CCNA Certification - Delegate Pack
theknowledgeacademy
The 6 Domains of CCNA
• Domain 1: Network Fundamentals
• Domain 2: Network Access
• Domain 3: IP Connectivity
• Domain 4: IP Services
• Domain 5: Security Fundamentals
• Domain 6: Automation and Programmability
Examination Weights
• Domain 1: Network Fundamentals (20%)
• Domain 2: Network Access (20%)
• Domain 3: IP Connectivity (25%)
• Domain 4: IP Services (10%)
• Domain 5: Security Fundamentals (15%)
• Domain 6: Automation and Programmability (10%)
Domain 1
Network Fundamentals
Outlines of Domain 1
• Module 1: Explain the role and function of network components
• Module 6: Configure and verify IPv4 addressing and subnetting
• Module 10: Verify IP parameters for Client OS (Windows, Mac OS, Linux)
Introduction to Networking
Network
Types of Network
Networking
o Network Data: The information to be sent across a network, e.g. web browsing, instant messaging, email
o Endpoint Devices: The equipment that needs access to network data, e.g. computers, tablets, phones, printers
o Network Devices: The equipment that transfers data between endpoints, e.g. firewalls, switches, routers, wireless access points
o Network Protocols: The sets of rules that endpoints must follow when they communicate over a network
Module 1: Explain the Role and Function
of Network Components
1.1.a Routers
• Routers implement the functions of the Network Layer (Layer 3). The primary function of a router is to forward packets according to its routing table
• Routers also separate broadcast domains, segment traffic, and define the Layer 3 networks (subnets) and their addressing
• Those networks are defined by the router interfaces (ports) to which IP addresses are assigned
• Those interface IP addresses serve as the default gateway for PCs and other devices on each network
o Static: Static routing requires an administrator to configure the routing table manually and to define each route
o Dynamic: Routers running a routing protocol communicate with each other to share information about their directly connected routes and the paths they can reach
1.1.b L2 and L3 Switches
Introduction to L2 Switch
• A Layer 2 (L2) switch is a network switch that operates at the second layer of the OSI model (the data link layer) and uses MAC addresses to determine the port through which each frame is to be forwarded
• It uses hardware-based switching (ASICs) to connect devices and forward frames within a LAN (local area network)
• The primary responsibility of a Layer 2 switch is to forward frames at the data link layer and to check the frame check sequence (FCS) of every frame it receives, discarding corrupted frames
• A Layer 2 switch identifies each network node by the MAC address of its NIC
• Switches learn MAC addresses automatically by recording the source MAC address and ingress port of each frame they receive, and keep these in a forwarding table (the MAC address table); a frame whose destination MAC is not yet in the table is flooded out every other port in the VLAN
Introduction to L3 Switch
• A Layer 3 switch connects devices on the same subnet or VLAN at wire speed, like a Layer 2 switch, and also has IP (Internet Protocol) routing built in, so it can double as a router between VLANs
• It can run routing protocols, inspect incoming packets and make forwarding decisions based on the source and destination IP addresses
1.1.c Next-Generation Firewalls and IPS
Introduction to Next-Generation Firewalls
Key characteristics of a next-generation firewall:
• Application awareness
• Streamlined infrastructure
• Multi-functional
Introduction to IPS
• An IPS is designed to prevent several different kinds of threat, including:
o Denial of Service (DoS) attacks
o Distributed Denial of Service (DDoS) attacks
o Worms
o Viruses
o Various types of exploits
Types of Prevention
• An IPS is typically configured to use several detection methods to protect the network from unauthorised or malicious traffic
• These include:
o Signature-based: matches traffic against a database of known attack patterns
o Anomaly-based: compares traffic against a baseline of normal behaviour and flags deviations
o Policy-based: blocks traffic that violates rules defined by the administrator
1.1.d Access Points
Introduction
• Just as a switch or hub connects multiple devices in one or more wired LANs, an access point connects multiple wireless devices in one or more wireless networks
• An access point is also used to extend the wired network to wireless devices
• The access point is categorised into three types based on the functionalities:
1.1.e Controllers (Cisco DNA Center and WLC)
Introduction to Cisco DNA Center
• Cisco DNA Center is the foundational controller and analytics platform at the core of Cisco's intent-based networking
• Cisco DNA Center provides intuitive, centralised management that makes it fast and easy to design, provision and implement policies across the network environment
• The Cisco DNA Center UI provides end-to-end visibility of the network and uses network insights to optimise performance and deliver the best user and application experience
Introduction to WLC
• A WLC (Wireless LAN Controller) is a device that centrally manages the access points of a wireless network, so that the design can adapt to changing network requirements
• The access points are controlled by the WLC, which pushes configuration, RF and security settings to them and allows wireless devices to connect to the network
• A wireless access point does for the network roughly what an amplifier does for a home stereo: the connectivity coming from the router is made available to many wireless devices at a distance
• With a WLC, access points do not have to be configured one by one, and client authentication and roaming between access points are handled centrally
1.1.f Endpoints
• An endpoint device is a hardware device that communicates across a network and is connected to a LAN or WAN
• One of the biggest challenges with endpoint devices is that they require robust security to protect the enterprise system or network
• Security managers should determine whether endpoint devices could become security gaps in the network, i.e. whether an unauthorised user could gain access to an endpoint and use it to extract sensitive or critical data
1.1.g Servers
Introduction
1.2 2-Tier/Collapsed Core
A general campus network consists of 3 tiers:
1) Core (the high-speed backbone that interconnects the distribution switches)
2) Distribution (generally all fiber connections; the Layer 3 boundary and the point of uplink aggregation, where switch-to-switch links interconnect)
3) Access (generally all copper connections, where endpoints connect to the network)
1.2.a 2-Tier
• In a 2-tier design, the core and distribution functionality is combined into one tier; together with the access layer this makes a 2-tier architecture
Tiers: Core/Distribution, Access
1.2.b 3-Tier
• A 3-tier design separates the core and distribution functionality onto dedicated devices
Tiers: Core, Distribution, Access
1.2.c Spine-Leaf
Introduction
• Spine and leaf architectures were introduced for data centre solutions such as Cisco FabricPath and Cisco ACI
• The main point of this architecture is that there are no Layer 2 loops and every destination is reachable within a maximum of two routed hops (leaf to spine to leaf)
[Figure: spine switches, each connected to every leaf switch]
1.2.d WAN
Introduction
• A WAN (Wide Area Network) is a data communication network that operates beyond the geographic scope of a LAN
• A WAN uses transmission facilities provided by common carriers such as telephone companies
• WAN technologies usually operate at the lower three layers of the OSI reference model: the physical layer, the data link layer and the network layer
Understanding WAN Technologies
WAN technologies include the following:
1. Circuit switching
• A dedicated circuit (or virtual connection) for data or voice is dynamically built between the sender and the receiver
• The connection must be established through the service provider network before communication begins
2. Packet switching
• A packet-switched network (PSN) divides the traffic into packets that are routed over a shared network
• These networks do not need a circuit to be established, and they allow several pairs of nodes to communicate over the same channel
• The switches in a packet-switched network determine which links packets must be sent over based on the addressing information in each packet
[Figure: hosts H1 and H2 connected to switch SW1 on ports Gi0/1 and Gi0/2]
1.2.e Small Office/Home Office (SOHO)
• A SOHO network allows two systems (computers) to communicate with each other, perhaps to share a few files or play a multiplayer game
[Figure: SOHO LAN with hosts H1 to H3 on SW1; router R1 connects the LAN to the Internet]
1.2.f On-Premises and Cloud
Introduction to On-Premises
• On-premises software is installed on a company's own servers behind its firewall; this is how software has been provided to organisations for a long time, and it may continue to serve business requirements adequately
• Because the software is licensed and the whole instance runs within the organisation's premises, the organisation retains direct control over the data and the security of the environment; whether this gives greater protection than a cloud infrastructure depends on how well that control is actually exercised
Introduction to Cloud
Module 3: Compare Physical Interface
and Cabling Types
1.3.a Single-mode fiber, Multimode fiber,
Copper
Single-mode fiber
Copper Cable
• Coaxial cable, shielded twisted pair (STP) and unshielded twisted pair (UTP) are the three types of copper cable
Comparison
Single-mode fiber: used for long distances
Multimode fiber: used for shorter distances
Copper: used for shorter distances
1.3.b Connections (Ethernet Shared Media)
• In the early days, Ethernet used shared media connections, which meant that all endpoints connected to the network shared the same collision domain, and that is not a good thing
• In such a situation, frames from different stations can collide on the medium, which reduces performance
• Nowadays, endpoints are generally connected to switch interfaces, which give each port its own collision domain
1.3.b Connections (Point-to-Point)
• A point-to-point connection is one in which only two devices are connected, logically or physically; a point-to-multipoint connection joins one device to several others
[Figure: Point-to-Point vs. Point-to-Multipoint]
1.3.c Concepts of PoE
PoE (Power Over Ethernet) Basics
• In PoE, one device, usually a LAN switch, acts as the PSE (Power Sourcing Equipment): the device that supplies DC (Direct Current) power over the Ethernet UTP (Unshielded Twisted Pair) cable to the PD (Powered Device), as shown in the figure
• PoE is standardised by the IEEE (Institute of Electrical and Electronics Engineers). Power detection has to work at the electrical level, before any Ethernet auto-negotiation can take place, because the PD needs power before it can boot and negotiate anything
• The PSE determines whether the device at the end of the cable needs power (i.e. it is a PD) and how much power to supply by applying a low voltage to the cable and watching the return signal levels; once the PD is up, power requirements can be refined further with LLDP messages
Module 4: Identify Interface and Cable
Issues
1.4 Identify Interface and Cable Issues
Collisions
• A collision occurs when two stations on a shared Ethernet medium transmit at the same time; the mechanism Ethernet uses to control access to the shared medium and allocate its bandwidth among stations is CSMA/CD (Carrier Sense Multiple Access/Collision Detect)
• Because the medium is shared, there has to be a way for two stations to detect that they have transmitted simultaneously. This is collision detection: both stations stop, wait a random back-off time and retry
• Collisions are normal on half-duplex links; on a full-duplex switched link there should be none, so a rising collision counter on a full-duplex port points to a problem
Errors
• The "packets input" counter gives the total number of error-free packets the interface has received
• The "bytes input" counter gives the total number of bytes in those error-free packets, including data and MAC encapsulation
• The "input errors" counter is the sum of the giants, runts, CRC (cyclic redundancy check), frame, overrun, no buffer and ignored counts
Duplex and Speed
• Duplex and speed must match on both ends of a link, otherwise there will be problems
• Traffic can still pass with mismatched duplex, but you will see retransmissions and decreased throughput
• Duplex depends on speed in the sense that duplex cannot be set manually while speed is set to auto
• A mismatch typically arises when one end is hard-coded to full duplex and the other is left on auto: auto-negotiation then fails, the auto end falls back to half duplex, and you see late collisions on the half-duplex side and Cyclic Redundancy Check (CRC) and runt errors on the full-duplex side. Hard-coding both ends identically, or leaving both on auto, avoids this
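The counters and the duplex/speed line described above are what a practitioner actually reads off `show interfaces` when chasing a cable or duplex problem. The following is an added example, not part of the original delegate pack: it parses a constructed (not captured) `show interfaces` snippet in the IOS text format and applies the diagnostic rules from this section. The interface name, MAC address and every counter value in the sample are invented for illustration.

```python
import re

# Constructed sample of Cisco IOS "show interfaces" output (not captured from a
# real device); the counters are invented to illustrate a duplex mismatch.
SAMPLE_SHOW_INTERFACES = """\
GigabitEthernet0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0011.2233.4455 (bia 0011.2233.4455)
  Half-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  5 minute input rate 12000 bits/sec, 10 packets/sec
     10234 packets input, 1823456 bytes, 0 no buffer
     Received 120 broadcasts (0 multicasts)
     37 runts, 0 giants, 0 throttles
     212 input errors, 175 CRC, 0 frame, 0 overrun, 0 ignored
     9876 packets output, 1234567 bytes, 0 underruns
     0 output errors, 318 collisions, 1 interface resets
     0 babbles, 142 late collision, 0 deferred
"""

# Counters worth tracking, in the "<n> <name>" form IOS prints them.
COUNTER_NAMES = ("runts", "giants", "input errors", "CRC", "frame", "overrun",
                 "ignored", "output errors", "collisions", "late collision")
COUNTER_RE = re.compile(r"(\d+)\s+(" + "|".join(re.escape(n) for n in COUNTER_NAMES) + r")\b")
DUPLEX_RE = re.compile(r"^\s*(Full|Half|Auto)-duplex,\s*([^,]+)", re.MULTILINE)
NAME_RE = re.compile(r"^(\S+) is (\w+), line protocol is (\w+)", re.MULTILINE)


def parse_show_interfaces(text: str) -> dict:
    """Pull interface name/state, duplex, speed and the error counters out of IOS output."""
    name = NAME_RE.search(text)
    duplex = DUPLEX_RE.search(text)
    counters = {n.lower().replace(" ", "_"): int(v) for v, n in COUNTER_RE.findall(text)}
    return {
        "interface": name.group(1) if name else None,
        "status": name.group(2) if name else None,
        "duplex": duplex.group(1) if duplex else None,
        "speed": duplex.group(2).strip() if duplex else None,
        "counters": counters,
    }


def assess(info: dict) -> list:
    """Apply the rules of thumb from the section to the parsed counters."""
    c = info["counters"]
    duplex = (info.get("duplex") or "unknown").lower()
    findings = []
    if c.get("late_collision", 0) > 0:
        findings.append(f"late collisions on a {duplex}-duplex port: probable duplex mismatch "
                        "(peer likely hard-coded to full duplex)")
    if c.get("crc", 0) > 0 or c.get("frame", 0) > 0:
        findings.append("CRC/framing errors: bad cable or connector, or this is the full-duplex "
                        "side of a duplex mismatch")
    if c.get("runts", 0) > 0:
        findings.append("runts: frames shorter than 64 bytes, typical of collisions or a faulty NIC/cable")
    if c.get("giants", 0) > 0:
        findings.append("giants: frames larger than the interface MTU")
    if duplex == "full" and c.get("collisions", 0) > 0:
        findings.append("collisions on a full-duplex port should never happen: duplex mismatch")
    return findings


if __name__ == "__main__":
    parsed = parse_show_interfaces(SAMPLE_SHOW_INTERFACES)
    print(parsed["interface"], parsed["duplex"], parsed["speed"], parsed["counters"])
    for finding in assess(parsed):
        print(" -", finding)
```

Feeding the real command output of several switches through `parse_show_interfaces` and `assess` is a quick way to find the one port that someone hard-coded years ago.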
Module 5: Compare TCP to UDP
Transmission Control Protocol
• Based on its requirements, every TCP/IP application chooses to use either TCP or UDP
• For example, TCP offers error recovery (retransmission of lost segments), but it consumes more bandwidth and processing cycles to do so
User Datagram Protocol
• UDP provides applications with a simple service for exchanging messages
• UDP is a connectionless protocol: it does not provide reliability, windowing, reordering of received data, or segmentation of large chunks of data into the right size for transmission
• UDP does offer some of the same functions as TCP, such as multiplexing using port numbers and data transfer, and does so with fewer bytes of overhead and less processing than TCP
• UDP Header: source port (16 bits), destination port (16 bits), length (16 bits) and checksum (16 bits), for a total of 8 bytes
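The 8-byte header above is small enough to build and check by hand, which is the clearest way to see what UDP does and does not give an application. The following is an added example, not code from the delegate pack: it builds a UDP segment, computes the optional IPv4 checksum over the pseudo-header plus segment, and parses it back, validating the length field and the checksum. The addresses, ports and payload bytes are constructed for the example.

```python
import struct
import ipaddress

UDP_HEADER = struct.Struct("!HHHH")   # source port, destination port, length, checksum
PROTO_UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry, as used by IP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"               # pad odd-length data with a zero byte
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """IPv4 pseudo-header the UDP checksum also covers: src, dst, zero, protocol, UDP length."""
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, PROTO_UDP, udp_length))


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    length = UDP_HEADER.size + len(payload)
    segment = UDP_HEADER.pack(sport, dport, length, 0) + payload   # checksum field is zero while computing
    csum = (~ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + segment)) & 0xFFFF
    csum = csum or 0xFFFF              # RFC 768: a computed checksum of 0 is transmitted as all ones
    return UDP_HEADER.pack(sport, dport, length, csum) + payload


def parse_udp(src_ip: str, dst_ip: str, segment: bytes) -> dict:
    """Parse a UDP segment, checking the length field and (if present) the checksum."""
    if len(segment) < UDP_HEADER.size:
        raise ValueError("segment shorter than the 8-byte UDP header")
    sport, dport, length, csum = UDP_HEADER.unpack_from(segment)
    if length < UDP_HEADER.size or length > len(segment):
        raise ValueError("UDP length field inconsistent with segment size")
    segment = segment[:length]         # ignore any link-layer padding beyond the declared length
    # With the transmitted checksum in place, the sum over pseudo-header + segment must be 0xFFFF.
    # A checksum of 0 means the sender did not compute one (allowed over IPv4).
    checksum_ok = csum == 0 or ones_complement_sum(
        pseudo_header(src_ip, dst_ip, length) + segment) == 0xFFFF
    return {"sport": sport, "dport": dport, "length": length,
            "checksum_present": csum != 0, "checksum_ok": checksum_ok,
            "payload": segment[UDP_HEADER.size:]}


if __name__ == "__main__":
    # Constructed example: a DNS-style query from a client to a resolver.
    seg = build_udp("192.168.1.10", "192.168.1.1", 53000, 53, b"\x12\x34\x01\x00\x00\x01")
    print(seg.hex())
    print(parse_udp("192.168.1.10", "192.168.1.1", seg))
    corrupted = seg[:-1] + bytes([seg[-1] ^ 0x01])      # flip one payload bit
    print("corrupted checksum ok:", parse_udp("192.168.1.10", "192.168.1.1", corrupted)["checksum_ok"])
```

Note what is absent: no sequence numbers, no acknowledgements, nothing that would let the receiver ask for a retransmission. Because the checksum covers the pseudo-header, a segment whose IP addresses were rewritten (for example by NAT) must have its checksum recomputed.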
1.5 TCP Vs. UDP
• The basic difference between TCP and UDP is that TCP offers an extensive set of services to applications, whereas UDP does not provide these services
• For example, routers discard packets for a variety of reasons, such as congestion, bit errors and cases where the correct route is not known
• Most data link protocols detect errors with an error detection process (such as the Ethernet FCS) and then discard the frames that contain errors
• TCP offers error recovery (retransmission) and helps to avoid congestion (flow control); UDP does not
• Compared with TCP, UDP needs fewer bytes in its header, which means fewer bytes of overhead in the network
• UDP does not slow down the transfer of data in situations where TCP slows down on purpose
• Some applications, such as Voice over IP or Video over IP, gain nothing from error recovery (a retransmitted packet would arrive too late to be useful) and hence use UDP
Module 6: Configure and Verify IPv4
Addressing and Subnetting
1.6 IPv4 Addressing
Classful Addressing
• The combination of an IP address and a subnet mask defines the network ID and the host ID of the address
• Based on the first octet of the IP address, classful addressing allocates a network ID
• The classful addressing scheme was used before subnet masks were introduced to identify the network ID portion of an address
• Under classful addressing, network IDs are divided into three classes (A, B and C) describing different sizes of IP network
Class   First octet (binary)   Number of networks   Hosts per network   First octet range
A       0???????               126                  16,777,214          1-126
B       10??????               16,384               65,534              128-191
C       110?????               2,097,152            254                 192-223

Class A: the first octet is the network ID, the remaining three octets are the host ID
Class B: the first two octets are the network ID, the last two are the host ID
Class C: the first three octets are the network ID, the last octet is the host ID
• There are about 16 thousand Class B networks, each supporting up to 65,534 hosts
• Class C networks support only 254 hosts each, but there are over 2 million of them
• The following table shows the way to identify an address class from the first octet of the
IP address in decimal:
o Class D and Class E Addresses
There are two additional classes of IP address (D and E) that use the remaining numbers:
• Class D addresses (224.0.0.0 through 239.255.255.255) are used for multicast
• Class E addresses (240.0.0.0 through 255.255.255.255) are reserved for experimental use and testing
Public versus Private Addressing
• A public IP network is one that can establish connections with other public IP networks and hosts over the Internet
• IANA governs the allocation of public IP addresses, and the regional registries and Internet Service Providers (ISPs) administer it
• Hosts communicating with one another over a LAN can use a public addressing scheme, but will more typically use private addressing
1.7 Describe the Need for Private IPv4 Addressing
• Private IP addresses are drawn from one of the following pools, which are not routable over the Internet:
o 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
o 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
o 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
• Any organisation can use private addresses on its networks without applying to an ISP, and multiple organisations can use these ranges simultaneously
Internet access can be provided for hosts using a private addressing scheme in two ways:
• Through a proxy server that fulfils requests for Internet resources on behalf of the clients
• Through Network Address Translation (NAT), where a router rewrites the private source address to a public one on the way out, and back again on the way in
Subnetting and Classless Addressing
• A public IP network address can represent an organisation on the Internet, but most companies need to subdivide their private networks into different logical groups
o Subnet Design
Organisations divide large networks into logically distinct subnets for these reasons:
➢ Large networks use VLANs to isolate broadcast domains, and create a subnet to map to each VLAN
• Networks that use different data link and physical technologies, such as Ethernet and Token Ring, should be separated logically as different subnets
• Many organisations have more than one site, with WAN links between them. Each WAN link forms a separate subnet
• It is beneficial to divide a network into logically distinct zones for administrative and security control (for example, so that traffic between zones has to pass a router or firewall where it can be filtered)
• While IPv4 was originally based on a classful address scheme, subnetting replaced the idea of recognising the network portion of an IP address from its class with the idea of using a subnet mask
• The length of the subnet mask defines the length of the network portion of the IP address
• Because the 1s in a mask are always contiguous, each octet of a subnet mask written in decimal will always be one of the following: 0, 128, 192, 224, 240, 248, 252, 254 or 255
o Default Subnet Masks and Subnet IDs
The default subnet masks correspond to the three classes of unicast IP address (A, B, and C).
The default masks include whole octets:
• Class A: 255.0.0.0
• Class B: 255.255.0.0
• Class C: 255.255.255.0
• These default masks can be changed to allow a single network to be divided into several subnets
• To do this, additional bits of the IP address are allocated to the network address rather than to the host ID
Internetwork addressing (Class B address): Network ID 16 bits | Host ID 16 bits
• The whole network is still referred to by its network ID and the default mask: 172.1.0.0 / 255.255.0.0
• However, routers within the network add bits to the mask to differentiate the subnets
o Classless Addressing
• With a classless addressing scheme, the concept of default masks and address classes is abandoned in favour of representing the address with a network prefix of whatever size is appropriate
• The idea of aligning the netmask to an octet boundary is discarded entirely
• For example, when expressed in binary, the subnet mask 255.255.240.0 consists of 20 ones followed by 12 zeroes. Therefore the network prefix, written in slash notation, is 172.1.0.0/20
• Routers have performed classless routing for a very long time, but the class terminology is still widely used
• Under classless addressing, the old classes are usually used as names for the netmasks that align to whole octet boundaries: a "Class A" network is a /8, a "Class B" network is a /16, and a "Class C" network is a /24
Planning an IPv4 Addressing Scheme
A network designer needs to plan the IP addressing scheme carefully. Before selecting a scheme, examine the following factors:
The following are some additional constraints to consider when planning an addressing scheme:
• The network and host IDs cannot both be all 1s in binary (255.255.255.255); this is reserved for the limited broadcast address. A host ID of all 1s is the broadcast address of that subnet
• The network and host IDs cannot both be all 0s in binary (0.0.0.0), which means "this network". A host ID of all 0s identifies the subnet itself
When performing subnet calculations, it helps to remember that each power of two is double the previous one:
2^2 = 4, 2^3 = 8, 2^4 = 16, 2^5 = 32, 2^6 = 64, 2^7 = 128, 2^8 = 256
Public Internet Addressing
When an organisation needs to connect to the Internet, it must obtain a range of public IP addresses through its ISP
o Classful Addressing
• With the introduction of subnetting, some octets were fixed depending on the class of the IP address, but the remaining portion could use any valid addressing scheme
• For example, an organisation might be allocated the network address 128.248.0.0, within which it could allocate the third and fourth octets as required
• Under this classful system, almost all Class B addresses were soon allocated
• This shortage of network addresses prompted the development of IPv6, which uses a much larger address space
• However, the deployment of IPv6 has been enormously protracted, so a series of stopgap measures have been introduced over the years
• Subnetting and private address ranges are used to hide the complexity of private local networks from the wider Internet
o Classless Interdomain Routing (CIDR)
• Classless addressing was created to solve two main difficulties of the classful addressing scheme as more and more networks joined the Internet
• The first difficulty was that network addresses (particularly Class B addresses) were becoming very scarce, and the second was the near-exponential growth of Internet routing tables
• CIDR treats the bits that classful addressing would assign to the network ID as subnet or host bits (and vice versa), so that a prefix of any length can be allocated or advertised
[Figure: a /21 address: the first 21 bits are the external network address, the remaining 11 bits hold the internal network addresses and host IDs]
• For example, instead of allocating a Class B (/16) network address to a company, several contiguous Class C (/24) addresses could be assigned
• Eight /24 network addresses give 2,032 usable hosts (8 × 254). Without aggregation this means complex routing, with eight separate entries in Internet routing tables to represent eight IP networks at the same location; with CIDR, eight contiguous and properly aligned /24 networks can be advertised as a single /21 summary route
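Whether a set of networks can be summarised into one route depends on the blocks being contiguous and aligned to the summary's size; a summary that is too wide quietly claims address space the organisation does not own. The following is an added example, not code from the delegate pack: it computes the shortest prefix covering a list of networks, reports whether that prefix covers exactly those networks, and shows the minimal set of routes that would be needed if no exact summary exists. The address ranges used are constructed for the example.

```python
import ipaddress


def summary_route(cidrs: list) -> dict:
    """Find the single shortest IPv4 prefix covering every network in `cidrs`, and
    report whether it covers exactly those networks or over-reaches."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    if not nets:
        raise ValueError("no networks given")
    if any(n.version != 4 for n in nets):
        raise ValueError("this helper handles IPv4 only")
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # The shortest common prefix is 32 minus the number of bits in which lo and hi differ.
    prefix = 32 - (lo ^ hi).bit_length()
    summary = ipaddress.ip_network(f"{ipaddress.IPv4Address(lo)}/{prefix}", strict=False)
    # collapse_addresses merges adjacent or overlapping networks into the fewest entries
    # that cover exactly the same addresses; a single entry means an exact summary exists.
    collapsed = list(ipaddress.collapse_addresses(nets))
    covered = sum(n.num_addresses for n in nets)
    return {
        "summary": str(summary),
        "exact": len(collapsed) == 1 and collapsed[0] == summary,
        "routes_without_summary": [str(n) for n in collapsed],
        "usable_hosts": sum(max(n.num_addresses - 2, 0) for n in nets),
        "extra_addresses_covered": summary.num_addresses - covered,
    }


if __name__ == "__main__":
    # Eight aligned /24s: one /21 represents them exactly.
    print(summary_route([f"192.168.{i}.0/24" for i in range(8)]))
    # Eight /24s that start at .1 instead of .0: no exact summary, the /20 over-reaches
    # and four separate routes are the best that can be done.
    print(summary_route([f"192.168.{i}.0/24" for i in range(1, 9)]))
```

The `extra_addresses_covered` figure is the security-relevant one: advertising that wider summary would attract traffic for addresses nobody at the site holds, and is how accidental (and deliberate) prefix hijacks start.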
• To decide whether a destination is on the local network, a host ANDs its own IP address with its subnet mask and ANDs the destination address with the same mask. If the ANDed result is the same network ID as for the destination address, then the destination is on the same network; otherwise the packet is sent to the default gateway
• In the following table, the first two IP addresses belong to the same network (the second
is the broadcast address for the network) but the third is in a different one:
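The AND test, the broadcast address, the subnet ID, the address class and the private ranges covered in the preceding slides are all products of the same few bit operations. The following is an added example, not code from the delegate pack, covering both the classful/private addressing section and this one: a small subnet calculator written with plain integer arithmetic rather than a library, so the mask operations are visible. It also rejects a mask whose 1 bits are not contiguous, which the text notes can never be valid. Sample addresses are constructed for the example.

```python
def dotted_to_int(dotted: str) -> int:
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted!r}")
    return int.from_bytes(bytes(int(p) for p in parts), "big")


def int_to_dotted(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def prefix_to_mask(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def parse_mask(mask) -> int:
    """Accept a prefix length (20) or a dotted mask ('255.255.240.0') and return the
    prefix length. Masks whose 1 bits are not contiguous (255.255.0.255) are rejected."""
    if isinstance(mask, int):
        prefix_to_mask(mask)           # range check
        return mask
    value = dotted_to_int(mask)
    prefix = bin(value).count("1")
    if value != prefix_to_mask(prefix):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


PRIVATE_BLOCKS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))   # RFC 1918


def address_class(value: int) -> str:
    first = value >> 24                # classful rules look only at the first octet
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D" if first < 240 else "E"


def is_private(value: int) -> bool:
    return any(value & prefix_to_mask(p) == dotted_to_int(net) for net, p in PRIVATE_BLOCKS)


def same_network(addr_a: str, addr_b: str, mask) -> bool:
    """The AND test a host performs: same network ID under the mask means 'local'."""
    m = prefix_to_mask(parse_mask(mask))
    return (dotted_to_int(addr_a) & m) == (dotted_to_int(addr_b) & m)


def subnet_info(addr: str, mask) -> dict:
    ip = dotted_to_int(addr)
    prefix = parse_mask(mask)
    m = prefix_to_mask(prefix)
    network = ip & m                              # host bits cleared
    broadcast = network | (~m & 0xFFFFFFFF)       # host bits set
    if prefix >= 31:   # /31 point-to-point links and /32 host routes have no broadcast address
        first_host, last_host, usable = network, broadcast, (2 if prefix == 31 else 1)
    else:
        first_host, last_host, usable = network + 1, broadcast - 1, (broadcast - network) - 1
    return {
        "address": addr, "prefix": prefix, "mask": int_to_dotted(m),
        "network": int_to_dotted(network), "broadcast": int_to_dotted(broadcast),
        "first_host": int_to_dotted(first_host), "last_host": int_to_dotted(last_host),
        "usable_hosts": usable,
        "is_network_id": prefix < 31 and ip == network,
        "is_broadcast": prefix < 31 and ip == broadcast,
        "class": address_class(ip), "private": is_private(ip),
    }


if __name__ == "__main__":
    print(subnet_info("172.1.17.10", "255.255.240.0"))     # the /20 example from the text
    print(same_network("192.168.1.10", "192.168.1.255", 24),   # .255 is this subnet's broadcast
          same_network("192.168.1.10", "192.168.2.1", 24))     # different subnet
```

A firewall or ACL that accepts a mask like 255.255.0.255 is a classic source of "why does this rule match the wrong hosts" problems; rejecting non-contiguous masks at input time is cheaper than finding out later.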
Variable Length Subnet Masks (VLSM)
• As the IPv4 address space becomes steadily more heavily used, more efficient methods of allocating IP addresses are needed
• VLSM enables a network designer to allocate IP address ranges to subnets that more closely match the predicted number of subnets and the number of hosts per subnet
• Without VLSM, the designer has to allocate subnetted address ranges that are all the same size and use the same subnet mask within a single class-based network
• That means extra router interfaces are needed to connect the various smaller subnets within a department, and address space is wasted on small subnets such as point-to-point links
• VLSM allows subnet masks of different lengths to be used within the same IP network, permitting more flexibility in the design process
o Planning a VLSM Addressing Scheme
• This scenario has six main offices, each with different network sizes and IP address requirements
• There are also two subnets connecting the regional routers to the headquarters router, which provides access to the Internet
• VLSM design continues by identifying the largest subnets and organising the scheme in descending order of size
• Although VLSM allows more precise allocation of address space, there is still a need to design for growth and leave space in every subnet for additional hosts
• The requirements of the subnetted network are listed in the table on the next slide, along with the actual number of IP addresses that the VLSM design would provide
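The "largest subnet first" procedure described here is mechanical enough to automate, and doing so avoids the two usual hand-calculation mistakes: forgetting the two addresses lost to the network ID and broadcast, and placing a subnet on a boundary not aligned to its own size. The following is an added example, not code from the delegate pack: it carves a parent block into VLSM subnets for a set of named host-count requirements, applies an optional growth allowance, and raises an error when the block runs out. The office names, host counts and the 192.168.10.0/24 block are constructed for the example (the pack's own six-office scenario is not reproduced).

```python
import ipaddress


def vlsm_plan(block: str, requirements: dict, growth: float = 0.0) -> list:
    """Carve `block` into subnets sized for each named requirement (hosts needed),
    largest first, so every subnet lands on a boundary aligned to its own size.
    `growth` is fractional headroom added to each host count (0.25 = +25%)."""
    parent = ipaddress.ip_network(block)
    cursor = int(parent.network_address)
    end = int(parent.broadcast_address) + 1
    plan = []
    # Largest requirement first: non-increasing sizes keep the cursor aligned as it advances.
    for name, hosts in sorted(requirements.items(), key=lambda kv: kv[1], reverse=True):
        needed = int(hosts * (1 + growth)) + 2          # plus the network ID and broadcast address
        host_bits = max(2, (needed - 1).bit_length())  # smallest power of two >= needed, never below /30
        size = 1 << host_bits
        cursor = (cursor + size - 1) // size * size     # align up to the subnet size (no-op when sorted)
        if cursor + size > end:
            raise ValueError(f"{block} has no room left for {name} ({hosts} hosts)")
        net = ipaddress.ip_network(f"{ipaddress.IPv4Address(cursor)}/{32 - host_bits}")
        plan.append({"name": name, "hosts_needed": hosts, "subnet": str(net),
                     "usable": net.num_addresses - 2})
        cursor += size
    return plan


if __name__ == "__main__":
    # Constructed requirements: three offices and two point-to-point WAN links.
    needs = {"HQ": 100, "Office A": 50, "Office B": 20, "WAN1": 2, "WAN2": 2}
    for entry in vlsm_plan("192.168.10.0/24", needs):
        print(f"{entry['name']:<9} {entry['subnet']:<20} needs {entry['hosts_needed']:>3}, "
              f"usable {entry['usable']}")
```

Run with `growth=0.25` to see which subnets jump to the next power of two: that is the "design for growth" trade-off the text mentions, paid for in address space up front rather than in re-addressing later.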
Module 8: Configure and Verify IPv6
Addressing and Prefix
1.8 IPv6 Addressing
IPv6 Address Format
• IPv4 has a 32-bit address space, which allows for about 4.3 billion addresses. However, the way in which addresses were allocated was inefficient and led to many available addresses being wasted
• These inefficiencies in the addressing scheme, together with the increasing demand for addresses, mean that the supply of available IPv4 addresses is close to exhaustion
• Private addressing and network address translation (NAT) have provided a "stopgap" solution to the problem
• IPv6's 128-bit addressing scheme has space for 340 undecillion unique addresses
• Only a small part of that space is currently allocated for hosts, but there is still more than enough address space within that allocation
• IPv6 is designed to meet the demands of personal and handheld devices with Internet connectivity
• Currently that mostly means phones, but the IPv6 designers envisage a world of wireless Internet connectivity for a huge variety of appliances
• For example, an advertising hoarding could be made "active" so that it can be linked to the product through the phone
• IPv6 has now begun to be deployed in particular sections of corporate and public networks
• While IPv6 has been a standard, installed feature of the last few versions of the common desktop and server operating systems, it has typically been implemented only in the core network
• However, with the increasing problems of the existing IPv4 scheme, IPv6 will become more mainstream in corporate networks, down to the desktop and across the web in general
o Hexadecimal Numbering
• To interpret IPv6 addresses, you need to understand hexadecimal notation and base numbering systems
• Base 10 means that each digit can have one of ten possible values (0 to 9)
• A digit placed to the left of another is worth ten times the digit to its right
• For example, 255 = (2×10×10)+(5×10)+5
• Binary is base 2, so a digit in any given position can have only one of two values (0 or 1), and each place position is the next power of 2
• The binary value 11111111 converts to the decimal value 255 with the following sum:
(1×2×2×2×2×2×2×2)+(1×2×2×2×2×2×2)+(1×2×2×2×2×2)+(1×2×2×2×2)+(1×2×2×2)+(1×2×2)+(1×2)+1 = 128+64+32+16+8+4+2+1
• Many values in computing, such as IPv4 addresses, are expressed in octets (bytes)
• Because IPv6 addresses are long (128 bits), dotted decimal notation becomes impractical
• Hex is base 16, with the possible values of each digit represented by the numerals 0 to 9 and the letters A, B, C, D, E, F (so one hex digit represents exactly four bits)
The following table is used to convert between binary, decimal, and hexadecimal values
o IPv6 Address Compression
• IPv6 addresses consist of eight 16-bit numbers, with each double-byte number expressed as 4 hex digits. For example, the binary address:
0010 0000 0000 0001 : 0000 1101 1011 1000 : 0000 0000 0000 0000 :
0000 0000 0000 0000 : 0000 1010 1011 1100 : 0000 0000 0000 0000 :
1101 1110 1111 0000 : 0001 0010 0011 0100
is written 2001:0db8:0000:0000:0abc:0000:def0:1234
• Leading zeroes within each group can be dropped: 2001:db8:0:0:abc:0:def0:1234
• In addition, one contiguous series of all-zero groups can be replaced by a double colon place marker (where two runs are the same length the first is compressed, and a single zero group is written as 0):
2001:db8::abc:0:def0:1234
• Double-colon compression can be used only once in a given address. For example:
2001:db8::abc::def0:1234
• The above is not valid because it is ambiguous: the eight groups could be reconstructed as either of the following two addresses:
2001:db8:0000:0abc:0000:0000:def0:1234
2001:db8:0000:0000:0abc:0000:def0:1234
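The compression rules above are exactly what an address parser has to enforce, and the ambiguity is what goes wrong when it does not. The following is an added example, not code from the delegate pack: it expands and compresses IPv6 text addresses by the rules just described, rejects a second `::`, and, to make the ambiguity concrete, enumerates every full address an invalid double-`::` form could stand for. The helper `matches_stdlib` compares the result with Python's `ipaddress` module as a cross-check.

```python
import ipaddress
from itertools import product

HEX_DIGITS = set("0123456789abcdef")


def _split_groups(addr: str):
    """Split on '::' and then on ':'; return (list of group lists, number of '::' markers)."""
    parts = addr.lower().split("::")
    segments = [part.split(":") if part else [] for part in parts]
    for seg in segments:
        for g in seg:
            if not 1 <= len(g) <= 4 or not set(g) <= HEX_DIGITS:
                raise ValueError(f"bad hex group {g!r} in {addr!r}")
    return segments, len(parts) - 1


def expand(addr: str) -> str:
    """Return the full eight-group form with every group padded to 4 hex digits."""
    segments, markers = _split_groups(addr)
    if markers > 1:
        raise ValueError(f"'::' may appear only once: {addr!r}")
    if markers == 1:
        missing = 8 - len(segments[0]) - len(segments[1])
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one zero group: {addr!r}")
        groups = segments[0] + ["0"] * missing + segments[1]
    else:
        groups = segments[0]
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}: {addr!r}")
    return ":".join(g.zfill(4) for g in groups)


def compress(addr: str) -> str:
    """Canonical form (RFC 5952): leading zeroes dropped, the longest run of two or more
    zero groups replaced by '::', the first such run winning a tie."""
    groups = [g.lstrip("0") or "0" for g in expand(addr).split(":")]
    best_start, best_len = -1, 1       # a run must be longer than 1 to be compressed
    i = 0
    while i < 8:
        if groups[i] == "0":
            j = i
            while j < 8 and groups[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_start < 0:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def candidates(addr: str) -> list:
    """Every full address a text form could mean. One entry for a valid address;
    several for a form with more than one '::', which is exactly why it is forbidden."""
    segments, markers = _split_groups(addr)
    if markers == 0:
        return [expand(addr)]
    missing = 8 - sum(len(s) for s in segments)
    results = []
    for split in product(range(1, missing + 1), repeat=markers):   # zero groups per marker
        if sum(split) != missing:
            continue
        groups = list(segments[0])
        for zeros, seg in zip(split, segments[1:]):
            groups += ["0"] * zeros + seg
        results.append(":".join(g.zfill(4) for g in groups))
    return results


def matches_stdlib(addr: str) -> bool:
    """Cross-check: our canonical form equals the one produced by the ipaddress module."""
    return compress(addr) == str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    print(compress("2001:0db8:0000:0000:0abc:0000:def0:1234"))   # 2001:db8::abc:0:def0:1234
    print(expand("2001:db8::abc:0:def0:1234"))
    print(candidates("2001:db8::abc::def0:1234"))                # two different addresses
```

Log correlation and allow-lists should always compare the canonical form: "2001:db8:0:0:abc:0:def0:1234" and "2001:DB8::ABC:0:DEF0:1234" are the same host, and a string comparison will not say so.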
• If an IPv6 address is used as part of a URL, the address must be enclosed in square brackets (otherwise its colons would be read as the port separator)
• For example:
http://[2001:db8::abc:0:def0:1234]/index.htm
o IPv6 Packets
• An IPv6 packet comprises two or three elements: the main (fixed) header, zero or more optional extension headers, and the payload
Field          Size      Description
Flow Label     20 bits   Used for QoS management, such as for real-time streams. Set to 0 for packets that are not part of any delivery sequence or structure
Payload Length 16 bits   The length of the packet payload (everything after the fixed header), up to a maximum of 64 KB; if the payload is bigger than that, this field is 0 and a special Jumbo Payload (up to 4 GB) option is used
Next Header    8 bits    Identifies the next extension header (if any), or the upper-layer protocol where the actual payload begins
IPv6 Addressing Schemes
• An IPv6 address is divided into two parts: the first 64 bits are used as the network ID and the second 64 bits designate a specific interface
Network ID (64 bits) | Interface ID (64 bits)
• Network addresses are written using CIDR notation, where /nn is the routing prefix length in bits
• Within the 64-bit network ID, as with CIDR, the network prefix length is used to decide whether two addresses belong to the same IP network
• For example, with a /48 prefix, two IPv6 addresses whose first 48 bits are identical belong to the same IP network:
2001:db8:3c4d::/48
2001:db8:3c4d:01::/64
• IPv6 describes several addressing schemes. These are unicast, multicast, and anycast
• Global scope provides the equivalent of public addressing in IPv4, while link-local scope provides the equivalent of private addressing
o IPv6 Global Addressing
• Globally scoped unicast addresses are routable over the Internet and are the equivalent
of public IPv4 addresses
➢ The first 3 bits (001) denote that the address is within the global scope. Most of the IPv6 address space is unused; the scope for globally unique unicast addressing holds 1/8th of the total address space. In hex, globally scoped unicast addresses begin with a 2 (0010) or 3 (0011)
➢ The next 45 bits are allotted hierarchically to regional registries and from them to
ISPs and end users
• The digits fffe are inserted in the middle of the address, and the U/L bit is flipped
• For example, the MAC address 00608c123abc becomes the EUI-64 address 02608cfffe123abc, which when expressed in double bytes becomes 0260:8cff:fe12:3abc, or 260:8cff:fe12:3abc with leading zeros dropped
• In the second technique, the client device uses a pseudorandom number for the
interface ID. This is referred to as a temporary interface ID or token
• Using interface identifiers would permit a specific host to be recognised and monitored
closely when connecting to the Internet and utilising a token mitigates this to some
degree
• Link-local addresses begin with a leading fe80 while the next 54 bits are set to zero and
the last 64 bits are the interface ID
• The equivalent in IPv4 is Automatic Private IP Addressing (APIPA) and its 169.254.0.0
addresses
• However, an IPv6 host is always configured with link-local addresses, even if it also has a
globally unique address
• A link-local address is also appended with a zone index of the form %1 (Windows) or
%eth0 (Linux)
• This is used to determine the address source and make it unique to a specific link
• For example, a host may have links to Ethernet, loopback address, and a VPN
• All these links use the same link-local address, so to make it unique each is assigned a
zone ID
• The host system generates zone indices, so when two hosts communicate they may refer to the same link using different zone IDs
o IPv6 Unique Local Addressing
• Unique Local Addressing assigns addresses that are only routable within a site
• Unique Local Addressing (ULA) addresses are not routable over the Internet
• ULA is designed for hosts that will never access the Internet
• The prefix for unique local addressing is fc00::/7, but it is more common to see addresses of the form fd00::/8, because the 8th bit is set to 1 to indicate locally assigned addressing
• The next 40 bits should be generated by a pseudo-random algorithm and used for a single site only
• While designed for site-local addressing, ULA is global in scope, which means that no two organisations should use the same ULA prefix. The remaining 16 bits can be used for subnetting
o IPv6 Multicast Addressing
• A multicast address identifies multiple network interfaces, and unlike IPv4, IPv6 routers must support multicast
➢ The first 8 bits show that the address is within the multicast scope (1111 1111 or ff)
➢ The next 4 bits are utilised to flag types of multicast if required (they are set to 0
otherwise)
➢ The next 4 bits define the scope; for example, 1 is node-local while 2 is link-local
➢ The final 112 bits define multicast groups within that scope
• Broadcast addresses are not implemented in IPv6. Instead, hosts use a suitable multicast address for a given situation
• Certain multicast addresses are reserved for this kind of "broadcast" functionality. They enable an interface to "broadcast" to all routers or all interfaces on the same node or local link
• ARP is "chatty" and needs every node to process its messages, whether they are relevant
to the node or not. IPv6 substitutes ARP with the Neighbor Discovery (ND) protocol
• The solicited-node multicast address used by ND is formed from the prefix ff02::1:ff followed by the last 24 bits of the unicast address
• This reduces the number of hosts that are likely to receive ND messages, which makes it more efficient than the old ARP broadcast mechanism
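The compression rule, the modified EUI-64 interface ID, the prefix comparison and the solicited-node address from the slides above, worked in Python as an added example (not part of the delegate pack). The sample addresses are the slides' own; the dashed MAC notation and the function names are assumptions. compress_ipv6 goes slightly beyond the text: when several zero runs exist it replaces the longest one.

```python
"""Added example (not from the delegate pack): IPv6 address handling as the
slides describe it. Sample addresses come from the slides; anything else is
constructed for illustration."""
import re

HEX_GROUP = re.compile(r"[0-9a-fA-F]{1,4}")


def expand_ipv6(addr: str) -> str:
    """Expand an IPv6 address to eight 4-digit groups.

    Enforces the slide's rule that '::' may appear only once: a second '::'
    makes the address ambiguous, so it is rejected."""
    if addr.count("::") > 1:
        raise ValueError(f"{addr!r}: '::' may be used only once")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError(f"{addr!r}: '::' must stand for at least one zero group")
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(HEX_GROUP.fullmatch(g) for g in groups):
        raise ValueError(f"{addr!r} is not a valid IPv6 address")
    return ":".join(g.lower().zfill(4) for g in groups)


def is_valid_ipv6(addr: str) -> bool:
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


def compress_ipv6(addr: str) -> str:
    """Compressed form: drop leading zeros in every group and replace the
    longest run of two or more all-zero groups with a single '::'."""
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(addr).split(":")]
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, g in enumerate(groups + ["end"]):      # sentinel closes the last run
        if g == "0":
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def mac_to_eui64_interface_id(mac: str) -> str:
    """Modified EUI-64 interface ID: insert fffe in the middle of the 48-bit
    MAC and flip the U/L bit (0x02 of the first byte), as on the slide."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    first_byte = int(digits[:2], 16) ^ 0x02
    eui64 = f"{first_byte:02x}{digits[2:6]}fffe{digits[6:]}"
    return ":".join(eui64[i:i + 4] for i in range(0, 16, 4))


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 plus the EUI-64 interface ID (the first technique)."""
    return compress_ipv6("fe80:0:0:0:" + mac_to_eui64_interface_id(mac))


def same_network(a: str, b: str, prefix_len: int) -> bool:
    """True when the first prefix_len bits of both addresses are identical."""
    ia = int(expand_ipv6(a).replace(":", ""), 16)
    ib = int(expand_ipv6(b).replace(":", ""), 16)
    shift = 128 - prefix_len
    return (ia >> shift) == (ib >> shift)


def solicited_node_multicast(unicast: str) -> str:
    """ND solicited-node address: ff02::1:ff followed by the unicast
    address's last 24 bits, so only hosts sharing those bits listen."""
    low24 = expand_ipv6(unicast).replace(":", "")[-6:]
    return compress_ipv6(f"ff02:0:0:0:0:1:ff{low24[:2]}:{low24[2:]}")
```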
o IPv6 Anycast Addressing
• Anycast is used when a message must be sent to any member of a group, but not necessarily to all of them
• The packet is sent to the group member physically closest to the transmitting host
o IPv6 Reserved Addresses
o IPv6 Address Prefixes
• The following table identifies some commonly used classes of IPv6 address by prefix notation or leading hex digits:
Multicast | ff00::/8 | leading hex digits ff
1.9 Compare IPv6 Address Types
There are several different types of IPv6 addresses:
o Global unicast range – 2000::/3
o Unique local range – FD00::/8
1.9.c Link Local
o Self-generated
o Range – FE80::/10
1.9.d AnyCast
o Range – FF00::/8
Module 10: Verify IP Parameters for Client OS
1.10 Verify IP parameters for Client OS
• Every operating system has various commands which you can use to verify network
settings
a. Windows
The following are the steps to verify interface IP parameters in Windows OS:
1. Open the command prompt application by searching for “command prompt” with a
Windows search
b. Mac OS
The following are the steps to verify interface IP parameters in Mac OS:
c. Linux
The following are the steps to verify interface IP parameters in Linux OS:
1. Open the terminal application by searching for “terminal” with an application search
Module 11: Describe Wireless Principles
1.11.a Nonoverlapping Wi-Fi channels
• The wireless frequencies are used to transmit data over the air. They are split up into
smaller bands called channels
2.4 GHz channels (U.S.): 1 2 3 4 5 6 7 8 9 10 11
5 GHz channels (U.S.): 36 40 44 48 …
1.11.b SSID and 1.11.c RF
SSID
RF
1.11.d Encryption
• For secure wireless transmissions, encryption methods are used
Module 12: Explain Virtualisation Fundamentals (Virtual Machines)
1.12 Server Virtualisation Basics
• Before virtualisation, the physical server model was used, in which each physical server runs one operating system that uses all the hardware in that one server
• Nowadays, most companies create a virtualised data centre, i.e. the company purchases server hardware, installs it in racks, and then treats all the CPU, RAM, and so on as capacity in the data centre
• After that, each OS instance is decoupled from the hardware and is therefore virtual
• Every piece of hardware that we would previously have thought of as a server runs
multiple instances of an OS at the same time, with each virtual OS instance called a
virtual machine, or VM
Figure: four virtual machines, each running its own apps on its own OS, on top of a hypervisor
• The management and allocation of the host hardware i.e. CPU, RAM, etc. to each VM
based on the settings for the VM is done by the hypervisor
• Server virtualisation tools provide a wide-ranging variety of options for how to connect
VMs to networks
• Generally, a physical server has one or more NICs, maybe as slow as 1 Gbps, often 10
Gbps today, and maybe as fast as 40 Gbps
• To make the OS work normally, every VM has at least one NIC, but for a VM, it is a virtual
NIC
• Lastly, the server must combine the ideas of the physical NICs with the vNICs used by the
VMs into some kind of a network
• Most servers use some kind of internal Ethernet switch concept, known as a virtual switch, or vSwitch
Module 13: Describe Switching Concepts
1.13.a MAC Learning and Aging
• MAC address learning occurs when the switch is started and connected hosts start sending frames
• By default, the switch removes a MAC address table entry that has not been refreshed for five minutes (the aging time)
• A layer 2 broadcast is transmitted to all devices in a single broadcast domain (segment)
• A broadcast frame carries ffff.ffff.ffff as the destination MAC address, and the switch transmits it out all ports except the one on which the frame was received
1.13.b Frame Switching
• The host sends packets encapsulated with an IP header in the frame
• The IP address of source and destination in the header are needed for end-to-end
connectivity
• Wireless access points and Switches are network devices which make forwarding
decisions on the basis of the destination MAC address in the frame
• In the frame, Wireless access points and Switches do not change MAC addressing
• The switch does not rewrite the MAC addressing in the header of frames
• It examines the MAC address of source and MAC address of the destination
• When not listed, the incoming frame's source MAC address is added to the MAC
address table
• The switch examines the frame header for the destination MAC address and looks it up in the MAC address table to make a forwarding decision
• The frame is then forwarded out the switch port associated with the destination MAC address, where the destination host is connected
• A frame whose destination MAC address is not local is forwarded to the router
1.13.c Frame Flooding
• LAN switches use forwarding tables, i.e. Content Addressable Memory (CAM) tables or Layer 2 (L2) tables, to direct traffic to particular ports on the basis of the VLAN number and the frame's destination MAC address
• Initially, the L2 table has no entry for the destination MAC address. Therefore, the LAN switch sends the frame out all connected ports in order to learn which port the destination MAC address is on. This is frame flooding
• Subsequent frames to that destination are sent only to the specific port associated with the frame's destination MAC address
Frame arrives at LAN switch → Is the destination address available in the CAM table?
No: forward the frame to all connected ports except the port on which it arrived
Yes: forward the frame only to the port connected with the destination address
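The learning, flooding and aging behaviour from the switching slides, modelled in Python as an added example (not part of the delegate pack). The port numbers, MAC addresses, timings and the Switch/Entry names are constructed; the 300-second aging default is the five minutes the slides state.

```python
"""Added example (not from the delegate pack): a minimal model of the MAC
learning, unknown-unicast/broadcast flooding and aging behaviour described on
the switching slides. Frames, ports and timings are constructed."""
from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"
DEFAULT_AGING_SECONDS = 300          # five minutes, the default aging time


@dataclass
class Entry:
    port: int
    last_seen: float                 # when the entry was learned or refreshed


class Switch:
    def __init__(self, ports, aging=DEFAULT_AGING_SECONDS):
        self.ports = list(ports)
        self.aging = aging
        self.table = {}              # (vlan, mac) -> Entry: the CAM / L2 table

    def age_out(self, now):
        """Drop entries not refreshed within the aging time; return them."""
        expired = [k for k, e in self.table.items() if now - e.last_seen >= self.aging]
        for k in expired:
            del self.table[k]
        return expired

    def forward(self, src, dst, in_port, vlan=1, now=0.0):
        """Learn the source MAC on the ingress port and return the egress
        ports for the frame (the decision in the flowchart above)."""
        self.age_out(now)
        self.table[(vlan, src)] = Entry(in_port, now)       # learn / refresh
        entry = self.table.get((vlan, dst))
        if dst == BROADCAST or entry is None:
            # Broadcast, or destination not in the table: flood out every
            # port except the one the frame arrived on.
            return [p for p in self.ports if p != in_port]
        if entry.port == in_port:
            return []                # destination is on the ingress segment
        return [entry.port]          # known unicast: one port only


HOST_A = "0000.000a.aaaa"            # constructed MAC addresses
HOST_B = "0000.000b.bbbb"


def demo():
    """Walk through flood -> learn -> forward -> age out on a 4-port switch."""
    sw = Switch(ports=[1, 2, 3, 4])
    first = sw.forward(HOST_A, HOST_B, in_port=1, now=0.0)    # B unknown: flood
    reply = sw.forward(HOST_B, HOST_A, in_port=2, now=1.0)    # A known: port 1
    second = sw.forward(HOST_A, HOST_B, in_port=1, now=2.0)   # B known: port 2
    aged = sw.forward(HOST_A, HOST_B, in_port=1, now=400.0)   # B aged out: flood
    return first, reply, second, aged
```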
1.13.d MAC Address Table
• Each network device is assigned a unique hardware address by its manufacturer, known as the MAC address
• The purpose of a MAC address is to provide a unique identifier at layer 2
• That enables communication between devices in the same network segment or in different segments (VLANs)
• Switch forwarding decisions are based on the MAC address and the port it was learned on
• The first 24 bits are the manufacturer's OUI (Organisationally Unique Identifier), and the last 24 bits are a unique serial number (SN)
OUI | SN
0000.000a.aaaa
Domain 2
Network Access
Outlines of Domain 2
• Module 1: Configure and verify VLANs (normal range) spanning
multiple switches
• Module 5: Describe the need for and basic operations of Rapid PVST+
Spanning Tree Protocol and identify basic operations
Cisco Router Modes
Modes of Router:
1. User Execution Mode
2. Privileged Mode
3. Global Configuration Mode
4. Interface Configuration Mode
5. ROMMON Mode
2.1 Configure and Verify VLANs (Normal Range) Spanning Multiple Switches
2.1.a Access Ports (Data and Voice)
• Access ports are also called edge ports, and they act as endpoints for establishing a
connection to the network
• Data access ports are not intended for VLAN tagging. Therefore, connected devices
should send untagged frames
• When an access port receives untagged data traffic, the "access VLAN" provisioned on the interface determines the VLAN to which the traffic is forwarded
2.1.b Default VLAN
2.1.c Connectivity
Connectivity is a key factor in any business. The following are some types of network connectivity:
• ISDN, DSL, mobile broadband and cable modem connections are generally classified as broadband
ii. Mobile Internet: is used to access networks from anywhere through wireless connections
• For mobile internet, the more advanced the mobile protocol, the higher the speed and connectivity
iii. Virtual Private Network (VPN): is used to create a private network to exchange data
securely over a public network
iv. Dial-up Networks: These networks enable TCP/IP communication over ordinary
telephone lines
• They make use of analog modems that call specific telephone numbers to make
connections
v. Local Area Networks (LAN): These are used to connect multiple local devices and
computers to share information and access resources
• Routers and network switches are used to connect a LAN with outside networks
vi. Direct Networks: This is the simplest form of connectivity in which the connection is
established between two devices directly
2.2 Configure and Verify Interswitch Connectivity
2.2.a Trunk Ports
• Trunk ports are used for connections when several VLANs need to send data
Figure: trunk port (tagged) and access port (untagged)
Enable trunk mode on an interface
1. Configuration of Switch 1
4. Configuration of Switch 2
2.2.b 802.1Q
• 802.1Q is the standard that defines VLAN tagging within an Ethernet frame; the 802.1Q tag inserted into the frame is 4 bytes long
2.2.c Native VLAN
Introduction
• Cisco trunk ports can have one untagged VLAN, and it is also known as Native VLAN
• Traffic that is transmitted out of a trunk port that resides in the Native VLAN will be
forwarded without a VLAN tag
Example of Native VLAN configuration
• Configuration of switch 1
2. Enable trunk port at switch 1
3. Verify Native VLAN
4. Configuration of switch 2
2.3 Configure and Verify Layer 2 Discovery Protocols (Cisco Discovery Protocol and LLDP)
CDP (Cisco Discovery Protocol)
• CDP is a Cisco-proprietary protocol that can be used to discover information about directly connected devices; it is enabled on most Cisco devices by default
• The command "show cdp neighbor" displays the information learned through CDP
Example of CDP Configuration
1. Configuration of Router 1
2. Configuration of Router 2
3. Enable CDP
4. Command: “show cdp neighbors”
LLDP
• LLDP is similar to CDP except that it is an open standard protocol, so it can be used by any vendor, including Cisco
Example of LLDP Configuration
1. Enabling LLDP on Router 1
2. Enabling LLDP on Router 2
3. Enabling LLDP on Switch 1, and then assign the interface port
4. Now, we can check the number of neighbors on the Router 1
5. Enable LLDP on Switch 2, and assign the interface port. Now, you can check the number
of neighbors through “show lldp neighbors” command
6. You can also check the details of all connected devices using the “show lldp neighbors detail” command on Router 1
2.4 Configure and Verify (Layer 2/Layer 3) EtherChannel (LACP)
• EtherChannel (also known as a port channel) is a configuration option that lets you logically bundle multiple physical interfaces to provide additional redundancy and link throughput
1. Configure LACP on Switch 1
2. Configure LACP on Switch 2
2.5 Rapid PVST+ Spanning Tree Protocol: Need for and Basic Operations, and Identify Basic Operations
Figure: topology of Switch 1, Switch 2 and Host A, shown with STP
2.5.a Root Port, Root Bridge, and other Port Names
Root Port
• Every switch elects the port closest to the root bridge as its root port in an STP topology
Designated Port
Alternate Port
Root Bridge
• In each STP (Spanning Tree Protocol) topology, one switch is selected as the root bridge. It acts as the central reference point for the topology
o By default, the switch with the lowest MAC address wins the root bridge election
2.5.b Port States (Forwarding/Blocking)
Switchports running Rapid PVST+ operate in the following three port states:
1. Discarding: the state of a switchport when it first appears, in blocking mode
2. Learning: in this state the switchport starts to learn MAC addresses
3. Forwarding: in this final state the switchport finally starts to forward traffic
2.5.c PortFast Benefits
The following are the benefits of PortFast:
• Many network devices cannot work properly while waiting for Rapid PVST+ to reach the
forwarding state
• Switchports can go directly into the forwarding state with the PortFast feature and
bypass the first two states (discarding & learning)
• PortFast should only be used on edge ports which do not have other switches
connected, as it bypasses the Rapid PVST+ loop prevention checks
2.6 Compare Cisco Wireless Architectures and AP modes
• When access points are in lightweight mode, there are various options for forwarding wireless endpoint traffic onto the network
o Local Mode: Access points tunnel all wireless endpoint traffic to a WLC that then forwards it to the wired network. It is typically used for campus sites
Figure (Local Mode): endpoints wirelessly connect to the AP; the AP tunnels endpoint traffic to the WLC with CAPWAP; the WLC forwards endpoint traffic onto the wired network
o FlexConnect Local Switching Mode: Access points forward all endpoint wireless traffic directly onto the wire. It is used for remote WAN sites
Figure (FlexConnect Local Switching Mode): endpoints wirelessly connect to the AP
2.7 Describe Physical Infrastructure Connections of WLAN Components
• APs and WLCs need some type of physical connection to forward wireless traffic onto a wired network
• WLC Connections
o WLCs would typically have a trunk port, and it is connected to the core switching
devices
o This is because usually several VLANs are used for different SSIDs (Service Set
Identifier)
o A WLC trunk port can be a single link, but best practice is to use a Link Aggregation
(EtherChannel)
The following are the steps of configuring WLC:
Step 1: Create the given topology in Cisco Packet Tracer, and click on the laptop
Step 2: Click on the Desktop button from the menu bar, and then click Web Browser
Step 3: Give the following IP address of WLC in the URL bar and click on Go button
Step 4: Create username and password, and then click on Start button
Step 5: Give any System Name according to your requirement, enter the WLC IP address in the Management IP Address box, and enter the Subnet Mask and Default Gateway as given in the figure. After that, click on the Next button
Step 6: Give any name to Network Name and create any password according to your need,
and click on Next button
Step 7: Click on Next
Step 8: The previously entered information will appear. Now click on the Apply button. After clicking Apply, it takes some time to process, and we then have to close the web browser by clicking on the cross button in the upper right corner
Step 9: Now, open the web browser again, type the IP address of the WLC as given in the figure and click on the Go button. Note that in the previous step we used “http://10.10.10.5”, but here we have to use “https://10.10.10.5”
Step 10: Enter the previously created Username and password and click on login button
Step 11: After logging in, the following window will appear
Figure callout: LAG Trunk Mode (Tagged)
• AP Connections
Example of Access Points
Configuration of Access Points
2.8 Describe AP and WLC Management Access Connections
AP Management
• Once Lightweight APs get registered, they are managed by the WLC, and you really should
not need to have direct access to them
WLC Management
• WLCs are primarily managed through HTTPS (Hypertext Transfer Protocol Secure) & SSH
(Secure Shell)
Example of TELNET in Cisco Packet Tracer
Configuration of TELNET
Configuration of SSH
Example of SSH in Cisco Packet Tracer
2.9 Configure the Components of a Wireless LAN Access for Client Connectivity
WLAN Creation
Step 2: Give an appropriate Profile Name and SSID according to your requirement and then
click on Apply button
Outlines of Domain 3
• Module 1: Interpret the components of routing table
3.1 Interpret the Components of Routing Table
3.1.a Routing Protocol Code
• There are various codes displayed in routing tables that identify how routes are added to
the routing table
Example of Static Routing Protocol
Configuration of Gateway of Last Resort
3.1.b Prefix
3.1.c Network mask
• A network mask (also known as a subnet mask) identifies which part of an IP address is the network prefix used for routing
• The following values show the network mask for the prefix 10.0.0.0/24:
o 10.0.0.0/24, or 255.255.255.0
o Network mask 255.255.255.0 in binary: 11111111.11111111.11111111.00000000
o A 1 in a binary network mask = part of the network portion
o A 0 in a binary network mask = part of the host portion
3.1.d Next Hop
• When network devices need to route to a destination, a next hop IP address is required to
forward packets in the right direction
• In the output below, this layer 3 switch sends default-routed destinations to the next-hop IP address 10.0.0.2
3.1.e Administrative Distance
• Network devices rely on the administrative distance (AD) to know which route types are
better than others
• The pre-assigned default AD values for each route type are shown in the table below
Route Source | Default Distance Value
Connected interface | 0
Static route | 1
Enhanced Interior Gateway Routing Protocol (EIGRP) summary route | 5
OSPF | 110
Unknown | 225
• You can see the AD value in the routing table. It is the value on the left in the bracket
after the prefix
• In the figure below you can see the AD is “1” for the static route
3.1.f Metric
• You can use the metric value as a tie-breaker if the administrative distance value is the
same for two learned routes
• Routing protocols change advertised route metrics dynamically, based on things like
interface bandwidth
3.1.g Gateway of Last Resort
• If there are no specific routes for a particular destination in the routing table the last
resort gateway (Default route) is used
3.2 Determine how a Router makes a Forwarding Decision by Default
Routing Lookup Order
3.2.a Longest Match
• When a router looks at the routing table to decide a destination's best path, the first
thing to look for is the most specific match
• It means the route with the most network bit matches for the destination
3.2.b Administrative Distance
• If a router has more than one candidate route with the same network mask bit length for a destination, the AD is used as a tie-breaker to decide which route is preferred
• In the example, two static routes with the same network bit length are added to the router's configuration, but only the one with the lower AD is installed in the routing table
3.2.c Routing Protocol Metric
• If both the prefix length and the AD are the same, the final tie-breaker is the routing metric
• In the example, the same route is learned from multiple sources via the routing protocol OSPF (default AD of 110), with the same prefix length and AD
• In this case the router relies on the learned OSPF route metric to determine the best path
3.3 Configure and Verify IPv4 and IPv6 Static Routing
3.3.a Default Route
• This kind of route is used as a catch all route to send unknown destinations to a particular
device
theknowledgeacademy
282
Configure and Verify IPv4 and IPv6 Static
Routing
(Continued)
theknowledgeacademy
283
Configure and Verify IPv4 and IPv6 Static
Routing
(Continued)
theknowledgeacademy
284
Configure and Verify IPv4 and IPv6 Static
3.3.b Network Route
Routing
• This kind of route is used to send known network destinations to a specific device
• IPv4 static network route configuration example for network destination 10.0.0.0/24 with
next-hop 10.0.255.2
• IPv6 static network route configuration example for network destination 2001::/64 with
next-hop 2001:255::2
theknowledgeacademy
285
Configure and Verify IPv4 and IPv6 Static
Routing
3.3.c Host Route
theknowledgeacademy
286
Configure and Verify IPv4 and IPv6 Static
Routing
• Command to show configuration of Router 1
theknowledgeacademy
287
Configure and Verify IPv4 and IPv6 Static
Routing
• Command to show configuration of Router 2
theknowledgeacademy
288
Configure and Verify IPv4 and IPv6 Static
Routing
3.3.d Floating Static
• This kind of route is used as a backup route if a primary next-hop device is not available
• You set the AD to be higher than the primary route and set a different next-hop to make a
route “floating”
• An example of IPv4 floating static configuration (UK, USA and India routers)
Step 2: IP configuration of UK Router: the primary route, then a secondary route with a
higher administrative distance
Step 3: IP configuration of USA Router
Step 4: IP configuration of India Router
3.4 Configure and Verify Single Area OSPFv2
OSPFv2 Overview
• OSPF (Open Shortest Path First) is a link-state routing protocol used to advertise routes
between routers; every router in an area builds the same link-state database and runs the
shortest path first algorithm on it to pick its routes
3.4.a Neighbor Adjacencies
• Before routers can exchange routes with each other they must first form a neighbor
adjacency, which requires:
1. Common subnet
2. Unique Router-ID
3. Same Area ID
4. Same Hello and Dead timers
5. Same MTU value
• Configuration of Router 2
• Configuration of Router 1
• Check to see if any OSPF routes are learned from adjacent neighbors
3.4.b Point-to-point
• If OSPF runs over L2 WAN protocols such as HDLC (High-Level Data Link Control) or PPP
(Point-to-Point Protocol) on point-to-point serial links it uses the point-to-point network type
• In this mode no DR/BDR (Designated Router/Backup Designated Router) is elected, since the
link is not multi-access; the two routers simply become fully adjacent with each other
• Example of OSPFv2 point-to-point interface configuration
3.4.c Broadcast (DR/BDR Selection)
• Designated Routers (DR) and Backup Designated Routers (BDR) are used in a multi-access
(broadcast) OSPF topology to relay routing updates
• DR routers help OSPF scale: each router forms a full adjacency only with the DR and BDR
instead of with every other router on the segment, so there is less information for each
router to process
• In each multi-access OSPF segment one DR and one BDR are elected
OSPF DR/BDR Selection Process:
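The five adjacency requirements and the DR/BDR election can both be checked mechanically. The following added example (not from the delegate pack) does that in Python: adjacency_problems() lists which of the five requirements two interfaces fail, and elect_dr_bdr() runs the election rule for a segment that starts up at once, highest interface priority wins and the higher router-ID breaks ties, with priority 0 routers never taking part. The router-IDs, addresses and priorities are constructed; note that on a real segment the election is not pre-emptive, so a router that joins later does not unseat an existing DR.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class OspfInterface:
    router_id: str
    address: str        # "10.0.0.1/24"
    area: int
    hello: int = 10
    dead: int = 40
    mtu: int = 1500
    priority: int = 1   # 0 = never becomes DR/BDR


def adjacency_problems(a, b):
    """Return the list of the five requirements that interfaces a and b fail."""
    problems = []
    net_a = ipaddress.ip_interface(a.address).network
    net_b = ipaddress.ip_interface(b.address).network
    if net_a != net_b:
        problems.append("common subnet")
    if a.router_id == b.router_id:
        problems.append("unique router-id")
    if a.area != b.area:
        problems.append("same area id")
    if (a.hello, a.dead) != (b.hello, b.dead):
        problems.append("same hello/dead timers")
    if a.mtu != b.mtu:
        problems.append("same mtu")
    return problems


def rid_key(iface):
    # Router-IDs look like IPv4 addresses and compare as 32-bit numbers
    return int(ipaddress.ip_address(iface.router_id))


def elect_dr_bdr(interfaces):
    """Election when all routers come up together: highest priority wins, the
    highest router-ID breaks ties; priority 0 routers are never eligible.
    Returns (dr_router_id, bdr_router_id)."""
    eligible = [i for i in interfaces if i.priority > 0]
    ranked = sorted(eligible, key=lambda i: (i.priority, rid_key(i)), reverse=True)
    dr = ranked[0].router_id if ranked else None
    bdr = ranked[1].router_id if len(ranked) > 1 else None
    return dr, bdr


def demo():
    # Constructed segment 10.0.0.0/24 in area 0
    a = OspfInterface("1.1.1.1", "10.0.0.1/24", area=0, priority=1)
    b = OspfInterface("2.2.2.2", "10.0.0.2/24", area=0, priority=1)
    c = OspfInterface("3.3.3.3", "10.0.0.3/24", area=0, priority=100)
    d = OspfInterface("4.4.4.4", "10.0.0.4/24", area=0, priority=0)
    # A misconfigured neighbour: wrong subnet, area, timers and MTU
    bad = OspfInterface("2.2.2.2", "10.0.1.5/24", area=1, hello=30, dead=120, mtu=1400)
    return {
        "a_b": adjacency_problems(a, b),        # [] : they will become neighbours
        "a_bad": adjacency_problems(a, bad),    # four of the five checks fail
        "election": elect_dr_bdr([a, b, c, d]), # c by priority, then b by router-id
    }
```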
Configuration of OSPF on Routers A, B and C, and then on Routers 1, 2 and 3
3.4.d Router ID
• The OSPF router ID is a 32-bit value written like an IPv4 address that uniquely identifies
each router in the OSPF domain; it is taken from an explicitly configured router-id, otherwise
the highest loopback address, otherwise the highest active physical interface address
Describe the Purpose of First Hop Redundancy Protocol
• With an FHRP, if multiple core devices are on a network and one goes down, another can
take over, so that clients do not lose access to the network
• As the default gateway, routers participating in an FHRP share a virtual IP address (VIP)
• HSRP example: two routers with addresses .2 and .3 on 10.0.0.0/24 share the VIP 10.0.0.1;
the host 10.0.0.100/24 uses 10.0.0.1 as its default gateway. One router is Active and
forwards traffic sent to the VIP; the other is Standby and takes over if the Active router fails
Domain 4
IP Services
Outlines of Domain 4
• Module 1: Configure and verify inside source NAT using static and pools
• Module 2: Configure and verify NTP operating in a client and server mode
• Module 3: Explain the role of DHCP and DNS within the network
• Module 6: Configure and verify DHCP client and relay
• Module 7: Explain the forwarding per-hop behaviour (PHB) for QoS such
as classification, marking, queuing, congestion, policing, shaping
4.1 Configure and Verify inside Source NAT using Static and Pools
• Static NAT (Network Address Translation) is usually used for one-to-one IP mappings for
public-facing services such as web servers; the mapping is permanent, so the inside host is
reachable from outside at its translated address
Configuration of Router 1
• A dynamic NAT pool is usually used when many inside hosts need outbound internet access
through a pool of public addresses; each inside host gets one pool address while its
translation is active, the entry is removed when it times out, and once the pool is exhausted
new inside hosts cannot be translated until an entry is freed
• Configuration example for translating traffic from the private IP network 10.1.0.0/24 to
the public IP NAT pool 97.8.22.21 - 97.8.22.31
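The translation table behind both kinds of inside source NAT can be modelled in a few lines. The following added example (not the deck's configuration) keeps a permanent static mapping beside a dynamic pool handed out on demand, and shows the failure mode the text describes: with eleven pool addresses, the twelfth inside host gets no translation until an earlier one times out. The 10.1.0.0/24 network and the 97.8.22.21 - 97.8.22.31 pool are the deck's; the web server mapping and host addresses are constructed.

```python
import ipaddress


class InsideSourceNat:
    def __init__(self, pool_first, pool_last, inside_net):
        first = int(ipaddress.ip_address(pool_first))
        last = int(ipaddress.ip_address(pool_last))
        self.free = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.inside_net = ipaddress.ip_network(inside_net)   # the NAT ACL
        self.static = {}       # inside local -> inside global, permanent
        self.dynamic = {}      # inside local -> inside global, created on demand

    def add_static(self, inside_local, inside_global):
        self.static[inside_local] = inside_global

    def translate_outbound(self, src):
        """Return the inside-global address used for an inside-local source, or
        None if the source is not matched by the NAT ACL or the pool is exhausted."""
        if src in self.static:
            return self.static[src]
        if ipaddress.ip_address(src) not in self.inside_net:
            return None                      # not "inside source" traffic
        if src not in self.dynamic:
            if not self.free:
                return None                  # pool exhausted: packet is dropped
            self.dynamic[src] = self.free.pop(0)
        return self.dynamic[src]

    def translate_inbound(self, dst):
        """Reverse lookup for returning traffic; for static entries this also
        serves connections initiated from outside."""
        for table in (self.static, self.dynamic):
            for local, glob in table.items():
                if glob == dst:
                    return local
        return None

    def expire(self, inside_local):
        """A dynamic translation timed out: hand its address back to the pool."""
        glob = self.dynamic.pop(inside_local, None)
        if glob:
            self.free.append(glob)
        return glob


def demo():
    nat = InsideSourceNat("97.8.22.21", "97.8.22.31", "10.1.0.0/24")
    nat.add_static("10.1.0.80", "97.8.22.80")          # constructed web server mapping
    results = {"web_in": nat.translate_inbound("97.8.22.80")}
    results["first_host"] = nat.translate_outbound("10.1.0.10")
    results["same_host_again"] = nat.translate_outbound("10.1.0.10")   # existing entry reused
    results["outside_acl"] = nat.translate_outbound("10.2.0.10")       # not in 10.1.0.0/24
    for i in range(11, 21):                            # ten more hosts drain the pool
        nat.translate_outbound(f"10.1.0.{i}")
    results["exhausted"] = nat.translate_outbound("10.1.0.99")
    nat.expire("10.1.0.10")
    results["after_expire"] = nat.translate_outbound("10.1.0.99")
    return results
```

Pool exhaustion is the reason most real deployments add overload (PAT) to the pool so that many inside hosts share one public address distinguished by port; without it, a burst of new hosts silently loses connectivity.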
• Configuration of Router 1
• Configuration of Router 2
4.2 Configure and Verify NTP Operating in a Client and Server Mode
• NTP Client Mode: Network devices can maintain accurate time by synchronising to a
server using the Network Time Protocol (NTP)
• NTP Server Mode: A network device can serve time to other devices without any extra
configuration as long as its own clock is synchronised to another NTP server
• NTP Master: A network device can act as an NTP server using its local clock if it is
configured as an NTP master. An NTP master syncs to its local clock and still provides
time to NTP clients
• Accurate timestamps are what make syslog, AAA accounting records and certificate
validity checks trustworthy, so NTP should be taken only from known servers and, where the
platform supports it, authenticated
• Example of NTP master configuration
Configuration of Router 1
Configuration of Router 2
4.3 Explain the Role of DHCP and DNS within the Network
• Dynamic Host Configuration Protocol (DHCP) is used to assign IP addresses and related
parameters to network clients dynamically
o DHCP Server: A host running a DHCP server application with IP address pools for
client assignments
• DHCP Operation
DHCP IP Address Pool:
• IP Address: 10.0.10.21 - 10.0.10.254
• Subnet Mask: 255.255.255.0
• Default Gateway: 10.0.10.1
• DNS Server: 8.8.8.8
• Domain Name System (DNS) is used to resolve hostnames to IP addresses
o DNS Server: A host running a DNS server application that manages a database of
host name to IP address mappings
• DNS Operation (diagram: the client asks the DNS server for www.ipversity.com, which
resolves to 172.217.3.110; www.google.com is shown as a second example name)
6. Client connects to the website using the IP address it learned from DNS
Example of DHCP configuration on Router
DHCP Server Configuration
DNS Server Configuration
• For DNS configuration, go to Server > Services and then click on the DNS option
4.4 Explain the Function of SNMP in Network Operations
• Simple Network Management Protocol (SNMP) reads and writes management information
that is available on network devices
o SNMP Collector: A server running an SNMP collector (manager) application with a
database to store the information. Examples of SNMP collectors are Cisco Prime and
SolarWinds
o Traps are sent by network devices to SNMP collectors when certain events take place,
such as high CPU or interface alarms
• SNMPv1 and v2c authenticate with plain-text community strings; SNMPv3 adds per-user
authentication and encryption and should be used where possible, with write access
disabled unless it is actually needed
4.5 Describe the Use of Syslog features including Facilities and Levels
• Syslog is a logging service used to view network device events for troubleshooting and
monitoring
• Diagram: firewalls, switches and routers send their events (access-list blocks, URL
filtering, malware blocks, IDS/IPS logs, configuration changes, debug messages, hardware
failures, error messages) to a central syslog server, which stores them in a database
The following are the components of Syslog:
o Syslog Server: A server running a Syslog application with a database to store log
information
o Facility: identifies which part of the device produced the message; on Cisco IOS the
message text carries it as %FACILITY-SEVERITY-MNEMONIC, for example %SYS-5-CONFIG_I
o Level: the severity, from 0 (emergencies) to 7 (debugging); a logging level of N sends every
message with severity N or lower, i.e. as severe or more severe
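Because the facility and severity are embedded in each message, a collector can filter on them without any per-device configuration. The following added example (not from the delegate pack) parses Cisco-style syslog lines into facility, severity and mnemonic and then applies a level filter the way a logging trap setting would. The sample lines are constructed in the IOS message format for illustration, not captured from a real device.

```python
import re

SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# <seq>: <timestamp>: %FACILITY-SEVERITY-MNEMONIC: text   (seq and timestamp optional)
LINE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>\*?[A-Za-z]{3} +\d+ [\d:.]+): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)


def parse(line):
    """Return a dict for a syslog line, or None if the line is not one."""
    m = LINE.match(line.strip())
    if not m:
        return None
    sev = int(m["sev"])
    return {"facility": m["facility"], "severity": sev, "level": SEVERITY[sev],
            "mnemonic": m["mnemonic"], "text": m["text"]}


def at_or_below(records, level):
    """Mimic a logging level of N: keep severity <= N (as severe or more severe)."""
    return [r for r in records if r["severity"] <= level]


# Constructed sample, not a real capture
SAMPLE = """\
000123: *Mar  1 00:04:12.011: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.100)
000124: *Mar  1 00:05:01.500: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
000125: *Mar  1 00:05:02.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
000126: *Mar  1 00:06:40.321: %SEC-6-IPACCESSLOGP: list BLOCK-TELNET denied tcp 10.0.0.50(40021) -> 10.0.0.1(23), 1 packet
000127: *Mar  1 00:07:00.000: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
000128: *Mar  1 00:08:00.000: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/2, putting Gi0/2 in err-disable state
this line is not a syslog message"""


def demo(level=4):
    records = [r for r in (parse(l) for l in SAMPLE.splitlines()) if r]
    kept = at_or_below(records, level)
    return {
        "parsed": len(records),
        "facilities": sorted({r["facility"] for r in records}),
        "kept_at_level": [r["mnemonic"] for r in kept],
        "config_changes": [r["text"] for r in records if r["mnemonic"] == "CONFIG_I"],
    }
```

At level 4 only the link failure and the port-security err-disable survive the filter; the configuration change (severity 5) and the ACL log (severity 6) are exactly the messages a security team usually wants, which is why devices are typically sent to the collector at level 6 and filtering is done centrally.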
4.6 Configure and Verify DHCP Client and Relay
• DHCP Relay (also known as DHCP Helper) is a method used by a Layer 3 device to forward
DHCP messages to DHCP servers on behalf of DHCP clients that are not on the server's
subnet; the relay turns the client's broadcast into a unicast to the server address configured
on the client-facing interface
• Configuration of Router 1
• Configuration of Router 2
• Configuration of Router 3
4.7 Explain the Forwarding Per-Hop Behaviour (PHB)
• Quality of Service (QoS) is used to apply controls to network traffic such as preferential
forwarding treatment, bandwidth consumption limits, and rate-limiting
• Classification is a method used to identify traffic types so that network devices can
apply the proper QoS treatment
• Marking is a method used to set QoS values in the packet or frame header that later hops
use to apply the proper QoS treatment
The following are the types of markings:
• DSCP (Layer 3, carried in the IP header)
o Decimal values 0-63
o CS 0-7 (class selector values; CS0, value 0, is the default, best-effort marking)
o Assured Forwarding (AF) classes
o Higher values generally receive better treatment; the default is the worst
• CoS (Layer 2, carried in the 802.1Q tag)
o Values CoS0 to CoS7, where CoS0 is the worst (best effort) and higher values are better
• Queuing is a method used to prioritise when different traffic types are forwarded out of
an interface
o When traffic needs to be forwarded out of a router or switch port it is added to a traffic
queue
o Such queues can be thought of as a way to buffer packets until they are transmitted
out of the interface (diagram: Queue 1, Queue 2 and Queue 3 feeding one interface)
• Congestion: It occurs when a network device interface runs out of queue depth (buffer)
because of high bandwidth utilisation
o If an interface is overloaded with congestion, network devices tail-drop traffic
o QoS policies can be used to choose which traffic is dropped first, to protect critical
applications like voice and video
• Policing: A method used to limit how much bandwidth can be used on an interface by
dropping (or re-marking) traffic that exceeds the QoS policy
o Usually used to prevent low-priority traffic from using all the bandwidth
• Shaping: A technique used to limit how much bandwidth can be used on an interface by
buffering traffic that exceeds the QoS policy and sending it later
o Usually used to smooth traffic speeds to match provider circuit speeds, so that traffic such
as voice is delayed briefly rather than dropped
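Policing and shaping use the same measurement, a token bucket that refills at the contracted rate, and differ only in what happens to traffic that exceeds it. The following added example (not from the delegate pack) runs one token bucket over a constructed packet train in both modes: the policer drops the excess immediately, the shaper queues it and sends it in later intervals, and a shaper whose queue is full tail-drops just like a congested interface. The rate, burst size, queue depth and packet sizes are constructed for illustration.

```python
from collections import deque


def token_bucket_run(arrivals, rate, burst, shape=False, queue_limit=4):
    """arrivals: list of intervals, each a list of packet sizes (bytes).
    rate: bytes of credit added per interval; burst: bucket size in bytes.
    Policer (shape=False): a packet that does not fit the bucket is dropped.
    Shaper (shape=True): it is queued FIFO and sent when credit is available;
    when the queue is full it is dropped. Returns (bytes sent per interval, drops)."""
    tokens = burst
    queue = deque()
    sent_per_interval, dropped = [], 0
    intervals = list(arrivals)
    while intervals or queue:                       # keep running until the backlog drains
        incoming = intervals.pop(0) if intervals else []
        tokens = min(burst, tokens + rate)          # refill, never beyond the burst
        pending = deque(queue)                      # shaper backlog goes first (FIFO)
        pending.extend(incoming)
        queue = deque()
        out = 0
        while pending:
            size = pending.popleft()
            if size > burst:
                dropped += 1                        # larger than the bucket: can never conform
            elif size <= tokens and not queue:      # conforms and nothing is waiting ahead
                tokens -= size
                out += size
            elif shape and len(queue) < queue_limit:
                queue.append(size)                  # shaper buffers the excess
            else:
                dropped += 1                        # policer drops; shaper queue full
        sent_per_interval.append(out)
    return sent_per_interval, dropped


def demo():
    # Constructed train: a 3000-byte burst, two idle intervals, then one small packet
    burst_train = [[1000, 1000, 1000], [], [], [500]]
    return {
        "police": token_bucket_run(burst_train, rate=1000, burst=1500),
        "shape": token_bucket_run(burst_train, rate=1000, burst=1500, shape=True),
        "shape_full_queue": token_bucket_run([[1000] * 8], 1000, 1500, shape=True, queue_limit=4),
    }
```

The policer delivers 1500 bytes of the 3500 sent and loses two packets; the shaper delivers all 3500 bytes but spreads the burst over three intervals, which is the added delay voice traffic tolerates far better than loss. The third case shows that shaping only defers the problem: once the queue depth is exceeded the shaper drops too.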
4.8 Configure Network Devices for Remote Access using SSH
• Unlike Telnet, which sends credentials and commands in clear text, SSH encrypts and
authenticates the management session, so it is the secure way to connect to and manage
network devices remotely; the vty lines should accept SSH only, with Telnet disabled and
SSH version 2 enforced
• Example of configuration
• Example of SSH in Cisco Packet Tracer
4.9 Describe the Capabilities and Function of TFTP/FTP in the Network
• TFTP (Trivial File Transfer Protocol) and FTP (File Transfer Protocol) are both protocols
that can be used to transfer files over a network using a client/server model
• Software upgrades and configuration backups are common uses of TFTP/FTP in
networking (diagram: an FTP client transferring a file to an FTP server)
• TFTP - UDP port 69
o No authentication
o Runs over UDP, so it has none of TCP's reliability and relies on its own simple
block-by-block acknowledgement
o Designed for small file transfers
• FTP - TCP port 21 for control, with a separate data connection
o Supports username/password authentication, but sends both in clear text
o Reliable transfer over TCP, suited to large files, with directory listings
• Neither protocol encrypts anything: a device image or configuration (which may contain
password hashes and SNMP community strings) copied with TFTP/FTP can be read by anyone
on the path, so SCP or SFTP should be preferred where the platform supports them
Domain 5
Security Fundamentals
Outlines of Domain 5
• Module 1: Define key security concepts
• Module 6: Configure and verify access control lists
• Module 10: Configure WLAN using WPA2 PSK using the GUI
5.1 Key Security Concepts
Threats
• A threat is any potential event or actor, new or newly discovered, that has the ability to
harm a particular system or even the whole organisation
Vulnerability
• A vulnerability is not an open door; it is a weakness which, if attacked, could provide a
way in
• Exploiting is the act of turning a vulnerability (a weakness) into an actual way to breach a
system
Exploit
• Exploits are not easy to spot, as they can take place behind firewalls, inside traffic the
perimeter already allows
• If they are not detected they can cause irretrievable damage
Mitigation Techniques
o Antimalware
o Firewall
o Software patches
5.2 Security Program Elements
User Awareness
• Awareness of the need for data confidentiality, to protect corporate information as well as
users' own credentials and personal information, should be spread among all users
• Users should also be made aware of potential threats, schemes designed to mislead them
and the proper procedure for reporting security incidents
• They should also be instructed to follow strict guidelines for preventing data loss
• As an example, users should not include sensitive information in emails or attachments,
should not keep or transmit such information from a smartphone, and should not store it on
cloud services or removable storage drives
User Training
• All users should take part in periodic formal training so that they become familiar with all
corporate security policies
• The organisation should develop and publish formal security policies for its users,
employees and business partners to follow
Physical Access Control
• Infrastructure locations such as data centres and network closets should be locked
securely
• A scalable solution for sensitive locations is badge access, which offers an audit trail of
identities and timestamps whenever access is granted
5.3 Configure Device Access Control using Local Passwords
• Example of configuration of a local user account
• Local passwords should be stored hashed in the device configuration (on Cisco IOS, the
secret form of the command rather than the reversible password form) so that a leaked
configuration backup does not reveal them
5.4 Security Password Policies Elements
To secure network resources user passwords should follow best-practice standards:
Complexity
Management
• A simple password string is a single factor that a user must enter to be authenticated
i. Multifactor Authentication
• Multifactor credentials require that users provide values (factors) from different
sources, thereby reducing the chance that an attacker possesses all of the factors
• Two-factor credentials are described as "something you have", e.g. a text message with
a time-limited code or a dynamically changing cryptographic key, plus "something you
know", e.g. a password
ii. Digital Certificate
• If an organisation supports the use of digital certificates, then a user must request and be
granted a unique certificate to use for a particular purpose
• Digital certificates are time sensitive, i.e. each one is valid for a specific time range
• After the certificate expires, any attempt to authenticate with it will be rejected;
the user who holds the certificate can request a new one prior to the expiration date
or at any time afterwards
iii. Biometrics
• Generally, physical attributes are unique to an individual's body and cannot
be easily duplicated or stolen
• Examples are voice recognition, face recognition, iris recognition etc.
5.5 Remote Access and Site-to-Site VPNs
• A VPN (Virtual Private Network) allows users to send and receive data across shared or
public networks as if their computing devices were directly connected to the private network
(diagram: trusted networks at each end exchange encrypted data through a VPN tunnel
across an untrusted network)
• Site-to-Site VPN: A tunnel between VPN gateways such as firewalls and routers,
connecting whole LANs to each other (diagram: LAN - Gateway - VPN Tunnel - Gateway - LAN)
• Remote Access VPN: A tunnel between a mobile user's device (laptop, phone, etc.) and a
remote VPN gateway such as a firewall, giving the device access to the LAN behind the
gateway
5.6 Configure and Verify Access Control Lists
• Access Control Lists (ACLs): A method of applying security filtering on network devices;
an ACL is an ordered list of permit/deny entries evaluated top-down, the first matching entry
decides, and anything that matches no entry is dropped by the implicit deny at the end
1. Standard: Standard ACLs match on the source IP address only
2. Extended: Extended ACLs can match source/destination IP and port information plus
much more
ACLs are identified either by number or by name:
1. Numbered: Standard numbered ACLs can be configured in the range 1-99 and 1300-1999;
extended numbered ACLs in the range 100-199 and 2000-2699
2. Named: Standard or extended ACLs identified by a descriptive name instead of a number
• Example of extended named ACL configuration
Configuration of ports on Router 1
Configuration of ports on Router 2
Configuration of Router 2 to block the whole network
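Two properties of ACLs cause most real outages and most real bypasses: entries are evaluated in order with the first match winning, and everything unmatched hits the implicit deny. The following added example (not from the delegate pack) evaluates an extended ACL the way IOS does, using wildcard masks, and includes a deliberately reordered copy of the same list to show that the same three entries in a different order permit the Telnet session the list was written to block. The ACL name, addresses and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str                        # "<address> <wildcard>" or "any"
    dst: str = "any"
    dst_port: Optional[int] = None  # "eq <port>" on the destination, extended ACLs only


def _matches_wildcard(spec, address):
    if spec == "any":
        return True
    base, wildcard = spec.split()
    b, w, a = (int(ipaddress.ip_address(x)) for x in (base, wildcard, address))
    # a wildcard bit of 1 means "don't care"; 0.0.0.0 is an exact host match
    return (a & ~w) == (b & ~w)


def evaluate(acl, packet):
    """packet: dict with src, dst, protocol and optional dst_port.
    Returns (action, index of the matching entry, or None for the implicit deny)."""
    for i, ace in enumerate(acl):
        if ace.protocol != "ip" and ace.protocol != packet["protocol"]:
            continue
        if not _matches_wildcard(ace.src, packet["src"]):
            continue
        if not _matches_wildcard(ace.dst, packet["dst"]):
            continue
        if ace.dst_port is not None and ace.dst_port != packet.get("dst_port"):
            continue
        return ace.action, i
    return "deny", None              # implicit "deny ip any any"


# Constructed extended ACL: LAN may reach the web server over HTTPS, nobody may
# Telnet into the server subnet, and the LAN may do anything else.
BLOCK_TELNET = [
    Ace("permit", "tcp", "10.0.1.0 0.0.0.255", "10.0.2.80 0.0.0.0", 443),
    Ace("deny", "tcp", "any", "10.0.2.0 0.0.0.255", 23),
    Ace("permit", "ip", "10.0.1.0 0.0.0.255"),
]


def packet(src, dst, proto="tcp", port=None):
    return {"src": src, "dst": dst, "protocol": proto, "dst_port": port}


def demo():
    return {
        "https_to_server": evaluate(BLOCK_TELNET, packet("10.0.1.10", "10.0.2.80", port=443)),
        "telnet_to_server": evaluate(BLOCK_TELNET, packet("10.0.1.10", "10.0.2.80", port=23)),
        "ping_from_lan": evaluate(BLOCK_TELNET, packet("10.0.1.10", "10.0.2.80", "icmp")),
        "outsider_https": evaluate(BLOCK_TELNET, packet("192.0.2.5", "10.0.2.80", port=443)),
        # Same entries, reversed: the broad permit now comes first and hides the deny
        "reordered_is_wrong": evaluate(BLOCK_TELNET[::-1], packet("10.0.1.10", "10.0.2.80", port=23)),
    }
```

The outsider's HTTPS attempt is dropped by the implicit deny even though no entry mentions 192.0.2.5, which is why a new ACL applied to an interface must always end with a permit for whatever traffic is meant to survive.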
5.7 Configure Layer 2 Security Features
DHCP Snooping
• A switch feature that only allows DHCP server response packets (OFFER and ACK) on
interfaces that are defined as "trusted"; server responses arriving on untrusted ports are
dropped, and the switch records the leases it sees in a DHCP snooping binding table
(MAC address, IP address, VLAN and port)
• Example of DHCP snooping configuration
• Configuration of trusted Router
• Configuration of Switch
• Configuration of untrusted Router
Dynamic ARP Inspection
• A switch feature that only permits ARP packets whose sender IP-to-MAC binding matches
an entry in the DHCP snooping binding table (or a static entry), unless they arrive on a
"trusted" interface. By default, interfaces are untrusted
Port Security
• A switch feature that can (1) limit how many MAC addresses are learned on a single
interface and (2) limit which MAC addresses are learned; on a violation the port can be
shut down (err-disabled, the default), or the offending frames can be dropped, with or
without logging
Example of Port Security
• Configuration of Switch 1
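The three features build on each other: snooping produces the binding table, DAI consumes it, and port security bounds how many identities a port may present at all. The following added example (not from the delegate pack) models a switch with one trusted uplink and shows a rogue DHCP OFFER, a spoofed gateway ARP and a second MAC on a secured port each being stopped by the relevant feature. Port names, MAC addresses and the 10.0.10.x addresses are constructed.

```python
from collections import defaultdict


class Switch:
    def __init__(self, trusted_ports=(), max_macs=1):
        self.trusted = set(trusted_ports)
        self.max_macs = max_macs                 # port-security maximum per port
        self.pending = {}                        # client MAC -> port that sent DISCOVER/REQUEST
        self.bindings = {}                       # (client MAC, IP) -> port, from DHCP ACKs
        self.secure_macs = defaultdict(set)      # port -> MACs learned by port security
        self.err_disabled = set()
        self.log = []

    def _port_security(self, port, mac):
        """False (and err-disable the port, the IOS default action) on a violation."""
        if port in self.err_disabled:
            return False
        if port in self.trusted:
            return True                          # the uplink is not a secured access port
        learned = self.secure_macs[port]
        if mac not in learned and len(learned) >= self.max_macs:
            self.err_disabled.add(port)
            self.log.append(f"{port}: port-security violation by {mac}, err-disabled")
            return False
        learned.add(mac)
        return True

    def dhcp(self, port, mac, msg, client_mac=None, client_ip=None):
        """Client messages (DISCOVER/REQUEST) carry the client's own MAC; server
        messages (OFFER/ACK) carry the server MAC plus the client they are for."""
        if not self._port_security(port, mac):
            return "dropped"
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[mac] = port
            return "forwarded"
        if port not in self.trusted:             # server message on an untrusted port
            self.log.append(f"{port}: DHCP {msg} from rogue server {mac} dropped")
            return "dropped"
        if msg == "ACK" and client_mac in self.pending:
            self.bindings[(client_mac, client_ip)] = self.pending[client_mac]
        return "forwarded"

    def arp(self, port, sender_mac, sender_ip):
        """Dynamic ARP Inspection: on untrusted ports the sender binding must
        match the snooping table."""
        if not self._port_security(port, sender_mac):
            return "dropped"
        if port in self.trusted or self.bindings.get((sender_mac, sender_ip)) == port:
            return "forwarded"
        self.log.append(f"{port}: DAI dropped ARP claiming {sender_ip} is at {sender_mac}")
        return "dropped"


def demo():
    sw = Switch(trusted_ports={"Gi0/24"}, max_macs=1)
    r = {}
    r["discover"] = sw.dhcp("Gi0/1", "aa:aa:aa:aa:aa:01", "DISCOVER")
    r["real_ack"] = sw.dhcp("Gi0/24", "dd:dd:dd:dd:dd:01", "ACK",
                            client_mac="aa:aa:aa:aa:aa:01", client_ip="10.0.10.21")
    r["rogue_offer"] = sw.dhcp("Gi0/2", "bb:bb:bb:bb:bb:02", "OFFER",
                               client_mac="aa:aa:aa:aa:aa:01", client_ip="10.0.10.99")
    r["good_arp"] = sw.arp("Gi0/1", "aa:aa:aa:aa:aa:01", "10.0.10.21")
    r["spoofed_gateway_arp"] = sw.arp("Gi0/2", "bb:bb:bb:bb:bb:02", "10.0.10.1")
    r["second_mac_on_gi0/1"] = sw.arp("Gi0/1", "cc:cc:cc:cc:cc:03", "10.0.10.21")
    r["err_disabled"] = sorted(sw.err_disabled)
    r["bindings"] = sw.bindings
    return r
```

Inspect sw.log after demo() to see the three drops with their reasons; the same three events are what the real switch reports via syslog, which ties this back to the monitoring discussed under 4.5.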
5.8 Differentiate Authentication, Authorisation, and Accounting Concepts
• User activity can be managed with AAA (authentication, authorisation, and accounting)
mechanisms
• Before authorising or allowing access to any user, AAA uses standardised methods to
challenge them for their credentials
• AAA is generally used to control and monitor access to network devices such as
switches, routers, firewalls etc., typically against a central RADIUS or TACACS+ server
1. Authentication
• Credentials for users that request network access are validated (Who is the user?)
(diagram: Jack sends his username and password to Switch 1, which checks them against the
user accounts and confirms that Jack is a valid, authenticated user)
2. Authorisation
• Access restrictions for authenticated users (What is the user allowed to do?)
(diagram: Jack is authorised for privilege level 15)
3. Accounting
• Event history containing the activity of authenticated/authorised users (What did the user
do?)
(diagram: Switch 1 records Jack's session and log-off against the user accounts)
5.9 Wireless Security Protocols
• WPA (Wi-Fi Protected Access) methods are used to secure wireless networks
WPA
• The original Wi-Fi Alliance standard, using TKIP encryption; it is now considered broken
WPA2
• Uses AES-CCMP encryption with either a pre-shared key (Personal) or 802.1X/EAP (Enterprise)
WPA3
• More secure: replaces the pre-shared-key handshake with SAE (Simultaneous Authentication
of Equals), which resists offline dictionary attacks on the passphrase, and requires
protected management frames
5.10 Configure WLAN using WPA2 PSK using the GUI
• WPA2 PSK SSIDs, also called WPA2 Personal, are an easy way to secure a wireless
network: every client shares one pre-shared key, so the protection is only as strong as the
passphrase and the key has to be changed whenever someone who knows it leaves
419
5.10 Configure WLAN using WPA2 PSK using
the GUI
1. We have already created two WLANs as shown in the figure. So if you want to create a
new WLAN then click on Go Button
theknowledgeacademy
420
5.10 Configure WLAN using WPA2 PSK using
the GUI
2. In this example, we are creating WLAN named as “Campus”. Give the profile name and
SSID and then click on Apply Button
theknowledgeacademy
421
5.10 Configure WLAN using WPA2 PSK using
the GUI
3. Click on Enabled check box of status
theknowledgeacademy
422
5.10 Configure WLAN using WPA2 PSK using
the GUI
4. Give WPA+WPA2 security in Layer 2 Security and enable the WPA2 and WPA2
Encryption and PSK and give the password according to your requirement
theknowledgeacademy
423
5.10 Configure WLAN using WPA2 PSK using
the GUI
5. Go to AP Groups
theknowledgeacademy
424
5.10 Configure WLAN using WPA2 PSK using
the GUI
6. After giving the AP Group Name and Description click on Add button. Then click on
WLANs option for check WLAN creation
theknowledgeacademy
425
5.10 Configure WLAN using WPA2 PSK using
the GUI
7. Now assign a access point to a created WLAN and click on Student
theknowledgeacademy
426
5.10 Configure WLAN using WPA2 PSK using
the GUI
8. After clicking on Student WLAN the following figure will be appeared
theknowledgeacademy
427
5.10 Configure WLAN using WPA2 PSK using
the GUI
9. Here we have assigned an Access Points to Student WLAN
theknowledgeacademy
428
5.10 Configure WLAN using WPA2 PSK using
the GUI
10. Go to topology and click on SMARTPHONE0 and go to config>wireless0. Give Access
point name “Student” in the SSID Tab and enable the WPA2-PSK PSK Pass Phrase,
and give password. After that enable DHCP
theknowledgeacademy
429
5.10 Configure WLAN using WPA2 PSK using
the GUI
11. Go to topology and click on SMARTPHONE1 and go to config>wireless0. Give Access
point name “Professor” in the SSID Tab and enable the WPA2-PSK PSK Pass Phrase,
and give password. After that enable DHCP. Now you can see in the topology that both
smartphones are connected with different WLAN
theknowledgeacademy
430
Domain 6
Automation and Programmability
Outlines of Domain 6
• Module 1: Explain how automation impacts network management
• Module 5: Describe characteristics of REST-based APIs
6.1 How Automation Impacts Network Management
• Networks are growing constantly and becoming more complex in order to keep pace
with business needs
• Because of this, networks are harder to manage and there is more room for human
error
• Tasks that would take hours if done manually can be completed in seconds with
programming
6.2 Compare Traditional Networks with Controller-based Networking
• Controller-based networks provide a single pane of glass for network administrators
• Instead of managing network devices individually, they can simply log in to the
controller for provisioning and troubleshooting (diagram: in a traditional network the IT
admin connects to each device in turn; in a controller-based network the admin works
through the controller, e.g. DNAC)
6.3 Controller-based and Software Defined Architectures
• All Cisco software-defined solutions share the same three concepts: underlay, overlay,
and fabric
Underlay
Examples are:
i. MPLS
ii. Internet
Overlay
Examples are:
i. GRE
ii. IPsec
iii. CAPWAP
(diagram: a VPN tunnel from Home is the overlay, carried across the Internet as the underlay)
Fabric
Examples are:
i. SDA
ii. ACI
6.3.a Separation of Control Plane and Data Plane
• One of the major differentiators between legacy networking and SDN is the separation of the
control plane and the data plane
• It means offloading processing such as routing computations from the network device
• The notion behind this is that if control plane processing can be centralised, then network
devices can devote more of their resources to data plane forwarding
6.3.b North-bound and South-bound APIs
Application Programming Interface (API)
• A method used to exchange information between two software programs, i.e.
machine to machine
• Northbound APIs sit between applications and the SDN controller; southbound APIs sit
between the controller and the network devices (diagram: APP / APP / APP - Northbound
API - SDN Controller - Southbound API - network devices)
6.4 Traditional Device Management Vs. Cisco DNA Center Enabled Device Management
Traditional Device Management
• The IT admin connects to and configures each device individually
DNAC Device Management
• Devices are centrally monitored and managed from a single pane of glass (DNAC)
6.5 Characteristics of REST-based APIs
• REST stands for Representational State Transfer
• REST-based APIs follow a set of basic rules regarding what makes a REST API and what
does not:
a) Client/server architecture
b) Stateless operation
c) Cacheable (or explicitly non-cacheable) resources
d) Uniform interface
e) Layered
f) Code-on-demand
• The working of a REST API depends mainly on the first three attributes
REST APIs and HTTP
• A few APIs are designed as an interface between programs running on the same
computer, in which case the communication between programs happens within a
single OS
• Many APIs must be available to programs that run on other computers, hence the API must
define the networking protocols it supports
• The creators of REST-based APIs chose HTTP because the logic of HTTP matches
the concepts defined more generally for REST APIs
• HTTP uses the same principles as REST. For example, it operates with a client/server
model; it uses a stateless operational model; and it includes headers that clearly mark
objects as cacheable or not cacheable
• HTTP also includes verbs, the words that dictate the intended action for a pair of HTTP
request and reply, which matches how applications like to work
448
Characteristics of REST-based APIs
Software CRUD Actions and HTTP Verbs
• The acronym CRUD is used by software industry for the four primary actions performed
by any application:
1) Create
• Permits the client to create a few new instances of variables and data structures at the
server and initialisation of their values as kept at the server
theknowledgeacademy
449
Characteristics of REST-based APIs
(Continued)
2) Read
• Permits the client to read (retrieve) the current values of variables that exist at the
server and store a copy of the variables, values, and structures at the client
3) Update
• Permits the client to update (change) the value of variables that exist at the server
4) Delete
Permits the client to delete from the server different instances of data variables
theknowledgeacademy
450
Characteristics of REST-based APIs
• Examples of CRUD actions: checking the status of a new configuration (a read action),
modifying a particular setting in the new configuration (an update action), or
removing a security policy definition completely (a delete action)
• HTTP defines a request and reply model, with the client sending a request and the
server answering with a reply
• Every request lists an action verb in the HTTP request header that defines the
HTTP action
Characteristics of REST-based APIs
• The HTTP message also includes a URI that identifies the resource being manipulated
by this request
• The HTTP message is carried inside TCP and IP, each adding its own headers to the
HTTP headers and data
• When we open a web browser and click a link, the browser generates an HTTP GET
request message
• This message includes an HTTP header with the GET verb and the URI
• The resources returned in the reply are the components of a web page, such as
text files, image files, and video files
• HTTP works well with REST because HTTP has verbs that match the common program actions
in the CRUD paradigm
Characteristics of REST-based APIs
Action                                                  CRUD Term   REST (HTTP) Verb
Create new data structures and variables                Create      POST
Read (retrieve) variable names, values and structures   Read        GET
Update or replace the values of some variables          Update      PUT
Delete some variables and data structures               Delete      DELETE
Characteristics of REST-based APIs
HTTP Request:  GET /networks            ("send me a list of networks")
HTTP Response: HTTP 200 OK, { JSON Data } (the list of networks)
• Postman is a great App that can be used for sending API calls
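The request/reply exchange and the CRUD-to-verb mapping above, as an added example that is not part of the original delegate pack: a minimal in-process HTTP server and client built only from the Python standard library. The resource name "networks", the sample data and the status codes used for create (201), delete (204) and unknown resource (404) are assumptions for the example.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# Constructed sample data: the "networks" resource as kept at the server
NETWORKS = {"1": {"name": "lan", "prefix": "10.0.0.0/24"}}


class NetworksHandler(BaseHTTPRequestHandler):
    # Each HTTP verb maps onto one CRUD action against the NETWORKS resource
    def _reply(self, status, body=None):
        data = json.dumps(body).encode() if body is not None else b""
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def _json_body(self):
        length = int(self.headers.get("Content-Length", 0))
        return json.loads(self.rfile.read(length)) if length else None
    def _net_id(self):  # the URI names the resource: /networks/<id>
        return self.path.rstrip("/").rsplit("/", 1)[-1]
    def do_GET(self):     # Read: return the current list of networks
        self._reply(200, list(NETWORKS.values()))
    def do_POST(self):    # Create: store a new instance, server assigns the id
        new_id = str(max(map(int, NETWORKS), default=0) + 1)
        NETWORKS[new_id] = self._json_body()
        self._reply(201, {"id": new_id})
    def do_PUT(self):     # Update: replace one network's values, 404 if unknown
        if self._net_id() not in NETWORKS:
            return self._reply(404)
        NETWORKS[self._net_id()] = self._json_body()
        self._reply(200, NETWORKS[self._net_id()])
    def do_DELETE(self):  # Delete: remove one network, 204 on success
        self._reply(204 if NETWORKS.pop(self._net_id(), None) else 404)
    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():  # OS-chosen loopback port; returns the base URL
    srv = HTTPServer(("127.0.0.1", 0), NetworksHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]


def call(base, verb, uri, body=None):  # client side: one request/reply pair
    data = json.dumps(body).encode() if body is not None else None
    with urlopen(Request(base + uri, data=data, method=verb)) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)
```

Calling `call(start_server(), "GET", "/networks")` reproduces the GET exchange on the slide: status 200 and the JSON list of networks.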
6.6 Recognise the Capabilities of Configuration
Management Mechanisms
• Puppet, Chef, and Ansible are software packages
• Most people use these names for the companies as well as for their primary configuration
management products
Recognise the Capabilities of Configuration
Management Mechanisms
Puppet
• Puppet can be installed on your own Linux host, but for production purposes it is normally
installed on a Linux server known as the Puppet master
• Puppet uses several important text files with different components, such as:
Recognise the Capabilities of Configuration
Management Mechanisms
(Continued)
o Resource, Class, Module – components of the manifest, with the largest component (the
module) being composed of smaller classes
Recognise the Capabilities of Configuration
Management Mechanisms
Chef
• Chef offers various products, such as Chef Automate, which most people refer to simply
as Chef
• As with Puppet, in production Chef is typically run as a server, with multiple Chef
workstations used by the engineering staff to build Chef files that are stored on the
Chef server
Recognise the Capabilities of Configuration
Management Mechanisms
(Continued)
• Once Chef is installed, various text files can be created with different components, such as:
o Recipe – the Chef logic applied to resources to determine when, how, and whether to
act against those resources; analogous to a recipe in a cookbook
o Cookbook – a set of recipes related to the same type of work, grouped together for
easier management and sharing
Recognise the Capabilities of Configuration
Management Mechanisms
(Continued)
o Runlist – an ordered list of recipes that should be run against a given device
• Every managed device, known as a Chef node or Chef client, runs an agent, and this
includes network devices
Recognise the Capabilities of Configuration
Management Mechanisms
Ansible
o Playbooks – these files provide the logic and actions that Ansible should perform
Recognise the Capabilities of Configuration
Management Mechanisms
(Continued)
o Inventory – these files provide information about every device, such as device roles,
which is why Ansible can perform functions for subsets of the inventory
o Templates – these represent a device's configuration, but with variables, using the Jinja2
language
o Variables – a file can list variables, in YAML, that Ansible will substitute into templates
Recognise the Capabilities of Configuration
Management Mechanisms
Comparing Puppet, Chef, and Ansible
6.7 Interpret JSON Encoded data
• JavaScript Object Notation (JSON) strikes a balance between human and machine
readability
• With a few JSON rules, most humans can read JSON data, move past guessing at what it
means, and confidently interpret the data structures defined by the JSON data
• At the same time, JSON makes it easy for programs to convert JSON text into
variables, making it very useful for data exchange between applications using APIs
Interpret JSON Encoded data
Interpreting JSON Key: Value Pairs
The following are key rules about key:value pairs in JSON, which can be thought of as
individual variable names and their values:
o Key:Value Pair: Every colon identifies one key:value pair, with the key before the
colon and the value after the colon
o Key: The text inside double quotes before the colon, used as the name that references a
value
Interpret JSON Encoded data
(Continued)
o Value: The item after the colon that represents the value of the key that can be
o Multiple Pairs: When listing multiple key:value pairs, separate the pairs with a comma
at the end of each pair (except the last pair)
Interpret JSON Encoded data
Interpreting JSON Objects and Arrays
• JSON uses JSON objects and JSON arrays to communicate data structures beyond a
key:value pair with a simple value
• Objects can be flexible to some extent, but in most uses they act like a dictionary
• There is a set of rules for interpreting the syntax of JSON objects and arrays
Interpret JSON Encoded data
The rules are:
o [ ] – Array: A series of values that are not key:value pairs, enclosed in a matched pair of
square brackets, with an opening left square bracket and its matching right square
bracket
o Key:value pairs inside objects: All key:value pairs inside an object conform to the
earlier rules for key:value pairs
o Values inside arrays: All values conform to the earlier rules for formatting values
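The key:value, object and array rules above, worked through in code as an added example that is not part of the original delegate pack: a constructed device-status document is parsed, every path in it is classified as object, array or simple value, one field is pulled out through the nested layers, and two common syntax mistakes (a trailing comma, single-quoted keys) are shown to be rejected. The sample document and the `$`-path notation are assumptions for the example.

```python
import json

# Constructed sample: the kind of JSON text an API reply for a device might carry
SAMPLE = """
{
  "hostname": "R1",
  "interfaces": [
    {"name": "GigabitEthernet0/0", "ip": "10.1.1.1", "up": true},
    {"name": "GigabitEthernet0/1", "ip": null, "up": false}
  ],
  "uptime_seconds": 86400
}
"""

# Python types produced by json.loads, named with the JSON value terms
VALUE_KINDS = {str: "string", int: "number", float: "number",
               bool: "boolean", type(None): "null"}


def _walk(data, path, out):
    if isinstance(data, dict):            # { } object: a set of key:value pairs
        out[path] = "object"
        for key, value in data.items():   # the key before the colon names the value
            _walk(value, path + "." + key, out)
    elif isinstance(data, list):          # [ ] array: values only, no keys
        out[path] = "array"
        for i, item in enumerate(data):
            _walk(item, "%s[%d]" % (path, i), out)
    else:                                 # a simple value after the colon
        out[path] = VALUE_KINDS[type(data)]


def outline(text):
    """Parse JSON text and map every path (starting at $) to its kind."""
    out = {}
    _walk(json.loads(text), "$", out)
    return out


def interface_ips(text):
    """Read through the object > array > object layering to pull out one field."""
    return {i["name"]: i["ip"] for i in json.loads(text)["interfaces"]}


def is_valid_json(text):
    """The syntax rules are strict: a trailing comma or single-quoted key is rejected."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False
```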
The World’s Largest Global Training Provider
theknowledgeacademy.com
info@theknowledgeacademy.com
Congratulations