resource availability.
 UDP header fields are Source and Destination Ports, Length, and Checksum.
 Applications that use UDP are DHCP, DNS, SNMP, TFTP, VoIP, and video conferencing.

Figure 16
Port Numbers:

 The TCP and UDP transport layer protocols use port numbers to manage multiple simultaneous
conversations.
 The source and destination ports are placed within the segment. The segments are then
encapsulated within an IP packet. The IP packet contains the IP address of the source and
destination.
 The combination of the source IP address and source port number, or the destination IP address
and destination port number is known as a socket. The socket is used to identify the server and
service being requested by the client.
 There is a range of port numbers from 0 through 65535. This range is divided into groups: Well-known
Ports, Registered Ports, and Private and/or Dynamic Ports. There are a few Well-Known Port numbers
that are reserved for common applications such as FTP, SSH, DNS, HTTP and others.

Figure 17

TCP Communication Process:

 Each application process running on a server is configured to use a port number.
 TCP server processes are as follows: clients sending TCP requests, requesting destination ports,
requesting source ports, responding to destination port and source port requests.
 To terminate a single conversation supported by TCP, four exchanges are needed to end both
sessions. Either the client or the server can initiate the termination.
 The three-way handshake establishes that the destination device is present on the network,
verifies that the destination device has an active service and is accepting requests on the
destination port number that the initiating client intends to use, and informs the destination device
that the source client intends to establish a communication session on that port number. The six
control bit flags are: URG, ACK, PSH, RST, SYN, and FIN.
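The TCP header fields and control bits from the overview, and the three-way handshake just described, as an added Python example that is not part of the report. It packs and parses the 20-byte header, names the flag bits that are set, and validates the sequence and acknowledgment number rules of a handshake. The port numbers and initial sequence numbers are constructed; the checksum is left at zero because computing it needs the IP pseudo-header, which the example does not model.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535) -> bytes:
    """20-byte header without options: data offset 5 words, checksum and urgent pointer 0."""
    offset_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(data: bytes) -> dict:
    sport, dport, seq, ack, offset_flags, window, csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    flags = offset_flags & 0x3F        # the six control bits are the low six bits of the field
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": (offset_flags >> 12) * 4,
        "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "window": window, "checksum": csum, "urgent": urg,
    }


def check_handshake(segments):
    """Validate a three-way handshake given its three headers in order.
    SYN carries seq=x; SYN+ACK comes back from the requested port with ack=x+1 and seq=y;
    the final ACK carries seq=x+1 and ack=y+1. Returns (ok, reason)."""
    if len(segments) != 3:
        return False, "expected exactly three segments"
    s1, s2, s3 = (parse_tcp_header(s) for s in segments)
    if s1["flags"] != ["SYN"]:
        return False, "first segment must carry only SYN"
    if sorted(s2["flags"]) != ["ACK", "SYN"]:
        return False, "second segment must carry SYN and ACK"
    if (s2["src_port"], s2["dst_port"]) != (s1["dst_port"], s1["src_port"]):
        return False, "second segment must come back from the requested port"
    if s2["ack"] != (s1["seq"] + 1) & 0xFFFFFFFF:
        return False, "SYN-ACK does not acknowledge the client's ISN"
    if "ACK" not in s3["flags"] or "SYN" in s3["flags"]:
        return False, "third segment must be an ACK without SYN"
    if s3["seq"] != (s1["seq"] + 1) & 0xFFFFFFFF or s3["ack"] != (s2["seq"] + 1) & 0xFFFFFFFF:
        return False, "final ACK does not acknowledge the server's ISN"
    return True, "established"


def sample_handshake(client_isn=1000, server_isn=5000, bad_ack=False):
    """Constructed exchange between a client on port 49152 and a web server on port 80;
    bad_ack=True produces a final ACK with the wrong acknowledgment number."""
    syn = build_tcp_header(49152, 80, client_isn, 0, SYN)
    syn_ack = build_tcp_header(80, 49152, server_isn, client_isn + 1, SYN | ACK)
    ack = build_tcp_header(49152, 80, client_isn + 1, server_isn + (2 if bad_ack else 1), ACK)
    return [syn, syn_ack, ack]


if __name__ == "__main__":
    for seg in sample_handshake():
        h = parse_tcp_header(seg)
        print(h["src_port"], "->", h["dst_port"], h["flags"], "seq", h["seq"], "ack", h["ack"])
    print(check_handshake(sample_handshake()))
```

A session is only counted as established once all three checks pass; a SYN answered by RST, or an ACK that does not acknowledge the server's ISN, is rejected with a reason that names the failing step.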

Reliability and Flow Control:

 For the original message to be understood by the recipient, all the data must be received and the
data in these segments must be reassembled into the original order. Sequence numbers are
assigned in the header of each packet.
 TCP provides ways to manage segment losses. During the three-way handshake, if both hosts
support SACK, the receiver can explicitly acknowledge which segments (bytes) were received
including any discontinuous segments. The sending host would therefore only need to retransmit
the missing data.
 Flow control helps maintain the reliability of TCP transmission by adjusting the rate of data flow
between source and destination. To accomplish this, the TCP header includes a 16-bit field called
the window size.
 The process of the destination sending acknowledgments as it processes bytes received and the
continual adjustment of the source’s send window is known as sliding windows. A source might
be transmitting 1,460 bytes of data within each TCP segment.

UDP Communication:

 UDP is a simple protocol that provides the basic transport layer functions. When UDP datagrams
are sent to a destination, they often take different paths and arrive in the wrong order. UDP does
not track sequence numbers the way TCP does.
 UDP simply reassembles the data in the order that it was received and forwards it to the
application. If the data sequence is important to the application, the application must identify the
proper sequence and determine how the data should be processed.
 UDP-based server applications are assigned well-known or registered port numbers. The UDP
client process dynamically selects a port number from the range of port numbers and uses this as
the source port for the conversation.
 After a client has selected the source and destination ports, the same pair of ports is used in the
header of all datagrams used in the transaction. For the data returning to the client from the
server, the source and destination port numbers in the datagram header are reversed.

CHAPTER-15 Application Layer
Application, Presentation and Session:

 Application layer protocols are used to exchange data between programs running on the source
and destination hosts.
 The presentation layer has three primary functions: formatting, or presenting, data at the source
device into a compatible form for receipt by the destination device, compressing data in a way
that can be decompressed by the destination device, and encrypting data for transmission and
decrypting data upon receipt.
 The session layer creates and maintains dialogs between source and destination applications. The
session layer handles the exchange of information to initiate dialogs, keep them active, and to
restart sessions that are disrupted or idle for a long period of time.

Figure 17
 TCP/IP application layer protocols specify the format and control information necessary for many
common internet communication functions. The protocols implemented on both the source and
destination host must be compatible.

Peer-to-Peer:

 In the client/server model, the client begins the exchange by requesting data from the server,
which responds by sending one or more streams of data to the client.
 In a P2P network, two or more computers are connected via a network and can share resources
without having a dedicated server. Every peer can function as both a server and a client.
 P2P applications require that each end device provide a user interface and run a background
service. Many P2P applications allow users to share pieces of files with each other at the same
time. Clients use a small file called a torrent file to locate other users who have pieces that they
need so that they can connect directly to them.

Web and Email Protocols:

 When a web address or URL is typed into a web browser, the web browser establishes a connection to the
web service. The web service is running on the server that is using the HTTP protocol, which is a
request/response protocol.
 When a client, typically a web browser, sends a request to a web server, HTTP specifies the message types
used for that communication. The three common message types are GET, POST, and PUT.
 For secure communication across the internet, HTTPS uses the same client request-server response process
as HTTP, but the data stream is encrypted with SSL before being transported across the network.
 Email supports three separate protocols for operation: SMTP, POP, and IMAP. The application layer
process that sends mail uses SMTP. A client retrieves email using POP or IMAP.

IP Addressing Services:

 The DNS protocol communications use a message format for all types of client queries and
server responses, error messages, and the transfer of resource record information between
servers.
 DNS uses domain names to form a hierarchy. Each DNS server maintains a specific database file
and is only responsible for managing name-to-IP mappings for that small portion of the entire
DNS structure.

 DHCP for IPv4 service automates the assignment of IPv4 addresses, subnet masks, gateways, and
other IPv4 networking parameters. DHCPv6 provides similar services for IPv6 clients, except
that it does not provide a default gateway address.
 DHCPv4 messages include DHCPDISCOVER, DHCPOFFER. The DHCPv6 messages are
SOLICIT, ADVERTISE, INFORMATION REQUEST, and REPLY.

File Sharing Services:

 An FTP client is an application which runs on a computer that is being used to push and pull data
from an FTP server. The client establishes the first connection to the server for control traffic
using TCP port 21. The client establishes the second connection to the server for the actual data
transfer using TCP port 20.

CHAPTER-16 Network Security Fundamentals
Security Threats and Vulnerabilities:

 Attacks on a network can be devastating and can result in a loss of time and money due to
damage or theft of important information or assets.
 Intruders who gain access by modifying software or exploiting software vulnerabilities are threat
actors. After the threat actor gains access to the network, four types of threats may arise:
information theft, data loss and manipulation, identity theft, and disruption of service.
 There are three primary vulnerabilities or weaknesses: technological, configuration, and security
policy. The four classes of physical threats are: hardware, environmental, electrical and
maintenance.

Network Attacks:

 Malware (malicious software) is code or software specifically designed to damage, disrupt, steal,
or inflict “bad” or illegitimate action on data, hosts, or networks.
 Viruses, worms, and Trojan horses are types of malware. Network attacks can be classified
into three major categories: reconnaissance, access, and denial of service.
 The four classes of physical threats are: hardware, environmental, electrical, and maintenance.
 The three types of reconnaissance attacks are: internet queries, ping sweeps, and port scans. The
four types of access attacks are: password (brute-force, Trojan horse, packet sniffers), trust
exploitation, port redirection, and man-in-the-middle. The two types of disruption of service
attacks are: DoS and DDoS.

Network Attack Mitigation:

 To mitigate network attacks, one must first secure devices including routers, switches,
servers, and hosts.
 Several security devices and services are implemented to protect an organization’s users and
assets against TCP/IP threats: VPN, ASA firewall, IPS, ESA/WSA, and AAA server.
 AAA is a way to control who is permitted to access a network (authenticate), what they can do
while they are there (authorize), and what actions they perform while accessing the network
(accounting).
 Securing endpoint devices is critical to network security. A company must have well-documented
policies in place, which may include the use of antivirus software and host intrusion prevention.

Device Security:

 The security settings are set to the default values when a new OS is installed on a device. This
level of security is inadequate.
 For most OSs, default usernames and passwords should be changed immediately, and any
unnecessary services and applications should be turned off and uninstalled when possible. To
protect network devices, it is important to use strong passwords.
 For routers and switches, encrypt all plaintext passwords, set a minimum acceptable password
length, deter brute-force password guessing attacks, and disable inactive privileged EXEC
mode access after a specified amount of time.

CHAPTER-17 Build a Small Network
Devices in a Small Network:

 Small networks typically have a single WAN connection provided by DSL, cable, or an
Ethernet connection. Small networks are managed by a local IT technician or by a contracted
professional.
 Factors to consider when selecting network devices for a small network are cost, speed and
types of ports/interfaces, expandability, and OS features and services.
 When implementing a network, create an IP addressing scheme and use it on end devices,
servers and peripherals, and intermediary devices.

 The routers and switches in a small network should be configured to support real-time traffic,
such as voice and video, in an appropriate manner relative to other data traffic. A good network
design will implement quality of service (QoS) to classify traffic carefully according to priority.

Small Network Applications and Protocols:

 There are two forms of software programs or processes that provide access to the network:
network applications and application layer services.
 Some end-user applications implement application layer protocols and are able to communicate
directly with the lower layers of the protocol stack.
 Other programs may need the assistance of application layer services to use network resources
like file transfer or network print spooling. These are the programs that interface with the
network and prepare the data for transfer.
 The two most common remote access solutions are Telnet and Secure Shell (SSH). SSH service is
a secure alternative to Telnet. Network administrators must also support common network
servers and their required related network protocols.

Scale to Larger Networks:

 To scale a network, several elements are required: network documentation, device inventory,
budget, and traffic analysis.
 Know the type of traffic that is crossing the network as well as the current traffic flow.
 Capture traffic during peak utilization times to get a good representation of the different traffic
types and perform the capture on different network segments and devices as some traffic will be
local to a particular segment.

Verify Connectivity:

 The ping command is the most effective way to quickly test Layer 3 connectivity between a
source and destination IP address. The command also displays various round-trip time statistics.
 Trace route can help locate Layer 3 problem areas in a network. A trace returns a list of hops as a
packet is routed through a network. It is used to identify the point along the path where the
problem can be found.
 The output derived from network commands contributes data to the network baseline. One
method for starting a baseline is to copy and paste the results from an executed ping, trace, or
other relevant commands into a text file. These text files can be time stamped with the date and
saved into an archive for later retrieval and comparison.

Host and IOS Command:

 IP Configuration on a Windows Host:


• ipconfig - view the IP addressing information.
• ipconfig /all - view the MAC address and further details regarding the Layer 3 addressing
of the device.
• ipconfig /release and ipconfig /renew - release and renew the IP address configuration.
• ipconfig /displaydns - display all cached DNS entries.

 IP Configuration on a Linux Host:

• ifconfig - display the status of currently active interfaces and their IP configurations.
• ip address - display addresses and their properties.
 IP Configuration on a macOS Host:
• ifconfig - verify the interface IP configuration.
• networksetup -listallnetworkservices - verify the host IP settings.
 The arp command is executed from the Windows, Linux, or Mac command prompt. The
command lists all devices currently in the ARP cache of the host.
 The arp -a command displays the known IP address and MAC address bindings.
 Common show commands are show running-config, show interfaces, show ip address, show
arp, show ip route, show protocols, and show version.

Troubleshooting Methodologies:

 Step 1: Identify the problem.
 Step 2: Establish a theory of probable causes.
 Step 3: Test the theory to determine the cause.
 Step 4: Establish a plan of action and implement the solution.
 Step 5: Verify the solution and implement preventive measures.
 Step 6: Document findings, actions, and outcomes.

Troubleshooting Scenarios:

 There are two duplex communication modes: half-duplex and full-duplex. If one of the two
connected devices is operating in full-duplex and the other is operating in half-duplex, a duplex
mismatch occurs.
 Wrongly assigned IP addresses create a variety of issues, including IP address conflicts and
routing problems. Two common causes of incorrect IPv4 assignment are manual assignment
mistakes or DHCP-related issues.
 Most end devices are configured to rely on a DHCP server for automatic IPv4 address
assignment. The default gateway for an end device is the closest networking device that can
forward traffic to other networks.
 Because the default gateway is the path to remote networks, its address must belong to the same
network as the end device. DNS failures often lead the user to conclude that the network is down.

MODULE-2 SWITCHING, ROUTING AND WIRELESS ESSENTIALS

CHAPTER-1 Basic Device Configuration
Configure a Switch with Initial Settings:

 After a Cisco switch is powered on, it goes through a five step boot sequence.
• Step 1: First, the switch loads a power-on self-test (POST) program stored in ROM.
POST checks the CPU subsystem. It tests the CPU, DRAM, and the portion of the flash
device that makes up the flash file system.
• Step 2: Next, the switch loads the boot loader software. The boot loader is a small
program stored in ROM that is run immediately after POST successfully completes.
• Step 3: The boot loader performs low-level CPU initialization. It initializes the CPU
registers, which control where physical memory is mapped, the quantity of memory, and
its speed.
• Step 4: The boot loader initializes the flash file system on the system board.
• Step 5: Finally, the boot loader locates and loads a default IOS operating system
software image into memory and gives control of the switch over to the IOS.

Configure Switch Ports:

 Full-duplex communication increases bandwidth efficiency by allowing both ends of a connection to
transmit and receive data simultaneously. This is also known as bidirectional communication and it
requires microsegmentation.
 Half-duplex communication creates performance issues because data can flow in only one direction
at a time, often resulting in collisions.
 Unlike full-duplex communication, half-duplex communication is unidirectional.

Figure 20
Secure Remote Access:

 Secure Shell (SSH) is a secure protocol that uses TCP port 22. It provides a secure (encrypted)
management connection to a remote device. SSH should replace Telnet for management
connections.
 To enable SSH on a Catalyst 2960 switch, the switch must be using a version of the IOS software
including cryptographic (encrypted) features and capabilities.
 Use the show version command on the switch to see which IOS the switch is currently running.

Basic Router Configuration:

 The dual stack topology in the figure is used to demonstrate the configuration of router IPv4 and
IPv6 interfaces.

Figure 21

 The loopback interface is a logical interface that is internal to the router. It is not assigned to a
physical port and can never be connected to any other device. It is considered a software
interface that is automatically placed in an “up” state, as long as the router is functioning.

Verify Directly Connected Network:

 The output of the show ip interface brief and show ipv6 interface brief commands can be used to
quickly reveal the status of all interfaces on the router.
 The output of the show ipv6 interface brief command displays two configured IPv6 addresses per
interface. One address is the IPv6 global unicast address that was manually entered.

CHAPTER-2 Switching Concepts
Frame Forwarding:

 The concept of switching and forwarding frames is universal in networking and
telecommunications. Various types of switches are used in LANs, WANs, and in the public
switched telephone network (PSTN).
 There are two terms associated with frames entering and leaving an interface:
• Ingress - This is used to describe the port where a frame enters the device.
• Egress - This is used to describe the port that frames will use when leaving the device.
 The store-and-forward switching methods drop frames that do not pass the FCS check.
Therefore, it does not forward invalid frames.

Switching Domains:

 In legacy hub-based Ethernet segments, network devices competed for the shared medium. The
network segments that share the same bandwidth between devices are known as collision
domains.
 There are no collision domains when switch ports are operating in full-duplex. However, there
could be a collision domain if a switch port is operating in half-duplex.
 A collection of interconnected switches forms a single broadcast domain. Only a network layer
device, such as a router, can divide a Layer 2 broadcast domain. Routers are used to segment
broadcast domains, but will also segment a collision domain.

CHAPTER-3 VLANs
Overview of VLANs:

 Virtual LANs (VLANs) provide segmentation and organizational flexibility in a switched
network. A group of devices within a VLAN communicate as if each device was attached to the
same cable.
 VLANs allow an administrator to segment networks based on factors such as function, team, or
application, without regard for the physical location of the users or devices.
 Each VLAN in a switched network corresponds to an IP network. Therefore, VLAN design must
take into consideration the implementation of a hierarchical network-addressing scheme.
 VLANs reduce the need for expensive network upgrades and use the existing bandwidth and
uplinks more efficiently, resulting in cost savings.

VLANs in a Multi-Switched Environment:

 A trunk is a point-to-point link between two network devices that carries more than one VLAN.
A VLAN trunk extends VLANs across an entire network.

Figure 22

 When VLANs are implemented on a switch, the transmission of unicast, multicast, and
broadcast traffic from a host in a particular VLAN are restricted to the devices that are in that
VLAN.
 One VLAN is for voice traffic and the other is a data VLAN to support the host traffic. The link
between the switch and the IP phone simulates a trunk link to carry both voice VLAN traffic and
data VLAN traffic.
VLAN Configuration:

 The number of supported VLANs is large enough to accommodate the needs of most
organizations. For example, the Catalyst 2960 and 3650 Series switches support over 4,000
VLANs.
 Flash memory is persistent and does not require the copy running-config startup-config
command.
 The switchport mode access command is optional, but strongly recommended as a security
best practice.
 An access port can belong to only one data VLAN at a time. However, a port can also be
associated to a voice VLAN.

VLAN Trunks:

 A VLAN trunk is a Layer 2 link between two switches that carries traffic for all VLANs
unless the allowed VLAN list is restricted manually or dynamically.
 The switch output displays the configuration of switch port F0/1 on switch S1. The
configuration is verified with the show interfaces interface-ID switchport command.
 Use the no switchport trunk allowed vlan and the no switchport trunk native vlan
commands to remove the allowed VLANs and reset the native VLAN of the trunk.
 The show interfaces f0/1 switchport command reveals that the F0/1 interface is now in
static access mode.

Dynamic Trunking Protocol:

 Some Cisco switches have a proprietary protocol that lets them automatically negotiate trunking
with a neighboring device. This protocol is called Dynamic Trunking Protocol (DTP).
 DTP is a Cisco proprietary protocol that is automatically enabled on Catalyst 2960 and Catalyst
3650 Series switches. DTP manages trunk negotiation only if the port on the neighbor switch is
configured in a trunk mode that supports DTP. Switches from other vendors do not support DTP.
 To enable trunking from a Cisco switch to a device that does not support DTP, use the
switchport mode trunk and switchport nonegotiate interface configuration mode commands.
This causes the interface to become a trunk, but it will not generate DTP frames.
 Use the switchport nonegotiate interface configuration command to stop DTP negotiation.
The switch does not engage in DTP negotiation on this interface. One can use this command
only when the interface switchport mode is access or trunk.

Figure 23

CHAPTER-4 Inter VLAN Routing
Inter-VLAN Routing Operation:

 Inter-VLAN routing using the router-on-a-stick method is simple to implement for a small
to medium-sized organization.
 Inter-VLAN routing is the process of forwarding network traffic from one VLAN to another
VLAN.


Figure 23
 Legacy inter-VLAN routing using physical interfaces works, but it has a significant limitation.
It is not reasonably scalable because routers have a limited number of physical interfaces.

Router-on-a-Stick Inter-VLAN Routing:

 To enable devices to ping each other, the switches must be configured with VLANs and
trunking, and the router must be configured for inter-VLAN routing.
 The following steps are to be completed to configure S1 with VLANs and trunking:
• Step 1: Create and name the VLANs.
• Step 2: Create the management interface.
• Step 3: Configure access ports.
• Step 4: Configure trunking ports.
 The router-on-a-stick configuration is complete after the switch trunk and the router sub
interfaces have been configured. The configuration can be verified from the hosts, router, and
switch.

Inter-VLAN Routing using Layer 3 Switches:

 Inter-VLAN routing using the router-on-a-stick method is simple to implement for a small to
medium-sized organization. However, a large enterprise requires a faster, much more scalable
method to provide inter-VLAN routing.
 To provide Inter-VLAN routing, Layer 3 switches use SVIs. SVIs are configured using the same
interface vlan vlan-id used to create the management SVI on a Layer 2 switch. A Layer 3 SVI
must be created for each of the routable VLANs.

Figure 24
 A routed port is created on a Layer 3 switch by disabling the switchport feature on a Layer 2
port that is connected to another Layer 3 device.
 Specifically, configuring the no switchport interface configuration command on a Layer 2 port
converts it into a Layer 3 interface.

Troubleshoot Inter-VLAN Routing:

 There are a number of reasons why an inter-VLAN configuration may not work. All are related to
connectivity issues. First, check the physical layer to resolve any issues where a cable might be
connected to the wrong port.
 An inter-VLAN connectivity issue could be caused by a missing VLAN. The VLAN could be
missing if it was not created, it was accidentally deleted, or it is not allowed on the trunk link.
 Use the show interface interface-id switchport command to verify the VLAN membership.
 Another issue for inter-VLAN routing includes misconfigured switch ports. In a legacy inter-
VLAN solution, this could be caused when the connecting router port is not assigned to the
correct VLAN.

CHAPTER-5 STP Concepts
Purpose of STP:

 Spanning Tree Protocol (STP) is a loop-prevention network protocol that allows for redundancy while
creating a loop-free Layer 2 topology. IEEE 802.1D is the original IEEE MAC Bridging standard for STP.
 Broadcast storms can disable a network within seconds by overwhelming switches and end devices .

Figure 26

 STP was developed specifically as a loop prevention mechanism for Layer 2 Ethernet.
 Broadcast frames are not the only type of frames that are affected by loops.
 A broadcast storm is an abnormally high number of broadcasts overwhelming the network during a
specific amount of time.
 STP prevents loops from occurring by configuring a loop-free path through the network using strategically
placed "blocking- state" ports.

STP operations:

 STP builds a loop-free topology in a four-step process:
• Elect the root bridge.
• Elect the root ports.
• Elect designated ports.
• Elect alternate (blocked) ports.
 BPDUs are used to elect the Root Bridge, root ports, designated ports, and alternate ports. Each BPDU
contains a bridge ID (BID) that identifies which switch sent the BPDU. The BID is involved in making
many of the STA decisions including root bridge and port roles.

Evolution of STP:

 The latest standard for spanning tree is contained in IEEE 802.1D-2004, the IEEE standard for Local and
metropolitan area networks: Media Access Control (MAC) Bridges.
 Cisco switches running IOS 15.0 or later run PVST+ by default. This version incorporates many of the
specifications of IEEE 802.1D-2004, such as alternate ports in place of the former non-designated ports.
 RSTP increases the speed of the recalculation of the spanning tree when the Layer 2 network topology
changes. RSTP can achieve much faster convergence in a properly configured network, sometimes in as
little as a few hundred milliseconds.

CHAPTER-6 EtherChannel
EtherChannel Operation:

 EtherChannel is a link aggregation technology that groups multiple physical Ethernet links
together into one single logical link. It is used to provide fault-tolerance, load sharing, increased
bandwidth, and redundancy between switches, routers, and servers.
 EtherChannel technology makes it possible to combine the number of physical links between
the switches to increase the overall speed of switch-to-switch communication.
 EtherChannel technology was originally developed by Cisco as a LAN switch-to-switch
technique of grouping several Fast Ethernet or Gigabit Ethernet ports into one logical channel.
 PAgP helps create the EtherChannel link by detecting the configuration of each side and
ensuring that links are compatible so that the EtherChannel link can be enabled when needed.

Figure 27

Configure EtherChannel:

 EtherChannel is disabled by default and must be configured. The topology in the figure will
be used to demonstrate an EtherChannel configuration example using LACP.
 Configuring EtherChannel with LACP requires the following three steps:
• Step 1: Specify the interfaces that compose the EtherChannel group using the interface
range interface global configuration mode command. The range keyword allows you to
select several interfaces and configure them all together.
• Step 2: Create the port channel interface with the channel-group identifier mode active
command in interface range configuration mode. The identifier specifies a channel group
number. The mode active keywords identify this as an LACP EtherChannel
configuration.
• Step 3: To change Layer 2 settings on the port channel interface, enter port channel
interface configuration mode using the interface port-channel command, followed by
the interface identifier. In the example, S1 is configured with an LACP EtherChannel.
The port channel is configured as a trunk interface with the allowed VLANs specified.

Verify and Troubleshoot EtherChannel:

 The show interfaces port-channel command displays the general status of the port channel
interface.
 All interfaces within an EtherChannel must have the same configuration of speed and duplex
mode, native and allowed VLANs on trunks, and access VLAN on access ports.

CHAPTER-7 DHCPv4
DHCPv4 Concepts:

 Dynamic Host Configuration Protocol v4 (DHCPv4) assigns IPv4 addresses and other
network configuration information dynamically.
 DHCPv4 is an extremely useful and timesaving tool for network administrators.
 The DHCPv4 server dynamically assigns, or leases, an IPv4 address from a pool of
addresses for a limited period of time chosen by the server, or until the client no longer
needs the address.

Configure a CISCO IOS DHCPv4 Server:

 The Cisco IOS DHCPv4 server assigns and manages IPv4 addresses from specified
address pools within the router to DHCPv4 clients.
 The following steps are used to configure a Cisco IOS DHCPv4 server:
• Step 1: Exclude IPv4 addresses.
• Step 2: Define a DHCPv4 pool name.
• Step 3: Configure the DHCPv4 pool.
 The DHCPv4 service is enabled by default. To disable the service, use the no service dhcp
global configuration mode command.

Configure a DHCPv4 Client:

 To configure an Ethernet interface as a DHCP client, use the ip address dhcp
interface configuration mode command.
 The show ip interface g0/0/1 command confirms that the interface is up and that the
address was allocated by a DHCPv4 server.

CHAPTER-8 SLAAC and DHCPv6
IPv6 GUA Assignment:

 An IPv6 router that is on the same link as the host sends out RA messages that suggest to the hosts how to
obtain their IPv6 addressing information.
 On a router, an IPv6 global unicast address (GUA) is manually configured using the ipv6 address ipv6-
address/prefix-length interface configuration command.
 The IPv6 link-local address is automatically created by the host when it boots and the Ethernet interface is
active. The example ipconfig output shows an automatically generated link-local address on an interface.
 All stateless and stateful methods in this module use ICMPv6 RA messages to suggest to the host how to
create or acquire its IPv6 configuration.

SLAAC:

 SLAAC uses ICMPv6 RA messages to provide addressing and other configuration information that
would normally be provided by a DHCP server.
 SLAAC is a stateless service. This means there is no server that maintains network address
information to know which IPv6 addresses are being used and which ones are available.
 The SLAAC only method is enabled by default when the ipv6 unicast-routing command is
configured.

DHCPv6:

 Server to client DHCPv6 messages use UDP destination port 546 while client to server DHCPv6 messages
use UDP destination port 547.
 The steps for DHCPv6 operations are as follows:
• The host sends an RS message.
• The router responds with an RA message. The host sends a DHCPv6 SOLICIT
message.
• The DHCPv6 server responds with an ADVERTISE message.

Configure DHCPv6 Server:

 The stateless DHCPv6 server option requires that the router advertise the IPv6 network
addressing information in RA messages.
 There are five steps to configure and verify a router as a stateless DHCPv6 server:
• Step 1: Enable IPv6 routing.
• Step 2: Define a DHCPv6 pool name.
• Step 3: Configure the DHCPv6 pool.
• Step 4: Bind the DHCPv6 pool to an interface.
• Step 5: Verify that the hosts have received IPv6 addressing information.

CHAPTER-9 FHRP Concepts
First HOP Redundancy Protocol:

 A mechanism is needed to provide alternate default gateways in switched networks
where two or more routers are connected to the same VLANs. That mechanism is
provided by first hop redundancy protocols (FHRPs).
 End devices are typically configured with a single IPv4 address for a default gateway.

Figure 31

 This address does not change when the network topology changes. If that default
gateway IPv4 address cannot be reached, the local device is unable to send packets off
the local network segment, effectively disconnecting it from other networks.

HSRP:

 HSRP is a Cisco-proprietary FHRP that is designed to allow for transparent failover of a
first-hop IP device.
 HSRP ensures high network availability by providing first-hop routing redundancy for
IP hosts on networks configured with an IP default gateway address. HSRP is used in a
group of routers for selecting an active device and a standby device.
 HSRP priority can be used to determine the active router. The router with the highest
HSRP priority will become the active router. By default, the HSRP priority is 100. If the
priorities are equal, the router with the numerically highest IPv4 address is elected as the
active router.
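The HSRP election rule above (highest priority wins, ties broken by the numerically highest IPv4 address), as an added Python example that is not part of the original report. The router names, addresses and priorities are constructed; the 100 default and the tie-break rule come from the text.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, Optional


@dataclass(frozen=True)
class HsrpRouter:
    """One member of an HSRP group: its interface IPv4 address and configured priority."""
    name: str
    ip: IPv4Address
    priority: int = 100  # HSRP default priority


def elect_active(routers: Iterable[HsrpRouter]) -> HsrpRouter:
    """Highest priority becomes active; on equal priority the highest IPv4 address wins."""
    group = list(routers)
    if not group:
        raise ValueError("HSRP group has no members")
    # Compare (priority, address) as a tuple so the address only matters on a priority tie.
    return max(group, key=lambda r: (r.priority, int(r.ip)))


def elect_standby(routers: Iterable[HsrpRouter]) -> Optional[HsrpRouter]:
    """The standby router is elected the same way among the routers that are not active."""
    group = list(routers)
    active = elect_active(group)
    remaining = [r for r in group if r != active]
    return elect_active(remaining) if remaining else None


# Constructed group (not from the report): every router left at the default priority,
# so the address decides, which is rarely what the designer wants.
DEFAULT_GROUP = (
    HsrpRouter("R1", IPv4Address("192.168.1.2")),
    HsrpRouter("R2", IPv4Address("192.168.1.3")),
    HsrpRouter("R3", IPv4Address("192.168.1.4")),
)

# Same routers, but R1 has been given a higher priority so the active role is deterministic.
TUNED_GROUP = (
    HsrpRouter("R1", IPv4Address("192.168.1.2"), priority=150),
    HsrpRouter("R2", IPv4Address("192.168.1.3")),
    HsrpRouter("R3", IPv4Address("192.168.1.4")),
)

if __name__ == "__main__":
    for label, group in (("defaults", DEFAULT_GROUP), ("tuned", TUNED_GROUP)):
        standby = elect_standby(group)
        print(f"{label}: active={elect_active(group).name} standby={standby.name if standby else None}")
```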

CHAPTER-10 LAN Security Concepts
End Point Security:

 Various network security devices are required to protect the network perimeter from outside
access. These devices could include a Virtual Private Network (VPN) enabled router, a next-
generation firewall (NGFW), and a network access control (NAC) device.
 A VPN-enabled router provides a secure connection to remote users across a public network and
into the enterprise network. VPN services can be integrated into the firewall.
 Endpoints are hosts which commonly consist of laptops, desktops, servers, and IP phones, as
well as employee-owned devices that are typically referred to as bring your own devices
(BYODs).

Access Control:

 AAA stands for Authentication, Authorization, and Accounting.


 AAA provides the primary framework to set up access control on a network device. AAA is a
way to control who is permitted to access a network (authenticate), what they can do while they
are there (authorize), and to audit what actions they performed while accessing the network
(accounting).

Layer 2 Security Threats:

 Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that
weak link. This is because LANs were traditionally under the administrative control of a single
organization.
 These Layer 2 solutions will not be effective if the management protocols are not secured. For
example, the management protocols Syslog, Simple Network Management Protocol (SNMP),
Trivial File Transfer Protocol (TFTP), Telnet, File Transfer Protocol (FTP) and most other
common protocols are insecure.

Figure 32

MAC Address and Table Attacks:

 All MAC tables have a fixed size and consequently, a switch can run out of resources in which
to store MAC addresses. MAC address flooding attacks take advantage of this limitation by
bombarding the switch with fake source MAC addresses until the switch MAC address table is
full.
 If the threat actor stops macof from running or is discovered and stopped, the switch eventually
ages out the older MAC address entries from the table and begins to act like a switch again.
 A tool such as macof can flood a switch with up to 8,000 bogus frames per second, creating a
MAC address table overflow attack in a matter of a few seconds.

LAN Attacks:

 A VLAN hopping attack enables traffic from one VLAN to be seen by another VLAN without
the aid of a router.
 In a basic VLAN hopping attack, the threat actor configures a host to act like a switch to take
advantage of the automatic trunking port feature enabled by default on most switch ports.
 DHCP servers dynamically provide IP configuration information including IP address, subnet
mask, default gateway, DNS servers, and more to clients.

CHAPTER-11 Switch Security Configuration
Implement Port Security:

 All switch ports (interfaces) should be secured before the switch is deployed for production use.
 To configure a range of ports, use the interface range command.
 Switch(config)# interface range type module/first-number–last-number.
 Port security limits the number of valid MAC addresses allowed on a port. It allows an administrator to
manually configure MAC addresses for a port or to permit the switch to dynamically learn a limited
number of MAC addresses.
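The MAC address table overflow described in Chapter 10 and the port security limit described here, as an added Python model that is not part of the original report. A toy CAM table with a fixed capacity first sees two legitimate hosts, then a flood of bogus source MACs on one port, then a new host; without a per-port limit the table fills and the new host's traffic is flooded out every port, while with a limit of two MACs per port the flooding port is error-disabled and the new host is learned normally. Host MACs, port numbers and the 8192-entry capacity are constructed values.

```python
from collections import Counter, OrderedDict
from typing import Optional


class SwitchMacTable:
    """Toy CAM table: fixed capacity, optional per-port MAC limit (port security)."""

    def __init__(self, capacity: int, port_max: Optional[int] = None):
        self.capacity = capacity
        self.port_max = port_max              # None means port security is off
        self.table = OrderedDict()            # mac -> port, in learning order
        self.per_port = Counter()             # MACs learned per port
        self.err_disabled = set()             # ports shut down after a violation
        self.violations = []

    def learn(self, src_mac: str, port: int) -> bool:
        """Learn the source MAC of a frame arriving on port; False if nothing was learned."""
        if port in self.err_disabled:
            return False                      # frames on an err-disabled port are dropped
        if src_mac in self.table:
            self.table.move_to_end(src_mac)   # refresh the entry's aging position
            return True
        if self.port_max is not None and self.per_port[port] >= self.port_max:
            # Port-security violation in shutdown mode: the port is error-disabled.
            self.violations.append((port, src_mac))
            self.err_disabled.add(port)
            return False
        if len(self.table) >= self.capacity:
            return False                      # table full: no new hosts can be learned
        self.table[src_mac] = port
        self.per_port[port] += 1
        return True

    def egress(self, dst_mac: str) -> Optional[int]:
        """Port a unicast frame is sent to; None means it is flooded out every port."""
        return self.table.get(dst_mac)


def fake_mac(i: int) -> str:
    """Locally administered (02:...) address so the constructed values cannot clash with real OUIs."""
    return "02:00:00:{:02x}:{:02x}:{:02x}".format((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)


H1, H2, H3 = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"  # constructed


def simulate(port_security: bool, capacity: int = 8192, attack_frames: int = 10000) -> dict:
    """H1 (port 1) and H2 (port 2) are learned, port 3 floods bogus source MACs,
    then H3 sends its first frame on port 4."""
    cam = SwitchMacTable(capacity, port_max=2 if port_security else None)
    cam.learn(H1, 1)
    cam.learn(H2, 2)
    for i in range(attack_frames):
        cam.learn(fake_mac(i), 3)             # macof-style flood of bogus source addresses
    cam.learn(H3, 4)
    return {
        "table_size": len(cam.table),
        "err_disabled": sorted(cam.err_disabled),
        "violations": len(cam.violations),
        "h3_egress": cam.egress(H3),          # None: traffic to H3 is flooded, attacker sees it
    }


if __name__ == "__main__":
    print("no port security:", simulate(False))
    print("port security max 2:", simulate(True))
```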

Mitigate VLAN Attacks:

 The following steps are to be used to mitigate VLAN hopping attacks:
• Step 1: Disable DTP (auto trunking) negotiations on non-trunking ports by using the
switchport mode access interface configuration command.
• Step 2: Disable unused ports and put them in an unused VLAN.
• Step 3: Manually enable the trunk link on a trunking port by using the switchport mode
trunk command.
• Step 4: Disable DTP (auto trunking) negotiations on trunking ports by using the
switchport nonegotiate command.
• Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the switchport trunk
native vlan vlan_number command.

Mitigate DHCP Attacks:

 The following steps are to be used to enable DHCP snooping:
• Step 1: Enable DHCP snooping by using the ip dhcp snooping global configuration
command.
• Step 2: On trusted ports, use the ip dhcp snooping trust interface configuration
command.
• Step 3: Limit the number of DHCP discovery messages that can be received per second on
untrusted ports by using the ip dhcp snooping limit rate interface configuration command.
• Step 4: Enable DHCP snooping by VLAN, or by a range of VLANs, by using the ip dhcp
snooping vlan global configuration command.
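The hardening steps from Device Security in Chapter 16 (encrypt plaintext passwords, minimum password length, brute-force deterrent, EXEC timeout), the VLAN hopping mitigation steps, and the DHCP snooping steps above, checked together by an added Python audit of a switch running-config. This is example code, not part of the report or of Cisco IOS; the running-config excerpt is constructed, with Fa0/3 and Fa0/4 deliberately left partly at defaults so the audit has something to report.

```python
from typing import Dict, List, Tuple

# Constructed running-config excerpt (not from the report).
SAMPLE_CONFIG = """\
hostname S1
service password-encryption
security passwords min-length 10
login block-for 120 attempts 3 within 60
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
 ip dhcp snooping trust
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 6
!
interface FastEthernet0/3
 switchport mode trunk
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 20
!
line vty 0 4
 exec-timeout 5 0
 transport input ssh
!
"""


def parse_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS text into global lines and {"interface X" / "line vty ...": [sub-commands]}."""
    global_lines: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None                      # "!" ends a configuration section
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
            continue
        if line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def _has(lines: List[str], prefix: str) -> bool:
    """True if a line is exactly prefix or starts with prefix followed by an argument."""
    return any(l == prefix or l.startswith(prefix + " ") for l in lines)


def audit(config: str) -> List[str]:
    """One finding per hardening step that the config does not satisfy."""
    g, sections = parse_sections(config)
    findings: List[str] = []
    if not _has(g, "service password-encryption"):
        findings.append("global: plaintext passwords are not encrypted")
    if not _has(g, "security passwords min-length"):
        findings.append("global: no minimum password length")
    if not _has(g, "login block-for"):
        findings.append("global: no login block-for (brute-force guessing not deterred)")
    snooping = "ip dhcp snooping" in g             # exact match: the global enable
    if not snooping:
        findings.append("global: DHCP snooping not enabled")
    if not _has(g, "ip dhcp snooping vlan"):
        findings.append("global: DHCP snooping not enabled on any VLAN")
    for name, lines in sections.items():
        if name.startswith("line vty"):
            if not _has(lines, "exec-timeout"):
                findings.append(f"{name}: no exec-timeout, idle sessions stay open")
            if not _has(lines, "transport input ssh"):
                findings.append(f"{name}: transport input not restricted to SSH")
            continue
        if not name.startswith("interface "):
            continue
        port = name.split(None, 1)[1]
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
        if mode is None and "shutdown" not in lines:
            findings.append(f"{port}: no switchport mode and not shut down (DTP auto-trunking possible)")
        if mode == "trunk":
            if "switchport nonegotiate" not in lines:
                findings.append(f"{port}: trunk still negotiates DTP (add switchport nonegotiate)")
            native = next((l.split()[-1] for l in lines
                           if l.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                findings.append(f"{port}: trunk native VLAN left at 1")
        if mode == "access" and snooping and not _has(lines, "ip dhcp snooping limit rate"):
            findings.append(f"{port}: untrusted port has no DHCP snooping rate limit")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```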
Mitigate ARP Attacks:

 To mitigate the chances of ARP spoofing and ARP poisoning, these DAI implementation
guidelines are to be followed:
• Enable DHCP snooping globally.
• Enable DHCP snooping on selected VLANs.
• Enable DAI on selected VLANs.
• Configure trusted interfaces for DHCP snooping and ARP inspection.
Mitigate STP Attacks:

 To mitigate Spanning Tree Protocol (STP) manipulation attacks, use PortFast and Bridge Protocol Data
Unit (BPDU) Guard:
• PortFast - PortFast immediately brings an interface configured as an access port to the
forwarding state from a blocking state, bypassing the listening and learning states. Apply to all
end-user ports. PortFast should only be configured on ports attached to end devices.
• BPDU Guard - BPDU Guard immediately error-disables a port that receives a BPDU. Like
PortFast, BPDU Guard should only be configured on interfaces attached to end devices.

CHAPTER-12 WLAN Concepts
Introduction to Wireless:

 A Wireless LAN (WLAN) is a type of wireless network that is commonly used in homes,
offices, and campus environments.
 There are many different network infrastructures that provide network access, such as wired
LANs, service provider networks, and cell phone networks.

 Wireless networks are based on the Institute of Electrical and Electronics Engineers (IEEE)
standards and can be classified broadly into four main types: WPAN, WLAN, WMAN, and
WWAN.
WLAN Concepts:

 Wireless deployments require a minimum of two devices that have a radio transmitter and a
radio receiver tuned to the same radio frequencies:
• End devices with wireless NICs.
• A network device, such as a wireless router or wireless AP.
 A wireless router is commonly implemented as a small business or residential wireless access
device.

WLAN Operation:

 The 802.11 standard identifies two main wireless topology modes: Ad hoc mode and
Infrastructure mode. Tethering is also a mode sometimes used to provide quick wireless access.
 Infrastructure mode defines two topology building blocks: A Basic Service Set (BSS) and an
Extended Service Set (ESS).
CAPWAP operation:

 CAPWAP is an IEEE standard protocol that enables a WLC to manage multiple APs and
WLANs.
 CAPWAP is based on LWAPP but adds additional security with Datagram Transport Layer
Security (DTLS).
 IPv4 and IPv6 both use UDP ports 5246 and 5247. Port 5246 is for CAPWAP control messages
used by the WLC to manage the AP.
 ame radio channel.

Figure 33

Channel Management:

 Wireless LAN devices have transmitters and receivers tuned to specific frequencies of radio
waves to communicate. A common practice is for frequencies to be allocated as ranges. Such
ranges are then split into smaller ranges called channels.
 A best practice for WLANs requiring multiple APs is to use non-overlapping channels. For
example, the 802.11b/g/n standards operate in the 2.4 GHz to 2.5 GHz spectrum.
 Interference occurs when one signal overlaps a channel reserved for another signal, causing
possible distortion.
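As an added example (not part of the report), the following Python code works out which 2.4 GHz channels overlap from their centre frequencies and spreads a set of APs across a non-overlapping set. The centre frequencies are the IEEE 802.11 values (channel 1 at 2412 MHz, 5 MHz steps, channel 14 at 2484 MHz); the channel widths are the 22 MHz of 802.11b DSSS and the 20 MHz of 802.11g/n OFDM; the AP names are constructed.

```python
# Added example (not from the report): which 2.4 GHz channels overlap, and how to spread
# APs across a non-overlapping set. Channel centre frequencies are the IEEE 802.11 values;
# the AP names are constructed.


def center_mhz(channel):
    """Centre frequency of a 2.4 GHz channel: 2412 MHz for channel 1, 5 MHz steps to 13,
    and 2484 MHz for the Japan-only channel 14."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2412 + 5 * (channel - 1)
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def overlaps(a, b, width_mhz=22):
    """Two channels interfere when their centres are closer than one channel width.
    802.11b DSSS channels are 22 MHz wide; 802.11g/n OFDM channels are 20 MHz."""
    return abs(center_mhz(a) - center_mhz(b)) < width_mhz


def non_overlapping(channels, width_mhz=22):
    """Greedy selection of a set of mutually non-overlapping channels, lowest first."""
    chosen = []
    for ch in sorted(channels):
        if all(not overlaps(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


def plan_channels(ap_names, allowed_channels, width_mhz=22):
    """Assign each AP a channel from the non-overlapping set, round-robin, so that
    APs that are adjacent in the list never share an interfering channel."""
    usable = non_overlapping(allowed_channels, width_mhz)
    return {name: usable[i % len(usable)] for i, name in enumerate(ap_names)}


if __name__ == "__main__":
    print(non_overlapping(range(1, 12)))                  # channels 1-11 (North America)
    print(non_overlapping(range(1, 14), width_mhz=20))    # channels 1-13 with 20 MHz OFDM
    print(plan_channels(["AP-1", "AP-2", "AP-3", "AP-4"], range(1, 12)))
```

With channels 1 to 11 and 22 MHz channels the only mutually non-overlapping set is 1, 6 and 11, which is the usual three-channel plan; where channel 13 is allowed and 20 MHz OFDM is used, 1, 5, 9 and 13 also work.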
WLAN Threats:

 A WLAN is open to anyone within range of an AP who has the appropriate credentials to associate
to it. With a wireless NIC and knowledge of cracking techniques, an attacker may not have to
physically enter the workplace to gain access to a WLAN.
 A rogue AP is an AP or wireless router that has been connected to a corporate network without
explicit authorization and against corporate policy. Anyone with access to the premises can
install (maliciously or non-maliciously) an inexpensive wireless router that can potentially allow
access to a secure network resource.

Secure WLANs:

 Wireless signals can travel through solid matter, such as ceilings, floors, walls, outside of the
home, or office space. Without stringent security measures in place, installing a WLAN can be
the equivalent of putting Ethernet ports everywhere, even outside.
 To address the threats of keeping wireless intruders out and protecting data, two early security
features were used and are still available on most routers and APs: SSID cloaking and MAC
address filtering.
 The best way to secure a wireless network is to use authentication and encryption systems.

CHAPTER-13 WLAN Configuration
Remote Site WLAN Configuration:

 Remote workers, small branch offices, and home networks often use a small office and home
router.
 These wireless routers typically provide WLAN security, DHCP services, integrated Network
Address Translation (NAT), quality of service (QoS), as well as a variety of other features. The
feature set will vary based on the router model.
 Basic network setup includes the following steps:
• Log in to the router from a web browser.
• Change the default administrative password.
• Log in with the new administrative password.
• Change the default DHCP IPv4 addresses.
• Renew the IP address.
• Log in to the router with the new IP address.

Configure a Basic WLAN on the WLC:

 Configuring a wireless LAN controller (WLC) is not that much different from configuring a
wireless router except that a WLC controls APs and provides more services and management
capabilities.
 Wireless LAN Controllers have ports and interfaces. Ports are the sockets for the physical
connections to the wired network. They resemble switch ports. Interfaces are virtual.

Troubleshoot WLAN Issues:

 Network problems can be simple or complex, and can result from a combination of hardware,
software, and connectivity issues. Technicians must be able to analyze the problem and
determine the cause of the error before they can resolve the network issue. This process is called
troubleshooting.
 To optimize and increase the bandwidth of 802.11 dual-band routers and APs, either:
• Upgrade your wireless clients.
• Split the traffic.

CHAPTER-14 Routing Concepts
Path Determination:

 Ethernet switches are used to connect end devices and other intermediary devices, such as
other Ethernet switches, to the same network. A router connects multiple networks, which
means that it has multiple interfaces that each belong to a different IP network.
 The primary functions of a router are to determine the best path to forward packets based on
the information in its routing table, and to forward packets toward their destination.
 The routing table contains route entries consisting of a prefix (network address) and prefix
length.
Packet Forwarding:

 The primary responsibility of the packet forwarding function is to encapsulate packets in the
appropriate data link frame type for the outgoing interface.
 The more efficiently a router can perform this task, the faster packets can be forwarded by the
router.
 Routers support the following three packet forwarding mechanisms:
• Process switching,
• Fast switching,
• Cisco Express Forwarding (CEF).

Basic Router Configuration Review:

 A router creates a routing table to help it determine where to forward packets.


 The output of a show command can be filtered by adding the pipe character (|) after the command.
The filtering parameters that can be configured after the pipe include:
• section - This displays the entire section that starts with the filtering expression.
• include - This includes all output lines that match the filtering expression.
• exclude - This excludes all output lines that match the filtering expression.
• begin - This displays all the output lines from a certain point, starting with the line
that matches the filtering expression.
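The four filters behave differently on the same output, which is easiest to see side by side. The following Python code is an added example, not IOS code: it applies each filter, using regular expressions as IOS does, to a constructed running-config fragment so that the difference between include, exclude, begin and section is visible.

```python
# Added example (not IOS code): the four output filters applied to a constructed
# running-config so their differences are visible. Regular expressions are used, as on IOS.
import re

SAMPLE_OUTPUT = """\
hostname R1
!
interface GigabitEthernet0/0/0
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
interface Serial0/1/0
 ip address 10.1.1.1 255.255.255.252
!
router ospf 10
 network 192.168.10.0 0.0.0.255 area 0
!
line vty 0 4
 login local
"""


def include(lines, expr):
    """| include expr : only lines that match."""
    return [l for l in lines if re.search(expr, l)]


def exclude(lines, expr):
    """| exclude expr : everything except lines that match."""
    return [l for l in lines if not re.search(expr, l)]


def begin(lines, expr):
    """| begin expr : from the first matching line to the end of the output."""
    for i, l in enumerate(lines):
        if re.search(expr, l):
            return lines[i:]
    return []


def section(lines, expr):
    """| section expr : each matching line plus the indented lines that belong to it."""
    out, inside = [], False
    for l in lines:
        if re.search(expr, l):
            out.append(l)
            inside = True
        elif inside and l.startswith(" "):
            out.append(l)
        else:
            inside = False
    return out


FILTERS = {"include": include, "exclude": exclude, "begin": begin, "section": section}


def pipe(output, spec):
    """Apply 'show ... | <keyword> <expr>' style filtering to a block of command output."""
    keyword, _, expr = spec.strip().partition(" ")
    return FILTERS[keyword](output.splitlines(), expr)


if __name__ == "__main__":
    for spec in ("include ip address", "exclude ^!", "begin router ospf", "section interface Serial"):
        print(f"--- | {spec}")
        print("\n".join(pipe(SAMPLE_OUTPUT, spec)))
```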

IP Routing Table:

 A routing table contains a list of routes to known networks (prefixes and prefix lengths). This
information is derived from the following sources: directly connected networks and static
routes.
 The code identifies how the route was learned. For instance, common codes include the
following:
• L - Identifies the address assigned to a router interface. This allows the router to
efficiently determine when it receives a packet for the interface instead of being
forwarded.
• C - Identifies a directly connected network.
• S - Identifies a static route created to reach a specific network.
• O - Identifies a dynamically learned network from another router using the OSPF
routing protocol.
• * - This route is a candidate for a default route.

Static and Dynamic Routing:

 Static routes are commonly used in the following scenarios:
• As a default route forwarding packets to a service provider.
• For routes outside the routing domain and not learned by the dynamic
routing protocol.
• When the network administrator wants to explicitly define the path for a
specific network.
• For routing between stub networks.
 Dynamic routing protocols are commonly used in the following scenarios:
• In networks consisting of more than just a few routers.
• When a change in the network topology requires the network to
automatically determine another path for scalability.
• As the network grows, the dynamic routing protocol automatically learns about
any new networks.

CHAPTER-15 IP Static Routing
Static Routes:

 Static routes can be configured for IPv4 and IPv6. Both protocols support the following types of static
routes:
• Standard static route.
• Default static route.
• Floating static route.
• Summary static route.
 IPv4 static routes are configured using the following global configuration command:
 Router(config)# ip route network-address subnet-mask {ip-address | exit-intf [ip-address]} [distance]
 The figure shows a dual-stack network topology. Currently, no static routes are configured for either
IPv4 or IPv6.

Configure IP Static Routes:

 In a fully specified static route, both the exit interface and the next-hop IP address are specified. This form
of static route is used when the exit interface is a multi-access interface and it is necessary to explicitly
identify the next hop.
 The next hop must be directly connected to the specified exit interface. Using an exit interface is optional,
however it is necessary to use a next-hop address.
 The difference between an Ethernet multi-access network and a point-to-point serial network is that a
point-to-point serial network has only one other device on that network, the router at the other end of the
link. With Ethernet networks, there may be many different devices sharing the same multi-access network,
including hosts and even multiple routers.

Configure IP Default Static Routes:

 Routers commonly use default routes that are either configured locally or learned from another router,
using a dynamic routing protocol.

 A default route does not require any far-left bits to match between the default route and the destination IP
address. A default route is used when no other routes in the routing table match the destination IP address
of the packet.
 Default static routes are commonly used when connecting an edge router to a service provider network, or
a stub router.

Configure Floating Static Routes:

 Floating static routes are a type of static route that is used to provide a backup path to a primary
static or dynamic route, in the event of a link failure.

Configure Static Host Routes:

 A host route is an IPv4 address with a 32-bit mask, or an IPv6 address with a 128-bit mask.
 A host route can be added to the routing table in three ways: automatically installed when an IP
address is configured on the router, configured as a static host route, or obtained automatically
through other methods.
 The static route uses a destination IP address and a 255.255.255.255 (/32) mask for IPv4 host
routes, and a /128 prefix length for IPv6 host routes.
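The route types of this chapter and the routing-table entries of the previous one (codes L, C and S, the candidate default route marked with *, longest prefix match) can be exercised together in one model. The following Python code is an added example, not IOS code: it parses the ip route and ipv6 route forms shown above, installs connected and local routes when an interface address is configured, keeps a floating static route out of the table while the lower-distance primary is usable, and answers lookups by longest prefix match. The interface names and addresses are constructed to resemble the chapter topology.

```python
# Added example (not IOS code): a routing table that installs connected, static, default,
# floating static and host routes and performs longest-prefix lookups. The interface
# names and addresses are constructed to resemble the chapter's topology.
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    code: str          # L (local), C (connected), S (static)
    prefix: object     # ipaddress.IPv4Network or IPv6Network
    next_hop: object   # ipaddress address object, or None
    exit_intf: object  # interface name, or None
    distance: int      # administrative distance: 0 connected, 1 static unless overridden


class RoutingTable:
    def __init__(self):
        self.routes = []
        self.down = set()          # interfaces currently down (constructed link failures)

    def add_interface(self, intf, addr_with_len):
        """An address on an interface installs a C route for the network and an L route
        (/32 or /128) for the address itself."""
        iface = ipaddress.ip_interface(addr_with_len)
        self.routes.append(Route("C", iface.network, None, intf, 0))
        host = ipaddress.ip_network(f"{iface.ip}/{iface.max_prefixlen}")
        self.routes.append(Route("L", host, None, intf, 0))

    def ip_route(self, command):
        """Parse 'ip route network mask {next-hop | exit-intf [next-hop]} [distance]'
        or 'ipv6 route prefix/len {next-hop | exit-intf [next-hop]} [distance]'."""
        tok = command.split()
        if tok[0] == "ip":
            prefix = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            rest = tok[4:]
        else:
            prefix = ipaddress.ip_network(tok[2], strict=False)
            rest = tok[3:]
        distance = int(rest.pop()) if rest[-1].isdigit() else 1   # floating static: higher AD
        next_hop = exit_intf = None
        for t in rest:
            try:
                next_hop = ipaddress.ip_address(t)
            except ValueError:
                exit_intf = t
        self.routes.append(Route("S", prefix, next_hop, exit_intf, distance))

    def _usable(self, r):
        if r.exit_intf is not None:
            return r.exit_intf not in self.down
        # next-hop-only static route: the next hop must sit on an up, directly connected network
        return any(c.code == "C" and c.exit_intf not in self.down
                   and r.next_hop in c.prefix for c in self.routes)

    def installed(self):
        """One route per prefix: the usable candidate with the lowest administrative
        distance. A floating static route only appears once the primary is unusable."""
        best = {}
        for r in self.routes:
            if self._usable(r) and (r.prefix not in best or r.distance < best[r.prefix].distance):
                best[r.prefix] = r
        return list(best.values())

    def lookup(self, destination):
        """Longest prefix match; the default route (/0) matches only when nothing else does."""
        addr = ipaddress.ip_address(destination)
        matches = [r for r in self.installed()
                   if r.prefix.version == addr.version and addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def show_ip_route(self):
        lines = []
        for r in sorted(self.installed(), key=lambda r: (r.prefix.version, str(r.prefix))):
            star = "*" if r.prefix.prefixlen == 0 else " "     # candidate default route
            via = f"via {r.next_hop}" if r.next_hop else f"is directly connected, {r.exit_intf}"
            lines.append(f"{r.code}{star}  {r.prefix} [{r.distance}/0] {via}")
        return lines


def build_r1():
    """Constructed router: a LAN, a primary serial link and a backup Ethernet link."""
    rt = RoutingTable()
    rt.add_interface("GigabitEthernet0/0/0", "192.168.1.1/24")
    rt.add_interface("Serial0/1/0", "10.1.1.1/30")
    rt.add_interface("GigabitEthernet0/0/1", "10.1.2.1/30")
    rt.add_interface("Serial0/1/0", "2001:db8:1::1/64")
    rt.ip_route("ip route 0.0.0.0 0.0.0.0 Serial0/1/0")               # default static route
    rt.ip_route("ip route 0.0.0.0 0.0.0.0 10.1.2.2 5")                 # floating static backup
    rt.ip_route("ip route 192.168.2.10 255.255.255.255 Serial0/1/0 10.1.1.2")  # fully specified host route
    rt.ip_route("ipv6 route ::/0 2001:db8:1::2")
    return rt


if __name__ == "__main__":
    r1 = build_r1()
    print("\n".join(r1.show_ip_route()))
    print(r1.lookup("192.168.2.10"))
    r1.down.add("Serial0/1/0")          # constructed link failure
    print("\n".join(r1.show_ip_route()))
```

Marking Serial0/1/0 down removes the host route and the primary default route, and the floating static route with distance 5 takes over; the IPv6 default route disappears as well because its next hop was only reachable through that interface.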

CHAPTER-16 Troubleshoot Static and Default Routes
Packet Processing with Static Route:

 The following describes the packet forwarding process with static routes:
• The packet arrives on the Gigabit Ethernet 0/0/0 interface of R1.
• R1 does not have a specific route to the destination network, 192.168.2.0/24.
Therefore, R1 uses the default static route.
• R1 encapsulates the packet in a new frame. Because the link to R2 is a point-to-
point link, R1 adds an "all 1s" address for the Layer 2 destination address.
• The frame is forwarded out of the Serial 0/1/0 interface. The packet arrives on
the Serial 0/1/0 interface on R2.
• R2 de-encapsulates the frame and looks for a route to the destination. R2 has a
static route to 192.168.2.0/24 out of the Serial 0/1/1 interface.
• R2 encapsulates the packet in a new frame. Because the link to R3 is a point-to-
point link, R2 adds an "all 1s" address for the Layer 2 destination address.
• The frame is forwarded out of the Serial 0/1/1 interface. The packet arrives on
the Serial 0/1/1 interface on R3.
• R3 de-encapsulates the frame and looks for a route to the destination. R3 has a
connected route to 192.168.2.0/24 out of the Gigabit Ethernet 0/0/0 interface.
• R3 looks up the ARP table entry for 192.168.2.10 to find the Layer 2 Media Access
Control (MAC) address for PC3.
• R3 encapsulates the packet in a new frame with the MAC address of the Gigabit
Ethernet 0/0/0 interface as the source Layer 2 address, and the MAC address of PC3
as the destination MAC address.
• The frame is forwarded out of Gigabit Ethernet 0/0/0 interface. The packet arrives on
the network interface card (NIC) interface of PC3.

Troubleshoot IPv4 Static and Default Route Configuration:

 When there is a change in the network, connectivity may be lost. Network administrators are
responsible for pinpointing and solving the problem. To find and solve these issues, a network
administrator must be familiar with tools to help isolate routing problems quickly.
 Common IOS troubleshooting commands include the following:
• ping,
• traceroute,
• show ip route,
• show ip interface brief,
• show cdp neighbors detail.

MODULE-3: ENTERPRISE NETWORK, SECURITY AND AUTOMATION

CHAPTER-1 Single-Area OSPFv2 Concepts
OSPF Features and Characteristics:

 Open Shortest Path First (OSPF) is a link-state routing protocol that was developed as an
alternative for the distance vector Routing Information Protocol (RIP).
 OSPF has significant advantages over RIP in that it offers faster convergence and scales to much
larger network implementations.
 OSPF is a link-state routing protocol that uses the concept of areas for scalability. All link-state
information includes the network prefix, prefix length, and cost. All routing protocols use
routing protocol messages to exchange route information.
 Routers running OSPF exchange messages to convey routing information using five types of
packets: the Hello packet, the database description packet, the link-state request packet, the link-
state update packet, and the link-state acknowledgment packet.
 To maintain routing information, OSPF routers complete a generic link-state routing process to
reach a state of convergence:
• Establish Neighbor Adjacencies,
• Exchange Link-State Advertisements,
• Build the Link State Database,
• Execute the SPF Algorithm,
• Choose the Best Route.

OSPF Packets:

 OSPF uses the following link-state packets (LSPs) to establish and maintain neighbor
adjacencies and exchange routing updates: 1 Hello, 2 DBD, 3 LSR, 4 LSU, and 5 LS Ack. LSUs
are also used to forward OSPF routing updates, such as link changes.
 Hello packets are used to:
• Discover OSPF neighbors and establish neighbor adjacencies.
• Elect the Designated Router (DR) and Backup Designated Router (BDR) on multi-access
networks like Ethernet. Point-to-point links do not require a DR or BDR.
• Some important fields in the Hello packet are type, router ID, area ID, network
mask, hello interval, router priority, dead interval, DR, BDR and list of neighbors.

OSPF Operation:
 When an OSPF router is initially connected to a network, it attempts to:
• Create adjacencies with neighbors,
• Exchange routing information,
• Calculate the best routes,
• Reach convergence.
 The states that OSPF progresses through to do this are down state, init state, two-way state,
ExStart state, Exchange state, loading state, and full state.
 When OSPF is enabled on an interface, the router must determine if there is another OSPF
neighbor on the link by sending a Hello packet that contains its router ID out all OSPF-enabled
interfaces.
 The Hello packet is sent to the reserved All OSPF Routers IPv4 multicast address 224.0.0.5.

 When a neighboring OSPF-enabled router receives a Hello packet with a router ID that is not
within its neighbor list, the receiving router attempts to establish an adjacency with the initiating
router.

Figure 37

 After the Two-Way state, routers transition to database synchronization states, which is a three
step process: i) Decide First Router, ii) Exchange DBDs, iii) Send an LSR.
 A dramatic increase in the number of routers also dramatically increases the number of LSAs
exchanged between the routers.

CHAPTER-2 Single-Area OSPFv2 Configuration
OSPF Router ID:

 OSPFv2 is enabled using the router ospf process-id global configuration mode command. The
process-id value represents a number between 1 and 65,535 and is selected by the network administrator.
An OSPF router ID is a 32-bit value, represented as an IPv4 address.
 The router ID is used by an OSPF-enabled router to synchronize OSPF databases and participate in the
election of the DR and BDR.
 Cisco routers derive the router ID based on one of three criteria, in the following preferential order:
1. The router ID is explicitly configured using the OSPF router-id rid router configuration mode
command. The rid value is any 32-bit value expressed as an IPv4 address.
2. If the router ID is not explicitly configured, the router chooses the highest IPv4 address of any
of its configured loopback interfaces.
3. If no loopback interfaces are configured, then the router chooses the highest active IPv4
address of any of its physical interfaces.
 The router ID can be assigned to a loopback interface.
 After a router selects a router ID, an active OSPF router does not allow the router ID to be changed
until the router is reloaded or the OSPF process is reset.
 Use the clear ip ospf process command to reset the adjacencies.
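The three-step selection and the "no change until reset" rule are small enough to model exactly. The following Python code is an added example, not IOS code: select_router_id applies the preferential order above, and OspfProcess shows a router-id command taking effect only after clear ip ospf process. The addresses and interface states are constructed; the process keeps no adjacencies, only the router ID lifecycle.

```python
# Added example (not IOS code): the three-step router ID selection and the rule that a
# running process keeps its ID until reset. Addresses and interface states are constructed.
import ipaddress


def select_router_id(configured_rid=None, loopback_addrs=(), physical=()):
    """Return the OSPF router ID in the preferential order described above.

    configured_rid : value from 'router-id rid', or None
    loopback_addrs : IPv4 addresses configured on loopback interfaces
    physical       : (IPv4 address, is_up) pairs for physical interfaces"""
    if configured_rid:
        return ipaddress.IPv4Address(configured_rid)
    # Compare as addresses, not strings: as text "9.0.0.1" would sort above "10.0.0.1"
    if loopback_addrs:
        return max(ipaddress.IPv4Address(a) for a in loopback_addrs)
    active = [ipaddress.IPv4Address(a) for a, up in physical if up]
    if active:
        return max(active)
    return None     # no usable address: the OSPF process cannot start


class OspfProcess:
    """Minimal model of 'router ospf process-id' for the router ID lifecycle."""

    def __init__(self, process_id, loopback_addrs=(), physical=()):
        if not 1 <= process_id <= 65535:
            raise ValueError("process-id must be 1..65535")
        self.process_id = process_id
        self.loopback_addrs = list(loopback_addrs)
        self.physical = list(physical)
        self.pending_rid = None
        self.router_id = select_router_id(None, self.loopback_addrs, self.physical)

    def router_id_cmd(self, rid):
        """'router-id rid': takes effect immediately only if no ID has been chosen yet;
        otherwise it waits for a reload or 'clear ip ospf process'."""
        self.pending_rid = rid
        if self.router_id is None:
            self.router_id = ipaddress.IPv4Address(rid)
            return "applied"
        return "pending: reload or clear ip ospf process"

    def clear_ip_ospf_process(self):
        """Reset the process and re-run the selection, now honouring the configured ID."""
        self.router_id = select_router_id(self.pending_rid, self.loopback_addrs, self.physical)
        return self.router_id


if __name__ == "__main__":
    p = OspfProcess(10, physical=[("192.168.10.1", True), ("209.165.200.225", False)])
    print("initial router ID:", p.router_id)
    print(p.router_id_cmd("1.1.1.1"), "- still", p.router_id)
    print("after clear:", p.clear_ip_ospf_process())
```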

Point-to-Point OSPF Networks:

 The network command is used to determine which interfaces participate in the routing process for an
OSPFv2 area.
 Any interfaces on a router that match the network address in the network command can send and
receive OSPF packets.
 The wildcard mask is typically the inverse of the subnet mask configured on that interface. In a wildcard
mask:
• Wildcard mask bit 0 - Matches the corresponding bit value in the address
• Wildcard mask bit 1 - Ignores the corresponding bit value in the address
 ip ospf command - To configure OSPF directly on the interface.
 passive-interface command - To stop transmitting routing messages through a router interface, but still
allow that network to be advertised to other routers.
 show ip protocols command - To verify that the Loopback 0 interface is listed as passive.
 ip ospf network point-to-point command - To disable the DR/BDR election process.

OSPF Network Types:

 Routers can be connected to the same switch to form a multi-access network.
 In broadcast networks, all devices on the network see all broadcast and multicast frames. The
DR is responsible for collecting and distributing LSAs.
 If the DR stops producing Hello packets, the BDR promotes itself and assumes the role of DR.
All other routers become a DROTHER. DROTHERs use the multi-access address 224.0.0.6 (all
designated routers) to send OSPF packets to the DR and BDR.
 Only the DR and BDR listen for 224.0.0.6. To verify the roles of the OSPFv2 router, use the
show ip ospf interface command.
 To verify the OSPFv2 adjacencies, use the show ip ospf neighbor command.

 The state of neighbors in multi-access networks can be:
• FULL/DROTHER - This is a DR or BDR router that is fully adjacent with a non-DR
or BDR router.
• FULL/DR - The router is fully adjacent with the indicated DR neighbor.
• FULL/BDR - The router is fully adjacent with the indicated BDR neighbor.
• 2-WAY/DROTHER - The non-DR or BDR router has a neighbor relationship with
another non-DR or BDR router.

Modify Single-Area OSPFv2:

 OSPF uses cost as a metric. A lower cost indicates a better path than a higher cost. A higher
bandwidth indicates a lower cost. The formula used to calculate the OSPF cost is: Cost =
reference bandwidth / interface bandwidth.
 auto-cost reference-bandwidth Mbps command - To adjust the reference bandwidth.
 ip ospf cost value command - To manually set the OSPF cost value reported by the local OSPF
router to other OSPF routers.
 If the Dead interval expires before the routers receive a Hello packet, OSPF removes that
neighbor from its link-state database (LSDB).
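The cost formula above has a practical consequence that is easy to miss: with the IOS default reference bandwidth of 100 Mbps, every interface of 100 Mbps or faster gets cost 1, so OSPF cannot tell a Gigabit link from a Fast Ethernet link. The following Python code is an added example, not IOS code; it implements the formula with integer truncation and the minimum cost of 1, the manual override, and a path comparison on two constructed paths that flips once the reference bandwidth is raised.

```python
# Added example (not IOS code): OSPF cost from the formula above, with the IOS default
# reference bandwidth of 100 Mbps, and why 'auto-cost reference-bandwidth' matters on
# gigabit links. Link speeds are the usual interface rates; the paths are constructed.

MBPS = 1_000_000
DEFAULT_REFERENCE_BPS = 100 * MBPS       # IOS default: auto-cost reference-bandwidth 100

LINK_BPS = {                              # default interface bandwidths used by the formula
    "Serial (T1)": 1_544_000,
    "FastEthernet": 100 * MBPS,
    "GigabitEthernet": 1_000 * MBPS,
    "TenGigabitEthernet": 10_000 * MBPS,
}


def reference_bandwidth(mbps=100):
    """'auto-cost reference-bandwidth Mbps' expressed in bit/s."""
    return mbps * MBPS


def ospf_cost(interface_bps, reference_bps=DEFAULT_REFERENCE_BPS, manual_cost=None):
    """Cost = reference bandwidth / interface bandwidth, truncated to an integer and never
    below 1. 'ip ospf cost value' replaces the computed value for that interface."""
    if manual_cost is not None:
        return manual_cost
    return max(1, reference_bps // interface_bps)


def path_cost(link_bps_list, reference_bps=DEFAULT_REFERENCE_BPS):
    """Total cost of a path is the sum of the outgoing interface costs along it."""
    return sum(ospf_cost(bps, reference_bps) for bps in link_bps_list)


def best_path(paths, reference_bps=DEFAULT_REFERENCE_BPS):
    """paths: {name: [link speeds in bit/s]}; returns (name, cost) of the lowest-cost path."""
    return min(((name, path_cost(links, reference_bps)) for name, links in paths.items()),
               key=lambda item: item[1])


if __name__ == "__main__":
    for ref in (100, 10_000):
        print(f"reference bandwidth {ref} Mbps:",
              {name: ospf_cost(bps, reference_bandwidth(ref)) for name, bps in LINK_BPS.items()})
    # Two constructed paths: two gigabit hops versus one FastEthernet hop
    paths = {"two gig hops": [LINK_BPS["GigabitEthernet"]] * 2,
             "one fast hop": [LINK_BPS["FastEthernet"]]}
    print(best_path(paths))                               # default reference picks the slow link
    print(best_path(paths, reference_bandwidth(10_000)))  # raised reference picks the gig path
```

The reference bandwidth must be set to the same value on every router in the OSPF domain, otherwise routers compute different costs for the same links and the path choice becomes inconsistent.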

Default Route Propagation:

 In OSPF terminology, the router located between an OSPF routing domain and a non-OSPF
network is called the ASBR.
 To propagate a default route, the ASBR must be configured with a default static route
using the ip route 0.0.0.0 0.0.0.0 [next-hop-address | exit-intf] command, and with the
default-information originate router configuration command.

Verify Single-Area OSPFv2:

 The following two commands are used to verify routing:
• show ip interface brief – Used to verify that the desired interfaces are active
with correct IP addressing.
• show ip route - Used to verify that the routing table contains all the expected routes.
 Additional commands for determining that OSPF is operating as expected include: show ip ospf
neighbor, show ip protocols, show ip ospf and show ip ospf interface.
 show ip protocols - To verify vital OSPF configuration information
 show ip ospf - To examine the OSPFv2 process ID and router ID.
 show ip ospf interface - To provide a detailed list for every OSPFv2-enabled interface.

CHAPTER-3 Network Security Concepts
Current State of Cyber Security:

 Network security breaches can disrupt e-commerce, cause the loss of business data, threaten
people’s privacy, and compromise the integrity of information.
 Mitigation techniques are required before, during, and after an attack.
 An attack vector is a path by which a threat actor can gain access to a server, host, or network.
Attack vectors originate from inside or outside the corporate network.

Threat Actors:

 The term ‘threat actor’ includes hackers and any device, person, group, or nation state that is,
intentionally or unintentionally, the source of an attack. There are “White Hat”, “Gray Hat”, and
“Black Hat” hackers.
 Cyber criminals operate in an underground economy where they buy, sell, and trade attack
toolkits, zero-day exploit code, botnet services, banking Trojans, keyloggers, and more.
 Hacktivists tend to rely on fairly basic, freely available tools.

Threat Actor Tools:

 Attack tools have become more sophisticated and highly automated. These new tools require
less technical knowledge to implement.
 Ethical hacking involves many different types of tools used to test the network and keep its data
secure.
 Common types of attacks are: eavesdropping, data modifications, IP address spoofing,
password-based, denial-of-service, man-in-the-middle, compromised-key, and sniffer.


Malware:

 The three most common types of malware are worms, viruses, and Trojan horses.
 A worm executes arbitrary code and installs copies of itself in the memory of the infected
computer.
 A virus executes a specific unwanted, and often harmful, function on a computer.
 A Trojan horse is non-self-replicating. When an infected application or file is downloaded and
opened, the Trojan horse can attack the end device from within.
 Other types of malware are: adware, ransomware, rootkit and spyware.

Common Network Attacks:

 Networks are susceptible to the following types of attacks: reconnaissance, access, and DoS.
 Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping
of systems, services, or vulnerabilities.
 Types of access attacks are: password, spoofing, trust exploitations, port redirections, man-in-
the-middle, and buffer overflow.
 Social engineering is an access attack that attempts to manipulate individuals into performing
actions or divulging confidential information.
 DoS and DDoS are attacks that create some sort of interruption of network services to users,
devices, or applications.

IP Vulnerabilities and Threats:

 Threat actors can send packets using a spoofed source IP address. Threat actors can also tamper
with the other fields in the IP header to carry out their attacks.
 IP attack techniques include: ICMP, amplification and reflection, address spoofing, MITM, and
session hijacking.
 Threat actors use ICMP for reconnaissance and scanning attacks.

TCP and UDP Vulnerabilities:

 TCP segment information appears immediately after the IP header. TCP provides reliable
delivery, flow control, and stateful communication.
 TCP attacks include: TCP SYN flood attack, TCP reset attack, and TCP session hijacking.
 UDP is commonly used by DNS, TFTP, NFS, and SNMP. It is also used with real-time
applications such as media streaming or VoIP.
 UDP is not protected by encryption. UDP flood attacks send a flood of UDP packets, often
from a spoofed host, to a server on the subnet. The result is very similar to a DoS attack.
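From the defender's side, a SYN flood shows up as a growing backlog of half-open connections on the victim, and because the sources are usually spoofed the count has to be kept per target rather than per sender. The following Python code is an added example, not part of the report: it parses a constructed connection trace (every address and timestamp in it is made up), counts SYNs that were never followed by the client's ACK inside a time window, and raises an alert for servers whose half-open backlog crosses a threshold.

```python
# Added example (not from the report): half-open connection counting as a detector for the
# TCP SYN flood described above. The log format and every address in it are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) \[([A-Z]+)\]$")


def build_sample_log():
    """Constructed trace: three completed handshakes from one client, then 30 SYNs from
    spoofed sources that never complete (the server's SYN-ACKs go unanswered)."""
    t0 = datetime(2021, 3, 1, 10, 0, 0)
    lines = []
    for i in range(3):
        t = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.0.0.5:{51000 + i} -> 203.0.113.10:80 [S]")
        lines.append(f"{t} 203.0.113.10:80 -> 10.0.0.5:{51000 + i} [SA]")
        lines.append(f"{t} 10.0.0.5:{51000 + i} -> 203.0.113.10:80 [A]")
    for i in range(30):
        t = (t0 + timedelta(milliseconds=100 * i)).isoformat()
        lines.append(f"{t} 198.51.100.{i + 1}:40000 -> 203.0.113.10:80 [S]")
    return lines


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    ts, src, sport, dst, dport, flags = m.groups()
    return datetime.fromisoformat(ts), src, int(sport), dst, int(dport), flags


def half_open_by_server(lines, window_seconds=10):
    """Count, per (server, port), SYNs not followed by the client's ACK inside the window.
    Flood sources are usually spoofed and change per packet, so the count is keyed on
    the victim, not on the sender."""
    syn_time, completed = {}, set()
    latest = None
    for ts, src, sport, dst, dport, flags in map(parse, lines):
        latest = ts if latest is None else max(latest, ts)
        key = (src, sport, dst, dport)
        if flags == "S":
            syn_time[key] = ts
        elif flags == "A" and key in syn_time:
            completed.add(key)
    counts = defaultdict(int)
    for (src, sport, dst, dport), ts in syn_time.items():
        if (src, sport, dst, dport) not in completed and latest - ts <= timedelta(seconds=window_seconds):
            counts[(dst, dport)] += 1
    return dict(counts)


def syn_flood_alerts(lines, threshold=20, window_seconds=10):
    """Servers whose half-open backlog inside the window reaches the threshold."""
    return [server for server, n in half_open_by_server(lines, window_seconds).items()
            if n >= threshold]


if __name__ == "__main__":
    log = build_sample_log()
    print(half_open_by_server(log))
    print(syn_flood_alerts(log))
```

The threshold and window are the tuning knobs: a busy web server legitimately carries some half-open connections at any moment, so the values should be set from a baseline of normal traffic rather than from the constructed numbers used here.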

IP Services:

 Any client can send an unsolicited ARP Reply called a “gratuitous ARP.” This means that any
host can claim to be the owner of any IP or MAC.
 A threat actor can poison the ARP cache of devices on the local network, creating an MITM
attack to redirect traffic.
 DNS attacks include: open resolver attacks, stealth attacks, domain shadowing attacks, and
tunneling attacks.
 A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and
provides false IP configuration parameters to legitimate clients.

Network Security Best Practices:

 Most organizations follow the CIA information security triad: confidentiality, integrity, and
availability.
 To ensure secure communications across both public and private networks, one must secure
devices including routers, switches, servers, and hosts. This is known as defense-in-depth.
 A firewall is a system, or group of systems, that enforces an access control policy between
networks.
 To defend against fast-moving and evolving attacks, one may need intrusion detection systems
(IDS), or the more scalable intrusion prevention systems (IPS).

Cryptography:

 The four elements of secure communications are data integrity, origin authentication, data
confidentiality, and data non-repudiation.
 Hash functions guarantee that message data has not changed accidentally or intentionally. Three
well-known hash functions are MD5 with 128-bit digest, SHA hashing algorithm, and SHA-2.
 To add authentication to integrity assurance, use a keyed-hash message authentication code.
 Data confidentiality can also be ensured using asymmetric algorithms, including Rivest, Shamir,
and Adleman (RSA) and the public key infrastructure (PKI). Diffie-Hellman (DH) is an
asymmetric mathematical algorithm where two computers generate an identical shared secret
key without having communicated before.
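The three ideas above fit together: a plain hash detects change but anyone can recompute it, a keyed-hash MAC ties the check to a key so that it also proves origin, and Diffie-Hellman is one way for two parties to agree on that key without having shared it beforehand. The following Python code is an added example, not part of the report; it uses the standard hashlib and hmac modules, and the Diffie-Hellman group in it is a constructed toy (a 61-bit prime and generator 3) that is far too small for real use. The messages and keys are constructed as well.

```python
# Added example (not from the report): a hash alone proves nothing about origin, an HMAC
# proves origin and integrity to a key holder, and Diffie-Hellman lets two parties agree
# on that key. The DH parameters below are a constructed toy group, far too small for
# real use; the messages and keys are constructed as well.
import hashlib
import hmac
import secrets


def digest(message):
    """Plain SHA-256 hash: detects accidental change, but anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def make_tag(key, message):
    """Keyed-hash MAC (HMAC-SHA256): only holders of the key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key, message, tag):
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(make_tag(key, message), tag)


# Toy Diffie-Hellman group (constructed): a 61-bit Mersenne prime and generator 3.
P = 2 ** 61 - 1
G = 3


def dh_public(private):
    """Public value g^private mod p, safe to send over the network."""
    return pow(G, private, P)


def dh_shared(their_public, private):
    """Both sides compute the same secret: (g^b)^a = (g^a)^b mod p."""
    return pow(their_public, private, P)


def dh_session_key(shared_secret):
    """Derive a fixed-size MAC key from the shared secret (hash used as a simple KDF)."""
    return hashlib.sha256(shared_secret.to_bytes(8, "big")).digest()


def exchange(a_private, b_private):
    """Run the exchange and return the two derived keys (equal when it worked)."""
    a_pub, b_pub = dh_public(a_private), dh_public(b_private)
    return (dh_session_key(dh_shared(b_pub, a_private)),
            dh_session_key(dh_shared(a_pub, b_private)))


def demo():
    key_a, key_b = exchange(secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1)
    message = b"PAY 100 TO ACCOUNT 42"          # constructed message
    tag = make_tag(key_a, message)
    return {
        "keys_match": key_a == key_b,
        "authentic": verify_tag(key_b, message, tag),
        "tampered": verify_tag(key_b, b"PAY 900 TO ACCOUNT 42", tag),
        "hash_is_not_a_mac": verify_tag(key_b, message, digest(message)),
    }


if __name__ == "__main__":
    print(demo())
```

The last entry of demo is the point of the keyed hash: a receiver that accepts a bare digest in place of a tag would accept anything an attacker recomputes after changing the message, while the HMAC check fails for any message or tag the key holder did not produce.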

CHAPTER-4 ACL Concepts
Purpose of ACLs:

 Several tasks performed by routers require the use of ACLs to identify traffic.
 An ACL is a series of IOS commands that are used to filter packets based on
information found in the packet header. A router does not have any ACLs configured
by default.
 When an ACL is applied to an interface, the router performs the additional task of
evaluating all network packets as they pass through the interface to determine if the
packet can be forwarded.
 An inbound ACL filters packets before they are routed to the outbound interface. If the
packet is permitted by the ACL, it is then processed for routing.
 An outbound ACL filters packets after being routed, regardless of the inbound interface.
 When an ACL is applied to an interface, it follows a specific operating procedure:
• The router extracts the source IPv4 address from the packet header.
• The router starts at the top of the ACL and compares the source IPv4 address
to each ACE in a sequential order.
• When a match is made, the router carries out the instruction, either
permitting or denying the packet, and the remaining ACEs in the ACL, if
any, are not analyzed.
• If the source IPv4 address does not match any ACEs in the ACL, the packet is
discarded.

Wildcard Masks:

 A wildcard mask is used to filter traffic for one host, one subnet, and a range of IPv4 addresses.
 An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to examine for
a match. Wildcard masks are also used by the Open Shortest Path First (OSPF) routing protocol.
 A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which
bits in an IPv4 address to match.
 They differ in the way they match binary 1s and 0s. Wildcard mask bit 0 matches the
corresponding bit value in the address. Wildcard mask bit 1 ignores the corresponding bit value
in the address.

Guidelines for ACL creation:

 There is a limit on the number of ACLs that can be applied on a router interface.
 A router interface can have one outbound IPv4 ACL, one inbound IPv4 ACL, one inbound
IPv6 ACL, and one outbound IPv6 ACL.
 Basic planning is required before configuring an ACL and includes the following best practices:
• Base ACLs on the organizational security policies.
• Write out what you want the ACL to do.
• Use a text editor to create, edit, and save all of your ACLs.
• Document the ACLs using the remark command.
• Test the ACLs on a development network before implementing them on a
production network.

Types of IPv4 ACLs:

 There are two types of IPv4 ACLs: standard ACLs and extended ACLs.
 Standard ACLs permit or deny packets based only on the source IPv4 address.
 Extended ACLs permit or deny packets based on the source IPv4 address and destination IPv4
address, protocol type, source and destination TCP or UDP ports and more.
 ACLs numbered 1 to 99, or 1300 to 1999, are standard ACLs. ACLs numbered 100 to 199, or 2000 to
2699, are extended ACLs.

CHAPTER-5 ACLs for IPv4 Configuration
Configure Standard IPv4 ACLs:

 All ACLs must be planned, especially for ACLs requiring multiple access control entries
(ACEs).
 ip access-list standard access-list-name command - To create a numbered and also a named
standard ACL.
 no access-list access-list-number command - To remove a numbered and also a named standard
ACL.
 show ip interface command - To verify if an interface has an ACL applied to it.
 ip access-group {access-list-number | access-list-name} { in | out } command - To bind a
numbered or named standard IPv4 ACL to an interface.
 no ip access-group command - To remove an ACL from an interface.
 no access-list command - To remove the ACL from the router.

Figure 41

Modify IPv4 ACLs:

 ACLs with multiple ACEs should be created in a text editor. This allows one to plan the
required ACEs, create the ACL, and then paste it into the router interface.
 An ACL ACE can also be deleted or added using the ACL sequence numbers.
 Sequence numbers are automatically assigned when an ACE is entered. These numbers are
listed in the show access-lists command.

Secure VTY Ports with a Standard ACL:

 ACLs typically filter incoming or outgoing traffic on an interface. A standard ACL can also be
used to secure remote administrative access to a device using the vty lines.
 The two steps to secure remote administrative access to the vty lines are to create an ACL to
identify which administrative hosts should be allowed remote access and to apply the ACL to
incoming traffic on the vty lines.
 show ip interface command - To verify if an interface has an ACL applied to it.
 show access-lists command - To verify the ACL statistics.

Configure Extended IPv4 ACLs:

 Extended ACLs are used more often than standard ACLs because they provide a greater degree
of control. They can filter on source address, destination address, protocol and port number.
 Extended ACLs can be created as numbered extended ACL and named extended ACL.
 Extended ACLs can filter on many different types of internet protocols and ports. Selecting a
protocol influences port options. TCP can also perform basic stateful firewall services using the
TCP established keyword. After an ACL has been configured and applied to an interface, use
Cisco IOS show commands to verify the configuration.
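The ACL material of this chapter and the previous one, together with the wildcard-mask rule that Chapter 2 uses for the OSPF network command, can be exercised in one model: sequential top-down matching with first match wins and an implicit deny at the end, wildcard bit 0 = must match and bit 1 = ignore, standard versus extended ACEs, the established keyword, sequence-numbered deletion and per-ACE match counters as shown by show access-lists. The following Python code is an added example, not IOS code; it parses only the ACE syntax shown in the chapters (any, host, address plus wildcard, eq port, established), and the addresses, ACL names and packets are constructed.

```python
# Added example (not IOS code): standard and extended IPv4 ACLs evaluated with the
# wildcard-mask rule (bit 0 = must match, bit 1 = ignore). Only the ACE syntax shown in the
# chapters is parsed; the addresses, ACL names and packets are constructed.
import ipaddress
from dataclasses import dataclass


def wildcard_match(address, network, wildcard):
    """True when every address bit under a 0 in the wildcard equals the network's bit."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (address, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


@dataclass
class ACE:
    seq: int
    action: str                 # "permit" or "deny"
    protocol: str = "ip"        # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: object = None     # from "eq <port>"
    established: bool = False   # TCP only: match segments with the ACK or RST bit set

    def matches(self, pkt):
        if self.protocol != "ip" and pkt["proto"] != self.protocol:
            return False
        if not (wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc)):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return not self.established or bool(pkt.get("flags", set()) & {"ACK", "RST"})


def _address(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (addr, wildcard, next i)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(seq, text, extended):
    """Standard: 'permit|deny SRC'. Extended: 'permit|deny PROTO SRC DST [eq PORT] [established]'."""
    t = text.split()
    if not extended:
        src, src_wc, _ = _address(t, 1)
        return ACE(seq, t[0], "ip", src, src_wc)
    src, src_wc, i = _address(t, 2)
    dst, dst_wc, i = _address(t, i)
    port, est = None, False
    while i < len(t):
        if t[i] == "eq":
            port, i = int(t[i + 1]), i + 2
        elif t[i] == "established":
            est, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {t[i]}")
    return ACE(seq, t[0], t[1], src, src_wc, dst, dst_wc, port, est)


class ACL:
    def __init__(self, name, extended):
        self.name, self.extended = name, extended
        self.aces = {}          # seq -> ACE
        self.hits = {}          # seq -> match count, as shown by 'show access-lists'

    def add(self, seq, text):
        self.aces[seq] = parse_ace(seq, text, self.extended)
        self.hits.setdefault(seq, 0)

    def remove(self, seq):      # 'no <seq>' inside the ACL deletes one ACE by sequence number
        self.aces.pop(seq)

    def evaluate(self, pkt):
        """Top-down in sequence order, first match wins; no match hits the implicit deny."""
        for seq in sorted(self.aces):
            if self.aces[seq].matches(pkt):
                self.hits[seq] += 1
                return self.aces[seq].action
        return "deny"


def build_acls():
    std = ACL("10", extended=False)
    std.add(10, "permit 192.168.10.0 0.0.0.255")
    std.add(20, "deny host 192.168.20.5")
    ext = ACL("OUTSIDE-IN", extended=True)      # applied inbound on the internet-facing interface
    ext.add(10, "permit tcp any 192.168.10.0 0.0.0.255 established")  # replies to sessions started inside
    ext.add(20, "permit tcp any host 192.168.10.10 eq 443")           # the published web server
    ext.add(30, "deny ip any any")
    return std, ext


if __name__ == "__main__":
    std, ext = build_acls()
    print(ext.evaluate({"src": "203.0.113.9", "dst": "192.168.10.10", "proto": "tcp", "dport": 443, "flags": {"SYN"}}), ext.hits)
```

The established ACE is the basic stateful service the text refers to: an inbound segment with ACK or RST set is treated as a reply to a session an inside host opened, while a bare SYN from outside only gets through to the one published host and port.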

CHAPTER-6 NAT for IPv4
NAT Characteristics:

 There are not enough public IPv4 addresses to assign a unique address to each device connected
to the internet. Private IPv4 addresses cannot be routed over the internet. To allow a device with
a private IPv4 address to access devices and resources outside of the local network, the private
address must first be translated to a public address.
 NAT provides the translation of private addresses to public addresses. The primary use of NAT
is to conserve public IPv4 addresses.
 When an internal device sends traffic out of the network, the NAT-enabled router translates the
internal IPv4 address of the device to a public address from the NAT pool.

Figure 42

Types of NAT:

 Static NAT uses a one-to-one mapping of local and global addresses. Static NAT is particularly
useful for web servers or devices that must have a consistent address that is accessible from the
internet, such as a company web server.
 Static NAT requires that enough public addresses are available to satisfy the total number of
simultaneous user sessions.
 Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served
basis. Dynamic NAT requires that enough public addresses are available to satisfy the total
number of simultaneous user sessions. Port Address Translation (PAT), also known as NAT
overload, maps multiple private IPv4 addresses to a single public IPv4 address or a few
addresses.
NAT Advantages and Disadvantages:

 Advantages:
1. NAT conserves the legally registered addressing scheme by allowing the privatization of intranets.
2. NAT increases the flexibility of connections to the public network.
3. NAT provides consistency for internal network addressing schemes.
4. NAT hides user IPv4 addresses.
 Disadvantages:
1. NAT increases forwarding delays because the translation of each IPv4 address within the packet headers
takes time.
2. End-to-end addressing is lost. Many internet protocols and applications depend on end-to-end addressing
from the source to the destination.

3. End-to-end IPv4 traceability is also lost.

Static NAT:

 Static NAT is a one-to-one mapping between an inside address and an outside address.
 Static NAT allows external devices to initiate connections to internal devices using the statically
assigned public address.
 The first task is to create a mapping between the inside local address and the inside global
addresses.
 After the mapping is configured, the interfaces participating in the translation are configured.
 To verify NAT operation use the show ip nat translations command.

Dynamic NAT:

 Dynamic NAT automatically maps the inside local addresses to inside global addresses.
 Dynamic NAT uses a pool of addresses translating a single inside address to a single outside
address. The pool of public IPv4 addresses is available to any device on the inside network on a
first-come first-served basis.
 To configure dynamic NAT, first define the pool of addresses that will be used for translation
using the ip nat pool command.
 Identify which interfaces are inside and which are outside, in relation to NAT.
 show ip nat translations command – To display all static translations that have been
configured and any dynamic translations that have been created by traffic.

PAT:
 There are two ways to configure PAT, depending on how the ISP allocates public IPv4
addresses. In the first instance, the ISP allocates a single public IPv4 address that is required for
the organization to connect to the ISP and in the other, it allocates more than one public IPv4
address to the organization.
 To configure PAT to use a single IPv4 address, simply add the keyword overload to the ip nat
inside source command.
 To configure PAT for a dynamic NAT address pool, simply add the keyword overload to the ip
nat inside source command.
 show ip nat translations command - To verify PAT configurations.
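The three behaviours summarized above (static one-to-one mappings, a first-come first-served pool that can run out, and PAT sharing one public address by port) are easiest to see side by side in code. The following is an added example (not from the report and not Cisco's implementation) that models a NAT router's translation table; the addresses, pool and port range are constructed.

```python
"""Added example (not from the report): a model of a NAT router's translation
table showing static NAT, dynamic NAT from a pool, and PAT (overload).

Assumptions (mine): only the inside-to-outside direction creates entries,
entries never time out, and the PAT port range is 1024-65535.
"""
from dataclasses import dataclass, field
from typing import Optional

Endpoint = tuple[str, int]   # (IPv4 address, port)


@dataclass
class NatRouter:
    static: dict[str, str] = field(default_factory=dict)    # inside local -> inside global
    pool: list[str] = field(default_factory=list)           # public addresses (ip nat pool)
    overload: bool = False                                  # True = PAT ('overload' keyword)
    dynamic: dict[str, str] = field(default_factory=dict)   # inside local -> pool address in use
    pat: dict[Endpoint, Endpoint] = field(default_factory=dict)  # (local, port) -> (global, port)

    def translate(self, inside_local: str, sport: int) -> Optional[Endpoint]:
        """Translate an outbound packet; None means no address was free and it is dropped."""
        if inside_local in self.static:                 # static NAT: fixed one-to-one mapping
            return self.static[inside_local], sport
        if self.overload:                               # PAT: many locals share one global
            return self._pat(inside_local, sport)
        if inside_local not in self.dynamic:            # dynamic NAT: first-come, first-served
            free = [a for a in self.pool if a not in self.dynamic.values()]
            if not free:
                return None                             # pool exhausted
            self.dynamic[inside_local] = free[0]
        return self.dynamic[inside_local], sport

    def _pat(self, inside_local: str, sport: int) -> Optional[Endpoint]:
        key = (inside_local, sport)
        if key in self.pat:
            return self.pat[key]
        shared = self.pool[0]   # single public address (interface address or first pool entry)
        used = {port for addr, port in self.pat.values() if addr == shared}
        # Keep the original source port when it is free, otherwise pick the next free one.
        port = sport if sport not in used else next(
            (p for p in range(1024, 65536) if p not in used), None)
        if port is None:
            return None                                 # every port on the shared address in use
        self.pat[key] = (shared, port)
        return self.pat[key]

    def inbound(self, inside_global: str, dport: int) -> Optional[str]:
        """Inside local address that receives a packet arriving from the outside.
        Static entries are always reachable; dynamic and PAT entries only while
        a translation created by outbound traffic exists."""
        for local, glob in {**self.static, **self.dynamic}.items():
            if glob == inside_global:
                return local
        for (local, _lport), (glob, gport) in self.pat.items():
            if (glob, gport) == (inside_global, dport):
                return local
        return None

    def show_translations(self) -> list[str]:
        """Rows in the spirit of 'show ip nat translations' (inside global -> inside local)."""
        rows = [f"{g} -> {l}" for l, g in self.static.items()]
        rows += [f"{g} -> {l}" for l, g in self.dynamic.items()]
        rows += [f"{g}:{gp} -> {l}:{lp}" for (l, lp), (g, gp) in self.pat.items()]
        return rows


if __name__ == "__main__":
    # Constructed topology: one static server mapping plus a two-address dynamic pool.
    r = NatRouter(static={"192.168.10.254": "203.0.113.5"},
                  pool=["203.0.113.10", "203.0.113.11"])
    for host, port in [("192.168.10.10", 40000), ("192.168.10.11", 40001), ("192.168.10.12", 40002)]:
        print(host, "->", r.translate(host, port))   # third host finds the pool exhausted
    print("\n".join(r.show_translations()))
```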

NAT64:

 IPv6 was developed with the intention of making NAT for IPv4 with translation between public
and private IPv4 addresses unnecessary.
 ULA addresses are not meant to provide additional IPv6 address space, or to provide a level of
security; however, IPv6 does provide for protocol translation between IPv4 and IPv6 known as
NAT64.
 NAT for IPv6 is used in a much different context than NAT for IPv4. Dual-stack is when devices
run both IPv4 and IPv6 at the same time.
 Tunneling for IPv6 is the process of encapsulating an IPv6 packet inside an IPv4 packet.

CHAPTER-7 WAN Concepts
Purpose of WANs:

 A WAN is a telecommunications network that spans over a relatively large geographical area. A
WAN operates beyond the geographic scope of a LAN.
 A private WAN is a connection that is dedicated to a single customer. A public WAN
connection is typically provided by an ISP or telecommunications service provider using the
internet.
 WAN topologies are described using a logical topology. WANs are implemented using the
following logical topologies: Point-to-Point, Hub-and-Spoke, Dual-homed, Fully Meshed, and
Partially Meshed.
 Small companies may use a single LAN connected to a wireless router to share data and
peripherals. Connection to the internet is through a broadband service provider.
 An even larger company may require a metropolitan area network (MAN) to interconnect sites
within the city. A MAN is larger than a LAN but smaller than a WAN.
 Site-to-site and remote access Virtual Private Networks (VPNs) enable the company to use the
internet to securely connect with employees and facilities around the world.

WAN Operations:

 Modern WAN standards are defined and managed by a number of recognized authorities:
TIA/EIA, ISO, and IEEE. Most WAN standards focus on the physical layer (OSI Layer 1) and
the data link layer (OSI Layer 2).
 Layer 1 protocols describe the electrical, mechanical, and operational components needed to
transmit bits over a WAN.
 Layer 2 protocols define how data will be encapsulated into a frame.
 The WAN physical layer describes the physical connections between the company network and
the service provider network.
 Serial communication transmits bits sequentially over a single channel. In contrast, parallel
communications simultaneously transmit several bits using multiple wires.
 The two most common types of circuit-switched WAN technologies are PSTN and ISDN.
Packet-switching segments traffic data into packets that are routed over a shared network.
Common types of packet-switched WAN technologies are Ethernet WAN and MPLS.
Traditional WAN Connectivity:

 In the 1980s, organizations needed their networks to connect to the local loop of a service
provider by using dedicated lines or by using switched services from a service provider.
 When permanent dedicated connections were required, a point-to-point link using copper media
was used to provide a pre-established WAN communications path from the customer premises to
the provider network.
 Frame Relay is a simple Layer 2 NBMA WAN technology used to interconnect enterprise
LANs. ATM technology is capable of transferring voice, video, and data through private and
public networks. It is built on a cell-based architecture rather than on a frame-based architecture.

Modern WAN Connectivity:

 Modern WAN connectivity options include dedicated broadband, Ethernet WAN and MPLS
(packet-switched), along with various wired and wireless versions of internet-based broadband.

 MPLS is a high-performance service provider WAN routing technology to interconnect clients.
MPLS supports a variety of client access methods (e.g., Ethernet, DSL, Cable, Frame Relay).
MPLS can encapsulate all types of protocols including IPv4 or IPv6 traffic.

CHAPTER-8 VPN and IPsec Concepts
VPN Technology:

 A VPN is virtual, in that it carries information within a private network, but that information is
actually transported over a public network.
 A VPN is private in that the traffic is encrypted to keep the data confidential while it is
transported across the public network.
 Benefits of VPNs are cost savings, security, scalability, and compatibility.
 VPNs are commonly deployed in one of the following configurations: site-to-site or remote-
access. VPNs can be managed and deployed as enterprise VPNs and service provider VPNs.

Types of VPNs:

 Remote-access VPNs let remote and mobile users securely connect to the enterprise by creating
an encrypted tunnel. Remote access VPNs can be created using either IPsec or SSL.
 SSL uses the public key infrastructure and digital certificates to authenticate peers.
 Site-to-site VPNs are used to connect networks across an untrusted network such as the internet.
 A VPN gateway could be a router or a firewall.
 IPsec VTI simplifies the configuration process required to support multiple sites and remote
access.

Figure 44

IPsec:

 IPsec protects and authenticates IP packets between source and destination. IPsec can protect
traffic from Layer 4 through Layer 7. Using the IPsec framework, IPsec provides confidentiality,
integrity, origin authentication, and secure key exchange (Diffie-Hellman).
 IPsec encapsulates packets using AH or ESP. The degree of confidentiality depends on the
encryption algorithm and the length of the key used in the encryption algorithm.
 The local device derives a hash and encrypts information with its private key. The encrypted
hash is attached to the message and is forwarded to the remote end and acts like a signature.

CHAPTER-9 QoS Concepts
Network Transmission Quality:

 Voice and live video transmissions create higher expectations for quality delivery among users,
and create a need for Quality of Service (QoS).
 Congestion occurs when multiple communication lines aggregate onto a single device such as a
router, and then much of that data is placed on just a few outbound interfaces, or onto a slower
interface.
 Without any QoS mechanisms in place, packets are processed in the order in which they are
received. When congestion occurs, network devices such as routers and switches can drop
packets.
 One QoS technique that can help when the volume of traffic is greater is to classify data into
multiple queues.
 Network congestion points are ideal candidates for QoS mechanisms to mitigate delay and
latency. Two types of delays are fixed and variable.
 Sources of delay are code delay, packetization delay, queuing delay, serialization delay,
propagation delay, and de-jitter delay.

Traffic Characteristics:

 Voice and video traffic are two of the main reasons for QoS. Voice and video can tolerate
a certain amount of latency, jitter, and loss without any noticeable effects.
 Voice traffic is smooth and benign, but it is sensitive to drops and delays.
 Video traffic is bursty, greedy, drop sensitive, and delay sensitive. Without QoS and a
significant amount of extra bandwidth, video quality typically degrades.

Queuing Algorithms:

 Queuing is a congestion management tool that can buffer, prioritize, and, if required, reorder
packets before being transmitted to the destination. Some of the queuing algorithms are as
follows: First-In, First-Out (FIFO), Weighted Fair Queuing (WFQ), Class-Based Weighted Fair
Queuing (CBWFQ), and Low Latency Queuing (LLQ).
 FIFO queuing buffers and forwards packets in the order of their arrival. FIFO has no concept of
priority or classes of traffic and consequently, makes no decision about packet priority.

Figure 45

 WFQ is an automated scheduling method that provides fair bandwidth allocation to all network
traffic.
 WFQ classifies traffic into different flows based on packet header addressing, including such
characteristics as source and destination IP addresses, MAC addresses, port numbers, protocol,
and Type of Service (ToS) value.
 CBWFQ extends the standard WFQ functionality to provide support for user-defined traffic
classes.
 The LLQ feature brings strict priority queuing (PQ) to CBWFQ.

QoS Models:

 There are three models for implementing QoS: Best-effort model, Integrated services
(IntServ), and Differentiated services (DiffServ).
 The Best-effort model is the most scalable but does not guarantee delivery and does not give
any packet preferential treatment.
 The IntServ architecture model was developed to meet the needs of real-time applications.
 The DiffServ QoS model specifies a simple and scalable mechanism for classifying and
managing network traffic. DiffServ divides network traffic into classes based on business
requirements.

QoS Implementation Techniques:

 There are three categories of QoS tools: classification and marking tools, congestion avoidance
tools, and congestion management tools.
 Classification and marking allow us to identify or “mark” types of packets. Classification
determines the class of traffic to which packets or frames belong.
 The marked field is then referred to by receiving devices, which forward the packets based on the
appropriate assigned QoS policy. Six bits of this field are allocated for QoS, and these six bits offer a
maximum of 64 possible classes of service.
 The 64 DSCP values are organized into three categories: Best-Effort (BE), Expedited
Forwarding (EF), Assured Forwarding (AF).
 Congestion management includes queuing and scheduling methods. Congestion avoidance tools
help to monitor network traffic loads.
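The two pieces above, marking (the 6-bit DSCP and its BE/EF/AF categories) and congestion management (LLQ on top of CBWFQ from the Queuing Algorithms section), fit together in one added example. It is not code from the report or from any Cisco product; the class weights, the policed burst and the packet arrivals are constructed, and the scheduler counts packets per round instead of bandwidth percentages.

```python
"""Added example (not from the report): decoding the 6-bit DSCP from the ToS /
Traffic Class byte into the BE / EF / AF categories, then scheduling marked
packets with a model of LLQ (a strict-priority queue on top of class-based
weighted fair queuing).

Assumptions (mine): the scheduler works in rounds, the priority queue is
policed to a fixed number of packets per round, and each other class gets a
fixed number of packets per round in place of a bandwidth percentage.
"""
from collections import deque


def dscp_from_tos(tos: int) -> int:
    """DSCP is the upper 6 bits of the ToS byte; the low 2 bits are ECN, not QoS."""
    return (tos >> 2) & 0x3F


def classify(dscp: int) -> str:
    """Map one of the 64 DSCP values to its category (BE, EF, AFxy, CSx)."""
    if dscp == 0:
        return "BE"                              # best effort (default marking)
    if dscp == 46:
        return "EF"                              # expedited forwarding (voice)
    cls, drop = dscp >> 3, (dscp >> 1) & 0x3     # AFxy = 8*x + 2*y, x in 1..4, y in 1..3
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"AF{cls}{drop}"
    if dscp & 0x7 == 0:
        return f"CS{cls}"                        # class selector (IP precedence compatible)
    return "unassigned"


class LlqScheduler:
    def __init__(self, weights: dict[str, int], priority_burst: int = 2):
        self.weights = dict(weights)             # packets per round per CBWFQ class
        self.weights.setdefault("BE", 1)         # the default class must always get a share
        self.priority_burst = priority_burst     # policer on the strict-priority (EF) queue
        self.queues = {name: deque() for name in ("EF", *self.weights)}

    def enqueue(self, pkt_id: str, tos: int) -> str:
        """Classify on the packet's marking and place it in the matching queue."""
        cat = classify(dscp_from_tos(tos))
        if cat == "EF":
            queue = "EF"
        elif cat[:3] in self.weights:            # AF41 -> class "AF4"
            queue = cat[:3]
        else:
            queue = "BE"                         # unmatched traffic falls into the default class
        self.queues[queue].append(pkt_id)
        return queue

    def drain(self) -> list[str]:
        """Transmission order: EF first every round (up to the policed burst), then
        each class in turn for its weight. Unlike FIFO, arrival order no longer decides."""
        out = []
        while any(self.queues.values()):
            pq = self.queues["EF"]
            for _ in range(min(self.priority_burst, len(pq))):
                out.append(pq.popleft())
            for name, weight in self.weights.items():
                q = self.queues[name]
                for _ in range(min(weight, len(q))):
                    out.append(q.popleft())
        return out


def demo() -> list[str]:
    """Constructed arrivals: FIFO would send them in this order; LLQ does not."""
    sched = LlqScheduler({"AF4": 2, "AF1": 1, "BE": 1}, priority_burst=2)
    arrivals = [("be1", 0), ("af41a", 34 << 2), ("ef1", 46 << 2), ("be2", 0),
                ("af11", 10 << 2), ("ef2", 46 << 2), ("ef3", 46 << 2), ("af41b", 34 << 2)]
    for pkt_id, tos in arrivals:
        sched.enqueue(pkt_id, tos)
    return sched.drain()


if __name__ == "__main__":
    print(demo())
```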

CHAPTER-10 Network Management
Device Discovery with CDP:

 Cisco Discovery Protocol (CDP) is a Cisco proprietary Layer 2 protocol that is used to gather
information about Cisco devices which share the same data link.
 CDP can be used as a network discovery tool to determine the information about the
neighboring devices.
 CDP can assist in network design decisions, troubleshooting, and making changes to equipment.
 show cdp command - To verify the status of CDP and display information about CDP.
 cdp run command - To enable CDP globally.
 cdp enable command - To enable CDP on the specific interface.
 show cdp neighbors command - To verify the status of CDP and display a list of neighbors.

NTP:

 The software clock on a router or switch starts when the system boots and is the primary source of time for
the system. When the time is not synchronized between devices, it will be impossible to determine the
order of the events and the cause of an event.
 NTP allows routers on the network to synchronize their time settings with an NTP server.
 The synchronized time is distributed across the network by using NTP.
 ntp server ip-address command - To configure a device as the NTP server.
 show clock detail command - To verify the time source is set to NTP.
 show ntp associations and show ntp status commands - To verify that a device is
synchronized with the NTP server.

SNMP:

 SNMP allows administrators to manage servers, workstations, routers, switches, and security appliances,
on an IP network.
 SNMP is an application layer protocol that provides a message format for communication between
managers and agents. The SNMP system consists of three elements: SNMP manager, SNMP agents, and
the MIB.
 The SNMP manager can collect information from an SNMP agent by using the “get” action and can
change configurations on an agent by using the “set” action.
 SNMP agents can forward information directly to a network manager by using “traps”. The SNMP
agent responds to SNMP manager Get Request-PDUs and Set Request-PDUs.
 A network management application can collect information to monitor traffic loads and to verify
device configurations of managed devices.
Syslog:

 The most common method of accessing system messages is to use a protocol called Syslog. The syslog
protocol uses UDP port 514 to allow networking devices to send their system messages across the network
to syslog servers.
 The syslog logging service provides three primary functions: gather logging information for monitoring
and troubleshooting, select the type of logging information that is captured, and specify the destinations of
captured syslog messages.
 Destinations for syslog messages include the logging buffer, console line, terminal line, and
syslog servers.

 Syslog facilities identify and categorize system state data for error and event message reporting.
Common syslog message facilities include: IP, OSPF protocol, SYS operating system, IPsec,
and IF.
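What a syslog server actually receives on UDP port 514 is a line with a numeric PRI in front of the IOS message, and the facility and severity in that message are what a collector filters on. The following added example (not from the report, and not a Cisco tool) parses constructed sample lines in that shape and pulls out the errors and the configuration-change events an operator would review.

```python
"""Added example (not from the report): parsing Cisco IOS system messages as a
syslog server receives them over UDP/514, then picking out the ones an
operator would want to act on.

Assumptions (mine): the sample lines below are constructed in the standard
shape '<PRI>seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: text'; PRI is
facility*8 + severity as in RFC 3164, so <189> is local7 (23) at severity 5.
"""
import re
from dataclasses import dataclass
from typing import Optional

SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                           # syslog PRI
    r"(?:(?P<seq>\d+):\s*)?"                         # optional IOS sequence number
    r"(?P<ts>\*?[A-Z][a-z]{2}\s+\d+\s+[\d:.]+):\s*"  # IOS timestamp, e.g. *Mar  1 00:12:04.123
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$")

# Constructed sample messages (addresses from documentation ranges).
SAMPLE_LINES = [
    "<189>45: *Mar  1 00:12:04.123: %SYS-5-CONFIG_I: Configured from console by vty0 (203.0.113.7)",
    "<187>46: *Mar  1 00:12:09.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<189>47: *Mar  1 00:12:11.554: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "<189>48: *Mar  1 00:12:40.010: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired",
    "this line is not a syslog message at all",
]


@dataclass(frozen=True)
class IosMessage:
    syslog_facility: int      # numeric facility from PRI (local7 = 23 is the IOS default)
    severity: int             # 0 (emergencies) .. 7 (debugging)
    facility: str             # IOS facility: SYS, LINK, OSPF, IPSEC, ...
    mnemonic: str             # CONFIG_I, UPDOWN, ADJCHG, ...
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY[self.severity]


def parse_line(line: str) -> Optional[IosMessage]:
    """Return the parsed message, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri, sev = int(m["pri"]), int(m["sev"])
    if pri % 8 != sev:                 # PRI and the in-message severity should agree
        return None                    # treat a mismatch as a malformed line
    return IosMessage(pri // 8, sev, m["fac"], m["mnem"], m["text"])


def at_or_above(lines: list[str], max_severity: int = 3) -> list[IosMessage]:
    """Messages at the given severity or more urgent (lower numbers are more severe)."""
    msgs = (parse_line(line) for line in lines)
    return [m for m in msgs if m and m.severity <= max_severity]


def config_changes(lines: list[str]) -> list[IosMessage]:
    """SYS-5-CONFIG_I records every entry into configuration mode; informational by
    severity, but worth reviewing for change tracking."""
    msgs = (parse_line(line) for line in lines)
    return [m for m in msgs if m and (m.facility, m.mnemonic) == ("SYS", "CONFIG_I")]


if __name__ == "__main__":
    for m in at_or_above(SAMPLE_LINES):
        print(f"{m.severity_name}: %{m.facility}-{m.severity}-{m.mnemonic}: {m.text}")
    for m in config_changes(SAMPLE_LINES):
        print("config change:", m.text)
```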

Router and Switch File Maintenance:

 show file systems command - To


 that must be maintained.
 Select a Cisco IOS image file that meets the requirements in terms of platform, features, and
software.
 Download the file from cisco.com and transfer it to the TFTP server.
 Ping the TFTP server.
 Verify the amount of free flash.
 show flash command - To verify the amount of free flash.

CHAPTER-11 Network Design
Hierarchical Networks:
 Implement multiple links between equipment.
 Use a scalable routing protocol and implement features within that routing protocol.
 Implement wireless connectivity to allow for mobility and expansion.
 Link aggregation, such as EtherChannel, allows an administrator to increase the amount
of bandwidth between devices.
 Link-state routing protocols such as OSPF work well for larger hierarchical networks where
fast convergence is important.

Switch Hardware:

 There are several categories of switches for enterprise networks including campus LAN, cloud-
managed, data center, service provider, and virtual networking.
 Form factors for switches include fixed configuration, modular configuration, and stackable
configuration.
 The thickness of a switch is expressed in number of rack units.
 The port density of a switch refers to the number of ports available on a single switch.
 Business considerations for switch selection include cost, port density, power, reliability, port
speed, frame buffers, and scalability.
Router Hardware:


 Routers use the network portion (prefix) of the destination IP address to route
packets to the proper destination. They select an alternate path if a link or path
goes down.
 All hosts on a local network specify the IP address of the local router interface in their IP
configuration; this router interface is the default gateway.
 Routers also serve other beneficial functions:
• They provide broadcast containment by limiting broadcasts to the local network.
• They interconnect geographically separated locations.
• They group users logically by application or department within a company, who have
common needs or require access to the same resources.
• They provide enhanced security by filtering unwanted traffic through access
control lists.
 Routers come with a variety of different interfaces, such as Fast Ethernet, Gigabit Ethernet,
Serial, and Fiber-Optic.



CHAPTER-12 Network Troubleshooting

Network Documentation:

 Common network documentation includes: physical and logical network topologies, network
device documentation recording all pertinent device information, and network performance
baseline documentation.
 Information found on a physical topology typically includes the device name, device location
(address, room number, rack location, etc.), interface and ports used, and cable type.
 A logical network topology diagram can be useful in identifying key devices and ports to
monitor. The length of time and the baseline information being gathered must be long enough to
determine a “normal” picture of the network.
 When documenting the network, gather information directly from routers and switches using the
show, ping, traceroute, and telnet commands.

Troubleshooting Process:

 The troubleshooting process should be guided by structured methods.


 One method is the seven-step troubleshooting process: 1. Define the problem, 2. Gather
information, 3. Analyze information, 4. Eliminate possible causes, 5. Propose hypothesis, 6. Test
hypothesis, and 7. Solve the problem.
 Use the show, ping, traceroute, and telnet commands to gather information from devices.
 Use the layered models to perform bottom-up, top-down, or divide-and-conquer
troubleshooting.
 Other models include follow-the-path, substitution, comparison, and educated guess.
 Software problems are often solved using a top-down approach while hardware-based problems
are solved using the bottom-up approach.

Troubleshooting Tools:

 Common software troubleshooting tools include NMS tools, knowledge bases, and baselining
tools.
 A protocol analyzer, such as Wireshark, decodes the various protocol layers in a recorded
frame and presents this information in an easy to use format.
 Hardware troubleshooting tools include digital multimeters, cable testers, cable analyzers,
portable network analyzers, and Cisco Prime NAM.
 A syslog server can also be used as a troubleshooting tool by implementing a logging facility for
network troubleshooting.

Symptoms and Causes of Network Problems:

 Failures and suboptimal conditions at the physical layer usually cause networks to shut down.
 Network administrators must have the ability to effectively isolate and correct problems at this
layer.
 Symptoms include performance lower than baseline, loss of connectivity, congestion, high CPU
utilization, and console error messages.
 The causes are usually power-related, hardware faults, cabling faults, attenuation, noise,
interface configuration errors, exceeding component design limits, and CPU overload.

Troubleshooting IP Connectivity:

 Diagnosing and solving problems is an essential skill for network administrators. By employing
a structured approach to the troubleshooting process, an administrator can reduce the time it
takes to diagnose and solve a problem.
 End-to-end connectivity problems are usually what initiates a troubleshooting effort. Two of the
most common utilities used to verify a problem with end-to-end connectivity are ping and
traceroute.
 Step 1: Verify the physical layer.
 Step 2: Check for duplex mismatches.
 Step 3: Verify addressing on the local network.
 Step 4: Verify the default gateway.
 Step 5: Verify correct path.
 Step 6: Verify the transport layer.
 Step 7: Verify ACLs.
 Step 8: Verify DNS.

CHAPTER-13 Network Virtualization
Cloud Computing:

 Cloud computing involves large numbers of computers connected through a network that can be
physically located anywhere. Cloud computing can reduce operational costs by using resources
more efficiently.
 Cloud computing addresses a variety of data management issues:
• It enables access to organizational data anywhere and at any time.
• It streamlines the organization’s IT operations by subscribing only to needed services.
• It eliminates or reduces the need for onsite IT equipment, maintenance, and
management.
• It reduces cost for equipment, energy, physical plant requirements, personnel training
needs.
• It enables rapid responses to increasing data volume requirements.
 The three main cloud computing services defined by the National Institute of Standards and
Technology (NIST) are Software as a Service (SaaS), Platform as a Service (PaaS), and
Infrastructure as a Service (IaaS).
 The four types of clouds are public, private, hybrid, and community.

Figure 49

Virtualization:

 Virtualization is the foundation of cloud computing. Virtualization separates the operating system (OS)
from the hardware.
 When a component fails, the service that is provided by this server becomes unavailable. This is known as
a single point of failure.
 Another problem with dedicated servers is that they often sit idle for long periods of time, which wastes
energy and resources.
 Virtualization reduces costs because less equipment is required, less energy is consumed, and less space is
required. It provides for easier prototyping, faster server provisioning, increased server uptime, improved
disaster recovery, and legacy support.

 A Type 2 hypervisor is software that creates and runs VM instances.
 A computer system consists of the following abstraction layers: services, OS, firmware, and hardware.
With Type 1 hypervisors, the hypervisor is installed directly on the server or networking hardware.

Virtual Network Infrastructure:

 Type 1 hypervisors are also called the “bare metal” approach because the hypervisor is installed
directly on the hardware. They improve scalability, performance, and robustness.
 Type 1 hypervisors require a “management console” to manage the hypervisor.
 The management console provides recovery from hardware failure.
 Server virtualization hides server resources, such as the number and identity of physical servers,
processors, and OSs from server users.

Software-Defined Networking:

 Two major network architectures have been developed to support network virtualization:
Software-Defined Networking (SDN) and Cisco Application Centric Infrastructure (ACI).
 SDN is an approach to networking where the network is software programmable remotely.
Components of SDN may include OpenFlow, OpenStack, and other components.
 Network administrators use applications such as Secure Shell (SSH), Trivial File Transfer
Protocol (TFTP), Secure FTP, and Secure Hypertext Transfer Protocol (HTTPS) to access the
management plane and configure a device. Protocols like Simple Network Management Protocol
(SNMP) use the management plane.

Controllers:

 The SDN controller is a logical entity that enables network administrators to manage and dictate
how the data plane of switches and routers should handle network traffic.
 The SDN controller defines the data flows between the centralized control plane and the data
planes on individual routers and switches.
 Device-based SDN is when the devices are programmable by applications running on the device
itself or on a server in the network.
 Controller-based SDN uses a centralized controller that has knowledge of all devices in the
network.
 Policy-based SDN is similar to controller-based SDN where a centralized controller has a view
of all devices in the network.

CHAPTER-14 Network Automation
Automation Overview:

 Automation is any process that is self-driven, reducing and potentially eliminating, the need for
human intervention.
 Whenever a course of action is taken by a device based on an outside piece of information, then
that device is a smart device.
 For smart devices to “think”, they need to be programmed using network automation tools.
Data Formats:

 Data formats are simply a way to store and interchange data in a structured format. One such
format is called Hypertext Markup Language (HTML).
 Common data formats that are used in many applications including network automation and
programmability are JavaScript Object Notation (JSON), Extensible Markup Language (XML),
and YAML Ain’t Markup Language (YAML).
 Data formats have rules and structure similar to what we have with programming and written
languages.

APIs:

 An API is a set of rules describing how one application can interact with another, and the
instructions to allow the interaction to occur.
 Open/Public APIs are, as the name suggests, publicly available.
 Internal/Private APIs are used only within an organization.
 Partner APIs are used between a company and its business partners.
 There are four types of web service APIs: Simple Object Access Protocol (SOAP),
Representational State Transfer (REST), Extensible Markup Language-Remote Procedure Call
(XML-RPC), and JavaScript Object Notation-Remote Procedure Call (JSON-RPC).

REST:

 A REST API defines a set of functions developers can use to perform requests and receive
responses via HTTP methods such as GET and POST.
 Conforming to the constraints of the REST architecture is generally referred to as being
“RESTful”.


 RESTful APIs use common HTTP methods including POST, GET, PUT, PATCH and DELETE.
These methods correspond to RESTful operations: Create, Read, Update, and Delete (or CRUD).
 Web resources and web services such as RESTful APIs are identified using a URI.
 A URI has two specializations, Uniform Resource Name (URN) and Uniform Resource Locator
(URL).
 In a RESTful Web service, a request made to a resource's URI will elicit a response. The
response will be a payload typically formatted in JSON. The different parts of the API request
are API server, Resources, and Query. Queries can include format, key, and parameters.
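To show the method-to-CRUD mapping, the URI parts (API server, resource, query) and the JSON payloads working together, here is an added example (not from the report and not a real Cisco API) of a small in-memory RESTful device inventory. The server name api.example.com is a placeholder and the device records are constructed; it also shows the difference between PUT (full replacement) and PATCH (partial update), which the report lists but does not spell out.

```python
"""Added example (not from the report): a tiny in-memory RESTful service for a
device inventory, showing how the HTTP methods map onto CRUD and how a
resource URI plus JSON payload make up a request and response.

Assumptions (mine): no real HTTP server, just a function that takes
(method, uri, body); the API server https://api.example.com is a placeholder.
"""
import json
from urllib.parse import parse_qs, urlparse

API_SERVER = "https://api.example.com"   # placeholder server name, not a real endpoint


class DeviceApi:
    """Constructed service; resources: /v1/devices and /v1/devices/<hostname>."""

    def __init__(self) -> None:
        self.devices: dict[str, dict] = {}

    def request(self, method: str, uri: str, body: str = "") -> tuple[int, str]:
        """Handle one request and return (HTTP status, JSON response payload)."""
        url = urlparse(uri)                                   # server / resource / query
        parts = url.path.strip("/").split("/")
        query = {k: v[0] for k, v in parse_qs(url.query).items()}
        if parts[:2] != ["v1", "devices"] or len(parts) > 3:
            return 404, json.dumps({"error": "unknown resource"})
        name = parts[2] if len(parts) == 3 else None
        payload = json.loads(body) if body else {}

        if name is None:                                      # collection resource
            if method == "GET":                               # Read: list, optionally filtered
                items = [d for d in self.devices.values()
                         if "role" not in query or d.get("role") == query["role"]]
                return 200, json.dumps(items)
            if method == "POST":                              # Create
                host = payload.get("hostname")
                if not host:
                    return 400, json.dumps({"error": "hostname required"})
                if host in self.devices:
                    return 409, json.dumps({"error": "already exists"})
                self.devices[host] = payload
                return 201, json.dumps(payload)
            return 405, json.dumps({"error": "method not allowed"})

        exists = name in self.devices                          # item resource
        missing = json.dumps({"error": "no such device"})
        if method == "GET":                                    # Read one
            return (200, json.dumps(self.devices[name])) if exists else (404, missing)
        if method == "PUT":                                    # Update by full replacement
            self.devices[name] = {**payload, "hostname": name}
            return (200 if exists else 201), json.dumps(self.devices[name])
        if method == "PATCH":                                  # Update only the fields sent
            if not exists:
                return 404, missing
            self.devices[name].update(payload)
            return 200, json.dumps(self.devices[name])
        if method == "DELETE":                                 # Delete
            if not exists:
                return 404, missing
            del self.devices[name]
            return 204, ""
        return 405, json.dumps({"error": "method not allowed"})


def demo() -> list[int]:
    """Walk one constructed device through Create, Read, Update (PATCH, then PUT) and Delete."""
    api = DeviceApi()
    base = f"{API_SERVER}/v1/devices"
    r1 = json.dumps({"hostname": "R1", "role": "core", "mgmt": "192.0.2.1"})
    steps = [
        ("POST", base, r1), ("POST", base, r1),                 # second create conflicts
        ("GET", f"{base}/R1", ""),
        ("PATCH", f"{base}/R1", json.dumps({"role": "distribution"})),
        ("PUT", f"{base}/R1", json.dumps({"role": "access"})),  # replaces the record, drops "mgmt"
        ("GET", f"{base}?role=access", ""),
        ("DELETE", f"{base}/R1", ""), ("GET", f"{base}/R1", ""),
    ]
    return [api.request(*step)[0] for step in steps]


if __name__ == "__main__":
    print(demo())
```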

Figure 50

Configuration Management Tools:

 There are now new and different methods for network operators to automatically monitor,
manage, and configure the network. These include protocols and technologies such as REST,
Ansible, Puppet, Chef, Python, JSON, XML, and more.
 Configuration management tools use RESTful API requests to automate tasks and scale across
thousands of devices.
 Characteristics of the network that benefit from automation include software and version control,
device attributes such as names, addressing, and security, protocol configurations, and ACL
configurations. Configuration management tools typically include automation and orchestration.

IBN and CISCO DNA Center:

 The physical and virtual network infrastructure is a fabric. The term fabric describes an overlay
that represents the logical topology used to virtually connect to devices.
 The underlay network is the physical topology that includes all hardware required to meet
business objectives.
 Cisco implements the IBN fabric using Cisco DNA. The business intent is securely deployed
into the network infrastructure (the fabric).
 Cisco DNA then continuously gathers data from a multitude of sources to provide a rich context
of information. Cisco DNA Center is the foundational controller and analytics platform at the
heart of Cisco DNA.
 Cisco DNA Center is a network management and command center for provisioning and
configuring network devices. It is a single interface hardware and software platform that focuses
on assurance, analytics, and automation.
 IBN builds on SDN, taking a software-centric, fully automated approach to designing and
operating networks. Cisco views IBN as having three essential functions: translation, activation,
and assurance.




CONCLUSION

 The modules in this course provide a basic understanding of networking, basic
knowledge about WLAN and network security concepts, information about
advanced functionalities of switches and routers, and basic knowledge about
virtualization and automation.
 Networking is an ever-growing domain. Networks are progressively becoming more
and more complex as the technology advances and flourishes. Several job
designations exist in computer networking. A career in networking requires a
person to be on par with the latest trends in technology. An educational degree
and experience certification demonstrate one’s commitment and learning ability
and take the person a step further towards their career.
 This Industrial Training helped me to improve my knowledge and skills in
networking. Hence, the Industrial Training of CISCO CCNA v7 is successfully
completed with the cooperation of The Principal, Head of the CM.E Department,
Instructor, and Teaching Staff of the CM.E Department.

BIBLIOGRAPHY

REFERENCE WEBSITES:

 CISCO NETWORKING ACADEMY

 https://www.netacad.com
