CCNA SP 640-875 SPNGN1 Study Notes
Cisco IP NGN Architecture:
Application Layer: Mobile Access, Residential Access, Business Access
Services Layer: Mobile Services, Video Services, Cloud Services
Cisco IP NGN Infrastructure Layer: Access, Aggregation, IP Edge, Core
Full Mesh Topology: n * (n-1) / 2
OSI Model:
Application
Presentation
Session
Transport
Network
Data Link
Physical
Ports
20/21 - TCP - FTP
22 - TCP - SSH
23 - TCP - Telnet
25 - TCP - SMTP
53 - UDP,TCP - DNS
67, 68 - UDP - DHCP
69 - UDP - TFTP
80 - TCP - HTTP
110 - TCP - POP3
161 - UDP - SNMP
443 - TCP - SSL (HTTPS)
IP Theory
TCP/IP Stack:
Application (5-7)
Transport (4)
Internet (3)
Network Access (1 and 2)
IPv4
IPv4 Classes
Class A - 1.0.0.0 - 126.255.255.255
Class B - 128.0.0.0 - 191.255.255.255
Class C - 192.0.0.0 - 223.255.255.255
Class D - 224.0.0.0 - 239.255.255.255
Class E - 240.0.0.0 - 255.255.255.255
IPv4 Private Address Ranges
Class A - 10.0.0.0 - 10.255.255.255
Class B - 172.16.0.0 - 172.31.255.255
Class C - 192.168.0.0 - 192.168.255.255
Auto Configuration Addresses: 169.254.0.0 - 169.254.255.255
IPv6
-128 bits, written as eight 16-bit hexadecimal fields (4 hex characters each)
-leading 0s in a field are optional
-once per address, successive fields of zeroes can be represented as a double colon
-Dynamic stateful (DHCPv6), dynamic stateless (auto config with 64 bit interface ID)
-uses router solicitation (RS) and router advertisements (RA) for router and prefix discovery*
-neighbor discovery protocol replaces IPv4 ARP functions*
-IPv6 loopback: ::1
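The text-form rules above (eight 16-bit fields, optional leading zeros, a single "::"), worked as a parser/compressor with a scope classifier for the prefixes the notes list. This is an added example, not part of the original study notes; it uses only the Python standard library.

```python
"""IPv6 text-form rules: eight 16-bit hex fields, leading zeros optional,
one '::' standing for the longest run of zero fields.
Added example, not from the study notes."""
import re

FIELD = re.compile(r"^[0-9a-fA-F]{1,4}$")


def expand(addr):
    """Parse any legal text form into a list of eight integers (0..65535).
    Rejects more than one '::' and wrong field counts."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' per address")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero field")
        parts = left + ["0"] * missing + right
    else:
        parts = addr.split(":")
    if len(parts) != 8 or not all(FIELD.match(p) for p in parts):
        raise ValueError(f"malformed IPv6 address: {addr!r}")
    return [int(p, 16) for p in parts]


def full_form(fields):
    """Uncompressed form: every field padded to 4 hex digits."""
    return ":".join(f"{f:04x}" for f in fields)


def compress(fields):
    """Shortest form: drop leading zeros and replace the longest run of two or
    more zero fields with '::' (leftmost run wins a tie, as in RFC 5952)."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if fields[i] == 0:
            j = i
            while j < 8 and fields[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [f"{f:x}" for f in fields]
    if best_len < 2:
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return f"{left}::{right}"


def scope(fields):
    """Classify by the prefixes the notes list (loopback, FE80::/10, FD00::/8,
    FF00::/8, and the 2000::/3 global unicast range)."""
    first = fields[0]
    if fields == [0] * 7 + [1]:
        return "loopback"
    if (first & 0xFFC0) == 0xFE80:
        return "link-local (FE80::/10)"
    if (first & 0xFF00) == 0xFD00:
        return "unique local (FD00::/8)"
    if (first & 0xFF00) == 0xFF00:
        return "multicast (FF00::/8)"
    if (first & 0xE000) == 0x2000:
        return "global unicast (2000::/3)"
    return "other"
```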
Link-Local Addresses
-All IPv6 interfaces must have one
-for addressing on a single link (scope is limited to the link)
-created dynamically by using prefix FE80::/10 and a 64 bit interface ID
-used for auto address config, neighbour discovery, and router discovery (many routing protocols can use
them)
Global Unicast
-/48 assigned to a site, 16 bit subnet used to identify links in a site
-stateless auto config using 64 bit interface ID
-200X:: onwards (IANA assignments)
Unique Local
-fd00::/8 prefix, site specific scope but almost assured to be globally unique
-after prefix is a 40 bit pseudo random global ID, then a 16 bit subnet, then a 64 bit interface ID
IPv6 Multicast:
-replaces broadcast, one-to-many
-FFxy format
FF01::1 All MC hosts
FF01::2 All MC Routers
FF02::5/6 OSPFv4
FF02::9 RIPng
FF02::A EIGRP
DNS
-A record: IPv4 to name
-AAAA record: IPv6 to name
-MX record: IP address of mail server
-Top of DNS hierarchy are 13 server clusters (root servers), followed by: Primary authoritative DNS,
secondary authoritative DNS, caching DNS, client-based DNS resolver library
-there are primary and secondary servers at each hierarchy level
TCP
-Three-way handshake to begin: SYN, SYN ACK, established
-Connection teardown: FIN, ACK then FIN ACK, send return ACK
-TCP Acknowledgement Example:
 Sender A: send 1
 Receiver B: receive 1, send ACK 2
 A: receive ACK 2, send 2
 B: receive 2, send ACK 3
 A: receive ACK 3, send 3
 B: receive 3, send ACK 4
-Windowing allows the sender to send multiple packets without acknowledgment and controls the transmission rate
to prevent data loss; the window can slide (grow and shrink in size)
MAC Addressing Theory
-2 components: 24 bit OUI indicating the manufacturer (with broadcast and local bits in front), 24 bit
vendor assigned second half
Address Resolution Protocol ARP: Mapping IP address to a MAC address
-ARP table is generally dynamic and default table entry hold time is 300 seconds
-ARP MAC Broadcast: FFFF.FFFF.FFFF
Network Security
-Hardware threats: access to equipment
-Environmental threats: temperature and humidity control, remove EMI
-Electrical Threats: install UPS, backup generator, and redundant power. Test these regularly
-Maintenance Threats: ESD, label equipment, maintain stock of critical spares, mind hardware threats
-Reconnaissance Attack � discovery and mapping of systems/services/vulnerabilities. What ports are
open, what IPs are live, etc.
-CIA: Confidentiality: only authorized users allowed; Integrity: only authorized people can CHANGE data;
Availability: Uninterrupted access for authorized users
Cisco Network Foundation
Control Plane: ability to route traffic (protected by routing protocol authentication)*
Management plane: ability to manage device
Data Plane: ability to forward data
Classes of Attack: Passive (analysis, monitoring), Active (circumvent or break protection, introduce
malicious code, steal or modify data), Close-in (gaining physical proximity), Insider, Distributed (DDoS)
Switching Theory
LAN Specifications:
802.3u: 100BASE-TX, 100BASE-T4, 100BASE-FX
802.3z: 1000BASE-X
802.3ab: 100BASE-T
CSMA/CD: Carrier Sense Multiple Access with Collision Detection, when a collision is noted, jamming
signals are used and random backoff timers are used
Standard      Media                    Distance                      Connector
100BASE-TX    Cat 5 UTP, 2 pair        100m                          RJ-45
100BASE-T     Cat 5 UTP, 4 pair        100m                          RJ-45
1000BASE-SX   50 or 62.5 micron MMF    275m (62.5) or 550m (50)      N/A
1000BASE-LX   9 micron SMF             3-10km                        N/A
10GBASE-SR    62.5 or 50 micron MMF    26-82m (62.5) or 300m (50)    N/A
10GBASE-LR    9 micron SMF             10-25km                       N/A
40GBASE       SMF                      10km                          N/A
100GBASE      SMF                      40km                          N/A
Unshielded Twisted Pair (UTP)
Cat 1: telephone communication, not suitable for data
Cat 2: data at speeds up to 4Mbps
Cat 3: used in 10BASE-T networks, up to 10Mbps
Cat 4: Used in Token Ring networks, up to 16Mbps
Cat 5: Capable of transmitting data up to 100 Mbps
Cat 5e: up to 1000Mbps
Cat 6: 4 pairs of 24 gauge copper wire, up to 1Gbps
Cat 7: up to 10Gbps
Straight and Crossover Cabling
-switches/hubs are crossed internally
-'like' devices need a crossover to connect
-Auto MDIX determines the required cable connection
Examples:
Switch to Router - Straight
Switch to PC or Server - Straight
Switch to Switch - Crossover
Router to Router - Crossover
Router Ethernet Port to PC NIC - Crossover
PC to PC - Crossover
DWDM - Dense Wavelength Division Multiplexing: passively combining multiple wavelengths by color so
they do not interfere with one another. Increases bandwidth over fiber
Hubs, Bridges, and Switches
Hubs
-Regenerates signal (extends it)
-connects multiple devices and makes them act as a single network segment
-Every signal is sent out every port, creates many collisions
-not really used anymore
Bridge
-connects multiple network segments at layer 2
-has only a few ports
-not used anymore
Switch
-same function as bridge, more ports though
-mixture of port speeds
-fast internal switching
-internal frame buffer
-Advanced functions: VLANs, trunking, security, media rate adapt, CoS (layer 2 version of QofS), port
buffers, high port density
Types of Switching
Cut-Through: acts upon data as soon as it's received (does not wait for complete transmission). No
error checking
Store and Forward: stores data in buffers until the complete frame is received, and during this process analyzes
the frame for info about its destination. Also performs an error check in this process
Fragment-Free: ensures enough bytes are read from the source to detect a collision before forwarding.
Cisco's preferred method
Collision/Broadcast Domains
Hub Port: All hub ports are in the SAME collision and broadcast domains
Switch port: Each switchport is an individual collision domain, but all ports on a switch are part of ONE
broadcast domain
Router Port: Each port is a broadcast/collision domain
Connecting to a Cisco Device
Console terminal
-Rollover cable
-terminal program with the following settings: Speed 9600bps, Data bits: 8, Parity: none, Stop bit: 1, Flow
control: none
Router/Switch Internal Components
RAM: stores running-config, routing tables, and packet buffers
ROM: microcode for basic function: bootstrap code, POST, ROMMON
Flash memory: storing IOS image
NVRAM: start-up config
Editing Commands
Ctrl-A: moves to beginning of command line
Ctrl-E: moves to the end of the command line
Esc-B: Move back one word
Esc-F: Move forward one word
Ctrl-B: Move back one character
Ctrl-F: Move forward one character
Ctrl-D: Delete a single character
Tab: Completes command
Ctrl-P or Up Arrow: Recalls last command
Ctrl-N or Down Arrow: Recalls more recent commands
show history: Shows command buffer contents
terminal history <size lines>: sets session command buffer size
General Cisco Config
show flash: displays contents of flash memory
show version: displays config of the system hardware including: IOS software release, platform, uptime
copy tftp: run (config stored in TFTP server merges the running config)*
erase start: removes the start-up configuration
Boot-up Sequence
1. Perform POST
2. Load and run bootstrap code
3. Find the IOS software
4. Load the IOS software
5. Find the config
6. Load the config
7. Run the configured IOS software
Finding Cisco IOS Image
1. Checks config register
2. Parses config for boot system command
3. Defaults to first file in flash memory
4. Attempts to boot from network server
5. Boot helper image
6. ROMMON
0x2100: ROMMON
0x2101: Boot Helper
0x2102 to 0x210F: Normal Boot
0x2142: Bypass start-up config
To access ROMMON: With console cable, reboot router, WITHIN 30 SECONDS use break key to bypass
passwords
Basic Switch Config Commands
(config)hostname CiscoSwitch
(config)ip domain name <name>
(config)ip default-gateway <ip address>
Switch Security
Configuring Passwords
(config)line console 0
(config-line)login
(config-line)password cisco
(config)line vty 0 4 (then same as above; note there are normally 16 vty lines in total)
(config)enable password cisco
(config)service password-encryption
(config)enable secret ottawa
Telnet and SSH
-Telnet is in plain text, avoid using it
Enabling SSH:
(config)ip domain-name cisco.com
(config)crypto key generate rsa (you are then prompted to set key size)
(config)username cisco password cisco (creates a user account, when used will force user to enter the
username and the password)
(config)ip ssh version 2
(config)line vty 0 15
(config-line)login local (forces the use of username AND password)
(config-line)transport input ssh (allows ONLY SSH, no telnet)
show ip ssh - verifies SSH is enabled and which version
show ssh - shows connected SSH sessions
ssh -l <username> <ip address or hostname> (SSH from one Cisco device to another)
Port Security
-remember to shut down unused ports
(config)int fa0/1
(config-if)switchport port-security
(config-if)switchport port-security maximum 2 (sets number of MACs allowed to be learned/set)
(config-if)switchport port-security mac-address 0000.1111.aaaa
(config-if)switchport port-security mac-address 0000.1111.bbbb
(config-if)switchport port-security violation shutdown (other options: protect or restrict; restrict drops frames and
creates logs/SNMP traps)
show port-security int gi0/1
show port-security
(config)int fa0/2
(config-if)switchport port-security mac-address sticky (learns the connected MAC address)
show port-security address
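A model of the port-security behaviour configured above (maximum, static and sticky addresses, and the three violation modes), useful for checking what a given mode will actually do to a frame from an unexpected MAC. This is an added example, not from the study notes or Cisco; the port names, MAC addresses and the log text are constructed.

```python
"""Port-security model: a per-port set of allowed MACs (static or learned)
bounded by 'maximum', and a violation mode applied to any other source MAC.
Added example, not from the study notes; values below are constructed."""


class PortSecurity:
    MODES = ("protect", "restrict", "shutdown")

    def __init__(self, name, maximum=1, violation="shutdown", sticky=False):
        if violation not in self.MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.name = name
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.static = set()        # 'switchport port-security mac-address X'
        self.learned = set()       # dynamically learned (sticky keeps them in config)
        self.err_disabled = False  # result of violation mode 'shutdown'
        self.violations = 0        # counter as shown by 'show port-security'
        self.log = []              # what restrict/shutdown would log or trap

    def allowed(self):
        return self.static | self.learned

    def add_static(self, mac):
        if len(self.allowed()) >= self.maximum:
            raise ValueError("maximum secure addresses already configured")
        self.static.add(mac.lower())

    def running_config(self):
        """Lines that would persist: static entries plus sticky-learned ones."""
        lines = [f"interface {self.name}",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        lines += [f" switchport port-security mac-address {m}" for m in sorted(self.static)]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in sorted(self.learned)]
        return lines

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                      # port stays down until recovered
        if mac in self.allowed():
            return "forward"
        if len(self.allowed()) < self.maximum:
            self.learned.add(mac)              # room left: learn it
            return "forward"
        # Secure-address limit reached and this MAC is not one of them: violation.
        self.violations += 1
        if self.violation == "protect":
            return "drop"                      # silent drop, nothing logged
        self.log.append(f"port-security violation on {self.name} from {mac}")  # constructed text
        if self.violation == "shutdown":
            self.err_disabled = True           # port goes err-disabled
        return "drop"

    def link_flap(self):
        """Non-sticky learned addresses are lost when the link goes down."""
        if not self.sticky:
            self.learned.clear()
```

The 'protect' branch is the one to watch in monitoring: it drops the offending frames but leaves no log entry or trap, so a violation counter is the only evidence.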
Switched Network Optimization
Speed and Duplex
-speed and duplex must match on each side (for example, it is not valid to have only one side set to auto)
-full duplex is collision free
-set duplex THEN speed
show int fa0/1
show ip int br
Cisco ME 3400 Port Types
Network to Network Int, NNI: -prior to 12.2 only four ports can be NNI, newer versions ALL can be
-these are ports connected to end devices such as routers or other switches
User Network Int, UNI: -no switching of local traffic
-no control plane data (CDP, STP, LACP, PAgP)
-connects to hosts like PC or Cisco IP phone
Enhanced Network Interface: -same functionality as UNI ports
-some support for additional protocols not on UNI: CDP, STP, LACP, PAgP
Control Plane: Route Table, ARP Table, CPU, IOS
Data Plane: FIB (TCAM, route table ASIC), Adj DB (CAM, MAC table ASIC)
Configuring Port Type
(config-if)port-type nni (other options: UNI or ENI)
Spanning Tree Protocol (STP)
-broadcast storms: bridges flood broadcasts endlessly
-multiple frame transmission: multiple copies of the same frame can cause unrecoverable errors
-MAC database instability
-STP provides loop free topology by placing some ports in blocking state
-originally 802.1D specification
-MST and PVRST+ are predominant STPs
-RSTP - 802.1w, improves convergence by adding roles to ports and enhancing BPDU exchanges
-PVST+: Cisco enhancement that provided separate 802.1D ST for each VLAN configured
-Rapid PVST+: Cisco enhancement of RSTP using PVST+
Determining Root Bridge:
1. Lowest Bridge ID: Priority. Extended System (VLAN). Base MAC.
2. Lowest Aggregate Root Path Cost: 10Gbps=2, 1Gbps=4, 100Mbps=19, 10Mbps=100
3. Lowest Sender's Bridge ID
4. Lowest Port ID
Spanning Tree Convergence:
1. Elect one root bridge per broadcast domain (per VLAN), all ports on this are designated
2. Elect one root port per non-root bridge
3. Elect one designated port per segment
4. Non-designated ports are blocking logically
802.1D Port Roles: Root, Designated, Non-Designated
Port States: Discarding, Listening, Learning, Forwarding
802.1w (RSTP) Port Roles: Root, Designated, Alternate, Backup
Port States: Discarding, Learning, Forwarding
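The root-bridge election and root-port selection rules above, carried through on a small topology so the tie-break order (root path cost, then sender bridge ID, then port ID) can be checked. This is an added example, not from the study notes; the switch names, MACs and links are constructed, and port IDs are plain integers.

```python
"""Root-bridge election and root-port selection per the 802.1D rules above.
Added example, not from the study notes; the three-switch topology is constructed."""
import heapq

# 802.1D path cost by link speed in Mbps, as listed in the notes
STP_COST = {10000: 2, 1000: 4, 100: 19, 10: 100}


def bridge_id(priority, vlan, mac):
    """Bridge ID: 4-bit priority + 12-bit extended system ID (VLAN), then base MAC.
    Tuples compare element by element, so the lowest wins under min()."""
    return ((priority & 0xF000) | (vlan & 0x0FFF), mac.lower())


def elect_root(bridges):
    """bridges: {name: (priority, vlan, mac)}; the lowest bridge ID becomes root."""
    return min(bridges, key=lambda b: bridge_id(*bridges[b]))


def build_adjacency(links):
    """links: (switch_a, port_a, switch_b, port_b, speed_mbps).
    Returns {switch: [(neighbour, neighbour_port, own_port, cost)]}."""
    adj = {}
    for a, pa, b, pb, speed in links:
        adj.setdefault(a, []).append((b, pb, pa, STP_COST[speed]))
        adj.setdefault(b, []).append((a, pa, pb, STP_COST[speed]))
    return adj


def root_path_costs(root, adj):
    """Dijkstra from the root: lowest aggregate root path cost to every switch."""
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, _, _, cost in adj.get(u, []):
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                heapq.heappush(heap, (d + cost, v))
    return dist


def root_ports(bridges, links):
    """Returns (root, {non_root_switch: (root_port, root_path_cost)}).
    Each candidate port is ranked by (root path cost via that neighbour,
    sender bridge ID, sender port ID), the order the notes give."""
    root = elect_root(bridges)
    adj = build_adjacency(links)
    dist = root_path_costs(root, adj)
    chosen = {}
    for sw in bridges:
        if sw == root:
            continue
        candidates = [
            (dist.get(nbr, float("inf")) + cost, bridge_id(*bridges[nbr]), nbr_port, own_port)
            for nbr, nbr_port, own_port, cost in adj.get(sw, [])
        ]
        cost, _, _, own_port = min(candidates)
        chosen[sw] = (own_port, cost)
    return root, chosen


# Constructed topology: all switches at default priority 32768 in VLAN 1,
# so the lowest base MAC (SW1) becomes root.
BRIDGES = {
    "SW1": (32768, 1, "0000.0000.0001"),
    "SW2": (32768, 1, "0000.0000.0002"),
    "SW3": (32768, 1, "0000.0000.0003"),
}
LINKS = [
    ("SW1", 1, "SW2", 1, 1000),   # cost 4
    ("SW1", 2, "SW3", 1, 100),    # cost 19: SW3's direct link to the root
    ("SW2", 2, "SW3", 2, 1000),   # cost 4: SW3 reaches the root cheaper via SW2 (4+4=8)
]

if __name__ == "__main__":
    print(root_ports(BRIDGES, LINKS))
```

Note that SW3's root port is the link towards SW2, not its direct 100 Mbps link to the root, which is exactly the case where a slow direct uplink ends up non-designated.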
Default STP config for Catalyst Switches:
-PVST+
-Enabled on all ports in VLAN 1
-slower convergence after topology change
Default STP config for Cisco ME switches:
-Rapid PVST+
-Faster convergence
-Enabled on NNI ports in VLAN 1
-Disabled on ENI ports (can be enabled)
-not supported on UNI ports
Configuring Rapid PVST+ on ME Switch:
(config)spanning-tree mode rapid-pvst
(config-if)port-type eni
(config-if)spanning-tree (not necessary for NNI)
show spanning-tree vlan 1
show spanning-tree root
EtherChannel
-creates logical links made up of several similar physical links
-viewed as one logical link to STP
-more bandwidth, load balancing, redundancy
-support for switch ports and routed ports
-once port channel is created, ONLY config the PO, never the individual physical interface
-all ints in the channel must have the same speed/duplex, mode (access or trunk), same native or allowed
VLANs for trunks, same access VLAN for access ports
Configuring EtherChannel
(config)int range fa0/21 - 22
(config-if-range)channel-group 1 mode on (creates Port Channel 1)
show etherchannel summary
show int fa0/21 etherchannel
Flex Link
-pair of Layer 2 interfaces
-Alternative to STP
-provides basic link redundancy
-only one link is forwarding traffic
Troubleshooting Switch Issues
Copper Media: damaged wiring, EMI, traffic patterns change, new equipment is installed
Fiber Media macrobend losses, splice losses
show int fa0/1
-check interface and line protocol status (want up-up)
-input errors: CRC errors and framing errors
-output errors
-collisions
IOS XR
-built upon QNX: a pre-emptive, memory-protected, micro-kernel based OS giving higher availability, better
scalability, and a package-based software distribution model (some optional features can be installed while the router
is in service)
-web-based CLI
-Example IOS XR systems: 800, 1900, 2900, and 2900 Integrated Service Routers
-Catalyst 6500 series switches
-Cisco 7200 and 7600 Series Routers
-Cisco Carrier Routing System (CRS)
Management Access:
-console to RP (route processor) and standby RP
-Aux console (modem) to RP and standby RP
-Two ethernet management ints (IP connectivity)
Users/Task Groups*
-users are associated with a particular user group that links to a set of Task Ids
-every user group is associated with one or more task groups
-each task group is defined by a set of task IDs
Meaning of RP/0/RSP0/CPU0:Router Name#
RP = route processor
0 = single-rack chassis
RSP0 = Route Switch Processor (either 0 or 1)
CPU0 = always the same
Router Name = whatever the configured router name is
IOS XR Config
-only a running-config
-all changes must be committed, which default to atomic commit (attempts to commit all, if fails, no config
applies)
-turboboot procedure: install IOS XR software from scratch using ROMMON*
(config)commit ? (view all options, best-effort is often preferable)
show config
show config merge (shows potential config after commit)
show config history
show config lock
show hw-module fpd location all (used to determine if firmware on ASR 9000 Series cards can be
upgraded)
Routing Theory
Administrative Distance:
Directly Connected 0
Static Routes 1
EIGRP Summary Route 5
External BGP 20
Internal EIGRP 90
OSPF 110
IS-IS 115
RIP 120
External EIGRP 170
Unreachable/Unknown 255
Route summarization: uses to control growth of routing tables, a group of subnets is rolled up into one
summarizing router table entry
Classless Inter-Domain Routing: method for allocating IP addresses and routing IP packets, replaces classful
network design, goal is to slow growth of routing tables
Configuring Static Routes:
IOS:
(config)ip route 10.1.10.0 255.255.255.0 GigabitEthernet0/2
(config)ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 (This is a default route)
IOS XR:
(config)router static
(config-static)address-family ipv4 unicast
(config-static-afi) 10.1.10.0/24 GigabitEthernet0/0/0/0 (or IP address)
RIP Version 2:
-Hop count is distance metric
-maximum allowable hop count is 16
-Routing Updates every 30 seconds
-capable of load balancing up to 6 equal cost paths
-uses multicast for routing updates (IPv4: 224.0.0.9, IPv6: FF02::9)
RIPng:
-enabled on a per interface basis (instead of per network)
Configuring RIPv2:
IOS:
(config)router rip
(config-router)version 2
(config-router)network 10.0.0.0
(config-router)network 192.168.101.0
(config-router)no auto-summary (allows discontinuous networks)
Note: The network command enables routing on ints in that range and advertises the directly connected
network.
IOS XR:
(config)router rip
(config-rip)interface GigabitEthernet0/0/0/0 (enables RIP on this int)
Note: On IOS XR, RIPv2 is enabled by default
Configuring RIPng
IOS:
(config)ipv6 unicast-routing (enables IPv6 on the router)
(config)ipv6 rip <RIP process name> enabled
(config)Interface Loopback0
(config-int)ipv6 address FC00:10:1:10::/64 eui-64
(config-int)ipv6 enable
Verifying Routing Configuration:
IOS:
show ip protocols
show ip route <routing protocol>
IOS XR:
show protocols <protocol type> default-context
show route <routing protocol>
EIGRP:
-rapid convergence (uses DUAL algorithm)
-reduced bandwidth usage (sends only the routing info that is needed, and only to those who need it)
-Multiple network layer support (IPv4, IPv6, IPX, AppleTalk)
-Classless routing (supports discontiguous subnets and VLSMs)
-Less overhead (Multicast addresses: 224.0.0.10 and FF02::A)
-Load balancing : equal and unequal metric
-Easy summarization (create summary routes anywhere)
-Composite metric: Bandwidth, Delay, Reliability, Loading, MTU
-Hellos: 5 seconds Hold-time: 15 seconds
-Autosummarization disabled on IOS XR, and on more recent IOS versions
Advertised distance (AD): metric for an EIGRP neighbour to reach a particular network
Feasible distance (FD): AD learned from the EIGRP neighbour PLUS the metric to reach that neighbour
*Note: To choose a feasible successor, the AD must be less than the FD of the current successor
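The successor / feasible-successor rule above, applied to a neighbour table so the feasibility condition (AD strictly less than the successor's FD) is visible on a case that fails it. This is an added example, not from the study notes; the neighbour names and metrics are constructed.

```python
"""Successor and feasible-successor selection using the definitions above:
FD = neighbour's advertised distance (AD) + metric to that neighbour; a
feasible successor needs AD < FD of the successor.
Added example, not from the study notes; the table below is constructed."""


def eigrp_select(neighbours):
    """neighbours: {name: (advertised_distance, metric_to_neighbour)}.
    Returns (successor, successor_fd, feasible_successors sorted by FD)."""
    # Per neighbour: (AD, FD) for the destination network
    table = {n: (ad, ad + cost) for n, (ad, cost) in neighbours.items()}
    # Successor: lowest FD (name breaks exact ties deterministically)
    successor = min(table, key=lambda n: (table[n][1], n))
    succ_fd = table[successor][1]
    # Feasibility condition: the neighbour's AD must be below our best FD,
    # which guarantees that neighbour is not routing through us (loop-free).
    feasible = sorted(
        (n for n in table if n != successor and table[n][0] < succ_fd),
        key=lambda n: table[n][1],
    )
    return successor, succ_fd, feasible


def explain(neighbours):
    """Human-readable verdict per neighbour, for checking against 'show ip eigrp topology'."""
    successor, succ_fd, feasible = eigrp_select(neighbours)
    out = {}
    for n, (ad, cost) in neighbours.items():
        if n == successor:
            out[n] = f"successor (FD {ad + cost})"
        elif n in feasible:
            out[n] = f"feasible successor (AD {ad} < FD {succ_fd})"
        else:
            out[n] = f"not feasible (AD {ad} >= FD {succ_fd}, possible loop)"
    return out


# Constructed neighbour table: (AD, metric to neighbour)
NEIGHBOURS = {
    "R2": (20, 10),   # FD 30 -> successor
    "R3": (25, 15),   # FD 40, AD 25 < 30 -> feasible successor
    "R4": (35, 5),    # FD 40, AD 35 >= 30 -> fails the feasibility condition
}
```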
EIGRP configuration:
IOS:
(config)router eigrp 100 (remember EIGRP process numbers must match between routers)
(config-router)network 10.1.10.0 0.0.0.255 (second address is the wildcard value)
(config-router)network 192.168.101.0 (wildcard only required for further subnetting)
IOS XR:
(config)router eigrp 100
(config-eigrp) address-family ipv4
(config-eigrp-afi)int Loopback0
(config-eigrp-afi)int GigabitEthernet0/0/0/0
NAT and PAT
Static NAT: One to one address mapping
Dynamic NAT: Many to many, from a pool of public IPs
NAT overloading: One to many (requires PAT)
Inside local address: IPv4 address assigned to a host on the (your) inside network (Private)
Inside global address: Legitimate IPv4 address assigned (usually be the SP) that represents one or more
inside local IPv4 addresses to the outside world (Public)
Outside local address: IPv4 address of an outside host as it appears to the inside network. Not
necessarily legitimate, the outside local address is allocated from a routable address space on the inside. (
Private)
Outside global address: IPv4 address assigned to a host on the outside network by the host owner, the
address is allocated from a globally routable address or network space. (Public)
PAT:
-uses unique source port numbers on the inside global addresses to distinguish between translations
Configuring Static NAT translation:
(config)ip nat inside source static <local ip> <global ip>
(note that these addresses are not the router's own interfaces, but the next device they'd be connected to)
(config)int <int id>
(config-if)ip nat inside
(config-if)ip nat outside (note this line is for a different int that will face the outside)
show ip nat translations
Configuring Dynamic NAT:
(config)ip nat pool <name> <start IP> <end IP> <netmask or prefix length>
(config)access-list <access list number> permit <source> <source wildcard>
(config)ip nat inside source list <access list number> pool <name>
(config)int <interface>
(config-if)ip nat inside
(config-if)ip nat outside (note this line is for a different int that will face the outside)
show ip nat translations
Configuring Overloading (PAT)
(config)access-list <access list number> permit <source> <source wildcard>
(config)ip nat inside source list <access-list-number> interface <outside source interface> overload
Then specify the inside and outside interfaces (remember the ip nat outside interface you configure must match the
one configured above)
DHCP
-uses UDP port 67 (to server) and UDP port 68 (to client)
Four DHCP steps:
DHCP discover: client broadcasts DHCP discover messages with its own MAC to find available
DHCP servers.
DHCP offer: When the server receives the discover message, it reserves an IP for that client and
sends the offer to them.
DHCP request: a client can receive multiple offers, but will only accept one. The DHCP request
message is broadcasted (due to still not having an IP).
DHCP Acknowledgement: the server sends the ack packet to the client, it includes lease duration
and other config info.
DHCPv4 Relay: relay agents are installed on subnets that are not directly connected to the DHCP
server. Relay agents receive the discover broadcast and unicast it to one or more DHCP servers. The
relay continues to act as the intermediary in the process.
DHCPv6:
-uses UDP port 546 (data to the server) and UDP 547 (data to the client)
1. Router Advertisement: indicates to clients whether additional config parameters are available via
DHCPv6
2. DHCPv6 Solicit: client sends solicit message to multicast address to discover all available servers
3. DHCPv6 Advertise: all servers that receive the Solicit message from the client send an Advertise
message back. Other config info for the client may be included.
4. DHCPv6 Request: The client sends a Request message to the selected server, using the Server
Identifier option to request the use of the selected config. If the SI sent by the client does not match the
SI offered by a server, that server puts its offered IPv6 address back into the pool.
5. DHCPv6 Reply: the server assigns the config to the client and sends a Reply message with either
no status code option or with a status code option with the value Success to the client.
DHCP Server Configuration on IOS
(config)ip dhcp excluded-address <start ip> <end ip> (if you need to exclude addresses from the
pool)
(config)ip dhcp pool <pool name>
(config-dhcp)network <network/mask>
(config-dhcp)lease <# of days>
(config-dhcp)dns-server <server address>
(config-dhcp)default-router <ip address>
DHCP Relay Configuration on IOS
(config-if)ip helper-address <address>
(config-if)ip forward-protocol udp <port>
DHCP Client Config on IOS
(config-if)ip address dhcp
WAN Encapsulation
DSL
-Cisco maintains that PPPoE is the common setup in consumer DSL*
PPP � Point to Point:
Asynchronous serial - POTS dial-up
Synchronous serial - ISDN or PPP leased lines
-Data link layer subdivided into two:
-NCP
-LCP (Link Control Protocol): Authentication, advanced error detection, compression
PAP vs CHAP:
-PAP: passwords sent in plaintext, two-way exchange
-CHAP: three-way exchange using a shared secret
Configuring PPP and Authentication
(config)hostname <Router name> (hostname is required)
(config)username <other router name> password <password>
(config-if)encapsulation PPP
(config-if)ppp authentication chap (optionally pap)
show interface serial0 (to verify selected encapsulation, HDLC is default)
PPPoE Authentication Process
PPPoE Active Discovery Initiation (PADI)
PPPoE Active Discovery Offer (PADO)
PPPoE Active Discovery Request (PADR)
PPPoE Active Discovery Session-confirmation (PADS)
LCP/IPCP
Frame Relay
-uses DLCI as the virtual circuit identifier (VCI)
Packet over SONET (POS)
-carries packets within the SONET synchronous payload (SPE) by using small amount of HDLC or
PPP framing (note this HDLC is NOT Cisco proprietary)
-operates seamlessly with existing SONET infrastructure
-point-to-point, but does not use time division multiplexing (TDM)
-IP to PPP Frame to HDLC Frame to SONET/SDH Frame
(config)int pos 0/2/0
(config-if)clock source {internal | line}
show controllers (verify POS interface operation)
VPNs
L2TP: Layer 2 Tunneling Protocol (newer than PPTP). Two main components: L2TP network server
(LNS), which is the termination point for the tunnel and the access point where PPP frames are
processed then passed to higher level protocols; and the LAC (L2TP Access Concentrator) which the
client directly connects to and PPP frames are tunnelled to the LNS
IPSec: -Not bound to specific algorithms (ciphers)
-Confidentiality, Integrity, and Authentication, anti-replay protection
Secure Sockets Layer (SSL): predecessor to TLS, supports various cryptographic algorithms
(asymmetric with public and private keys). Can be used to encrypt plaintext email protocols.
Generic Routing Encapsulation (GRE): -tunneling protocol that encapsulates arbitrary types of
network layer packets inside arbitrary network layer protocols
-developed by Cisco
-allows routing information to be passed between connected networks (can be used with IPSec VPNs,
as IPSec does not support broad/multicast, and routing protocols rely on those heavily)
Configuring GRE Tunnels:
(config)interface tunnel <number>
(config-if)ip address <IP address> <net mask>
(config-if)tunnel source <IP address | interface>
(config-if)tunnel destination <destination IP address>
(config-if)no shut
(config-if)exit
(config)ip route <remote network> <remote netmask> tunnel <tunnel number>
Cisco Discovery Protocol (CDP)
-Cisco proprietary tool that enables access to protocol and address info about other directly
connected Cisco devices (device identifiers, address list, port identifier, capabilities list, platform)
-runs on the data link layer
-Physical media for CDP devices must support Subnetwork Access Protocol (SNAP) protocol
-devices send periodic messages, known as advertisements, to a multicast address (default 60
seconds, holdtime 180 seconds)
-Default states on IOS: global: enabled; CDP int: enabled (on ME switches, enabled only on NNI, not
supported on UNI)
-Default states on IOSXR: global: disabled; interface: disabled
Configuring CDP:
IOS:
(config)cdp run (enabled by default)
(config)interface FastEthernet0/2
(config-if)cdp enable
IOS XR:
(config)cdp (disabled by default)
(config)interface GigabitEthernet0/0/0/0
(config-if)cdp
show cdp
show cdp traffic
show cdp neighbors
show cdp neighbors detail
Simple Network Management Protocol (SNMP)
-application layer protocol
-consists of SNMP manager, agents, and an MIB (management information base)
-3 versions: 1, 2c, and 3 (supports encryption)
-SNMP agents are polled periodically to gather data (improper user authentication, link status, CPU
usage)
-the agent gathers data from the MIB, but can respond to get or set requests from the manager
-inform operations are not supported in IOS XR software*
Configuring SNMP (IOS and IOSXR)
(config)snmp-server community cisco RW (configures community access string 'cisco' to permit
read-write access to the SNMP agent)
(config)snmp-server traps bgp (enables trap notifications regarding BGP protocol)
(config)snmp-server host 10.1.1.254 version 2c cisco (specifies the recipient of an SNMP notification
operation, version, and community to be used)
Syslogs
-protocol that allows a machine to send event notification messages across IP networks to event
message collectors
-by default, system messages and debug output go to a logging process; if the process is disabled,
messages are sent only to the console
Severity Levels:
0 - Emergency
1 - Alert
2 - Critical
3 - Error
4 - Warning
5 - Notification
6 - Informational
7 - Debugging
"Do I Notice When Evening Comes Around Early" (mnemonic, in reverse order)
Configuring Syslog on Cisco Devices:
IOS and IOS XR:
(config)logging console debugging (specifies debugging and numerically lower should be logged on
the console)
(config)logging buffered informational (logging buffer is the destination for informational and numerically
lower level messages)
(config)logging monitor debugging (specifies vty lines as destination for debugging)
(config)logging 10.1.1.253 (specifies a syslog server host as a destination for messages)
(config)logging trap alerts (specifies severity of messages to be sent to the server)
Other commands:
show logging
(config)logging buffered <buffer size in bytes>
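A parser for the %FACILITY-SEVERITY-MNEMONIC message format together with the per-destination filtering that the logging commands above configure (a message reaches a destination when its severity number is at or below the configured level). This is an added example, not from the study notes; the sample log lines are constructed, and the destination thresholds mirror the commands in the section.

```python
"""Cisco system-message parsing and logging-destination filtering.
Added example, not from the study notes; the sample lines are constructed."""
import re

# %FACILITY-SEVERITY-MNEMONIC: text   (timestamp/sequence prefixes are ignored)
MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)

# Level keywords as typed on the 'logging ...' commands, mapped to severity numbers
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}


def parse(line):
    """Return {'facility', 'severity' (int), 'mnemonic', 'text'} or None."""
    m = MSG.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    return fields


def destinations(msg, config):
    """config maps destination -> level keyword, mirroring e.g.
    'logging console debugging' and 'logging trap alerts'.
    Lower numbers are more severe, so <= means 'at this level or worse'."""
    return [dest for dest, level in config.items() if msg["severity"] <= LEVELS[level]]


def route(lines, config):
    """Group mnemonics by destination for a batch of raw log lines."""
    out = {dest: [] for dest in config}
    for line in lines:
        msg = parse(line)
        if msg is None:
            continue
        for dest in destinations(msg, config):
            out[dest].append(msg["mnemonic"])
    return out


# The destinations configured by the commands in this section
NOTES_CONFIG = {"console": "debugging", "buffered": "informational",
                "monitor": "debugging", "trap": "alerts"}

# Constructed sample messages in the IOS format
SAMPLE = [
    "*Mar  1 00:01:02.003: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)",
    "*Mar  1 00:02:00.000: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "*Mar  1 00:03:00.000: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 0000.1111.cccc on port FastEthernet0/1.",
    "not a system message at all",
]
```

With `logging trap alerts` as configured above, the severity 2 port-security violation never reaches the syslog server; a threshold of `critical` or lower is needed for the collector to see it.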
Netflow
-Cisco developed protocol for collecting IP traffic information, including:
-application and network usage
-network productivity and utilization of network resources
-impact of changes to the network
-network anomaly and security vulnerability
-Attributes NetFlow can use: IP source/destination address, source/destination port, Layer 3 protocol
port, Class of Service, router or switch interface
-Generally Netflow is used for the following: Accounting and billing, network planning and analysis,
network monitoring
SPAN
-copies network traffic from network ports on VLANs to another port for analysis
-can monitor: Receive (Rx), Transmit (Tx), or both (by default)
Guidelines for Configuring SPAN
-total of 66 SPAN sessions on a Cisco ME 3400
-destination port cannot be a source port
-cannot have two SPAN sessions using the same destination port
-when you config a port as a SPAN destination, it is no longer a normal switch port, only monitored
traffic passes through
-entering SPAN config commands does not remove previously configured SPAN parameters
Configuring SPAN
IOS:
(config)no monitor session <session number> (disables existing SPAN config for sessions)
(config)monitor session 1 source int fa0/1 <rx|tx>
(config)monitor session 1 destination int fa0/2 (monitors traffic on fa0/1 and send it to fa0/2)
show monitor session 1
IP Service Level Agreement (SLA)
-An SLA is a contract between the provider and its customers:
-provides guaranteed service level
-specifies connectivity and performance agreements for an end-user service
-supports problem isolation and network planning
-Uses SNMP to gather data
-consists of a source (where all measurement probe operations are configured), the responder is the
destination of those probes
Configuring IP SLA:
IOS:
(config)ip sla monitor <monitor number>
(config-rtr)path-echo 10.10.10.253 (ICMP echo operation to destination IP address)
(config-rtr)frequency <number of seconds>
(config-rtr)exit
(config)ip sla monitor schedule 432 life forever start-time now (one command; 432 is the monitor number)
show ip sla statistics
IOS XR:
(config)ipsla
(config-ipsla)operation <operation number>
(config-ipsla)type icmp echo
(config-ipsla)destination address 10.10.10.19
(config-ipsla)frequency 300
(config-ipsla)schedule operation <operation number>
(config-ipsla)start-time now
(config-ipsla)life forever
show ipsla statistics 432
Network Time Protocol (NTP)
-synchronizes clocks of computer systems over a variable-latency data network. Example: routers will
sync with an NTP server
-uses UDP port 123 for transport layer
-clock sync is critical for: tracking of network events in the correct order (syslog data), and for digital
certs, amongst other things
-3 ways a network device can obtain NTP time info: polling the NTP server, listening to NTP broadcasts,
listening to NTP multicasts
Configuring NTP:
IOS:
(config)ntp server <server ip> (forms server association with another system, see IOS XR example below)
show ntp associations
show ntp status
IOS XR:
(config)ntp
(config-ntp)master 1 (makes the router an authoritative NTP server)
(config-ntp)int gi0/0/0/1 disable
Cisco Technical Assistance Center
-opening a case online has priority (http://www.cisco.com/techsupport/servicerequest)
-Issues resolved quickly by allowing Cisco engineers remote access
Authentication, Authorization, Accounting/Auditing (AAA)
-Authentication: requires users/admins to prove they really are who they say they are. Username/
password, challenge/response, token cards, etc.
-Authorization: After authentication, decides which resources the user/admin is allowed to access and
what operation they are allowed to perform
-Accounting: Records what the user/admin actually did, when, and how long
-basic authentication is the globally configured username and password
-larger enterprises will generally use AAA servers (RADIUS and TACACS+)
AAA User Config on IOS XR:
admin config
(admin-config)username user1
(admin-config-un)group netadmin (note these groups would have already been created with the usergroup
command; a user can be added to multiple groups)
(admin-config-un)secret newpassword
(admin-config-un)password oldpassword