
theknowledgeacademy

CCNA Certification

About Us

The world's largest provider of classroom and online training courses
✓ World Class Training Solutions
✓ Subject Matter Experts
✓ Highest Quality Training Material
✓ Accelerated Learning Techniques
✓ Project, Programme, and Change Management, ITIL® Consultancy
✓ Bespoke Tailor Made Training Solutions
✓ PRINCE2®, MSP®, ITIL®, Soft Skills, and More
Course Syllabus

Module 1: Network Fundamentals
Module 2: Network Access
Module 3: IP Connectivity
Module 4: IP Services
Module 5: Security Fundamentals
Module 6: Automation and Programmability


The 6 Domains of CCNA
• Domain 1: Network Fundamentals
• Domain 2: Network Access
• Domain 3: IP Connectivity
• Domain 4: IP Services
• Domain 5: Security Fundamentals
• Domain 6: Automation and Programmability
Examination Weights
The chart on the original slide shows the published weighting of the six CCNA exam domains:
• Domain 1: Network Fundamentals (20%)
• Domain 2: Network Access (20%)
• Domain 3: IP Connectivity (25%)
• Domain 4: IP Services (10%)
• Domain 5: Security Fundamentals (15%)
• Domain 6: Automation and Programmability (10%)
Domain 1: Network Fundamentals
Outlines of Domain 1
• Module 1: Explain the role and function of network components
• Module 2: Describe characteristics of network topology architectures
• Module 3: Compare physical interface and cabling types
• Module 4: Identify interface and cable issues
• Module 5: Compare TCP to UDP
• Module 6: Configure and verify IPv4 addressing and subnetting
• Module 7: Describe the need for private IPv4 addressing
• Module 8: Configure and verify IPv6 addressing and prefix
• Module 9: Compare IPv6 address types
• Module 10: Verify IP parameters for Client OS (Windows, Mac OS, Linux)
• Module 11: Describe wireless principles
• Module 12: Explain virtualisation fundamentals (virtual machines)
• Module 13: Describe switching concepts
Introduction to Networking
Network

• A network consists of two or more computers that are linked together in order to share resources (such as printers and storage), exchange files, or allow electronic communication
• The computers on a network may be linked through cables, telephone lines, radio waves, satellites, or infrared light beams
Introduction to Networking
Types of Network

Local Area Network (LAN)
• Consists of a computer network at a single site, typically an individual office building
• Very useful for sharing resources, such as data storage and printers

Metropolitan Area Network (MAN)
• Consists of a computer network across an entire city, college campus or small region
• A MAN is often used to connect several LANs together to form a bigger network

Wide Area Network (WAN)
• Occupies a very large area, such as an entire country or the entire world
• A WAN can contain multiple smaller networks, such as LANs or MANs
Introduction to Networking
Networking

• The practice of transferring data between different devices

The following are everyday examples of networking in use:

i. Posting something on Facebook
ii. Searching on Google
iii. Watching a YouTube video
Introduction to Networking
o Network Data: the information that is to be sent across a network, e.g. web browsing, instant messaging, email
o Endpoint Devices: the equipment that needs access to network data, e.g. computers, tablets, phones, printers
o Network Devices: the equipment that transfers the data between endpoints, e.g. firewalls, switches, routers, wireless access points
o Network Protocols: the set of rules that must be followed when endpoints communicate over a network
Module 1: Explain the Role and Function of Network Components
1.1.a Routers
• Routers implement the functions of the Network Layer (Layer 3). The primary function of a router is to forward packets according to its routing table
• Routers also separate broadcast domains, segment traffic, and define the networks (the Layer 3 subnets) that make up an internetwork
• Those networks are defined by the router interfaces (ports) to which IP addresses are assigned
• Those interface IP addresses serve as the default gateway for the PCs and other devices on each network

• Routers are often described as static or dynamic according to how their routing tables are built:
  o Static: an administrator sets up and configures the routing table manually, defining each route
  o Dynamic: the router discovers routes automatically through a routing protocol, so it requires only a minimal amount of configuration
• Routers running a dynamic routing protocol communicate with each other to share information about reachable networks and their directly connected routes
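The forwarding behaviour described above, as an added example that is not part of the original slides: a router holds a table of prefixes and picks the most specific (longest) matching prefix for each destination, falling back to the default route (0.0.0.0/0) and discarding the packet if nothing matches. The routing table, next-hop addresses and interface names below are constructed for illustration; the host-side helper shows the "default gateway" decision a PC makes before the packet ever reaches the router.

```python
"""Longest-prefix-match forwarding against a static routing table.

Added example, not code from the original slides. The routing table,
next hops and interface names below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed table: (destination prefix, next hop or None if directly connected, egress interface)
ROUTES = [
    ("0.0.0.0/0",      "203.0.113.1", "Gi0/0"),   # default route towards the ISP
    ("10.0.0.0/8",     "10.255.0.2",  "Gi0/1"),
    ("10.1.0.0/16",    "10.255.0.6",  "Gi0/2"),
    ("10.1.5.0/24",    None,          "Gi0/3"),   # directly connected subnet
    ("192.168.1.0/24", None,          "Gi0/4"),   # directly connected subnet
]

Route = Tuple[str, Optional[str], str]


class Router:
    """Forwards by the most specific (longest) matching prefix, as a router does."""

    def __init__(self, routes: List[Route]):
        # Sort longest prefix first so the first hit is the most specific route;
        # the /0 default route therefore always comes last.
        self.table = sorted(
            ((ip_network(prefix), nh, ifc) for prefix, nh, ifc in routes),
            key=lambda r: r[0].prefixlen, reverse=True,
        )

    def lookup(self, dst: str) -> Optional[Route]:
        """Return (matched prefix, next hop, interface) for dst, or None to drop."""
        addr = ip_address(dst)
        for net, nh, ifc in self.table:
            if addr in net:
                return str(net), nh, ifc
        return None  # no route and no default route: the packet is discarded


def host_next_hop(host_cidr: str, default_gateway: str, dst: str) -> str:
    """Host-side decision: deliver directly if dst is on the local subnet,
    otherwise hand the packet to the default gateway (the router's address)."""
    local = ip_network(host_cidr, strict=False)
    return dst if ip_address(dst) in local else default_gateway


if __name__ == "__main__":
    r = Router(ROUTES)
    for dst in ("10.1.5.77", "10.1.9.1", "10.200.0.1", "8.8.8.8"):
        print(dst, "->", r.lookup(dst))
    print(host_next_hop("192.168.1.10/24", "192.168.1.1", "10.1.5.77"))
```

Note that 10.1.5.77 matches three entries (/8, /16 and /24) and the /24 wins; a mis-ordered or overly broad static route is a common way to black-hole traffic, so check the most specific match rather than the first configured one.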
1.1.b L2 and L3 Switches
Introduction to L2 Switch

• A Layer 2 (L2) switch is a network switch that operates at the second layer of the OSI model (the data link layer) and uses MAC addresses to determine the port through which each frame is to be transmitted
• It uses hardware-based switching to connect devices and transmit data within a LAN (local area network)
• A Layer 2 switch is also known as a multiport bridge

• The primary responsibility of a Layer 2 switch is to forward frames at the data link layer and to check the frame check sequence (CRC) of every frame it receives and transmits
• A Layer 2 switch relies on the MAC address of each node's NIC to decide where to send data
• Switches learn MAC addresses automatically by reading the source MAC address of each frame received (i.e. by listening to the devices on the network) and recording it, together with the port it arrived on, in a forwarding table (the MAC address table)
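The learning and forwarding behaviour described above, as an added example that is not part of the original slides. The model below learns the source MAC of every frame against its ingress port, floods broadcasts and unknown-destination frames out of every other port, and forwards known unicast frames out of a single port. Frames, port numbers and MAC addresses are constructed; the model ignores the finite table size and entry ageing of real hardware.

```python
"""Minimal model of Layer 2 switch behaviour: MAC learning, forwarding, flooding.

Added example, not code from the original slides. Frames are plain
Python objects and ports are integers; the MAC addresses are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str            # source MAC address, e.g. "aa:aa:aa:aa:aa:01"
    dst: str            # destination MAC address
    payload: bytes = b""


@dataclass
class L2Switch:
    ports: int
    mac_table: Dict[str, int] = field(default_factory=dict)  # MAC -> port it was learned on

    def receive(self, in_port: int, frame: Frame) -> List[int]:
        """Handle a frame arriving on in_port and return the ports it is sent out of."""
        if not 0 <= in_port < self.ports:
            raise ValueError(f"switch has no port {in_port}")
        # 1. Learn: the frame's source MAC is reachable through the ingress port.
        #    A host that moves to another port simply overwrites the old entry.
        self.mac_table[frame.src] = in_port
        # 2. Broadcast or unknown unicast destination: flood out every port except
        #    the one the frame came in on.
        out_port = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or out_port is None:
            return [p for p in range(self.ports) if p != in_port]
        # 3. Destination lives on the ingress port: filter it, nothing to forward.
        if out_port == in_port:
            return []
        # 4. Known unicast: forward only out of the learned port.
        return [out_port]


def demo() -> Dict[str, int]:
    """Run a few frames through a 4-port switch and return the learned MAC table."""
    sw = L2Switch(ports=4)
    h1, h2 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    sw.receive(0, Frame(h1, h2))         # unknown dst: flooded to ports 1, 2, 3; learns h1 on port 0
    sw.receive(1, Frame(h2, h1))         # h1 already known: sent out port 0 only; learns h2 on port 1
    sw.receive(0, Frame(h1, BROADCAST))  # broadcast: flooded to ports 1, 2, 3
    return dict(sw.mac_table)
```

The first frame to an unknown destination is flooded, which is why a freshly booted switch briefly behaves like a hub; once both hosts have spoken, traffic between them is confined to their two ports.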
1.1.b L2 and L3 Switches
Introduction to L3 Switch

• A Layer 3 switch combines the functionality of a switch and a router
• It serves as a switch for connecting devices on the same subnet or VLAN at wire speed, and has IP (Internet Protocol) routing built in so that it can also act as a router
• It can run routing protocols, inspect incoming packets and make routing decisions based on the source and destination addresses

Features of a Layer 3 Switch
• The switching algorithm is simple and is the same for most routed protocols
• Typically comes with many (e.g. 24) Ethernet ports, but no WAN interface
• Acts as a switch to connect devices within the same subnet
• Operates on two OSI layers: Layer 2 and Layer 3
1.1.c Next-Generation Firewalls and IPS
Introduction to Next-Generation Firewalls

• A Next-Generation Firewall (NGFW) is a network security device which provides more capabilities than a conventional, stateful firewall
• A next-generation firewall adds features such as cloud-delivered threat intelligence, application awareness and control, and integrated intrusion prevention, whereas a conventional firewall only provides stateful inspection of incoming and outgoing network traffic

• Some advantages of Next-Generation Firewalls:
  o Application awareness
  o Streamlined infrastructure
  o Multi-functional
  o Network speed
  o Threat protection
1.1.c Next-Generation Firewalls and IPS
Introduction to IPS

• An IPS (Intrusion Prevention System) is a network security control which works to detect and prevent identified threats
• Intrusion prevention systems monitor the network continuously, looking for possible malicious activity and gathering data about it
• The IPS reports these activities to system administrators and takes preventive action, such as dropping the offending traffic, closing access points and reconfiguring firewalls, to stop the attack and prevent it recurring

How Do Intrusion Prevention Systems Work?
• Intrusion Prevention Systems (IPS) work by scanning all network traffic that passes through them
• Threats that an IPS is designed to prevent include:
  o Denial of Service (DoS) attacks
  o Distributed Denial of Service (DDoS) attacks
  o Worms
  o Viruses
  o Various types of exploits

Types of Prevention
• An IPS is typically configured to use several different detection methods to secure the network from unauthorised users. These include:
  o Signature-based
  o Anomaly-based
  o Policy-based
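The three detection methods listed above, as an added example that is not part of the original slides. The block runs a signature check, an anomaly check and a policy check over a handful of constructed flow records; the signature patterns, the "normal" baseline, the permitted ports and the management range are all made up for the illustration, and a real IPS inspects packets and reassembled streams rather than summaries like these.

```python
"""The three IPS detection methods, applied to constructed flow records.

Added example, not code from the original slides. The flow records, the
signature list, the anomaly baseline and the policy below are all made up
for illustration; a real IPS inspects packets and streams, not summaries.
"""
import re
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, str]   # (source IP, destination IP, destination port, payload snippet)

# Constructed traffic: one normal web request, one SQL-injection attempt, one RDP
# connection to a web server, and one external host probing SSH on four servers.
FLOWS: List[Flow] = [
    ("10.1.1.5",    "10.1.2.10", 80,   "GET /index.html HTTP/1.1"),
    ("10.1.1.5",    "10.1.2.10", 80,   "GET /login.php?user=' OR '1'='1 HTTP/1.1"),
    ("10.1.1.9",    "10.1.2.10", 3389, ""),
    ("203.0.113.7", "10.1.2.10", 22,   ""),
    ("203.0.113.7", "10.1.2.11", 22,   ""),
    ("203.0.113.7", "10.1.2.12", 22,   ""),
    ("203.0.113.7", "10.1.2.13", 22,   ""),
]

# 1. Signature-based: match known-bad patterns in the payload.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./\.\./"),
}

# 2. Anomaly-based: compare behaviour with a baseline of 'normal'. Constructed
#    baseline: a normal client contacts at most two servers on any one port.
BASELINE_MAX_DSTS_PER_SRC_PORT = 2

# 3. Policy-based: enforce what the organisation permits, regardless of content.
POLICY_ALLOWED_PORTS = {80, 443, 22}
POLICY_MGMT_PREFIX = "10.1.1."   # constructed management range allowed to use SSH


def signature_alerts(flows: List[Flow]) -> List[Tuple[str, str]]:
    return [(src, name) for src, _dst, _port, payload in flows
            for name, rx in SIGNATURES.items() if rx.search(payload)]


def anomaly_alerts(flows: List[Flow]) -> List[Tuple[str, str]]:
    dsts: Dict[Tuple[str, int], set] = {}
    for src, dst, port, _payload in flows:
        dsts.setdefault((src, port), set()).add(dst)
    return [(src, f"horizontal scan: tcp/{port} to {len(d)} hosts")
            for (src, port), d in dsts.items() if len(d) > BASELINE_MAX_DSTS_PER_SRC_PORT]


def policy_alerts(flows: List[Flow]) -> List[Tuple[str, str]]:
    alerts = []
    for src, _dst, port, _payload in flows:
        if port not in POLICY_ALLOWED_PORTS:
            alerts.append((src, f"port {port} not permitted by policy"))
        elif port == 22 and not src.startswith(POLICY_MGMT_PREFIX):
            alerts.append((src, "ssh from outside the management range"))
    return alerts


def run_ips(flows: List[Flow]) -> Dict[str, List[Tuple[str, str]]]:
    """Report what each method would raise to the administrators."""
    return {"signature": signature_alerts(flows),
            "anomaly": anomaly_alerts(flows),
            "policy": policy_alerts(flows)}
```

Each method catches something the other two miss: only the signature sees the injection attempt (which is why signature sets must be kept current), only the anomaly check sees the SSH sweep (which is why the baseline has to be tuned to the environment), and only the policy check flags the RDP session, which carries nothing malicious but is simply not allowed.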
1.1.d Access Points
Introduction

• A wireless AP (Access Point) is a device which allows wireless devices to connect to a wired network through Wi-Fi
• The access point usually connects to a router as a separate device via the wired network, but it can also be an integral part of the router itself
• Usually, a wireless access point connects directly to a wired Ethernet connection and then provides wireless connections to other devices via radio frequency links
• An access point permits communication between the various wireless devices associated with it
• Just as a switch or hub connects multiple devices in one or more wired LANs, an access point connects multiple wireless devices in one or more wireless networks
• You can also use an access point to extend the wired network to wireless devices
• Access points are categorised into three types based on their functionality:
  1. Standalone access point
  2. Multifunction access point
  3. Controlled access point
1.1.e Controllers (Cisco DNA Center and WLC)
Introduction to Cisco DNA Center

• Cisco DNA Center is the foundational controller and analytics platform at the core of Cisco's intent-based networking
• Cisco DNA Center provides intuitive, centralised management which makes it fast and easy to design, provision and apply policies across your network environment
• The Cisco DNA Center UI provides end-to-end visibility of the network and uses network insights to optimise network performance and deliver the best user and application experience

Introduction to WLC

• A WLC (Wireless LAN Controller) is the central element of a controller-based wireless architecture designed to meet changing network requirements
• The wireless access points are controlled and configured centrally by the WLAN controller, and through them wireless devices connect to the network
• What an amplifier does for your home stereo is similar to what a wireless access point does for your network: the bandwidth coming from the router is taken and extended by the access points so that several devices can join the network from farther away, and the WLC manages those access points as a group
1.1.f Endpoints
• An endpoint device is a hardware device that communicates across a network, connected to a LAN or WAN
• It can refer to any network-connected device such as laptops, desktop computers, smartphones, printers, tablets, or other specialised hardware like retail kiosks or POS terminals, which act as the endpoints for users in a distributed network
• One of the biggest challenges with endpoint devices is that they require robust security for an enterprise system or network
• Security managers should determine whether individual endpoint devices could be security gaps for the network, i.e. whether unauthorised users can access an endpoint device and use it to extract sensitive or critical data
1.1.g Servers
Introduction

• A server is a machine designed to process requests and deliver data to other computers over the local network or the Internet
• A server acts as the central repository of data and of the programs shared by the different users of a network
• There are different types of servers, including local ones such as file servers that store data within an intranet

Module 2: Describe Characteristics of Network Topology Architectures
1.2 2-Tier/Collapsed Core
A typical campus network consists of 3 tiers:

1) Core: the Layer 3 routing backbone (in a collapsed-core design it also hosts the default gateways)
2) Distribution: generally all fibre connections; aggregates the access-layer uplinks (the switch-to-switch links) and is typically the Layer 2/Layer 3 boundary
3) Access: generally all copper connections, where endpoints connect to the network

1.2.a 2-Tier
• In a 2-tier design, the core and distribution functionality is combined into one tier (the "collapsed core"); together with the access layer this gives a 2-tier architecture
• This architecture is generally used in smaller networks

[Diagram: Core/Distribution layer above an Access layer]

1.2.b 3-Tier
• A 3-tier design separates the core and distribution functionality onto dedicated devices
• This architecture is generally used in larger networks

[Diagram: Core, Distribution and Access layers]
1.2.c Spine-Leaf
Introduction

• Spine-and-leaf architectures were introduced for data centre solutions such as Cisco FabricPath and Cisco ACI
• Usually Nexus switches are used in this architecture
• The main point of this architecture is that there are no Layer 2 loops: every leaf connects to every spine, so each destination is reachable within a maximum of two routed hops (leaf to spine to leaf)

[Diagram: a row of spine switches, each connected to every leaf switch below]
1.2.d WAN
Introduction

• A WAN (Wide Area Network) can be defined as a data communication network which operates beyond the geographic scope of a LAN
• Wide area networks use transmission facilities provided by common carriers such as telephone companies
• WAN technologies usually function at the lower three layers of the OSI reference model: the physical layer, the data link layer and the network layer
Understanding WAN Technologies
WAN technologies include the following:

1. Circuit switching

• A circuit-switched network builds a dedicated channel between the terminals and nodes before the users communicate
• It dynamically builds a connection for data or voice between the sender and the receiver
• The connection must be established through the service provider network before the communication begins

[Diagram: Circuit Switching]

2. Packet switching

• A packet-switched network (PSN) divides the data into packets that are routed over a shared network
• These networks do not need a circuit to be established, and they permit several pairs of nodes to communicate over the same channel
• The switches in a packet-switched network determine the link each packet must be sent over based on the addressing information in every packet

[Diagram: Packet Switching. Labelled data is passed from switch to switch; it may have to wait its turn on a link]
1.2.e Small Office/Home Office (SOHO)
• The Small Office/Home Office (SOHO) LAN is usually used at home for Internet connectivity and possibly to share some files between computers
• In its simplest form, it is only a switch and two computers:

    H1 ---- Gi0/1 [ SW1 ] Gi0/2 ---- H2

• It allows the two computers to communicate with each other, perhaps to share a few files or play a multiplayer game
• A third computer (H3) is added the same way, on another switch port (Gi0/3)
• Wireless networking is also based on standards published by the IEEE (Institute of Electrical and Electronics Engineers); wireless standards generally start with 802.11
• For wireless connectivity, we add an access point to the network; it enables the wired and wireless devices to communicate with each other
• But to leave the LAN and communicate with the outside world, we need a router (R1), whose Gi0/0 interface connects to the Internet:

    H1 ---- Gi0/1 [ SW1 ] ---- [ R1 ] Gi0/0 ---- Internet
    H2 ---- Gi0/2   |
    H3 ---- Gi0/3   |
    AP  ------------+
1.2.f On-Premises and Cloud
Introduction to On-Premises

• On-premises software is installed on a company's own servers, behind its own firewall; it has been the traditional way software is delivered to organisations and may continue to serve your business requirements adequately
• An enterprise must buy a licence to use on-premises software
• Because the software is licensed and the whole instance runs within the organisation's premises, the organisation retains direct control over it and its data, which is usually regarded as greater protection than a cloud computing infrastructure offers

Introduction to Cloud

• Cloud computing differs from on-premises software: in an on-premises environment a company hosts everything in-house, while in a cloud environment a third-party provider hosts all of that for you
• It allows companies to pay on an as-needed basis and quickly scale up or down depending on overall usage, user requirements and the growth of the company

Module 3: Compare Physical Interface and Cabling Types
1.3.a Single-mode Fiber, Multimode Fiber, Copper
Single-mode fiber

• Single-mode fiber is the type of fiber-optic cable that allows only one mode of light to propagate through the fiber
• It is capable of higher bandwidth and greater distances than multimode cable
• This type of cable uses lasers as the light source and is more costly than multimode cable
• 37+ miles (60+ km) is the maximum length of a single-mode cable run

Multimode fiber

• Multimode fiber allows multiple modes of light to propagate through the fiber
• Using light-emitting diodes (LEDs) as the light source, multimode cable is often used for workgroup applications
• 1.2 miles (2 km) is the maximum cable length of multimode cable

Copper Cable

• Copper cable passes data between network devices using electrical signals
• Coaxial cable, shielded twisted pair and unshielded twisted pair are the three types of copper cable

Coaxial cable: the signal attenuates over long distances
Shielded twisted pair (STP): uses shielding around the twisted wires to reduce susceptibility to interference
Unshielded twisted pair (UTP): made by twisting the copper wires around each other, which reduces interference and crosstalk

Comparison

Single-mode fiber: used for long distances
• 1 Gig to 100 Gig
• Switch to switch
• Building to building
• City to city

Multimode fiber: used for shorter distances
• 1 Gig to 100 Gig
• Switch to switch
• Closet to closet
• Floor to floor

Copper cabling: used for shorter distances
• 10 Meg to 1 Gig
• Endpoint to switch
• Server to switch
1.3.b Connections (Ethernet Shared Media)
• In the early days, Ethernet used shared-media connections, which meant that all endpoints connected to the network shared the same collision domain, which is not a good thing
• In such a situation, frames can collide and degrade performance
• Hence, more (and smaller) collision domains are better
• Nowadays, endpoints are generally connected to switch interfaces, and each switch port is its own collision domain

[Diagram: Shared Ethernet has a single collision domain; Switched Ethernet has one collision domain per port]

1.3.b Connections (Point-to-Point)
• Point-to-point connections are those where only two devices are connected, logically or physically; point-to-multipoint connections join one device to several

[Diagram: Point-to-Point versus Point-to-Multipoint]
1.3.c Concepts of PoE
PoE (Power over Ethernet) Basics

• With PoE, one device, usually a LAN switch, acts as the PSE (Power Sourcing Equipment): the device that supplies DC (direct current) power over the Ethernet UTP (unshielded twisted pair) cable to the PDs (Powered Devices), as shown in the figure

[Diagram: Powered Devices (PDs) connected by Ethernet cables (carrying DC power) to the Power Sourcing Equipment (PSE), whose power supply is fed by an AC power cable from an AC power outlet]

PoE Operation

• PoE, standardised by the IEEE (Institute of Electrical and Electronics Engineers), extends the IEEE auto-negotiation mechanisms. These mechanisms must work before the PD (Powered Device) initialises, because the PD needs power before it can boot
• By using IEEE auto-negotiation messages and watching the return signal levels, PoE can determine whether the device at the end of the cable needs power (i.e. that it is a PD) and how much power to supply

Module 4: Identify Interface and Cable Issues
1.4 Identify Interface and Cable Issues
Collisions

• A collision occurs when two stations on a shared Ethernet medium transmit at the same time; Ethernet's access-control mechanism allocates the shared bandwidth among stations that want to transmit on the shared medium
• Because the medium is shared, there has to be a mechanism by which two stations detect that they have transmitted simultaneously. This mechanism is collision detection
• Ethernet uses CSMA/CD (Carrier Sense Multiple Access/Collision Detect) as its access and collision detection method

Errors

• "Packets input" gives the total number of error-free packets that the interface has received
• "Bytes input" gives the total number of bytes in those error-free packets, including data and MAC encapsulation
• "Input errors" includes the giants, runts, CRC (cyclic redundancy check), frame, overrun, no buffer and ignored counts

Duplex and Speed

• Duplex and speed should match on both ends, or else you will have problems
• Traffic can still pass with inconsistent duplex and speed, but you will experience retransmissions and decreased throughput
• Duplex is subordinate to speed in that duplex cannot be set manually if speed is set to auto
• When the duplex and speed settings on the two devices are hardcoded but do not match, you will typically see Cyclic Redundancy Check (CRC) errors and runts on the full-duplex side and late collisions on the half-duplex side
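The error counters and duplex symptoms described above, as an added example that is not part of the original slides: a parser for the counter block of Cisco IOS `show interfaces`, followed by the rules of thumb from the slides applied to each interface. SAMPLE is constructed IOS-style output (two interfaces, one healthy and one with a duplex mismatch); the 0.1% error-rate threshold is an illustrative choice, not an IOS setting.

```python
"""Parse Cisco IOS 'show interfaces' output and flag interface/cable problems.

Added example, not code from the original slides. SAMPLE is constructed,
IOS-style output for two interfaces; the diagnostic rules are illustrative.
"""
import re
from typing import Dict, List

SAMPLE = """\
GigabitEthernet0/1 is up, line protocol is up (connected)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
     1204431 packets input, 903112233 bytes, 0 no buffer
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     987654 packets output, 122334455 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 late collision, 0 deferred
FastEthernet0/2 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     88211 packets input, 60122334 bytes, 0 no buffer
     312 runts, 0 giants, 0 throttles
     1580 input errors, 1268 CRC, 0 frame, 0 overrun, 0 ignored
     73105 packets output, 51234567 bytes, 0 underruns
     0 output errors, 942 collisions, 2 interface resets
     517 late collision, 0 deferred
"""

HEADER = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)")
DUPLEX = re.compile(r"^\s*(Full|Half|Auto)-duplex, (\S+)")
COUNTER = re.compile(r"(\d+) ([A-Za-z][A-Za-z ]*?)(?:,|$)")   # "1268 CRC," -> ("1268", "CRC")


def parse_show_interfaces(text: str) -> Dict[str, dict]:
    """Return {interface name: {"status", "protocol", "duplex", "speed", "counters"}}."""
    interfaces: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = interfaces.setdefault(
                m.group(1), {"status": m.group(2), "protocol": m.group(3),
                             "duplex": None, "speed": None, "counters": {}})
            continue
        if current is None:
            continue
        m = DUPLEX.match(line)
        if m:
            current["duplex"], current["speed"] = m.group(1), m.group(2).rstrip(",")
            continue
        for value, name in COUNTER.findall(line):
            name = name.strip()
            if name == "bytes":   # appears on both the input and the output line
                name = "bytes input" if "packets input" in line else "bytes output"
            current["counters"][name] = int(value)
    return interfaces


def diagnose(iface: dict) -> List[str]:
    """Apply the rules of thumb from the slides to one parsed interface."""
    c = iface["counters"]
    issues = []
    if c.get("CRC", 0) or c.get("runts", 0):
        issues.append("CRC errors/runts: consistent with a duplex mismatch or bad cabling")
    if c.get("late collision", 0):
        issues.append("late collisions: typical of this side being half-duplex while the far end is full-duplex")
    if iface["duplex"] == "Half" and c.get("collisions", 0):
        issues.append("half-duplex with collisions: verify speed/duplex match on both ends")
    if c.get("giants", 0):
        issues.append("giants: frames larger than the MTU, check the far-end MTU/NIC")
    rx = c.get("packets input", 0) + c.get("input errors", 0)
    if rx and c.get("input errors", 0) / rx > 0.001:
        issues.append(f"input error rate {c['input errors'] / rx:.2%} exceeds 0.1%")
    return issues


def report(text: str = SAMPLE) -> Dict[str, List[str]]:
    return {name: diagnose(data) for name, data in parse_show_interfaces(text).items()}
```

Run `report()` on the constructed output and GigabitEthernet0/1 comes back clean while FastEthernet0/2 raises four findings. On real equipment, clear the counters (`clear counters`) before sampling so that old errors from a long-since-replaced cable do not masquerade as a live fault.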
Module 5: Compare TCP to UDP
Transmission Control Protocol
• Based on the requirements of the application, every TCP/IP application chooses to use either TCP or UDP
• As an example, TCP offers error recovery, but it consumes more bandwidth as well as processing cycles in order to do so
• The fields in the TCP header are shown in the figure (not reproduced here)
• The message created by TCP, beginning with a TCP header and followed by application data, is known as a TCP segment

User Datagram Protocol
• UDP offers applications a service to exchange messages
• UDP is a connectionless protocol and it does not provide reliability, windowing, reordering of received data, or segmentation of large chunks of data into the right size for transmission
• UDP offers some of the functions of TCP, such as multiplexing using port numbers and data transfer, and does so with fewer bytes of overhead and less processing than TCP
• UDP header (figure not reproduced here)

1.5 TCP vs. UDP
• The basic difference between TCP and UDP is that TCP offers an extensive variety of services to applications, whereas UDP does not provide these services
• As an example, routers discard packets for a variety of reasons, such as congestion, bit errors and cases in which the correct route is not known
• Most data link protocols notice errors through an error detection process and then discard the frames that have errors
• TCP offers error recovery (retransmission) and helps avoid congestion (flow control); UDP does not
• As a result, many applications prefer to use TC P

• However, the lack of these services does not make UDP worse than TCP
• Compared to TCP, UDP requires fewer bytes in its header, which results in fewer bytes of overhead on the network
• UDP does not slow down the transfer of data, whereas TCP slows down on purpose when it detects congestion
• Some applications, such as Voice over IP or Video over IP, do not require error recovery and hence use UDP
• Hence UDP also has a vital place in today's TCP/IP model
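The TCP and UDP headers compared above, as an added example that is not part of the original slides: two small parsers that decode the header fields from raw bytes, so the difference in overhead (a minimum of 20 bytes for TCP, always 8 for UDP) and the extra TCP fields (sequence and acknowledgement numbers, flags, window) are visible. TCP_SYN and UDP_DNS are header byte strings constructed by hand for the illustration; the port numbers are arbitrary.

```python
"""Decode TCP and UDP headers from raw bytes to compare the two transports.

Added example, not code from the original slides. TCP_SYN and UDP_DNS are
header byte strings constructed by hand; the port numbers are arbitrary.
"""
import struct
from typing import Dict

# TCP flag names for bits 7..0 of the low byte of the offset/flags field
# (the NS bit in bit 8 is ignored here).
TCP_FLAG_NAMES = ["CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]


def parse_tcp(segment: bytes) -> Dict:
    """Parse the TCP header: 20 fixed bytes plus options up to the data offset."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (sport, dport, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4          # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("TCP data offset is inconsistent with segment length")
    flags = off_flags & 0x00FF
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << (7 - i))],
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": segment[20:header_len], "payload": segment[header_len:],
    }


def parse_udp(datagram: bytes) -> Dict:
    """Parse the fixed 8-byte UDP header; 'length' covers header plus payload."""
    if len(datagram) < 8:
        raise ValueError("UDP header needs 8 bytes")
    sport, dport, length, checksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("UDP length field is inconsistent with datagram length")
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": checksum, "header_len": 8, "payload": datagram[8:length]}


# Constructed TCP SYN: ports 51000 -> 443, seq 1000, ack 0, data offset 6 words
# (24 bytes), SYN flag, window 65535, plus a 4-byte MSS option (kind 2, len 4, 1460).
TCP_SYN = struct.pack("!HHIIHHHH", 51000, 443, 1000, 0,
                      (6 << 12) | 0x0002, 65535, 0, 0) + b"\x02\x04\x05\xb4"

# Constructed UDP datagram: ports 53000 -> 53, length 8 + 12, checksum 0
# (0 means 'not computed' over IPv4), followed by a 12-byte DNS-header-sized payload.
UDP_DNS = struct.pack("!HHHH", 53000, 53, 8 + 12, 0) + bytes(12)


def header_overhead(parsed: Dict) -> int:
    """Bytes of transport header carried per message, the cost the slides mention."""
    return parsed["header_len"]
```

Both parsers reject a header whose declared length exceeds the bytes actually present; that check is what separates a safe decoder from one that can be pushed into reading past its buffer by a crafted length field.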
Module 6: Configure and Verify IPv4 Addressing and Subnetting
1.6 IPv4 Addressing
Classful Addressing

• The combination of an IP address and a subnet mask defines a network ID and a host ID
• These parameters permit an internetwork to be segmented into logically separate IP networks, and every network to be split into subnets
• "Addressing schemes" explains various methods of configuring IP addressing to suit different sizes and types of network

• Classful addressing allocates a network ID based on the first octet of the IP address
• The classful addressing scheme was used before subnet masks were introduced to identify the network ID portion of an address

o Class A, Class B, and Class C Addresses

• Under classful addressing, network IDs are classified into three classes describing different sizes of IP network
IPv4 Addressing
(Continued)

Class   First octet bits   Network ID / Host ID   Number of networks   Hosts per network   First octet range
A       0???????           8 bits / 24 bits       126                  16,777,214          1-126
B       10??????           16 bits / 16 bits      16,384               65,534              128-191
C       110?????           24 bits / 8 bits       2,097,152            254                 192-223

Choosing an address class

o Class A, Class B, and Class C Addresses (Cont.)

• Class A network addresses support vast numbers of hosts, over 16 million. However, there are only 126 of them
• There are 16,384 Class B networks, each comprising up to 65,534 hosts
• Class C networks support only 254 hosts each, but there are over 2 million of them
• When examining classful addressing, it is essential to be able to recognise the address class from the first octet of the IP address
IPv4 Addressing
(Continued)

• The following table shows how to identify an address class from the first octet of the IP address in decimal:

First Octet   Class
1-126         Class A
128-191       Class B
192-223       Class C

o Class D and Class E Addresses

There are two additional classes of IP address (D and E) that use the remaining numbers:

• Class D addresses (224.0.0.0 through 239.255.255.255) are used for multicasting
• Class E addresses (240.0.0.0 through 255.255.255.255) are reserved for experimental use and testing
IPv4 Addressing
Public versus Private Addressing

• A public IP network is one that can establish a connection with other public IP networks and hosts over the Internet
• IANA governs the allocation of public IP addresses; regional registries and Internet Service Providers (ISPs) administer them
• Hosts communicating with one another over a LAN can use a public addressing scheme, but will more typically use private addressing

1.7 Describe the Need for Private IPv4 Addressing
• Private IP addresses are drawn from one of the following pools of addresses, which are not routable over the Internet:

➢ 10.0.0.0 to 10.255.255.255 (Class A private address range)
➢ 172.16.0.0 to 172.31.255.255 (Class B private address range)
➢ 192.168.0.0 to 192.168.255.255 (Class C private address range)

• Any organisation can use private addresses on its networks without applying to an ISP, and multiple organisations can use these ranges simultaneously

Internet access can be provided to hosts using a private addressing scheme in two ways:

• Through a router configured with a single valid public IP address or a block of them, which translates the private addresses (NAT)
• Through a proxy server that makes requests for Internet resources on behalf of the clients
IPv4 Addressing
Subnetting and Classless Addressing

• A public IP network address can represent an organisation on the Internet, but most companies need to subdivide their private networks into different logical groups
• These groups are known as subnets or subnetworks

o Subnet Design

Organisations divide large networks into logically distinct subnets for these reasons:

➢ It is impractical to have very large numbers of hosts on the same IP network
➢ A single IP network is a single broadcast domain; excessive broadcast traffic is generated when there are many hosts on the same network
➢ Large networks use VLANs to isolate broadcast domains and create subnets that map to each VLAN
➢ Networks that use different data link and physical technologies, such as Ethernet and Token Ring, should be separated logically as different subnets
➢ Many organisations have more than one site, with WAN links between them; each WAN link forms a separate subnet
➢ It is beneficial to divide a network into logically distinct zones for administrative and security control

o Subnet Mask Format

• While IPv4 was initially based on a classful address scheme, subnetting replaced the idea of recognising the network portion of an IP address by its class with the idea of using a subnet mask
IPv4 Addressing
(Continued)

• The subnet mask length defines the length of the network portion of the IP address
• As the 1s in a mask are always contiguous, every octet of a subnet mask, in decimal, will always be one of the following:

Number of mask bits   Decimal equivalent
0 (00000000)          0
1 (10000000)          128
2 (11000000)          192
3 (11100000)          224
4 (11110000)          240
5 (11111000)          248
6 (11111100)          252
7 (11111110)          254
8 (11111111)          255
IPv4 Addressing
o Default Subnet Masks and Subnet IDs

The default subnet masks correspond to the three classes of unicast IP address (A, B and C). The default masks cover whole octets:

• Class A: 255.0.0.0
• Class B: 255.255.0.0
• Class C: 255.255.255.0

• These default masks can be changed to permit a single network to be divided into several subnets
• To do this, additional bits of the IP address are allocated to the network address rather than to the host ID

Internetwork addressing (Class B address):
  Network ID (16 bits) | Host ID (16 bits)

Subnet addressing:
  Network ID (16 bits) | Subnet ID (4 bits) | Host ID (12 bits)

• The whole network is still referred to by the network ID and the default mask: 172.1.0.0 / 255.255.0.0
• However, routers within the network add bits to the mask to differentiate the subnets
IPv4 Addressing
o Classless Addressing

• With a classless addressing scheme, the concept of default masks and address classes is
abandoned in favour of representing the address with an adequately sized network
prefix

• The idea of aligning netmask along a particular octet boundary is wholly discarded

• For example, when expressed in binary, the subnet mask 255.255.240.0 includes 20 ones
followed by 12 zeroes. Therefore, the network prefix, displayed in slash notation, is
172.1.0.0/20

IPv4 Addressing
(Continued)

• Routers have performed classless routing for a long time, but class terminology is still widely used

• Under classless addressing, the old classes are usually used as names for the netmasks
that align to whole octet boundaries; a Class A network is /8, a Class B network is /16,
and a Class C network is /24

IPv4 Addressing
Planning an IPv4 Addressing Scheme

A network designer needs to plan the IP addressing scheme carefully. Before selecting a scheme, consider the following factors:

• Whether you require a public or private addressing scheme

• How many IP networks and subnetworks are required

• How many hosts per subnet

IPv4 Addressing
(Continued)

The following are some additional constraints to consider while planning an addressing
scheme:

• The network ID must be from a valid public or a private range

• The network and host IDs cannot be all 1s in binary – this is reserved for broadcasts

• The network and host ID cannot be all zeroes in binary; 0 means "This Network"

IPv4 Addressing
(Continued)

• The host ID must be unique on the IP network or subnet

• The network ID must be unique on the Internet

While performing subnet calculations, it helps to remember that each power of two is double the previous one:

2^2   2^3   2^4   2^5   2^6   2^7   2^8
4     8     16    32    64    128   256

IPv4 Addressing
Public Internet Addressing

When an organisation needs to connect to the Internet, it must apply for a range of public IP
addresses through its ISP

o Classful Addressing

• In the classful addressing system, an organisation was allocated a network address from a suitable class (A, B, or C)

• With the introduction of subnetting, some octets were fixed depending on the class of the address, but the remaining portion could use any valid addressing scheme

IPv4 Addressing
(Continued)

• For example, an organisation might be allocated the network address 128.248.0.0 and could then assign the third and fourth octets as required

• Under this classful system, almost all the Class B addresses became allocated

• This deficiency of network addresses prompted the development of IPv6, which utilises a
much larger address space

IPv4 Addressing
(Continued)

• However, IPv6 deployment has been very slow, so a series of stopgap measures have been introduced over the years

• Subnetting and private address ranges hide the complexity of private local networks from the wider Internet

• Another important measure was the introduction of Classless Interdomain Routing (CIDR), or supernetting

IPv4 Addressing
o Classless Interdomain Routing (CIDR)

• Classless addressing was created to solve two main difficulties of the classful scheme as more and more networks joined the Internet

• The first was that network addresses (especially Class B addresses) were becoming scarce; the second was the near-exponential growth of Internet routing tables

• Essentially, CIDR allows bits that classful rules assign to the network ID to be reused as host bits (supernetting), in the same way that subnetting reuses host bits as subnet bits

IPv4 Addressing
(Continued)

/24    Network ID (24-bit)                 Host ID (8-bit)
/24    Network ID (24-bit)                 Host ID (8-bit)
/24    Network ID (24-bit)                 Host ID (8-bit)

/21    External Network address (21-bit)   Internal Network Addresses and Host IDs (11-bit)

IPv4 Addressing
(Continued)

• For example, instead of allocating a Class B (or /16) network address to a company, several contiguous Class C (or /24) addresses could be assigned

• Eight /24 networks give 8 x 254 = 2032 host addresses, but without aggregation they require eight separate routing table entries to represent eight IP networks at the same location

• CIDR is utilised to collapse these routing entries into a single entry

IPv4 Addressing
(Continued)

• If the network addresses assigned to a company were 192.32.168.0 through 192.32.175.0, they can be viewed as one network by considering only the first 21 bits of the address:

192.32.168.0 11000000.00100000.10101 000.00000000


192.32.169.0 11000000.00100000.10101 001.00000000
192.32.170.0 11000000.00100000.10101 010.00000000
192.32.171.0 11000000.00100000.10101 011.00000000
192.32.172.0 11000000.00100000.10101 100.00000000
192.32.173.0 11000000.00100000.10101 101.00000000
192.32.174.0 11000000.00100000.10101 110.00000000
192.32.175.0 11000000.00100000.10101 111.00000000

IPv4 Addressing
(Continued)

• The network address can also be shown in classless notation as 192.32.168.0/21, which means that the network prefix is 21 bits long

• As with subnetting, the destination address is ANDed with the mask to decide whether to route

• If the ANDed result is the same network ID as that of the local network, the destination is on the same network

IPv4 Addressing
(Continued)

• In the following table, the first two IP addresses belong to the same network (the second
is the broadcast address for the network) but the third is in a different one:

Mask  255.255.248.0      11111111.11111111.11111000.00000000

IP    192.32.168.1       11000000.00100000.10101000.00000001
IP    192.32.175.255     11000000.00100000.10101111.11111111
IP    192.32.176.1       11000000.00100000.10110000.00000001
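The mask and ANDing rules above, worked in code. This is an added example and not part of the original slides; the function names are mine. It rebuilds the per-octet mask table, rejects a non-contiguous mask, ANDs an address with its mask to get the network ID, applies the all-zeros/all-ones host-ID restriction, and aggregates the eight /24s of the example into 192.32.168.0/21 by shrinking the prefix until both ends of the range share one network ID:

```python
# Added example (not from the original slides): subnet-mask and CIDR
# arithmetic on 32-bit integers, so the rules in the text (contiguous 1s,
# ANDing, host-ID restrictions, supernetting) can be checked by hand.

def ip_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask_int(prefix: int) -> int:
    """/prefix as a 32-bit integer: `prefix` ones followed by zeros."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def mask_octet(bits: int) -> int:
    """Decimal value of a mask octet with `bits` leading ones (the table above)."""
    return (0xFF << (8 - bits)) & 0xFF

def mask_to_prefix(mask: str) -> int:
    """Prefix length of a dotted-decimal mask; rejects non-contiguous masks
    such as 255.0.255.0, which the text says can never occur."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if prefix_to_mask_int(prefix) != m:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix

def network_of(addr: str, prefix: int) -> str:
    """The network ID: address AND mask."""
    return int_to_ip(ip_to_int(addr) & prefix_to_mask_int(prefix))

def same_network(a: str, b: str, prefix: int) -> bool:
    return network_of(a, prefix) == network_of(b, prefix)

def is_usable_host(addr: str, prefix: int) -> bool:
    """Host bits must not be all zeros (the network ID) or all ones (broadcast)."""
    host_bits = 32 - prefix
    if host_bits < 2:            # /31 and /32 have no conventional host range
        return False
    host = ip_to_int(addr) & ((1 << host_bits) - 1)
    return host not in (0, (1 << host_bits) - 1)

def supernet(first_net: str, last_net: str) -> str:
    """Shortest single prefix covering the /24s first_net..last_net, found by
    shrinking the prefix until both ends share the same network ID."""
    lo = ip_to_int(first_net)
    hi = ip_to_int(last_net) | 0xFF          # broadcast address of the last /24
    prefix = 32
    while prefix > 0 and (lo & prefix_to_mask_int(prefix)) != (hi & prefix_to_mask_int(prefix)):
        prefix -= 1
    return f"{int_to_ip(lo & prefix_to_mask_int(prefix))}/{prefix}"
```

supernet() returns the smallest prefix that covers both endpoints; if the range is not aligned on a power-of-two boundary the result is wider than the range, which is exactly the trap a designer hits when the eight /24s do not start on a multiple of eight.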

IPv4 Addressing
Variable Length Subnet Masks (VLSM)

• As the IPv4 address space becomes steadily more utilised, there is a need to use more
efficient methods of allocating IP addresses

• VLSM enables a network designer to allocate IP addresses ranges to subnets that match
the predicted requirement for numbers of subnets and hosts per subnet more closely

• Without VLSM, the designer has to allocate subnetted address ranges of the same size, all using the same subnet mask, within a single class-based network

IPv4 Addressing
(Continued)

• This means that there is a need to install additional routing interfaces to connect various
smaller subnets within a department

• VLSM enables different length subnet masks to be used within the same IP network,
permitting more flexibility in the design process

• VLSM has some similarities to CIDR

IPv4 Addressing
o Planning a VLSM Addressing Scheme

• Consider a company that is part of a multinational organisation with several hundred subnetworks worldwide

• This scenario has six main offices, each with different network sizes and IP address requirements

• There are also two subnets connecting the regional routers to the headquarters router, which provides access to the Internet

IPv4 Addressing
(Continued)

• VLSM design starts by identifying the largest subnets and allocating them first, working in descending order of size

• Even though VLSM enables more precise allocation of address space, the design should still allow for growth, leaving spare addresses in every subnet for additional hosts

• The requirements of each subnet are listed in the table on the next slide, along with the number of IP addresses the VLSM design actually provides

IPv4 Addressing
(Continued)

Office / Subnet            Required Number of IP Addresses    Actual Number of IP Addresses

Regional Office South 2060 4094

Regional Office North 1200 2046

Branch Office A 420 510

Branch Office D 300 510

IPv4 Addressing
(Continued)

Office / Subnet            Required Number of IP Addresses    Actual Number of IP Addresses

Branch Office B 180 254

Branch Office C 70 126

Router Subnet North 2 2

Router Subnet South 2 2

IPv4 Addressing
(Continued)

• The actual IP address ranges generated by the VLSM design are:

Office Subnet Useable Subnet Address Range

Regional Office South    172.16.0.0/20     172.16.0.1 - 172.16.15.254

Regional Office North    172.16.16.0/21    172.16.16.1 - 172.16.23.254

Branch Office A 172.16.24.0/23 172.16.24.1 - 172.16.25.254

Branch Office D 172.16.26.0/23 172.16.26.1 - 172.16.27.254

IPv4 Addressing
(Continued)

Office Subnet Useable Subnet Address Range

Branch Office B 172.16.28.0/24 172.16.28.1 - 172.16.28.254

Branch Office C 172.16.29.0/25 172.16.29.1 - 172.16.29.126

Router Subnet North 172.16.29.128/30 172.16.29.129 - 172.16.29.130

Router Subnet South 172.16.29.132/30 172.16.29.133 - 172.16.29.134
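The VLSM procedure described over the last few slides (largest requirement first, each subnet taken from the lowest free block that fits) as a small allocator. This is an added example, not part of the original slides; the function and dictionary names are mine and the required counts are copied from the table above. Run against 172.16.0.0/16 it reproduces the plan: 172.16.0.0/20 for Regional Office South, 172.16.16.0/21 for Regional Office North, and so on down to the two /30 router links at 172.16.29.128 and 172.16.29.132.

```python
# Added example (not from the original slides): a largest-first VLSM
# allocator that carves the office subnets in the table above out of
# 172.16.0.0/16 and reports the usable host range of each one.
from ipaddress import IPv4Network

def prefix_for_hosts(required: int) -> int:
    """Longest prefix whose usable host count (2**h - 2) covers `required`."""
    host_bits = 2
    while (2 ** host_bits) - 2 < required:
        host_bits += 1
    return 32 - host_bits

def allocate_vlsm(parent: str, demands: dict) -> list:
    """Assign each subnet, largest requirement first, from the lowest free
    block that fits. Returns rows of
    (name, required, usable, network, first_host, last_host)."""
    pool = [IPv4Network(parent)]            # free blocks not yet assigned
    rows = []
    for name, required in sorted(demands.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(required)
        fits = [b for b in sorted(pool) if b.prefixlen <= prefix]
        if not fits:
            raise ValueError(f"address space exhausted at {name}")
        block = fits[0]
        pool.remove(block)
        if block.prefixlen == prefix:
            net = block
        else:
            # take the first /prefix out of the block, return the remainder to the pool
            net = next(block.subnets(new_prefix=prefix))
            pool.extend(block.address_exclude(net))
        hosts = list(net.hosts())
        rows.append((name, required, net.num_addresses - 2,
                     str(net), str(hosts[0]), str(hosts[-1])))
    return rows

DEMANDS = {   # required address counts taken from the slide table
    "Regional Office South": 2060,
    "Regional Office North": 1200,
    "Branch Office A": 420,
    "Branch Office D": 300,
    "Branch Office B": 180,
    "Branch Office C": 70,
    "Router Subnet North": 2,
    "Router Subnet South": 2,
}

def plan() -> dict:
    """Name -> (network, first_host, last_host) for the slide scenario."""
    return {name: (net, first, last)
            for name, _, _, net, first, last in allocate_vlsm("172.16.0.0/16", DEMANDS)}

if __name__ == "__main__":
    for name, required, usable, net, first, last in allocate_vlsm("172.16.0.0/16", DEMANDS):
        print(f"{name:<22} {required:>5} {usable:>5}  {net:<18} {first} - {last}")
```

Sorting the free pool and taking the lowest block that fits keeps the leftover space contiguous at the top of the /16, which is what leaves room for growth; allocating in the order the offices appear instead would fragment it.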

Module 8: Configure and Verify IPv6
Addressing and Prefix

1.8 IPv6 Addressing
IPv6 Address Format

• The IPv4 addressing scheme is based on a 32-bit binary number

• 32 bits can express 2^32 (about 4.3 billion) unique addresses

• However, the way addresses were allocated was inefficient and wasted many of the available addresses

• These inefficiencies and the increasing demand for addresses mean that the available IPv4 address supply is close to exhaustion

IPv6 Addressing
(Continued)

• Private addressing and network address translation (NAT) have rendered a 'stopgap'
solution to the problem

• IPv6 renders a long-term solution to the address space exhaustion problem

• Its 128-bit addressing scheme has space for 340 undecillion unique addresses

• Only a small part of the scheme can be allocated currently to hosts, but there is still
enough address space within that allocation

IPv6 Addressing
(Continued)

• IPv6 is designed to meet the demands of personal and handheld devices with Internet connectivity

• Currently, that means phones, but the IPv6 designers visualise a world of wireless
Internet connectivity for a huge variety of appliances

• For example, an advertising hoarding could be made "active" so that it can be linked to
the product through the phone

IPv6 Addressing
(Continued)

• IPv6 has now begun to be deployed in particular sections of corporate and public networks

• Although IPv6 has been a standard installed feature in recent desktop and server versions of the common operating systems, it has typically been implemented only in the network core

• However, as the problems with IPv4 grow, IPv6 will become more mainstream in corporate networks, down to the desktop, and on the web in general

IPv6 Addressing
(Continued)

o Hexadecimal Numbering

• To interpret IPv6 addresses, you need to understand hexadecimal notation and the idea of a number base

• Decimal numbering can also be known as base 10

• Base 10 defines that each digit can have one of ten possible values (0…9)

• A digit placed to the left of another is ten times the value of the digit to the right

IPv6 Addressing
(Continued)

For example, the number 255 can be written as below:

(2x10x10)+(5x10)+5

• Binary is base 2 so a digit in any given position can only have one of two values (0 or 1)
and each place position is the next power of 2

IPv6 Addressing
(Continued)

• The binary value 11111111 can be changed to the decimal value 255 with the help of
below-mentioned sum:

(1x2x2x2x2x2x2x2)+(1x2x2x2x2x2x2)+(1x2x2x2x2x2)+(1x2x2x2x2)+(1x2x2x2)+(1x2x2)+(1x2)+1

• Several values in computing, such as IPv4 addresses, are depicted in octets (or bytes)

• 1 octet (or byte) is 8 bits

IPv6 Addressing
(Continued)

• Because IPv6 addresses are long (128 bits), dotted decimal notation becomes unwieldy

• Hex is a more convenient way of referring to the long sequences of bytes used in IPv6

• Hex is base 16, with the possible values of each digit signified by the numerals 0...9 and the characters A, B, C, D, E, F

IPv6 Addressing
(Continued)

The following table is used to convert between binary, decimal, and hexadecimal values

Decimal Hexadecimal Binary Decimal Hexadecimal Binary


0 0 0000 8 8 1000
1 1 0001 9 9 1001
2 2 0010 10 A 1010

IPv6 Addressing
(Continued)

Decimal Hexadecimal Binary Decimal Hexadecimal Binary


3 3 0011 11 B 1011
4 4 0100 12 C 1100
5 5 0101 13 D 1101
6 6 0110 14 E 1110
7 7 0111 15 F 1111

IPv6 Addressing
o IPv6 Address Compression

• IPv6 addresses include eight 16-bit numbers with each double-byte number expressed as
4 hex digits. For example, the binary address:

0010 0000 0000 0001 : 0000 1101 1011 1000 : 0000 0000 0000 0000 :
0000 0000 0000 0000 : 0000 1010 1011 1100 : 0000 0000 0000 0000 :
1101 1110 1111 0000 : 0001 0010 0011 0100

• Can be expressed in hex notation as:

2001:0db8:0000:0000:0abc:0000:def0:1234

IPv6 Addressing
(Continued)

• Leading zeroes within a 16-bit group can be dropped

• In addition, one contiguous run of all-zero groups can be replaced by a double colon (::) place marker

• Thus the address will become:

2001:db8::abc:0:def0:1234

IPv6 Addressing
(Continued)

• Double-colon compression can be used only once in a given address. For example:

2001:db8::abc::def0:1234

• The address above is not valid, because it is ambiguous between the following two addresses:

2001:db8:0000:0abc:0000:0000:def0:1234
2001:db8:0000:0000:0abc:0000:def0:1234

IPv6 Addressing
(Continued)

• If IPv6 addresses are used as part of a URL, then the IPv6 address must be enclosed
within square brackets

• For example:

http://[2001:db8::abc:0:def0:1234]/index.htm
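The compression rules from the last few slides (drop leading zeroes, replace one run of zero groups with ::, reject a second ::, bracket the address in a URL) written out group by group rather than delegated to a library. This is an added example, not code from the original slides; the function names are mine. The compression follows the RFC 5952 convention of collapsing the longest run of zero groups, so a single zero group is left as 0 rather than compressed:

```python
# Added example (not from the original slides): IPv6 text-form expansion and
# RFC 5952-style compression, including the check that "::" appears at most
# once and the bracketed form required inside a URL.

def expand_ipv6(text: str) -> list:
    """Return the eight 16-bit groups as integers, or raise ValueError."""
    if text.count("::") > 1:
        raise ValueError(f"ambiguous address, '::' used more than once: {text}")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one zero group: {text}")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}: {text}")
    values = []
    for g in groups:
        if not (1 <= len(g) <= 4):
            raise ValueError(f"bad group '{g}' in {text}")
        values.append(int(g, 16))        # raises ValueError on non-hex digits
    return values

def compress_ipv6(groups: list) -> str:
    """Drop leading zeros in each group and replace the longest run of two or
    more zero groups with '::' (the first such run if there is a tie)."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [format(g, "x") for g in groups]
    if best_len < 2:                      # a lone zero group stays as "0"
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return f"{left}::{right}"

def canonical(text: str) -> str:
    """Expand then re-compress, giving one canonical spelling per address."""
    return compress_ipv6(expand_ipv6(text))

def url_host(text: str) -> str:
    """IPv6 literal as it must appear in a URL: bracketed, so its colons are
    not mistaken for the host:port separator."""
    return f"[{canonical(text)}]"
```

canonical() is the routine to run on addresses before comparing them in an allow-list or a log search: 2001:0db8::1, 2001:db8:0:0:0:0:0:1 and 2001:DB8::1 are the same interface and should match the same rule.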

IPv6 Addressing
o IPv6 Packets

• An IPv6 packet comprises two or three elements: the main header, one or more optional
extension headers, and the payload

• The IPv6 packet key features are as follows:

Field Size Explanation


Version 4 bits Used to indicate which version of IP is being used (0110 or 0x06 for IPv6)

Traffic Class 8 bits Describes the packet’s priority

IPv6 Addressing
(Continued)

Field Size Explanation

Flow Label 20 bits Used for QoS management, such as for real-time streams. Set to 0 for packets that are not part of any flow

Payload Length 16 bits Length of the payload (everything after the 40-byte fixed header) in bytes, up to a maximum of 65,535; for larger payloads this field is 0 and a Jumbo Payload option (up to 4 GB) is carried in a Hop-by-Hop extension header

Next Header 8 bits Identifies the next extension header (if any) or the upper-layer protocol of the payload, for example 6 (TCP), 17 (UDP), or 58 (ICMPv6)

IPv6 Addressing
(Continued)

Field Size Explanation


Hop Limit 8 bits Replaces the TTL field in IPv4 but performs the same function

Source Address 128 bits The originating address

Destination Address 128 bits The target address
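The fixed header from the table above, parsed from raw bytes. This is an added example and not part of the original slides; the function names are mine and the sample packet (an ICMPv6 echo request from 2001:db8::1 to the all-nodes multicast address) is constructed inline. The Version, Traffic Class and Flow Label fields share the first 32-bit word, which is where hand-written parsers most often get the bit offsets wrong:

```python
# Added example (not from the original slides): parse the 40-byte fixed IPv6
# header described in the table above from raw bytes. The sample packet is
# constructed here (ICMPv6 echo request from 2001:db8::1 to ff02::1).
import struct
from ipaddress import IPv6Address

NEXT_HEADER_NAMES = {0: "Hop-by-Hop Options", 6: "TCP", 17: "UDP", 43: "Routing",
                     44: "Fragment", 58: "ICMPv6", 59: "No Next Header"}

def parse_ipv6_header(raw: bytes) -> dict:
    """Split the fixed header into its fields; raises ValueError if the bytes
    are too short or the version field is not 6."""
    if len(raw) < 40:
        raise ValueError("IPv6 fixed header is 40 bytes")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", raw[:8])
    version = first_word >> 28                        # top 4 bits of the first word
    if version != 6:
        raise ValueError(f"not IPv6: version field is {version}")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,   # next 8 bits
        "flow_label": first_word & 0xFFFFF,           # low 20 bits
        "payload_length": payload_len,
        # A zero length with a Hop-by-Hop header means the real length is in a
        # Jumbo Payload option rather than in this 16-bit field.
        "jumbogram": payload_len == 0 and next_header == 0,
        "next_header": next_header,
        "next_header_name": NEXT_HEADER_NAMES.get(next_header, "unknown"),
        "hop_limit": hop_limit,
        "src": str(IPv6Address(raw[8:24])),
        "dst": str(IPv6Address(raw[24:40])),
        "payload": raw[40:40 + payload_len],
    }

def build_ipv6_packet(src: str, dst: str, payload: bytes, next_header: int = 58,
                      hop_limit: int = 64, traffic_class: int = 0, flow_label: int = 0) -> bytes:
    """Inverse of parse_ipv6_header; used here only to construct the sample."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    header = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    return header + IPv6Address(src).packed + IPv6Address(dst).packed + payload

# Constructed sample: 8-byte ICMPv6 echo request (type 128), traffic class 0xb8,
# flow label 0x12345, so every field in the first word is non-zero.
SAMPLE_PACKET = build_ipv6_packet("2001:db8::1", "ff02::1",
                                  b"\x80\x00\x00\x00\x00\x01\x00\x01",
                                  traffic_class=0xb8, flow_label=0x12345)
```

The parser only walks the fixed header; a real packet filter has to follow the Next Header chain through any extension headers before it reaches the transport header, which is why access lists that match on "UDP" can be bypassed by a crafted header chain unless the device parses the chain properly.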

IPv6 Addressing
IPv6 Addressing Schemes

• An IPv6 address is divided into two parts: the first 64 bits are utilised as a network ID and
the second 64 bits designate a specific interface

Network ID Interface ID

64-bit 64-bit
• Network addresses are written by utilising CIDR notation, where /nn is the routing prefix
length in bits

• Within the 64-bit network ID, as with CIDR, the network prefix length is utilised to decide
whether two addresses refer to the same IP network

IPv6 Addressing
(Continued)

• For example, if the prefix is /48, then two IPv6 addresses whose first 48 bits are the same belong to the same IP network

• This means that an organisation's network can be described by a 48-bit prefix, leaving 16 bits of the network ID for subnetting. For example:

2001:db8:3c4d::/48       represents a network address
2001:db8:3c4d:1::/64     represents a subnet within that network address

IPv6 Addressing
(Continued)

• IPv6 describes several addressing schemes. These are unicast, multicast, and anycast

o IPv6 Unicast Addressing

• As with IPv4, a unicast address identifies a single network interface

• IPv6 unicast addressing is scoped; a scope is the region of the network within which the address is valid

• Global scope is the equivalent of public IPv4 addressing, while link-local and unique local scopes provide addressing that is not routed on the Internet

IPv6 Addressing
o IPv6 Global Addressing

• Globally scoped unicast addresses are routable over the Internet and are the equivalent
of public IPv4 addresses

• The parts of a global address are given below:

➢ The first 3 bits (001) denote that the address is within the global scope. Most of the IPv6 address space is currently unassigned; the range for globally unique unicast addressing holds 1/8 of the total address space. In hex, globally scoped unicast addresses begin with a 2 (0010) or a 3 (0011)

IPv6 Addressing
(Continued)

➢ The next 45 bits are allocated hierarchically to regional registries, and from them to ISPs and end users

➢ The next 16 bits identify site-specific subnets

➢ The final 64 bits are the interface ID

Global routing prefix (001 + 45-bit network ID)    Subnet     Interface ID
3-bit + 45-bit                                     16-bit     64-bit

IPv6 global unicast address format


IPv6 Addressing
o Interface ID / EUI-64

The interface ID can be determined in one of two ways:

• The first uses the interface's MAC address. The result is referred to as an interface identifier or MAC-derived address

• As a MAC address is currently 48 bits (6 bytes), a simple translation mechanism allows driver software to generate a 64-bit interface ID (an EUI-64) from these 48 bits

IPv6 Addressing
(Continued)

• The digits fffe are added in the middle of the address, and the U/L bit is flipped

• For example, the MAC address 00608c123abc would become the EUI-64 address
02608cfffe123abc, which when expressed in doublebytes becomes 0260:8cff:fe12:3abc,
or 260:8cff:fe12:3abc

• In the second technique, the client device uses a pseudorandom number for the
interface ID. This is referred to as a temporary interface ID or token

IPv6 Addressing
(Continued)

• Because a MAC-derived interface ID stays constant, it allows a specific host to be identified and tracked wherever it connects to the Internet; using a random token mitigates this to some degree
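The EUI-64 construction from the previous slide (insert fffe, flip the U/L bit) and the privacy point above, as an added example that is not part of the original slides. The function names are mine; the MAC 00608c123abc is the one used in the text. The reverse mapping and the fffe check show why the privacy concern is real: a MAC-derived interface ID carries the hardware address in the clear, and anyone who sees the IPv6 address can recover it:

```python
# Added example (not from the original slides): modified EUI-64 derivation
# from a 48-bit MAC (insert ff:fe between the OUI and the serial number and
# flip the U/L bit), the reverse mapping, and a random interface ID token.
import re
import secrets
from ipaddress import IPv6Address

def parse_mac(mac: str) -> bytes:
    """Accept 00608c123abc, 00:60:8c:12:3a:bc or 0060.8c12.3abc."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    return bytes.fromhex(digits)

def mac_to_eui64(mac: str) -> bytes:
    octets = parse_mac(mac)
    # Bit 0x02 of the first octet is the universal/local (U/L) bit. Modified
    # EUI-64 inverts it, so a burned-in (universal) MAC gives 1: 00 -> 02.
    first = bytes([octets[0] ^ 0x02])
    return first + octets[1:3] + b"\xff\xfe" + octets[3:]

def eui64_to_mac(eui64: bytes) -> str:
    """Recover the MAC from a MAC-derived interface ID."""
    if len(eui64) != 8 or eui64[3:5] != b"\xff\xfe":
        raise ValueError("not a MAC-derived EUI-64 interface ID")
    octets = bytes([eui64[0] ^ 0x02]) + eui64[1:3] + eui64[5:]
    return ":".join(f"{b:02x}" for b in octets)

def link_local_from_mac(mac: str) -> str:
    """fe80::/64 prefix plus the EUI-64 interface ID, in compressed form."""
    return str(IPv6Address(b"\xfe\x80" + b"\x00" * 6 + mac_to_eui64(mac)))

def random_interface_id() -> bytes:
    """Temporary (privacy) interface ID: 64 random bits with the U/L bit
    cleared, so it cannot be mistaken for a globally unique EUI-64."""
    token = bytearray(secrets.token_bytes(8))
    token[0] &= ~0x02 & 0xFF
    return bytes(token)

def interface_id_is_mac_derived(addr: str) -> bool:
    """Spot the ff:fe marker that reveals a hardware address inside an address."""
    iid = IPv6Address(addr).packed[8:]
    return iid[3:5] == b"\xff\xfe"
```

interface_id_is_mac_derived() is the check to run over an address inventory when deciding whether hosts are leaking their MAC addresses; an address whose interface ID passes it can be fed to eui64_to_mac() to recover the OUI and therefore the vendor of the NIC.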

o IPv6 Link-local addressing

• IPv6 uses Link-local addresses for network housekeeping traffic

• Link-local addresses span a single subnet (routers do not forward them)

• Nodes on the same link are known as neighbors


IPv6 Addressing
(Continued)

• Link-local addresses begin with the 10-bit prefix fe80::/10 (1111 1110 10); the next 54 bits are set to zero and the last 64 bits are the interface ID

1111 1110 10    0000...0000    Interface ID

10-bit          54-bit         64-bit

IPv6 link-local unicast address format

• The IPv4 equivalent is Automatic Private IP Addressing (APIPA) and its 169.254.0.0/16 addresses

IPv6 Addressing
(Continued)

• However, an IPv6 host is always configured with link-local addresses, even if it also has a
globally unique address

• A link-local address is usually written with a zone index of the form %1 (Windows) or %eth0 (Linux)

• The zone index identifies the interface the address belongs to, making it unique to a specific link

• For example, a host may have an Ethernet link, a loopback interface, and a VPN

IPv6 Addressing
(Continued)

• Each of these links may carry the same link-local address, so to make it unique each is assigned a zone ID

• Zone indices are generated by the host, so two hosts communicating over the same link may refer to it using different zone IDs

IPv6 Addressing
o IPv6 Unique Local Addressing

• Unique Local Addressing assigns addresses that are only routable within a site

• Unique Local Addresses (ULA) are not routable over the Internet

• ULA is intended for communication within a site, for example between hosts that do not need to be reached from the Internet

IPv6 Addressing
(Continued)

• The prefix for unique local addressing is fc00::/7, but it is more common to see addresses of the form fd00::/8, because the 8th bit (the L flag) is set to 1 to indicate a locally assigned prefix

• The next 40 bits should be generated by a pseudo-random algorithm and used for a single site only

• Although designed for site-local use, a ULA prefix is intended to be globally unique: the random 40 bits make it unlikely that two organisations choose the same prefix, so no organisation should simply pick fd00::/48. The remaining 16 bits can be used for subnetting

IPv6 Addressing
o IPv6 Multicast Addressing

• A multicast address identifies multiple network interfaces, and, unlike IPv4, IPv6 routers must support multicast

• The multicast address parts are subdivided as below:

➢ The first 8 bits show that the address is within the multicast scope (1111 1111 or ff)

➢ The next 4 bits are utilised to flag types of multicast if required (they are set to 0
otherwise)

IPv6 Addressing
(Continued)

➢ The next 4 bits define the scope; for example, 1 is node-local while 2 is link-local

➢ The final 112 bits define multicast groups within that scope

• IPv6 has no broadcast addresses. Instead, hosts use a suitable multicast address for a given situation

• Well-known multicast addresses are reserved for this kind of "broadcast" functionality; they allow an interface to reach all routers or all nodes on the same node or local link

IPv6 Addressing
(Continued)

• Below are some of the well-known multicast addresses:

Address Target

ff02::1 All link-local nodes

ff02::2 All link-local routers

ff02::1:2 All link-local DHCP servers and relay agents

IPv6 Addressing
(Continued)

• In IPv4, resolution of an IP address to a specific hardware interface is performed using ARP

• ARP is "chatty" and requires every node to process its broadcasts, whether or not they are relevant to that node. IPv6 replaces ARP with the Neighbor Discovery (ND) protocol

• Every unicast address configured on an interface has a corresponding solicited-node multicast address

IPv6 Addressing
(Continued)

• It is formed from the prefix ff02::1:ff00:0/104 followed by the last 24 bits of the unicast address

• Neighbor Discovery sends Neighbor Solicitation messages to the solicited-node address to perform address resolution

• This reduces the number of hosts that receive ND messages, so it is more efficient than the old ARP broadcast mechanism

IPv6 Addressing
o IPv6 Anycast Addressing

• An anycast address also identifies multiple interfaces

• Anycast is used when a message needs to reach any one member of a group, but not necessarily all of them

• The packet is delivered to the group member that is nearest to the sender in routing terms

• Anycast is used, for example, to reach the nearest instance of a replicated service

IPv6 Addressing
o IPv6 Reserved Addresses

• The ::/8 block is reserved for special functions

There are two special addresses within this block:

➢ Unspecified address (0:0:0:0:0:0:0:0, written ::)

➢ Loopback address (0:0:0:0:0:0:0:1, written ::1)

IPv6 Addressing
o IPv6 Address Prefixes

• Following table is used to identify some commonly used classes of IPv6 address by prefix
notation or leading hex digits:

Type                  Prefix       Leading Hex Characters

Global unicast        2000::/3     2, 3

Link-local unicast    fe80::/10    fe80

ULA                   fd00::/8     fd

IPv6 Addressing
(Continued)

Type                     Prefix               Leading Hex Characters

Multicast                ff00::/8             ff

Multicast (link-local)   ff02::/16            ff02::1 (all nodes), ff02::2 (all routers), ff02::1:2 (DHCP)

Solicited-node           ff02::1:ff00:0/104   ff02::1:ff

Unspecified              ::/128               ::, 0::0

IPv6 Addressing
(Continued)

Type Prefix Leading Hex Characters

Loopback ::1/128 ::1

Teredo 2001::/32 2001

6to4 2002::/16 2002

Documentation / Examples 2001:db8::/32 2001:db8
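The prefix table above turned into a classifier, plus the solicited-node derivation from the Neighbor Discovery slides and the multicast scope nibble. This is an added example and not part of the original slides; the function names and the PREFIX_TABLE ordering are mine. Entries are listed most specific first so that a solicited-node address matches its own row before the generic ff02::/16 and ff00::/8 rows:

```python
# Added example (not from the original slides): classify an IPv6 address by
# the prefixes in the table above, read the multicast scope nibble, and derive
# the solicited-node multicast address that Neighbor Discovery uses in place
# of ARP broadcasts.
from ipaddress import IPv6Address, IPv6Network

# Most specific prefix first: ff02::1:ff00:0/104 must win over ff02::/16 and ff00::/8.
PREFIX_TABLE = [
    ("unspecified",            IPv6Network("::/128")),
    ("loopback",               IPv6Network("::1/128")),
    ("documentation",          IPv6Network("2001:db8::/32")),
    ("teredo",                 IPv6Network("2001::/32")),
    ("6to4",                   IPv6Network("2002::/16")),
    ("solicited-node",         IPv6Network("ff02::1:ff00:0/104")),
    ("multicast link-local",   IPv6Network("ff02::/16")),
    ("multicast",              IPv6Network("ff00::/8")),
    ("link-local unicast",     IPv6Network("fe80::/10")),
    ("unique local",           IPv6Network("fc00::/7")),
    ("global unicast",         IPv6Network("2000::/3")),
]

MULTICAST_SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
                    5: "site-local", 8: "organization-local", 0xE: "global"}

def classify(text: str) -> str:
    """Name of the first PREFIX_TABLE entry containing the address."""
    addr = IPv6Address(text.split("%")[0])       # drop a zone index such as %eth0
    for name, net in PREFIX_TABLE:
        if addr in net:
            return name
    return "reserved/other"

def multicast_scope(text: str) -> str:
    """The 4-bit scope field: low nibble of the first 16-bit group (ff0S::)."""
    addr = IPv6Address(text)
    if not addr.is_multicast:
        raise ValueError(f"{text} is not a multicast address")
    scope = (int(addr) >> 112) & 0xF
    return MULTICAST_SCOPES.get(sc, f"reserved ({sc:x})") if (sc := scope) not in MULTICAST_SCOPES else MULTICAST_SCOPES[sc]

def solicited_node(text: str) -> str:
    """ff02::1:ff00:0/104 followed by the low 24 bits of the unicast address."""
    addr = IPv6Address(text)
    if addr.is_multicast:
        raise ValueError("solicited-node addresses are derived from unicast addresses")
    low24 = int(addr) & 0xFFFFFF
    return str(IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24))
```

Because only the low 24 bits feed into the solicited-node group, two hosts whose addresses differ only in the upper bits of the interface ID share a group and both receive each other's Neighbor Solicitations; that is harmless for ND but worth remembering when reading multicast membership tables on a switch.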

1.9 Compare IPv6 Address Types
There are numerous different types of IPv6 addresses:

1.9.a Global Unicast

o Similar to IPv4 public addresses

o Range - 2000::/3

1.9.b Unique Local

o Similar to IPv4 private addresses

o Range – FD00::/8
1.9 Compare IPv6 Address Types
1.9.c Link Local

o Self-generated by every IPv6 interface

o Not routed; valid only on the local link

o Range – FE80::/10

1.9.d AnyCast

o An IPv6 address which is assigned to multiple nodes

o Used to provide redundancy and optimised traffic flow


1.9 Compare IPv6 Address Types
1.9.e Multicast

o Similar to IPv4 multicast addresses

o Range – FF00::/8

1.9.f Modified EUI 64

o A method of generating the 64-bit interface ID of an IPv6 address automatically from the interface's 48-bit MAC address

Module 10: Verify IP Parameters for
Client OS

1.10 Verify IP parameters for Client OS
• Every operating system has various commands which you can use to verify network
settings

a. Windows

The following are the steps to verify interface IP parameters in Windows OS:

1. Open Command Prompt by searching for “command prompt” in Windows search

2. Then run the command “ipconfig /all”

Verify IP parameters for Client OS
b. macOS

The following are the steps to verify interface IP parameters in macOS:

1. Open Terminal, located in /Applications/Utilities/

2. Then run the command “ifconfig”

Verify IP parameters for Client OS
c. Linux

The following are the steps to verify interface IP parameters in Linux:

1. Open the terminal application by searching for “terminal” with an application search

2. Then run the command “ip address” (or “ifconfig” on distributions where the older net-tools package is installed)

Module 11: Describe Wireless Principles

1.11.a Nonoverlapping Wi-Fi channels
• Wireless frequencies are used to transmit data over the air. They are split into smaller bands called channels

2.4 GHz channels (U.S.): 1 2 3 4 5 6 7 8 9 10 11

5 GHz channels (U.S.): 36 40 44 48

1.11.a Nonoverlapping Wi-Fi channels
(Continued)

• In an RF environment, wireless channels should not overlap

Channel 1 Channel 6 Channel 11

1.11.a Nonoverlapping Wi-Fi channels
(Continued)

• Overlapping channels cause interference and degrade wireless performance

Channel 1    Channel 1    Channel 1
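The non-overlapping rule from the last three slides in code, as an added example that is not part of the original slides. The function names are mine. Centre frequencies follow the 802.11 formula (2407 + 5 x n MHz for 2.4 GHz channels 1 to 13, 5000 + 5 x n MHz in the 5 GHz band) and the 22 MHz occupied width is the classic DSSS figure, so 1, 6 and 11 come out as the only mutually non-overlapping set among the U.S. channels 1 to 11, while the 20 MHz-spaced 5 GHz channels 36, 40, 44 and 48 never overlap:

```python
# Added example (not from the original slides): compute channel centre
# frequencies and test which channels overlap, which is why a three-AP
# 2.4 GHz plan uses 1, 6 and 11 rather than adjacent channels.

def centre_mhz(channel: int, band: str) -> int:
    """Centre frequency in MHz for a 2.4 GHz or 5 GHz channel number."""
    if band == "2.4":
        if channel == 14:
            return 2484                      # the odd one out (Japan only)
        if 1 <= channel <= 13:
            return 2407 + 5 * channel        # channel 1 = 2412 MHz
    elif band == "5":
        if 36 <= channel <= 177:
            return 5000 + 5 * channel        # channel 36 = 5180 MHz
    raise ValueError(f"unknown channel {channel} in the {band} GHz band")

def overlaps(ch_a: int, ch_b: int, band: str = "2.4", width_mhz: int = 22) -> bool:
    """Two channels interfere if their occupied bands (centre +/- width/2) intersect."""
    return abs(centre_mhz(ch_a, band) - centre_mhz(ch_b, band)) < width_mhz

def non_overlapping_plan(channels, band: str = "2.4", width_mhz: int = 22) -> list:
    """Greedy choice, lowest channel first, of mutually non-overlapping channels."""
    chosen = []
    for ch in sorted(channels):
        if all(not overlaps(ch, c, band, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen

def interference_pairs(plan, band: str = "2.4", width_mhz: int = 22) -> list:
    """AP pairs in a (name, channel) deployment plan that share spectrum."""
    bad = []
    for i, (ap_a, ch_a) in enumerate(plan):
        for ap_b, ch_b in plan[i + 1:]:
            if overlaps(ch_a, ch_b, band, width_mhz):
                bad.append((ap_a, ap_b))
    return bad
```

The width parameter matters: with the 20 MHz width of OFDM (802.11g/n) rather than 22 MHz, channels 1 and 5 sit exactly 20 MHz apart and the strict comparison no longer counts them as overlapping, which is why some planning tools offer a four-channel 2.4 GHz plan and most deployments still avoid it.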

1.11.b SSID and 1.11.c RF
SSID

• The SSID (Service Set Identifier) is the name that identifies a WLAN (Wireless Local Area Network); wireless clients select a network and associate with an access point by its SSID

• For example, the network names a laptop lists when it scans for wireless networks are SSIDs

RF

• Radio frequency (RF) signals are used to transmit data between wireless devices

1.11.d Encryption
• Encryption methods are used to secure wireless transmissions

• The following are the types of wireless encryption, from most to least secure:

WPA2 + AES (most secure)
WPA + AES
WPA + TKIP/AES (TKIP is present as a fallback method)
WPA + TKIP
WEP
Open Network (no security at all)

Module 12: Explain Virtualisation
Fundamentals (Virtual Machines)

1.12 Server Virtualisation Basics
• Before virtualisation, the physical server model was used, in which each physical server runs one operating system that uses all the hardware in that one server

• Most companies nowadays build a virtualised data centre: the company purchases server hardware, installs it in racks, and then treats all the CPU, RAM, and so on as capacity in the data centre

• Each OS instance is then decoupled from the hardware and is therefore virtual

• Every piece of hardware that we would previously have thought of as a server runs multiple instances of an OS at the same time, with each virtual OS instance called a virtual machine, or VM

Server Virtualisation Basics
(Continued)
Virtual Machine    Virtual Machine    Virtual Machine    Virtual Machine
App App App        App App App        App App App        App App App
OS                 OS                 OS                 OS
                              Hypervisor
Storage        CPU        RAM        Network

Four VMs Running on One Host; Hypervisor Manages the Hardware


Server Virtualisation Basics
• Every physical server uses a hypervisor to make server virtualisation work

• The hypervisor manages the host hardware (CPU, RAM, and so on) and allocates it to each VM based on the settings for that VM

• Every virtual machine runs as if it were on a self-contained physical server, with a particular number of virtual CPUs and NICs and a set amount of RAM and storage

Server Virtualisation Basics
• Server virtualisation tools provide a wide-ranging variety of options for how to connect
VMs to networks

• Generally, a physical server has one or more NICs, maybe as slow as 1 Gbps, often 10
Gbps today, and maybe as fast as 40 Gbps

• Also, an OS has one NIC or maybe more

• To make the OS work normally, every VM has at least one NIC, but for a VM, it is a virtual
NIC

Server Virtualisation Basics
• Lastly, the server must combine the ideas of the physical NICs with the vNICs used by the
VMs into some kind of a network

• Mostly, every server uses some kind of an internal Ethernet switch concept, known as a
virtual switch, or vSwitch

• The vSwitch can be supplied by the hypervisor vendor or by Cisco

Module 13: Describe Switching Concepts

1.13.a MAC Learning and Aging
• MAC address learning begins when the switch starts and connected hosts begin sending frames: the source MAC address and ingress port of each frame are recorded in the MAC address table

• An entry is refreshed each time a frame from that source arrives; an entry that is not refreshed is removed when the aging time expires and has to be learned again

• By default, the switch removes MAC address table entries that have been idle for 300 seconds (five minutes)

• A Layer 2 broadcast is delivered to all devices in a single broadcast domain (segment or VLAN)

• A frame whose destination MAC address is ffff.ffff.ffff is flooded out of every port in the VLAN except the port on which it arrived

1.13.b Frame Switching
• The host sends packets encapsulated with an IP header inside the frame

• The source and destination IP addresses in the header are needed for end-to-end connectivity

• Layer 2 switches do not examine or understand the IP addresses

• Switches and wireless access points are network devices that make forwarding decisions on the basis of the destination MAC address in the frame

1.13.b Frame Switching
(Continued)

• Switches and wireless access points do not change the MAC addressing in the frame

• The switch does not rewrite the MAC addresses in the frame header; it examines the source MAC address and the destination MAC address

• When the incoming frame's source MAC address is not already listed, it is added to the MAC address table together with the port it arrived on

1.13.b Frame Switching
(Continued)

• The switch examines the frame header for the destination MAC address and looks it up in the MAC address table to make a forwarding decision

• The frame is then forwarded out of the switch port associated with the destination MAC address, where the host is connected

• If the destination MAC address is not in the table, the frame is flooded out of all other ports in the VLAN; traffic for a destination on another IP network is addressed by the host to the router's MAC address, so it reaches the router's port in the same way

• The IP addressing between source and destination does not change

1.13.c Frame Flooding
• LAN switches use forwarding tables, also called Content Addressable Memory (CAM) tables or Layer 2 (L2) tables, to direct traffic to particular ports on the basis of the VLAN number and the frame's destination MAC address

• Initially, the L2 table has no entry for the destination MAC address. The switch therefore floods the frame out of all connected ports in the VLAN except the one it arrived on; this is frame flooding. When the destination replies, its source MAC address is learned on the port where the reply arrived

• From then on, frames to that destination MAC address are forwarded only to the specific port recorded in the table

1.13.c Frame Flooding
(Continued)
1. A frame arrives at the LAN switch

2. The switch reads the destination MAC address of the frame

3. It looks that address up in the CAM table

4. Is the destination address available in the CAM table?

o No: forward the frame to all connected ports except the port on which it arrived

o Yes: forward the frame only to the port associated with the destination address

1.13.d MAC Address Table
• A unique hardware address from the manufacturer is assigned to each network
device; it is known as the MAC address

• A MAC address has the purpose of providing a unique identifier at layer 2

• That enables communication between devices in the same network segment (VLAN) or
in different segments

• Switch forwarding decisions are based on the MAC address and its assigned port

1.13.d MAC Address Table
(Continued)

• The MAC address is a 48-bit hexadecimal number, which is also known as the
physical address

• The first 24 bits are the manufacturer OUI (Organisational Unique Identifier) and the last
24 bits are a unique serial number (SN); in the example below the OUI is 0000.00 and the
SN is 0a.aaaa

OUI | SN
0000.000a.aaaa (OUI = 0000.00, SN = 0a.aaaa)
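Added example (not from the course deck): a small Python model of the learning, forwarding and flooding behaviour described in 1.13.b to 1.13.d, plus the OUI/serial-number split of a MAC address. Port numbers and MAC addresses are constructed sample values, and the CAM table is keyed per VLAN so that a lookup never crosses VLANs.

```python
"""Minimal Layer 2 switch model: learn source MACs per port, forward known
unicast frames to the learned port, flood unknown unicast and broadcast
frames out every port except the ingress port. Constructed example, not
vendor code; port numbers and MAC addresses are sample values."""
from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"


def normalize_mac(mac: str) -> str:
    """Strip '.', ':' and '-' separators and lower-case a MAC address."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def split_mac(mac: str) -> tuple:
    """Return (OUI, serial number): the first 24 bits are the manufacturer OUI,
    the last 24 bits the serial number, e.g. 0000.000a.aaaa -> ('000000', '0aaaaa')."""
    digits = normalize_mac(mac)
    return digits[:6], digits[6:]


@dataclass
class Frame:
    src: str
    dst: str
    vlan: int = 1


class Switch:
    """CAM table keyed by (VLAN, MAC) -> port, so lookups never cross VLANs."""

    def __init__(self, port_count: int) -> None:
        self.ports = list(range(1, port_count + 1))
        self.cam = {}

    def _flood(self, in_port: int) -> list:
        # Every port except the one the frame arrived on
        return [p for p in self.ports if p != in_port]

    def receive(self, frame: Frame, in_port: int) -> list:
        """Process one ingress frame and return the list of egress ports.
        The frame's MAC addresses are never rewritten; only the table changes."""
        if in_port not in self.ports:
            raise ValueError(f"no such port: {in_port}")
        src, dst = normalize_mac(frame.src), normalize_mac(frame.dst)
        # Learning: record (or refresh) the port where the source MAC was seen
        self.cam[(frame.vlan, src)] = in_port
        if dst == normalize_mac(BROADCAST):
            return self._flood(in_port)
        out_port = self.cam.get((frame.vlan, dst))
        if out_port is None:
            # Unknown unicast: the destination has not been learned yet, so
            # the switch floods exactly like a broadcast (1.13.c)
            return self._flood(in_port)
        if out_port == in_port:
            # Destination sits on the ingress segment; nothing to forward
            return []
        return [out_port]
```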

Domain 2

Network Access

Outlines of Domain 2
• Module 1: Configure and verify VLANs (normal range) spanning
multiple switches

• Module 2: Configure and verify interswitch connectivity

• Module 3: Configure and verify Layer 2 discovery protocols (Cisco
Discovery Protocol and LLDP)

• Module 4: Configure and verify (Layer 2/Layer 3) EtherChannel
(LACP)

Outlines of Domain 2
• Module 5: Describe the need for and basic operations of Rapid PVST+
Spanning Tree Protocol and identify basic operations

• Module 6: Compare Cisco Wireless Architectures and AP modes

• Module 7: Describe physical infrastructure connections of WLAN
components (AP, WLC, access/trunk ports, and LAG)

• Module 8: Describe AP and WLC management access connections

• Module 9: Configure the components of a wireless LAN access for
client connectivity using GUI

Cisco Router Modes
Modes of Router

• The following are the main 5 modes in a router:

1. User Execution Mode

2. Privileged Mode

3. Global Configuration Mode

4. Interface Configuration Mode

5. ROMMON Mode

2.1 Configure and Verify VLANs (Normal
Range) Spanning Multiple Switches
2.1.a Access Ports (Data and Voice)

• Access ports are also called edge ports, and they act as endpoints for establishing a
connection to the network

Access port

Configure and Verify VLANs (Normal Range)
Spanning Multiple Switches
(Continued)

• Data access ports are not intended for VLAN tagging. Therefore, connected devices
should send untagged frames

• When an access port receives untagged data traffic, the "access VLAN" provisioned on the
interface determines on which VLAN the traffic will be forwarded

Configure and Verify VLANs (Normal Range)
Spanning Multiple Switches
(Continued)

• Enable access mode on an interface

Configure and Verify VLANs (Normal Range)
Spanning Multiple Switches
(Continued)

• Assigning VLAN membership to an interface in access mode

Configure and Verify VLANs (Normal Range)
Spanning Multiple Switches
(Continued)

• Verify access interface status

Configure and Verify VLANs (Normal Range)
Spanning Multiple Switches
2.1.b Default VLAN

• Cisco switch ports are assigned to VLAN 1 by default

• The best practice is not to use VLAN 1 when possible

Configure and Verify VLANs (Normal Range)
Spanning Multiple Switches
2.1.c Connectivity

Connectivity is considered a key factor in any business. The following are some types of
network connectivity:

i. Broadband: Permits companies to access the Internet from a fixed location

• A successor of the old dial-up method of connecting networks

• ISDN, DSL, mobile broadband and cable modem are generally classified as
broadband

Configure and Verify VLANs (Normal Range)
Spanning Multiple Switches
(Continued)

ii. Mobile Internet: is used to access networks from anywhere through wireless
connections

• For mobile internet, the higher the protocol, the higher the speed and connectivity

iii. Virtual Private Network (VPN): is used to create a private network to exchange data
securely over a public network

• Data transfer is typically secured by a method called ‘tunneling’

Configure and Verify VLANs (Normal Range)
Spanning Multiple Switches
(Continued)

iv. Dial-up Networks: These networks enable TCP/IP communication over ordinary
telephone lines

• They make use of analog modems that call specific telephone numbers to make
connections

v. Local Area Networks (LAN): These are used to connect multiple local devices and
computers to share information and access resources

• Routers and network switches are used to connect a LAN with outside networks
Configure and Verify VLANs (Normal Range)
Spanning Multiple Switches
(Continued)

vi. Direct Networks: This is the simplest form of connectivity, in which the connection is
established directly between two devices

• In these networks, only close-range connections can be made easily

2.2 Configure and Verify Interswitch
Connectivity
2.2.a Trunk Ports

• Trunk ports are used for connections where traffic from several VLANs needs to be carried

• Trunk ports are mainly used for interswitch connections

• VLAN IDs are added as a tag to the Ethernet frames

• That is why trunk ports are often called tagged ports

Configure and Verify Interswitch Connectivity

Trunk Port
(Tagged)

Access Port
(Untagged)

Configure and Verify Interswitch Connectivity
Enable trunk mode on an interface

1. Configuration of Switch 1

Configure and Verify Interswitch Connectivity
(Continued)

2. Showing status of VLANs

Configure and Verify Interswitch Connectivity
(Continued)

3. Enable Trunk Port

Configure and Verify Interswitch Connectivity
(Continued)

4. Configuration of Switch 2

Configure and Verify Interswitch Connectivity
(Continued)

5. Showing status of VLANs

2.2.b 802.1Q
• The standard defining VLAN tagging within an Ethernet frame is 802.1Q

• Tagged frame layout: Destination Address | Source Address | 802.1Q VLAN Tag (4 Bytes)
| Type/Len | Data | Frame Check

• The 4-byte tag consists of:

o Tag Protocol ID (2 Bytes): 0x8100

o Tag Control Information (2 Bytes): User Priority (3 Bits), Canonical Format Indicator
(1 Bit) and VLAN ID (12 Bits)

2.2.c Native VLAN
Introduction

• Cisco trunk ports can have one untagged VLAN, and it is also known as Native VLAN

• Traffic that is transmitted out of a trunk port that resides in the Native VLAN will be
forwarded without a VLAN tag
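Added example (not from the course deck): a Python parser that reads an Ethernet frame the way a trunk port would, pulling the 802.1Q tag fields of 2.2.b out of the Tag Control Information and, for an untagged frame, assigning the native VLAN as 2.2.c describes. The frames are constructed by the build_frame helper; on an access port the switch should not honour a host-supplied tag at all, so this logic belongs to trunk handling only.

```python
"""Parse an Ethernet frame as a trunk port does: extract the 802.1Q tag
(TPID 0x8100 followed by 16 bits of Tag Control Information) or, when no tag
is present, assign the frame to the native VLAN. Constructed example, not
vendor code; sample frames are produced by build_frame."""
import struct
from typing import Optional

TPID_8021Q = 0x8100


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0, cfi: int = 0) -> bytes:
    """Build a frame; with vlan=None the frame is untagged."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if vlan is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not (0 <= vlan <= 4095 and 0 <= pcp <= 7 and cfi in (0, 1)):
        raise ValueError("tag field out of range")
    tci = (pcp << 13) | (cfi << 12) | vlan  # 3-bit priority, 1-bit CFI, 12-bit VID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(raw: bytes, native_vlan: int = 1) -> dict:
    """Return the frame fields plus the VLAN the frame belongs to on a trunk
    whose native VLAN is native_vlan."""
    if len(raw) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst = raw[0:6].hex(":")
    src = raw[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        # Untagged: on a trunk this traffic is placed in the native VLAN (2.2.c)
        return {"dst": dst, "src": src, "tagged": False, "pcp": 0, "cfi": 0,
                "vlan": native_vlan, "ethertype": ethertype, "payload": raw[14:]}
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    vid = tci & 0x0FFF
    # VID 0 is a priority-only tag carrying no VLAN membership; 4095 is reserved
    if vid == 4095:
        raise ValueError("reserved VLAN ID 4095")
    return {"dst": dst, "src": src, "tagged": True,
            "pcp": tci >> 13, "cfi": (tci >> 12) & 1,
            "vlan": native_vlan if vid == 0 else vid,
            "ethertype": inner_type, "payload": raw[18:]}
```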

2.2.c Native VLAN
Example of Native VLAN configuration

2.2.c Native VLAN
(Continued)

1. Verification of Native VLAN

• Configuration of switch 1

2.2.c Native VLAN
2. Enable trunk port at switch 1

2.2.c Native VLAN
3. Verify Native VLAN

2.2.c Native VLAN
4. Configuration of switch 2

2.3 Configure and Verify Layer 2 Discovery
Protocols (Cisco Discovery Protocol and LLDP)
CDP (Cisco Discovery Protocol)

• A Cisco proprietary protocol which can be used to discover information about directly
connected devices; it is enabled on most Cisco devices by default

• The command "show cdp neighbor" can be used to display CDP-learned information

Configure and Verify Layer 2 Discovery
Protocols (Cisco Discovery Protocol and LLDP)
Example of CDP Configuration

Configure and Verify Layer 2 Discovery
Protocols (Cisco Discovery Protocol and LLDP)
1. Configuration of Router 1

Configure and Verify Layer 2 Discovery
Protocols (Cisco Discovery Protocol and LLDP)
2. Configuration of Router 2

Configure and Verify Layer 2 Discovery
Protocols (Cisco Discovery Protocol and LLDP)
3. Enable CDP

Configure and Verify Layer 2 Discovery
Protocols (Cisco Discovery Protocol and LLDP)
4. Command: “show cdp neighbors”

Configure and Verify Layer 2 Discovery
Protocols (Cisco Discovery Protocol and LLDP)
LLDP

• Similar to CDP except that it's an open standard protocol and it can be used by anyone
including Cisco

• It is not enabled on Cisco devices by default

Configure and Verify Layer 2 Discovery
Protocols (Cisco Discovery Protocol and LLDP)
Example of LLDP Configuration

Configure and Verify Layer 2 Discovery
Protocols (Cisco Discovery Protocol and LLDP)
1. Enabling LLDP on Router 1

Configure and Verify Layer 2 Discovery
Protocols (Cisco Discovery Protocol and LLDP)
2. Enabling LLDP on Router 2

Configure and Verify Layer 2 Discovery
Protocols (Cisco Discovery Protocol and LLDP)
3. Enabling LLDP on Switch 1, and then assigning the interface port

Configure and Verify Layer 2 Discovery
Protocols (Cisco Discovery Protocol and LLDP)
(Continued)

Configure and Verify Layer 2 Discovery
Protocols (Cisco Discovery Protocol and LLDP)
4. Now, we can check the number of neighbors on the Router 1

Configure and Verify Layer 2 Discovery
Protocols (Cisco Discovery Protocol and LLDP)
5. Enable LLDP on Switch 2, and assign the interface port. Now, you can check the number
of neighbors with the “show lldp neighbors” command

Configure and Verify Layer 2 Discovery
Protocols (Cisco Discovery Protocol and LLDP)
6. You can also check the details of all connected devices using the “show lldp neighbors
detail” command on Router 1

2.4 Configure and Verify (Layer 2/Layer 3)
EtherChannel (LACP)
• EtherChannels (also known as port channels) are a configuration option which allows you to
logically bundle multiple physical interfaces to provide additional redundancy and link
throughput

• LACP is a standard protocol which can be used by network devices to negotiate an
EtherChannel link

Configure and Verify (Layer 2/Layer 3)
EtherChannel (LACP)
(Continued)

• Example of Layer 2 EtherChannel trunk port configuration with LACP

Configure and Verify (Layer 2/Layer 3)
EtherChannel (LACP)
1. Configure LACP on Switch 1

Configure and Verify (Layer 2/Layer 3)
EtherChannel (LACP)
2. Configure LACP on Switch 2

Configure and Verify (Layer 2/Layer 3)
EtherChannel (LACP)
(Continued)

• You can also verify the status of an EtherChannel using the “show etherchannel
summary” command

2.5 Rapid PVST+ Spanning Tree Protocol:
Need for and Basic Operations, and
Identify Basic Operations

• In redundant switching topologies, the forwarding of MAC addresses is
susceptible to layer 2 traffic loops, which can cause storms and take down
networks

• Spanning-tree (STP) is a protocol used to prevent these layer 2 traffic loops

(Diagram: Switch 1, Switch 2 and Switch 3 connected redundantly with Host A; a
Traffic Loop forms without STP)

Rapid PVST+ Spanning Tree Protocol

(Diagram: the same topology with STP enabled: Switch 1, Switch 2 and Host A)

2.5.a Root Port, Root Bridge, and other Port
Names
Root Port

• Every switch elects the port closest to the root bridge as its root port in an STP topology

• This port is always in the forwarding state

Designated Port

Alternate Port

2.5.a Root Port, Root Bridge, and other Port
Names
Root Bridge

• In each STP (Spanning Tree Protocol) topology, one switch is selected as the root
bridge. It acts as the central reference point for the topology

• All root bridge ports will always be in the forwarding state

o Root bridges are chosen based on the lowest bridge priority

o By default, the switch with the lowest MAC address wins the root bridge
election

2.5.b Port States (Forwarding/Blocking)
Switchports running Rapid PVST+ operate in the following three different port states:

1. Discarding: the state of a switchport when it first appears, in blocking mode

2. Learning: in this state, the switchport starts to learn MAC addresses

3. Forwarding: in this final state, the switchport finally starts to forward traffic

2.5.c PortFast Benefits
The following are the benefits of PortFast:

• Many network devices cannot work properly while waiting for Rapid PVST+ to reach the
forwarding state

• An example would be an endpoint giving up on DHCP (Dynamic Host Configuration
Protocol) responses while sitting in the discarding or learning port states

• Switchports can go directly into the forwarding state with the PortFast feature and
bypass the first two states (discarding and learning)

• PortFast should only be used on edge ports which do not have other switches
connected, as it bypasses the Rapid PVST+ loop prevention checks
2.6 Compare Cisco Wireless Architectures and
AP modes
• When access points are in the lightweight mode, there are various options for
forwarding wireless endpoint traffic onto the network

o Local Mode: Access points tunnel all wireless endpoint traffic to a WLC that then
forwards it to the wired network. It is typically used for campus sites

(Diagram: endpoints wirelessly connect to the AP; the AP tunnels endpoint traffic to the
WLC with CAPWAP; the WLC forwards endpoint traffic onto the wired network)

Compare Cisco Wireless Architectures and AP
modes
(Continued)
o FlexConnect Local Switching Mode: Access points forward all endpoint wireless traffic
right onto the wire. It is used for remote WAN sites

(Diagram: endpoints wirelessly connect to the AP; the AP forwards endpoint traffic onto
the wired network)

2.7 Describe Physical Infrastructure
Connections of WLAN Components
• APs and WLCs need some type of physical connection to forward wireless traffic onto a
wired network

• WLC Connections

o WLCs typically have a trunk port, which is connected to the core switching
devices

o This is because several VLANs are usually used for different SSIDs (Service Set
Identifiers)

o A WLC trunk port can be a single link, but best practice is to use Link Aggregation
(EtherChannel)
Describe Physical Infrastructure Connections
of WLAN Components
The following are the steps of configuring WLC:

Step 1: Create the given topology in Cisco Packet Tracer, and click on the laptop

Describe Physical Infrastructure Connections
of WLAN Components
Step 2: Click on the Desktop button from the menu bar, and then click Web Browser

Describe Physical Infrastructure Connections
of WLAN Components
Step 3: Give the following IP address of WLC in the URL bar and click on Go button

Describe Physical Infrastructure Connections
of WLAN Components
Step 4: Create username and password, and then click on Start button

Describe Physical Infrastructure Connections
of WLAN Components
Step 5: Give any System Name according to your requirement, and give the WLC IP address
in the Management IP Address box, Subnet Mask and Default Gateway as given in the
figure. After that click on Next button

Describe Physical Infrastructure Connections
of WLAN Components
Step 6: Give any name to Network Name and create any password according to your need,
and click on Next button

Describe Physical Infrastructure Connections
of WLAN Components
Step 7: Click on Next

Describe Physical Infrastructure Connections
of WLAN Components
Step 8: The previously entered information will appear. Now click on the Apply button. After
clicking Apply it takes some time to process, but we have to close the web browser by
clicking on the cross button in the upper right corner

Describe Physical Infrastructure Connections
of WLAN Components
Step 9: Now, open the web browser again, type the IP address of the WLC as given in the
figure and click on the Go button. Note that in the previous slide we used “http://10.10.10.5”
but here we have to use “https://10.10.10.5”

Describe Physical Infrastructure Connections
of WLAN Components
Step 10: Enter the previously created username and password and click on the Login button

Describe Physical Infrastructure Connections
of WLAN Components
Step 11: After logging in, the following window will appear

(Diagram label: LAG Trunk Mode (Tagged))

Describe Physical Infrastructure Connections
of WLAN Components
• AP Connections

o Local Mode APs: As local mode APs tunnel endpoint data to the WLC, access
mode ports should be used in a dedicated AP management network

(Diagram: Local Mode AP connected via an Access Mode (Untagged) port)

Describe Physical Infrastructure Connections
of WLAN Components
(Continued)

o FlexConnect Mode APs: As FlexConnect mode APs forward endpoint data onto the
local wired connection, trunk ports should be used to carry multiple wireless
data VLANs

(Diagram: FlexConnect Mode AP connected via a Trunk Mode (Tagged) port)

Describe Physical Infrastructure Connections
of WLAN Components
Example of Access Points

Describe Physical Infrastructure Connections
of WLAN Components
Configuration of Access Points

Describe Physical Infrastructure Connections
of WLAN Components
(Continued)

2.8 Describe AP and WLC Management
Access Connections
AP Management

• Once lightweight APs are registered, they are managed by the WLC, and you really should
not need direct access to them

WLC Management

• WLCs are primarily managed through HTTPS (Hypertext Transfer Protocol Secure) and SSH
(Secure Shell)

• Local or TACACS+/RADIUS AAA (Authentication, Authorisation and Accounting) is supported

Describe AP and WLC Management Access
Connections
(Continued)

(Diagram: a TACACS+ or RADIUS Server; the Admin manages the WLC with HTTPS/SSH; the
WLC manages the AP with CAPWAP)

Describe AP and WLC Management Access
Connections
Example of TELNET in Cisco Packet Tracer

Describe AP and WLC Management Access
Connections
Configuration of TELNET

Describe AP and WLC Management Access
Connections
Configuration of SSH

Describe AP and WLC Management Access
Connections
Example of SSH in Cisco Packet Tracer

2.9 Configure the Components of a Wireless
LAN Access for Client Connectivity
WLAN Creation

The following are the steps of creating WLAN:

Step 1: Go to WLANs option and click on Go button to create a WLAN

Configure the Components of a Wireless LAN
Access for Client Connectivity
Step 2: Give an appropriate Profile Name and SSID according to your requirement and then
click on Apply button

Outlines of Domain 3
• Module 1: Interpret the components of routing table

• Module 2: Determine how a router makes a forwarding decision by
default

• Module 3: Configure and verify IPv4 and IPv6 static routing

• Module 4: Configure and verify single area OSPFv2

• Module 5: Describe the purpose of first hop redundancy protocol
3.1 Interpret the Components of Routing
Table
3.1.a Routing Protocol Code

• There are various codes displayed in routing tables that identify how routes are added to
the routing table

Interpret the Components of Routing Table
Example of Static Routing Protocol

(Callouts: “S” is showing the network of router 2 in the routing table of router 1; here we
provide the network of router 2 manually)

Interpret the Components of Routing Table
(Continued)

(Callouts: “S” is showing the network of router 1 in the routing table of router 2; here we
provide the network of router 1 manually)

Interpret the Components of Routing Table
Configuration of Gateway of Last Resort

Interpret the Components of Routing Table
(Continued)

Interpret the Components of Routing Table
3.1.b Prefix

• In the routing table, a prefix is simply a network route

• In the below output 10.0.0.0/8 is a prefix

Interpret the Components of Routing Table
3.1.c Network mask

• A network mask (also known as a subnet mask) identifies which part of an IP address is the
network prefix used for routing

• The blue highlighted values identify the network mask for the prefix 10.0.0.0/24

o 10.0.0.0/24 or 255.255.255.0
o Network mask 255.255.255.0 in binary: 11111111.11111111.11111111.00000000
o A 1 in a binary network mask = part of the network portion
o A 0 in a binary network mask = part of the host portion

Interpret the Components of Routing Table
3.1.d Next Hop

• When network devices need to route to a destination, a next hop IP address is required to
forward packets in the right direction

• In the output below this layer 3 switch is sending default routed destinations to the next
hop IP address 10.0.0.2

Interpret the Components of Routing Table
3.1.e Administrative Distance

• Network devices rely on the administrative distance (AD) to know which route types are
better than others

• The lower the Administrative Distance, the better the route is

• The pre-assigned default AD values for each route type are shown in the table below

Route Source                                          Default Distance Values
Connected interface                                   0
Static route                                          1
Enhanced Interior Gateway Routing Protocol (EIGRP)
summary route                                         5
Interpret the Components of Routing Table
(Continued)

Route Source                                          Default Distance Values
External Border Gateway Protocol                      20
Internal EIGRP                                        90
IGRP                                                  100
OSPF                                                  110
Intermediate System-to-Intermediate System (IS-IS)    115
Routing Information Protocol                          120
Exterior Gateway Protocol                             140

Interpret the Components of Routing Table
(Continued)

Route Source                                          Default Distance Values
On Demand Routing (ODR)                               160
External EIGRP                                        170
Internal BGP                                          200
Unknown                                               225

Interpret the Components of Routing Table
(Continued)

• You can see the AD value in the routing table. It is the value on the left inside the brackets
after the prefix

• In the figure below you can see the AD is “1” for the static route

Interpret the Components of Routing Table
3.1.f Metric

• You can use the metric value as a tie-breaker if the administrative distance value is the
same for two learned routes

• The lower the metric, the better the route is considered

• Routing protocols change advertised route metrics dynamically, based on things like
interface bandwidth

Interpret the Components of Routing Table
3.1.g Gateway of Last Resort

• If there is no specific route for a particular destination in the routing table, the gateway
of last resort (default route) is used

3.2 Determine how a Router makes a
Forwarding Decision by Default
Routing Lookup Order

1. Check for the Longest Prefix Match

2. Lowest Administrative Distance (AD)

3. Lowest Routing Metric

Determine how a Router makes a Forwarding
Decision by Default
3.2.a Longest Match

• When a router looks at the routing table to decide a destination's best path, the first
thing to look for is the most specific match

• It means the route with the most network bit matches for the destination

Determine how a Router makes a Forwarding
Decision by Default
3.2.b Administrative Distance

• If a router has more than one route in the routing table with the same network mask bit
match, then the AD is used as a tie-breaker to decide which route is preferred

• In the example, two static routes are added to the router's configuration with the same
network bit length, but the one with the lower AD is installed in the routing table

Determine how a Router makes a Forwarding
Decision by Default

Administrative Distance

Determine how a Router makes a Forwarding
Decision by Default
3.2.c Routing Protocol Metric

• If both the prefix length and the AD are the same, the final tie-breaker is the routing
metric

• In the example, the same route is learned from multiple sources via the routing protocol
OSPF (default AD of 110) with the same prefix length and AD

• In this case, the router relies on the learned OSPF route metric to determine the best path

Determine how a Router makes a Forwarding
Decision by Default

Routing Protocol Metric

3.3 Configure and Verify IPv4 and IPv6 Static
Routing
3.3.a Default Route

• This kind of route is used as a catch all route to send unknown destinations to a particular
device

• You would mostly direct your default route to an internet firewall

Configure and Verify IPv4 and IPv6 Static
Routing
(Continued)

• IPv4 static default route configuration example with next-hop 10.0.255.2

Configure and Verify IPv4 and IPv6 Static
Routing
(Continued)

Configure and Verify IPv4 and IPv6 Static
Routing
3.3.b Network Route

• This kind of route is used to send known network destinations to a specific device

• IPv4 static network route configuration example for network destination 10.0.0.0/24 with
next-hop 10.0.255.2

• IPv6 static network route configuration example for network destination 2001::/64 with
next-hop 2001:255::2

Configure and Verify IPv4 and IPv6 Static
Routing
3.3.c Host Route

• This kind of route is used to send known host destinations to a specific device

• An example of IPv4 floating static configuration

Step 1: Draw the following topology in the Cisco Packet Tracer

Configure and Verify IPv4 and IPv6 Static
Routing
• Command to show configuration of Router 1

Configure and Verify IPv4 and IPv6 Static
Routing
• Command to show configuration of Router 2

Configure and Verify IPv4 and IPv6 Static
Routing
3.3.d Floating Static

• This kind of route is used as a backup route if a primary next-hop device is not available

• After it is configured, it is not installed in the routing table until it is required

• You set the AD to be higher than the primary route and set a different next-hop to make a
route “floating”
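Added example (not from the course deck): a Python model of route installation and the per-packet lookup order of 3.2 (longest prefix match, then lowest administrative distance, then lowest metric), which also shows the gateway of last resort of 3.1.g/3.3.a, the prefix-to-mask conversion of 3.1.c and a floating static route (3.3.d) taking over when the primary disappears. The AD values are the defaults from the 3.1.e table; the prefixes, next hops and metrics are constructed sample values, not a real device's table.

```python
"""Route installation and the per-packet lookup order of 3.2 (longest prefix
match, then lowest administrative distance, then lowest metric), applied to a
constructed routing table. Administrative distances are the defaults listed in
3.1.e; prefixes, next hops and metrics are sample values, not from a device."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default AD per route source, keyed by the routing-table codes of 3.1.a
DEFAULT_AD = {"C": 0, "S": 1, "eBGP": 20, "D": 90, "O": 110, "i": 115,
              "R": 120, "EX": 170, "iBGP": 200}


@dataclass(frozen=True)
class Route:
    prefix: str               # e.g. "10.0.0.0/24"; "0.0.0.0/0" is the default route
    next_hop: str
    source: str               # code in DEFAULT_AD
    metric: int = 0
    ad: Optional[int] = None  # explicit AD, e.g. 250 for a floating static

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix, strict=True)

    @property
    def distance(self) -> int:
        return self.ad if self.ad is not None else DEFAULT_AD[self.source]


def network_mask(prefix: str) -> str:
    """3.1.c: 10.0.0.0/24 -> 255.255.255.0."""
    return str(ipaddress.ip_network(prefix, strict=False).netmask)


def install(candidates: list) -> list:
    """Build the routing table from every route the router knows about.
    For one prefix only the lowest-AD route is installed (3.2.b); among equal
    ADs the lowest metric wins (3.2.c). A floating static with a higher AD is
    held back and appears only when the primary candidate disappears (3.3.d)."""
    table = {}
    for route in candidates:
        current = table.get(route.network)
        if current is None or (route.distance, route.metric) < (current.distance, current.metric):
            table[route.network] = route
    return list(table.values())


def lookup(table: list, destination: str) -> Optional[Route]:
    """Return the route used for destination, or None when nothing matches
    (a gateway of last resort, 0.0.0.0/0, matches every address)."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    # 3.2.a: longest prefix first; AD and metric only break ties among equal lengths
    return min(matches, key=lambda r: (-r.network.prefixlen, r.distance, r.metric))
```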

Configure and Verify IPv4 and IPv6 Static
Routing
• An example of IPv4 floating static configuration

Step 1: Draw the following topology in the Cisco Packet Tracer

Configure and Verify IPv4 and IPv6 Static
Routing
Step 2: IP configuration of UK Router

Primary Route

Administrative Distance

Secondary Route

Configure and Verify IPv4 and IPv6 Static
Routing
Step 3: IP configuration of USA Router

Configure and Verify IPv4 and IPv6 Static
Routing
Step 4: IP configuration of India Router

3.4 Configure and Verify Single Area OSPFv2
OSPFv2 Overview

• OSPF (Open Shortest Path First) is a link-state protocol that can be used to advertise
routes between routers

• Default Administrative Distance – 110

• Link Local Multicast Address - 224.0.0.5 & 224.0.0.6 (DR/BDR)

• Algorithm - Dijkstra SPF (Shortest Path First)

3.4 Configure and Verify Single Area OSPFv2
(Continued)

• Uses process IDs instead of autonomous system numbers

• Uses AREAs which are routing domains within OSPF

• Default timers - Hello=10 and Dead=40

• Metric value - Cost

3.4 Configure and Verify Single Area OSPFv2
3.4.a Neighbor Adjacencies

• For routers to exchange routes with each other, they must first form a neighbor
adjacency

• The following are the requirements of OSPF Neighbor Adjacency:

1. Common Subnet

2. Unique Router-ID

3. Same AREA ID

4. Same HELLO and DEAD Timers

5. Same MTU Value

3.4 Configure and Verify Single Area OSPFv2

Example of OSPFv2 Configuration for Area 0 between two routers:

(Diagram: Router 1 and Router 2)

3.4 Configure and Verify Single Area OSPFv2
(Continued)

• Configuration of Router 2

3.4 Configure and Verify Single Area OSPFv2
(Continued)

3.4 Configure and Verify Single Area OSPFv2
(Continued)

Check to see if any OSPF routes are learned from adjacent neighbors

3.4 Configure and Verify Single Area OSPFv2
• Configuration of Router 1

3.4 Configure and Verify Single Area OSPFv2
(Continued)

3.4 Configure and Verify Single Area OSPFv2
3.4.b Point-to-point

• If OSPF runs over L2 WAN protocols such as HDLC (High-Level Data Link Control) and PPP
(Point-to-Point Protocol) on point-to-point serial links, it uses the point-to-point network
type

• In this mode, DR/BDR (Backup Designated Router) roles are not needed since it is not a
multi-access connection

3.4 Configure and Verify Single Area OSPFv2
Example of OSPFv2 point-to-point interface configuration:

3.4 Configure and Verify Single Area OSPFv2
3.4.c Broadcast (DR/BDR Selection)

• Designated Routers (DR) and Backup Designated Routers (BDR) are used in a multi-access
(Broadcast) OSPF topology to relay routing updates

• DR routers help to scale OSPF topologies so that each router has less information to
process

3.4 Configure and Verify Single Area OSPFv2
(Continued)

• In each multi-access OSPF topology 1 DR and 1 BDR are selected

• OSPF DR/BDR Selection Process:

1. Highest OSPF interface priority (1 by default)

2. Highest router ID if the interface priority is the same

3.4 Configure and Verify Single Area OSPFv2
Configuration of OSPF

3.4 Configure and Verify Single Area OSPFv2
Configuration of Router A

3.4 Configure and Verify Single Area OSPFv2
Configuration of Router B

3.4 Configure and Verify Single Area OSPFv2
Configuration of Router C

3.4 Configure and Verify Single Area OSPFv2
(Continued)

3.4 Configure and Verify Single Area OSPFv2
Configuration of Router 1

3.4 Configure and Verify Single Area OSPFv2
Configuration of Router 2

3.4 Configure and Verify Single Area OSPFv2
Configuration of Router 3

3.4 Configure and Verify Single Area OSPFv2
3.4.d Router ID

• It should be unique for each and every OSPF router

• It can be any decimal value in the following format – X.X.X.X

• The process of election of Router ID:

o Manually configured router-id

o Highest Loopback IP address

o Highest Interface IP address
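Added example (not from the course deck): Python models of the router-ID selection in 3.4.d, the neighbor adjacency requirements of 3.4.a and the DR/BDR election of 3.4.c on one broadcast segment. Router names, addresses and priorities are constructed sample values; the election shown is the one at start-up, since a live OSPF network does not pre-empt an existing DR.

```python
"""OSPF router-ID selection (3.4.d), neighbor adjacency checks (3.4.a) and
DR/BDR election on a broadcast segment (3.4.c). Constructed example, not
vendor code; router names, addresses and priorities are sample values."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Iface:
    ip: str              # address with prefix length, e.g. "10.0.0.1/24"
    area: int = 0
    hello: int = 10      # default timers from the OSPFv2 overview
    dead: int = 40
    mtu: int = 1500
    priority: int = 1    # OSPF interface priority; 0 means never DR/BDR


@dataclass
class OspfRouter:
    name: str
    ifaces: list
    loopbacks: list = field(default_factory=list)
    configured_rid: Optional[str] = None

    def router_id(self) -> str:
        """3.4.d: configured router-id, else highest loopback, else highest
        interface address (compared numerically, not as strings)."""
        if self.configured_rid:
            return self.configured_rid
        pool = self.loopbacks or [i.ip.split("/")[0] for i in self.ifaces]
        if not pool:
            raise ValueError(f"{self.name}: no address available for a router ID")
        return str(max(ipaddress.ip_address(ip) for ip in pool))


def adjacency_problems(a: OspfRouter, ia: Iface, b: OspfRouter, ib: Iface) -> list:
    """3.4.a: return the reasons two directly connected interfaces cannot form
    an adjacency; an empty list means all five requirements are met."""
    problems = []
    if ipaddress.ip_interface(ia.ip).network != ipaddress.ip_interface(ib.ip).network:
        problems.append("different subnet")
    if a.router_id() == b.router_id():
        problems.append("duplicate router ID")
    if ia.area != ib.area:
        problems.append("area mismatch")
    if (ia.hello, ia.dead) != (ib.hello, ib.dead):
        problems.append("hello/dead timer mismatch")
    if ia.mtu != ib.mtu:
        problems.append("MTU mismatch")
    return problems


def elect_dr_bdr(segment: list) -> tuple:
    """3.4.c: from (router, iface) pairs on one multi-access network, elect the
    DR and BDR at start-up: highest priority, then highest router ID. Routers
    with priority 0 are excluded. On a live network the election is not
    pre-emptive, so a router joining later with a higher priority does not
    take over; this function models only the initial election."""
    eligible = [(r, i) for r, i in segment if i.priority > 0]
    ranked = sorted(
        eligible,
        key=lambda ri: (ri[1].priority, ipaddress.ip_address(ri[0].router_id())),
        reverse=True,
    )
    names = [r.name for r, _ in ranked]
    dr = names[0] if names else None
    bdr = names[1] if len(names) > 1 else None
    return dr, bdr
```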
3.5 Describe the Purpose of First Hop
Redundancy Protocol
• FHRP (First Hop Redundancy Protocol) protocols such as HSRP (Hot Standby Routing
Protocol) can be used to provide default gateway redundancy

• With an FHRP, if multiple core devices are on a network and one goes down, another can
take control, so that clients do not lose access to the network

• As the default gateway, routers participating in an FHRP share a virtual IP address (VIP)

theknowledgeacademy
316
Describe the Purpose of First Hop
Redundancy Protocol
(Continued) HSRP

VIP
1
.2 10.0.0.0/24 .3

10.0.0.100 255.255.255.0
default gateway 10.0.0.1
theknowledgeacademy
317
Describe the Purpose of First Hop
Redundancy Protocol
(Continued) HSRP

VIP
1
.2 10.0.0.0/24 .3 Standby

10.0.0.100 255.255.255.0
default gateway 10.0.0.1
theknowledgeacademy
318
Describe the Purpose of First Hop
Redundancy Protocol
(Continued) HSRP

VIP
1
.2 10.0.0.0/24 .3 Active

10.0.0.100 255.255.255.0
default gateway 10.0.0.1
theknowledgeacademy
319
Domain 4

IP Services

Outlines of Domain 4
• Module 1: Configure and verify inside source NAT using static and pools

• Module 2: Configure and verify NTP operating in a client and server mode

• Module 3: Explain the role of DHCP and DNS within the network

• Module 4: Explain the function of SNMP in network operations

• Module 5: Describe the use of syslog features including facilities and levels

• Module 6: Configure and verify DHCP client and relay

• Module 7: Explain the forwarding per-hop behaviour (PHB) for QoS such
as classification, marking, queuing, congestion, policing, shaping

• Module 8: Configure network devices for remote access using SSH

• Module 9: Describe the capabilities and function of TFTP/FTP in the network
4.1 Configure and Verify inside Source NAT
using Static and Pools
• Static NAT (Network Address Translation) is usually used for one-to-one IP mappings for
public-facing services such as web servers

• Configuration example for translating traffic destined to public IP 202.56.215.1 to private
IP 192.168.0.2

Configuration of Router 1

• Dynamic NAT Pool is usually used for one-to-many IP mappings for outbound internet
access

• Configuration example for translating traffic from the private IP network 10.1.0.0/24 to
public IP NAT pool 97.8.22.21 - 97.8.22.31

• Configuration of Router 1

• Configuration of Router 2
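The two NAT cases above (the static one-to-one mapping and the one-to-many pool) as an added Python model that is not the course's router configuration; the addresses are the ones on the slides, the inside hosts are constructed, and the pool-exhaustion and timeout behaviour follows how IOS inside-source NAT is generally understood to work.

```python
"""Added example (not the course's router configuration): a small inside-source
NAT table that applies the two cases from the slides, the static one-to-one
mapping 192.168.0.2 <-> 202.56.215.1 and the dynamic pool 97.8.22.21-97.8.22.31
for 10.1.0.0/24, and shows what happens once the pool is exhausted.
Inside hosts and outside destinations are constructed."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


class InsideSourceNat:
    def __init__(self, inside_net: str, pool_start: str, pool_end: str) -> None:
        self.inside_net = IPv4Network(inside_net)          # the 'ip nat inside source list' match
        first, last = int(IPv4Address(pool_start)), int(IPv4Address(pool_end))
        self.free_pool: List[IPv4Address] = [IPv4Address(n) for n in range(first, last + 1)]
        self.static: Dict[IPv4Address, IPv4Address] = {}   # inside local -> inside global
        self.dynamic: Dict[IPv4Address, IPv4Address] = {}  # inside local -> inside global

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """Equivalent of 'ip nat inside source static <local> <global>'."""
        self.static[IPv4Address(inside_local)] = IPv4Address(inside_global)

    def translate_outbound(self, inside_local: str) -> Optional[str]:
        """Return the inside global address for a packet leaving the inside interface.
        Returns the original address when no NAT rule matches and None when the
        packet must be dropped because the dynamic pool has no free address."""
        local = IPv4Address(inside_local)
        if local in self.static:
            return str(self.static[local])
        if local in self.dynamic:                          # existing translation is reused
            return str(self.dynamic[local])
        if local not in self.inside_net:                   # not matched by the NAT ACL
            return inside_local
        if not self.free_pool:                             # one-to-many pool exhausted
            return None
        self.dynamic[local] = self.free_pool.pop(0)
        return str(self.dynamic[local])

    def translate_inbound(self, inside_global: str) -> Optional[str]:
        """Reverse lookup for packets arriving from outside; None means no entry."""
        target = IPv4Address(inside_global)
        for table in (self.static, self.dynamic):
            for local, glob in table.items():
                if glob == target:
                    return str(local)
        return None

    def release(self, inside_local: str) -> None:
        """Expire a dynamic entry (IOS does this on timeout) and return the pool address."""
        glob = self.dynamic.pop(IPv4Address(inside_local), None)
        if glob is not None:
            self.free_pool.append(glob)


if __name__ == "__main__":
    nat = InsideSourceNat("10.1.0.0/24", "97.8.22.21", "97.8.22.31")
    nat.add_static("192.168.0.2", "202.56.215.1")
    print("web server inbound 202.56.215.1 ->", nat.translate_inbound("202.56.215.1"))
    for host in range(10, 22):                             # 12 hosts, but only 11 pool addresses
        print(f"10.1.0.{host} ->", nat.translate_outbound(f"10.1.0.{host}"))
```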
4.2 Configure and Verify NTP Operating in a
Client and Server Mode
• NTP Client Mode: Network devices can maintain accurate time by using the Network
Time Protocol (NTP)

• NTP Server Mode: A network device can work as an NTP server without any extra
configuration as long as its time is synced to another NTP server

• NTP Master: A network device can act as an NTP server using its local time information if it
is configured as an NTP master. An NTP master can sync to its local clock and still provide
time to NTP clients

• Example of NTP master configuration:

Configuration of Router 1

Configuration of Router 2
4.3 Explain the Role of DHCP and DNS within
the Network
• Dynamic Host Configuration Protocol (DHCP) is used to assign IP addresses to network clients
dynamically

• The following are the components of DHCP:

o DHCP Client: An endpoint asking for an IP address

o DHCP Server: A host running a DHCP server application with IP address pools for
client assignments

• DHCP Operation

Figure: DHCP exchange between a DHCP client and a DHCP server

DHCP IP address pool on the server:
• IP Address - 10.0.10.21-10.0.10.254
• Subnet Mask - 255.255.255.0
• Default Gateway - 10.0.10.1
• DNS Server - 8.8.8.8

Message sequence between client and server: Discovery, Offer, Request, Acknowledgement

DHCP assigned IP address information received by the client:
• IP Address - 10.0.00.2
• Subnet Mask - 255.255.255.0
• Default Gateway - 10.0.10.1
• DNS Server - 8.8.8.8
Explain the Role of DHCP and DNS within the
Network
• Domain Name System (DNS) is used to resolve hostnames to IP addresses

• The following are the components of DNS:

o DNS Server: A host running a DNS server application that manages a database of
host name to IP address mappings

• DNS Operation

1. Client attempts to go to website www.google.com

2. Client needs the IP address of the website to connect

3. Client asks a DNS server which IP address is mapped to www.google.com

4. DNS server checks locally or asks other servers for the mapping

5. DNS server responds with the IP address of www.google.com

6. Client connects to the website using the IP address it learned from DNS

Figure: the client asks the DNS server "What is the IP address of www.google.com?", the DNS
server answers with the mapping (shown on the slide as www.ipversity.com = 172.217.3.110),
and the client then connects to the web server www.google.com

Example of DHCP configuration on Router

Configuration on Router

DHCP Server Configuration

DNS Server Configuration

• For DNS configuration, go to the Server > Services option, then click on the DNS option
4.4 Explain the Function of SNMP in Network
Operations
• Simple Network Management Protocol (SNMP) reads and writes information which is
available on network devices

Figure: Cisco Prime performing an SNMP Write ("ntp server pool.ntp.org") and an SNMP Read
of the device's running-config (hostname r1, interface f0/0, interface f0/1)

• The following are the components of SNMP:

o SNMP Collector: Server running an SNMP collector application with a database to store
information. Examples of SNMP collectors are Cisco Prime and SolarWinds

o Community Strings: Passwords for SNMP communication

o MIB (Management Information Base): Collection of information on network devices.
Examples of MIB contents are interfaces, routing tables, and hardware resources

o Traps: Sent by network devices to SNMP collectors when certain events take place, such as
high CPU or interface alarms
4.5 Describe the Use of Syslog features
including Facilities and Levels
• Syslog is a logging service used to view network device events for troubleshooting and
monitoring

Figure: network devices sending events (access-list block, url-filtering, malware block,
IDS/IPS logs, configuration change, debug message, hardware failure, error message) to a
Syslog Server, which stores them in a database

The following are the components of Syslog:

o Syslog Server: A server running a Syslog application with a database to store log
information. Examples of syslog servers are Cisco Prime, SolarWinds & Splunk

o Facilities: Categories for different Syslog messages
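Facilities and levels decoded from the syslog priority field, as an added Python example that is not part of the course material; the facility and severity numbering is the standard syslog scheme (PRI = facility × 8 + severity), the sample lines are constructed in the style of a Cisco device, and the severity names follow IOS logging levels.

```python
"""Added example (not from the slides): decoding the facility and severity level
of syslog messages and filtering them the way 'logging trap <level>' would.
The facility/severity numbering follows the syslog standard (PRI = facility * 8
+ severity); the sample lines are constructed in the style of a Cisco device,
which by default sends with facility local7."""
import re
from typing import Dict, List

SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              **{16 + i: f"local{i}" for i in range(8)}}

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
# Cisco message form: %FACILITY-SEVERITY-MNEMONIC: text
MNEMONIC_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+)")

SAMPLE_LOGS = [  # constructed sample lines
    "<187>45: Jan 10 09:15:02.113: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<189>46: Jan 10 09:15:40.006: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<188>47: Jan 10 09:16:11.420: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.77]",
    "<191>48: Jan 10 09:16:12.000: %CONSTRUCTED-7-DEBUG: debugging output from a constructed subsystem",
]


def parse_line(line: str) -> Dict[str, object]:
    """Split the <PRI> prefix into facility and severity and pull out the mnemonic."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> prefix: {line[:40]!r}")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range (max facility 23, severity 7)")
    facility, severity = divmod(pri, 8)
    record: Dict[str, object] = {
        "pri": pri,
        "facility": facility,
        "facility_name": FACILITIES.get(facility, f"facility{facility}"),
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "message": m.group("rest").strip(),
    }
    mm = MNEMONIC_RE.search(line)
    if mm:
        record["mnemonic"] = mm.group(0)
        # the level inside %FAC-SEV-MNEM should agree with the PRI; a mismatch is worth flagging
        record["severity_consistent"] = int(mm.group("sev")) == severity
    return record


def trap_filter(lines: List[str], level: int) -> List[Dict[str, object]]:
    """Keep messages at or above the given importance, i.e. severity number <= level,
    which is what 'logging trap warnings' (level 4) forwards to the syslog server."""
    return [rec for rec in map(parse_line, lines) if rec["severity"] <= level]


if __name__ == "__main__":
    for rec in trap_filter(SAMPLE_LOGS, SEVERITIES.index("warnings")):
        print(f"{rec['facility_name']}.{rec['severity_name']:<14} {rec.get('mnemonic')}")
```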
4.6 Configure and Verify DHCP Client and
Relay
• DHCP Relay (AKA DHCP Helper) is a method used by a Layer 3 device to forward DHCP
messages to DHCP servers on behalf of the DHCP client

• An example of DHCP Relay configuration:

• Configuration of Router 1

• Configuration of Router 2

• Configuration of Router 3
4.7 Explain the Forwarding Per-Hop
Behaviour (PHB)
• Quality of Service (QoS) is used to apply controls to network traffic like preferential
forwarding treatment, bandwidth consumption, and rate-limiting

• Classification is a method used to identify traffic types so that the network devices can
apply proper QoS

o NBAR (Network Based Application Recognition)

o ACL (Access-Control List)

• Marking is a method used to set QoS values that can be used to apply proper QoS

The following are the types of markings:

• DSCP (Layer 3, carried in the IP packet)
o Decimal values 0-63
o CS 0-7
o Assured Forwarding: AF11 AF12 AF13, AF21 AF22 AF23, AF31 AF32 AF33, AF41 AF42 AF43
o EF (Voice) receives the best treatment; Default receives the worst

• COS (Layer 2, carried in the DOT1Q tag)
o COS0 COS1 COS2 COS3 COS4 COS5 COS6, ranked from worst to best
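The marking values above worked through as an added Python example (not part of the course material): it converts the CS, AF, EF and default names on the slides to the 6-bit DSCP values they occupy and builds the 3-bit CoS field of an 802.1Q tag; the arithmetic (AFxy = 8x + 2y, CSx = 8x, EF = 46) is the standard DiffServ encoding, not something the slides spell out.

```python
"""Added example (not from the slides): converting between the marking names on the
slides (CS0-7, AF11-AF43, EF, default) and the 6-bit DSCP values they occupy in the
IP header, plus the 3-bit CoS field of an 802.1Q tag. The arithmetic (AFxy = 8x + 2y,
CSx = 8x, EF = 46) is the standard DiffServ encoding."""
from typing import Dict


def dscp_value(marking: str) -> int:
    """Map a marking name (or a bare decimal string) to its DSCP value 0-63."""
    m = marking.strip().upper()
    if m in ("DEFAULT", "BE", "CS0"):
        return 0
    if m == "EF":
        return 46                                    # Expedited Forwarding (voice)
    if m.startswith("CS") and len(m) == 3 and m[2] in "1234567":
        return int(m[2]) * 8                         # class selector = IP precedence << 3
    if m.startswith("AF") and len(m) == 4 and m[2:].isdigit():
        cls, drop = int(m[2]), int(m[3])
        if 1 <= cls <= 4 and 1 <= drop <= 3:         # AFxy: class x, drop precedence y
            return cls * 8 + drop * 2
    if m.isdigit() and 0 <= int(m) <= 63:
        return int(m)
    raise ValueError(f"unknown DSCP marking {marking!r}")


def dscp_name(value: int) -> str:
    """Inverse of dscp_value for the well-known code points; others come back as decimals."""
    if not 0 <= value <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if value == 0:
        return "default"
    if value == 46:
        return "EF"
    cls, rem = divmod(value, 8)
    if rem == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return f"AF{cls}{rem // 2}"
    return str(value)


def tos_byte(dscp: int) -> int:
    """DSCP sits in the upper six bits of the ToS/Traffic Class byte; ECN bits are left 0."""
    return dscp << 2


def dot1q_tci(cos: int, vlan_id: int, dei: int = 0) -> int:
    """Build the 16-bit Tag Control Information: 3-bit CoS (PCP), DEI bit, 12-bit VLAN ID."""
    if not (0 <= cos <= 7 and 0 <= vlan_id <= 4095 and dei in (0, 1)):
        raise ValueError("CoS is 3 bits, VLAN ID is 12 bits, DEI is 1 bit")
    return (cos << 13) | (dei << 12) | vlan_id


def cos_from_tci(tci: int) -> int:
    """Read the CoS (PCP) bits back out of a Tag Control Information word."""
    return (tci >> 13) & 0x7


def assured_forwarding_table() -> Dict[str, int]:
    """The AF11..AF43 grid from the slide with each cell's DSCP value."""
    return {f"AF{c}{d}": dscp_value(f"AF{c}{d}") for c in range(1, 5) for d in range(1, 4)}


if __name__ == "__main__":
    for name, value in assured_forwarding_table().items():
        print(f"{name} = DSCP {value:2d} (ToS byte 0x{tos_byte(value):02x})")
    print("EF =", dscp_value("EF"), "CS5 =", dscp_value("CS5"))
    print("802.1Q TCI for CoS 5 on VLAN 100: 0x%04x" % dot1q_tci(5, 100))
```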
Explain the Forwarding Per-Hop Behaviour
(PHB)
• Queuing is a method used to prioritise when different traffic types are forwarded out of
an interface

o When traffic needs to be forwarded out of a router or switch port, it is added to a traffic
queue

o Such queues can be thought of as a way to buffer packets until they are transmitted
out of an interface

Figure: an interface served by Queue 1, Queue 2 and Queue 3

• Congestion: It occurs when a network device interface runs out of queue depth (buffer)
because of high bandwidth utilisation

o If an interface is overloaded with congestion, network devices will tail drop traffic

o QoS policies can be used to prioritise which traffic is dropped first to improve
performance for critical applications like voice and video

• Policing: It is a method used to limit how much bandwidth can be used on an interface by
dropping traffic which exceeds the QoS policy

o Usually used to prevent low-priority traffic from using all the bandwidth

Figure: police guest internet speeds to 20Mbps – a 100Mbps link is policed down to 20Mbps
towards the Internet

• Shaping: It is a technique used to limit how much bandwidth can be used on an interface
by buffering traffic that exceeds the QoS policy

o Usually used to smooth traffic speeds to match provider circuit speeds so that traffic such as
voice is buffered rather than dropped

Figure: shape voice speeds to 20Mbps – a 100Mbps link is shaped down to 20Mbps towards
the MPLS circuit
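The policing and shaping behaviours above, simulated millisecond by millisecond as an added Python example that is not part of the course material; the 20Mbps rate and the 100Mbps input come from the slides, while the token-bucket mechanics, the burst size and the queue limit are assumptions made for the demonstration.

```python
"""Added example (not from the slides): a millisecond-by-millisecond simulation of the
two 20Mbps examples on the slides, a policer that drops traffic exceeding the rate and
a shaper that buffers it instead. A 100Mbps burst is the constructed input; both use a
single token bucket refilled at the committed rate."""
from typing import Dict, List


def _refill(tokens: float, cir_bits_per_ms: float, burst_bits: float) -> float:
    """Add one millisecond's worth of tokens, capped at the bucket (burst) size."""
    return min(burst_bits, tokens + cir_bits_per_ms)


def police(arrivals_bits_per_ms: List[float], cir_mbps: float, burst_bits: float) -> Dict[str, float]:
    """Policer: each ms, send what the bucket allows and drop the rest immediately."""
    cir = cir_mbps * 1000.0                       # Mbit/s -> bits per millisecond
    tokens, sent, dropped = burst_bits, 0.0, 0.0
    for bits in arrivals_bits_per_ms:
        tokens = _refill(tokens, cir, burst_bits)
        conform = min(bits, tokens)
        tokens -= conform
        sent += conform
        dropped += bits - conform                 # exceed traffic is discarded
    return {"sent": sent, "dropped": dropped}


def shape(arrivals_bits_per_ms: List[float], cir_mbps: float, burst_bits: float,
          queue_limit_bits: float) -> Dict[str, float]:
    """Shaper: excess traffic waits in a queue and is released at the committed rate;
    only when the queue itself overflows is traffic dropped (tail drop)."""
    cir = cir_mbps * 1000.0
    tokens, queue, sent, dropped, peak_queue = burst_bits, 0.0, 0.0, 0.0, 0.0
    last_busy_ms = -1
    for ms, bits in enumerate(arrivals_bits_per_ms):
        tokens = _refill(tokens, cir, burst_bits)
        queue += bits
        release = min(queue, tokens)
        queue -= release
        tokens -= release
        sent += release
        if queue > queue_limit_bits:              # buffer full: tail drop the overflow
            dropped += queue - queue_limit_bits
            queue = queue_limit_bits
        peak_queue = max(peak_queue, queue)
        if release > 0:
            last_busy_ms = ms
    return {"sent": sent, "dropped": dropped, "peak_queue": peak_queue,
            "last_transmit_ms": last_busy_ms, "left_in_queue": queue}


def burst_then_idle(rate_mbps: float, burst_ms: int, idle_ms: int) -> List[float]:
    """Constructed arrival pattern: rate_mbps for burst_ms, then silence for idle_ms."""
    return [rate_mbps * 1000.0] * burst_ms + [0.0] * idle_ms


if __name__ == "__main__":
    traffic = burst_then_idle(100, 10, 40)        # 10 ms at 100Mbps, then 40 ms idle
    print("police 20Mbps:", police(traffic, 20, 20_000))
    print("shape  20Mbps:", shape(traffic, 20, 20_000, 2_000_000))
    print("shape, small buffer:", shape(traffic, 20, 20_000, 500_000))
```

With a large buffer the shaper delivers the whole burst, only later; with a small buffer it too ends up tail-dropping once the queue fills.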
4.8 Configure Network Devices for Remote
Access using SSH
• Unlike Telnet, SSH is a secure way to connect to and manage network devices remotely

• Example of configuration

Example of SSH in Cisco Packet Tracer

4.9 Describe the Capabilities and Function of
TFTP/FTP in the Network
• TFTP (Trivial File Transfer Protocol) & FTP (File Transfer Protocol) are both protocols which
can be used to transfer data over a network using a client/server model

• Software upgrades and configuration backups are common uses of TFTP/FTP in
networking

Figure: an FTP transfer between an FTP Server and an FTP Client

• TFTP – UDP port 69
o No authentication
o Unreliable
o Only supports small file transfers

• FTP – TCP ports 20 & 21
o Authentication supported
o Reliable
o Supports large file transfers
Domain 5

Security Fundamentals

Outlines of Domain 5
• Module 1: Define key security concepts

• Module 2: Describe security program elements

• Module 3: Configure device access control using local passwords

• Module 4: Describe security password policies elements, such as
management, complexity, and password alternatives

• Module 5: Describe remote access and site-to-site VPNs

• Module 6: Configure and verify access control lists

• Module 7: Configure Layer 2 security features

• Module 8: Differentiate authentication, authorisation, and accounting concepts

• Module 9: Describe wireless security protocols

• Module 10: Configure WLAN using WPA2 PSK using the GUI
5.1 Key Security Concepts
Threats

• We define a threat as something which has a negative effect or is an undesired event

• A threat is a new or newly discovered event that has the ability to harm a particular
system or even the whole organisation

• A threat is demonstrated as an intention to harm an asset or to make it unavailable

Key Security Concepts
Vulnerability

• A vulnerability can be a flaw in a system, or in some software in a system, which can
provide a way for an attacker to bypass the security infrastructure of the host OS or of
the software itself

• It is not an open door but a weakness which, if attacked, could provide a way in

• Exploiting is the action of trying to turn a vulnerability (a weakness) into an actual way
to breach a system

Key Security Concepts
Exploit

• It refers to an unintended use of an application's interface, which may be documented
as well as undocumented

• Exploits are not easy to spot as they can take place behind firewalls

• If they are not detected they can even cause irretrievable damage

• It is another name for a vulnerability, which is a flaw in software code

Key Security Concepts
Mitigation Techniques

• A mitigation technique is a method to counteract or prevent malicious activity or
threats

Some examples of mitigation techniques are:

o Antimalware

o Firewall

o Software Patches
5.2 Security Program Elements
User Awareness

• Awareness of the requirement for data confidentiality, in order to protect corporate information
and also users' own credentials and personal information, should be spread among all users

• Users should also be made aware of potential threats, schemes to mislead them and the appropriate
procedures to report security incidents

• They should also be instructed to follow strict guidelines related to data loss

• As an example, users should not include sensitive information in emails or attachments, should
not keep or transmit such information from a smartphone, and should not store it on cloud services or
removable storage drives

Security Program Elements
User Training

• All users should take part in periodic formal training so that they become aware of all
corporate security policies

• The organisation should develop as well as publish formal security policies for its users,
employees and business partners to follow

Security Program Elements
Physical Access Control

• Infrastructure locations such as data centres and network closets should be locked
securely

• A scalable solution for sensitive locations is badge access, which offers an audit trail of
identities and timestamps when access is granted

• Access can be controlled by administrators on a granular basis, and when an employee
is dismissed, access is quickly removed

5.3 Configure Device Access Control using
Local Passwords
Example configuration of a local user account
5.4 Security Password Policies Elements
To secure network resources, user passwords should follow best-practice standards:

Complexity

• Use special characters such as #$!@%&*

• Length should be a minimum of 6 characters

• Change passwords regularly

Management

• To store passwords securely, password managers can be used

Security Password Policies Elements
Password Alternatives

• A single factor that a user must enter to be authenticated is a simple password string

• As a password should not be written anywhere but remembered, it can be thought of
as “something you know” that nobody else knows; otherwise they could use it to
imitate you while authenticating

• Enterprises should consider using alternative techniques to bring more complexity as
well as security

Security Password Policies Elements
i. Multifactor Authentication

• Multifactor credentials require that users provide values/factors coming from different
sources, thereby reducing the chance that an attacker might possess all of the factors

• Two-factor credentials are described as “something you have”, i.e. a text message with
a time-limited code or a dynamically changing cryptographic key, and “something you
know”, i.e. a password

Security Password Policies Elements
ii. Digital Certificate

• A digital certificate is a trusted form of identification, follows a standardised format and
contains encrypted information

• If an organisation supports the use of digital certificates, then a user must request and be
granted a unique certificate to use for a particular purpose

• Digital certificates are time sensitive, i.e. each one is approved for a specific time range

• After the certificate expires, any attempt to authenticate with it will be rejected,
and the user who holds the certificate can request a new one prior to the expiration date
or at any time afterward

Security Password Policies Elements
iii. Biometrics

• Biometric credentials provide a factor that represents “something you are”

• Generally, physical attributes are unique to the body structure of an individual and cannot
be easily duplicated or stolen

• As an example, the fingerprints of a user can be scanned and used as an authentication
factor

• Other examples can be voice recognition, face recognition, iris recognition etc.
5.5 Remote Access and Site-to-Site VPNs
• VPN (Virtual Private Network) allows users to send and receive data across shared or
public networks as if their computing devices were connected to the network directly

Figure: two trusted networks exchanging encrypted data through a VPN tunnel across an
untrusted network

• Site-to-Site VPN – A tunnel between multiple VPN gateways such as firewalls and
routers

Figure: LAN – Gateway – VPN Tunnel – Gateway – LAN

• Remote VPN – A tunnel between a mobile user device (laptop, phone, etc.) and a remote
VPN gateway such as a firewall

Figure: mobile user device – VPN Tunnel – Gateway – LAN
5.6 Configure and Verify Access Control Lists
• Access Control Lists (ACLs): It is a method to apply security filtering on network devices

• It can be implemented in the inbound or outbound direction on switch/router
interfaces

• There are two types of ACLs:

1. Standard: Standard ACLs match source IP information only

2. Extended: Extended ACLs can match source/destination IP and port information plus
much more

• There are two ways to configure ACLs:

1. Numbered: Standard numbered ACLs can be configured in the range 1–99 and 1300–
1999

2. Named: Extended numbered ACLs can be configured in the range 100–199 and 2000–
2699
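Standard versus extended matching, the numbered ranges above and the implicit deny at the end of every ACL, as an added Python evaluator that is not the course's router configuration; the wildcard-mask rule and the implicit deny are standard Cisco ACL behaviour, and the entries and packets are constructed (the web server 192.168.0.2 and the 10.1.0.0/24 LAN reuse addresses from the NAT slides).

```python
"""Added example (not from the slides): evaluating packets against a standard ACL
(source only) and an extended ACL (protocol, source, destination, port), using
wildcard masks and the implicit 'deny any' at the end of every Cisco ACL. The
numbered ranges come from the slides; the sample entries and packets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


def acl_type_for_number(number: int) -> Optional[str]:
    """Ranges quoted on the slides: standard 1-99 / 1300-1999, extended 100-199 / 2000-2699."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    return None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'ignore'; only the 0 bits must match the base."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & (~w & 0xFFFFFFFF)) == 0


@dataclass
class Ace:
    action: str                          # "permit" or "deny"
    src: str = "0.0.0.0"                 # 'any' is 0.0.0.0 255.255.255.255
    src_wc: str = "255.255.255.255"
    protocol: str = "ip"                 # extended only: ip, tcp, udp, icmp
    dst: str = "0.0.0.0"                 # extended only
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None       # extended only: 'eq <port>'


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None


class Acl:
    def __init__(self, name: str, kind: str, entries: List[Ace]) -> None:
        if kind not in ("standard", "extended"):
            raise ValueError("kind must be 'standard' or 'extended'")
        self.name, self.kind, self.entries = name, kind, entries

    def _matches(self, ace: Ace, pkt: Packet) -> bool:
        if not wildcard_match(pkt.src, ace.src, ace.src_wc):
            return False
        if self.kind == "standard":      # standard ACLs look at the source only
            return True
        if ace.protocol != "ip" and ace.protocol != pkt.protocol:
            return False
        if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
            return False
        return ace.dst_port is None or ace.dst_port == pkt.dst_port

    def evaluate(self, pkt: Packet) -> str:
        """First matching entry wins; no match falls to the implicit deny."""
        for ace in self.entries:
            if self._matches(ace, pkt):
                return ace.action
        return "deny"


if __name__ == "__main__":
    # constructed: allow only the 10.1.0.0/24 LAN to reach the web server on TCP 80
    web_only = Acl("WEB-ONLY", "extended", [
        Ace("permit", "10.1.0.0", "0.0.0.255", "tcp", "192.168.0.2", "0.0.0.0", 80),
    ])
    for pkt in (Packet("10.1.0.5", "192.168.0.2", "tcp", 80),
                Packet("10.1.0.5", "192.168.0.2", "tcp", 22),
                Packet("10.2.0.5", "192.168.0.2", "tcp", 80)):
        print(pkt, "->", web_only.evaluate(pkt))
```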
5.6 Configure and Verify Access Control Lists
• Example of Extended named ACL configuration:

Configuration of Ports on Router 1

Configuration of Ports on Router 2

Configuration of Router 2 to block the whole network
5.7 Configure Layer 2 Security Features
DHCP Snooping

• A switch feature that will only allow DHCP server response packets on interfaces that
are defined as “trusted”

• By default, interfaces are untrusted

• Example of DHCP snooping configuration:

• Configuration of trusted Router

• Configuration of Switch

• Configuration of untrusted Router
5.7 Configure Layer 2 Security Features
Dynamic ARP Inspection

• A switch feature that will only permit ARP replies that match bindings learned from DHCP
responses, or that arrive on “trusted” interfaces. By default, interfaces are untrusted.

Port Security

• Switch feature that can (1) limit how many MAC addresses are learned on a single
interface and (2) limit which MAC addresses are learned
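The three features above (DHCP snooping, Dynamic ARP Inspection and port security) modelled as an added Python example that is not the course's switch configuration; port names, MAC addresses and IP addresses are constructed, and the shutdown/restrict violation handling follows standard IOS port security rather than anything on the slides.

```python
"""Added example (not from the slides): a small model of the three switch features on
the slides, DHCP snooping (server replies only on trusted ports), Dynamic ARP
Inspection (ARP replies checked against the snooping bindings) and port security
(limit how many and which MACs a port learns). Port names, MACs and addresses are
constructed; the violation handling mirrors the IOS 'sh***utdown' and 'restrict' modes."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Port:
    name: str
    trusted: bool = False                 # 'ip dhcp snooping trust' / 'ip arp inspection trust'
    max_macs: int = 1                     # 'switchport port-security maximum'
    allowed_macs: Set[str] = field(default_factory=set)   # static 'mac-address' entries
    violation: str = "shutdown"           # shutdown (err-disable) or restrict (drop + count)
    learned: List[str] = field(default_factory=list)
    err_disabled: bool = False
    violations: int = 0


class Layer2Switch:
    def __init__(self) -> None:
        self.ports: Dict[str, Port] = {}
        self.bindings: Dict[str, str] = {}   # DHCP snooping binding table: MAC -> IP

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def dhcp(self, port_name: str, message: str, client_mac: str = "", client_ip: str = "") -> str:
        """DHCP snooping: Offer/Ack from a server are only accepted on trusted ports."""
        port = self.ports[port_name]
        if message in ("offer", "ack") and not port.trusted:
            return "dropped: DHCP server reply on untrusted port"
        if message == "ack":                                 # a lease: record the binding
            self.bindings[client_mac.lower()] = client_ip
            return "forwarded, binding added"
        return "forwarded"

    def arp_reply(self, port_name: str, sender_mac: str, sender_ip: str) -> str:
        """Dynamic ARP Inspection: untrusted ports must match the snooping bindings."""
        port = self.ports[port_name]
        if port.trusted:
            return "forwarded (trusted)"
        if self.bindings.get(sender_mac.lower()) == sender_ip:
            return "forwarded (binding ok)"
        return "dropped: DAI binding mismatch"

    def learn_mac(self, port_name: str, mac: str) -> str:
        """Port security: enforce the per-port MAC limit and the allowed-MAC list."""
        port = self.ports[port_name]
        mac = mac.lower()
        if port.err_disabled:
            return "dropped: port err-disabled"
        if mac in port.learned:
            return "ok"
        over_limit = len(port.learned) >= port.max_macs
        not_allowed = bool(port.allowed_macs) and mac not in port.allowed_macs
        if over_limit or not_allowed:
            port.violations += 1
            if port.violation == "shutdown":
                port.err_disabled = True
                return "violation: port shut down (err-disabled)"
            return "violation: frame dropped"
        port.learned.append(mac)
        return "learned"


if __name__ == "__main__":
    sw = Layer2Switch()
    sw.add_port(Port("Gi0/1", trusted=True, max_macs=8))              # uplink towards DHCP server
    sw.add_port(Port("Fa0/2"))                                        # an access port, defaults
    sw.add_port(Port("Fa0/3", allowed_macs={"00:11:22:33:44:55"}, violation="restrict"))
    print(sw.dhcp("Fa0/2", "offer"))
    print(sw.dhcp("Gi0/1", "ack", "aa:bb:cc:dd:ee:01", "10.0.10.21"))
    print(sw.arp_reply("Fa0/2", "aa:bb:cc:dd:ee:01", "10.0.10.21"))
    print(sw.arp_reply("Fa0/2", "aa:bb:cc:dd:ee:01", "10.0.10.1"))   # claims the gateway's IP
    print(sw.learn_mac("Fa0/2", "aa:bb:cc:dd:ee:01"), sw.learn_mac("Fa0/2", "aa:bb:cc:dd:ee:02"))
```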
5.7 Configure Layer 2 Security Features
Example of Port Security

Figure: Switch 1 topology

Configuration of Switch 1
5.8 Differentiate Authentication,
Authorisation, and Accounting Concepts
• User activity can be managed with AAA (authentication, authorisation, and accounting)
mechanisms

• Before authorising or allowing access to any user, AAA uses standardised methods to
challenge them for their credentials

• AAA is generally used to control and monitor access to various network devices such as
switches, routers, firewalls etc.

1. Authentication

• Credentials for users that request network access are validated (Who is the user?)

Figure: the user sends Username: Jack, Password: ***** to Switch 1; Switch 1 checks the User
Accounts database, which confirms that Jack is a valid user and has been authenticated

2. Authorisation

• Access restrictions for authenticated users (What is the user allowed to do?)

Figure: Jack requests SSH terminal access to Switch 1; the User Accounts database answers
that Jack is authorised for privilege level 15

3. Accounting

• Event history containing activity for authenticated/authorised users (What did the user
do?)

Figure: Jack logs off Switch 1 and the event is recorded by accounting against the User
Accounts
5.9 Wireless Security Protocols
• WPA (Wi-Fi Protected Access) methods are used to secure wireless networking

The following are the three different types of WPA security protocols:

WPA

i. Makes use of the Temporal Key Integrity Protocol (TKIP)

ii. A significant enhancement of WEP (Wired Equivalent Privacy)

WPA2

• Makes use of the Advanced Encryption Standard (AES)

• More secure as compared to WPA but still has several vulnerabilities

WPA3

• Next generation of Wi-Fi security

• More secure

• Supports an easy way to onboard devices securely with QR code scanning
5.10 Configure WLAN using WPA2 PSK using
the GUI
• WPA2 PSK SSIDs, also called WPA2 Personal, are an easy way to secure a wireless
network

• Example of WPA2 PSK configuration:

1. We have already created two WLANs as shown in the figure. To create a
new WLAN, click on the Go button

2. In this example, we are creating a WLAN named “Campus”. Give the profile name and
SSID and then click on the Apply button

3. Click on the Enabled check box of Status

4. Select WPA+WPA2 security in Layer 2 Security, enable WPA2 and WPA2
Encryption and PSK, and give the password according to your requirement

5. Go to AP Groups

6. After giving the AP Group Name and Description, click on the Add button. Then click on
the WLANs option to check the WLAN creation

7. Now assign an access point to a created WLAN and click on Student

8. After clicking on the Student WLAN, the following figure will appear

9. Here we have assigned an access point to the Student WLAN

10. Go to the topology and click on SMARTPHONE0, then go to config > wireless0. Give the access
point name “Student” in the SSID tab, enable the WPA2-PSK PSK Pass Phrase,
and give the password. After that, enable DHCP

11. Go to the topology and click on SMARTPHONE1, then go to config > wireless0. Give the access
point name “Professor” in the SSID tab, enable the WPA2-PSK PSK Pass Phrase,
and give the password. After that, enable DHCP. Now you can see in the topology that both
smartphones are connected to different WLANs
Domain 6

Automation and Programmability

Outlines of Domain 6
• Module 1: Explain how automation impacts network management

• Module 2: Compare traditional networks with controller-based networking

• Module 3: Describe controller-based and software defined architectures

• Module 4: Compare traditional campus device management with
Cisco DNA Center enabled device management

• Module 5: Describe characteristics of REST-based APIs

• Module 6: Recognise the capabilities of configuration management
mechanisms Puppet, Chef, and Ansible

• Module 7: Interpret JSON encoded data

6.1 How Automation Impacts Network
Management
• Networks are growing constantly and becoming more complex in order to keep pace
with the business needs

• Because of this, networks are harder to manage and there is more room for human
error

• Those problems can be fixed with automation as it introduces efficiency and
consistency

• Tasks that would take hours if done manually can be completed in seconds with
programming
6.2 Compare Traditional Networks with
Controller-based Networking
• Controller based networks provide a single pane of glass for network administrators

• Instead of individually managing network devices, they can simply log in to the
controller for provisioning and troubleshooting

Figure: Traditional Network (the IT Admin manages each device) versus Controller Based
Network (the IT Admin manages the devices through the Controller, DNAC)

6.3 Controller-based and Software Defined
Architectures
• All Cisco software defined solutions share the same three concepts: underlay, overlay,
and fabric

Underlay

• A network transport that provides the IP connectivity required for overlay networking

Examples are:

i. MPLS

ii. Internet

Overlay

• These are advanced protocols that run on top of an underlay

Examples are:

i. GRE

ii. IPSec

iii. CAPWAP

Figure: a VPN Tunnel (Overlay) from Home running over the Internet (Underlay)

Fabric

• Software-defined networks are sometimes referred to as fabrics

Examples are:

i. SDA

ii. ACI
6.3 a Separation of Control Plane and Data
Plane
• One of the major differentiators between legacy networking and SDN is the separation of the
control plane and data plane

• It means offloading the processing of information, such as routing computations, from the
network device

• The notion behind it is that if control plane processing can be centralised, then network
devices can use more resources for data plane forwarding

Figure: on a network device the CPU handles the Control Plane (EIGRP, ARP) while the CAM
handles the Data Plane (PACKETS)

6.3 b North-bound and South-bound APIs
Application Programming Interface (API)

• It is a method that is used to exchange information between two software programs, i.e.
machine to machine

Figure: one program sends a Data Request via API and receives Information via API

• North-bound APIs – Used between SDN controllers and applications

• South-bound APIs – Used between SDN controllers and network devices

Figure: APPs sit above the SDN Controller and talk to it over the Northbound API; the SDN
Controller talks to the Network Devices below it over the Southbound API

6.4 Traditional Device Management Vs. Cisco
DNA Center Enabled Device Management
Traditional Device Management

• In traditional campus device management, each device is managed independently

Figure: Traditional Network Management – the IT Admin connects to each device

DNAC Device Management

• Devices are centrally monitored and managed from a single pane of glass (DNAC)

Figure: DNAC Management – the IT Admin manages all devices through the Controller (DNAC)
6.5 Characteristics of REST-based APIs
• REST stands for Representational State Transfer

• REST-based APIs follow a set of basic rules regarding what makes a REST API and what
does not

• REST APIs include six attributes:

a) Client/ server architecture

b) Stateless operation

c) Clear statement of cacheable/ uncacheable

theknowledgeacademy
445
Characteristics of REST-based APIs
(Continued)

d) Uniform interface

e) Layered

f) Code-on-demand

• The working of REST API depends upon first three attributes mainly

theknowledgeacademy
446
Characteristics of REST-based APIs
REST APIs and HTTP

• APIs allow two programs to exchange data between them

• A few APIs are designed as an interface between programs running on the same
computer, because of this the communication between programs happens within a
single OS

• Several APIs must be available to programs that run on other computers, hence the API must
define the type of networking protocols supported by the API

• Numerous REST-based APIs use the HTTP protocol

Characteristics of REST-based APIs
(Continued)

• The creators of REST-based APIs choose HTTP because the logic of HTTP matches
concepts defined more generally for REST APIs

• HTTP uses the same principles as REST. For example, it operates with a client/server
model; it uses a stateless operational model; and it includes headers that clearly mark
objects as cacheable or not cacheable

• HTTP also includes verbs: the words that dictate the intended action for a pair of HTTP
Request and Reply messages, which matches how applications like to work

Characteristics of REST-based APIs
Software CRUD Actions and HTTP Verbs

• The acronym CRUD is used by the software industry for the four primary actions performed
by any application:

1) Create

• Permits the client to create new instances of variables and data structures at the
server and initialise their values as kept at the server

Characteristics of REST-based APIs
(Continued)

2) Read

• Permits the client to read (retrieve) the current values of variables that exist at the
server and store a copy of the variables, values, and structures at the client

3) Update

• Permits the client to update (change) the value of variables that exist at the server

4) Delete

• Permits the client to delete instances of data variables from the server
Characteristics of REST-based APIs
• Examples of CRUD actions include checking the status of a new configuration (a read
action), modifying a particular setting in the new configuration (an update action), or
removing a security policy definition completely (a delete action)

• HTTP makes use of verbs that mirror the CRUD actions

• It defines an HTTP request and reply concept, with the client sending a request and
the server answering back with a reply

• Every request lists an action verb in the HTTP request header that defines the
HTTP action

Characteristics of REST-based APIs
• The HTTP messages also include a URI that identifies the resource being manipulated
for this request

• The HTTP message is carried in IP and TCP, with headers and data, as represented below

[Figure: HTTP Verb and URI in an HTTP Request Header. Layout: IP header | TCP header | HTTP Request Header (Verb, URI, some API parameters) | Other Headers | Data]


Characteristics of REST-based APIs
(Continued)

• When we open a web browser and click a link, the browser generates an HTTP GET
request message

• This message includes an HTTP header with the GET verb and the URI

• The resources that are returned in the reply are the components of a web page, such as
text files, image files, and video files

• HTTP works well with REST as HTTP has verbs that match the common program actions
in the CRUD paradigm

Characteristics of REST-based APIs
Action                                     CRUD Term   REST (HTTP) Verb
Create new data structures and variables   Create      POST
Read (retrieve) variable names, values     Read        GET
  and structures
Update or replace the values of some       Update      PUT
  variables
Delete some variables and data structures  Delete      DELETE

Comparison of CRUD Actions to REST Verbs

Characteristics of REST-based APIs
[Figure: a client sends an HTTP Request "GET /networks" (send me a list of networks); the server returns an HTTP Response "HTTP 200 OK" whose body carries the list of networks as JSON data]

• Postman is a popular application that can be used for sending API calls
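The request/reply exchange and the CRUD-to-verb mapping above, worked as an added example (not code from the course or from any Cisco controller): a tiny in-memory "server" that dispatches each stateless request by its verb and URI, with a constructed /networks resource as sample data.

```python
import json

# Constructed sample state: URI -> resource object. This is illustration only,
# not DNA Center or any real controller; the /networks URI is an assumption.
STORE = {
    "/networks/1": {"id": 1, "name": "campus-core", "vlan": 10},
}

# CRUD action -> HTTP verb, as in the comparison table.
VERB_FOR_ACTION = {"create": "POST", "read": "GET", "update": "PUT", "delete": "DELETE"}


def handle_request(store, verb, uri, body=None):
    """Handle one stateless request (verb + URI + optional JSON body) and
    return (status_code, reply_body); each call relies only on its own inputs."""
    if verb == "GET":                                  # Read
        if uri == "/networks":                         # the collection: list of networks
            return 200, json.dumps(list(store.values()))
        if uri in store:
            return 200, json.dumps(store[uri])
        return 404, json.dumps({"error": "not found"})
    if verb == "POST":                                 # Create a new instance
        data = json.loads(body)
        new_id = max((r["id"] for r in store.values()), default=0) + 1
        data["id"] = new_id
        store[f"/networks/{new_id}"] = data
        return 201, json.dumps(data)
    if verb == "PUT":                                  # Update (replace) an instance
        if uri not in store:
            return 404, json.dumps({"error": "not found"})
        data = json.loads(body)
        data["id"] = store[uri]["id"]                  # identity comes from the URI, not the body
        store[uri] = data
        return 200, json.dumps(data)
    if verb == "DELETE":                               # Delete
        if store.pop(uri, None) is None:
            return 404, json.dumps({"error": "not found"})
        return 204, ""
    return 405, json.dumps({"error": f"verb {verb} not allowed"})


if __name__ == "__main__":
    status, reply = handle_request(STORE, "GET", "/networks")   # "send me a list of networks"
    print(status, reply)
```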
6.6 Recognise the Capabilities of Configuration Management Mechanisms
• Puppet, Chef, and Ansible are software packages

• Most people use these names for the companies as well as for their primary configuration
management products

• All of these emerged as part of the transition from hardware-based servers to
virtualised servers, which greatly increased the number of servers and created the need
for software automation to create, configure, and remove VMs

Recognise the Capabilities of Configuration Management Mechanisms
Puppet

• To use Puppet, begin by installing it on a Linux host

• It can be installed on your own Linux host, but for production purposes it is normally
installed on a Linux server known as the Puppet master

• Puppet uses various important text files with different components such as

o Manifest - A human readable text file on the puppet master

Recognise the Capabilities of Configuration Management Mechanisms (Continued)

o Resource, Class, Module – Components of the manifest, with the largest modules
being composed of smaller classes

o Templates – These files permit Puppet to use a Puppet domain-specific language to
generate manifests by substituting variables into the template

• Puppet usually uses an agent-based architecture for network device support

Recognise the Capabilities of Configuration Management Mechanisms
Chef

• Chef also exists as a software package that is installed and run

• Chef offers various products, such as Chef Automate, which is generally what most people
mean by "Chef"

• As with Puppet, in production Chef is typically run as a server, with multiple Chef
workstations used by the engineering staff to build Chef files that are stored on the
Chef server

Recognise the Capabilities of Configuration Management Mechanisms (Continued)

• Once Chef is installed, various text files can be created with different components such as

o Resource - A configuration object whose state is managed by Chef

o Recipe - The Chef logic applied to resources to determine when, how, and whether to
act against them; analogous to a recipe in a cookbook

o Cookbook - A set of recipes related to the same type of work, grouped together for
easier management and sharing

Recognise the Capabilities of Configuration Management Mechanisms (Continued)

o Runlist - An ordered list of recipes that should be run against a given device

• Chef makes use of an architecture similar to Puppet's

• Every managed device, known as a Chef node or Chef client, runs an agent; this is also the
model used for network devices

Recognise the Capabilities of Configuration Management Mechanisms
Ansible

• To use Ansible, it must be installed on a computer such as a Linux or Mac host, a Linux VM,
or a Windows host

• Once installed, several text files are created, such as

o Playbooks - These files provide the logic and actions that Ansible should perform

Recognise the Capabilities of Configuration Management Mechanisms (Continued)

o Inventory – These files provide information about every device, such as device roles,
which is why Ansible can perform functions for subsets of the inventory

o Templates - These represent a device's configuration, but with variables, using the Jinja2
language

o Variables - A YAML file can list the variables that Ansible will substitute into templates

Recognise the Capabilities of Configuration Management Mechanisms
Comparing Puppet, Chef, and Ansible

Action                                 Ansible        Puppet        Chef
Term for the file that lists actions   Playbook       Manifest      Recipe, Runlist
Protocol to network device             SSH, NETCONF   HTTP (REST)   HTTP (REST)
Uses agent or agentless model          Agentless      Agent*        Agent
Push or pull model                     Push           Pull          Pull

6.7 Interpret JSON Encoded data
• JavaScript Object Notation (JSON) tries to strike a balance between human and machine
readability

• With only a few JSON rules, most humans can read JSON data, move past guessing
at what it means, and confidently interpret the data structures defined by the JSON
data

• At the same time, JSON makes it easy for programs to convert JSON text into
variables, making it very useful for data exchange between applications using APIs

Interpret JSON Encoded data
Interpreting JSON Key: Value Pairs

The following are the key rules about key:value pairs in JSON, which can be thought of as
individual variable names and their values:

o Key:Value Pair: Every colon identifies one key:value pair, with the key before the
colon and the value after the colon

o Key: The text, inside double quotes, before the colon; it is the name that references a
value

Interpret JSON Encoded data
(Continued)

o Value: The item after the colon that represents the value of the key, which can be

– Text: Listed in double quotes

– Numeric: Listed without quotes

– Array: A special value (see below)

– Object: A special value (see below)

o Multiple Pairs: When listing multiple key:value pairs, separate the pairs with a comma
at the end of each pair (except the last pair)
Interpret JSON Encoded data
Interpreting JSON Objects and Arrays

• JSON uses JSON objects and JSON arrays to communicate data structures beyond a
key:value pair with a simple value

• Objects can be flexible to some extent, but in most uses, they act like a dictionary

• Arrays list a series of values

• There are a set of rules about interpreting the syntax of JSON objects and arrays

Interpret JSON Encoded data
The rules are:

o { } - Object: A series of key:value pairs enclosed in a matched pair of curly brackets,
with an opening left curly bracket and its matching right curly bracket

o [ ] - Array: A series of values that are not key:value pairs enclosed in a matched pair of
square brackets, with an opening left square bracket and its matching right square
bracket

o Key:value pairs inside objects: All key:value pairs inside an object conform to the
earlier rules for key:value pairs

o Values inside arrays: All values conform to the previous rules for formatting values
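The key:value rules and the object/array rules above, applied in an added example (not code from the course): a constructed JSON reply is parsed and every key:value pair and array element is labelled as text, numeric, array or object, and a checker shows how a trailing comma after the last pair or a missing comma between pairs breaks the format.

```python
import json

# Constructed sample: one object holding text, numeric, array and nested-object
# values, shaped like a REST API reply. Names and values are made up.
SAMPLE = '''
{
  "name": "campus-core",
  "vlan": 10,
  "uplinks": ["Gi1/0/1", "Gi1/0/2"],
  "mgmt": { "ip": "10.0.0.1", "ssh": true }
}
'''


def classify(value):
    """Name the value kind using the slide rules: object { }, array [ ],
    text (double quotes) or numeric (no quotes); true/false/null are literals."""
    if isinstance(value, dict):
        return "object"
    if isinstance(value, list):
        return "array"
    if isinstance(value, str):
        return "text"
    if isinstance(value, bool) or value is None:   # bool must be tested before int
        return "literal"
    return "numeric"


def walk(value, path="$"):
    """Return (path, kind) for the value and, recursively, for every key:value
    pair inside an object and every element inside an array."""
    out = [(path, classify(value))]
    if isinstance(value, dict):
        for key, item in value.items():            # keys are always double-quoted text
            out += walk(item, f"{path}.{key}")
    elif isinstance(value, list):
        for i, item in enumerate(value):
            out += walk(item, f"{path}[{i}]")
    return out


def describe(text):
    """Parse JSON text and map each path to its value kind."""
    return dict(walk(json.loads(text)))


def check_json(text):
    """Return None if text is valid JSON, else the parser's reason string."""
    try:
        json.loads(text)
        return None
    except json.JSONDecodeError as err:
        return err.msg
```

Note that a number written in quotes, as in `{"vlan": "10"}`, parses as text, which is exactly the distinction the "numeric: listed without quotes" rule makes.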
Congratulations