
Ch1

*2-1-5 Converged Network


*2-1-5 collaboration
*Borderless Network is a network architecture that allows organizations to connect anyone, anywhere, anytime, and on any device securely, reliably, and seamlessly. It is built upon the following principles: Hierarchical, Modularity, Resiliency, Flexibility. Designed as follows: access, distribution, core.
*A switch builds a table called the MAC address table, or content addressable memory (CAM) table
*Collision domain (hub, switch port) vs. broadcast domain
Ch2
*POST-BOOT-IOS-NVRAM
*(config-if)#duplex full, (config-if)#speed 100
*(config-if)#mdix auto, (config-if)#duplex auto, (config-if)#speed auto
*show (interfaces, startup-config, running-config, flash, version, history, ip, mac address-table)
*show ssh / show ip ssh

to prevent spoofing
*Secure MAC addresses can be configured in a number of ways:
>Static secure MAC addresses - Dynamic secure MAC addresses - Sticky secure MAC addresses
>Violation modes: Protect - Restrict - Shutdown
*show port-security address
*After a shutdown violation, a shutdown/no shutdown interface command must be issued to re-enable the port
Ch3
*VLAN 1 is the native, management, and default VLAN, and cannot be deleted

ip phone

*Normal Range VLANs: VLAN numbers from 1 through 1005; configurations stored in vlan.dat (in flash); VTP can only learn and store normal range VLANs
*Extended Range VLANs: VLAN numbers from 1006 through 4096; configurations stored in the running-config (in the NVRAM); VTP does not learn extended range VLANs
*Dynamic Trunking Protocol (DTP) is a protocol to manage trunk negotiation
*show interfaces trunk
*To prevent a basic switch spoofing attack, turn off trunking on all ports except the ones that specifically require trunking
*Most switches perform only one level of 802.1Q de-encapsulation, allowing an attacker to embed a second, unauthorized 802.1Q header in the frame. After removing the first, legitimate 802.1Q header, the switch forwards the frame to the VLAN specified in the unauthorized 802.1Q header.
The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports
*Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between protected ports on the switch
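Added example (not from the notes or from any Cisco tool): a small Python auditor that reads a constructed running-config excerpt and checks the two Ch3 mitigations above, namely that ports which do not need trunking cannot negotiate one through DTP, and that a trunk's native VLAN is not also a user VLAN. The interface names, VLAN numbers and config lines are constructed sample data; the IOS command syntax it parses is the standard switchport syntax.

```python
"""Audit a switch running-config excerpt for the two Ch3 exposures:
ports left free to negotiate a trunk (DTP), and a trunk whose native
VLAN is also a user VLAN (double-tagging)."""

# Constructed sample running-config excerpt, not from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 10
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport mode access
interface GigabitEthernet0/3
 switchport access vlan 20
interface GigabitEthernet0/4
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
"""


def parse_interfaces(config):
    """Return {interface_name: [stanza lines]} for each 'interface' block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def _last_word(lines, prefix, default):
    """Value (last word) of the first line starting with `prefix`, else `default`."""
    for line in lines:
        if line.startswith(prefix):
            return line.split()[-1]
    return default


def audit(config):
    """Return a sorted list of (interface, finding) tuples."""
    findings, user_vlans, trunk_native = [], set(), {}
    for name, lines in parse_interfaces(config).items():
        mode = _last_word(lines, "switchport mode ", None)
        # VLAN 1 is both the default access VLAN and the default native VLAN.
        access_vlan = int(_last_word(lines, "switchport access vlan ", "1"))
        native = int(_last_word(lines, "switchport trunk native vlan ", "1"))
        if mode == "trunk":
            trunk_native[name] = native
            if "switchport nonegotiate" not in lines:
                findings.append((name, "trunk still sends DTP frames; add 'switchport nonegotiate'"))
        else:
            user_vlans.add(access_vlan)
            if mode != "access":
                # No 'switchport mode access' (or a dynamic mode): DTP may negotiate a trunk.
                findings.append((name, "no 'switchport mode access'; DTP may negotiate a trunk"))
    # Double-tagging check: a trunk native VLAN must not be any user VLAN.
    for name, native in trunk_native.items():
        if native in user_vlans:
            findings.append((name, f"native VLAN {native} is also a user VLAN (double-tagging risk)"))
    return sorted(findings)


if __name__ == "__main__":
    for intf, msg in audit(SAMPLE_CONFIG):
        print(f"{intf}: {msg}")
```

On the sample config the auditor reports three findings: Gi0/1 still negotiates DTP and shares its native VLAN 10 with the user port Gi0/2, and Gi0/3 has no explicit access mode. Gi0/4 (native VLAN 99, nonegotiate) is clean.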

Ch4
*Process switching: an older packet forwarding mechanism still available for Cisco routers.
*Fast switching: a common packet forwarding mechanism which uses a fast-switching cache to store next hop information.
*Cisco Express Forwarding (CEF): the most recent, fastest, and preferred Cisco IOS packet-forwarding mechanism. Table entries are not packet-triggered like fast switching but change-triggered.

used on ospf

*A value of 0 (zero) prevents the router from pausing between screens of output.
To filter specific output of commands, use the pipe character (|) after the show command. Parameters that can be used after the pipe include: section, include, exclude, begin

*Administrative Distance (AD) is the trustworthiness of a route source.
The lower the AD, the more trustworthy the route.

*Dynamic routing protocols use their own rules and metrics to build and update routing tables, for example:
Routing Information Protocol (RIP) - hop count
Open Shortest Path First (OSPF) - cost based on cumulative bandwidth from source to destination
Enhanced Interior Gateway Routing Protocol (EIGRP) - bandwidth, delay, load, reliability

*An active, configured directly connected interface creates two routing table entries: Link Local (L) and Directly Connected (C)
*Static route to a specific network: ip route network mask {next-hop-ip | exit-intf}
Next-hop route - only the next-hop IP address is specified.
Directly connected static route - only the router exit interface is specified.
Fully specified static route - the next-hop IP address and exit interface are specified; used when the output interface is a multi-access interface.
Default static route - used when the routing table does not contain a path for a destination network:
ip route 0.0.0.0 0.0.0.0 {exit-intf | next-hop-ip}
Ch5
*Inter-VLAN routing: Legacy Inter-VLAN Routing (physical connection) vs. Router-On-A-Stick (virtual connection)
*show run, show interfaces
*Layer 3 switch: a routed port is a physical port that acts similarly to an interface on a router
Routed ports are not associated with any VLANs
Layer 2 protocols, such as STP, do not function on a routed interface
Routed ports on a Cisco IOS switch do not support subinterfaces
To configure routed ports, use the no switchport interface configuration mode command
*The sdm lanbase-routing template can be enabled to allow the switch to route between VLANs and to support static routing
*To troubleshoot Layer 3 switching issues, check the following items for accuracy:
VLANs: VLANs must be defined across all the switches / VLANs must be enabled on the trunk ports / ports must be in the right VLANs
SVIs: the SVI must have the correct IP address and subnet mask / the SVI must be up / the SVI must match the VLAN number
Routing: routing must be enabled / each interface or network should be added to the routing protocol
Ch6

*Floating static routes are static routes that are used to provide a backup path to a primary static or dynamic route, in the event of a link failure. The floating static route is only used when the primary route is not available. To accomplish this, the floating static route is configured with a higher administrative distance than the primary route.
*Configure a Next-Hop Static Route: the router performs two lookups, first to find the next hop, then to find which exit interface is connected to that next hop
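Added example (not from the notes) covering the Ch4 administrative-distance rule, the floating static route, and the two-step next-hop lookup just described: a Python model of a routing table that picks the longest matching prefix, then the lowest AD, then the lowest metric, and resolves a next-hop route recursively to its exit interface. The table, interface names and addresses are constructed; the AD values are the Cisco defaults (connected 0, static 1, OSPF 110, RIP 120) plus a floating static at 130, which is an assumed value for the example.

```python
"""Route selection model: longest prefix match, then administrative distance,
then metric; a floating static route (higher AD) is only chosen after the
primary route has been withdrawn. Next-hop routes are resolved recursively
to an exit interface (the second lookup a next-hop static route requires)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    prefix: str            # e.g. "10.0.0.0/8"
    source: str            # "C" connected, "S" static, "O" OSPF, "R" RIP, "S*" default static
    ad: int                # administrative distance
    metric: int
    next_hop: str = None   # None for connected / exit-interface routes
    exit_intf: str = None


# Constructed routing table for the example.
TABLE = [
    Route("0.0.0.0/0", "S*", 1, 0, next_hop="10.1.1.2"),
    Route("10.1.1.0/30", "C", 0, 0, exit_intf="Se0/0/0"),
    Route("10.2.2.0/30", "C", 0, 0, exit_intf="Se0/0/1"),
    Route("172.16.0.0/16", "O", 110, 20, next_hop="10.1.1.2"),  # primary, learned by OSPF
    Route("172.16.0.0/16", "S", 130, 0, next_hop="10.2.2.2"),   # floating static, AD 130 (assumed)
    Route("172.16.5.0/24", "R", 120, 3, next_hop="10.2.2.2"),   # more specific route via RIP
]


def lookup(table, dest):
    """Best route for dest, or None. Longest prefix wins; ties go to the lowest AD,
    then the lowest metric (on a real router only the lowest-AD route per prefix is
    installed, so the floating static never appears while the primary exists)."""
    addr = ip_address(dest)
    candidates = [r for r in table if addr in ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ip_network(r.prefix).prefixlen, r.ad, r.metric))


def resolve_exit(table, route, depth=0):
    """Follow next hops until a route with an exit interface is reached."""
    if route.exit_intf:
        return route.exit_intf
    if depth > 8:
        raise RuntimeError("next-hop recursion too deep")
    via = lookup(table, route.next_hop)
    if via is None:
        return None   # next hop unreachable: the route is unusable
    return resolve_exit(table, via, depth + 1)


def forward(table, dest):
    """Return (route source, prefix, exit interface) used for dest, or None."""
    route = lookup(table, dest)
    if route is None:
        return None
    return (route.source, route.prefix, resolve_exit(table, route))


def withdraw(table, source, prefix):
    """Table without the route from `source` for `prefix` (simulated link failure)."""
    return [r for r in table if not (r.source == source and r.prefix == prefix)]


if __name__ == "__main__":
    print(forward(TABLE, "172.16.5.10"))   # /24 via RIP beats the /16 routes
    print(forward(TABLE, "172.16.9.1"))    # OSPF (AD 110) beats floating static (AD 130)
    print(forward(withdraw(TABLE, "O", "172.16.0.0/16"), "172.16.9.1"))  # floating static takes over
    print(forward(TABLE, "8.8.8.8"))       # default route
```

Note that the more specific RIP route (AD 120) wins over the OSPF /16 (AD 110) for 172.16.5.10: prefix length is compared before AD, which is why a floating static route needs a higher AD for the same prefix, not just a worse metric.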

fully(link local)

next hop(global)

exit interface

(8-16-24)

*Classful (class A, B, C, D) vs. classless (CIDR)



*Fixed Length Subnet Masking (FLSM) (/27-/27-/27) vs. Variable Length Subnet Masking (VLSM) (/27-/30-/26)
*Multiple static IPv6 routes can be summarized into a single static IPv6 route if:
The destination networks are contiguous and can be summarized into a single network address.
The multiple static routes all use the same exit interface or next-hop IPv6 address
*floating static route

*ping / traceroute / show ip route / show ip interface brief / show cdp neighbors detail
Ch7


*Purpose of dynamic routing protocols includes:
Discovery of remote networks / maintaining up-to-date routing information / choosing the best path to destination networks / ability to find a new best path if the current path is no longer available
*Disadvantages of dynamic routing: they dedicate part of a router's resources to protocol operation, including CPU time and network link bandwidth, and are less secure.

*Main components of dynamic routing protocols include:
Data structures - routing protocols typically use tables or databases for their operations. This information is kept in RAM.
Routing protocol messages - routing protocols use various types of messages to discover neighboring routers, exchange routing information, and perform other tasks to learn and maintain accurate information about the network.
Algorithm - routing protocols use algorithms for processing routing information and for best path determination.
*slides 16 to 22
*Convergence:
A network is converged when all routers have complete and accurate information about the entire network.
Convergence time is the time it takes routers to share information, calculate best paths, and update their routing tables.
A network is not completely operable until the network has converged.
*Convergence time of RIP > that of OSPF & EIGRP
*Interior Gateway Protocols (IGP): used for routing within an AS, while EGPs are used between ASes
*Distance vector protocols forward updates periodically every 30 sec (RIPv1, RIPv2, IGRP), while link-state protocols forward updates on any change in the network (EIGRP, OSPF...)
*Classful routing protocols do not send subnet mask information in their routing updates (RIPv1 & IGRP); the remaining protocols are classless

*RIP uses the Bellman-Ford algorithm as its routing algorithm
IGRP and EIGRP use the Diffusing Update Algorithm (DUAL) routing algorithm developed by Cisco
Link-state routing protocol operation: Dijkstra's algorithm
*In RIP the max hop count is 15; EIGRP & IGRP use a composite metric (bandwidth, delay, reliability, load)


*RIPv1 and IGRP use broadcast addresses while RIPv2 and EIGRP use multicast addresses
*Enabling RIPv2: router rip / version 2 / ^Z
*Passive interface: router rip / passive-interface g0/0 (receive updates but do not send them)
*Propagating a default route


*slides 51 to 60
*Routes are discussed in terms of:
Ultimate route: directly connected and link local routes
Level 1 route: supernet, default, or network route (a route you configured manually)
Level 1 parent route: contains the child routes of the network
Level 2 child routes: child networks of the parent network
*Administrative distance: depends on the route source (directly connected, RIP, static, OSPF...)
Metric: the cost of that path
Ch8
*slides 9, 10, 11

*Dead interval is the period that the router waits to receive a Hello packet before declaring the neighbor down. Cisco's default is 4 times the Hello interval: 40 seconds (default on multiaccess and point-to-point networks), 120 seconds (default on NBMA networks; for example, Frame Relay)
*slides 21 to 26, 29, 30
*Passive interface: router ospf 10 / passive-interface g0/0 (receive but do not send)
*OSPF uses a reference bandwidth of 100 Mb/s, so any link equal to or faster than a Fast Ethernet connection gets the same cost && the default bandwidth on most serial interfaces is set to 1.544 Mb/s, to solve
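Added example (not from the notes): the OSPF interface cost formula (reference bandwidth divided by interface bandwidth, truncated, minimum 1) fed into a Dijkstra shortest-path computation over a constructed three-router topology. It shows the limitation of the 100 Mb/s reference mentioned above: a direct Fast Ethernet link and a two-hop Gigabit path both cost 1, so the slower direct link is chosen until the reference bandwidth is raised (auto-cost reference-bandwidth, a real IOS command). Router names and link speeds are constructed.

```python
"""OSPF cost from the reference bandwidth, then Dijkstra's SPF over a small
constructed topology, at the default 100 Mb/s reference and at 10000 Mb/s."""
import heapq


def ospf_cost(bandwidth_mbps, reference_mbps=100):
    """Cisco formula: reference bandwidth / interface bandwidth, truncated to an
    integer and never below 1 (which is why every link >= reference costs 1)."""
    return max(1, int(reference_mbps // bandwidth_mbps))


# Constructed topology: (router A, router B, bandwidth in Mb/s).
LINKS = [
    ("R1", "R2", 1000),   # Gigabit Ethernet
    ("R2", "R3", 1000),   # Gigabit Ethernet
    ("R1", "R3", 100),    # Fast Ethernet, direct
]


def build_graph(links, reference_mbps):
    """Undirected adjacency map {router: {neighbor: cost}}."""
    graph = {}
    for a, b, bw in links:
        cost = ospf_cost(bw, reference_mbps)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(graph, root):
    """Dijkstra: return {router: (total cost, path from root)}."""
    dist = {root: (0, [root])}
    heap = [(0, root)]
    done = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, link_cost in graph[node].items():
            new_cost = cost + link_cost
            if nbr not in dist or new_cost < dist[nbr][0]:
                dist[nbr] = (new_cost, dist[node][1] + [nbr])
                heapq.heappush(heap, (new_cost, nbr))
    return dist


def best_path(links, root, target, reference_mbps=100):
    """(cost, path) chosen by SPF for the given reference bandwidth."""
    return spf(build_graph(links, reference_mbps), root)[target]


if __name__ == "__main__":
    print("serial 1.544 Mb/s cost at default reference:", ospf_cost(1.544))
    print("default reference (100):", best_path(LINKS, "R1", "R3", 100))
    print("reference 10000:", best_path(LINKS, "R1", "R3", 10000))
```

With the default reference the direct Fast Ethernet link is used (cost 1 versus 2); with auto-cost reference-bandwidth 10000 the costs become 100 versus 10 + 10 and the Gigabit path wins. The reference bandwidth must be set identically on every router in the OSPF domain, otherwise routers compute different costs for the same links.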

*show ip ospf neighbor: to check that the router has formed adjacencies with other routers, and to see their router IDs
*show ip ospf interface brief: cost, area, state
*FF02::5 is the all-OSPF-routers address && FF02::6 is the DR/BDR multicast address
*OSPF for IPv6: configure the router ID and

Ch9
*Packet filtering (ACLs) works at layers 3 and 4 (source & destination IP and source & destination port)
*Inbound and outbound ACLs deny everything by default unless a permit command is entered
*Standard ACL (numbers 1-99 & 1300-1999) vs. extended ACL (numbers 100-199 & 2000-2699)

*Wildcard mask: the inverse of the subnet mask
*One ACL per protocol, per direction, per interface
*Steps to do an ACL: 1- base it on the security policies of the organization 2- write a description 3- use a text editor 4- test

*Extended ACLs: locate extended ACLs as close as possible to the source of the traffic to be filtered.
*Standard ACLs: because standard ACLs do not specify destination addresses, place them as close to the destination as possible.
*Standard ACL
*Extended ACL

*To remove the ACL, the global configuration no access-list command is used
*Access list statements are processed sequentially (in order)
*To apply an access list to an interface after creating it, enter: int eth0/0, then ip access-group (number or name of ACL) (in | out)
*To remove an access list from an interface and delete it, enter: no ip access-group, then no access-list
*Numbering and naming access lists
*Same for named ACLs, but remove every (1) and put the name
*show ip interface eth0/0 (to verify the ACL is configured on it) &&
*Slide 38: using a standard ACL to restrict Telnet and SSH access, although it can be done with an extended ACL
*Extended ACLs use source and destination IP, port number, and protocol ::: structure:

*Named extended ACL

*In a production network, the amount of information provided by debug commands can be overwhelming and can cause network interruptions. Some debug commands can be combined with an access list to limit output so that only the information needed for verification or troubleshooting a specific issue is displayed
*Using an extended ACL for ICMP
*Standard ACL decision process: only examines the source IPv4 address. The destination of the packet and the ports involved are not considered.
*Extended ACL decision process: filters on the source address, then on the port and protocol of the source. It then filters on the destination address, then on the port and protocol of the destination, and makes a final permit or deny decision.
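Added example (not from the notes) tying together the Ch9 points on wildcard masks, sequential processing, the implicit deny, and the standard versus extended decision process: a Python evaluator that runs a packet through a standard ACL (source address only) and an extended ACL (protocol, source, source port, destination, destination port) entry by entry. The two ACLs, the addresses and the packets are constructed; the host and any expansions (wildcard 0.0.0.0 and 0.0.0.0 255.255.255.255) follow IOS.

```python
"""Evaluate standard and extended IPv4 ACLs the way the Ch9 notes describe:
entries are tested in order, a wildcard mask selects which address bits must
match (0 = must match, 1 = don't care), a standard ACL looks only at the
source address, an extended ACL checks protocol, source, destination and
ports, and a packet matching no entry hits the implicit deny."""
from ipaddress import IPv4Address


def wildcard_from_mask(subnet_mask):
    """The wildcard mask is the bitwise inverse of the subnet mask."""
    return str(IPv4Address(int(IPv4Address(subnet_mask)) ^ 0xFFFFFFFF))


def wildcard_match(address, entry_address, wildcard):
    """Bits where the wildcard is 0 must match; bits where it is 1 are ignored."""
    w = int(IPv4Address(wildcard))
    return (int(IPv4Address(address)) | w) == (int(IPv4Address(entry_address)) | w)


# Constructed ACLs, not from the page. 'host' is wildcard 0.0.0.0 and
# 'any' is 0.0.0.0 255.255.255.255, as IOS expands them.
ANY = ("0.0.0.0", "255.255.255.255")

STANDARD_ACL_10 = [
    {"action": "deny",   "src": "192.168.10.10", "src_wc": "0.0.0.0"},   # host
    {"action": "permit", "src": "192.168.10.0",  "src_wc": "0.0.0.255"},
]

EXTENDED_ACL_110 = [
    {"action": "permit", "proto": "tcp", "src": "192.168.10.0", "src_wc": "0.0.0.255",
     "dst": ANY[0], "dst_wc": ANY[1], "dst_port": 80},
    {"action": "permit", "proto": "tcp", "src": "192.168.10.0", "src_wc": "0.0.0.255",
     "dst": ANY[0], "dst_wc": ANY[1], "dst_port": 443},
    {"action": "deny",   "proto": "ip",  "src": ANY[0], "src_wc": ANY[1],
     "dst": ANY[0], "dst_wc": ANY[1]},   # explicit deny any any
]


def standard_acl(acl, packet):
    """Return (action, index of the matching entry); index None is the implicit deny."""
    for i, entry in enumerate(acl):
        if wildcard_match(packet["src"], entry["src"], entry["src_wc"]):
            return entry["action"], i
    return "deny", None


def extended_acl(acl, packet):
    """Same, checking protocol, source, source port, destination, destination port
    in that order; the first entry that matches on every field decides."""
    for i, entry in enumerate(acl):
        if entry["proto"] != "ip" and entry["proto"] != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], entry["src"], entry["src_wc"]):
            continue
        if "src_port" in entry and entry["src_port"] != packet.get("src_port"):
            continue
        if not wildcard_match(packet["dst"], entry["dst"], entry["dst_wc"]):
            continue
        if "dst_port" in entry and entry["dst_port"] != packet.get("dst_port"):
            continue
        return entry["action"], i
    return "deny", None


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.224"))                        # 0.0.0.31
    print(standard_acl(STANDARD_ACL_10, {"src": "192.168.10.10"}))      # denied by entry 0
    print(standard_acl(list(reversed(STANDARD_ACL_10)), {"src": "192.168.10.10"}))  # order matters
    print(extended_acl(EXTENDED_ACL_110,
                       {"proto": "tcp", "src": "192.168.10.7", "dst": "203.0.113.5", "dst_port": 443}))
```

Reversing the standard ACL shows why order matters: with the network permit first, the host deny is never reached. In the extended ACL, a UDP packet from the same subnet falls through both TCP entries to the explicit deny, and a packet from another subnet that matched nothing would be dropped by the implicit deny (index None).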
*slides 59 to 63
*IPv6 ACL
*Commands: show access-lists, show ipv6 interface brief

Ch10
