CCNA SP 640-875 SPNGN1 Study Notes - certmaniacscertmaniacs.com/wp-content/uploads/2015/01/SPNGN1-Study-Notes... · CCNA SP 640-875 SPNGN1 Study Notes Cisco IP NGN Architecture: Application

Mar 20, 2018


CCNA SP 640-875 SPNGN1 Study Notes

Cisco IP NGN Architecture:

Application Layer: Mobile Access, Residential Access, Business Access

Services Layer: Mobile Services, Video Services, Cloud Services

Cisco IP NGN Infrastructure Layer: Access, Aggregation, IP Edge, Core

Full Mesh Topology: n * (n-1) / 2

OSI Model:

Application

Presentation

Session

Transport

Network

Data Link

Physical

Ports

20/21 - TCP - FTP

22 - TCP - SSH

23 - TCP - Telnet

25 - TCP - SMTP

53 - UDP, TCP - DNS

67, 68 - UDP - DHCP

69 - UDP - TFTP

80 - TCP - HTTP

110 - TCP - POP3

161 - UDP - SNMP

443 - TCP - SSL (HTTPS)

IP Theory


TCP/IP Stack:

Application (5-7)

Transport (4)

Internet (3)

Network Access (1 and 2)

IPv4

IPv4 Classes

Class A - 1.0.0.0 - 126.255.255.255

Class B - 128.0.0.0 - 191.255.255.255

Class C - 192.0.0.0 - 223.255.255.255

Class D - 224.0.0.0 - 239.255.255.255

Class E - 240.0.0.0 - 255.255.255.255

IPv4 Private Address Ranges

Class A - 10.0.0.0 - 10.255.255.255

Class B - 172.16.0.0 - 172.31.255.255

Class C - 192.168.0.0 - 192.168.255.255

Auto Configuration Addresses: 169.254.0.0 - 169.254.255.255
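The class boundaries, private ranges and auto-configuration range above can be checked programmatically. The following is an added example, not part of the study notes: it classifies an IPv4 address by its first octet exactly as the tables list them, and reports whether the address falls in the matching private range or in 169.254.0.0/16. The function names and the sample addresses are constructed for this example.

```python
"""Classify IPv4 addresses against the class and private ranges in the notes.

Added example (not part of the study notes). The boundaries below are the
ones the notes list; nothing else is assumed.
"""
import ipaddress

# First-octet boundaries per class, as tabulated in the notes (127 is skipped
# by the notes because 127.0.0.0/8 is the loopback range).
CLASS_BOUNDS = (("A", 1, 126), ("B", 128, 191), ("C", 192, 223),
                ("D", 224, 239), ("E", 240, 255))

# Private ranges (RFC 1918) as listed in the notes, keyed by class.
PRIVATE_RANGES = {
    "A": ipaddress.ip_network("10.0.0.0/8"),
    "B": ipaddress.ip_network("172.16.0.0/12"),
    "C": ipaddress.ip_network("192.168.0.0/16"),
}
# Auto-configuration (link-local) range from the notes.
AUTO_CONFIG = ipaddress.ip_network("169.254.0.0/16")


def ipv4_class(addr: str) -> str:
    """Return the classful letter for addr, or a label for the two gaps."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet == 0:
        return "reserved"          # 0.0.0.0/8, not in any class in the notes
    if first_octet == 127:
        return "loopback"          # 127.0.0.0/8, the gap between A and B
    for letter, low, high in CLASS_BOUNDS:
        if low <= first_octet <= high:
            return letter
    raise ValueError(f"unclassifiable address {addr}")


def describe(addr: str) -> dict:
    """Class plus whether the address is RFC 1918 private or auto-config."""
    ip = ipaddress.IPv4Address(addr)
    letter = ipv4_class(addr)
    private_net = PRIVATE_RANGES.get(letter)
    return {
        "address": addr,
        "class": letter,
        "private": private_net is not None and ip in private_net,
        "auto_config": ip in AUTO_CONFIG,
        "multicast": letter == "D",
    }


if __name__ == "__main__":
    # Constructed sample addresses covering each row of the notes' tables.
    for sample in ("10.1.2.3", "172.32.0.1", "192.168.5.9", "169.254.10.5",
                   "224.0.0.9", "8.8.8.8"):
        print(describe(sample))
```

Note that 172.32.0.1 is class B but outside 172.16.0.0/12, so it is not private, and 169.254.x.x is class B by first octet yet is an auto-configuration address; the two tables answer different questions.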

IPv6

-128 bits, written as 8 fields of 16 bits each (4 hex characters per field)

-leading 0s in a field are optional

-once per address successive fields of zeroes can be represented as a double colon

-Dynamic stateful (DHCPv6), dynamic stateless (auto config with 64 bit interface ID)

-uses router solicitation (RS) and router advertisements (RA) for router and prefix discovery*

-neighbor discovery protocol replaces IPv4 ARP functions*

-IPv6 loopback: ::1

Link-Local Addresses


-All IPv6 interfaces must have one

-for addressing on a single link (scope is limited to the link)

-created dynamically by using prefix FE80::/10 and a 64 bit interface ID

-used for auto address config, neighbour discovery, and router discovery (many routing protocols can use them)

Global Unicast

-/48 assigned to a site, 16 bit subnet used to identify links in a site

-stateless auto config using 64 bit interface ID

-200X:: onwards (IANA assignments)

Unique Local

-fd00::/8 prefix, site-specific scope but almost assured to be globally unique

-after prefix is a 40 bit pseudo random global ID, then a 16 bit subnet, then a 64 bit interface ID
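The text rules above (optional leading zeros, one :: per address, FE80::/10 link-local built from a 64 bit interface ID) are easy to state and easy to get wrong by hand. The following is an added example, not part of the study notes: it expands and compresses IPv6 addresses by those rules, tests for the link-local prefix, and derives a link-local address from a MAC with the EUI-64 method (split the MAC, insert ff:fe, flip the universal/local bit). Function names and the sample MAC are constructed for the example.

```python
"""IPv6 text rules from the notes, implemented as plain functions.

Added example; not part of the study notes. Covers the two compression rules
(drop leading zeros, one '::' for a zero run), the FE80::/10 link-local test,
and building a link-local address from a MAC with EUI-64.
"""


def expand_ipv6(addr: str) -> list[int]:
    """Return the eight 16-bit fields of a (possibly compressed) address."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once per address")
    if "::" in addr:
        head, tail = addr.split("::")
        head_fields = [f for f in head.split(":") if f]
        tail_fields = [f for f in tail.split(":") if f]
        missing = 8 - len(head_fields) - len(tail_fields)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero field")
        fields = head_fields + ["0"] * missing + tail_fields
    else:
        fields = addr.split(":")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}")
    return [int(f, 16) for f in fields]


def compress_ipv6(addr: str) -> str:
    """Canonical text form: leading zeros dropped, longest zero run -> '::'."""
    fields = expand_ipv6(addr)
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, value in enumerate(fields):
        if value == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len > best_len:          # strict '>' keeps the leftmost run on ties
                best_start, best_len = run_start, run_len
        else:
            run_len = 0
    text = [format(v, "x") for v in fields]  # format() drops leading zeros
    if best_len < 2:                          # a lone zero field is written as '0'
        return ":".join(text)
    head = ":".join(text[:best_start])
    tail = ":".join(text[best_start + best_len:])
    return f"{head}::{tail}"


def is_link_local(addr: str) -> bool:
    """FE80::/10: the top ten bits of the first field are 1111 1110 10."""
    return expand_ipv6(addr)[0] & 0xFFC0 == 0xFE80


def eui64_link_local(mac: str) -> str:
    """Link-local address from a MAC (Cisco dotted or colon form) via EUI-64."""
    raw = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    # OUI half | ff fe | vendor half, then flip the universal/local bit (0x02)
    eui = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    fields = [0xFE80, 0, 0, 0] + [int.from_bytes(eui[i:i + 2], "big") for i in range(0, 8, 2)]
    return compress_ipv6(":".join(format(v, "x") for v in fields))


if __name__ == "__main__":
    print(compress_ipv6("2001:0db8:0000:0000:0000:0000:0000:0001"))
    print(eui64_link_local("0000.1111.aaaa"))   # constructed sample MAC
```

Two details the notes leave implicit: a single zero field is written as 0 rather than ::, and when two zero runs tie in length the leftmost is compressed (both are RFC 5952 conventions).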

IPv6 Multicast:

-replaces broadcast, one-to-many

-FFxy format

FF01::1 All MC hosts

FF01::2 All MC Routers

FF02::5/6 OSPFv4

FF02::9 RIPng

FF02::A EIGRP

DNS

-A record: name to IPv4 address

-AAAA record: name to IPv6 address

-MX record - IP address of mail server

-Top of DNS hierarchy are 13 server clusters (root servers), followed by: primary authoritative DNS, secondary authoritative DNS, caching DNS, client-based DNS resolver library

-there are primary and secondary servers at each hierarchy level

TCP

-Three-way handshake to begin: SYN, SYN ACK, established


-Connection teardown: FIN, ACK then FIN ACK, send return ACK

-TCP Acknowledgement Example:

Sender A: Send 1

Receiver B: Receive 1, send ACK 2

A: Receive ACK 2, Send 2

B: Receive 2, send ACK 3

A: Receive ACK 3, Send 3

B: Receive 3, send ACK 4

-Windowing allows the sender to send multiple packets without an acknowledgment and controls the transmission rate to prevent data loss; windows can slide (grow and shrink in size)

MAC Addressing Theory

-2 components: 24 bit OUI indicating the manufacturer (with broadcast and local bits in front), 24 bit vendor-assigned second half

Address Resolution Protocol ARP: Mapping IP address to a MAC address

-ARP table is generally dynamic and default table entry hold time is 300 seconds

-ARP MAC Broadcast: FFFF.FFFF.FFFF

Network Security

-Hardware threats - access to equipment

-Environmental threats - temperature and humidity control, remove EMI

-Electrical threats - install UPS, backup generator, and redundant power. Test these regularly

-Maintenance threats - ESD, label equipment, maintain stock of critical spares, mind hardware threats

-Reconnaissance Attack - discovery and mapping of systems/services/vulnerabilities: what ports are open, what IPs are live, etc.

-CIA: Confidentiality: only authorized users allowed; Integrity: only authorized people can CHANGE data; Availability: uninterrupted access for authorized users

Cisco Network Foundation

Control Plane: ability to route traffic (protected by routing protocol authentication)*

Management plane: ability to manage device

Data Plane: ability to forward data

Classes of Attack: Passive (analysis, monitoring), Active (circumvent or break protection, introduce malicious code, steal or modify data), Close-in (gaining physical proximity), Insider, Distributed (DDoS)

Switching Theory

LAN Specifications:


802.3u: 100BASE-TX, 100BASE-T4, 100BASE-FX

802.3z: 1000BASE-X

802.3ab: 100BASE-T

CSMA/CD: Carrier Sense Multiple Access with Collision Detection; when a collision is detected, a jamming signal is sent and random backoff timers are used

Standard | Media | Max distance | Connector

100BASE-TX | Cat 5 UTP, 2 pair | 100m | RJ-45

100BASE-T | Cat 5 UTP, 4 pair | 100m | RJ-45

1000BASE-SX | 50 or 62.5 micron MMF | 275m (62.5) or 550m (50) | N/A

1000BASE-LX | 9 micron SMF | 3-10km | N/A

10GBASE-SR | 62.5 or 50 micron MMF | 26-82m (62.5) or 300m (50) | N/A

10GBASE-LR | 9 micron SMF | 10-25km | N/A

40GBASE | SMF | 10km | N/A

100GBASE | SMF | 40km | N/A

Unshielded Twisted Pair (UTP)

Cat 1: telephone communication, not suitable for data

Cat 2: data at speeds up to 4Mbps

Cat 3: used in 10BASE-T networks, up to 10Mbps

Cat 4: Used in Token Ring networks, up to 16Mbps

Cat 5: Capable of transmitting data up to 100 Mbps

Cat 5e: up to 1000Mbps

Cat 6: 4 pairs of 24 gauge copper wire, up to 1Gbps

Cat 7: up to 10Gbps

Straight and Crossover Cabling

-switches/hubs are crossed internally

-'like' devices need a crossover to connect

-Auto MDIX determines the required cable connection

Examples:


Switch to Router - Straight

Switch to PC or Server - Straight

Switch to Switch - Crossover

Router to Router - Crossover

Router Ethernet Port to PC NIC - Crossover

PC to PC - Crossover

DWDM - Dense Wavelength Division Multiplexing, passively combining multiple wavelengths by color so they do not interfere with one another. Increases bandwidth over fiber

Hubs, Bridges, and Switches

Hubs

-Regenerates signal (extends it)

-connects multiple devices and makes them act as a single network segment

-Every signal is sent out every port, creates many collisions

-not really used anymore

Bridge

-connects multiple network segments at layer 2

-has only a few ports

-not used anymore

Switch

-same function as bridge, more ports though

-mixture of port speeds

-fast internal switching

-internal frame buffer

-Advanced functions: VLANs, trunking, security, media rate adaptation, CoS (layer 2 version of QoS), port buffers, high port density

Types of Switching

Cut-Through: acts upon data as soon as it's received (does not wait for complete transmission). No error checking

Store and Forward: stores data in buffers until the complete frame is received, and during this process analyzes the frame for info about its destination. In this process, also performs an error check

Fragment-Free: ensures enough bytes are read from the source to detect a collision before forwarding. Cisco's preferred method

Collision/Broadcast Domains

Hub Port: All hubs ports are in the SAME collision and broadcast domains

Switch port: each switchport is an individual collision domain, but all ports on a switch are part of ONE broadcast domain

Router Port: Each port is a broadcast/collision domain

Connecting to a Cisco Device

Console terminal

-Rollover cable

-terminal program with the following settings: Speed 9600bps, Data bits: 8, Parity: none, Stop bit: 1, Flow control: none

Router/Switch Internal Components

RAM: stores running-config, routing tables, and packet buffers

ROM: microcode for basic function: bootstrap code, POST, ROMMON

Flash memory: storing IOS image

NVRAM: start-up config

Editing Commands

Ctrl-A: moves to beginning of command line

Ctrl-E: moves to the end of the command line

Esc-B: Move back one word

Esc-F: Move forward one word

Ctrl-B: Move back one character

Ctrl-F: Move forward one character

Ctrl-D: Delete a single character

Tab: Completes command

Ctrl-P or Up Arrow: Recalls last command

Ctrl-N or Down Arrow: Recalls more recent commands


show history: Shows command buffer contents

terminal history <size lines>: sets session command buffer size

General Cisco Config

show flash: displays contents of flash memory

show version: displays config of the system hardware including: IOS software release, platform, uptime

copy tftp: run (config stored on the TFTP server merges into the running config)*

erase start: removes start-up configuration

Boot-up Sequence

1. Perform POST

2. Load and run bootstrap code

3. Find the IOS software

4. Load the IOS software

5. Find the config

6. Load the config

7. Run the configured IOS software

Finding Cisco IOS Image

1. Checks config register

2. Parses config for boot system command

3. Defaults to first file in flash memory

4. Attempts to boot from network server

5. Boot helper image

6. ROMMON

0x2100: ROMMON

0x2101: Boot Helper


0x2102 to 0x210F: Normal Boot

0x2142: Bypass start-up config

To access ROMMON: with console cable, reboot router, WITHIN 30 SECONDS use the break key to bypass passwords

Basic Switch Config Commands

(config)hostname CiscoSwitch

(config)ip domain name <name>

(config)ip default-gateway <ip address>

Switch Security

Configuring Passwords

(config)line console 0

(config-line)login

(config-line)password cisco

(config)line vty 0 4 (then same as above; note there are normally 16 vty lines in total)

(config)enable password cisco

(config)service password-encryption

(config)enable secret ottawa

Telnet and SSH

-Telnet is in plain text, avoid using it

Enabling SSH:

(config)ip domain-name cisco.com

(config)crypto key generate rsa (you are then prompted to set key size)

(config)username cisco password cisco (creates a user account; when used, will force the user to enter the username and the password)

(config)ip ssh version 2

(config)line vty 0 15

(config-line)login local (forces the use of username AND password)


(config-line)transport input ssh (allows ONLY SSH, no telnet)

show ip ssh - verifies SSH is enabled and which version

show ssh - shows connected SSH sessions

ssh -l <username> <ip address> (SSH from one Cisco device to another)

Port Security

-remember to shut down unused ports

(config)int fa0/1

(config-if)switchport port-security

(config-if)switchport port-security maximum 2 (sets number of MACs allowed to be learned/set)

(config-if)switchport port-security mac-address 0000.1111.aaaa

(config-if)switchport port-security mac-address 0000.1111.bbbb

(config-if)switchport port-security violation shutdown (other options: protect, which drops offending frames, or restrict, which drops them and creates logs/SNMP traps)

show port-security int gi0/1

show port-security

(config)int fa0/2

(config-if)switchport port-security mac-address sticky (learns the connected MAC address)

show port-security address
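The three violation modes differ only in what happens to the frame that exceeds the maximum and whether anyone is told. The following is an added example, not part of the study notes and not Cisco code: a small model of a secured port that applies the maximum, the static and sticky entries, and the violation mode to a sequence of source MACs, and that shows which learned entries would survive in the running config (sticky ones) and which would not. The class, method names and the "[simulated]" log text are constructed for this example.

```python
"""Model of switchport port-security behaviour described in the notes.

Added example, not from the notes or from Cisco: a small simulation of how a
port with 'maximum N', static/sticky secure MACs and a violation mode
(protect / restrict / shutdown) treats incoming frames. Log text is
constructed for the simulation, not real IOS syslog output.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # protect | restrict | shutdown
    sticky: bool = False             # switchport port-security mac-address sticky
    static_macs: set = field(default_factory=set)
    learned_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violation_count: int = 0
    log: list = field(default_factory=list)

    def __post_init__(self):
        if self.violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode {self.violation}")

    def _table_size(self) -> int:
        return len(self.static_macs) + len(self.learned_macs)

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        if self._table_size() >= self.maximum:
            raise ValueError("secure address table already holds 'maximum' entries")
        self.static_macs.add(mac.lower())

    def ingress(self, src_mac: str) -> str:
        """Return the port's action for a frame from src_mac."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "err-disabled"       # shutdown mode already tripped; nothing passes
        if mac in self.static_macs or mac in self.learned_macs:
            return "forward"
        if self._table_size() < self.maximum:
            self.learned_macs.add(mac)  # room left: learn it (dynamic or sticky)
            return "forward"
        # Unknown MAC with the table full: a violation.
        self.violation_count += 1
        if self.violation == "protect":
            return "drop"               # silently discarded, no notification
        self.log.append(f"[simulated] {self.name}: violation by {mac}")  # restrict and shutdown notify
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True        # shutdown: port goes err-disabled
        return "err-disabled"

    def running_config(self) -> list[str]:
        """Lines that persist: sticky-learned MACs are saved, dynamic ones are not."""
        lines = [f"interface {self.name}", " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        lines += [f" switchport port-security mac-address {m}" for m in sorted(self.static_macs)]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in sorted(self.learned_macs)]
        return lines


if __name__ == "__main__":
    port = SecurePort("Fa0/1", maximum=2, violation="shutdown")
    port.add_static("0000.1111.aaaa")       # constructed MACs, as in the notes
    port.add_static("0000.1111.bbbb")
    for mac in ("0000.1111.aaaa", "0000.1111.cccc", "0000.1111.aaaa"):
        print(mac, "->", port.ingress(mac))
```

The shutdown case is the one to notice operationally: after the violating frame, the legitimate hosts on that port are cut off too until the port is recovered, which is the trade-off against protect (silent) and restrict (logged but still up).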

Switched Network Optimization

Speed and Duplex

-speed and duplex must match on each side (for example, one side cannot be the only one set to auto)

-full duplex is collision free

-set duplex THEN speed

show int fa0/1

show ip int br

Cisco ME 3400 Port Types

Network to Network Int, NNI: -prior to 12.2 only four ports can be NNI, newer versions ALL can be

-these are ports connected to devices such as routers or other switches


User Network Int, UNI: -no switching of local traffic

-no control plane data (CDP, STP, LACP, PAgP)

-connects to hosts like PC or Cisco IP phone

Enhanced Network Interface: -same functionality as UNI ports

-some support for additional protocols not on UNI: CDP, STP, LACP, PAgP

Control Plane: Route Table, ARP Table, CPU, IOS

Data Plane: FIB (TCAM, route table ASIC), Adj DB (CAM, MAC table ASIC)

Configuring Port Type

(config-if)port-type nni (other options: UNI or ENI)

Spanning Tree Protocol (STP)

-broadcast storms: bridges flood broadcasts endlessly

-multiple frame transmission: multiple copies of the same frame can cause unrecoverable errors

-MAC database instability

-STP provides loop free topology by placing some ports in blocking state

-originally 802.1D specification

-MST and PVRST+ are predominant STPs

-RSTP - 802.1w, improves convergence by adding roles to ports and enhancing BPDU exchanges

-PVST+: Cisco enhancement that provided separate 802.1D ST for each VLAN configured

-Rapid PVST+: Cisco enhancement of RSTP using PVST+

Determining Root Bridge:

1. Lowest Bridge ID: Priority. Extended System (VLAN). Base MAC.

2. Lowest Aggregate Root Path Cost: 10 Gbps=2, 1 Gbps=4, 100 Mbps=19, 10 Mbps=100

3. Lowest Sender's Bridge ID


4. Lowest Port ID

Spanning Tree Convergence:

1. Elect one root bridge per broadcast domain (per VLAN), all ports on this are designated

2. Elect one root port per non-root bridge

3. Elect one designated port per segment

4. Non-designated ports are blocking logically

802.1D Port Roles: Root, Designated, Non-Designated

Port States: Discarding, Listening, Learning, Forwarding

802.1w (RSTP): Root, Designated, Alternate, Backup

Port States: Discarding, Learning, Forwarding
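The four election rules and the four convergence steps above can be run on a small topology. The following is an added example, not part of the study notes: bridge IDs compare as (priority + extended system ID, base MAC), root path costs use the cost table from the notes, and ties are broken by sender bridge ID and then sender port ID. The class and method names are constructed, port IDs are plain integers because the notes do not give a format, and the three-switch triangle is a constructed sample.

```python
"""Root-bridge election and port roles from the notes' rules, as a simulation.

Added example, not from the study notes. Bridge IDs compare as
(priority + extended system ID (VLAN), base MAC); path costs use the table in
the notes; ties are broken by sender bridge ID, then sender port ID.
"""
import heapq

LINK_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}   # Mbps -> STP cost (from the notes)


def bridge_id(priority: int, vlan: int, mac: str) -> tuple:
    """STP compares the 16-bit priority field (priority + VLAN) then the MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return (priority + vlan, int(mac.replace(".", "").replace(":", ""), 16))


class SpanningTree:
    def __init__(self, vlan: int = 1):
        self.vlan = vlan
        self.bridges: dict[str, tuple] = {}        # name -> bridge ID
        self.links: list[tuple] = []               # (a, port_a, b, port_b, cost)

    def add_bridge(self, name: str, mac: str, priority: int = 32768) -> None:
        self.bridges[name] = bridge_id(priority, self.vlan, mac)

    def add_link(self, a: str, port_a: int, b: str, port_b: int, mbps: int) -> None:
        self.links.append((a, port_a, b, port_b, LINK_COST[mbps]))

    def _neighbors(self, name):
        """Yield (my_port, neighbor, neighbor_port, link_cost) for each link on name."""
        for a, pa, b, pb, cost in self.links:
            if a == name:
                yield pa, b, pb, cost
            elif b == name:
                yield pb, a, pa, cost

    def root_bridge(self) -> str:
        """Step 1: lowest bridge ID wins."""
        return min(self.bridges, key=self.bridges.get)

    def root_path_costs(self) -> dict:
        """Lowest aggregate cost from each bridge to the root (Dijkstra)."""
        root = self.root_bridge()
        cost = {root: 0}
        heap = [(0, root)]
        while heap:
            c, node = heapq.heappop(heap)
            if c > cost[node]:
                continue
            for _, nb, _, link in self._neighbors(node):
                if c + link < cost.get(nb, float("inf")):
                    cost[nb] = c + link
                    heapq.heappush(heap, (cost[nb], nb))
        return cost

    def port_roles(self) -> dict:
        """(bridge, port) -> 'root' | 'designated' | 'blocking'."""
        root = self.root_bridge()
        cost = self.root_path_costs()
        roles = {}
        # Step 2: one root port per non-root bridge: lowest (cost via neighbor, neighbor BID, neighbor port).
        for name in self.bridges:
            if name == root:
                continue
            my_port, *_ = min(self._neighbors(name),
                              key=lambda n: (cost[n[1]] + n[3], self.bridges[n[1]], n[2]))
            roles[(name, my_port)] = "root"
        # Step 3: one designated port per segment: the end with the lower (cost, BID, port ID).
        for a, pa, b, pb, _ in self.links:
            ends = sorted(((cost[a], self.bridges[a], pa, a), (cost[b], self.bridges[b], pb, b)))
            roles[(ends[0][3], ends[0][2])] = "designated"
            # Step 4: whatever is left is non-designated and blocks.
            roles.setdefault((ends[1][3], ends[1][2]), "blocking")
        return roles


def sample_topology() -> SpanningTree:
    """Constructed three-switch triangle; SW1 has been given the lowest priority."""
    st = SpanningTree(vlan=1)
    st.add_bridge("SW1", "0000.0000.0001", priority=4096)
    st.add_bridge("SW2", "0000.0000.0002")
    st.add_bridge("SW3", "0000.0000.0003")
    st.add_link("SW1", 1, "SW2", 1, 1_000)   # cost 4
    st.add_link("SW1", 2, "SW3", 1, 100)     # cost 19
    st.add_link("SW2", 2, "SW3", 2, 1_000)   # cost 4
    return st


if __name__ == "__main__":
    st = sample_topology()
    print("root:", st.root_bridge(), "costs:", st.root_path_costs())
    for (bridge, port), role in sorted(st.port_roles().items()):
        print(f"{bridge} port {port}: {role}")
```

In the sample, SW3 reaches the root more cheaply through SW2 (4 + 4 = 8) than over its direct 100 Mbps link (19), so its root port is the one facing SW2 and the direct link to SW1 ends up blocking on the SW3 side. Lowering SW1's priority is what made it root; with equal priorities the lowest MAC would have won.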

Default STP config for Catalyst Switches:

-PVST+

-Enabled on all ports in VLAN 1

-slower convergence after topology change

Default STP config for Cisco ME switches:

-Rapid PVST+

-Faster convergence

-Enabled on NNI ports in VLAN 1

-Disabled on ENI ports (can be enabled)

-not supported on UNI ports

Configuring Rapid PVST+ on ME Switch:

(config)spanning-tree mode rapid-pvst

(config-if)port-type eni

(config-if)spanning-tree (not necessary for NNI)

show spanning-tree vlan 1

show spanning-tree root

EtherChannel


-creates logical links made up of several similar physical links

-viewed as one logical link to STP

-more bandwidth, load balancing, redundancy

-support for switch ports and routed ports

-once port channel is created, ONLY config the PO, never the individual physical interface

-all ints in the channel must have the same speed/duplex, mode (access or trunk), same native or allowed VLANs for trunks, same access VLAN for access ports

Configuring EtherChannel

(config)int range fa0/21 - 22

(config-if-range)channel-group 1 mode on (creates Port Channel 1)

show etherchannel summary

show int fa0/21 etherchannel

Flex Link

-pair of Layer 2 interfaces

-Alternative to STP

-provides basic link redundancy

-only one link is forwarding traffic

Troubleshooting Switch Issues

Copper Media: damaged wiring, EMI, traffic patterns change, new equipment is installed

Fiber Media macrobend losses, splice losses

show int fa0/1

-check interface and line protocol status (want up-up)

-input errors: CRC errors and framing errors

-output errors

-collisions

IOS XR


-built upon QNX: a pre-emptive, memory-protected, micro-kernel based OS: higher availability, better scalability, package-based software distribution model (some optional features can be installed while the router is in service)

-web-based CLI

-Example IOS XR systems: 800, 1900, 2900, and 2900 Integrated Service Routers

-Catalyst 6500 series switches

-Cisco 7200 and 7600 Series Routers

-Cisco Carrier Routing System (CRS)

Management Access:

-console to RP (route processor) and standby RP

-Aux console (modem) to RP and standby RP

-Two ethernet management ints (IP connectivity)

Users/Task Groups*

-users are associated with a particular user group that links to a set of Task Ids

-every user group is associated with one or more task groups

-each task group is defined by a set of task IDs

Meaning of RP/0/RSP0/CPU0:Router Name#

RP = route processor

0 = single-rack chassis

RSP0 = Route Switch Processor (either 0 or 1)

CPU0 = always the same

Router Name = whatever the configured router name is

IOS XR Config

-only a running-config

-all changes must be committed, which defaults to an atomic commit (attempts to commit all; if it fails, no config applies)

-turboboot procedure: install IOS XR software from scratch using ROMMON*


(config)commit ? (view all options, best-effort is often preferable)

show config

show config merge (shows potential config after commit)

show config history

show config lock

show hw-module fpd location all (used to determine if firmware on ASR 9000 Series cards can be upgraded)

Routing Theory

Administrative Distance:

Directly Connected 0

Static Routes 1

EIGRP Summary Route 5

External BGP 20

Internal EIGRP 90

OSPF 110

IS-IS 115

RIP 120

External EIGRP 170

Unreachable/Unknown 255

Route summarization: used to control growth of routing tables; a group of subnets is rolled up into one summarizing routing table entry

Classless Inter-Domain Routing: method for allocating IP addresses and routing IP packets, replaces classful network design, goal is to slow growth of routing tables


Configuring Static Routes:

IOS:

(config)ip route 10.1.10.0 255.255.255.0 GigabitEthernet0/2

(config)ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 (This is a default route)

IOS XR:

(config)router static

(config-static)address-family ipv4 unicast

(config-static-afi) 10.1.10.0/24 GigabitEthernet0/0/0/0 (or IP address)

RIP Version 2:

-Hop count is distance metric

-maximum allowable hop count is 16

-Routing Updates every 30 seconds

-capable of load balancing up to 6 equal cost paths

-uses multicast for routing updates (IPv4: 224.0.0.9, IPv6: FF02::9)

RIPng:

-enabled on a per interface basis (instead of per network)

Configuring RIPv2:

IOS:

(config)router rip

(config-router)version 2

(config-router)network 10.0.0.0

(config-router)network 192.168.101.0

(config-router)no auto-summary (allows discontinuous networks)

Note: The network command enables routing on ints in that range and advertises the directly connected network.

IOS XR:

(config)router rip

(config-rip)interface GigabitEthernet0/0/0/0 (enables RIP on this int)

Note: On IOS XR, RIPv2 is enabled by default

Configuring RIPng

IOS:

(config)ipv6 unicast-routing (enables IPv6 routing on the router)

(config)interface Loopback0

(config-if)ipv6 address FC00:10:1:10::/64 eui-64

(config-if)ipv6 enable

(config-if)ipv6 rip <RIP process name> enable (enables RIPng on this int)

Verifying Routing Configuration:

IOS:

show ip protocols

show ip route <routing protocol>

IOS XR:

show protocols <protocol type> default-context

show route <routing protocol>

EIGRP:

-rapid convergence (uses DUAL algorithm)

-reduced bandwidth usage (sends only the routing info needed, and only to those who need it)

-Multiple network layer support (IPv4, IPv6, IPX, AppleTalk)

-Classless routing (supports discontiguous subnets and VLSMs)

-Less overhead (Multicast addresses: 224.0.0.10 and FF02::A)

-Load balancing : equal and unequal metric

-Easy summarization (create summary routes anywhere)


-Composite metric: Bandwidth, Delay, Reliability, Loading, MTU

-Hellos: 5 seconds Hold-time: 15 seconds

-Autosummarization disabled on IOS XR, and on more recent IOS versions

Advertised distance: metric for an EIGRP neighbour to reach a particular network

Feasible distance: AD learned from EIGRP neighbour PLUS the metric to reach that neighbour

*Note: To choose a feasible successor, the AD must be less than the FD of the current successor
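The feasibility condition in the note is the part worth working through, because a path can have the same total metric as a feasible successor and still be rejected. The following is an added example, not part of the study notes: it takes candidate paths as (neighbour, advertised distance, metric to that neighbour), computes each feasible distance, picks the successor, and keeps only backups whose AD is strictly below the successor's FD. The function name and the metric values are constructed for the example and are not real EIGRP composite metrics.

```python
"""Successor / feasible successor selection under the notes' EIGRP rule.

Added example, not from the notes. Each candidate is (neighbour, advertised
distance reported by that neighbour, metric to reach that neighbour); the
metric values are constructed, not real EIGRP composite metrics.
"""


def eigrp_select(candidates: list[tuple[str, int, int]]) -> dict:
    """Compute FD per path, pick the successor, and apply the feasibility condition."""
    if not candidates:
        raise ValueError("no paths to the destination")
    paths = [{"neighbor": n, "AD": ad, "FD": ad + to_nb} for n, ad, to_nb in candidates]
    successor = min(paths, key=lambda p: (p["FD"], p["neighbor"]))
    best_fd = successor["FD"]
    # Feasibility condition: a backup is loop-free only if its AD is strictly below
    # the successor's FD, i.e. that neighbour is already closer to the destination
    # than this router is, so it cannot be routing back through us.
    feasible = [p for p in paths if p is not successor and p["AD"] < best_fd]
    rejected = [p for p in paths if p is not successor and p["AD"] >= best_fd]
    return {"successor": successor, "feasible_successors": feasible, "not_feasible": rejected}


# Constructed topology table for one destination prefix.
SAMPLE = [("R2", 20, 10),   # FD 30 -> successor
          ("R3", 25, 15),   # FD 40, AD 25 < 30 -> feasible successor
          ("R4", 35, 5)]    # FD 40, AD 35 >= 30 -> kept in the topology table, not a backup


if __name__ == "__main__":
    result = eigrp_select(SAMPLE)
    print("successor:", result["successor"])
    print("feasible successors:", [p["neighbor"] for p in result["feasible_successors"]])
    print("not feasible:", [p["neighbor"] for p in result["not_feasible"]])
```

R3 and R4 offer the same total metric (40), but only R3 passes the check: R4 reports an AD of 35, which is not below the successor's FD of 30, so DUAL cannot prove the path is loop-free without a query.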

EIGRP configuration:

IOS:

(config)router eigrp 100 (remember EIGRP process numbers must match between routers)

(config-router)network 10.1.10.0 0.0.0.255 (second address is the wildcard value)

(config-router)network 192.168.101.0 (wildcard only required for further subnetting)

IOS XR:

(config)router eigrp 100

(config-eigrp) address-family ipv4

(config-eigrp-afi)int Loopback0

(config-eigrp-afi)int GigabitEthernet0/0/0/0

NAT and PAT

Static NAT: One to one address mapping

Dynamic NAT: Many to many, from a pool of public IPs

NAT overloading: One to many (requires PAT)

Inside local address: IPv4 address assigned to a host on the (your) inside network (Private)

Inside global address: legitimate IPv4 address assigned (usually by the SP) that represents one or more inside local IPv4 addresses to the outside world (Public)

Outside local address: IPv4 address of an outside host as it appears to the inside network. Not necessarily legitimate, the outside local address is allocated from a routable address space on the inside. (Private)

Outside global address: IPv4 address assigned to a host on the outside network by the host owner; the address is allocated from a globally routable address or network space. (Public)


PAT:

-uses unique source port numbers on the inside global addresses to distinguish between translations
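How one inside global address is shared among many inside hosts follows directly from the sentence above, but the port-collision case and the reverse lookup are easier to see in code. The following is an added example, not part of the study notes and not IOS code: a translation table that maps (inside local, source port) to a port on the single inside global address, keeps the host's own port when it is still free and allocates another otherwise, and returns nothing for inbound traffic that matches no entry. The class name, the addresses (203.0.113.10 and 10.1.10.x) and the port numbers are constructed for the example.

```python
"""Table-driven model of NAT overload (PAT) as described in the notes.

Added example, not from the notes or from IOS. One inside global address is
shared; translations are told apart by the source port. The model keeps the
inside host's own source port when it is still free on the global address and
otherwise allocates the next unused port (addresses and ports are constructed).
"""
import itertools


class PatTable:
    def __init__(self, inside_global: str, first_alloc_port: int = 1024):
        self.inside_global = inside_global
        self._next = itertools.count(first_alloc_port)
        self.outbound_map: dict[tuple[str, int], int] = {}   # (inside_local, lport) -> gport
        self.inbound_map: dict[int, tuple[str, int]] = {}    # gport -> (inside_local, lport)

    def _free_port(self, wanted: int) -> int:
        if wanted not in self.inbound_map and wanted >= 1024:
            return wanted                       # keep the original port if nobody else holds it
        while True:
            candidate = next(self._next)
            if candidate > 65535:
                raise RuntimeError("PAT port pool exhausted on " + self.inside_global)
            if candidate not in self.inbound_map:
                return candidate

    def outbound(self, inside_local: str, lport: int) -> tuple[str, int]:
        """Translate an inside packet's source; create the entry if it is new."""
        key = (inside_local, lport)
        if key not in self.outbound_map:
            gport = self._free_port(lport)
            self.outbound_map[key] = gport
            self.inbound_map[gport] = key
        return (self.inside_global, self.outbound_map[key])

    def inbound(self, gport: int):
        """Reverse translation for a packet arriving at the inside global address.

        Returns (inside_local, lport), or None when no translation exists; that
        None is why unsolicited inbound traffic is dropped by a PAT router.
        """
        return self.inbound_map.get(gport)

    def show_translations(self) -> list[str]:
        """Rows in the spirit of 'show ip nat translations' (the format is the model's own)."""
        return [f"{self.inside_global}:{gport} <- {local}:{lport}"
                for (local, lport), gport in sorted(self.outbound_map.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    table = PatTable("203.0.113.10")          # constructed inside global address
    table.outbound("10.1.10.5", 5000)         # keeps port 5000
    table.outbound("10.1.10.6", 5000)         # collides, gets the next free port
    table.outbound("10.1.10.7", 1024)
    for row in table.show_translations():
        print(row)
    print("inbound 4444 ->", table.inbound(4444))
```

The collision row is the whole point of PAT: two inside hosts both using source port 5000 cannot share 203.0.113.10:5000, so the second gets a different global port, and the reply to each is steered back by that port alone.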

Configuring Static NAT translation:

(config)ip nat inside source static <local ip> <global ip>

(note that these entries are not the router's interfaces themselves, but the next device they would be connected to)

(config)int <int id>

(config-if)ip nat inside

(config-if)ip nat outside (note this line is for a different int that will face the outside)

show ip nat translations

Configuring Dynamic NAT:

(config)ip nat pool <name> <start IP> <end IP> <netmask or prefix length>

(config)access-list <access list number> permit <source> <source wildcard>

(config)ip nat inside source list <access list number> pool <name>


(config)int <interface>

(config-if)ip nat inside

(config-if)ip nat outside (note this line is for a different int that will face the outside)

show ip nat translations

Configuring Overloading (PAT)

(config)access-list <access list number> permit <source> <source wildcard>

(config)ip nat inside source list <access-list-number> interface <outside source interface> overload

Then specify the inside and outside interfaces (remember the ip nat outside you configure must match the one configured above)

DHCP

-uses UDP port 67 (to server) and UDP port 68 (to client)

Four DHCP steps:

DHCP discover: client broadcasts a DHCP discover message with its own MAC to find available DHCP servers.

DHCP offer: when the server receives the discover message, it reserves an IP for that client and sends the offer to it.

DHCP request: a client can receive multiple offers, but will only accept one. The DHCP request message is broadcast (the client still has no IP).

DHCP Acknowledgement: the server sends the ack packet to the client; it includes lease duration and other config info.

DHCPv4 Relay: relay agents are installed on subnets that are not directly connected to the DHCP server. Relay agents receive the discover broadcast and unicast it to one or more DHCP servers. The relay agent continues to act as the intermediary in the process.

DHCPv6:

-uses UDP port 546 (data to the server) and UDP 547 (data to the client)

1. Router Announcement: indicates to clients if additional config parameters are available via DHCPv6

2. DHCPv6 Solicit: client sends a solicit message to a multicast address to discover all available servers

3. DHCPv6 Advertise: all servers that receive the Solicit message from the client send an Advertise message back. Other config info for the client may be included.


4. DHCPv6 Request: the client sends a Request message to the selected server using the Server Identifier option to request the use of the selected config. If the SI sent by the client does not match the SI offered by a server, that server puts its offered IPv6 address back into the pool.

5. DHCPv6 Reply: the server assigns the config to the client and sends a Reply message with either no status code option or a status code option with the value Success.

DHCP Server Configuration on IOS

(config)ip dhcp excluded-address <start ip> <end ip> (if you need to exclude addresses from the pool)

(config)ip dhcp pool <pool name>

(config-dhcp)network <network/mask>

(config-dhcp)lease <# of days>

(config-dhcp)dns-server <server address>

(config-dhcp)default-router <ip address>

DHCP Relay Configuration on IOS

(config-if)ip helper-address <address>

(config)ip forward-protocol udp <port>

DHCP Client Config on IOS

(config-if)ip address dhcp

WAN Encapsulation

DSL

-Cisco maintains that PPPoE is the common setup in consumer DSL*

PPP � Point to Point:

Asynchronous serial - POTS dial-up

Synchronous serial - ISDN or PPP leased lines

-Data link layer subdivided into two:

-NCP

-LCP (Link Control Protocol): Authentication, advanced error detection, compression


PAP vs CHAP:

-PAP: passwords sent in plaintext, two-way exchange

-CHAP 3 way exchange of a shared secret

Configuring PPP and Authentication

(config)hostname <Router name> (hostname is required)

(config)username <other router name> password <password>

(config-if)encapsulation PPP

(config-if)ppp authentication chap (optionally pap)

show interface serial0 (to verify selected encapsulation, HDLC is default)

PPPoE Authentication Process

PPPoE Active Discovery Initiation (PADI)

PPPoE Active Discovery Offer (PADO)

PPPoE Active Discovery Request (PADR)

PPPoE Active Discovery Session-confirmation (PADS)

LCP/IPCP

Frame Relay

-uses DLCI as the virtual circuit identifier (VCI)

Packet over SONET (POS)

-carries packets within the SONET synchronous payload envelope (SPE) by using a small amount of HDLC or PPP framing (note this HDLC is NOT Cisco proprietary)

-operates seamlessly with existing SONET infrastructure

-point-to-point, but does not use time division multiplexing (TDM)

-IP to PPP Frame to HDLC Frame to SONET/SDH Frame

(config)int pos 0/2/0

(config-if)clock source {internal | line}

show controllers (verify POS interface operation)

VPNs


L2TP: Layer 2 Tunneling Protocol (newer than PPTP). Two main components: the L2TP network server (LNS), which is the termination point for the tunnel and the access point where PPP frames are processed and then passed to higher-level protocols; and the L2TP Access Concentrator (LAC), which the client connects to directly and from which PPP frames are tunnelled to the LNS

IPSec: -not bound to specific algorithms (ciphers)

-Confidentiality, Integrity, and Authentication, anti-replay protection

Secure Sockets Layer (SSL): predecessor to TLS, supports various cryptographic algorithms (asymmetric with public and private keys). Can be used to encrypt plaintext email protocols.

Generic Routing Encapsulation (GRE): -tunneling protocol that encapsulates arbitrary types of network layer packets inside arbitrary network layer protocols

-developed by Cisco

-allows routing information to be passed between connected networks (can be used with IPSec VPNs, as IPSec does not support broadcast/multicast, and routing protocols rely on those heavily)

Configuring GRE Tunnels:

(config)interface tunnel <number>

(config-if)ip address <IP address> <net mask>

(config-if)tunnel source <IP address | interface>

(config-if)tunnel destination <destination IP address>

(config-if)no shut

(config-if)exit

(config)ip route <remote network> <remote netmask> tunnel <tunnel number>
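As an added example (not from the study notes), the encapsulation that the tunnel commands above set up, written out in Python: an inner IPv4 packet is wrapped in the 4-byte GRE header (IP protocol 47, protocol type 0x0800) and an outer IPv4 header using the tunnel source and destination. The decapsulator checks the outer protocol number and header checksum and skips the optional checksum/key/sequence fields. The inner packet is a constructed multicast packet (a placeholder for an OSPF hello), which shows the point the notes make: GRE carries multicast that IPSec alone cannot, and it carries it readable on the wire, so confidentiality has to come from IPSec around it. All addresses are documentation ranges and all names are this example's own.

```python
import ipaddress
import struct

GRE_PROTOCOL_NUMBER = 47   # IP protocol number in the outer IPv4 header (RFC 2784)
ETHERTYPE_IPV4 = 0x0800    # GRE "protocol type" value for an IPv4 payload


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, protocol: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options, followed by the payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, ttl, protocol, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    checksum = internet_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def gre_encapsulate(inner_packet: bytes, tunnel_source: str, tunnel_destination: str) -> bytes:
    """Wrap an inner IPv4 packet in a GRE header and an outer IPv4 header.

    The GRE header has no checksum, key or sequence number (flags 0, version 0),
    which is what a plain GRE tunnel with none of those options produces."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return build_ipv4(tunnel_source, tunnel_destination, GRE_PROTOCOL_NUMBER, gre_header + inner_packet)


def gre_decapsulate(outer_packet: bytes) -> dict:
    """Check the outer header is GRE, skip optional GRE fields, and return the inner packet."""
    if len(outer_packet) < 24:
        raise ValueError("too short to hold an IPv4 header plus a GRE header")
    ihl = (outer_packet[0] & 0x0F) * 4
    if outer_packet[9] != GRE_PROTOCOL_NUMBER:
        raise ValueError("outer packet is not GRE (IP protocol %d)" % outer_packet[9])
    if internet_checksum(outer_packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum is bad")
    flags_version, proto_type = struct.unpack("!HH", outer_packet[ihl:ihl + 4])
    if flags_version & 0x0007:
        raise ValueError("only GRE version 0 is handled here")
    gre_len = 4
    if flags_version & 0x8000:   # C bit: checksum + reserved1 present
        gre_len += 4
    if flags_version & 0x2000:   # K bit: key present (RFC 2890)
        gre_len += 4
    if flags_version & 0x1000:   # S bit: sequence number present (RFC 2890)
        gre_len += 4
    inner = outer_packet[ihl + gre_len:]
    if len(inner) < 20:
        raise ValueError("inner packet too short for an IPv4 header")
    return {
        "outer_src": str(ipaddress.IPv4Address(outer_packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(outer_packet[16:20])),
        "protocol_type": proto_type,
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "inner_protocol": inner[9],
        "inner_packet": inner,
    }


def demo() -> dict:
    """Constructed sample: a multicast packet (OSPF hello placeholder, IP protocol 89)
    carried between two tunnel endpoints in documentation address ranges."""
    hello = b"OSPF-HELLO-PLACEHOLDER"   # not a real OSPF packet, just recognisable bytes
    inner = build_ipv4("10.0.0.1", "224.0.0.5", 89, hello, ttl=1)
    outer = gre_encapsulate(inner, "198.51.100.1", "203.0.113.1")
    assert hello in outer                # GRE alone gives no confidentiality: the payload is readable
    return gre_decapsulate(outer)
```

Run `demo()` to see the outer and inner addresses side by side; the assertion inside it is the whole security point of pairing GRE with IPSec.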

Cisco Discovery Protocol (CDP)

-Cisco proprietary tool that enables access to protocol and address info about other directly connected Cisco devices (device identifiers, address list, port identifier, capabilities list, platform)

-runs on the data link layer

-Physical media for CDP devices must support the Subnetwork Access Protocol (SNAP)

-devices send periodic messages, known as advertisements, to a multicast address (default 60 seconds, holdtime 180 seconds)

-Default states on IOS: global: enabled; CDP int: enabled (on ME switches, enabled only on NNI, not supported on UNI)

-Default states on IOSXR: global: disabled; interface: disabled

Configuring CDP:

IOS:

(config)cdp run (enabled by default)

(config)interface FastEthernet0/2

(config-if)cdp enable

IOS XR:

(config)cdp (disabled by default)

(config)interface GigabitEthernet0/0/0/0

(config-if)cdp

show cdp

show cdp traffic

show cdp neighbors

show cdp neighbors detail
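As an added example (not from the study notes), a Python builder and parser for the advertisement the notes describe: the frame goes to the CDP multicast MAC over an 802.2 LLC/SNAP header (Cisco OUI, protocol ID 0x2000, which is why the notes say the media must support SNAP), and the body is a version byte, a TTL equal to the holdtime, a checksum and a list of type/length/value fields. Parsing one shows exactly what a neighbour learns from a port that leaves CDP enabled (device ID, addresses, port ID, capabilities, platform), which is the reason it is off on UNI ports. The parser bounds-checks every length because the data comes from an unauthenticated neighbour. The device name, MAC and address are constructed for this example, and the checksum is left at zero and not verified.

```python
import ipaddress
import struct

CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")   # destination of every CDP advertisement
# 802.2 LLC (DSAP/SSAP 0xAA, control 0x03) + SNAP (Cisco OUI 00:00:0C, protocol ID 0x2000 = CDP)
CDP_SNAP_HEADER = bytes.fromhex("aaaa03") + bytes.fromhex("00000c") + struct.pack("!H", 0x2000)

TLV_DEVICE_ID, TLV_ADDRESS, TLV_PORT_ID, TLV_CAPABILITIES, TLV_PLATFORM = 0x0001, 0x0002, 0x0003, 0x0004, 0x0006
CAPABILITY_BITS = {0x01: "Router", 0x02: "Trans-Bridge", 0x04: "Source-Route-Bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """CDP TLV: 2-byte type, 2-byte length; the length counts the 4 type/length bytes too."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def address_tlv(addresses: list) -> bytes:
    """Address TLV: 4-byte count, then per address: protocol type 1 (NLPID), protocol length 1,
    protocol 0xCC (IP), 2-byte address length, address bytes."""
    body = struct.pack("!I", len(addresses))
    for addr in addresses:
        body += struct.pack("!BBBH", 1, 1, 0xCC, 4) + ipaddress.IPv4Address(addr).packed
    return tlv(TLV_ADDRESS, body)


def build_cdp_frame(device_id, port_id, addresses, capabilities, platform, holdtime=180) -> bytes:
    """Constructed sample advertisement (checksum left at zero; the parser does not verify it)."""
    body = (tlv(TLV_DEVICE_ID, device_id.encode()) + address_tlv(addresses)
            + tlv(TLV_PORT_ID, port_id.encode()) + tlv(TLV_CAPABILITIES, struct.pack("!I", capabilities))
            + tlv(TLV_PLATFORM, platform.encode()))
    cdp = struct.pack("!BBH", 2, holdtime, 0) + body   # CDP version 2, TTL = holdtime in seconds
    llc = CDP_SNAP_HEADER + cdp
    src_mac = bytes.fromhex("0200c0ffee01")            # constructed, locally administered MAC
    return CDP_MULTICAST_MAC + src_mac + struct.pack("!H", len(llc)) + llc   # 802.3 length, not EtherType


def parse_addresses(value: bytes) -> list:
    """Decode the Address TLV body; only IPv4 (NLPID 0xCC, 4 bytes) entries are returned."""
    if len(value) < 4:
        raise ValueError("truncated address TLV")
    addresses, pos = [], 4
    for _ in range(struct.unpack("!I", value[:4])[0]):
        if pos + 4 > len(value):
            raise ValueError("truncated address entry")
        ptype, plen = value[pos], value[pos + 1]
        if pos + 4 + plen > len(value):
            raise ValueError("truncated address entry")
        proto = value[pos + 2:pos + 2 + plen]
        alen = struct.unpack("!H", value[pos + 2 + plen:pos + 4 + plen])[0]
        addr = value[pos + 4 + plen:pos + 4 + plen + alen]
        if len(addr) != alen:
            raise ValueError("truncated address entry")
        if ptype == 1 and proto == b"\xcc" and alen == 4:
            addresses.append(str(ipaddress.IPv4Address(addr)))
        pos += 4 + plen + alen
    return addresses


def parse_cdp_frame(frame: bytes) -> dict:
    """Return what the advertisement discloses; every length is checked before it is used."""
    if len(frame) < 26 or frame[0:6] != CDP_MULTICAST_MAC or frame[14:22] != CDP_SNAP_HEADER:
        raise ValueError("not a CDP frame")
    length = struct.unpack("!H", frame[12:14])[0]
    cdp = frame[22:14 + length]
    if len(cdp) < 4:
        raise ValueError("truncated CDP header")
    version, holdtime, _checksum = struct.unpack("!BBH", cdp[:4])
    info = {"version": version, "holdtime": holdtime, "source_mac": frame[6:12].hex(":")}
    offset = 4
    while offset < len(cdp):
        if offset + 4 > len(cdp):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!HH", cdp[offset:offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(cdp):
            raise ValueError("bad TLV length %d at offset %d" % (tlv_len, offset))
        value = cdp[offset + 4:offset + tlv_len]
        if tlv_type == TLV_DEVICE_ID:
            info["device_id"] = value.decode("ascii", errors="replace")
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = value.decode("ascii", errors="replace")
        elif tlv_type == TLV_PLATFORM:
            info["platform"] = value.decode("ascii", errors="replace")
        elif tlv_type == TLV_CAPABILITIES and len(value) == 4:
            caps = struct.unpack("!I", value)[0]
            info["capabilities"] = [name for bit, name in CAPABILITY_BITS.items() if caps & bit]
        elif tlv_type == TLV_ADDRESS:
            info["addresses"] = parse_addresses(value)
        offset += tlv_len
    return info


def demo() -> dict:
    """Build and parse one constructed advertisement from a router/switch platform."""
    frame = build_cdp_frame("PE1.example.net", "GigabitEthernet0/0/0/0", ["10.1.1.1"], 0x09, "cisco ME-3400")
    return parse_cdp_frame(frame)
```

The fields `demo()` returns are the same ones `show cdp neighbors detail` prints on the receiving side; anything in that output is also visible to any host on the segment that can read the multicast frame.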

Simple Network Management Protocol (SNMP)

-application layer protocol

-consists of SNMP manager, agents, and an MIB (management information base)

-3 versions: 1, 2c, and 3 (supports encryption)

-SNMP agents are polled periodically to gather data (improper user authentication, link status, CPU usage)

-the agent gathers data from the MIB, but can respond to get or set requests from the manager

-inform operations are not supported in IOS XR software*

Configuring SNMP (IOS and IOSXR)

(config)snmp-server community cisco RW (configures community access string "cisco" to permit read-write SNMP access)

(config)snmp-server traps bgp (enables trap notifications regarding BGP protocol)

(config)snmp-server host 10.1.1.254 version 2c cisco (specifies the recipient of an SNMP notification operation, version, and community to be used)

Syslogs


-protocol that allows a machine to send event notification messages across IP networks to event message collectors

-by default, system messages and debug command output are sent to a logging process; if the process is disabled, messages are sent only to the console

Severity Levels:

0 - Emergency

1 - Alert

2 - Critical

3 - Error

4 - Warning

5 - Notification

6 - Informational

7 - Debugging

"Do I Notice When Evening Comes Around Early" (in reverse order)

Configuring Syslog on Cisco Devices:

IOS and IOS XR:

(config)logging console debugging (specifies that debugging and numerically lower severities should be logged on the console)

(config)logging buffered informational (the logging buffer is the destination for informational and numerically lower level messages)

(config)logging monitor debugging (specifies vty lines as destination for debugging)

(config)logging 10.1.1.253 (specifies a syslog server host as a destination for messages)

(config)logging trap alerts (specifies severity of messages to be sent to the server)


Other commands:

show logging

(config)logging buffered <buffer size in bytes>
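As an added example (not from the study notes), a small Python router that applies the "numerically lower" rule above: it reads `logging <destination> <level>` lines, parses Cisco-format messages (`%FACILITY-SEVERITY-MNEMONIC: text`) and reports which destinations each message reaches. Run against the notes' own configuration it shows the consequence of `logging trap alerts`: a failed-login message at severity 4 is kept in the local buffer but never reaches the syslog server at 10.1.1.253, which matters for anyone relying on that server for detection. The sample log lines and the default thresholds used when a destination has no explicit level are this example's assumptions, not taken from the notes.

```python
import re
from dataclasses import dataclass

# IOS/IOS XR severity keywords, numerically ordered: a destination configured with level N
# receives every message whose severity is N or numerically lower (more severe).
SEVERITY_KEYWORDS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                     "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Cisco message body: %FACILITY-SEVERITY-MNEMONIC: text  (timestamp/sequence prefix is optional)
MESSAGE_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")
LOGGING_RE = re.compile(r"^\s*logging\s+(?P<dest>console|buffered|monitor|trap)(?:\s+(?P<arg>\S+))?\s*$")


@dataclass
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_message(line: str):
    """Return a SyslogMessage for a Cisco-format line, or None if the line is not one."""
    m = MESSAGE_RE.search(line)
    if not m:
        return None
    return SyslogMessage(m["facility"], int(m["severity"]), m["mnemonic"], m["text"])


def parse_logging_config(config_lines):
    """Map each logging destination to the highest severity number it accepts.

    Starting values are assumed defaults for this example (console, monitor and buffer at
    debugging, trap at informational); explicit 'logging <dest> <level>' lines override them.
    A numeric argument above 7 on 'logging buffered' is a buffer size, not a level, and is ignored."""
    thresholds = {"console": 7, "monitor": 7, "buffered": 7, "trap": 6}
    for line in config_lines:
        m = LOGGING_RE.match(line)
        if not m or m["arg"] is None:
            continue
        arg = m["arg"]
        if arg in SEVERITY_KEYWORDS:
            thresholds[m["dest"]] = SEVERITY_KEYWORDS[arg]
        elif arg.isdigit() and int(arg) <= 7:
            thresholds[m["dest"]] = int(arg)
    return thresholds


def destinations_for(msg: SyslogMessage, thresholds: dict) -> list:
    """Destinations that receive this message under the configured thresholds."""
    return sorted(dest for dest, level in thresholds.items() if msg.severity <= level)


def route_messages(config_lines, log_lines):
    """Pair every parseable log line with the destinations that would receive it."""
    thresholds = parse_logging_config(config_lines)
    routed = []
    for line in log_lines:
        msg = parse_message(line)
        if msg is not None:
            routed.append((msg, destinations_for(msg, thresholds)))
    return routed


# Configuration from the notes (the logging host line carries no level and is ignored here).
NOTES_CONFIG = [
    "logging console debugging",
    "logging buffered informational",
    "logging monitor debugging",
    "logging 10.1.1.253",
    "logging trap alerts",
]

# Constructed sample messages in Cisco format (timestamps, users and hosts are made up).
SAMPLE_LOG = [
    "*Mar  1 00:01:02.003: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.10)",
    "*Mar  1 00:01:05.100: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:01:06.200: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.7] [localport: 22]",
    "*Mar  1 00:01:07.300: %SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU Utilization(Total/Intr): 95%/2%",
    "*Mar  1 00:01:08.400: %SYS-7-USERLOG_DEBUG: Message from tty2(user id: admin): test",
    "this line is not a syslog message and is skipped",
]


def summary() -> dict:
    """Which sample messages reach the syslog server (the 'trap' destination) under the notes' config."""
    return {msg.mnemonic: ("trap" in dests) for msg, dests in route_messages(NOTES_CONFIG, SAMPLE_LOG)}
```

`summary()` is the check worth running before trusting a collector: every mnemonic that comes back `False` is something the device logged locally but the server never saw.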

Netflow

-Cisco developed protocol for collecting IP traffic information, including:

-application and network usage

-network productivity and utilization of network resources

-impact of changes to the network

-network anomaly and security vulnerability

-Attributes NetFlow can use: IP source/destination address, source/destination port, Layer 3 protocol type, Class of Service, router or switch interface

-Generally Netflow is used for the following: accounting and billing, network planning and analysis, network monitoring
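As an added example (not from the study notes), a Python packer and parser for a NetFlow version 5 export datagram, the fixed-format version that carries exactly the attributes listed above (source/destination address and port, Layer 3 protocol, ToS, input/output interface index) plus packet and byte counts. The parser refuses a datagram whose length does not match its record count, so a truncated export cannot make a collector misread the next record, and two small aggregations give the accounting view (bytes per conversation) and the monitoring view (top talkers). The flows, addresses and timestamps are constructed for this example, not captured from a real network.

```python
import ipaddress
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes: version, count, uptime, secs, nsecs, seq, engine type/id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes per flow record
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def build_v5_export(flows, sys_uptime=100000, unix_secs=1521504000, flow_sequence=0) -> bytes:
    """Pack constructed flow dicts into one NetFlow v5 export datagram (header + records)."""
    records = b""
    for f in flows:
        records += V5_RECORD.pack(
            ipaddress.IPv4Address(f["src"]).packed, ipaddress.IPv4Address(f["dst"]).packed,
            ipaddress.IPv4Address(f.get("nexthop", "0.0.0.0")).packed,
            f.get("input_if", 1), f.get("output_if", 2),
            f["packets"], f["octets"], f.get("first", 0), f.get("last", 0),
            f.get("sport", 0), f.get("dport", 0),
            0, f.get("tcp_flags", 0), f["proto"], f.get("tos", 0),   # pad1, TCP flags, protocol, ToS
            0, 0, 24, 24, 0,                                           # src/dst AS, src/dst mask, pad2
        )
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, flow_sequence, 0, 0, 0)
    return header + records


def parse_v5_export(datagram: bytes) -> list:
    """Unpack a v5 datagram into flow dicts; rejects anything that is not exactly header + count records."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count %d does not match datagram length %d" % (count, len(datagram)))
    flows = []
    for i in range(count):
        (src, dst, _nexthop, input_if, output_if, packets, octets, first, last, sport, dport,
         _pad1, tcp_flags, proto, tos, _src_as, _dst_as, _smask, _dmask, _pad2) = \
            V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": PROTOCOL_NAMES.get(proto, str(proto)), "sport": sport, "dport": dport,
            "packets": packets, "octets": octets, "tos": tos, "tcp_flags": tcp_flags,
            "input_if": input_if, "output_if": output_if, "first": first, "last": last,
        })
    return flows


def octets_by_conversation(flows) -> dict:
    """Accounting view: bytes per (source, destination, protocol, destination port)."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"], f["proto"], f["dport"])] += f["octets"]
    return dict(totals)


def top_talkers(flows, n=3) -> list:
    """Monitoring view: sources ordered by total bytes sent."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["octets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Constructed sample flows (documentation addresses; not captured from a real network).
SAMPLE_FLOWS = [
    {"src": "10.1.1.10", "dst": "203.0.113.5", "proto": 6, "sport": 51000, "dport": 443,
     "packets": 1200, "octets": 900000, "tcp_flags": 0x18},
    {"src": "10.1.1.10", "dst": "203.0.113.5", "proto": 6, "sport": 51001, "dport": 443,
     "packets": 300, "octets": 250000, "tcp_flags": 0x18},
    {"src": "10.1.1.22", "dst": "10.1.1.254", "proto": 17, "sport": 40000, "dport": 161,
     "packets": 5, "octets": 500},
    {"src": "10.1.1.22", "dst": "10.1.1.253", "proto": 17, "sport": 40001, "dport": 514,
     "packets": 40, "octets": 8000},
]


def demo():
    """Round-trip the sample flows through an export datagram and aggregate them."""
    flows = parse_v5_export(build_v5_export(SAMPLE_FLOWS))
    return octets_by_conversation(flows), top_talkers(flows)
```

Two flows with different source ports collapse into one conversation total, which is the "accounting and billing" use; the per-source ranking is the "network monitoring" use. NetFlow records contain no payload, so everything here is reasoning from headers and counters only.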

SPAN

-copies network traffic from network ports on VLANs to another port for analysis

-can monitor: Receive (Rx), Transmit (Tx), or both (by default)

Guidelines for Configuring SPAN

-total of 66 SPAN sessions on a Cisco ME 3400

-destination port cannot be a source port

-cannot have two SPAN sessions using the same destination port

-when you configure a port as a SPAN destination, it is no longer a normal switch port; only monitored traffic passes through

-entering SPAN config commands does not remove previously configured SPAN parameters


Configuring SPAN

IOS:

(config)no monitor session <session number> (disables existing SPAN config for sessions)

(config)monitor session 1 source int fa0/1 <rx|tx>

(config)monitor session 1 destination int fa0/2 (monitors traffic on fa0/1 and sends it to fa0/2)

show monitor session 1

IP Service Level Agreement (SLA)

-An SLA is a contract between the provider and its customers:

-provides guaranteed service level

-specifies connectivity and performance agreements for an end-user service

-supports problem isolation and network planning

-Uses SNMP to gather data

-consists of a source (where all measurement probe operations are configured) and a responder, which is the destination of those probes

Configuring IP SLA:

IOS:

(config)ip sla monitor <monitor number>

(config-rtr)path-echo 10.10.10.253 (ICMP echo operation to destination IP address)

(config-rtr)frequency <number of seconds>

(config-rtr)exit

(config)ip sla monitor schedule 432 life forever start-time now

show ip sla statistics

IOS XR:

(config)ipsla

(config-ipsla)operation <operation number>

(config-ipsla)type icmp echo

(config-ipsla)destination address 10.10.10.19

(config-ipsla)frequency 300

(config-ipsla)schedule operation <operation number>

(config-ipsla)start-time now


(config-ipsla)life forever

show ipsla statistics 432

Network Time Protocol (NTP)

-synchronizes the clocks of computer systems over variable-latency data networks. Example: routers will synch with an NTP server

-uses UDP port 123 for transport layer

-clock synch is critical for tracking network events in the correct order (syslog data) and for digital certificates, amongst other things

-3 ways a network device can obtain NTP time info: polling the NTP server, listening to NTP broadcasts, listening to NTP multicasts

Configuring NTP:

IOS:

(config)ntp server <server ip> (forms server association with another system, see IOS XR example below)

show ntp associations

show ntp status

IOS XR:

(config)ntp

(config-ntp)master 1 (makes the router an authoritative NTP server)

(config-ntp)int gi0/0/0/1 disable

Cisco Technical Assistance Center

-opening a case online has priority (http://www.cisco.com/techsupport/servicerequest)

-Issues resolved quickly by allowing Cisco engineers remote access

Authentication, Authorization, Accounting/Auditing (AAA)

-Authentication: requires users/admins to prove they really are who they say they are. Username/password, challenge/response, token cards, etc.

-Authorization: After authentication, decides which resources the user/admin is allowed to access and what operations they are allowed to perform


-Accounting: Records what the user/admin actually did, when, and how long

-basic authentication is the globally configured username and password

-larger enterprises will generally use AAA servers (RADIUS and TACACS+)

AAA User Config on IOS XR:

admin config

(admin-config)username user1

(admin-config-un)group netadmin (note these groups would have already been created with the usergroup command; a user can be added to multiple groups)

(admin-config-un)secret newpassword

(admin-config-un)password oldpassword