1 - 50 Days CCNA Journey - Study Notes - Complete Book

CCNA

Uploaded by

Ku Abhi

1

“CCNA 200-301 Study Notes”


Complete Book
A ©Network Nuggets Copyright Material

Reach Us At:
Email – [email protected]
YouTube - http://www.youtube.com/c/NetworkNuggets
LinkedIn - www.linkedin.com/in/kuldeep-sheokand-05636998

Strictly for personal uses.


Not to be circulated without prior permission of the owner.

NETWORK NUGGETS
http://www.youtube.com/c/NetworkNuggets

Krishna [email protected] 972-7506874


Table of Contents
1. Introduction to networking
1.1 Basic networking terms
1.2 What is network and types of network?
1.3 Protocols
1.4 Cabling
1.5 Data transmission types
1.6 Data modes
1.7 What to learn to start networking career?
2. OSI model
2.1 Types of network reference models
2.2 OSI model: Introduction
2.2.1 Layered architecture
2.2.2 Upper layers
2.2.3 Lower layers
2.2.4 Application layer
2.2.5 Concept of headers and trailers
2.2.6 Presentation layer
2.2.7 Session layer
2.2.8 Transport layer
2.2.9 Concept of TCP/UDP port numbers
2.2.10 TCP 3-way handshaking process
2.2.11 Internet using sockets
2.2.12 Network layer
2.2.13 Data link layer
2.2.14 Physical layer
2.2.15 PDU explained
2.2.16 Why layered architecture?
2.2.17 Encapsulation and de-encapsulation

2.3 Where is OSI model helpful in real life?


3. IP addressing
3.1 3-tier IP address assignment architecture
3.2 Introduction
3.3 Classes of IP address
3.4 Number conversion methods (binary to decimal and vice-versa)
3.5 Class A ip address
3.6 Subnet mask
3.7 Class B ip address
3.8 Class C ip address
3.9 Class D and E ip addresses
3.10 Reserved IP addresses
3.11 Types of IP addresses
3.12 Public and private ip addresses
3.13 Static and dynamic ip addresses
4. Subnetting
4.1 Introduction
4.2 What is subnetting?
4.3 Need of subnetting?
4.4 Subnetting of class C
4.5 Subnet mask and subnetting
4.6 Subnetting in 5 simple steps
4.7 Types of subnetting
5. Network devices
5.1 Types of network devices
5.2 Hub
5.3 Bridge
5.4 Switch
5.5 Router

5.5 Comparison of hub, switch & router


5.6 Gateway
5.7 Access point
5.8 Firewall
5.9 Wireless LAN controller
5.10 IP phone
5.11 PBX
5.12 Data center devices
6. Basics of Cisco routers & iOS
6.1 Router memories
6.1.1 ROM
6.1.2 FLASH
6.1.3 NVRAM
6.1.4 VRAM
6.1.5 Router boot process
6.2 Router identification
6.2.1 Types of modules
6.2.2 LAN & WAN ports
6.3 Taking console of a router
6.3.1 Initial connection
6.3.2 Terminal emulation
6.4 Introduction to Cisco iOS
6.4.1 Cisco iOS
6.4.2 IOS functions
6.4.3 IOS versions
6.4.4 IOS variants
6.4.5 IOS version selection
6.5 iOS working modes
6.5.1 Modes of a router

6.5.2 Functions of router modes


6.5.3 Sub-working modes of a router
6.5.4 Router mode navigation
6.5.5 Some important commands
6.5.6 Important show commands
6.5.7 Configuration registers
6.5.8 Saving configuration files
6.5.9 Deleting configuration files
6.6 Router basic commands
6.6.1 Interface configuration
6.6.2 Hostname configuration
6.6.3 Description
6.6.4 Speed & duplex
6.7 Router memories backup & restore
6.7.1 TFTP server setup
6.7.2 TFTP conditions
6.7.3 Backup using TFTP server
6.7.4 Restoring files using TFTP
6.8 iOS clean installation
6.8.1 IOS installation using TFTP server (When there is no IOS in the router)
6.9 iOS upgradation and licensing
6.9.1 IOS backup
6.9.2 Configuration file backup
6.9.3 Factory reset
6.9.4 iOS image upgradation
6.9.5 iOS licensing
6.9.6 Licensing procedure
6.10 Password setting
6.10.1 Types of passwords

6.10.2 Console password


6.10.3 User password
6.10.4 AUX password
6.10.5 Telnet password
6.10.6 SSH password
6.11 Telnet & SSH configuration
6.11.1 Telnet V/S SSH
6.11.2 Telnet conditions
6.11.3 Telnet configuration
6.11.4 SSH conditions
6.11.5 SSH configuration
6.12 Router password recovery
6.12.1 Configuration registers
6.12.2 Password recovery
7. Routing fundamentals
7.1 What is routing?
7.2 Router lookup process
7.3 Analyzing routing table
7.4 Connected & local routes
8. Static routing
8.1 Concept
8.2 Configuration
8.3 Floating static routes
9. Default routing
9.1 Concept
9.2 Configuration
9.3 Practical applications
10. Dynamic routing protocols
10.1 Working of routing protocols

10.2 Dynamic V/S static routing


10.3 Advantages of dynamic routing
11. Types of routing protocols
11.1 Protocol types – IGP V/S EGP
11.2 Distance vector protocols
11.3 Link state protocols
12. OSPF
12.1 Introduction
12.2 Link state concept
12.2.1 Explanation of link-state concept – why?
12.2.2 Explanation of link-state concept – how?
12.2.3 Explanation of link-state concept…
12.2.4 Explanation of link-state concept – what?
12.2.5 Here's a live OSPF database...
12.2.6 Here is the routing table made using LSDBs…
12.2.7 Lsa sequence numbers – why?
12.2.8 Lsa sequence numbers – how?
12.3 Process-ID
12.4 Wildcard mask
12.4.1 How to calculate Wildcard mask?
12.5 Area concept
12.5.1 Area ID
12.5.2 Concept of backbone area
12.6 OSPF Packet types
12.6.1 OSPF hello packets
12.7 Single area configuration
12.8 Neighborship conditions
12.9 Infinite state machines
12.10 Multi-area configuration

12.11 OSPF Router types


12.12 OSPF Network types
12.13 Concept of DR & BDR
12.13.1 DR & BDR working principal
12.13.2 DR & BDR election process
12.13.3 What is router id or R-ID?
12.13.4 How to manually configure router id?
12.13.5 How to configure loopback interface?
12.13.6 Why use loopback interface for R-ID?
12.13.7 How to make particular routers DR & BDR?
12.14 OSPF timers
12.14.1 How to change ospf timers on a link?
12.15 OSPF cost
12.15.1 How to change reference bandwidth in OSPF?
12.15.2 How to change cost of a link in OSPF?
12.16 OSPF area types
12.17 OSPF LSA types
13. IP services
13.1 Need scenarios
13.2 Types of IP services
13.3 DHCP & DHCP relay
13.3.1 DHCP DORA process
13.3.2 DHCP configuration
13.3.3 DHCP relay process
13.3.4 DHCP relay configuration
13.2 FHRP (HSRP, VRRP & GLBP)
13.2.1 Network design scenarios
13.2.2 Introduction to FHRP
13.2.3 Introduction to HSRP

13.2.4 HSRP configuration


13.2.5 Introduction to VRRP & GLBP
13.3 NAT
13.3.1 Introduction
13.3.2 NAT types
13.3.3 NAT terminology
13.3.4 NAT configuration
13.4 NTP
13.4.1 Introduction
13.4.2 Stratum level
13.4.3 Configuration
13.5 SNMP
13.5.1 Introduction
13.5.2 SNMP versions
13.7 Syslog
13.7.1 Introduction
13.7.2 Syslog server types
13.7.3 Syslog message types
13.8 QoS
13.8.1 Introduction
13.8.2 Classification and marking
13.8.3 Queuing
13.8.4 Policing and shaping
14. Working of a switch
14.1 Introduction
14.2 MAC address table – MAT
14.3 Aging time
14.4 Working of a switch
14.5 Functions of a switch

15. Vlan
15.1 Broadcast domain
15.2 Why use VLAN?
15.3 What is VLAN?
15.4 VLAN id
15.5 Types of VLAN
15.6 How to configure VLANs
15.7 Types of switch ports
15.8 Trunking/Tagging concept
15.9 Operations on native VLAN
15.10 Operations on trunk links
16. VTP
16.1 Introduction
16.2 VTP conditions
16.3 VTP configurations
16.4 VTP modes
17. Inter-VLAN routing
17.1 Inter-VLAN using a router
17.2 Inter-VLAN using Router on a stick
17.3 SVI – switched virtual interface
18. STP
18.1 STP & loop conditions
18.1.1 What is a Loop in networking?
18.1.2 Loop conditions
18.2 Function of STP
18.2.1 Why use STP?
18.2.2 STP convergence
18.2.3 Working of STP
18.2.4 Broadcast storm

18.3 Root bridge election process


18.3.1 BPDU, B-ID & R-ID
18.3.2 STP operations
18.4 STP port roles
18.4.1 STP cost
18.5 STP states
18.6 STP timers
18.6.1 STP timers & convergence
18.7 How to manually make a switch as “Root Bridge?”
18.8 Root Bridge: Primary, Secondary
18.9 PVSTP
18.9.1 Loop prevention v/s slow convergence STP advanced
18.10 Portfast
18.10.1 How to configure port fast?
18.11 BPDU guard
18.11.1 How to configure bpdu guard?
18.12 BPDU filter
18.12.1 How to configure BPDU filter?
18.13 Root guard
18.13.1 How to configure root guard?
18.14 Loop guard
18.14.1 How to configure loop guard?
18.15 RSTP – rapid spanning tree protocol
18.15.1 How to configure rstp?
19. RSTP and MSTP
19.1 RSTP standards – clear the confusion
19.2 RSTP timers
19.3 RSTP state and port roles
19.3.1 STP state

19.3.2 STP & RSTP transitioning


19.4 RSTP advanced operations
19.4.1 Ether-channel & Rstp convergence
19.4.2 RSTP & portfast
19.4.3 RSTP & bpduguard
19.6 Introduction to MSTP
19.7 How to detect switching loops?
20. CDP & LLDP
20.1 Concept of CDP
20.2 CDP configuration
20.3 Concept of LLDP
20.4 LLDP configuration
21. Ether channel using LACP
21.1 Concept
21.2 What is LACP?
21.3 Switch LACP configuration
21.4 Router LACP configuration
22. 802.3 Ethernet standards
22.1 LAN revised concept
22.2 Ethernet LANs
22.3 Ethernet links
22.4 Cabling architecture
22.5 Ethernet family of standards
22.6 What is Ethernet frame?
22.7 Ethernet frame structure
23. IPv6 addressing
23.1 IPv4 limitations
23.2 IPv6 features
23.3 Introduction to IPv6

23.4 How to compress IPv6 address?


23.5 Types of IPv6 addresses
23.5.1 Global Unicast IPv6 Addresses
23.5.2 Site/Unique Local IPv6 Address
23.5.3 Link Local IPv6 Addresses
23.5.4 Multicast Addresses
23.5.5 Unspecified Addresses
23.5.6 IPv6 Special Addresses & well known prefixes
23.6 IPv6 address assignment
23.6.1 Using Stateless Auto configuration – SLAAC
23.6.2 Static IPv6 Address Configuration
23.7 Routing in IPv6
23.7.1 IPv6 Static Routing
23.7.2 IPv6 default Routing
23.7.3 How to Configure OSPFv3
24. Cisco wireless
24.1 Fundamentals of wireless
24.1.1 Basic service set – BSS
24.1.2 Basic service area – BSA
24.1.3 BSS identifier – BSSID
24.1.4 Distribution system – DS
24.1.5 Extended service set – ESS
24.1.6 Wireless topologies
24.1.7 RF overview
24.1.8 Wireless bands & channels
24.1.9 Wireless generations
24.1.10 Channel assignment
24.2 Cisco wireless architectures

24.2.1 Autonomous AP
24.2.2 Cisco meraki
24.2.3 Lightweight AP
24.2.4 WLC functions
24.2.5 WLC deployment models
24.2.6 Cisco AP modes
24.3 Building a wireless LAN
24.3.1 Connecting a Cisco AP
24.3.2 Accessing a Cisco WLC
24.3.3 Types of ports & interfaces
24.3.4 Connecting a Cisco WLC
24.3.5 Using interfaces
24.3.6 WLAN configuration
24.4 Securing wireless networks
24.4.1 Authentication
24.4.2 Encryption
24.4.3 Authentication methods
24.4.4 Encryption methods
24.4.5 WPA protocols & versions
24.4.6 Security types
25. Cisco security
25.1 Security fundamentals
25.1.1 Common security terms
25.1.2 Common security threats
25.1.3 Human vulnerabilities
25.1.4 Password vulnerabilities
25.1.5 Password alternatives
25.1.6 Managing user access
25.1.7 AAA server

25.1.8 Security policies


25.2 Access control lists
25.2.1 Concept
25.2.2 Types of ACL
25.2.3 Standard numbered ACL
25.2.4 Extended numbered ACL
25.2.5 Standard named ACL
25.2.6 Extended named ACL
25.3 Securing network devices
25.3.1 CLI protection
25.3.2 Password attacks
25.3.3 VTY access control
25.4 Firewalls and IPS
25.4.1 Traditional firewalls
25.4.2 Stateful firewall concept
25.4.3 Security zones
25.4.4 Firewalls V/S IPS
25.4.5 NGFW features
25.4.6 NGIPS features
25.5 Switch port security
25.5.1 Concept
25.5.2 Configuration
25.6 DHCP behind the scenes
25.6.1 Concept
25.6.2 DORA process
25.6.3 DHCP relay
25.7 DHCP allocation modes
25.8 Router as DHCP client
25.9 Host IP settings

25.7 DHCP snooping


25.7.1 DHCP attacks
25.7.2 Logic behind DHCP snooping
25.7.3 Configuring DHCP snooping
25.8 Dynamic ARP inspection
25.8.1 Concept
25.8.2 Gratuitous ARP
25.8.3 Inspection logic
25.8.4 Configuring DAI
26. Network automation & programmability
26.1 Controller based networking
26.1.1 Automation concept
26.1.2 Processing planes
26.1.3 Concept of API, SBI & NBI
26.1.4 REST based APIs
26.1.5 Controllers types
26.1.6 Cisco ACI
26.1.7 Spine & leaf network design
26.1.8 Intent based networking
26.1.9 Cisco APIC-EM
26.1.10 Network management
26.1.11 How Automation Impacts Network Management
26.1.12 Traditional v/s controller based networks
26.2 Software defined access – SDA
26.2.1 SDA – fabric, overlay & underlay
26.2.2 Routed access layer design
26.2.3 Concept of VXLAN tunnel
26.2.4 Data center & SDA
26.2.5 Example of automation policies

26.2.6 IBN concept


26.2.7 Network management platform
26.2.8 Cisco prime infrastructure as network management platform
26.2.9 Cisco DNA center as network management platform
26.3 Understanding REST and JSON
26.3.1 Understanding APIs
26.3.2 RESTful APIs
26.3.3 Basics of programming
26.3.4 HTTP and REST APIs
26.3.5 CRUD actions of software
26.3.6 HTTP verbs
26.3.7 Serialization languages
26.3.8 Interpreting JSON output
26.4 Configuration automation tools
26.4.1 Network Device Configuration – The challenges and the solutions
26.4.2 Central configuration management
26.4.3 Configuration monitoring
26.4.4 Configuration provisioning
26.4.5 Features of a configuration management tool
26.4.6 Templates & variables
26.4.7 Ansible
26.4.8 Puppet
26.4.9 Chef

1. Introduction to Networking
What is networking?

1.1 Basic networking terms

• Communication
• Medium
• Signal
• Electrical & Electronics
• Networks/ Types of network
• Protocols
• Cables
• What to learn to start networking career
What is communication?

It is the process of sending information from one place to another place, using signals,
via a medium.
What is information?
It is any type of data: Text, Image, Audio and Video.
What is medium?
It is a link (way to connect devices) through which signals travel from one place to another
place. A medium can be either wired, or wireless.
What is signal?
It is a way of sending information through a medium.
Types of signals:
- Analog
- Digital
- Electrical
- Optical/ Light
- Radio frequency

What do you mean by “Electrical?”


Electrical refers to electric systems which use high-powered electricity (AC).
For example: AC, TV, refrigerator and washing machine.
What do you mean by “Electronics?”
Electronics refers to systems which use low-powered electricity (DC).
For example: mobile phones, laptops/tabs, smartphones and PCs/computers.
1.2 What is a network?

It is a group of devices connected with each other to share data, hardware and software
resources.
For example: Bluetooth file sharing, SHAREit and the Internet.
Types of Networks:
• PAN
• LAN
• CAN
• MAN
• WAN
• INTERNET
Personal Area Network (PAN)
It is a network between only two devices, connected using wires or wirelessly. For
example, when you share data between 2 devices using a cross cable, that is an example of
a personal area network.
Local Area Network (LAN)
It is the network created by a switch. When you need to create a network for an office or a
building, you need to bring multiple hosts/devices onto a single network. This single network
is created using switches, so all hosts (PCs, phones, cameras etc.) are connected to the
switch. This type of network is called a local area network.
Campus Area Network (CAN)
It is the name given to a LAN designed for campuses and educational institutes like
schools, colleges and universities. It is much bigger than a local area network and requires
special network designs (the Cisco 3-layer architecture, discussed in later chapters),
specialized switches like distribution and core switches, and other devices like access
points, wireless LAN controllers and PBXs.

Metropolitan Area Network (MAN)


It is the network designed to provide connectivity throughout a city. A city cable network
(Dish TV) is the perfect example of a metropolitan area network.
Remember:
A network doesn’t always mean the internet or a data network. There are other types of networks
too, like telephone networks (old ISDN and PSTN) and satellite networks etc.
Wide Area Network (WAN)
While a local area network is created in a smaller area and for a small number of
devices, a wide area network covers a greater distance (in kilometres)
and connects a large number of different devices. It uses a number of different
technologies for network connectivity and data transfer.
In the pure sense, WAN means connectivity between multiple branches of a single organization
spanning different locations using its own links. But you can imagine how
troublesome and costly this process would be if every organization had to connect
its networks and branches like this.
So, what companies prefer is this:
Internet service providers (ISPs) already have cables laid across the city and the globe. So,
for example, if a company “X” needs to connect its 3 branches named A, B and C, it will lease
the cable connection already laid out by the ISP instead of laying its own cables.
ISPs use various technologies to provide such dedicated private services to their customers,
and these are always evolving. For example: first there was ATM, then Frame Relay was used,
then MPLS replaced most uses of Frame Relay, and now it is the era of SD-WAN
(software defined wide area network).

So yes, technology is always in flux: always changing, always improving, always getting better,
making it easier for people to access network and internet resources.
Internet

It is the network of networks, the biggest network on the planet. It is the interconnection of
multiple smaller and bigger networks spanning the globe for different purposes.

It is the mutual agreement of different vendors to follow and use the OSI and TCP/IP standards
to create hardware and software compatible with each other.

It is the reason for current economic independence, social media connectivity, flexible work
culture and emerging concepts like work from home.
Intranet
It is the term given to the inside/private network of an organization.
Extranet
It is the term given to the outside network (the network of some other branch) of an organization.
1.3 What is a protocol?
It is a set of rules & regulations for doing something specific.
In networking, every task needs a particular protocol to perform its function. For example, to
send email you need SMTP. Following are some of the protocols used in networking: IP,
MAC, DNS and HTTP/HTTPS.
1.4 Network cables:
Following are some of the cables used in different types of networks:
• Co-axial (rarely used nowadays)
• Twisted pair (mostly used in LAN)
• Fiber (widely used in WAN)
1.5 Data transmission types:
Data transmission type means, when you are transferring some information in the network, how
many devices receive it at a time. There are 3 data transmission types:
1. Unicast (one to one communication)
2. Multicast (one to many or one to group communication)
3. Broadcast (one to all communication)
1.6 Data modes:

Data mode means the way data is sent and received between devices in a
network, i.e. whether two devices can send and receive data at the same time or not. There are 2
possible data modes:
1. Simplex

2. Duplex
Simplex – means one sided communication.
Duplex – means two sided communication.
Duplex mode is also of 2 types:

- Half duplex
- Full duplex
Half duplex – means only one side can communicate at a time.
Full duplex – means both of the sides can communicate simultaneously.

1.7 What to learn to start networking career?

IT and networking are ever-growing fields. But to master the advanced concepts and latest
technology trends, you will need to master the existing fundamental concepts first.
All technologies in IT are inter-related. For example, to learn Linux you will need to learn IP
addressing and other similar concepts.
Following are the topics to be mastered to enter networking:
- Network reference models like OSI and TCP/IP model
- IP addressing and Subnetting
- Network devices and network Cabling

2. OSI model
2.1 Types of network reference models
There are 3 network reference models, as follows:
1. OSI Model
2. TCP/IP Model
3. Cisco 3 Layer Architecture Model

The OSI model is used just for training purposes, to understand the logical flow of data in
networks.
The TCP/IP model is the actual implementation of the OSI model in the real world. It explains the
various protocols used for different purposes at different layers.
The Cisco 3 layer architecture model is a reference for network design.

Why OSI model?


- To create vendor independent networks
- To understand the logical flow of data across networks
- To make the troubleshooting process easier
2.2 OSI model: Introduction
Developed by ISO - International Organization for Standardization
Stands for - Open System Interconnect Model
It just explains how the internet works and how data flows in networks
It has no physical appearance in the network; it is only used for teaching purposes

2.2.1 Seven Layered architecture


7 – Application Layer
6 – Presentation Layer
5 – Session Layer
4 – Transport Layer
3 – Network Layer
2 – Data Link Layer
1 – Physical Layer
How to Remember
“Asman Pe Sitare The Nahi Dekh Paye” – for Hindi
“Always Pay Salute To Newton’s Discovered Physics” – for English
These 7 layers are further grouped into 2 categories for the sake of simplicity:
Upper Layers – closer to the user (also known as host layers or media layers)
Lower Layers – closer to the network (also known as network layers)
2.2.2 Upper layers
Application Layer
Presentation Layer
Session Layer
- These are the layers that generally deal with the applications only.
- They have no real involvement in the actual data packaging or transportation.
2.2.3 Lower layers
Transport Layer
Network Layer
Data Link Layer
Physical Layer
- These layers actually deal with how data is really transferred through the
network.
- The vast majority of network engineering is about these lower layers.
- You would be focusing on the upper layers if you are more of a programmer writing
applications.

Summary of OSI layers

2.2.4 Application layer


This layer provides an interface to the user to get on the network or to use the network.
E.g. Browsers, WhatsApp etc.
This is the layer which talks to the end hosts/devices.
E.g. Mail, Telnet, FTP etc.
Remember: Networking is all about using the applications over the network.
2.2.5 Concept of headers & trailers

2.2.6 Presentation layer


This layer makes sure that 2 end devices on the network can talk to each other and understand each
other regardless of the operating systems or encryption types they are using. Other functions:
- Encryption/Decryption
- Compression/Decompression
- Synchronization
2.2.7 Session layer
It handles the sessions between end hosts & web servers. That is to say, it starts, maintains
and terminates sessions between clients & servers. Everything on the web is handled
using sessions.
E.g. As long as you are using Gmail or Facebook, you are maintaining dedicated sessions
with their servers. Once you log out, you have terminated that session. Now, if you have to
log in again, you have to create a new session all over.
Note: Type ‘NETSTAT’ in your CMD and you will see the sessions I am talking about!
2.2.8 Transport layer
It breaks up data into smaller parts, as complete data can’t be sent over the
network as a single unit. So, it has to be divided into many smaller units (called
Data Units) before transmission at the sending side, which are then re-assembled at the
receiving side.

This whole process is known as Segmentation & these smaller units are known as Segments
at the transport layer. It establishes end-to-end connectivity using port numbers and ensures
reliable data delivery via error detection & re-transmission (using TCP).
Protocols Used: (TCP/UDP)
TCP is used for reliable communication (by the TCP 3-way handshaking process). E.g. SMTP, FTP
UDP is used for unreliable communication. E.g. Phone calls, Video calls
2.2.9 Concept of TCP/UDP port numbers

2.2.10 TCP 3-way handshaking process

2.2.11 Internet using sockets

2.2.12 Network layer


It provides connectivity & path selection – Routing (Packet Switching)
Defines logical addressing

- IPv4
- IPv6
Devices & Protocol at this layer:
- Router
- IPv4, IPv6, ICMP
Note: Type ‘IPCONFIG’ in your CMD and see the IP address details.
2.2.13 Data link layer
It completes the Final Formatting of the data before actually sending it over the physical
links.

Defines Physical Addressing – MAC addressing


Controls Error Detection – Cyclic Redundancy Check (CRC)
Devices & Protocols at L2 – Switches, Bridges, Wireless Access Points, Ethernet, PPP
2.2.14 Physical layer
It defines physical media properties:
• Electrical/ optical functions
• Physical data rates
• Physical connectors
• Cable distances
• Optical wavelengths
• Wireless frequencies
Devices & Protocols – Hubs, Repeaters, CAT cables, Fiber Optics etc.
2.2.15 PDU explained

Note: PC works at all seven layers.


2.2.16 Why layered architecture?
Devices only need to be aware of their own layer:
• Web servers don’t care if the requests are coming over wired cables or wireless
frequencies
• Switches don’t care if they are sending IPv4 or IPv6, as they have nothing to do
with it
Allows inter-operability between devices & vendors:
• Google Chrome can freely talk to an Apache server as they both agree on HTML
standards
• A HUAWEI Ethernet switch can talk to a D-Link Ethernet switch as they agree on
Ethernet standards
• A CISCO router can connect to a Juniper router as they agree on IP routing standards
2.2.17 Encapsulation and de-encapsulation
It is the process of:
• Breaking a large amount of data into smaller pieces
• Adding the information of each layer in the form of headers & trailers
• Creating a Protocol Data Unit (PDU)
So, basically a PDU is the resulting data that each layer creates.
• A header is added at the start of the data
• A trailer is added at the end of the data
Note: The data link layer is the only layer that uses a trailer as well as a header.

Encapsulation:
• Process of adding data formatting on the Sending Host to create a PDU
• It occurs when data moves down the OSI stack i.e. 7>6>5> and so on
• Data is passed to the layer below
• The process repeats until the physical layer is reached
De-Capsulation:
• Process of removing data formatting on the Receiving Host to retrieve information
from a PDU
• It occurs when data moves up the OSI stack i.e. 1>2>3 and so on
• Each layer removes its own header/trailer
• Data is then passed up to the layer above
• Process repeats until the application is reached
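The encapsulation and de-encapsulation walk just described, as an added example that is not from the original notes: a toy Python model in which the transport layer segments the data and adds a header, the network and data link layers add theirs, and only the data link layer adds a trailer (a CRC), which the receiver checks before stripping headers on the way back up. The header layouts, hosts, ports and MAC addresses are constructed stand-ins, not the real TCP, IP or Ethernet formats.

```python
import struct
import zlib

# Added example, not from the original notes: a toy model of encapsulation and
# de-encapsulation (sections 2.2.8, 2.2.13 and 2.2.17). The header layouts are
# simplified stand-ins chosen for this example, not the real TCP, IP or Ethernet formats.

SEGMENT_SIZE = 8                   # toy maximum segment size at the transport layer
L4_HDR = struct.Struct("!HHI")     # src port, dst port, sequence number (8 bytes)
L3_HDR_LEN = 8                     # src IP (4 bytes) + dst IP (4 bytes)
L2_HDR_LEN = 12                    # dst MAC (6 bytes) + src MAC (6 bytes)
L2_TRAILER = struct.Struct("!I")   # CRC-32 over header + payload (4 bytes)


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def segment(data: bytes) -> list:
    """Transport layer: split the application data into smaller units (segmentation)."""
    return [data[i:i + SEGMENT_SIZE] for i in range(0, len(data), SEGMENT_SIZE)]


def encapsulate(data, src_port, dst_port, src_ip, dst_ip, src_mac, dst_mac) -> list:
    """Sending host: data moves down the stack 4 > 3 > 2, each layer adding its header."""
    frames = []
    for seq, chunk in enumerate(segment(data)):
        seg = L4_HDR.pack(src_port, dst_port, seq) + chunk       # L4 PDU: segment
        packet = ip_bytes(src_ip) + ip_bytes(dst_ip) + seg        # L3 PDU: packet
        body = mac_bytes(dst_mac) + mac_bytes(src_mac) + packet   # L2 header added
        # Data link is the only layer that also adds a trailer: the CRC for error detection.
        frames.append(body + L2_TRAILER.pack(zlib.crc32(body)))  # L2 PDU: frame
    return frames


def decapsulate(frame: bytes) -> tuple:
    """Receiving host: data moves up the stack 2 > 3 > 4, each layer removing its own part."""
    body, trailer = frame[:-L2_TRAILER.size], frame[-L2_TRAILER.size:]
    if L2_TRAILER.unpack(trailer)[0] != zlib.crc32(body):
        # CRC check fails: the frame was corrupted in transit and is dropped at layer 2.
        raise ValueError("CRC mismatch: frame corrupted in transit")
    packet = body[L2_HDR_LEN:]                    # strip L2 header
    seg = packet[L3_HDR_LEN:]                     # strip L3 header
    _src_port, dst_port, seq = L4_HDR.unpack(seg[:L4_HDR.size])
    return seq, dst_port, seg[L4_HDR.size:]       # strip L4 header -> application data


def crc_check_passes(frame: bytes) -> bool:
    """True if the data link layer would accept this frame."""
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


def reassemble(frames) -> bytes:
    """Transport layer on the receiver: put the accepted segments back in sequence order."""
    pieces = {}
    for frame in frames:
        if not crc_check_passes(frame):
            continue   # dropped frame; with TCP the missing segment would be retransmitted
        seq, _, payload = decapsulate(frame)
        pieces[seq] = payload
    return b"".join(pieces[k] for k in sorted(pieces))


# Constructed sample input for a stand-alone run (hosts and ports are made up).
SAMPLE = b"Hello from the application layer!"   # 33 bytes -> 5 segments


def demo() -> bytes:
    frames = encapsulate(SAMPLE, 51000, 80, "192.168.10.5", "10.0.0.80",
                         "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02")
    return reassemble(frames)


if __name__ == "__main__":
    print(demo())
```

Flipping one bit in a frame makes the receiver's CRC differ from the trailer, so that frame is discarded and the reassembled data is missing its segment, which is the error-detection role of the data link layer.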
2.3 Where is OSI model helpful in real life?
When troubleshooting a network problem we often go up the OSI model:
Physical - Is the network cable plugged in?
Data Link - Do you have a link light?
Network - Are you getting an IP?
Transport - Can you ping your default gateway?
Session - Do you have DNS information?
– Can you ping 8.8.8.8 but not www.google.com?
Presentation & Application - Can you browse a website?

3. IP Addressing
3.1 3-tier IP address assignment architecture

What is IANA?
IANA – Internet Assigned Numbers Authority
It is the internet organization that handles the assignment of numbers used in networks
and the internet. For example:

- IP address (Internet Protocol Addresses)
- MAC address (Media Access Control Addresses)
- ASN (Autonomous System Numbers)
What is RIR?
RIR – Regional Internet Registries
For better and more effective management of addresses globally, IANA divided the operations of the
whole world into 5 different parts, known as RIRs.
Tier 1 ISP – ISP having its own undersea cabling and a direct contribution to the internet.
Tier 2 ISP – ISP having its addresses purchased from T1 ISPs.
Tier 3 ISP – ISP having its addresses purchased from T2 ISPs.
Note that T1 ISPs get their address blocks from the RIR itself, and RIRs are given the address
blocks directly by IANA.

So, you can understand that you don’t just directly get an internet address from IANA when
you are using home Wi-Fi or wired internet. You get an IP from your local vendor (a T3
provider), who gets its addresses from T2 providers, who in turn get their addresses from T1
providers like Jio.

So, this is how IP address assignment works and makes the internet possible
globally.
3.2 Introduction
• 32-bit binary number
• Has 2 parts: Network Part & Host Part
• A 32-bit long binary number is difficult for us to understand, so for simplicity it is
divided into 4 parts. Each part is 1 byte, called an octet:
• 1 Octet = 8 Bits
• This format is called ‘Dotted Decimal Notation’
• As each number is 1 byte (8 bits): 2^8 = 256, so the decimal range is 0 – 255
Note that the total count of values is still 256.
3.3 Classes of IP address
Total IPv4 Addresses are broken into 5 different classes: A, B, C, D, & E
Class is determined by first 4 most significant bits of 1st octet!
Class A (0 – 127) - It starts with 0XXXXXXX
Class B (128 – 191) - Starts with 10XXXXXX
Class C (192 – 223) - Starts with 110XXXXX
Class D (224 – 239) - Starts with 1110XXXX
Class E (240 – 255) - Starts with 1111XXXX
Each class divides an IP address into 2 parts:
Network Address – Used by network devices such as routers. E.g. 192.168.10.0
Host Address – Used by end devices like PCs. E.g. 192.168.10.5

3.4 Number conversion methods (binary to decimal and vice-versa)

3.5 Class A ip address


Class A: N.H.H.H
Network bits: 8
Host bits: 24
Total hosts: 2^24
Valid Address range: 1.0.0.0 to 126.255.255.255
Private address range: 10.0.0.0 to 10.255.255.255
Default subnet mask: 255.0.0.0
Reserved addresses: 0.0.0.0 for default route &
127.0.0.1 for loopback testing
Note: Class A address is used in very big enterprise networks!
3.6 Subnet mask

3.7 Class B ip address


Class B: N.N.H.H
Network bits: 16
Host bits: 16
Total hosts: 2^16
Address range: 128.0.0.0 to 191.255.255.255
Private address range: 172.16.0.0 to 172.31.255.255
Default subnet mask: 255.255.0.0
Reserved addresses: 169.254.0.0 for APIPA
(APIPA – Automatic Private IP Addressing)
Note: Class B address is used in moderate sized networks!
3.8 Class C ip address
Class C: N.N.N.H
Network bits: 24
Host bits: 8
Total hosts: 2^8
Address range: 192.0.0.0 to 223.255.255.255
Private address range: 192.168.0.0 to 192.168.255.255
Default subnet mask: 255.255.255.0
Reserved addresses: No address
Note: Class C address is used in very small networks!
3.9 Class D and E ip addresses
Not assigned to any host in any kind of network as they are reserved for:
Class D – for Multicasting & Class E – for Experimental uses
3.10 Reserved IP addresses
1. Default Route : 0.0.0.0
2. Loopback Address : 127.0.0.1
3. Link Local Address : 169.254.0.0
4. Multicast Addresses : 224.0.0.0 to 239.255.255.255

5. Future Usable Addresses : 240.0.0.0 to 255.255.255.255


3.11 Types of IP addresses

3.12 Public and private ip addresses


Public IP address:
These addresses are used on the WAN and are provided by internet service providers.
- Each customer needs a unique public IP address for the proper functioning of the
internet.
- E.g. 119.123.67.89
Private IP address:
These IP addresses are used in LANs and are chosen by network admins according to their
needs and the type of network.
- These addresses need not be unique; the same IP scheme can be used in multiple
networks.
- Some IP ranges have been reserved as private IP ranges, as discussed in the
previous slides.
- E.g. 192.168.20.47

3.13 Static and dynamic ip addresses


Static IP Address:
Manually configured addresses are known as static IP addresses.
- In such IP addressing schemes, the network admin has to manually configure the IP
address, subnet mask, default gateway etc.
- Used in small-scale networks; not convenient for bigger networks.
Dynamic IP Address:
Automatically configured IP addresses are known as dynamic IP addresses.
- A DHCP server is used to automatically provide the IP address, subnet mask, default
gateway etc.
- Very useful in larger networks.

4. Subnetting
4.1 Introduction

- Foundation of the Internet
- Essential knowledge for the administrator of any network
- Has proved its worth in areas like saving address space, security and traffic
control
4.2 What is subnetting?

It is the process of dividing a single network into multiple sub-networks by borrowing bits
from the host field and moving them to the network field. The result is a larger number of
sub-networks with fewer hosts per sub-net.
Note: It doesn't give you more hosts; it actually costs you 2 hosts per sub-network:
1 for the network address and 1 for the broadcast address. But, on a larger scale, it saves IP
addresses.
4.3 Need of subnetting?

• When company is using 2 or more different technologies (like Ethernet & token ring)
in their different LAN segments
• When hosts dominating most of the LAN bandwidth need to be isolated
• Breakdown network to decrease latency
• Breakdown broadcast domain to reduce network congestion
• To restrict 2 network segments by distance limitations
Note: CISCO recommends less than 500 hosts in one subnet.

4.4 Subnetting of class C


192.168.1.0 /24 = the network that needs to be sub-netted
By default, we have 256 (total) addresses in a class C network.
But what if I only need 30 hosts in a network, or 5 sub-networks each with 30 hosts?
Here comes the concept of subnetting!
By Default:
192.168.1.0/24
11111111.11111111.11111111.00000000 /24
With Subnetting:
11111111.11111111.11111111.11100000 /27
The trick for doing Subnetting is to find out the required magic number which is the “Prefix
Notation”
Prefix Notation:
It is the total number of network bits in a network address which is the “/” value.
192.168.1.0 /24
By Default:
11111111.11111111.11111111.00000000 /24 (24=P.F Notation)
With Subnetting:
11111111.11111111.11111111.11100000 /27 (27=P.F Notation)
So, Subnetting is all about changing P.F Notations.
Default / values of different IP classes:
Class A - /8
Class B - /16
Class C - /24
Look at it this way, using this example:
the 256 addresses are divided among a number of sub-networks that is a power of 2
(2, 4, 8, 16, etc.).
So, if I need to break a class C network into 2 sub-networks, its binary value will look like
this:
11111111.11111111.11111111.10000000 /25

Borrowing a bit from the host portion (each borrowed bit doubles the number of
sub-networks, as we are using the binary system) means changing the PF notation.
For 4 sub-networks:
11111111.11111111.11111111.11000000 /26
For 8 sub-networks:
11111111.11111111.11111111.11100000 /27
& so on...
This is how sub-netting is done on the basis of the number of sub-networks needed:
we borrow bits from the host portion and increase the network bits
(converting the host's 0s into network 1s from left to right in the host portion).
The following is how sub-netting is done on the basis of the number of IP addresses/hosts
needed:
in this case, we reduce the number of host bits (keeping as many host bits as
needed, from right to left, and converting all the remaining 0s into 1s).
For <= 254 hosts, use 8 host bits (0s), as 2^8 = 256 (minus network and broadcast)
Similarly:
2^7 = 128 addresses: up to 126 hosts
2^6 = 64 addresses: up to 62 hosts
2^5 = 32 addresses: up to 30 hosts
2^4 = 16 addresses: up to 14 hosts
2^3 = 8 addresses: up to 6 hosts
2^2 = 4 addresses: up to 2 hosts
Why are 6 bits needed for 60 hosts?
Convert 60 to binary: 111100
As we can see, 6 bits are needed to represent a number equal to 60!
This is the reason behind the following pattern:
256 – 2^8
128 – 2^7
64 – 2^6
And so on...
Like if we need 5 hosts in a sub-net;

11111111.11111111.11111111.11111000 /29
255.255.255.248
Or if we need 12 hosts per sub-network:
11111111.11111111.11111111.11110000 /28
255.255.255.240
Similarly, for 50 hosts per sub-network:
11111111.11111111.11111111.11000000 /26
255.255.255.192
4.5 Subnet mask and subnetting
What is Subnet Mask?
It is a 32-bit value that tells us the total number of network bits and host bits in an IP
address, i.e. it separates the network part from the host part.
192.168.1.0/24
By Default:
11111111.11111111.11111111.00000000 /24 (N/W bits=24; Host bits=8)
255.255.255.0
With Subnetting:
11111111.11111111.11111111.11100000 /27 (N/W bits=27; Host bits=5)
255.255.255.224
How is it calculated?
11111111.11111111.11111111.00000000 /24
Let's take a single octet (8 bits) of the network portion for explanation:
1 1 1 1 1 1 1 1
128 64 32 16 8 4 2 1
Now, add the numbers falling under all the 1s to get the desired subnet mask.
Here it is: 128+64+32+16+8+4+2+1 = 255
11111111.11111111.11111111.11100000 /27
1 1 1 0 0 0 0 0
128 64 32 0 0 0 0 0

128+64+32+0+0+0+0+0 = 224
192.168.1.0 /26
11111111.11111111.11111111.11000000
It will result in:
255.255.255.192
Similarly: 192.168.1.0 /29
11111111.11111111.11111111.11111000
255.255.255.248
Note: For all 1's in the octet, subnet mask will always be 255
Note: Don't add the numbers falling under 0s
Subnetting of 192.168.1.0 /27
Let’s understand Subnetting by dividing it into 4 simple steps:
1st Step
Calculate total no. of sub-networks formed by new PF notation!
Formula is = 2^no of on bits (bits borrowed from host portion)
2^3 = 8
So, total 8 sub-networks will be created by using / 27 notation.
2nd Step
Calculate total no. of hosts (IP addresses) per sub-net!
Formula is = 2^no of off bits (remaining host bits)
2^5 = 32
So, there will be 32 hosts available per sub-net.
3rd Step
Calculate the IP range which will be used to create 8 sub-network blocks!
For the sake of simplification, consider it like this:
As we know, without subnetting there are 256 total addresses in one class C network,
which range from 0 to 255 (not from 1 to 256), because we are using the binary number
system.
In the same way; With Subnetting here;
Total no. of hosts per subnet = 32

IP range = 0 to 31 (0.0.0.31)
Note: There is an alternate way also. (Using subnet masks)
Default subnet mask of class C:
255.255.255.0
New obtained subnet mask after Subnetting:
255.255.255.224
Now, to find the IP range, use this formula:
  255.255.255.255   (all-ones mask)
- 255.255.255.224   (new obtained subnet mask)
-----------------
    0.  0.  0. 31
So, it's clear that either way gives the same IP range.
4th Step
Find out the address blocks of all 8 sub-networks formed!
1st Subnet:
192.168.1.0 + IP Range means 192.168.1.0 + 0.0.0.31
= 192.168.1.0 – 192.168.1.31
This is the range of the first sub-network's address block, where
192.168.1.0 = Network Address &
192.168.1.31 = Broadcast Address
Neither of these addresses can be assigned to any host in the network.
So, out of 32 total addresses, only 30 hosts are usable.
Remember:
192.168.1.31 is the broadcast address of the first sub-net block, so the second block will start
with the next number, which is 192.168.1.32.
2nd Subnet:
192.168.1.32 + IP Range = 192.168.1.32 + 0.0.0.31
= 192.168.1.32 – 192.168.1.63

Similarly:
3rd: 192.168.1.64 – 192.168.1.95
4th, 5th and so on…
8th: 192.168.1.224 – 192.168.1.255
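The classful rules of sections 3.3 to 3.12 and the four-step subnetting method above, worked in Python as an added example (this is not code from the original notes). It uses only the standard library ipaddress module, and every sample address is constructed.

```python
"""Added example (not part of the original study notes): IPv4 classful analysis
and subnet enumeration following the rules stated in the notes."""
import ipaddress

# Section 3.3: the class is decided by the leading bits of the first octet.
def ipv4_class(ip: str) -> str:
    first = ipaddress.IPv4Address(ip).packed[0]
    if first & 0x80 == 0x00:   # 0xxxxxxx -> 0-127
        return "A"
    if first & 0xC0 == 0x80:   # 10xxxxxx -> 128-191
        return "B"
    if first & 0xE0 == 0xC0:   # 110xxxxx -> 192-223
        return "C"
    if first & 0xF0 == 0xE0:   # 1110xxxx -> 224-239
        return "D"
    return "E"                 # 1111xxxx -> 240-255

# Default prefix ("/" value) per class, sections 3.5-3.8.
DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}

# Reserved and private ranges from sections 3.5-3.10 and 3.12 (most specific first).
SPECIAL_RANGES = [
    ("default route", ipaddress.ip_network("0.0.0.0/32")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("link-local (APIPA)", ipaddress.ip_network("169.254.0.0/16")),
    ("private", ipaddress.ip_network("10.0.0.0/8")),
    ("private", ipaddress.ip_network("172.16.0.0/12")),
    ("private", ipaddress.ip_network("192.168.0.0/16")),
    ("multicast", ipaddress.ip_network("224.0.0.0/4")),
    ("experimental", ipaddress.ip_network("240.0.0.0/4")),
]

def address_scope(ip: str) -> str:
    """Label an address as private/reserved or public. When reviewing logs, a
    'public' interface seeing a private or reserved source is worth a look."""
    addr = ipaddress.IPv4Address(ip)
    for label, net in SPECIAL_RANGES:
        if addr in net:
            return label
    return "public"

def mask_from_prefix(prefix: int) -> str:
    """Section 4.5: 'prefix' leading 1 bits then 0 bits. Adding the place values
    under the 1s (128+64+32 = 224 for /27) equals shifting all-ones left."""
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))

def prefix_for_hosts(base_prefix: int, hosts_needed: int) -> int:
    """Section 4.4 (hosts-based): keep the fewest host bits h with 2^h - 2 >= need."""
    for host_bits in range(2, 32 - base_prefix + 1):
        if 2 ** host_bits - 2 >= hosts_needed:
            return 32 - host_bits
    raise ValueError("requirement does not fit in the base network")

def prefix_for_subnets(base_prefix: int, subnets_needed: int) -> int:
    """Section 4.4 (subnets-based): borrow the fewest host bits b with 2^b >= need."""
    borrowed = 0
    while 2 ** borrowed < subnets_needed:
        borrowed += 1
    if base_prefix + borrowed > 30:   # keep at least 2 host bits
        raise ValueError("not enough host bits to borrow")
    return base_prefix + borrowed

def subnet_summary(network: str, new_prefix: int) -> dict:
    """Steps 1-3 of section 4.5: sub-network count, block size and new mask."""
    base = ipaddress.ip_network(network, strict=False)
    borrowed = new_prefix - base.prefixlen
    host_bits = 32 - new_prefix
    return {
        "subnets": 2 ** borrowed,
        "addresses_per_subnet": 2 ** host_bits,
        "usable_per_subnet": 2 ** host_bits - 2,
        "mask": mask_from_prefix(new_prefix),
    }

def enumerate_subnets(network: str, new_prefix: int) -> list:
    """Step 4 of section 4.5: (network, first host, last host, broadcast) per block.
    Intended for new_prefix <= 30 so that each block has usable host addresses."""
    base = ipaddress.ip_network(network, strict=False)
    rows = []
    for sub in base.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())
        rows.append((str(sub.network_address), str(hosts[0]),
                     str(hosts[-1]), str(sub.broadcast_address)))
    return rows

if __name__ == "__main__":
    # Constructed sample addresses, then the notes' own case: 192.168.1.0/24 into /27s.
    for ip in ("10.1.2.3", "172.20.5.6", "192.168.20.47", "119.123.67.89",
               "169.254.1.9", "224.0.0.5"):
        cls = ipv4_class(ip)
        print(f"{ip:15} class {cls}  /{DEFAULT_PREFIX.get(cls, '-')}  {address_scope(ip)}")
    print(subnet_summary("192.168.1.0/24", 27))
    for row in enumerate_subnets("192.168.1.0/24", 27):
        print("%-14s hosts %-14s- %-14s broadcast %s" % row)
```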
4.6 Subnetting in 5 simple steps

Subnetting of class C with example

Subnetting of class B with example

4.7 Types of subnetting

5. Network devices
5.1 Types of network devices

- Hub
- Bridge
- Switch
- Router
- Gateway
- Access Point (AP)
- Firewall (FW)
- Wireless Controller (WLC)
- Private Branch Exchange (PBX)
5.2 Hub
Hub is a device that allows multiple computers to communicate with each other over a
network. It has several Ethernet ports that are used to connect two or more hosts together.
Each computer or device connected to the hub can communicate with any other device
connected to one of the hub's Ethernet ports.
Hubs are similar to switches, but are not as "smart." While switches send incoming data to a
specific port, hubs broadcast all incoming data to all active ports. For example, if five devices
are connected to an 8-port hub, all data received by the hub is relayed to all the five active
ports. While this ensures the data gets to the right port, it also leads to inefficient use of the
network bandwidth.
For this reason, switches are much more commonly used than hubs.
Disadvantages of hub
- It uses more of the network's bandwidth due to unnecessary broadcasts.
- Hubs work in half duplex, which means a hub can't send and receive data at the same
time.
- Because of this, data collisions may occur, which can corrupt data and require it to be
sent again.
Hubs in brief
• Layer 1 devices, called dumb devices because they always broadcast
• 1 Collision Domain
• 1 Broadcast Domain
• Work on half duplex
• Wasted bandwidth
• Security risks
• Use the CSMA/CD method to recover from collisions
• Replaced by switches

5.3 Bridge
A bridge connects two or more local area networks (LANs) together. It is a layer 2 device
which works on MAC addresses and understands frames. It usually has 2 ports and segments
a LAN into smaller sections. It has multiple collision domains (usually 2) within a single
broadcast domain, which means data can be sent or received on each segment of the
network at the same time.

A bridge can transfer data between different protocols and technologies (e.g. a Token Ring
and an Ethernet network). The device is similar to a router, but it does not analyze the data
being forwarded. Because of this, bridges are typically fast at transferring data, but not as
versatile as a router. A bridge cannot be used as a firewall like most routers can be.
Nowadays bridges are no longer used; they have been replaced by switches.

Functions of a bridge

- It allows a single LAN to be extended to greater distances. You can join different
types of network links with a bridge while retaining the same broadcast domain.
- For example, you can bridge two distant LANs with bridges joined by fiber-optic
cable.
- A bridge forwards frames, but a filtering mechanism can be used to prevent
unnecessary frames from propagating across the network.
- They provide a barrier that keeps electrical or other problems on one segment from
propagating to the other segment.
- A bridge isolates each LAN from the collisions that occur on other LANs. Thus, it
creates separate collision domains within the same broadcast domain.
Remember:
• On Ethernet networks, collisions occur when two nodes attempt to transmit at the
same time.
• As more nodes are added to a network, collisions increase.

• A bridge can be used to divide a network into separate collision domains while
retaining the broadcast domain.
• A broadcast domain is basically a LAN as compared to an internetwork, which is
multiple LANs connected by routers.
• In a broadcast domain, any node can send a message to any other node using data
link layer addressing, while a routed network requires internetwork addressing.
5.4 Switch

A switch is used to connect multiple end devices together to form a network. Switches
come with more ports than hubs, generally 12, 24 or 48 Ethernet ports. These ports
can connect to computers, cable or DSL modems, and other switches. High-end switches can
have more than 50 ports and are often rack mounted.
Switches are more advanced than hubs and less capable than routers. Unlike hubs, switches
can limit the traffic to and from each port so that each device connected to the switch has a
sufficient amount of bandwidth.
For this reason, you can think of a switch as a "smart hub." However, switches don't provide
the firewall and logging capabilities that routers do.
Switches in brief
• Layer 2 device
• Intelligent devices: broadcast once, then unicast
• Work on MAC addresses
• Understand frames
• Can work in both full duplex and half duplex
• Have multiple collision domains
• Have a single broadcast domain
• Save bandwidth compared to a bridge
• Increased security
5.5 Router
This is a hardware device that routes data (hence the name) from a local area network (LAN)
to another network connection. So, a router is used to connect two networks, internal and
external. It is also used to find the best path for packets to travel through the network.
It can have other functions as well, like packet filtering.
Routers in brief
- Layer 3 device
- Work on IP address
- Understand packets
- Few ports in compare of switch
- Can be used as a firewall
- Have multiple broadcast domains

- By default, never forward broadcast traffic
- Used to forward traffic on the basis of certain parameters
5.5 Comparison of hub, switch & router

5.6 Gateway
A gateway is a hardware device that acts as a "gate" between two networks. It may be a
router, firewall, server, or other device that enables traffic to flow in and out of the
network.
While a gateway protects the nodes within network, it is also a node itself. The gateway
node is considered to be on the "edge" of the network as all data must flow through it
before coming in or going out of the network.
It may also translate data received from outside networks into a format or protocol
recognized by devices within the internal network.

A router is a common type of gateway used in home networks. This is the reason it is known
as default gateway.
It allows computers within the local network to send and receive data over the Internet.

A firewall is a more advanced type of gateway, which filters inbound and outbound traffic,
disallowing incoming data from suspicious or unauthorized sources.

A proxy server is another type of gateway that uses a combination of hardware and
software to filter traffic between two networks. For example, a proxy server may only allow
local computers to access a list of authorized websites.
5.7 Access point
An access point is a device, such as a wireless router, that allows wireless devices to connect
to a network. Most access points have built-in routers, while others must be connected to a
router in order to provide network access. In either case, access points are typically
hardwired to other devices, such as network switches or broadband modems.

Access points can be found in many places, including houses, businesses, and public
locations. In most houses, the access point is a wireless router, which is connected to a DSL
or cable modem. However, some modems may include wireless capabilities, making the
modem itself the access point.

Large businesses often provide several access points, which allows employees to wirelessly
connect to a central network from a wide range of locations. Public access points can be
found in stores, coffee shops, restaurants, libraries, and other locations.
While access points typically provide wireless access to the Internet, some are intended only
to provide access to a closed network. For example, a business may provide secure access
points to its employees so they can wirelessly access files from a network server.
Also, most access points provide Wi-Fi access, but it is possible for an access point to refer
to a Bluetooth device or other type of wireless connection.
However, the purpose of most access points is to provide Internet access to connected
users.

It may also be abbreviated AP or WAP (for wireless access point). However, WAP is not as
commonly used as AP since WAP is the standard acronym for Wireless Access Protocol.

5.8 Firewall
Firewall is a network security device. It can be either hardware or software. A hardware
firewall acts as a barrier between a trusted system or network and outside connections,
such as the Internet.
However, a computer or software firewall is more of a filter than a wall, allowing trusted
data to flow through it. Software firewalls are more common for individual users and can be
custom configured via a software interface. Both Windows and OS X include built-in
firewalls.

Many businesses and organizations protect their internal networks using hardware firewalls.
A single or double firewall may be used to create a demilitarized zone (DMZ), which
prevents untrusted data from ever reaching the LAN.
DMZ – collection of servers which are available for public uses. They are kept separate from
other dedicated LAN servers.

5.9 Wireless LAN controller

A WLAN controller manages wireless network access points that allow wireless devices to
connect to the network. What a wireless access point does for your network is similar to
what an amplifier does for your home stereo.
It takes the bandwidth coming from a router and stretches it so that many devices can go on
the network from farther distances away.

5.10 IP Phone
As technology evolves, so does the voice industry. Traditional landline phones are being
replaced with IP phones. These phones run on existing Ethernet links (RJ-45 ports) instead of
old RJ-11 lines.

5.11 PBX
PBX stands for Private Branch Exchange, which is a private telephone network used within a
company or organization.
The users of the PBX phone system can communicate internally (within their company) and
externally (with the outside world), using different communication channels like Voice over
IP, ISDN or analog.

6. Basics of Cisco routers & IOS


6.1 Router memories

1. ROM
2. Flash
3. NVRAM
4. VRAM
6.1.1 ROM (Read only Memory)

- Holds the diagnostic software used when the router is powered up.
- Stores the router's bootstrap program.
What is the bootstrap all about?
Well, when you turn on the router, it needs something to tell it what to do, and that's what
we find in the bootstrap.
So what do we need it to do?
Well, I need my device to check the hardware, see what's installed, look at the various
components, and make sure they're functioning properly. And what do we call that
particular phase?
- POST (Power On Self-Test)
6.1.2 Flash memory
- Contains the operating system (Cisco IOS)
- VLAN.dat (Information of virtual LANs in switches)
6.1.3 NVRAM
Stores startup configuration.
This may include IP addresses (routing protocol, hostname of a router).
Startup-configuration:
It's a backup copy of your running configuration and it's stored in NVRAM because NVRAM
is nonvolatile.
6.1.4 VRAM
- Contains the running copy of the configuration file.
- Stores the routing table.
- ARP information can be stored here.
And remember, RAM is volatile. – Power is turned off, everything in RAM is gone.

6.1.5 Router boot process
ROM – Bootstrap program, POST
FLASH – Find & load IOS
NVRAM – Load saved configuration (also known as startup-config)
VRAM – Stores running configuration only
6.2 Router identification:
Ports: WAN ports, LAN ports, console port
6.2.1 Types of modules
LAN and WAN

6.2.2 LAN ports
- Ethernet port or Eth (10 mbps – rare these days)
- Fast Ethernet port or Fe (100 mbps – 2 ports generally on branch routers)
- Gigabit Ethernet or Gig (1000 mbps – for higher throughput)
- 10 Gigabit Ethernet or 10 Gig (10,000 mbps – in higher end routers)
6.2.2 WAN ports
WAN ports are also known as WICs – WAN Interface Cards
There are 2 types of WIC:
1. WIC 1T
One port in one slot (1.544 mbps – known as a Serial port)
2. WIC 2T
Two ports in one slot (2.048 mbps – known as a Smart serial port)
6.3 Taking console of a router
Console port is needed on the network devices for the initial configurations
- Console port can be used to troubleshoot the bootup process
- It can also be used for out of band management
- Console port is RJ-45 port with 8 pins
6.3.1 Initial connection
Console cable is needed to connect the network device to the computer

One side of console cable is 8 pin RJ-45 used to connect to the console port of router, while
other side is RS-232 serial port which is connected on the PC’s serial port.
Note: Console cable maybe of the following types:
RJ-45 to RS-232
RJ-45 to USB
USB to USB

6.3.2 Console access and terminal emulation: Putty


A 3rd party software used to configure router using console port and console cable.

6.4 Introduction to Cisco IOS

6.4.1 Cisco IOS
• IOS is the operating system used on the majority of Cisco devices like routers and
switches.
• Previously, Cisco Catalyst switches used CatOS, which was then replaced with IOS.
• Cisco's PIX firewall used the Finesse operating system, which was then replaced with IOS.
• The command line interfaces of all of these operating systems are mostly identical.
• It has been under continuous development since 1984.
• It is a gigantic single image which is coded in the C language.
• The current stable version of Cisco IOS is 15.8
• IOS configuration is usually done through a text-based command line interface (CLI).
• The core function of Cisco IOS is to enable data communications between
network nodes.
6.4.2 IOS functions

Cisco IOS also offers dozens of additional services that an administrator can use to improve
the performance and security of network traffic, like:

• Encryption
• Authentication
• Firewall capabilities
- Policy enforcement
- Deep packet inspection
• Quality of service
• Intelligent routing and
• Proxy capability etc.
In Cisco's Integrated Services Routers (ISRs), IOS can also support call processing and unified
communications services.
6.4.3 IOS versions
For cisco, there are 4 IOS version:
1. LAN Lite
2. LAN Base
3. IP Base and
4. IP Service

Source:http://nhprice.com/comparison-of-cisco-ios-image.html
6.4.4 IOS variants
There are three variants of the operating system:

- IOS XE
- IOS XR &
- Nexus OS

IOS XE runs on enterprise-grade Cisco ISRs, Aggregation Services Routers and Catalyst
switches.
IOS XR runs on Cisco's service provider products, such as its Carrier Routing System routers.
Nexus OS runs on Cisco's Nexus family of data center switches.

6.4.5 IOS version selection


The most important factors to take into account are:
1. Hardware Support
Use CFN – cisco feature navigator
2. Feature Support
#show version – shows the features of your IOS
3. Cisco IOS Software Release Version
Whether it is a major, minor or maintenance release.
4. Memory Requirements
#show version – shows the details of all router memories
6.5 IOS working modes
6.5.1 Modes of a router
There are 3 working modes of a cisco router:
1. User execution mode
2. Privilege execution mode
3. Global configuration mode
Each mode has its own designated functions, command sets and access rights.
6.5.2 Functions of router modes
1. User execution mode
- It is used for basic monitoring and troubleshooting purposes.
- It is mainly used for password security implementation.
Some important commands of 1st mode are: Ping, Traceroute, Telnet and SSH
2. Privilege execution mode

- It is used mainly for displaying outputs of the router functions by using show
command.
- It is also used for saving and deleting configurations.
Some important commands of 2nd mode are: Copy, Show, Delete, Erase, Reload and Setup
3. Global configuration mode
- It is used for the execution of all major commands of the router.
- It is used for assigning ip address on the router interface, to change the hostname, to
run the routing protocols and all similar advanced stuff.

As all of the commands run in this mode (even the commands of the first and second
modes), it is called the global configuration mode.
6.5.3 Sub-working modes of a router
There are some sub-modes of a router:
1. Interface sub mode
When you are in some interface of a router.
Router(config-if)#
2. Line sub mode
When you are in console mode.
Router(config-line)#
3. Protocol sub mode
When you are running some routing protocol.
Router(config-router)#
6.5.4 Router mode navigation
Exit drops back down a level.
Router(config)# exit
Router# exit
Router>
End drops back to Privilege Exec Mode from any level.
For example:
Router(config)# interface fa0/1
Router(config-if)# end
Router#
6.5.5 Some important 2nd mode commands
#clock – to set date & time settings
#copy – to copy data from one location to another
#debug – to troubleshoot network problems
#delete – to delete the content of flash memory
#erase – to erase the content of NVRAM
#ping – to check the connectivity between two nodes in the network

#reload – to restart the router
#ssh – to take remote access (secure)
#telnet – to take remote access (unsecure)
#write – to save the content of VRAM into NVRAM
6.5.6 Important show commands
#show arp – to check the mac addresses learned by the router
#show cdp neighbors – to check the details of neighbor cisco devices
#show controllers – to see the details of serial interface (DCE or DTE side)
#show flash – to see the content of flash memory
#show interfaces – to see the complete details of all interface of a router
#show ip interface brief – to see the brief details of all interfaces of a router
#show processes – to see the currently running process of a router
#show protocols – to see which routing protocols are running on the router
#show running-config – to see the content of VRAM of the router
#show sessions – to see all the remote (telnet/ssh) sessions of a router
#show startup-config – to see the content of NVRAM of the router
6.5.7 Configuration registers

- IOS is stored in flash memory


- Startup configuration file is stored in NVRAM
- Running configuration is stored in VRAM
6.5.8 Saving configuration files: copy commands
To save the content of VRAM into NVRAM:
#copy running-config startup-config OR
#copy run start
To save the content of VRAM into Flash:
#copy run flash:
To save the content of NVRAM into Flash:
#copy start flash:
6.5.9 Deleting configuration files: erase and delete commands
To delete the IOS:

#show flash: – copy the filename of the IOS image
#delete flash:<filename> – paste the filename copied above and press enter
#reload
rommon1>
To delete the content of NVRAM:
#write erase OR
#erase startup-config
To delete the content of VRAM:
Just reload the router or switch.
6.6 Router basic commands
6.6.1 Interface configuration
Router(config)# interface fa0/1
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit

6.6.2 Hostname configuration
- A descriptive hostname makes it easier to identify the device.
- It is also helpful in troubleshooting.
Router(config)# hostname ISP_Router
(It can be any convenient name, suitable for your network requirement.)
6.6.3 Description
Interface description can also be very useful in troubleshooting.
Router(config)# interface fa0/1
Router(config-if)# description “Link to R1”
Write something specific to that particular interface.

Router(config-if)# exit
Router(config)# do show run
Command to verify the description set on the router interface.
6.6.4 Speed & duplex settings
- Interface speed & duplex are set to ‘auto’ by default.
- Both sides of a link should auto-negotiate to full duplex and the fastest available speed.
- Best practice is to manually set the speed & duplex on ports which are connected to
another network infrastructure device or server.
- It is very important to set matching speed and duplex settings on both sides of the
link.
Router(config)# interface fa0/0
Router(config-if)# duplex full
Router(config-if)# speed 100
Router(config-if)# exit
Router(config)#
Router(config)# do show run
6.7 Router memories backup & restore
6.7.1 TFTP server setup
- Download & install a TFTP server application on the PC.
- In this way, the PC will act as a TFTP server and the router will act as a TFTP client.
- We can now transfer data between the router and the PC.

6.7.2 TFTP conditions
- Router port fa0/0 should be used instead of fa0/1
- A cross cable should be used to connect the router with the PC
- The router and PC must be on the same network.
6.7.3 Backup using TFTP server
How to back-up the NVRAM on TFTP server:
#copy startup-config tftp:
- Press enter and provide ip address of tftp server
- Press enter and provide destination filename – keep the same filename
How to back up the IOS on the TFTP server:
#show flash: – copy the IOS filename
#copy flash: tftp:
- Provide source filename copied above and press enter
- Provide the ip address of tftp server and press enter
- Keep the same name as destination filename and press enter
6.7.4 Restoring files using TFTP
How to restore the IOS from the TFTP server to Flash:
#copy tftp: flash:
- Provide the ip address of the tftp server and press enter
- Provide the source filename (the file stored on the tftp server)
- Keep the same name as the destination filename and press enter twice
How to restore startup-config file from TFTP server to NVRAM:
#copy tftp: startup-config
- Provide the ip address of tftp server and press enter
- Provide the source filename (file which is stored on tftp server)
- Keep the same name as destination filename and press enter
6.8 IOS clean installation
6.8.1 IOS installation using TFTP server (when there is no IOS in the router)
This method is used when the router or switch doesn't have an IOS image file installed.
To do this, run the following commands in exact order in rommon mode:
Rommon> tftpdnld
Rommon> IP_ADDRESS=10.0.0.1

Rommon> IP_SUBNET_MASK=255.0.0.0
Rommon> IP_DEFAULT_GATEWAY=10.0.0.2
Rommon> TFTP_SERVER=10.0.0.2
Rommon> TFTP_FILE=manav.bin (type the IOS filename which is stored on the tftp server)
Rommon> tftpdnld
Type “y” on the output screen.
Rommon> set
Rommon> reset
6.9 IOS upgrade and licensing
6.9.1 IOS backup
- Copies of the device’s system IOS image and configuration can be saved to Flash,
TFTP, or USB.
- If you copy a configuration file into the running-config, it will be merged with the
current configurations.
- To replace a configuration, factory reset the device and then copy the new
configuration into the startup-config.
#copy flash: tftp
#copy start tftp
#copy run usb
6.9.2 Factory reset
How to factory reset a router:
Router# write erase
Factory resetting a router means erasing the startup configuration of the router.
Reload the router afterwards so that it boots up with a blank configuration.
6.9.3 IOS image upgrade
IOS software images can be downloaded from: https://software.cisco.com/
After downloading the software, copy it to the device's flash using a TFTP server:
#copy tftp flash:
Delete the old system image, or use the 'boot system' command to change the boot image:
#boot system

6.9.5 IOS licensing
- Prior to IOS 15.0, different IOS system images were available for different feature sets, such as security or telephony.
- Licensing was not enforced.
- From IOS 15.0 onwards, a single universal system image is provided.
- A license code must be entered to activate a technology package.
6.9.6 Licensing procedure
When you purchase a license, you are provided with a Product Activation Key (PAK) code.
The license is tied to an individual device. To get the device's Unique Device Identifier (UDI), enter the following command:
#show license udi
Go to the Cisco license portal https://www.cisco.com/go/license and enter the PAK code and UDI to generate the license.
Copy the license file to the flash of the router, then install and verify it:
#license install flash:
#show license
6.10 Password setting
6.10.1 Types of passwords
1. Console password
2. User mode password
- Enable password
- Enable secret
3. Aux password
4. Telnet password
5. SSH password
6.10.2 Console password
It is used to restrict access to the Cisco device through the console port to authorized users only. It is applied on the physical line of the device (line console).
()# line console 0
(-line)# password ****
(-line)# login

(-line)# exit
6.10.3 User password

6.10.4 AUX password
It is used to restrict access to the Cisco device through the auxiliary port to authorized users only. It is applied on the physical line of the device (line aux).
()# line aux 0
(-line)# password ****
(-line)# login
6.10.5 Telnet password
()# line vty 0 15
(-line)# password ****
(-line)# login
6.10.6 SSH password
()# line vty 0 15
(-line)# transport input ssh
(-line)# password ****
(-line)# login
6.11 Telnet & SSH configuration
6.11.1 Telnet V/S SSH

6.11.2 Telnet conditions
Following are the conditions to enable Telnet on a Cisco device:
1. Set hostname (unique on each device)
2. Set user password (enable secret)
3. Set Telnet password (line vty)
6.11.3 Telnet configuration
1. Set hostname
()#hostname R1
2. Set user password
()#enable secret 123
3. Set telnet password
()# line vty 0 15
(-line)# password 321
(-line)# login
How to access a device using telnet:
# telnet (ip of remote device)
# telnet 192.168.10.1
6.11.4 SSH conditions
Following are the conditions to enable SSH on a Cisco device:
1. Set hostname (unique on each device)
2. Set user password (enable secret)
3. Set SSH password (line vty)
4. Set domain-name
5. Generate crypto keys
6.11.5 SSH configuration
1. Set hostname
()#hostname R1
2. Set user password
()#enable secret 123

3. Set SSH password
()# line vty 0 15
(-line)# transport input ssh
(-line)# password 321
(-line)# login
4. Set domain-name
()# ip domain-name (any name)
For example:
()# ip domain-name cisco
5. Generate crypto keys
()# crypto key generate rsa
Press enter twice to accept the prompts.
How to access a device using SSH:
# ssh -l (username) (remote device ip address)
# ssh -l cisco 192.168.10.1
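The Telnet and SSH conditions above can be checked mechanically. The following Python script is an added example, not part of the original notes and not a Cisco tool: it parses a running-config, verifies the SSH prerequisites (hostname, enable secret, ip domain-name, RSA keys) and flags any vty line that still permits cleartext Telnet. The sample configuration is constructed for illustration, and one assumption is marked in the code: a vty line with no 'transport input' statement is treated as 'transport input all'.

```python
# Constructed sample running-config (not captured from a real device).
SAMPLE_RUNNING_CONFIG = """\
hostname R1
enable secret 5 $1$abcd$PLACEHOLDERHASH
ip domain-name cisco
line con 0
 password consolepw
 login
line aux 0
 password auxpw
 login
line vty 0 4
 password telnetpw
 login
 transport input telnet
line vty 5 15
 password telnetpw
 login
 transport input ssh
"""


def parse_running_config(config):
    """Split a show-run text into global commands and per-'line' sub-commands."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw[len("line "):].strip()      # e.g. "vty 0 4"
            sections[current] = []
        else:
            current = None
            if raw.strip():
                global_cmds.append(raw.strip())
    return global_cmds, sections


def audit_remote_access(config, rsa_keys_present=True):
    """Return findings as strings; an empty list means the SSH prerequisites hold
    and no vty line accepts cleartext Telnet.  rsa_keys_present must be taken from
    'show crypto key mypubkey rsa', because key pairs do not appear in the config."""
    global_cmds, sections = parse_running_config(config)
    findings = []
    if not any(c.startswith("hostname ") for c in global_cmds):
        findings.append("no hostname configured")
    if not any(c.startswith("enable secret ") for c in global_cmds):
        findings.append("no enable secret configured")
    if not any(c.startswith("ip domain-name ") for c in global_cmds):
        findings.append("no ip domain-name configured (needed before crypto key generate rsa)")
    if not rsa_keys_present:
        findings.append("no RSA key pair present (run crypto key generate rsa)")
    for name, cmds in sections.items():
        if not name.startswith("vty"):
            continue
        # Assumption for this example: a vty line without a 'transport input'
        # statement is treated as 'transport input all' (the old IOS default).
        transport = next((c for c in cmds if c.startswith("transport input ")),
                         "transport input all")
        allowed = set(transport.split()[2:])
        if allowed & {"telnet", "all"}:
            findings.append(f"line {name} permits Telnet (cleartext) via '{transport}'")
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"line {name} has no 'login', so no password is asked")
        elif "login" in cmds and not any(c.startswith("password ") for c in cmds):
            findings.append(f"line {name} uses 'login' but has no password set")
    return findings


# The same config with every vty restricted to SSH, as the SSH section configures it.
HARDENED_CONFIG = SAMPLE_RUNNING_CONFIG.replace("transport input telnet",
                                                "transport input ssh")

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_RUNNING_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_remote_access(cfg) or ["OK"])
```

Run on the sample, the only finding is the vty 0 4 range that still accepts Telnet; on the hardened copy the list is empty. The same parser can be pointed at a saved 'show running-config' from a lab device.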
6.12 Router password recovery
6.12.1 Configuration registers
The configuration register can be used to change the way the router boots.
Use the "config-register" command in global configuration mode or "confreg" in ROMMON mode.
For example:
()#config-register 0x2142
0x2102 – boot normally (default)
0x2120 – boot into ROMMON
0x2142 – ignore the contents of NVRAM (startup-config)
6.12.2 Password recovery
Step 1:
Press the break sequence (Ctrl+Break on a PC, Ctrl+Shift+C on a laptop) at power on to break into the ROMMON mode prompt:
Rommon 1>

Step 2:
Type the following command in ROMMON mode to ignore the startup-config at boot:
Rommon 1> confreg 0x2142
The startup-config is still there with the full configuration, including the unknown enable secret, but the router does not check it when it boots. Type the reset command to reload:
Rommon 1> reset
Step 3:
The router will boot up with no configuration. Type 'no' to bypass the setup wizard.
Enter enable mode. You will not be asked for the enable secret, as it is not in the running-config.
Step 4:
Copy the startup-config into the running-config:
# copy start run
Step 5:
Enter a new enable secret in global configuration mode to override the old one. It will go into the running-config.
()# enable secret cisco@123
Step 6:
Change the value of the configuration register from 0x2142 (which we set before the router restart) back to the original value, 0x2102, for a normal boot.
()# config-register 0x2102
Step 7:
Run the following command to save the running-config into the startup-config:
# copy run start
This will merge the new enable secret with the existing startup-config.
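The register values above are bit fields, and the recovery procedure is only safe if step 6 is really carried out. The following Python helper is an added example (not from the original notes, not a Cisco tool) that decodes the bits involved (boot field in bits 0-3, "ignore NVRAM" in bit 6, "Break disabled" in bit 8) and parses the last line of 'show version' to detect a router that would still ignore its startup-config at the next reload. The two 'show version' fragments are constructed for the example.

```python
import re

# Configuration-register bits used below (Cisco's documented layout):
BOOT_FIELD_MASK = 0x000F   # bits 0-3: 0x0 = stay in ROMMON, 0x1 = first image in flash, 0x2-0xF = normal boot
IGNORE_NVRAM = 0x0040      # bit 6: ignore the startup-config in NVRAM at boot
BREAK_DISABLED = 0x0100    # bit 8: ignore the Break key after boot


def decode_confreg(value):
    """Explain what a register value makes the router do at the next reload."""
    boot = value & BOOT_FIELD_MASK
    if boot == 0x0:
        boot_desc = "stay in ROMMON"
    elif boot == 0x1:
        boot_desc = "boot the first image in flash"
    else:
        boot_desc = "boot normally"
    return {
        "boot": boot_desc,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }


def parse_show_version_confreg(show_version_text):
    """Return (current, next_reload) register values from the last line of 'show version'."""
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)"
                  r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?", show_version_text)
    if not m:
        return None
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    return current, pending


def recovery_left_open(show_version_text):
    """True when the register that applies at the next reload still ignores NVRAM,
    i.e. step 6 (config-register 0x2102) was skipped.  A router in that state boots
    with a blank configuration, so every password and ACL on it is gone after a reload."""
    parsed = parse_show_version_confreg(show_version_text)
    if parsed is None:
        return False
    return decode_confreg(parsed[1])["ignore_nvram"]


# Constructed output fragments, shaped like the last line of 'show version'.
RECOVERED_OK = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
RECOVERY_INCOMPLETE = "Configuration register is 0x2142"

if __name__ == "__main__":
    for value in (0x2102, 0x2120, 0x2142):
        print(hex(value), decode_confreg(value))
    print("incomplete recovery:", recovery_left_open(RECOVERY_INCOMPLETE))
```

Checking the "will be ... at next reload" value rather than the current one matters: right after step 6 the running register is still 0x2142, and only the pending value shows that the fix was applied.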

7. Routing fundamentals
7.1 What is routing?
7.2 Router lookup process
A router has two main functions:
1. Determining the best paths to available networks.
2. Forwarding traffic to those networks.
When multiple routes match a destination, the one with the longest prefix (the most specific match) is selected.
When multiple equal-length routes exist for the same destination, all of them will be added to the routing table and traffic will be load-balanced between them.
Scenario for lab practice:

7.3 Analyzing routing table
The routing table is the collection of all the routes learned by the router. Routes can be:
- Directly connected routes (C)
- Static routes configured by the network admin (S)
- Dynamically learned routes using routing protocols (R, D, O, etc.)
The best available path or paths to a destination network are listed in the router's routing table and will be used for forwarding traffic.
7.4 Connected & local routes

8. Static routing
8.1 Concept
- Manually configured by the network admin.
- Only suitable for a small network.
- In bigger networks, it is a burden on the network admins, because every entry has to be added and/or deleted manually.
- It is, however, the fastest and safest type of routing.
8.2 Configuration
8.3 Floating static routes
If the best path to a destination is lost (for example because a link went down), it will be removed from the routing table and replaced with the next best route.
We might want to configure a static route as a backup for a route learned via a routing protocol.
The problem is that static routes have a default Administrative Distance of 1, which will always be preferred over routes learned via an IGP.
We can change the Administrative Distance of a static route to make it act as the backup (rather than the preferred) route.
Floating static route for OSPF (AD 110) example:
R4(config)#ip route 10.0.1.0 255.255.255.0 10.1.3.2 115
Floating static routes can also be used where we are using purely static routing:
ip route 10.0.1.0 255.255.255.0 10.1.1.2
ip route 10.0.1.0 255.255.255.0 10.1.3.2 5

9. Default routing
9.1 Concept
- It is a type of routing which is useful when the destination network is unknown to the router.
- In such cases, the router uses the default route and sends all traffic for unknown destinations to it.
- It can be seen as a special case of static routing.
9.2 Configuration
Router(config)# ip route (any destination) (any subnet mask) (next-hop ip address)
Router(config)# ip route 0.0.0.0 0.0.0.0 123.19.17.33
9.3 Practical applications
Customer routers need a default route to reach ISP networks.
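The lookup process of section 7.2, the floating static routes of section 8.3 and the default route above all come down to one selection rule, which the following Python model makes explicit. It is an added example, not part of the original notes and not how IOS is implemented: per prefix only the source with the lowest Administrative Distance is installed, equal routes are all installed and load-balanced, and a lookup takes the longest matching prefix, with 0.0.0.0/0 matching everything. The scenario reuses the addresses from the notes (10.0.1.0/24 via 10.1.1.2 and 10.1.3.2, default via 123.19.17.33); the remaining prefixes are constructed.

```python
import ipaddress

# Default administrative distances used in the notes: connected 0, static 1, OSPF 110.
DEFAULT_AD = {"C": 0, "S": 1, "O": 110}


class Router:
    """Minimal model of route selection: per prefix the lowest-AD source is installed,
    equal-AD routes are all installed (load balancing), and lookups use the longest prefix."""

    def __init__(self):
        self.candidates = []  # every route the router knows: (network, next_hop, code, ad)

    def learn(self, prefix, next_hop, code, ad=None):
        ad = DEFAULT_AD[code] if ad is None else ad
        self.candidates.append((ipaddress.ip_network(prefix), next_hop, code, ad))

    def withdraw(self, prefix, code):
        """Remove a route from one source, e.g. when OSPF loses the path."""
        net = ipaddress.ip_network(prefix)
        self.candidates = [r for r in self.candidates if not (r[0] == net and r[2] == code)]

    def routing_table(self):
        """Installed routes: for each prefix, only those with the lowest AD."""
        best_ad = {}
        for net, _, _, ad in self.candidates:
            best_ad[net] = min(ad, best_ad.get(net, ad))
        return [r for r in self.candidates if r[3] == best_ad[r[0]]]

    def lookup(self, destination):
        """Longest-prefix match; returns sorted (code, next_hop) pairs traffic is balanced over."""
        ip = ipaddress.ip_address(destination)
        matches = [r for r in self.routing_table() if ip in r[0]]
        if not matches:
            return []
        longest = max(r[0].prefixlen for r in matches)
        return sorted((r[2], r[1]) for r in matches if r[0].prefixlen == longest)


def build_example_router():
    """Constructed scenario built around the addresses used in the notes."""
    r = Router()
    r.learn("10.1.1.0/30", "connected", "C")
    r.learn("10.1.3.0/30", "connected", "C")
    r.learn("10.0.1.0/24", "10.1.1.2", "O")            # learned via OSPF (AD 110)
    r.learn("10.0.1.0/24", "10.1.3.2", "S", ad=115)    # floating static backup (115 > 110)
    r.learn("10.0.2.0/24", "10.1.1.2", "S")            # primary static, AD 1
    r.learn("10.0.2.0/24", "10.1.3.2", "S", ad=5)      # floating static in a pure-static design
    r.learn("172.16.0.0/16", "10.1.1.2", "O")          # two equal routes: load balanced
    r.learn("172.16.0.0/16", "10.1.3.2", "O")
    r.learn("172.16.5.0/24", "10.1.3.2", "O")          # more specific: wins the longest-prefix match
    r.learn("0.0.0.0/0", "123.19.17.33", "S")          # default route for everything else
    return r


if __name__ == "__main__":
    r = build_example_router()
    for dst in ("10.0.1.7", "172.16.9.1", "172.16.5.1", "8.8.8.8"):
        print(dst, "->", r.lookup(dst))
    r.withdraw("10.0.1.0/24", "O")          # OSPF path lost: the floating static takes over
    print("10.0.1.7 after OSPF loss ->", r.lookup("10.0.1.7"))
```

The withdraw call at the end is the situation section 8.3 describes: as soon as the AD 110 route disappears, the AD 115 static route becomes the best candidate for that prefix and is installed.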

10. Dynamic routing protocols
10.1 Working of routing protocols
- When a routing protocol is used, routers automatically advertise their best paths to known networks to each other.
- Routers use this information to determine their own best path to the known destinations.
- When the state of the network changes, such as a link going down or a new subnet being added, the routers update each other.
- Routers automatically calculate a new best path and update the routing table when the network changes.
10.2 Dynamic V/S static routing
Routing protocols are more scalable than administrator-defined static routes.
Using purely static routes is only feasible in very small environments.
10.3 Advantages of dynamic routing
- The routers automatically advertise available subnets to each other without the administrator having to manually enter every route on every router.
- If a subnet is added or removed, the routers automatically discover that and update their routing tables.
- If the best path to a subnet goes down, routers automatically discover that and calculate a new best path if one is available.
- Using a combination of a dynamic routing protocol and static routes is very common in real-world environments.
- In this case the routing protocol carries the bulk of the network information.
- Static routes can also be used on an as-needed basis, for example for backup purposes or for a static route to the Internet (which is typically injected into the dynamic routing protocol and advertised to the rest of the routers; this is discussed in the NAT chapter).

11. Types of routing protocols
11.1 Protocol types – IGP V/S EGP
Routing protocols can be split into two main types:
- Interior gateway protocols (IGPs)
- Exterior gateway protocols (EGPs)
Interior gateway protocols are used for routing within an organisation.
Exterior gateway protocols are used for routing between organisations over the Internet.
The only EGP in use today is BGP (Border Gateway Protocol).
11.2 IGP v/s EGP
Interior gateway protocols can be split into two main types:
1. Distance Vector routing protocols
2. Link State routing protocols
11.3 Distance vector protocols
In Distance Vector protocols, each router sends its directly connected neighbors a list of all its known networks along with its own distance to each of those networks. Distance vector routing protocols do not advertise the entire network topology.
A router only knows its directly connected neighbors and the lists of networks those neighbors have advertised. It does not have detailed topology information beyond its directly connected neighbors.

Distance Vector routing protocols are often called "Routing by Rumor".
11.4 Link state protocols
All of the IGPs do the same job, which is to advertise routes within an organization and determine the best path or paths.
An organization will typically pick one of the IGPs.
If an organization has multiple IGPs in effect (for example because of a merger), information can be redistributed between them. This should generally be avoided if possible.
Link state routing protocols are also known as "Intelligent Routing".

12. OSPF
12.1 Introduction
• O – Open & SPF – Shortest Path First
• IEEE developed this open protocol, which works on the Shortest Path First (SPF) algorithm and supports the biggest possible networks.
• OSPF is a link state protocol.
• The metric of OSPF is "Cost".
• Cost formula of OSPF: Cost = 10^8 / Bandwidth
• AD value = 110
• OSPF works on the Dijkstra algorithm.
• OSPF normally uses 224.0.0.5 as its multicast IP.
• OSPF creates and maintains all three tables:
- Routing table (#show ip route)
- Topology table (#show ip ospf database)
- Neighbour table (#show ip ospf neighbor)
• Timers of OSPF:
- Hello timer - 10 secs
- Dead interval/Flush timer - 40 secs
12.2 Link state concept
12.2.1 Explanation of link-state concept – why?
A major drawback of distance vector protocols is that they not only send routing updates at a regularly scheduled time, but these routing updates contain the full routing table for that protocol.
If the sending router knows of more than 25 RIP routes, the update will require multiple packets, since a RIP update packet contains a maximum of 25 routes.
This takes up valuable bandwidth and puts an unnecessary drain on the receiving router's CPU and memory.

12.2.2 Explanation of link-state concept – how?


Link state protocols do not exchange routes and metrics. Link-state protocols exchange just
that — the state of their links, and the cost associated with those links. As these Link State
Advertisements (LSAs) arrive from OSPF neighbors, the router performs a series of
computations on these LSAs, giving the router a complete picture of the network.
This series of computations is known as the Shortest Path First (SPF) algorithm, also referred
to as the Dijkstra algorithm.
12.2.3 Explanation of link-state concept…

Once the OSPF network has reached a state of convergence, the routers have synchronized
link state databases. The beauty of the Dijkstra algorithm is that recalculation of routes due
to a network change is so fast that routing loops literally have no time to form.
12.2.4 Explanation of link-state concept – what?

This exchange of LSAs between neighbors helps bring about one major advantage of link
state protocols - all routers in the network will have a similar view of the overall network.
In comparison to RIP updates (every 30 seconds!), OSPF LSAs aren't sent out all that often —
they're flooded when there's an actual change in the network, and each LSA is refreshed
every 30 minutes.

Before any LSA exchange can begin, a neighbor relationship must be formed. Neighbors
must be discovered and form an adjacency, after which LSAs will be exchanged.
12.2.5 Here's a live OSPF database

12.2.6 Here is the routing table made using LSDBs

12.2.7 LSA sequence numbers – why?
To ensure that OSPF routers have the most recent information possible in their database, the LSAs are assigned sequence numbers.
When an OSPF-enabled router receives an LSA, that router checks its OSPF database for any pre-existing entries for that link.
If there is an entry for the link, the sequence numbers come into play:
12.2.8 LSA sequence numbers – how?
Sequence number is the same: the LSA is ignored; no additional action is taken.
Sequence number is lower: the router ignores the update and transmits an LSU containing its own, newer LSA back to the original sender. Basically, the router with the most recent information is telling the original sender "Hey, you sent me old info. Here's the latest info on that link."
Sequence number is higher: the router adds the LSA to its database and sends an LSAck (link-state acknowledgement) back to the original sender. The router floods the LSA and updates its own routing table by running the SPF algorithm against the now-updated database.
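The three sequence-number cases above and the SPF run that follows an install can be put together in a few dozen lines. The following Python model is an added example, not from the original notes and not OSPF's real packet handling: each router LSA lists a router's links with their cost, receive_lsa applies the same/lower/higher rule, and spf runs Dijkstra over the link-state database to produce the routing table (cost and next hop per destination). The four-router topology and its costs are constructed; for brevity R1 "receives" its own LSA instead of originating it.

```python
import heapq


class OspfRouter:
    """Simplified single-area link-state router: the LSDB holds one router LSA per
    originating router, listing its links as (neighbor_id, cost) pairs."""

    def __init__(self, rid):
        self.rid = rid
        self.lsdb = {}       # origin router-id -> (sequence number, links)
        self.spf_runs = 0

    def receive_lsa(self, origin, seq, links):
        """Apply the three sequence-number cases; returns the action taken."""
        if origin in self.lsdb:
            have_seq, have_links = self.lsdb[origin]
            if seq == have_seq:
                return ("ignore", None)
            if seq < have_seq:
                # Sender has stale data: answer with our newer copy (an LSU carrying that LSA).
                return ("send-newer", (origin, have_seq, have_links))
        self.lsdb[origin] = (seq, list(links))
        self.spf_runs += 1       # install, LSAck, flood, then rerun SPF
        return ("install-ack-flood", None)

    def spf(self):
        """Dijkstra from this router over the LSDB: {router-id: (total cost, next hop)}."""
        dist = {self.rid: (0, None)}
        heap = [(0, self.rid)]
        while heap:
            cost, node = heapq.heappop(heap)
            if cost > dist[node][0]:
                continue                      # stale heap entry
            for nbr, link_cost in self.lsdb.get(node, (0, []))[1]:
                new_cost = cost + link_cost
                hop = nbr if node == self.rid else dist[node][1]
                if nbr not in dist or new_cost < dist[nbr][0]:
                    dist[nbr] = (new_cost, hop)
                    heapq.heappush(heap, (new_cost, nbr))
        return dist


def build_example():
    """Constructed four-router topology; costs are link costs as OSPF would add them."""
    r1 = OspfRouter("R1")
    lsas = {
        "R1": [("R2", 1), ("R3", 10)],
        "R2": [("R1", 1), ("R3", 1), ("R4", 20)],
        "R3": [("R1", 10), ("R2", 1), ("R4", 1)],
        "R4": [("R2", 20), ("R3", 1)],
    }
    for origin, links in lsas.items():
        r1.receive_lsa(origin, 1, links)
    return r1


def fail_link_r2_r3(r1):
    """R2 and R3 each flood a newer LSA (sequence 2) without the failed link."""
    r1.receive_lsa("R2", 2, [("R1", 1), ("R4", 20)])
    r1.receive_lsa("R3", 2, [("R1", 10), ("R4", 1)])


if __name__ == "__main__":
    r1 = build_example()
    print("before failure:", r1.spf())
    print("stale LSA ->", r1.receive_lsa("R2", 0, [])[0])
    fail_link_r2_r3(r1)
    print("after failure: ", r1.spf(), "SPF runs:", r1.spf_runs)
```

Before the failure R1 reaches R4 at cost 3 via R2 (R1-R2-R3-R4); after R2 and R3 withdraw their shared link, the database changes, SPF reruns, and the path becomes R1-R3-R4 at cost 11. The "send-newer" case is what stops an out-of-date router from reintroducing a dead link.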
12.3 Process-ID
OSPF needs a 16-bit ID known as the "Process ID" to start its process.
Total values: 2^16 = 65536
0 - Not used
1 - 65535 -> Usable range
• The Process ID can be the same or different on each router. This ID is local to the router only; it is not sent to other routers in the hello packet and it is not matched during the OSPF neighborship formation process.
• Multiple OSPF processes can run on a single router, and routes are not exchanged between such processes by default.
12.4 Wildcard mask concept
In simple words, it is the opposite of the subnet mask.
In a subnet mask, the network part is given importance and the host part is ignored. So, the network part is represented by 1s and the host part by 0s.
But in a wildcard mask, the host part is given importance and the network part is ignored.
So, the network part is represented by 0s and the host part by 1s.
12.4.1 How to calculate a wildcard mask?
So, the wildcard mask for class A: 00000000.11111111.11111111.11111111 => 0.255.255.255
Class B => 0.0.255.255

Class C => 0.0.0.255
For 255.255.254.0 it will be 0.0.1.255
Wildcard mask = Total subnet mask – Given subnet mask
Class C:    255.255.255.255
          - 255.255.255.  0
          -----------------
              0.  0.  0.255
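The subtraction above, the "0 = must match, 1 = don't care" meaning of the bits, and the way a wildcard ends up in an OSPF network statement, as an added Python example (not from the original notes and not a Cisco tool). wildcard_from_mask performs the octet-by-octet subtraction; wildcard_from_prefixlen gets the same answer from the standard library; wildcard_match applies the mask the way the router does; ospf_network_statement generalises section 12.7 by deriving the network statement from an interface address. The addresses are constructed.

```python
import ipaddress


def wildcard_from_mask(mask):
    """The subtraction from the notes: 255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def wildcard_from_prefixlen(prefixlen):
    """Same result from a /n prefix length, via the standard library's hostmask."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").hostmask)


def wildcard_match(address, network, wildcard):
    """True when every bit that is 0 in the wildcard matches (1 bits are 'don't care')."""
    a = int(ipaddress.ip_address(address))
    n = int(ipaddress.ip_address(network))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def ospf_network_statement(interface_address, area):
    """Build the 'network <id> <wildcard> area <n>' line covering an interface such as 192.168.10.1/24."""
    net = ipaddress.ip_interface(interface_address).network
    return f"network {net.network_address} {net.hostmask} area {area}"


if __name__ == "__main__":
    for mask in ("255.0.0.0", "255.255.0.0", "255.255.255.0", "255.255.254.0"):
        print(mask, "->", wildcard_from_mask(mask))
    print(ospf_network_statement("10.1.2.5/23", 10))
    print(wildcard_match("172.19.5.7", "172.19.0.0", "0.0.255.255"),
          wildcard_match("172.20.5.7", "172.19.0.0", "0.0.255.255"))
```

The same wildcard_match logic is what an access-list entry applies to a packet, so it is worth keeping in mind for the ACL part of chapter 13.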
12.5 Area concept
OSPF uses a 2-level hierarchical approach in its network, based on areas.
As discussed in earlier slides, OSPF can support a large network. But if there are hundreds or thousands of routers in an OSPF network, it would be a tough, practically impossible job for a router to handle all the routes of all these routers. It would require a great amount of RAM and CPU processing, which means massive-capacity core routers would have to be used everywhere, which in turn is a cost burden for the organization.
So, to solve this problem, OSPF uses the area concept.
12.5.1 Area ID
A single, bigger OSPF network topology is divided into multiple smaller parts known as areas.
• A router in a particular area only needs to handle the routes of its own area.
• To identify these areas, we have a number representation:
- Area is a 32-bit ID.
- So, total areas = 2^32
- But areas from 0 to 255 are commonly used.
• There can be an unlimited number of routers in a single OSPF area.
• But the Cisco-suggested value is 50.
12.5.2 Concept of backbone area
OSPF areas allow us to build a hierarchy into our network, where we have a "backbone area" (Area 0), and expand the network from there. It means the routers of other areas should be connected to a router which has at least one of its interfaces in area 0.
This is the basis of the OSPF 2-level hierarchy: area 0 and all other areas.
This is the reason area 0 is known as the "Backbone Area".

12.6 OSPF Packet types
12.6.1 OSPF hello packets
Hello packets are the "heartbeats" of OSPF.
OSPF-enabled interfaces send hello packets at regularly scheduled intervals.
Hello packets perform two main tasks in OSPF:
1. OSPF Hellos allow neighbors to dynamically discover each other.
2. OSPF Hellos allow the neighbors to remind each other that they are still there, which means they're still neighbors!
12.7 Single area configuration

R1()#router ospf 10
network 192.168.10.0 0.0.0.255 area 0
network 172.19.0.0 0.0.255.255 area 0
exit
R2()#router ospf 10
network 192.168.10.0 0.0.0.255 area 0
network 10.0.0.0 0.255.255.255 area 0
exit
12.8 Neighborship conditions
12.9 Infinite state machines
This process can be verified by using the following command:
#debug ip ospf adj
Command to see the states:
#show ip ospf neighbor

12.10 Multi-area configuration

R1()#router ospf 10
network 10.0.0.0 0.255.255.255 area 10
network 30.0.0.0 0.255.255.255 area 10
exit
R2()#router ospf 10
network 10.0.0.0 0.255.255.255 area 10
network 20.0.0.0 0.255.255.255 area 10
exit
R3()#router ospf 10
network 30.0.0.0 0.255.255.255 area 10
network 40.0.0.0 0.255.255.255 area 10
exit
R4()#router ospf 10
network 40.0.0.0 0.255.255.255 area 10
network 20.0.0.0 0.255.255.255 area 10
network 172.16.0.0 0.0.255.255 area 0
network 172.17.0.0 0.0.255.255 area 0

12.11 OSPF Router types
1. Internal Router (IR)
• Routers which are part of a single area.
• This means all of the interfaces of the router are in just one area.
2. Area Border Router (ABR)
• Routers which are part of more than one area.
• Routers with interfaces in more than one area.
• This means they are at the border of more than one area.
• Ideally, a router should not be part of more than 3 areas, including area 0.
3. Backbone Router (BR)
• An area border router which is also part of the backbone area.
• All BRs are ABRs, but not all ABRs are BRs.
4. Autonomous System Boundary/Border Router (ASBR)
• Routers which are at the border of an autonomous system.
• This means these are the routers at the border of a company; they connect the internal networks of one AS with the external network of another AS.
• They are the routers where redistribution is done.
12.12 OSPF Network types
1. Point to Point (Serial links)
2. Point to Multipoint (Wireless Internet)
3. Broadcast multi-access (Ethernet networks)
4. Non-broadcast multi-access (Frame relay links)
12.13 Concept of DR & BDR
If all routers in an OSPF network had to form adjacencies with every other router, and continued to exchange LSAs with every other router, a large amount of bandwidth would be used any time a router flooded a network topology change.
So, OSPF uses a designated router (DR) and a backup designated router (BDR) to handle adjacency changes in its segments.
There's no need to have all four routers flooding news of the same network change, so the router that detects the change will let the DR and BDR for this segment know, and in turn the DR will flood the change.

The Designated Router (DR) is the router that receives the LSAs from the other routers in the area, and then floods the LSA indicating the network change to all non-DR and non-BDR routers.
If the DR fails, the Backup Designated Router (BDR) takes its place. The BDR is promoted to DR and another election is held, this one to elect a new BDR.
Routers that are neither the DR nor the BDR for a given network segment are known as DROTHERs.
12.13.1 DR & BDR working principle
When a router on an OSPF segment with a DR and BDR detects a change in the network, the detecting router does not notify all of its neighbors.
The detecting router sends a multicast to 224.0.0.6, the All Designated Routers address, where both the DR and BDR will hear it.
The DR then sends a multicast to 224.0.0.5, the All OSPF Routers address, where every OSPF-speaking router on that segment will hear it.
The BDR updates its OSPF database in order to stay ready to step into the DR role if needed, but only the DR sends this multicast.
12.13.2 DR & BDR election process

Here's an overview of the DR/BDR election process:
• All router interfaces on the segment with an OSPF interface priority of 1 or greater are eligible to participate in the election.
• The router with the highest interface priority is elected DR.
• This process is repeated to elect a new BDR. A single router cannot be the DR and BDR for the same segment.
• Setting the interface priority to zero disqualifies that router from participating in the election.
12.13.3 What is router id or R-ID?
As we have seen, by default the priority is the same for all routers, which is 1. So, there is a tie between all the routers.
#show ip ospf neighbor
In such a scenario, the router ID comes into the picture and plays its role.
Router ID selection order:
1st priority – Manually configured R-ID
2nd priority – Highest IP on a loopback interface
3rd priority – Highest IP on a physical interface
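The router-ID selection order and the priority-then-router-ID election can be written down directly. The following Python functions are an added example, not from the original notes and not Cisco's implementation: router_id applies the three-step order (note that IPs must be compared numerically, not as strings, so 10.0.0.10 beats 10.0.0.9), and elect_dr_bdr performs a fresh election over a segment as the bullets describe (priority 0 excluded, highest priority wins, ties broken by highest router ID, runner-up becomes BDR). One caveat a practitioner should know: a live segment does not re-elect when a higher-priority router joins later. The router IDs and priorities are constructed.

```python
def _ip_key(ip):
    """Compare dotted-quad addresses numerically, so 10.0.0.10 > 10.0.0.9."""
    return tuple(int(octet) for octet in ip.split("."))


def router_id(manual=None, loopbacks=(), physical=()):
    """The three-step selection from the notes: manual router-id, then the highest
    loopback IP, then the highest physical-interface IP."""
    if manual:
        return manual
    if loopbacks:
        return max(loopbacks, key=_ip_key)
    if physical:
        return max(physical, key=_ip_key)
    return None


def elect_dr_bdr(segment):
    """segment: list of (router_id, interface priority).  Priority 0 is ineligible; the
    highest priority wins, ties are broken by the highest router ID, and the runner-up
    becomes BDR.  This is the fresh-election view from the notes; an established DR is
    not displaced when a better candidate appears later."""
    eligible = sorted(((prio, _ip_key(rid), rid) for rid, prio in segment if prio > 0),
                      reverse=True)
    dr = eligible[0][2] if eligible else None
    bdr = eligible[1][2] if len(eligible) > 1 else None
    return dr, bdr


if __name__ == "__main__":
    rids = {
        "A": router_id(loopbacks=["1.1.1.1"], physical=["192.168.10.1"]),
        "B": router_id(physical=["10.0.0.9", "10.0.0.10"]),
        "C": router_id(manual="3.3.3.3", loopbacks=["9.9.9.9"]),
    }
    print(rids)
    # All priorities equal (default 1): the tie goes to the highest router ID.
    print(elect_dr_bdr([(rids["A"], 1), (rids["B"], 1), (rids["C"], 1)]))
    # Raising one interface priority makes that router the DR regardless of router ID.
    print(elect_dr_bdr([(rids["A"], 200), (rids["B"], 1), (rids["C"], 1)]))
```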
12.13.4 How to manually configure router id?

12.13.5 How to configure loopback interface?
12.13.6 Why use loopback interface for R-ID?
Why use a loopback address for the OSPF RID instead of the physical interfaces?
• A physical interface can become unavailable in a number of ways (the actual hardware can go bad, the cable attached to the interface can come loose), but the only way for a loopback interface to be unavailable is for it to be manually deleted or for the entire router to go down.
• In turn, a loopback interface's higher level of stability and availability results in fewer SPF recalculations, which results in a more stable network overall.
Oddly enough, an interface does not have to be OSPF-enabled to have its IP address used as the OSPF RID — it just has to be "up" if it's a loopback, and physically "up" if it's a physical interface.
12.13.7 How to make particular routers DR & BDR?
It is possible by manually changing the priority of a router interface.

12.14 OSPF timers
The Hello timer defines how often OSPF Hello packets are multicast to 224.0.0.5, while the Dead timer is how long an OSPF router waits to hear a Hello from an existing neighbor. When the Dead timer expires, the adjacency is dropped.
The default dead time for OSPF is four times the hello time, which makes it 40 seconds for Ethernet links and 120 seconds for non-broadcast links.
The OSPF dead time adjusts dynamically if the hello time is changed. If you change the hello time to 15 seconds on an Ethernet interface, the dead time will then be 60 seconds.
12.14.1 How to change ospf timers on a link?
12.15 OSPF cost
If you have both Fast and Gigabit Ethernet interfaces in your OSPF network, you don't want those interfaces to have the same cost when one is much faster than the other.
You can change the "Reference Bandwidth" part of the formula with the auto-cost reference-bandwidth command.
If you have Gigabit Ethernet interfaces (or faster) in your network, you should use the auto-cost command to set the reference bandwidth at least as high as the bandwidth of the fastest interface in your OSPF network (and probably higher).
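Why Fast and Gigabit Ethernet end up with the same cost, and what the reference bandwidth changes, is easiest to see by evaluating the formula from section 12.1 (Cost = 10^8 / Bandwidth, i.e. a 100 Mbps reference) for a few interface speeds. The following Python is an added example, not from the original notes and not IOS code; it uses the IOS behaviour of truncating the division to an integer with a minimum of 1. The interface bandwidths are the standard nominal speeds; the path in path_cost is constructed.

```python
# Interface bandwidths (bits per second) used in the example; the notes give the formula
# Cost = 10^8 / Bandwidth, i.e. a reference bandwidth of 100 Mbps by default.
BANDWIDTH_BPS = {
    "Serial T1": 1_544_000,
    "FastEthernet": 100_000_000,
    "GigabitEthernet": 1_000_000_000,
    "TenGigabitEthernet": 10_000_000_000,
}


def ospf_cost(bandwidth_bps, reference_bandwidth_mbps=100):
    """IOS-style cost: reference bandwidth divided by interface bandwidth, truncated, minimum 1."""
    cost = (reference_bandwidth_mbps * 1_000_000) // bandwidth_bps
    return max(1, cost)


def interface_costs(reference_bandwidth_mbps=100):
    """Cost of every interface type in BANDWIDTH_BPS for a given reference bandwidth."""
    return {name: ospf_cost(bps, reference_bandwidth_mbps) for name, bps in BANDWIDTH_BPS.items()}


def reference_bandwidth_for(fastest_bps):
    """Smallest 'auto-cost reference-bandwidth' value (in Mbps) at which the fastest link
    still costs 1 while every slower link gets a distinct, higher cost."""
    return fastest_bps // 1_000_000


def path_cost(interface_names, reference_bandwidth_mbps=100):
    """OSPF adds the outgoing-interface cost of every hop along a path."""
    return sum(ospf_cost(BANDWIDTH_BPS[n], reference_bandwidth_mbps) for n in interface_names)


if __name__ == "__main__":
    print("default reference (100 Mbps):", interface_costs())
    print("auto-cost reference-bandwidth 10000:", interface_costs(10_000))
    print("reference needed for 10GE:", reference_bandwidth_for(BANDWIDTH_BPS["TenGigabitEthernet"]))
```

With the default reference, FastEthernet, Gigabit and 10 Gigabit all cost 1, so SPF cannot prefer the faster link; with the reference raised to 10000 they cost 100, 10 and 1. The reference bandwidth must be set identically on every router in the OSPF domain, otherwise routers disagree about path costs.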
12.15.1 How to change reference bandwidth in OSPF?

12.15.2 How to change cost of a link in OSPF?
Area types
Area type      Restriction
Normal         None
Stub           No Type 5 AS-external LSAs allowed
Totally Stub   No Type 3, 4 or 5 LSAs allowed, except the default summary route
NSSA           No Type 5 AS-external LSAs allowed, but Type 7 LSAs that convert to Type 5 at the NSSA ABR can traverse
LSA types
Type         Description
LSA Type 1   Router LSA
LSA Type 2   Network LSA
LSA Type 3   Summary LSA
LSA Type 4   Summary ASBR LSA
LSA Type 5   Autonomous system external LSA
LSA Type 6   Multicast OSPF LSA
LSA Type 7   Not-so-stubby area LSA
LSA Type 8   External attribute LSA for BGP

13. IP services
13.1 Need scenarios
These are the services that run on top of underlying IP networks.
It means that first we have devices connected in the network, and then we have connectivity between them using static or dynamic routing, depending on the type and size of the network.
Then these IP services run on top of that IP network.
Each service serves a different purpose. For example:
- DHCP provides dynamic IP address assignment
- NAT does the public-to-private and private-to-public IP conversion
- ACLs provide access security, and
- FHRP provides redundancy in the network.
13.2 Types of IP services
Following are some of the IP services discussed in this chapter:
1. DHCP: Dynamic Host Configuration Protocol
- Same network
- Different network (DHCP relay)
2. NAT: Network Address Translation
- Static
- Dynamic
- PAT
3. ACL: Access Control List
- Standard
- Extended
4. FHRP: First Hop Redundancy Protocol
- HSRP
- VRRP
- GLBP
5. NTP: Network Time Protocol

- Configuration
- Stratum levels
6. SNMP: Simple Network Management Protocol
- Concept
- Versions
7. Syslog: System Logging
- Concept
- Configuration
8. QoS: Quality of Service
- Concept
- Types
9. SSH: Secure Shell
- Already discussed in earlier videos with full explanation and configuration labs
10. FTP/TFTP: File Transfer Protocol/Trivial FTP
- Already discussed in earlier videos with full explanation and configuration labs
13.3 DHCP
Dynamic Host Configuration Protocol (DHCP):
- It is a dynamic/automatic method to assign IP addresses
- It provides not only IP addresses, but also:
- Subnet masks
- Gateways, and
- DNS
- Now, what is DNS?
- Domain Name Server: resolves a URL (website name) to an IP address and vice versa
- Works on UDP port 53
13.3.1 DHCP DORA process
To achieve DHCP service, a negotiation (Discover, Offer, Request, Acknowledge) takes place:

13.3.2 DHCP configuration

13.3.3 DHCP relay process
- What if the first router (the gateway) isn't a DHCP server?
- A "helper address" is configured, known as "DHCP relay"
- It redirects the broadcast message from the first gateway to the correct DHCP server.
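The DORA exchange of section 13.3.1 and the relay behaviour just described, as an added Python model (not from the original notes and not a Cisco implementation). A small DHCP server keeps one address pool per subnet; the relay function does what the helper address does, forwarding the client's broadcast to the server as a unicast and stamping the relay's interface address into the DHCP giaddr (relay agent address) field, which is how the server knows which pool the remote client belongs to. All addresses and MACs are constructed.

```python
import ipaddress


class DhcpServer:
    """Simplified DHCP server with one address pool per subnet.  The pool is chosen by the
    relay agent address (giaddr) of a relayed DISCOVER; giaddr 0.0.0.0 means the client is
    on the server's own segment."""

    def __init__(self, server_ip, pools):
        self.server_ip = ipaddress.ip_address(server_ip)
        self.pools = {}
        for subnet, options in pools.items():
            net = ipaddress.ip_network(subnet)
            reserved = {ipaddress.ip_address(options["gateway"]), self.server_ip}
            self.pools[net] = {"options": options,
                               "free": [ip for ip in net.hosts() if ip not in reserved]}
        self.leases = {}   # client MAC -> leased address

    def _pool_for(self, giaddr):
        probe = self.server_ip if giaddr == "0.0.0.0" else ipaddress.ip_address(giaddr)
        for net, pool in self.pools.items():
            if probe in net:
                return net, pool
        return None, None

    def handle(self, msg):
        """DISCOVER -> OFFER, REQUEST -> ACK; None when no pool matches the requester's subnet."""
        net, pool = self._pool_for(msg["giaddr"])
        if pool is None:
            return None
        reply = {"yiaddr": None, "mask": str(net.netmask), **pool["options"]}
        if msg["op"] == "DISCOVER":
            ip = self.leases[msg["mac"]] if msg["mac"] in self.leases else pool["free"][0]
            reply.update(op="OFFER", yiaddr=str(ip))
            return reply
        if msg["op"] == "REQUEST":
            ip = ipaddress.ip_address(msg["yiaddr"])
            if ip in pool["free"]:
                pool["free"].remove(ip)
            self.leases[msg["mac"]] = ip
            reply.update(op="ACK", yiaddr=str(ip))
            return reply
        return None


def relay(broadcast, relay_interface_ip):
    """What 'ip helper-address' does: forward the client's broadcast to the server as a
    unicast, stamping the receiving interface address into giaddr."""
    forwarded = dict(broadcast)
    forwarded["giaddr"] = relay_interface_ip
    return forwarded


def dora(server, mac, relay_ip=None):
    """Run Discover / Offer / Request / Acknowledge for one client; returns the ACK (or None)."""
    discover = {"op": "DISCOVER", "mac": mac, "giaddr": "0.0.0.0"}
    if relay_ip:
        discover = relay(discover, relay_ip)
    offer = server.handle(discover)
    if offer is None:
        return None
    request = {"op": "REQUEST", "mac": mac, "giaddr": discover["giaddr"], "yiaddr": offer["yiaddr"]}
    return server.handle(request)


def build_example_server():
    """Constructed addressing: the server sits on 192.168.10.0/24 and also serves the
    remote 192.168.20.0/24 segment through a relay."""
    return DhcpServer("192.168.10.1", {
        "192.168.10.0/24": {"gateway": "192.168.10.1", "dns": "192.168.10.53"},
        "192.168.20.0/24": {"gateway": "192.168.20.1", "dns": "192.168.10.53"},
    })


if __name__ == "__main__":
    srv = build_example_server()
    print("local client:  ", dora(srv, "aa:bb:cc:00:00:01"))
    print("relayed client:", dora(srv, "aa:bb:cc:00:00:02", relay_ip="192.168.20.1"))
    print("unknown subnet:", dora(srv, "aa:bb:cc:00:00:03", relay_ip="172.16.0.1"))
```

The last call shows the failure mode of a misconfigured helper address: if the relay's interface address does not fall inside any pool, the server has nothing to offer and the client never gets past DISCOVER.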
13.3.4 DHCP relay configuration
13.2 FHRP (HSRP, VRRP & GLBP)
13.2.1 Network design scenarios
Normal network designs

Network design with redundancy
13.2.2 Introduction to FHRP
First Hop Redundancy Protocol (FHRP)
- What if the gateway goes down?
- A redundant gateway must be there
- But how to redirect the requests from one to another?
- How many backups can there be?
- What protocols will do this?
13.2.3 Hot-Standby Redundancy Protocol (HSRP)
- Cisco only
- 2 gateways
- No load balancing

13.2.4 HSRP configuration
R1(config)# interface fa0/0
R1(config-if)# standby ip 192.168.10.111
R1(config-if)# standby priority 200
R1(config-if)# standby preempt
Run the same commands on both of the routers.
13.2.5 Introduction to VRRP & GLBP
Virtual Router Redundancy Protocol (VRRP):
- Open standard - 2 gateways - No load balancing
Gateway Load Balancing Protocol (GLBP):
- Cisco only - 4 gateways - Load balancing

13.3 NAT
13.3.1 Introduction
- Private IP addresses are not routed on the Internet
- Public IP addresses can't be assigned to private devices
- NAT translates private to public and vice versa
Note that NAT is done ONLY by routers, not by switches and not by multilayer switches.
13.3.2 NAT types
1. Static
One-to-one translation
2. Dynamic
Group-to-group translation. This did not solve everything; IP exhaustion was still there, so here comes:
3. PAT (Port Address Translation), or NAT Overload
PAT does a one-to-65535 translation (one public IP address, many source ports)
13.3.3 NAT terminology
Inside – client side (our side)
Outside – server side (their side)
Local – private (of LAN)

Global – public (of WAN)
Inside local – private IP address of the client side
Inside global – public IP address of the client side
Outside local – private IP address of the server side
Outside global – public IP address of the server side
13.3.4 NAT configuration
Static NAT configuration
It is a simple 1-step process: assign a public IP to each private server (or any device that you want to make reachable from outside)
Router(config)# ip nat inside source static (private ip address) (public ip address)
Router(config)# ip nat inside source static 192.168.10.10 171.23.19.3
Router(config)# ip nat inside source static 192.168.10.20 171.23.19.4
How to verify NAT operations?
Use the following command:
#show ip nat translations
Dynamic NAT configuration
It is a 4-step process:
Step 1:
Assign the interfaces their inside/outside status.

Router(config)# interface fa0/0


Router(config)# ip nat inside
Router(config)# interface se2/0
Router(config)# ip nat outside
Step 2:
Create an ACL and allow all internal private networks.
Router(config)# access-list 10 permit 10.0.0.0 0.255.255.255
Router(config)# access-list 10 permit 192.168.10.0 0.0.0.255
Step 3:
Create a NAT pool of all available public ip addresses.
Router(config)# ip nat pool testnat 171.23.19.5 171.23.19.254 netmask 255.255.255.0
Step 4:
Run the commands of dynamic NAT.
Router(config)# ip nat inside source list 10 pool testnat
Dynamic overload/pat configuration
It is a 3 step process:
Step 1:
Assign the interfaces in/out status.
Router(config)# interface fa0/0
Router(config)# ip nat inside
Router(config)# interface se2/0
Router(config)# ip nat outside
Step 2:
Create an ACL and allow all internal private networks.
Router(config)# access-list 10 permit 10.0.0.0 0.255.255.255
Router(config)# access-list 10 permit 192.168.10.0 0.0.0.255
Step 3:
Run the commands of dynamic overload/PAT
Router(config)# ip nat inside source list 10 interface se2/0 overload
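As an added example (not from the notes), the following Python model shows what the overload command above builds in the router: a PAT table that maps each client's inside local address and port to the single inside global address with a translated port, and maps return traffic back only when it matches an existing entry (unsolicited packets to the public address have no mapping). The PatTable class, the server address 203.0.113.5 and the client addresses are constructed; 171.23.19.3 is the public address from the static NAT commands above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Translation:
    """One row of the PAT table, named with the NAT terminology from the notes."""
    proto: str
    inside_local: Tuple[str, int]     # private address:port of our client
    inside_global: Tuple[str, int]    # public address:translated port presented outside
    outside_global: Tuple[str, int]   # public address:port of the server

class PatTable:
    """Models 'ip nat inside source list ... interface ... overload' (constructed model):
    every inside host shares one public address and is told apart by the source port."""
    PORT_RANGE = range(1024, 65536)   # translated ports handed out by this example

    def __init__(self, inside_global_ip: str):
        self.inside_global_ip = inside_global_ip
        self._out: Dict[Tuple[str, str, int, str, int], Translation] = {}
        self._in: Dict[Tuple[str, int, str, int], Translation] = {}
        self._used_ports: Set[int] = set()

    def _allocate_port(self, preferred: int) -> int:
        # Keep the client's own source port when it is still free, else the lowest free one.
        if preferred in self.PORT_RANGE and preferred not in self._used_ports:
            return preferred
        for port in self.PORT_RANGE:
            if port not in self._used_ports:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def outbound(self, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Inside -> outside: create or reuse the entry, return the translated source."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        entry = self._out.get(key)
        if entry is None:
            port = self._allocate_port(src_port)
            self._used_ports.add(port)
            entry = Translation(proto, (src_ip, src_port),
                                (self.inside_global_ip, port), (dst_ip, dst_port))
            self._out[key] = entry
            # Reverse index keyed by what the reply will carry: our port, server ip:port
            self._in[(proto, port, dst_ip, dst_port)] = entry
        return entry.inside_global

    def inbound(self, proto: str, src_ip: str, src_port: int,
                dst_port: int) -> Optional[Tuple[str, int]]:
        """Outside -> inside: a reply is forwarded only if it matches an existing entry."""
        entry = self._in.get((proto, dst_port, src_ip, src_port))
        return None if entry is None else entry.inside_local

    def show(self) -> List[Tuple[str, str, str, str]]:
        """Rows in the spirit of 'show ip nat translations'."""
        return [(t.proto,
                 f"{t.inside_global[0]}:{t.inside_global[1]}",
                 f"{t.inside_local[0]}:{t.inside_local[1]}",
                 f"{t.outside_global[0]}:{t.outside_global[1]}")
                for t in self._out.values()]

if __name__ == "__main__":
    pat = PatTable("171.23.19.3")
    # Two inside clients happen to pick the same source port towards the same server.
    pat.outbound("tcp", "192.168.10.10", 50000, "203.0.113.5", 443)
    pat.outbound("tcp", "192.168.10.20", 50000, "203.0.113.5", 443)
    for row in pat.show():
        print(*row)
    print(pat.inbound("tcp", "203.0.113.5", 443, 1024))   # reply for the second client
    print(pat.inbound("tcp", "203.0.113.5", 443, 2222))   # no entry: dropped (None)
```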

13.4 NTP
13.4.1 Introduction
NTP is used to synchronize the date and time settings on all the devices in the network.
- All devices have to stay synchronized
- It gives precise information, with the real time and date
- Either by setting an internal clock manually, or
- By asking someone (an NTP server) to inform us about the time
- Uses UDP port 123
13.4.2 Stratum levels
Each network device can be either a server or a client.
- Stratum is needed to show:
- How preferred and accurate this source is
- Starts from 0 up to 15
- The closer to the reference clock, the better
- By default: a Cisco router = 8

The NTP Stratum model is a representation of the hierarchy of time servers in an NTP
network, where the Stratum level (0-15) indicates the device's distance to the reference
clock.
For example:
Stratum 0 serves as a reference clock and is the most accurate and highest precision time
server (e.g., atomic clocks, GPS clocks, and radio clocks.)
Stratum 1 servers take their time from Stratum 0 servers and so on up to Stratum 15.
Stratum 16 clocks are not synchronized to any source.
The upper limit for stratum is 15; stratum 16 is used to indicate that a device is
unsynchronized.
13.4.3 Configuration
R1(config)#ntp server (ip address of ntp server)

13.5 SNMP
13.5.1 Introduction
SNMP is used to monitor all the devices in a network from a central point of surveillance.

- Monitor networks from a single point of view
- Server/Agent relationship
- Uses UDP port 161
- The server is the requester (and recorder)
At the agent side:
- MIB Object (The Factory)
- Agent (The Messenger)
13.5.2 SNMP versions
- V1: obsolete
- V2: enhanced
- V3: supports Authentication & Encryption

13.6 Syslog
13.6.1 Introduction
A Syslog server is used to store all the messages generated by all the devices in the network at
a centralized location.
- It is aware of "everything" happening in the network
- It knows all that is happening behind the scenes (or even in front of them)
- Messages range from the obvious information up to "Emergency"
- Server/Client relationship
13.6.2 Syslog server types
- Server can be a Normal Server that collects all the loggings
- Server can use the "Syslog" or "Splunk" or “Kiwi” software
- Client is the networking device that generates logs
Quote: "Every Awesome Cisco Engineer Will Need Ice-Cream Daily"
13.6.3 Syslog message types
Syslog messages have severity levels from 0 to 7
- 0 means most critical, needs immediate action
- 7 means least critical, just informational messages
- 0 – Emergency

- 1 – Alert
- 2 – Critical
- 3 – Error
- 4 – Warning
- 5 – Notifications
- 6 – Information
- 7 – Debugging
- "Every Awesome Cisco Engineer Will Need Ice-Cream Daily"
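As an added example (not from the notes), this Python parser pulls the facility, severity and mnemonic out of Cisco IOS syslog lines and keeps only the messages at or above a chosen severity, which is what a Syslog/Splunk/Kiwi collector does before alerting. The regex, the sample log lines and the filter function are this example's own constructions, not captured from a real device.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Severity names exactly as listed in the notes (0 = most critical, 7 = least critical).
SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notifications", 6: "Information", 7: "Debugging",
}

# IOS messages carry a %FACILITY-SEVERITY-MNEMONIC: header, optionally preceded by a
# sequence number and a timestamp. The pattern is this example's own construction.
IOS_MSG = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"                                  # optional sequence number
    r"(?:\*?(?P<ts>[A-Z][a-z]{2}\s+\d+\s[\d:.]+):\s+)?"        # optional timestamp
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)

@dataclass
class SyslogEvent:
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

def parse_ios_syslog(line: str) -> Optional[SyslogEvent]:
    """Return a SyslogEvent for a well-formed IOS message, or None for anything else."""
    m = IOS_MSG.match(line.strip())
    if not m:
        return None
    return SyslogEvent(m["facility"], int(m["severity"]), m["mnemonic"], m["text"])

def filter_at_or_above(lines: Iterable[str], max_severity: int) -> List[SyslogEvent]:
    """Keep events whose numeric severity is <= max_severity, i.e. at least that serious."""
    events = (parse_ios_syslog(line) for line in lines)
    return [e for e in events if e is not None and e.severity <= max_severity]

# Constructed sample lines in IOS format (not from a real device).
SAMPLE_LOG = [
    "000045: *Mar  1 00:12:31.115: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "000046: *Mar  1 00:12:32.119: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "000047: *Mar  1 00:13:02.004: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "000048: *Mar  1 00:13:40.777: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/1 with BPDU Guard enabled. Disabling port.",
    "this line is not an IOS syslog message",
]

if __name__ == "__main__":
    # Everything at Error (3) or more serious, i.e. the "Every Awesome Cisco Engineer" end of the scale
    for ev in filter_at_or_above(SAMPLE_LOG, 3):
        print(f"{ev.severity} {ev.severity_name:<13} {ev.facility}-{ev.mnemonic}: {ev.text}")
```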

13.7 QoS
13.7.1 Introduction
Quality of Service, i.e. QoS, is used to prefer one type of traffic over another. It is also known
as “traffic engineering”.
- What if the traffic is more than the bandwidth?
- If congestion WILL happen:
Can some traffic be preferred over another?
Generally, UDP will be preferred over TCP (TCP will automatically do a retransmission).

QoS will prefer traffic based on a variety of factors, some of which are: Classification, Marking, Queuing,
Shaping, and Policing.
13.7.2 Classification and marking
Classifying the traffic according to its importance (Very High, High, Med, Low)
13.7.3 Queuing
Giving a specific priority to every type of packet (Giving the priority of "very high" to the
"UDP" traffic)
Dividing the Transmission capacity with respect to the priority (Giving 40% to the very high,
20% to the high, etc.)
13.7.4 Policing and shaping

- Policing is counting the traffic before transmitting it, and limiting it (e.g. limit the FTP
traffic to be transmitted at a maximum of only 2Mbps)
*counting the desired traffic, and dropping all that exceeds the limit
- Shaping limits the queued traffic to a certain amount of traffic, and whatever EXCEEDS it
waits in the queue.

14. Working of a switch


14.1 Introduction
The first such devices were called "Bridges" and had Bridge Tables.
Then Switches came, and they have MAC Tables.
- They learn MACs based on the device port
- They forward frames based on the MAC table
- They have a look-up engine
- They look up one frame only at a time (How fast?)
- They do scheduled frame forwarding
14.2 MAC address table – MAT
All switches have a hardware chip, known as an ASIC
ASIC – Application Specific Integrated Circuit
It stores all the MAC addresses learned by a switch.
(One of the differences between a bridge and a switch)
- Filled (learned) based on the source MAC (the dynamic entry)
- Decisions are taken based on the destination MAC

14.3 Aging time


How often – 300 seconds
What will happen if the destination MAC is unknown? "FLOODING"
14.4 Working of a switch
When a switch receives a frame for a particular destination, it will check for the destination
network-id.
There can be 2 possible scenarios:
- Destination network-id is the same as the source network-id, or
- It is different.
In case the source and destination network-ids are the same, the switch will check for the entry of the
destination MAC address in its MAC address table.

In such a case also, there are 2 possible scenarios:
- The switch has the entry of the destination MAC address in its MAC address table, or
- It doesn’t.
According to scenario 1, when the entry of the destination MAC address is found in its MAC
address table, then:
- The frame is simply forwarded out of the interface at which that MAC address is
stored (the port at which that particular destination device is connected).
But according to scenario 2, if the destination MAC address is not found in the MAC address
table of the switch, then:

The incoming frame will carry the following MAC address as its destination MAC
address: ffff.ffff.ffff - destination MAC address of the unknown frame

When the switch sees this destination MAC address, it will flood that frame out of all the
switch interfaces except the one where it came in. Then the device with the destination IP
address will reply to the switch with its own MAC address, which will be received and stored
by the switch for all further communication. Next time, there will be no flooding, only
unicast.
When the destination network-id is different from the source network-id, the switch will
check whether the default gateway address is configured or not.
Again, there are 2 possible scenarios.
- Default gateway is configured, or
- It is not.
If the default gateway is configured, then:

The frame will be forwarded out of the respective port which is connected to the gateway
device (by default a router) and the router will handle all further communication.
If the default gateway is not configured, then the frame will simply be dropped. This is basically
how a switch works.
14.5 Functions of a switch
Following are the 3 main functions of a switch:

1. Address learning
2. Frame forwarding
3. Loop prevention
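The three functions listed above, as an added Python simulation that is not from the notes: a source MAC is learned against its ingress port, a known destination goes out one port, an unknown or broadcast destination is flooded out of every other port, and entries older than the 300-second aging time are dropped. The port names, MAC addresses and timestamps are constructed for the example.

```python
from typing import Dict, List, Tuple

BROADCAST = "ffff.ffff.ffff"
AGING_SECONDS = 300          # default MAC table aging time from the notes

class Switch:
    """Constructed model of a switch's MAC address table (MAT) behaviour:
    address learning, frame forwarding (unicast or flood) and aging."""

    def __init__(self, ports: List[str]):
        self.ports = ports
        # mac -> (port it was learned on, time of the last frame seen from it)
        self.mac_table: Dict[str, Tuple[str, float]] = {}

    def age_out(self, now: float) -> None:
        """Remove dynamic entries not refreshed within the aging time."""
        stale = [mac for mac, (_, seen) in self.mac_table.items()
                 if now - seen > AGING_SECONDS]
        for mac in stale:
            del self.mac_table[mac]

    def receive(self, in_port: str, src_mac: str, dst_mac: str, now: float) -> List[str]:
        """Process one frame and return the list of ports it is sent out of."""
        self.age_out(now)
        # Address learning: the source MAC is recorded against the ingress port
        self.mac_table[src_mac] = (in_port, now)
        # Frame forwarding: known unicast goes out one port, unknown/broadcast is flooded
        entry = self.mac_table.get(dst_mac)
        if dst_mac != BROADCAST and entry is not None:
            out_port = entry[0]
            # A frame is never sent back out of the port it arrived on
            return [] if out_port == in_port else [out_port]
        return [port for port in self.ports if port != in_port]

if __name__ == "__main__":
    sw = Switch(["fa0/1", "fa0/2", "fa0/3"])
    print(sw.receive("fa0/1", "aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb", now=0.0))   # unknown: flood
    print(sw.receive("fa0/2", "bbbb.bbbb.bbbb", "aaaa.aaaa.aaaa", now=1.0))   # reply: unicast
    print(sw.receive("fa0/1", "aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb", now=2.0))   # learned: unicast
    print(sw.receive("fa0/3", "cccc.cccc.cccc", "bbbb.bbbb.bbbb", now=400.0)) # aged out: flood
```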

15. Vlan – virtual local area network


Approach to learning the VLAN concept
- Why use VLAN?
- What is VLAN?
- How to configure VLAN?
15.1 Broadcast domain
What is a broadcast domain?

- An area where all of the devices receive the same information at the same time.
The larger the size of the broadcast domain, the more broadcast traffic there will be.
- Broadcast traffic is always a challenge for all switched (L2) networks.
- The reason is wastage of bandwidth and uncontrolled/unmanaged traffic.
15.2 Why use VLAN?
Now; the question is:
- How to reduce the size of broadcast domain?
- How to reduce broadcasting traffic?
The answer to all of these questions is:
VLANs – virtual local area networks
15.3 What is VLAN?
It is a collection of the same type of:
- Devices
- Traffic, or
- Departments
VLANs are represented by a number which is known as VLAN ID.
Each VLAN is assigned a different/unique ID.
15.4 VLAN id
A VLAN ID is a 12-bit value.
It means a total of 4096 VLANs can be created in a switch.
0 = Not used
4096 = Not used

1 – 4094 = Usable VLANs


# show vlan
# show vlan brief
15.5 Types of VLAN
Default VLAN –
VLAN 1
- This is the VLAN which comes with every switch when it is purchased, as a feature of
its IOS.
- This is known as default VLAN because all switch ports are in this VLAN by default.
Normal VLANs –
VLANs from 1 to 1001
They are also known as Data VLANs.
Reserved VLANs –
VLANs from 1002 to 1005
These are also known as legacy VLANs.
Extended VLANs –
VLANs from 1006 to 4094
They are configured under VTP mode transparent.
Voice VLAN –
A dedicated VLAN for voice and video traffic.
It is a separate VLAN dedicated to the UDP traffic like voice and video calling.
It can be any VLAN ID.
Native VLAN –
VLAN 1 (By default)
It is a VLAN which requires no tagging.
By default, native VLAN is VLAN 1 but it can be changed on a trunk link.
15.6 How to configure VLANs
Switch(config)# vlan (vlan id) – ID is compulsory to assign
Switch(config-vlan)# name (name of the vlan) – it is optional
Switch(config)# vlan 10

Switch(config-vlan)# name HR
Remember:
Single VLAN – Single Network
Same VLAN – Same Network
Different VLAN – Different Network
How to add ports in a vlan?
For a single port:
Switch(config)# interface fa0/1
Switch(config-if)# switchport access vlan 10
For a range of ports:
Switch(config)# interface range fa0/2-5
Switch(config-if-range)# switchport access vlan 10
Lab – default vlan communication in a single switch

Lab – default vlan communication across switches

Lab – multiple vlan communication in a single switch

Lab – multiple vlan communication across switches

Lab – without default vlan configuration in a single switch

Lab – without default vlan configuration across switches

15.7 Types of switch ports


There are 2 types of ports a switch can have for VLANs:
- Access port
- Trunk port
1. Access port
- A port which is used to connect end devices like PC, Printer, Server etc.
- It is designated to carry the data of a single VLAN only.
- No tags will cross access ports.
2. Trunk port
- It is used to connect one switch with another switch using uplink ports.
- It is designated to carry the data of multiple VLANs over a single link.
Note:
Uplink port is a high speed port which is used for the interconnection of switches in a
network.
15.8 Trunking/Tagging concept
Trunking/tagging is used to add tags with all the frames passing through a switch.
- It is helpful in identifying different type of traffic.
- Each VLAN has its own tag which is attached to its frame.
- This process of adding tags to frames is known as Tagging.
- Technically it is known as Encapsulation.

Encapsulation/tagging types
- ISL : Inter Switch Link
CISCO proprietary
Obsolete
- DOT1Q
Open standard protocol
Popularly used in the industry, even by CISCO.
How to check/verify a trunk port
Note that a trunk port will not be shown in the “show vlan” or “show vlan brief” command.
The reason is it is not part of a single VLAN but part of multiple VLANs.
So, use the following commands to verify the configurations of a trunk link:
#show interface trunk
#show interfaces gig0/1 switchport
15.9 Operations on native VLAN
How to change the native VLAN of a trunk link
Switch(config)# interface gig0/1
Switch(config-if)# switchport trunk native vlan 50
Note: This same command should be run on both sides of the link.
15.10 Operations on trunk links
How to permit/deny VLANs on a trunk link
Switch(config)# interface gig0/1
Switch(config-if)# switchport trunk allowed vlan ?
WORD VLAN IDs of the allowed VLANs
add add VLANs to the current list
all all VLANs
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list
#show interface trunk
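As an added example (not from the notes), this Python code builds and strips the 802.1Q tag and models a trunk port with a native VLAN and an allowed-VLAN list, tying sections 15.8 to 15.10 together: the native VLAN leaves untagged, every other allowed VLAN leaves with a tag, and a VLAN not on the allowed list is dropped; on ingress an untagged frame is placed in the native VLAN. The frame bytes, MAC addresses and VLAN numbers are constructed.

```python
import struct
from typing import Optional, Set, Tuple

TPID_8021Q = 0x8100          # Ethertype value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the 12-byte destination/source MAC header."""
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must fit in 3 bits")
    tci = (pcp << 13) | vlan_id           # 3-bit PCP, 1-bit DEI (0 here), 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Return (VLAN ID or None if untagged, frame with the tag removed)."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, frame                 # no tag present: untagged frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]

def egress_trunk(frame: bytes, vlan_id: int, native_vlan: int,
                 allowed: Set[int]) -> Optional[bytes]:
    """Model a trunk port sending a frame that belongs to vlan_id.
    Not allowed -> dropped (None); native VLAN -> untagged; otherwise tagged."""
    if vlan_id not in allowed:
        return None
    if vlan_id == native_vlan:
        return frame
    return tag_frame(frame, vlan_id)

def ingress_trunk(wire_frame: bytes, native_vlan: int,
                  allowed: Set[int]) -> Tuple[Optional[int], Optional[bytes]]:
    """Model a trunk port receiving a frame: untagged frames are placed in the native
    VLAN, tagged frames in the VLAN of their tag; anything not allowed is dropped."""
    vid, frame = untag_frame(wire_frame)
    vlan_id = native_vlan if vid is None else vid
    if vlan_id not in allowed:
        return None, None
    return vlan_id, frame

# Constructed sample frame: broadcast destination, made-up source MAC, IPv4, dummy payload.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                + struct.pack("!H", ETHERTYPE_IPV4) + b"payload")

if __name__ == "__main__":
    allowed = {1, 10, 20}
    for vlan in (1, 10, 30):
        out = egress_trunk(SAMPLE_FRAME, vlan, native_vlan=1, allowed=allowed)
        print(vlan, "dropped" if out is None else out[12:16].hex())
    print(ingress_trunk(tag_frame(SAMPLE_FRAME, 10), 1, allowed)[0])   # 10
    print(ingress_trunk(SAMPLE_FRAME, 1, allowed)[0])                  # native VLAN 1
```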

16. VTP – vlan trunking protocol


16.1 Introduction
What is VTP?
• Suppose you are working in a large enterprise switched network where you are using
hundreds of switches.
• For each type of traffic, you will need separate VLANs.
• Now, these VLANs need to be created on all of the switches.
• Which is a really time consuming task for the network admins.
• So, CISCO came up with this solution: VTP – VLAN Trunking Protocol

What VTP basically does is copy the VLAN database from one switch (the switch with the higher
configuration revision number – will be discussed in the coming slides) and paste it across
all other switches in the network.
16.2 VTP conditions
There are 2 conditions that need to be satisfied to configure VTP:
1. All switches must be part of the same VTP domain
Switch1(config)# vtp domain cisco
Switch2(config)# vtp domain cisco
Switch3(config)# vtp domain cisco
2. All links between switches must be trunk links
#show vtp status
16.3 VTP configurations

16.4 VTP modes


VTP can be configured in 3 different modes:
1. Server mode
2. Client mode
3. Transparent mode
VTP mode server
1. Server mode
• VLANs can be created, deleted and modified in this mode.
• All switches are by default configured in VTP mode server.
• They synchronize their VLAN database with the switch of highest configuration
revision number.
SW1(config)# vtp mode server
VTP mode client
2. Client mode
• VLANs cannot be created, deleted or modified in this mode.
• They synchronize their VLAN database with the switch of highest configuration
revision number.
SW1(config)# vtp mode client
VTP mode transparent
3. Transparent mode
• VLANs can be created, deleted and modified in this mode, but the VLAN database of this
switch is not shared with any other switch in the network.
• It is only local to the switch on which it is configured.
• It doesn’t send or receive the VLAN database, but it can pass the VLAN database on to other
switches connected to it through trunk links.
SW1(config)# vtp mode transparent

17. Inter-VLAN routing


What is the concept of inter-VLAN routing?
• As we know, 2 different VLANs don’t communicate with each other directly.
• The reason is they use 2 separate networks and a switch by default has no capacity
to inter-connect different networks.
So, inter-VLAN routing is the concept of making communication possible between 2 different
networks using a layer 3 device, either a router or a layer 3 switch.
Inter-VLAN routing is recommended to be done using a router, and the method is known as the
“Router on a Stick” method.
(Why it is called “Router on a Stick” will be discussed in the coming slides)
17.1 Inter-VLAN routing using a router

How to configure inter-VLAN routing using a router?
• Create one link for each VLAN between the router and the switch.
• In this way, we will need as many links between router and switch as we have VLANs.
• It means, if we need to inter-communicate 3 different VLANs, we will need 3 links
between the router and the switch.
In the given diagram,
For VLAN 10 – use network 192.168.10.0
For VLAN 20 – use network 192.168.20.0
Router(config)# interface gig0/0

Router(config-if)# ip address 192.168.10.1 255.255.255.0
Router(config-if)# no shutdown
Router(config)# interface gig0/1
Router(config-if)# ip address 192.168.20.1 255.255.255.0
Router(config-if)# no shutdown
Now, use these ip addresses as gateway in the end devices for respective VLANs.
Inter-VLAN routing using a router – disadvantage
• We need one link per VLAN, which is not a practical solution.
• Because a router already has a small number of ports.
• And we can’t afford to waste router ports on this type of connectivity.
So, better inter-VLAN routing solutions have been developed, which are:
- Inter-VLAN routing using the “Router on a Stick” method, and
- Inter-VLAN routing using a “Switched Virtual Interface” on L3 switches.
17.2 Inter-VLAN using Router on a stick

The reason it is called “Router on a Stick” is that a single router is used to inter-connect
multiple VLANs.
It looks like the router is standing on a stick, or something like that.
How to configure inter-VLAN routing using the “router on a stick” method?
SW1 configurations:
- Configure the respective VLANs like 10, 20 and so on.

- Add the desired ports into the respective VLANs.
- Configure the link between the switch and the router as a trunk link.

vlan 10
name HR
vlan 20
name Sales
exit

interface fa0/1
switchport access vlan 10
interface fa0/2
switchport access vlan 20
exit

interface gig0/1
switchport mode trunk
exit

Router Configurations:
- No shut the interface connected to the switch.
- Create multiple sub-interfaces on the router’s physical interface, one per VLAN.
- Configure the encapsulation as “dot1q” and assign an IP address from a different network
on each VLAN.
- These IP addresses will now act as the default gateways for the devices in those
VLANs.

interface gig0/0
no shutdown
exit

interface gig0/0.1
encapsulation dot1q 10
ip address 192.168.10.1 255.255.255.0
interface gig0/0.2
encapsulation dot1q 20
ip address 192.168.20.1 255.255.255.0

17.3 SVI – switched virtual interface

How to configure inter-VLAN routing using an “SVI – switched virtual interface”?
L2 Switch Configuration:
- Configure the respective VLANs like 10, 20 and so on.
- Add the desired ports into the respective VLANs.
- Configure the link between the L2 switch and the L3 switch as a trunk link.

vlan 10
name HR
vlan 20
name Sales
exit

interface fa0/1
switchport access vlan 10
interface fa0/2
switchport access vlan 20
exit

interface gig0/1
switchport mode trunk
exit

L3 Switch Configuration:
- Configure the desired VLANs like 10, 20 and so on.
- Assign an IP address from a different network on each VLAN, using the VLANs as interfaces.
- These IP addresses will now act as the default gateways for the devices in those
VLANs.
- Make the link between the L3 switch and the L2 switch a trunk link.
- Run the following command to make the L3 switch work as a router:
ip routing

vlan 10
name HR
vlan 20
name Sales
exit

interface vlan 10
ip address 192.168.10.1 255.255.255.0
interface vlan 20
ip address 192.168.20.1 255.255.255.0
exit
Try this one!

18. STP
18.1 STP & loop conditions
It is a layer 2 protocol which was designed to prevent switching loops/broadcast storms.
It is enabled by default on CISCO switches.
IEEE standard – 802.1d
18.1.1 What is a loop in networking?
It is a phenomenon where a packet neither arrives at its destination nor gets dropped along
the path. It keeps on travelling in the network until it consumes all network resources and
brings the network down.
How does a loop occur in switched networks?
When switches are connected to each other in a linear way, there is no concern of loop
formation because a frame has only one path to reach from source to destination in the
switched network.

But when switches are connected to each other in a ring so that we have
backup/redundant links (as we know it is a must from the network design point of view, because
redundancy is a prime factor to be considered while designing a network), there will exist
multiple paths to reach from source to destination.
This will create a loop in the switched network.
18.1.2 Loop conditions
- Switches connected in a ring for redundancy
- Bad cabling (a cable between 2 ports of the same switch)

18.2 Function of STP


STP has one simple function in all the switches:
- Put the ports in blocking or forwarding state.

In case there are multiple links to the same destination, it blocks some ports based on the
network topology, so that no more than one path exists to reach the destination.
It blocks enough ports so that:
- There is no loop, and
- There is no loss of connectivity
18.2.1 Why use STP?
- To prevent loops in layer 2 switched networks
- To stop broadcast storms
- To control MAC table instability
18.2.2 STP convergence

As we know, a switch takes some time to bring its ports up. This phenomenon or behavior of
switch is defined by the term “STP convergence.”
It means STP takes a certain amount of time to understand the complete network topology
and to decide which ports to be put in blocking and which ports to be put in forwarding
state.
This is known as “STP Convergence Time.”

This time is typically from 30 to 50 seconds, depending upon the values of the STP timers. (Will
be discussed later)
18.2.3 Working of STP
STP works by selecting one of the switches as the main switch, which is known as the “Root
Bridge”. As a result, all of the frames in the network will now only pass
through the “Root Bridge”, and all redundant/backup paths will be put in blocking state.
So, there will be only one path to reach from source to destination.
Hence, there will be no loop. Simple, isn’t it?
18.2.4 Broadcast storm
To see the effect of a broadcast storm, run this command on all 3 switches to disable
spanning-tree protocol:
SW1(config)# no spanning-tree vlan 1

18.3 Root Bridge election process


A Root Bridge is elected on the basis of the following 2 parameters:
1. Priority
2. MAC address
Priority is the default parameter for the election of the “Root Bridge”. But, by default, the
priority value of all the switches is the same, which is 32768. (Actually it is 32768 + VLAN-ID)
So, here the MAC address comes into the picture: the switch with the lowest MAC address
will be the “Root Bridge”.
18.3.1 BPDU, B-ID & R-ID

As we know, STP is an automatic process. We need not do anything regarding it. STP
is enabled by default and will keep doing its function continuously.

Krishna [email protected] 972-7506874


120

As routing protocols use hello packets for their automatic route learning process, STP uses
BPDUs as its hello packets to send and receive information regarding the “Root Bridge”
election, port role decisions etc.

So, BPDUs are the hello packets of STP, sent every 2 seconds. The Root Bridge is
elected by the exchange of BPDUs.

Bridge-ID: (B-ID)
It is the combination of: Priority + Mac-Address
It is an 8 byte value: 2 Byte Priority + 6 Byte Mac address
Root-ID: (R-ID)
It is the Bridge-ID of Root Bridge.

Krishna [email protected] 972-7506874


121

Lab Verification
#show spanning-tree

18.3.2 STP operations


The following steps summarize the steady-state operation when nothing is currently
changing in the STP topology:
Step 1. The root creates and sends a Hello BPDU, with a root cost of 0, out all its working
interfaces (those in a forwarding state).
Step 2. The non-root switches receive the Hello on their root ports.

After changing the Hello to list their own BID as the sender’s BID and listing that switch’s
root cost, the switch forwards the Hello out all designated ports.
Step 3. Steps 1 and 2 repeat until something changes.
Each switch relies on these periodically received Hellos from the root as a way to know that
its path to the root is still working.
When a switch fails to receive a Hello, it knows a problem might be occurring in the
network.

When a switch ceases to receive the Hellos, or receives a Hello that lists different details,
something has failed, so the switch reacts and starts the process of changing the spanning-
tree topology.

Krishna [email protected] 972-7506874


122

18.4 STP port roles


# show spanning-tree
There are 3 types of ports in STP:
STP port roles selection – DP
1. Designated Port – is elected on the basis of the lower MAC address.
Note: All the ports of a “Root Bridge” are designated ports.
Or, we can say that a switch with ports other than designated can never be a “Root Bridge”.
STP port roles selection – RP
2. Root Port – is elected on the basis of the minimum cost of the links.
The port with the link of minimum cost is elected as the Root Port.
Note: There will be only 1 Root Port per switch.

Link Type           Cost
Ethernet            100
Fast Ethernet       19
Gigabit Ethernet    4
10 Gig              2
In case of a cost tie, the port towards the switch with the lowest MAC address is elected as the RP.
18.4.1 STP cost

- The cost is the sum of the costs of all the switch ports the frame would exit if it
flowed over that path.
- The switches also look at their neighbor’s root cost, as announced in Hello BPDUs
received from each neighbor.
Note that: The default cost values of links are based on the operating speed of the link, not
the maximum speed.
For example: If a 10/100/1000 port runs at 10 Mbps for some reason, its default STP cost on
a Cisco switch is 100, the default cost for an interface running at 10 Mbps.
STP cost – in case of tie breaker
Switches need a tiebreaker to use in case the best root cost ties for two or more paths.

Krishna [email protected] 972-7506874


123

If a tie occurs, the switch applies these three tiebreakers to the paths that tie, in order, as
follows:
1. Choose based on the Lowest neighbor Bridge ID
2. Choose based on the Lowest neighbor Port Priority
3. Choose based on the Lowest neighbor internal Port Number
NOTE: Two additional tiebreakers are needed in some cases, (although these would be
unlikely today).
A single switch can connect two or more interfaces to the same collision domain by
connecting to a hub.
So, if a switch ties with itself, two additional tiebreakers are used:
- The lowest interface STP/RSTP priority and, if that ties,
- The lowest internal interface number.
STP port roles selection – Altn (alternate/blocking)
3. Blocking Port – is elected on the basis of the higher MAC address on a link.
As we have studied, all redundant/backup links are put in blocking state by STP. This is
because one side of every backup link is elected as the blocking port. When one of the
main/functioning links goes down, the blocking port comes up and takes over the data transfer.
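As an added example (not from the notes), this Python code works through the election and Root Port selection described in 18.3 and 18.4: Bridge IDs are built from the priority field (priority + VLAN-ID, as the notes describe) and the MAC address, the lowest Bridge ID becomes the root, and every other switch picks its Root Port by lowest root cost, breaking ties in the order listed in 18.4.1 (neighbour Bridge ID, neighbour port priority, neighbour port number). The three switches, their MAC addresses and the links are constructed; port priority is left at its default of 128 everywhere.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Switch:
    name: str
    mac: str                  # dotted form as shown by "show spanning-tree"
    priority: int = 32768     # default; must be a multiple of 4096

@dataclass(frozen=True)
class Link:
    a: str                    # switch name on one end
    a_port: int               # that switch's internal port number
    b: str                    # switch name on the other end
    b_port: int
    speed_mbps: int           # speed the link actually runs at

# Classic STP port costs from the notes, keyed by the operating speed of the link.
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}
DEFAULT_PORT_PRIORITY = 128   # left at the default on every port in this example

def bridge_id(sw: Switch, vlan: int) -> int:
    """8-byte Bridge ID: 2-byte priority field (priority + VLAN-ID) then the 6-byte MAC."""
    if sw.priority % 4096 or not 0 <= sw.priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    mac = int(sw.mac.replace(".", "").replace(":", ""), 16)
    return ((sw.priority + vlan) << 48) | mac

def elect_root(switches: List[Switch], vlan: int) -> Switch:
    """Lowest Bridge ID wins: lowest priority first, lowest MAC as the tiebreaker."""
    return min(switches, key=lambda s: bridge_id(s, vlan))

def root_ports(switches: List[Switch], links: List[Link],
               vlan: int) -> Tuple[Switch, Dict[str, Tuple[int, int]]]:
    """Return the root and, for every non-root switch, (root cost, root port number)."""
    bid = {s.name: bridge_id(s, vlan) for s in switches}
    root = elect_root(switches, vlan)
    # Per switch: every port as (neighbour, neighbour's port, own port, link cost)
    ports: Dict[str, list] = {s.name: [] for s in switches}
    for link in links:
        cost_of_link = PORT_COST[link.speed_mbps]
        ports[link.a].append((link.b, link.b_port, link.a_port, cost_of_link))
        ports[link.b].append((link.a, link.a_port, link.b_port, cost_of_link))
    root_cost = {root.name: 0}          # the root advertises root cost 0 in its Hellos
    chosen: Dict[str, Tuple[int, int]] = {}
    # Hellos propagate one hop per round; len(switches) rounds reach steady state.
    for _ in range(len(switches)):
        for name in ports:
            if name == root.name:
                continue
            # Candidate tuple order is the tiebreak order: cost, neighbour BID,
            # neighbour port priority, neighbour port number; own port is carried along.
            candidates = [
                (root_cost[nbr] + c, bid[nbr], DEFAULT_PORT_PRIORITY, nbr_port, own_port)
                for nbr, nbr_port, own_port, c in ports[name]
                if nbr in root_cost
            ]
            if candidates:
                best = min(candidates)
                root_cost[name] = best[0]
                chosen[name] = (best[0], best[4])
    return root, chosen

# Constructed topology: three switches in a ring plus a second, parallel link between
# SW2 and SW3 to force a cost tie on SW3.
SWITCHES = [
    Switch("SW1", "0000.0c11.1111"),
    Switch("SW2", "0000.0c22.2222"),
    Switch("SW3", "0000.0c33.3333"),
]
LINKS = [
    Link("SW1", 1, "SW2", 1, 1000),   # cost 4
    Link("SW1", 2, "SW3", 1, 10),     # a 10/100/1000 port running at 10 Mbps: cost 100
    Link("SW2", 2, "SW3", 2, 100),    # cost 19
    Link("SW2", 3, "SW3", 3, 100),    # cost 19, parallel to the link above
]

if __name__ == "__main__":
    root, rps = root_ports(SWITCHES, LINKS, vlan=1)
    print("Root bridge:", root.name, hex(bridge_id(root, 1)))
    for name, (cost, port) in sorted(rps.items()):
        print(f"{name}: root cost {cost}, root port {port}")
    # The effect of "spanning-tree vlan 1 priority 4096" on SW3: it becomes the root.
    tuned = [Switch("SW3", "0000.0c33.3333", priority=4096) if s.name == "SW3" else s
             for s in SWITCHES]
    print("After lowering SW3 priority:", elect_root(tuned, 1).name)
```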
18.5 STP states
STP is known to have 4 states (plus the Disabled state, in which STP is not running on the port):
1. Disabled – No STP, port down
2. Blocking – Port connected to a device
3. Listening – Flushing all old/stale MAC entries to prevent temporary loops
4. Learning – Updating its MAC table with newly learned MAC addresses
5. Forwarding – Unicast/Broadcast/Flood the frame to other devices

State        Forward data frames?   Learn MAC based on received frames?   Transitory or stable state?
Blocking     No                     No                                    Stable
Listening    No                     No                                    Transitory
Learning     No                     Yes                                   Transitory
Forwarding   Yes                    Yes                                   Stable
Disabled     No                     No                                    Stable

18.6 STP timers


#show spanning-tree

As we have discussed earlier, STP timers are the reason why a switch takes 30 to 50 seconds
to bring its links up.

STP timers – hello
It is the time period between hellos created by the root bridge.
Timer value – 2 seconds (By default, can be changed by the Root Bridge)
STP timers – max age
How long any switch should wait, after ceasing to hear hellos, before trying to change the
STP topology.
Timer value - 20 seconds (10 times the default Hello timer)
So, a switch would go 20 seconds without hearing a Hello before reacting.
After MaxAge expires, the switch makes all its STP choices again, based on the Hellos it receives
from other switches. It re-evaluates which switch should be the root switch. If the local
switch is not the root, it chooses its RP. And it determines whether it is the DP on each of its
other links.
STP timers – forward delay
It is the delay that affects the process that occurs when an interface changes from blocking
state to forwarding state. A port stays in the listening state and then in the learning state for a
certain time period defined by the forward delay timer.
Timer value – 15 seconds
18.6.1 STP timers & convergence

Depending upon the values of these timers, we can say that STP converges typically in
30 to 50 seconds.
- Listening to learning: 15 seconds
- Learning to forwarding: 15 seconds
As a result, a convergence event that causes an interface to change from blocking to
forwarding requires 30 seconds.
In addition, a switch might have to wait MaxAge seconds (default 20 seconds) before even
choosing to move an interface from blocking to forwarding state.
Max age (if no hello from the neighbor switch): 20 seconds
18.7 How to manually make a switch as “Root Bridge?”

It can be made by changing the priority of a particular VLAN by using the following
command:
Switch1(config)# spanning-tree vlan 1 priority 4096
Note: The priority of a switch is a value that is a multiple of 4096.
18.8 Root Bridge: Primary, Secondary
By using this concept, one switch is made as “Root Bridge” and another as “Backup Root
Bridge”.
To make primary Root Bridge:
Switch1(config)# spanning-tree vlan 1 root primary
To make secondary Root Bridge:
Switch2(config)# spanning-tree vlan 1 root secondary
18.9 PVSTP
The original Spanning Tree protocol (802.1d) is quite outdated by today’s standards and only
worked on a single VLAN or a single switch that does not support VLANs. Cisco saw the
need for Spanning Tree on all VLANs and created the proprietary PVST and PVST+ protocols,
which enable spanning-tree on a per-VLAN instance. So in this case every single VLAN on each
switch has its own STP process running to detect and eliminate loops in a layer two
switching network.
So, in CISCO switches, the “Root Bridge” can be elected on a per-VLAN basis.
How to configure pvst?
Switch1(config)# spanning-tree mode pvst
Switch2(config)# spanning-tree mode pvst
Switch3(config)# spanning-tree mode pvst
To make Switch3 as Root Bridge for VLAN10:
Switch3(config)# spanning-tree vlan 10 priority 0
To make Switch2 as Root Bridge for VLAN20:
Switch2(config)# spanning-tree vlan 20 priority 0
18.9.1 Loop prevention v/s slow convergence STP advanced
• STP as we know it, keeps the network loop free but at what cost?
• The exact cost to you and me is 50 seconds! That is a long time in networking terms.

For almost a minute data cannot flow across the network. In most cases this is a critical
issue, especially for important network services. (Some services time out in this
period.)

To deal with this issue, Cisco added the following features to STP implementation on its
switches:
- PortFast, BPDUGuard and BPDUFilter
- UplinkFast, BackboneFast etc.
18.10 Portfast
If you have a laptop or a server connected to a switchport then you know that:
- It will not need to listen to BPDUs because it is not a layer 2 device
- It will not create loops because it has a single link to the layer 2 network.
Therefore, you can safely disable Spanning Tree on such ports.
- It is very important to ensure that such ports never have an STP-enabled layer 2
device connected to them, else a loop or a breakdown of the network is quite
possible.
- You will even get a warning message on certain switches stating this when you
enable portfast on a switchport.
18.10.1 How to configure port fast?

When you configure a switchport as portfast, STP will be disabled on that port and it will
transition to forwarding state when it comes up and will never be blocked.
Switch(config)# interface fa0/1
Switch(config-if)#spanning-tree portfast
18.11 BPDU guard
As we learned, Portfast disables STP on a switchport, but an important fact is that a Portfast
switchport will keep listening for BPDUs. If someone adds a switch to a port which has been
configured as Portfast, the consequences will be unpredictable and in some cases disastrous.
To guard against this situation, Cisco provides the BPDUGuard and BPDUFilter features.
If a switch is plugged into a switchport configured as Portfast, it could change the STP
topology without the administrator knowing and could even bring down the network.
To prevent this, BPDUGuard can be configured on the switchport.
The BPDU Guard feature protects the port from receiving STP BPDUs; however, the port can still
transmit STP BPDUs. When an STP BPDU is received on a BPDU Guard enabled port, the port
is shut down, the state of the port changes to ErrDis (Error-Disable) state, and an
administrator will have to bring the port back up.


18.11.1 How to configure bpdu guard?
Switch(config)# interface fa0/1
Switch(config-if)#spanning-tree portfast
Switch(config-if)#spanning-tree bpduguard enable
18.12 BPDU filter
When BPDUFilter is configured on a switchport which has been configured as Portfast, it will
cause the port to lose the Portfast status if a BPDU is received on it.
This will force the port to participate in STP convergence. This is unlike the behavior seen
with BPDUGuard where the port is put into an error disabled mode.
18.12.1 How to configure BPDU filter?
Switch(config)# interface fa0/1
Switch(config-if)#spanning-tree portfast
Switch(config-if)#spanning-tree bpdufilter enable
18.13 Root guard
Configured on primary & secondary root switches. Prevents a port from becoming Root Port
or Blocked Port.
If a port configured for root guard receives a superior BPDU, the port immediately goes to
the root-inconsistent (blocked) state.
18.13.1 How to configure root guard?
Switch(config)# interface gig0/1
Switch(config-if)# spanning-tree guard root
18.14 Loop guard
When enabled globally, the loop guard applies to all point-to-point ports on the system.
Loop guard detects root ports and blocked ports and ensures that they keep receiving
BPDUs from their designated port on the segment.
If a loop guard enabled root or blocked port stops receiving BPDUs from its designated
port, it transitions to the loop-inconsistent blocking state, on the assumption that there is
a physical link error on this port.
The port recovers from this loop-inconsistent state as soon as it receives a BPDU.
18.14.1 How to configure loop guard?
Switch(config)# interface gig0/1
Switch(config-if)# spanning-tree guard loop


18.15 RSTP – rapid spanning tree protocol

The convergence time for the legacy Spanning Tree Protocol (STP) IEEE 802.1D standard is 30 to
50 seconds.
When the network is converging on a topology change, no traffic is forwarded to or from
any of the network bridges and switches.
In modern networks this Spanning Tree Protocol (STP) convergence time gap is not
acceptable.
Cisco enhanced the original Spanning Tree Protocol (STP) IEEE 802.1D specification with
features such as PortFast, UplinkFast and BackboneFast to speed up the Spanning Tree
Protocol (STP) convergence time, but these were proprietary enhancements.
The Rapid Spanning Tree Protocol (RSTP) IEEE standard is available to address the Spanning
Tree Protocol (STP) convergence time gap issue.
Rapid Spanning Tree Protocol (RSTP) enables STP Root Ports and STP Designated Ports to
change from the blocking to the forwarding port state in a few seconds.
In order to speed things up:
Rapid STP: NO Listening, NO Blocking,
Only 3 States: Discarding, Learning and Forwarding
Then the delay becomes 3 + 3 = 6 seconds.
18.15.1 How to configure rstp?
Switch(config)# spanning-tree mode rapid-pvst


19. RSTP and MSTP


19.1 RSTP standards – clear the confusion

802.1w was actually an amendment to the 802.1D standard. The IEEE first published 802.1D
(STP) in 1990, and anew in 1998. After the 1998 version of 802.1D, the IEEE published the
802.1w (RSTP) amendment to 802.1D in 2001, which first standardized RSTP. IEEE replaced
STP with RSTP in the revised 802.1D standard in 2004. In another move, in 2011 the IEEE
moved all the RSTP details into a revised 802.1Q standard. As of today, RSTP actually lies in
the 802.1Q standards document. Many people refer to RSTP as 802.1w because that was
the first IEEE document to define it. They are right based on timing and context. However,
we are focusing on the concepts of STP and RSTP rather than the IEEE standard numbers.
STP & RSTP differences
In STP, only the root switch creates a Hello; all other switches update and forward that
Hello. With RSTP, each switch independently generates its own Hellos. Additionally, RSTP
allows for queries between neighbors, rather than waiting on timers to expire, as a means
to avoid waiting to learn information. So, RSTP lowers waiting times for cases in which RSTP
must wait for a timer.
19.2 RSTP timers
STP requires a switch to wait for MaxAge seconds, which STP defines based on 10 times the
Hello timer, or 20 seconds, by default. RSTP shortens this timer, defining MaxAge as three
times the Hello timer. Additionally, RSTP can send messages to the neighboring switch to
inquire whether a problem has occurred rather than wait for timers. The best way to get a
sense for these mechanisms is to see how the RSTP alternate port and the backup port both
work. RSTP uses the term Alternate Port to refer to a switch’s other ports that could be used
as the Root Port in the case of root port failure. The Backup Port concept provides a backup
port on the local switch for a Designated Port. Note: backup ports apply only to designs
that use hubs, so they are unlikely to be useful today.
19.3 RSTP port roles

Function                                                           Port Role
-----------------------------------------------------------------  ---------------
Port that begins a non-root switch's best path to the root bridge  Root Port
Port that replaces the root port when the root port fails          Alternate Port
Port designated to forward into a collision domain                 Designated Port
Port that replaces a designated port when a designated port fails  Backup Port
Port which is administratively disabled                            Disabled Port


RSTP alternate port
Whichever port is not the root port meets the criteria to be an alternate port. An alternate
port basically works like the second-best option for the root port. The alternate port can
take over for the former root port, often very rapidly, without requiring a wait in other
interim RSTP states.
When the root port fails, or when Hellos stop arriving on the original root port, the switch
changes the former root port’s role and state:
(a) The role from root port to a disabled port, and
(b) The state from forwarding to discarding
(The equivalent of STP’s blocking state).
Then, without waiting on any timers, the switch changes roles and state for the alternate
port: its role changes to be the root port, with a forwarding state.
19.3.1 RSTP states
RSTP has only 3 states:
1. Discarding
2. Learning
3. Forwarding
19.3.2 STP & RSTP transitioning

STP waits for a time (forward delay) in both listening and learning states. The reason for this
delay in STP is that, at the same time, the switches have all been told to time out their MAC
table entries. When the topology changes, the existing MAC table entries may actually cause
a loop.
With STP, the switches all tell each other (with BPDU messages) that the topology has
changed and to time out any MAC table entries using the forward delay timer. This removes
the entries, which is good, but it causes the need to wait in both listening and learning state
for forward delay time (default 15 seconds each).
RSTP, to converge more quickly, avoids relying on timers. RSTP switches tell each other
(using messages) that the topology has changed. Those messages also direct neighboring
switches to flush the contents of their MAC tables in a way that removes all the potentially
loop-causing entries, without a wait.

As a result, in RSTP, a port can immediately transition to a forwarding state, without waiting,
and without using the learning state.
RSTP backup port
RSTP backup port role creates a way for RSTP to quickly replace a switch’s designated port.
The need for the backup port role only happens in designs that are a little unlikely today.


The reason is that a design must use hubs, which then allows the possibility that one switch
connects more than one port to the same collision domain.
With a backup port, if the current designated port fails, SW4 can start using the backup port
with rapid convergence.

RSTP port types


RSTP defines the term shared to describe ports connected to a hub.
The term shared comes from the fact that hubs create a shared Ethernet; hubs also force
the attached switch port to use half-duplex logic.
RSTP assumes that all half-duplex ports may be connected to hubs, treating ports that use
half duplex as shared ports.
RSTP converges more slowly on shared ports as compared to all point-to-point ports.


19.4 RSTP advanced operations

19.4.1 EtherChannel & RSTP convergence

With each pair of Ethernet links configured as an EtherChannel, STP treats each
EtherChannel as a single link.
In other words, both links to the same switch must fail for a switch to need to cause STP
convergence.
Without EtherChannel, if you have multiple parallel links between two switches, STP blocks
all the links except one.
With EtherChannel, all the parallel links can be up and working at the same time, while
reducing the number of times STP must converge, which in turn makes the network more
available.
19.4.2 RSTP & portfast
PortFast allows a switch to immediately transition from blocking to forwarding, bypassing
listening and learning states.

However, the only ports on which you can safely enable PortFast are ports on which you
know that no bridges, switches, or other STP-speaking devices are connected.

Otherwise, using PortFast risks creating loops, the very thing that the listening and learning
states are intended to avoid.
PortFast is most appropriate for connections to end-user devices.
19.4.3 RSTP & bpduguard

STP and RSTP open up the LAN to several different types of possible security exposures. For
example:

1. An attacker could connect a switch to one of these ports, one with a low STP/RSTP
priority value, and become the root switch.
The new STP/RSTP topology could have worse performance than the desired topology.
2. The attacker could plug into multiple ports, into multiple switches, become root, and
actually forward much of the traffic in the LAN.
Without the networking staff realizing it, the attacker could use a LAN analyzer to copy large
numbers of data frames sent through the LAN.

3. Users could innocently harm the LAN when they buy and connect an inexpensive
consumer LAN switch (one that does not use STP/RSTP).


Such a switch, without any STP/RSTP function, would not choose to block any ports and
could cause a loop.
The Cisco BPDU Guard feature helps defeat these kinds of problems by disabling a port if
any BPDUs are received on the port.
So, this feature is particularly useful on ports that should be used only as an access port and
never connected to another switch.
In addition, the BPDU Guard feature helps prevent problems with PortFast.

PortFast should be enabled only on access ports that connect to user devices, not to other
LAN switches.
Using BPDU Guard on these same ports makes sense because if another switch connects to
such a port, the local switch can disable the port before a loop is created.
19.6 Introduction to MSTP
• IEEE standard – 802.1s
• Multiple VLANs can have a common “Root Bridge”.
• Originally designed for vendors having lesser hardware capabilities than CISCO.
19.7 How to detect switching loops?
The network will be up for a while, then it will gradually slow down, and finally it will go
down.
This will keep happening until the problem is resolved.
Question: What is the fastest way to remove a switching loop?
Answer: Unplug all the devices.


20. CDP & LLDP


20.1 Concept of CDP
A layer 2, Cisco proprietary protocol.
It performs discovery negotiations between devices and provides detailed information about
all directly connected Cisco devices.
Information like:
- My port that is connected to it
- Its port that is connected to me
- The IP Address of the neighbor device
- The MAC Address of the neighbor device
- Port description of the neighbor
20.2 CDP configuration
Enable CDP globally:
Switch(config)# cdp run
Disable CDP globally:
Switch(config)# no cdp run
Enable CDP on an interface:
Switch(config)# interface fa0/1
Switch(config-if)# cdp enable
Disable CDP on an interface:
Switch(config)# interface fa0/1
Switch(config-if)# no cdp enable
CDP verification
Switch# show cdp neighbors
Switch# show cdp neighbors detail
20.3 Concept of LLDP
If it wasn't a Cisco Device, then can I still know who my neighbor is?
Yes!


Using LLDP
- It is also a layer 2 protocol for the same task, but it is an open standard.
- It is useful for devices of vendors other than Cisco, like Juniper and Huawei.
20.4 LLDP configuration
Enable LLDP globally:
Switch(config)# lldp run
Disable LLDP globally:
Switch(config)# no lldp run
Enable LLDP on an interface:
Switch(config)# interface fa0/1
Switch(config-if)# lldp enable
Disable LLDP on an interface:
Switch(config)# interface fa0/1
Switch(config-if)# no lldp enable
Remember:
CDP and LLDP are very useful in troubleshooting network issues, but they are also a threat
to the network's integrity.
If attackers take advantage of them, these protocols can be used to steal important
network information, which can then be used for privilege escalation.
So, some security experts advise turning them off and using other methods for the same
purpose.
LLDP verification
Switch# show lldp
Switch# show lldp neighbors
Switch# show lldp neighbors detail


21. EtherChannel using LACP


21.1 Concept

What if the bandwidth of an interface is not enough? This technology can Aggregate/Bundle
multiple interfaces into a new single interface. Ether-Channel is a port link aggregation
technology or port-channel architecture used primarily on Cisco switches. It allows grouping
of several physical Ethernet links to create one logical Ethernet link for the purpose of:
- Providing fault-tolerance, and
- High-speed links between devices in the network.
21.2 What is LACP?
The bundle is formed by negotiating between the two devices using the LACP protocol and a
device role. LACP has 2 modes: Active and Passive. Watch out: of the two devices, at least
one must be ACTIVE. LACP can be done on both Layer 2 (switch) and Layer 3 (router) devices.
In L3, there is no need for negotiation and device roles.
21.3 Switch LACP configuration
Switch1(config)# interface range fa0/1-2
Switch1(config-if-range)#channel-group 1 mode ?
active Enable LACP unconditionally
auto Enable PAgP only if a PAgP device is detected
desirable Enable PAgP unconditionally
on Enable Ether-channel only
passive Enable LACP only if a LACP device is detected
How to verify lacp on a switch?
Switch1# show spanning-tree
Switch1# show etherchannel port-channel
Switch1# show etherchannel summary
21.4 Router LACP configuration
Router1(config)# interface port-channel 1
Router1(config)# interface range gigabitEthernet 0/0/0-1
Router1(config-if-range)# channel-group 1
How to verify lacp on a router?
Router1# show interfaces port-channel 1


22. 802.3 Ethernet standards


22.1 LAN revised concept

LANs typically connect nearby devices: devices in the same room, in the same building, or in
a campus of buildings.
LANs can be classified on the following two bases:
1. Technology-based LANs:
- Ethernet LANs, and
- Wireless LANs.
2. Scale/size-based LANs:
- SOHO LANs, and
- Enterprise LANs.
22.2 Ethernet LANs
It is a combination of user devices, LAN switches, and different kinds of cabling. Each link
can use different types of cables, at different speeds.
However, they all work together to deliver Ethernet frames from the one device on the LAN
to some other device.
• Ethernet LANs happen to use cables for the links between nodes, and because many
types of cables use copper wires, Ethernet LANs are often called wired LANs.
• Ethernet LANs also make use of fiber-optic cabling, which includes a fiberglass core
that devices use to send data using light.

In comparison to Ethernet, wireless LANs do not use wires or cables, instead using radio
waves for the links between nodes.
22.3 Ethernet links
The term Ethernet link refers to any physical cable between two Ethernet nodes:
- The cable itself,
- The connectors on the ends of the cable, and
- The matching ports on the devices into which the connectors will be inserted.
The cable holds some copper wires, grouped as twisted pairs to prevent crosstalk.
Crosstalk – EMI (electromagnetic interference) between the wire pairs inside the same cable
is called crosstalk.
The 10BASE-T and 100BASE-T standards require two pairs of wires (one for each direction).


But the 1000BASE-T standard requires four pairs (to allow both ends to transmit and receive
simultaneously on each wire pair).
22.4 Cabling architecture

To understand the wiring of the cable—which wires need to be in which pin positions on
both ends of the cable—you need to first understand how the NICs and switches work.

- As a rule, Ethernet NIC transmitters use the pair connected to pins 1 and 2; the NIC
receivers use a pair of wires at pin positions 3 and 6.

- LAN switches, knowing those facts about what Ethernet NICs do, do the opposite:
Their receivers use the wire pair at pins 1 and 2, and their transmitters use the wire
pair at pins 3 and 6.
22.5 Ethernet family of standards
• The term Ethernet refers to a family of LAN standards that together define the
physical and data-link layers of the world’s most popular wired LAN technology.
• The standards, defined by the Institute of Electrical and Electronics Engineers (IEEE),
define the cabling, the connectors on the ends of the cables, the protocol rules, and
everything else required to create an Ethernet LAN.
• One of the most significant strengths of the Ethernet family of protocols is that these
protocols use the same data-link standard.
www.EthernetAlliance.org – to check all the latest developments of Ethernet.
The term Ethernet refers to an entire family of standards.
Some standards define the specifics of how to send data over a particular type of cabling,
and at a particular speed.
Other standards define protocols, or rules, that the Ethernet nodes must follow to be a part
of an Ethernet LAN.
All these Ethernet standards come from the IEEE and include the number 802.3 as the
beginning part of the standard name.
Although Ethernet includes many physical layer standards, Ethernet acts like a single LAN
technology because it uses the same data-link layer standard over all types of Ethernet
physical links.
That standard defines a common Ethernet header and trailer. (As a reminder, the header
and trailer are bytes of overhead data that Ethernet uses to do its job of sending data over a
LAN.)
No matter whether the data flows over a UTP cable or any kind of fiber cable, and no matter
the speed, the data-link header and trailer use the same format.


Ethernet standards – twisted pair

Speed      Common name       Informal IEEE   Formal IEEE    Cable type &
                             standard name   standard name  maximum length
---------  ----------------  --------------  -------------  ---------------
10 Mbps    Ethernet          10Base-T        802.3          Copper, 100 m
100 Mbps   Fast Ethernet     100Base-T       802.3u         Copper, 100 m
1000 Mbps  Gigabit Ethernet  1000Base-LX     802.3z         Fiber, 5000 m
1000 Mbps  Gigabit Ethernet  1000Base-T      802.3ab        Copper, 100 m
10 Gbps    10 Gig Ethernet   10GBase-T       802.3an        Copper, 100 m

Ethernet standards – fiber optics

Standard     Cable type   Max distance
-----------  -----------  ------------
10Gbase-S    Multi-mode   400 m
10Gbase-LX4  Multi-mode   300 m
10Gbase-LR   Single-mode  10 km
10Gbase-E    Single-mode  30 km

Twisted pair v/s fiber optics

Parameter                                      UTP    Multi-mode  Single-mode
---------------------------------------------  -----  ----------  -----------
Relative cost of cabling                       Low    Medium      Medium
Relative cost of a switch port                 Low    Medium      High
Approximate max distance                       100 m  500 m       40 km
Relative susceptibility to interference        Some   None        None
Relative risk of copying from cable emissions  Some   None        None


22.6 What is Ethernet frame?


The Ethernet data-link protocol defines the Ethernet frame as: an Ethernet header at the
front, the encapsulated data in the middle, and an Ethernet trailer at the end.
Following is the commonly used frame structure:
(Figure: Ethernet frame explained)
22.7 Ethernet frame structure


Terms & types of Ethernet frames
Padding – the process of adding extra bits to bring the frame up to the minimum
transmittable size (46 bytes) if it is smaller than that.
Fragmentation – the process of breaking a frame into pieces of at most the maximum
transmittable size (1500 bytes) if it is larger than that.
Runt Frame – a frame of size less than 46 bytes.
Jumbo Frame – a frame of size more than 1500 bytes.

Maximum Transmission Unit (MTU) – Size of the maximum Layer 3 packet that can be sent
over a medium.

Because the Layer 3 packet rests inside the data portion of an Ethernet frame, 1500 bytes is
the largest IP MTU allowed over an Ethernet.
Note: Errors in frame are checked at the receiving side not on the sending side itself.
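As an added example (not from these notes), a small Python model of an Ethernet II frame: the sender pads short data up to the 46-byte minimum and appends the CRC-32 FCS, and the receiver classifies the size (runt / normal / jumbo) and verifies the FCS, which is where errors are actually detected. The little-endian FCS byte order follows common packet-capture practice and is an assumption of this example.

```python
"""Added example (not from the notes): a minimal model of an Ethernet II frame
showing the 46-byte minimum / 1500-byte maximum data field from section 22.7
and the receiver-side FCS check. The FCS byte order (CRC-32 stored
least-significant byte first) follows common packet-capture practice; treat
it as an assumption of this example."""
import struct
import zlib

MIN_DATA = 46            # data shorter than this is padded before transmission
MAX_DATA = 1500          # the Ethernet MTU; larger data must be fragmented at layer 3
HEADER_LEN = 14          # 6-byte destination MAC + 6-byte source MAC + 2-byte EtherType
FCS_LEN = 4              # CRC-32 trailer
MIN_FRAME = HEADER_LEN + MIN_DATA + FCS_LEN   # 64 bytes; anything shorter is a runt
MAX_FRAME = HEADER_LEN + MAX_DATA + FCS_LEN   # 1518 bytes; anything longer is a jumbo frame


def mac_bytes(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aabb.ccdd.eeff' or 'aa-bb-cc-dd-ee-ff' notation."""
    return bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))


def build_frame(dst: str, src: str, ethertype: int, data: bytes) -> bytes:
    """Sender side: header + data (zero-padded up to MIN_DATA) + FCS trailer."""
    if len(data) > MAX_DATA:
        raise ValueError(f"{len(data)} bytes exceeds the Ethernet MTU; fragment at layer 3 first")
    padded = data.ljust(MIN_DATA, b"\x00")                 # padding, as in section 22.7
    body = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + padded
    return body + struct.pack("<I", zlib.crc32(body))      # FCS computed over header + data


def check_frame(frame: bytes) -> dict:
    """Receiver side: classify the size and verify the FCS. The sender never
    checks its own frame; corruption is only detected here."""
    size = len(frame)
    if size < MIN_FRAME:
        kind = "runt"
    elif size > MAX_FRAME:
        kind = "jumbo"
    else:
        kind = "normal"
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    fcs_ok = len(fcs) == FCS_LEN and zlib.crc32(body) == struct.unpack("<I", fcs)[0]
    ethertype = struct.unpack("!H", body[12:14])[0] if len(body) >= HEADER_LEN else None
    return {"size": size, "kind": kind, "fcs_ok": fcs_ok,
            "ethertype": ethertype, "data": body[HEADER_LEN:]}


if __name__ == "__main__":
    # Constructed sample: a 5-byte IPv4 payload (EtherType 0x0800) sent to broadcast.
    frame = build_frame("ff:ff:ff:ff:ff:ff", "ca00.0cf0.0008", 0x0800, b"hello")
    print(len(frame), check_frame(frame)["kind"], check_frame(frame)["fcs_ok"])
    damaged = bytearray(frame)
    damaged[20] ^= 0x01                                    # flip one bit in the data field
    print(check_frame(bytes(damaged))["fcs_ok"])           # the receiver sees the corruption
```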


23. IPv6 addressing


23.1 IPv4 limitations
• The RFC 791 for IPv4 was published in 1981.
• Initial design of IPv4 did not anticipate the growth of internet.
• This created many issues, which showed that IPv4 needed to change:
- Scarcity of IPv4 Addresses
- Security Related Issues
- Quality of service (QoS)
23.2 IPv6 features
• New Packet Format and Header
• Large Address Space
• Stateful and Stateless IPv6 address configuration
• Integrated Internet Protocol Security (IPsec)
• Multicast
• Neighbour Discovery Protocol (no ARP)
• Simplified Headers than IPv4
23.3 Introduction to IPv6
• 128 bits long, written in hexadecimal notation.
• Uses prefix notation in place of the IPv4 subnet mask.
• The complete 128-bit address is divided into 8 parts, each of 16 bits:
XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
where each X is a hexadecimal digit representing 4 bits, or a nibble.
• IPv6 addresses range from:
0000:0000:0000:0000:0000:0000:0000:0000
to
FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
23.4 How to compress IPv6 address?
Let’s understand this by an example:
2001:0db8:0000:000b:0000:0000:0000:001A


1. Omit leading zeros
2001:db8:0:b:0:0:0:1a
2. Compress consecutive fields of zeros using Double colon
2001:db8:0:b::1a
Note:
Compressing and shortening a series of consecutive fields of hexadecimal zeros in an IPv6
Address is possible ONLY once.
23.5 Types of IPv6 addresses
IPv6 addresses are of three types:
1. Unicast
- Global Unicast
- Unique Local
- Link Local
2. Multicast
3. Anycast
Note:
There is no broadcasting in IPv6.
23.5.1 Global Unicast IPv6 Addresses
Used to identify a single interface on a public network.
They are standard, globally unique unicast addresses (like public IPv4 addresses).
They are internet-routable and start with 2.
Example: 2001:db8:0:b::1A


Global Unicast Address prefixes

The prefix is the part of the IPv6 address that indicates the network.
Consider an IPv6 example: 21DA:D3::/48
- The first three fixed bits (001) plus the remaining 45 bits (3 + 45 = 48 bits) form the
Route Prefix, and 21DA:D3:0:2F3B::/64 is a Subnet Prefix.
- The fourth part of the IPv6 address, "2F3B", is the Subnet part.
It means that currently the first 48 bits of an IPv6 address are used to identify the network
globally, and the next 16 bits are used for subnetting (which makes 48+16 = 64 bits, the
network part).
The remaining 64 bits are used for identifying the hosts (host part).
Global Unicast IPv6 Addresses range
Since the leftmost three bits are reserved as "001" for Global Unicast IPv6 addresses, the
range of Global Unicast Addresses available now is from 2000 to 3FFF, as shown below:

Global Unicast Addresses  Value for leftmost part (binary)  In hexadecimal
------------------------  --------------------------------  --------------
Minimum possible          0010000000000000                  2000
Maximum possible          0011111111111111                  3FFF

23.5.2 Site/Unique Local IPv6 Address


Used to identify a single interface on a private network.
These are locally unique addresses (like IPv4 private addresses).
They are reserved within the range FC00::/7.
IPv6 Unique Local addresses are not expected to be routable on the Internet; they are only
routable inside a company's multiple sites.
Unique Local IPv6 addresses can be viewed as globally unique "private routable" IPv6
addresses, which are typically used inside an organization.
A range of FC00::/7 means that IPv6 Unique Local addresses begin with 7 bits with the exact
binary pattern 1111 110L, where the eighth bit L can be either 0 or 1.
So, we can have two Unique Local IPv6 Unicast Address prefixes:
1111 1100 (FC in hexadecimal) and 1111 1101 (FD in hexadecimal)
23.5.3 Link Local IPv6 Addresses
Allow communications between devices on a local link.
They start with FE80::/10


These addresses are auto-configured (or auto-generated, plug-and-play) addresses (stateless
addresses), similar to the IPv4 APIPA addresses (169.254/16).
Typically, getting an APIPA IPv4 address in an IPv4 network is because of some network
error, but link-local addresses are IPv6 addresses which can be used for local
communication.
A link-local address is for use on a single link and should never be routed.
23.5.4 Multicast Addresses
• IPv6 multicast addresses Start with FF
• Following are the important IPv6 multicast addresses:
FF02::1 - All nodes on the local network segment
FF02::2 - All routers on the local network segment
Loopback Addresses
The loopback address (both in IPv4 and IPv6) is an address which represents the computer's
own interface.
It is used by a node to send an IPv6 packet to itself for link testing.
An IPv6 loopback address functions the same as an IPv4 loopback address.
The IPv6 loopback address is:
0000:0000:0000:0000:0000:0000:0000:0001/128
or ::1/128
23.5.5 Unspecified Addresses
The unspecified address is used by an operating system before an IPv4 or IPv6 address is
configured on it.
The unspecified address in IPv6 is the IPv6 address with all binary bits set to "0".

Address Type         IPv4         IPv6
-------------------  -----------  -------
Loopback address     127.0.0.0/8  ::1/128
Unspecified address  0.0.0.0/0    ::0/0

23.5.6 IPv6 Special Addresses & well known prefixes

IPv6 Address                                                    Description
--------------------------------------------------------------  ---------------------------------
0000:0000:0000:0000:0000:0000:0000:0000/0 (simplified to ::0/0)   Known as IPv6 unspecified address
0000:0000:0000:0000:0000:0000:0000:0001/128 (simplified to ::1/128)  IPv6 loopback address
IPv6 addresses between prefixes 2000::/3 and 3FFF::/3           Global unicast addresses
IPv6 addresses with prefix FE80::/10                            Link local IPv6 addresses
IPv6 addresses with prefixes FC00::/7 and FD00::/8              Unique local IPv6 addresses
IPv6 addresses with prefix FF00::/8                             Multicast IPv6 addresses
IPv6 addresses with prefixes 2001:0DB8::/32 and 3FFF:FFFF::/32  Reserved for documentation

23.6 IPv6 address assignment


Methods to assign a Global Unicast Address
• Stateful DHCPv6
• Stateless Auto-configuration (SLAAC)
• Static IPv6 Global Unicast Address Configuration
23.6.1 Using Stateless Auto configuration – SLAAC

IPv6 uses the Router Solicitation (RS) & Router Advertisement (RA) messages to learn the
IPv6 Network Prefix, IPv6 Prefix Length, default router IPv6 address from network routers.
After obtaining the IPv6 Network Prefix, IPv6 Prefix Length, default router IPv6 address from
network routers, IPv6 network interfaces can automatically derive a Global Unicast IPv6
Address using EUI-64 method.
IPv6 can use Stateless DHCPv6 to learn the DNS Server IPv6 addresses.
23.6.2 Static IPv6 Address Configuration
There are two methods for Static IPv6 Global Unicast Address Configuration:
1. You can type-in the entire 128-bit IPv6 address for the network interface.
2. You can configure 64 bit IPv6 Global Unicast Address network prefix & then use EUI-64
method to derive the remaining 64 host part bits.
How to configure Static Global Unicast IPv6 Address?
R1(config)# interface fa 0/0
R1(config-if)# ipv6 address 2001:db8:aaaa:1::1/64
R1(config-if)# no shutdown
R1# show ipv6 interface brief
EUI-64 based Global Unicast IPv6 address
• The EUI-64 method of generating a Global Unicast IPv6 Address involves taking the
6-byte (48-bit) interface MAC address and then generating a Global Unicast IPv6 Address
by expanding it into a 64-bit interface part (host part).


• To make a Global Unicast IPv6 Address unique, IPv6 inserts 2 bytes (16 bits) into the
middle of the MAC address.
The 48-bit MAC address is divided into two 3-byte parts, and then the binary number
1111111111111110 (FFFE in hexadecimal) is inserted between them to make up the complete
64 bits.
• Also, the 7th bit (from the left) in the MAC address is flipped. This means that if the 7th
bit in the MAC address (from the left) is 1, change it to 0, and if the 7th bit (from the
left) in the MAC address is 0, change it to 1.
• The 7th bit (from the left) in the MAC address is called the Universal/Local (U/L) bit.
The Universal/Local (U/L) bit is used to indicate whether the address is universally assigned
or locally assigned.
The Universal/Local (U/L) bit set to 0 means that it is an IEEE-assigned MAC address.
The Universal/Local (U/L) bit set to 1 means that the MAC address is a locally assigned MAC
address.
How to configure EUI-64 based global Unicast IPv6 Address?
R1(config)# interface fa 0/0
R1(config-if)# ipv6 address 2001:db8:aaaa:1::/64 eui-64
R1(config-if)# no shutdown
R1# show ipv6 interface brief
FastEthernet0/0
FE80::C800:CFF:FEF0:8
2001:DB8:AAAA:1:C800:CFF:FEF0:8
The MAC address of the interface is "ca00.0cf0.0008".
Calculate yourself how the IPv6 address 2001:DB8:AAAA:1:C800:CFF:FEF0:8 is auto-configured.
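As an added example (not from these notes or from Cisco IOS), the address compression rules of section 23.4, the EUI-64 interface ID of this section and the address-type ranges of section 23.5 in Python, checked against the MAC ca00.0cf0.0008 and the 2001:db8:aaaa:1::/64 prefix shown above. All sample addresses in the test are taken from the notes or constructed.

```python
"""Added example (not from the notes or Cisco IOS): IPv6 address compression
(section 23.4), EUI-64 interface IDs (section 23.6.2) and address-type
classification (section 23.5), checked against the notes' own example."""
import re


def expand_ipv6(addr: str) -> list[int]:
    """Return the eight 16-bit fields of an IPv6 address, undoing '::' if present."""
    addr = addr.split("/")[0]                       # drop a /prefix-length if given
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an IPv6 address")
    head, sep, tail = addr.partition("::")
    left = [int(f, 16) for f in head.split(":") if f]
    right = [int(f, 16) for f in tail.split(":") if f]
    if len(left) + len(right) > 8 or (not sep and len(left) != 8):
        raise ValueError(f"malformed IPv6 address: {addr}")
    return left + [0] * (8 - len(left) - len(right)) + right


def compress_ipv6(fields: list[int]) -> str:
    """Step 1: omit leading zeros in every field.
    Step 2: replace the longest run (at least two fields) of all-zero fields
    with a single '::' (the first run wins on a tie); this is done only once."""
    hex_fields = [format(f, "x") for f in fields]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if fields[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and fields[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(hex_fields)
    left = ":".join(hex_fields[:best_start])
    right = ":".join(hex_fields[best_start + best_len:])
    return f"{left}::{right}"


def compress_ipv6_str(addr: str) -> str:
    """Convenience wrapper: full text form in, compressed text form out."""
    return compress_ipv6(expand_ipv6(addr))


def eui64_interface_id(mac: str) -> list[int]:
    """Build the 64-bit host part from a 48-bit MAC: split the MAC into two
    3-byte halves, insert FFFE between them and flip the U/L bit (7th bit
    from the left of the first byte, i.e. XOR the first byte with 0x02)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)       # accept aa:bb:cc..., aabb.ccdd.eeff, ...
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    octets = bytearray.fromhex(digits)
    octets[0] ^= 0x02                               # universal <-> local
    eui = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return [int.from_bytes(eui[k:k + 2], "big") for k in range(0, 8, 2)]


def slaac_address(prefix: str, mac: str) -> str:
    """First 64 bits of the prefix + EUI-64 interface ID, in compressed form.
    Works for a global prefix such as 2001:db8:aaaa:1::/64 and for fe80::/64."""
    network = expand_ipv6(prefix)[:4]
    return compress_ipv6(network + eui64_interface_id(mac))


def classify_ipv6(addr: str) -> str:
    """Name the address type from its leading bits, as listed in section 23.5."""
    f = expand_ipv6(addr)
    if f == [0] * 8:
        return "unspecified"
    if f == [0] * 7 + [1]:
        return "loopback"
    if f[0] >> 8 == 0xFF:                           # FF00::/8
        return "multicast"
    if f[0] >> 6 == 0b1111111010:                   # FE80::/10
        return "link-local"
    if f[0] >> 9 == 0b1111110:                      # FC00::/7 (covers FC00 and FD00)
        return "unique-local"
    if f[0] >> 13 == 0b001:                         # 2000::/3
        return "global-unicast"
    return "other"


if __name__ == "__main__":
    print(compress_ipv6_str("2001:0db8:0000:000b:0000:0000:0000:001A"))   # 2001:db8:0:b::1a
    print(slaac_address("2001:db8:aaaa:1::/64", "ca00.0cf0.0008"))        # matches the notes
    print(slaac_address("fe80::/64", "ca00.0cf0.0008"))                   # the link-local one
```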
Points to remember:
Router(config)# ipv6 unicast-routing
Enables the device to forward IPv6 packets, i.e. to work as a router in the network; otherwise
it behaves just like a client (host) in an IPv6 environment.
Router(config)# interface fa0/0
Router(config-if)# ipv6 enable
Enables IPv6 on the interface and auto-configures a link-local address on it; a global
address can then be assigned statically or learned using SLAAC.


Configure IPv6 Global Unicast Address


R3(config)# ipv6 unicast-routing
R3(config)# interface fa0/0
R3(config-if)# ipv6 address 2001:db8:0:1::1/64
R3(config-if)# no shut
23.7 Routing in IPv6
• IPv6 Static routing
• IPv6 Default routing
• Dynamic routing protocols:
The most widely accepted IPv6 Interior Gateway Protocols (IGP) routing protocol is OSPFv3.
23.7.1 IPv6 Static Routing
R1(config)# ipv6 route 2001:db8:0:3::/64 2001:db8:0:4::2
23.7.2 IPv6 default Routing
R1(config)#ipv6 route ::/0 2001:db8:c::9f:35
23.7.3 How to Configure OSPFv3
R1(config)#ipv6 router ospf 1
R1(config-rtr)#router-id 1.1.1.1
R1(config-rtr)#exit
R1(config)#interface serial 1/0
R1(config-if)#ipv6 ospf 1 area 0

IPv4 v/s IPv6

IPv4                                                 IPv6
---------------------------------------------------  ---------------------------------------------------
IPv4 addresses are 32 bits long.                     IPv6 addresses are 128 bits long.
IPv4 addresses are binary numbers represented in     IPv6 addresses are binary numbers represented in
decimals.                                            hexadecimals.
IPsec support is only optional.                      Inbuilt IPsec support.
Fragmentation is done by the sender and forwarding   Fragmentation is done only by the sender.
routers.
No packet flow identification.                       Packet flow identification is available within the
                                                     IPv6 header using the Flow Label field.
Checksum field is available in the IPv4 header.      No checksum field in the IPv6 header.
Options fields are available in the IPv4 header.     No option fields, but IPv6 Extension headers are
                                                     available.
Address Resolution Protocol (ARP) is available to    ARP is replaced with a function of Neighbor
map IPv4 addresses to MAC addresses.                 Discovery Protocol (NDP).
Internet Group Management Protocol (IGMP) is used    IGMP is replaced with Multicast Listener Discovery
to manage multicast group membership.                (MLD) messages.
Broadcast messages are available.                    Broadcast messages are not available. Instead, the
                                                     link-local scope "All nodes" multicast IPv6 address
                                                     (FF02::1) is used for broadcast-like functionality.
Manual configuration (static) of IPv4 addresses or   Auto-configuration of addresses is available.
DHCP (dynamic configuration) is required to
configure IPv4 addresses.

24. Cisco wireless


24.1 Fundamentals of wireless
What is wireless?

As per the name, a wireless network means a network without wires. It removes the need
to be connected to a wire or cable.
Wired networks have some shortcomings.
- When a device is connected by a wire, it cannot move around very easily or very far.

- As devices get smaller and more mobile, it just is not practical to connect them to a
wire.
What is wireless about?

Wireless networking is not about having a completely wireless network, but about having a
solution for the part of the network where the cables cannot be extended.
More than 80% of your network is still wired. Routers are still there, switches are still there.
Some new devices and protocols are added to provide the wireless connectivity.
Which devices does wireless add?
A wireless network adds some extra devices to the infrastructure, such as:
- Access Point (AP) and Wireless LAN Controller (WLC)
What does wireless offer?
In comparison to a wired network, a wireless network offers:
- Mobility and convenience

Wireless LAN – shared and half duplex

Does this remind you of something? Yes: the traditional, non-switched, shared, half-duplex
hub networks. Why were they half duplex?

To avoid colliding with other transmissions already in progress. The side effect: no host can
transmit and receive at the same time on a shared medium. A wireless LAN is similar.

IEEE 802.11 WLANs are always half duplex because transmissions between stations use the
same frequency or channel. Only one station can transmit at any time; otherwise, collisions
occur.
Wireless LAN – full duplex?
To achieve full-duplex mode, one station's transmission would have to occur on one
frequency while it receives over a different frequency, much like full-duplex Ethernet links
work. Although this is certainly possible and practical, the 802.11 standard does not permit
full-duplex operation.
24.1.1 Common wireless terms
BSS – Basic Service Set
There should be a way to control:
- Which devices are allowed to use the wireless medium, and
- The methods that are used to secure the wireless transmissions.
The solution is to make every wireless service area a closed group of mobile devices that
forms around a fixed device; before a device can participate, it must advertise its
capabilities and then be granted permission to join. The 802.11 standard calls this a BSS –
Basic Service Set.
- At the heart of every BSS is a wireless AP – Access Point.
- The AP also establishes its BSS over a single wireless channel.
- The AP and the members of the BSS must all use the same channel to communicate
properly.

Basic service area – BSA

It is the area where the signal of the AP is usable. It is also known as a "cell." The cell is
represented as a simple shaded circular area centered on the AP itself.
BSS identifier – BSSID
The AP serves as a single point of contact for every device that wants to use the BSS. It
advertises the existence of the BSS so that devices can find it and try to join. To do that, the
AP uses a unique BSS identifier (BSSID) that is based on the AP’s own radio MAC address.

NOTE: Recall that wired Ethernet devices each have a unique MAC address to send frames
from a source to a destination over a Layer 2 network. Wireless devices must also have
unique MAC addresses to send wireless frames at Layer 2 over the air.
Service set identifier – SSID

It is a text string containing a logical name for the network connectivity provided by the AP.
Tip to remember:
BSSID – machine-readable, unique name that identifies the BSS (AP)
SSID – human-readable, non-unique name that identifies the wireless service.
BSS association
Membership in a BSS is called an association. A wireless device must send an
association request to the AP, and the AP must either grant or deny the request.
Once associated, a device becomes a client, or a station (STA), of the BSS. What then?

- As long as a wireless client remains associated with a BSS, most communications
to and from the client must pass through the AP.
- By using the BSSID as a source or destination address, data frames can be relayed
to or from the AP.
Distribution system – DS

As we know, a BSS has a single AP and no connection to a regular Ethernet network. In
this way, the AP and its associated clients make up a standalone network. But sooner or
later, wireless clients will need to communicate with other devices that are not members of
the BSS. Fortunately, an AP can also uplink into an Ethernet network because it has both
wireless and wired capabilities. The upstream wired Ethernet network is known as the
Distribution System (DS) for the wireless BSS, shown in the following figure.

The distribution system can be extended so that multiple VLANs are mapped to multiple SSIDs.
To do this, the AP must be connected to the switch by a trunk link that carries the VLANs.
The AP uses 802.1Q tagging to map the VLAN numbers to the appropriate SSIDs.
For example:
VLAN 10 – mapped to SSID "Network1"
VLAN 20 – mapped to SSID "Network2" and
VLAN 30 – mapped to SSID "Guest."

In effect, when an AP uses multiple SSIDs, it is trunking VLANs over the air, and over the
same channel, to wireless clients. The clients must use the appropriate SSID that has been
mapped to the respective VLAN when the AP was configured.
The AP then appears as multiple logical APs – One per BSS – With a unique BSSID for each.
Even though an AP can advertise and support multiple logical wireless networks, each of the
SSIDs covers the same geographic area. The reason is that the AP uses the same transmitter,
receiver, antennas, and channel for every SSID that it supports.
Extended service set – ESS

Normally, one AP cannot cover the entire area where clients might be located, for example a
campus infrastructure. To cover more area than a single AP's cell can cover, you simply
need to add more APs and spread them out geographically. When APs are placed at
different geographic locations, they can all be interconnected by a switched infrastructure.
The 802.11 standard calls this an extended service set (ESS), as shown in the following
figure.

Independent Basic Service Set – IBSS – ad hoc

It is when two or more wireless clients communicate directly with each other, with no
other means of network connectivity. This is known as an ad hoc wireless network, or an
independent basic service set (IBSS).

24.1.2 Wireless topologies

Wireless APs can be configured to operate in non-infrastructure modes when a normal BSS
cannot provide the functionality that is needed.
Following are the most common modes:
- Repeater
- Outdoor bridge
- Mesh network
Repeater

Normally, each AP in a wireless network has a wired connection to the switched network. To
extend wireless coverage beyond a normal AP’s cell, additional APs can be connected to the
switches using Ethernet wires.

But in some scenarios, it is not possible to run a wired connection to a new AP from the
switch because the cable distance is too great to support Ethernet communication.

In that case, you can add an additional AP that is configured for repeater mode. A wireless
repeater takes the signal it receives and repeats or retransmits it in a new cell area around
the repeater.

If the repeater has a single pair of transmitter and receiver, it must operate on the same
channel that the AP is using. Some repeaters can use two pairs of transmitters and receivers
to keep the original and repeated signals isolated on different channels.

One transmitter and receiver pair is dedicated to signals in the AP’s cell, while the other pair
is dedicated to signals in the repeater’s own cell.

Outdoor bridge – point-to-point connection

Outdoor bridged links are commonly used for connectivity between buildings or between
cities. A point-to-point bridged link connects two locations.
One AP configured in bridge mode is needed on each end of the wireless link. To maximize
the link distance, special-purpose antennas are normally used with the bridges to focus their
signals in one direction – toward the antenna of the AP at the far end of the link.

Outdoor bridge – point to multipoint connection


A point-to-multipoint bridged link allows a central site to be bridged to several other sites.

The central site bridge is connected to an omnidirectional antenna, such that its signal is
transmitted equally in all directions so that it can reach the other sites simultaneously. The
bridges at each of the other sites can be connected to a uni-directional antenna aimed at
the central site.
Mesh network

To provide wireless coverage over a very large area, it is not always practical to run Ethernet
cabling to every AP that would be needed. Instead, you could use multiple APs configured in
mesh mode.

In a mesh topology, wireless traffic is bridged from AP to AP, in a daisy-chain fashion, using
another wireless channel (just like switches). Mesh APs can leverage dual radios: one using
a channel in one range of frequencies and the other using a channel in a different range.

Each mesh AP usually maintains a BSS on one channel, with which wireless clients can
associate. Client traffic is then usually bridged from AP to AP over other channels as a
backhaul network. At the edge of the mesh network, the backhaul traffic is bridged to the
wired LAN infrastructure.
With Cisco APs, you can build a mesh network indoors or outdoors. The mesh network runs
its own dynamic routing protocol to work out the best path for backhaul traffic to take
across the mesh APs.

24.1.3 RF overview
The sender – A transmitter sends an alternating current into a section of wire (an antenna),
which sets up moving electric and magnetic fields that propagate out and away as traveling
waves. The electric and magnetic fields travel along together at right angles. The signal must
keep alternating, by cycling up and down, to keep the electric and magnetic fields pushing
outward.
Note that the electromagnetic waves do not travel in a straight line, instead, they travel by
expanding in all directions away from the antenna. The waves begin small, expand outward
in all three dimensions and are replaced by new waves.

It is similar to throwing a stone into a pool of water: waves start expanding outward, die out
after some distance and are replaced by new waves.
The whole process is reversed at the receiving end of a wireless link. As the electromagnetic
waves reach the receiver's antenna, they induce an electrical signal. If everything works
right, the received signal will be a copy of the original transmitted signal.

Frequency & cycle

Frequency – is the fundamental property of the wave.
Cycle – the signal starting from 0, rising to its positive peak and coming back to 0, then
going to its negative peak and coming back to 0 again.

Frequency – the number of times the signal makes one complete up-and-down cycle in 1
second. Or it can be defined as the number of cycles per second.
Hertz (Hz) is the most commonly used frequency unit (Hz, KHz, MHz, GHz etc.).
1 Hertz – one cycle per second.
24.1.8 Wireless bands & channels
Wireless bands:

Look up "frequency spectrum" on Google. You will find that a range of frequencies
might be used for the same purpose. Such a range of frequencies as a whole is referred to
as a frequency band.

One of the two main frequency ranges used for wireless LAN communication lies between
2.400 and 2.4835 GHz. This is usually called the 2.4-GHz band. The other wireless LAN range
lies between 5.150 and 5.825 GHz and is called the 5-GHz band.

The 5-GHz band actually contains the following four separate and distinct bands:
5.150 to 5.250 GHz; 5.250 to 5.350 GHz
5.470 to 5.725 GHz; 5.725 to 5.825 GHz
Do not worry about memorizing the band names or exact frequency ranges; just be aware
of the two main bands at 2.4 and 5 GHz.
Wireless channels:

To keep things in order, bands are divided into a number of different channels. Each
channel is represented by a channel number, and a specific frequency is assigned to each
channel. As long as the channels are defined by some standards body, they can be used
consistently everywhere.
Wireless channel overlapping

An AP should use a channel number different from the channel numbers used by neighboring
APs. Ideally, each channel should have its own range of frequencies so that channels do not
overlap each other.

In the 5-GHz band, this is possible. Each channel is allocated a frequency range that does not
overlap the frequencies allocated for any other channel. In other words, the 5-GHz band
consists of non-overlapping channels.
The same is not true of the 2.4-GHz band. Each of its channels is much too wide to avoid
overlapping the next lower or upper channel number.

In fact, each channel covers the frequency range that is allocated to more than four
consecutive channels! The only way to avoid any overlap between adjacent channels is to
configure APs to use only channels 1, 6, and 11.
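The 1/6/11 rule above can be checked arithmetically. The following Python script is an added example, not part of the original notes; it assumes the standard 2.4 GHz channel centre frequencies (2412 MHz for channel 1, 5 MHz spacing, channel 14 at 2484 MHz) and a 22 MHz channel width, and generalises the check to any set of AP channel assignments.

```python
"""2.4 GHz channel overlap check (added example, not from the notes).

Assumptions: channel centre frequencies follow the usual 2.4 GHz plan
(2412 MHz for channel 1, 5 MHz spacing, channel 14 at 2484 MHz) and every
channel is 22 MHz wide, the classic 802.11b/g value.
"""
from __future__ import annotations

from itertools import combinations

CHANNEL_WIDTH_MHZ = 22  # assumed channel width; 11 MHz either side of centre


def center_frequency_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel (1-14)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"invalid 2.4 GHz channel: {channel}")


def channel_range_mhz(channel: int) -> tuple[float, float]:
    """Lower and upper edge of the frequency range a channel occupies."""
    center = center_frequency_mhz(channel)
    half = CHANNEL_WIDTH_MHZ / 2
    return center - half, center + half


def channels_overlap(a: int, b: int) -> bool:
    """True when the two channels share any frequency."""
    lo_a, hi_a = channel_range_mhz(a)
    lo_b, hi_b = channel_range_mhz(b)
    # Two ranges overlap when each one starts before the other ends.
    return lo_a < hi_b and lo_b < hi_a


def overlapping_neighbours(channel: int) -> list[int]:
    """All other channels whose frequency range overlaps this one."""
    return [c for c in range(1, 15) if c != channel and channels_overlap(channel, c)]


def non_overlapping_plan(channels=range(1, 14)) -> list[int]:
    """Greedy pick of non-overlapping channels, lowest channel first."""
    chosen: list[int] = []
    for c in channels:
        if all(not channels_overlap(c, x) for x in chosen):
            chosen.append(c)
    return chosen


def conflicting_aps(assignment: dict[str, int]) -> list[tuple[str, str]]:
    """Pairs of neighbouring APs whose assigned channels overlap."""
    return [(a, b) for (a, ca), (b, cb) in combinations(assignment.items(), 2)
            if channels_overlap(ca, cb)]


if __name__ == "__main__":
    print(overlapping_neighbours(6))   # [2, 3, 4, 5, 7, 8, 9, 10]
    print(non_overlapping_plan())      # [1, 6, 11]
    # Constructed sample: four neighbouring APs and their channels
    print(conflicting_aps({"AP-1": 1, "AP-2": 6, "AP-3": 9, "AP-4": 11}))
```

With channel 14 allowed (Japan only), the same greedy plan yields [1, 6, 11, 14].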
24.1.9 Wireless generations

Remember that: Wireless devices and APs should all be capable of operating on the same
band. For example, a 5-GHz wireless phone can communicate only with an AP that offers
Wi-Fi service on 5-GHz channels. A device that supports 802.11b/g will support both
802.11b and 802.11g.

Standard | 2.4 GHz | 5 GHz | Data Rates | Note
-------- | ------- | ----- | ---------- | ----
802.11 | Yes | No | 2 Mbps | The improved std. of original 802.11
802.11b | Yes | No | 11 Mbps |
802.11g | Yes | No | 54 Mbps |
802.11a | No | Yes | 54 Mbps |
802.11n | Yes | Yes | 600 Mbps | HT (High Throughput), 2009
802.11ac | No | Yes | 6.93 Gbps | VHT (Very High Throughput), 2013
802.11ax | Yes | Yes | 4 * 802.11ac | High Efficiency Wireless, Wi-Fi 6

24.1.10 Channel assignment

As we have studied, a device can operate on both bands; how does it decide which band to
use? APs can operate on both bands simultaneously to support clients that may be present
on each band. However, wireless clients associate with an AP on one band at a time, while
scanning for other APs on both bands. The band used to connect to an AP is chosen
depending upon several factors, like the operating system and the wireless adapter driver.
A wireless client can have an association with one AP on one band and then switch to
the other band if it finds that the signal conditions are better there. Cisco APs have
dual radios to support BSSs on one 2.4-GHz channel and other BSSs on one 5-GHz channel
simultaneously.
One AP – One Radio – One Channel – One BSS
Some models also have two 5-GHz radios that can be configured to operate BSSs on two
different channels at the same time, to provide wireless coverage to more users
in a dense area. You can configure a Cisco AP to operate on a specific channel number.
But as the number of APs grows, manual channel assignment becomes a difficult task. Cisco
wireless architectures can automatically assign each AP to an appropriate channel.
2.4 GHz v/s 5 GHz

On the 2.4-GHz band, RF signals reach further than on the 5-GHz band and also penetrate
walls and objects more easily.
However, the 2.4-GHz band is commonly more crowded with wireless devices, as most
devices are configured to use the 2.4-GHz band as a default setting.
Remember that only three non-overlapping channels are available, so the chances of other
neighboring APs using the same channels are greater.
The 5-GHz band has many more channels available to use, making channels less crowded and
subject to less interference.

24.2 Cisco wireless architectures

• Autonomous – access points managed individually
• Lightweight – access points managed using a wireless LAN controller
In the autonomous architecture, we can have two configuration options:
- Local AP management – using management ports (individually)
- Cloud-based AP management – using the Cisco Meraki solution (complete enterprise)

So, in total, we have three AP architectures available:
1. Local AP architecture (Autonomous)
2. Cloud-based AP architecture (Autonomous)
3. Split-MAC architecture (Lightweight)
24.2.1 Autonomous AP
Autonomous APs offer one or more fully functional, standalone basic service sets (BSSs).
They are also an extension of the switched network, connecting wireless service set
identifiers (SSIDs) to wired virtual LANs (VLANs) at the access layer.
A typical enterprise network could consist of thousands of APs.

An autonomous AP offers a simple path for data to travel between the wireless and wired
networks, where data has to travel only through the AP to reach the network on the other
side.

Two wireless users that are associated to the same autonomous AP can reach each other
through the AP without having to pass up into the wired network. But remember that no
two devices can communicate directly.

An autonomous AP must also be configured with a management IP address so that it can be
managed remotely to configure SSIDs, VLANs, and many RF parameters such as the channel
and transmit power to be used.

Because SSIDs and their VLANs must be extended at Layer 2, you should consider how they
are extended throughout the switched network. As the wireless network expands, the
infrastructure becomes more difficult to configure correctly and becomes less efficient.

24.2.2 Cloud-based AP architecture – Cisco Meraki

To manage thousands of autonomous APs together as the wireless network grows, you
could use an AP management platform such as Cisco Prime Infrastructure or Cisco DNA
Center in the enterprise.

But such a management platform would need to be purchased, configured,
and maintained. A simpler approach is a cloud-based AP architecture, where the AP
management function is not local in the enterprise but placed in the cloud, on the internet.
Cisco Meraki is cloud-based and offers centralized management of wireless, switched, and
security networks built from Meraki products.

Cisco Meraki APs can be deployed automatically once you register with the Meraki cloud.
Each AP will contact the cloud when it powers up and will self-configure. From that point on,
you can manage the AP through the Meraki cloud dashboard.
Through the cloud networking service, you can:

- Configure APs
- Manage APs
- Monitor your wireless network, and
- Generate reports, etc.
Remember that the network is arranged similarly to the previous one, the autonomous AP
network.

The reason is that APs in a cloud-based network are all autonomous, too. The difference lies in
the fact that all of the APs are managed, controlled, and monitored centrally from the cloud
location.

Cisco Meraki features

It adds the intelligence to automatically guide each AP on which channel and what
transmit power level to use. It can gather information from all of the APs about RF
interference and wireless usage statistics.
24.2.3 Split-MAC architecture (Lightweight AP)
To overcome the limitations created by distributed autonomous APs, the functions of
autonomous APs needed to be shifted to some central location.
Such issues include:

- Management of RF operations, and
- Wireless network security.
The activities of an autonomous AP are divided into:
- Management functions (on the top), and
- Real-time processes (on the bottom).
In this scenario, the AP becomes totally dependent on the WLC for its functions.

The lightweight AP-WLC separation is known as a split-MAC architecture, where the normal
MAC operations are divided into two different operations being managed from different
locations and by different devices.
This occurs for every AP in the network; each one must boot and connect itself to a WLC to
support wireless clients.

The WLC becomes the central hub that supports and coordinates a number of APs spread
across the wireless network.

Split-MAC architecture – CAPWAP

How does a lightweight AP bind with a WLC to form a complete working access point?
• The two devices (AP and WLC) need to use a tunneling protocol between them, to
carry 802.11-related messages and also client data.
• AP and WLC can be located on the same VLAN, but they do not have to be. They can
be on two different IP subnets in two different locations.
• CAPWAP – the Control and Provisioning of Wireless Access Points tunneling protocol
makes this possible by encapsulating the data between the LAP and WLC in new IP
packets. The tunneled data can then be switched or routed across the campus
network.
The CAPWAP relationship uses two separate tunnels:
1. CAPWAP control messages: (UDP 5246)
Carries exchanges that are used to configure the AP and manage its operation. The control
messages are authenticated and encrypted.
2. CAPWAP data: (UDP 5247)

Used for packets traveling to and from wireless clients that are associated with the AP. Data
packets are transported over the data tunnel but are not encrypted by default.
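The two UDP port numbers above are enough to inventory CAPWAP tunnels from flow records and spot APs that are talking to a controller they should not, or that have a data tunnel without the control tunnel that normally accompanies it. The Python script below is an added example, not from the notes; the flow record format, the addresses and the set of expected WLCs are constructed assumptions.

```python
"""CAPWAP tunnel inventory from flow records (added example, not from the notes).

CAPWAP uses two UDP tunnels between each AP and its WLC: control on UDP 5246
and data on UDP 5247. The flow record format ("src dst proto dport"), the
addresses and the list of expected controllers below are all constructed.
"""
CAPWAP_CONTROL_PORT = 5246
CAPWAP_DATA_PORT = 5247

# Constructed flow records: source IP, destination IP, protocol, destination port.
# The AP initiates both tunnels, so the AP is the source and the WLC the destination.
FLOW_LOG = """\
10.10.10.10 10.1.1.5 udp 5246
10.10.10.10 10.1.1.5 udp 5247
10.10.10.11 10.1.1.5 udp 5246
10.10.10.11 10.1.1.5 udp 5247
10.10.10.12 10.1.1.5 udp 5247
10.10.10.13 192.0.2.77 udp 5246
10.10.10.13 192.0.2.77 udp 5247
10.10.10.10 10.1.1.20 tcp 443
"""

KNOWN_WLCS = {"10.1.1.5"}  # assumption: the controller(s) this site expects APs to join


def parse_flows(text):
    """Turn the constructed flow text into (src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        src, dst, proto, dport = line.split()
        flows.append((src, dst, proto.lower(), int(dport)))
    return flows


def capwap_tunnels(flows):
    """Map (ap_ip, wlc_ip) -> set of CAPWAP tunnel names seen ("control", "data")."""
    tunnels = {}
    for src, dst, proto, dport in flows:
        if proto != "udp":
            continue  # CAPWAP runs over UDP only
        if dport == CAPWAP_CONTROL_PORT:
            name = "control"
        elif dport == CAPWAP_DATA_PORT:
            name = "data"
        else:
            continue  # not CAPWAP
        tunnels.setdefault((src, dst), set()).add(name)
    return tunnels


def audit_tunnels(tunnels, known_wlcs):
    """Flag tunnels to unexpected controllers and data tunnels with no control tunnel."""
    findings = []
    for (ap, wlc), names in sorted(tunnels.items()):
        if wlc not in known_wlcs:
            findings.append((ap, wlc, "tunnel to unexpected WLC"))
        if "data" in names and "control" not in names:
            findings.append((ap, wlc, "data tunnel without control tunnel"))
    return findings


if __name__ == "__main__":
    for ap, wlc, reason in audit_tunnels(capwap_tunnels(parse_flows(FLOW_LOG)), KNOWN_WLCS):
        print(f"{ap} -> {wlc}: {reason}")
```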

Note: CAPWAP is based on the Lightweight Access Point Protocol (LWAPP), a legacy Cisco
proprietary protocol.
The tunnel exists between the IP address of the WLC and the IP address of the AP, which
allows all of the tunneled packets to be routed at Layer 3. The traffic to and from clients
associated with SSID 100 is transported across the network infrastructure encapsulated
inside the CAPWAP data tunnel.

Now the AP has only a single IP address, 10.10.10.10, which it uses for both management
and tunneling. Also remember that no trunk link is needed because all of the VLANs it
supports are encapsulated and tunneled as Layer 3 IP packets, not as Layer 2 frames.
Each AP has a control and a data tunnel back to the centralized WLC. For example:
AP1 to WLC – 1st CAPWAP tunnel
AP2 to WLC – 2nd CAPWAP tunnel
AP3 to WLC – 3rd CAPWAP tunnel, and so on.
As the wireless network grows, the WLC simply builds more CAPWAP tunnels to reach more
APs. SSID 100 can exist on every AP, and VLAN 100 can reach every AP through the network
of tunnels.
24.2.4 WLC functions
Following are some of the important functions of a Cisco Wireless LAN Controller:
• Dynamic channel assignment
• Transmit power optimization
• Self-healing wireless coverage
• Dynamic client load balancing
• Security management
Dynamic channel assignment:
Based on other active access points in the area, the WLC can automatically choose and
configure the RF channel used by each AP.
Transmit power optimization:
The WLC can automatically set the transmit power of each AP based on the coverage area
needed.
Self-healing wireless coverage:
If the radio of one AP dies, the coverage gap can be cured by automatically turning up the
transmit power of the surrounding APs.

Dynamic client load balancing:
To distribute the client load across the APs when two or more APs are used to cover the
same geographic area, the WLC can associate clients with the least-used AP.
Security management:
It can authenticate clients against a central service like an AAA server and can require
wireless clients to obtain an IP address from a trusted DHCP server before allowing them to
access the wireless network.
24.2.5 WLC deployment models
Where should you put the WLC? The split-MAC concept can be applied to several different
network architectures. Each architecture places the WLC in a different location in the
network. It is also a choice that affects how many WLCs might be needed to support the
number of APs required.
Possible positioning scenarios:
• Unified or centralized WLC deployment
• Cloud-based WLC deployment
• Embedded WLC deployment
• Cisco Mobility Express WLC deployment
1. Unified or centralized WLC deployment
Locate the WLC in a central location. By using this approach, you can maximize the number
of APs joined to it. This is usually called a unified or centralized WLC deployment. A
centralized WLC also provides a convenient place to enforce security policies that affect all
wireless users. Typical unified WLCs can support a maximum of 6000 APs.

2. Cloud-based WLC deployment


In a cloud-based WLC deployment, the WLC exists as a virtual machine rather than a
physical device, inside a data center in a private cloud. Such a controller can typically
support up to 3000 APs. If your network grows beyond that, additional WLCs can be added
as more virtual machines.

3. Embedded WLC deployment

In an embedded WLC deployment, no separate hardware is required to work as a WLC.
Some Cisco switches support the embedded functionality of a wireless LAN controller; that
is, the controller is embedded within the switching hardware. In that case, you just
need separate licenses for the WLC. For small campuses or distributed branch locations,
where the number of APs is small, it is an ideal solution. Typical Cisco embedded WLCs can
support up to 200 APs.
The APs do not necessarily have to be connected to the switches that host the WLC; APs
connected to other switches in other locations can join the embedded WLC too. As the
number of APs grows, additional WLCs can be added by embedding them in other switch
stacks at the site.

4. Cisco Mobility Express WLC deployment


In small networks, you might not want to invest in WLCs at all. In such cases, the WLC
function can be co-located with an AP that is installed at the branch site. This is known as a
Cisco Mobility Express WLC deployment. The AP that hosts the WLC forms a CAPWAP tunnel
with the WLC (the AP itself), along with any other APs at the same location. A Mobility
Express WLC can support up to 100 APs.

Summary of WLC Deployment Models

Deployment Model | WLC Location | APs Supported | Clients Supported | Typical Use
---------------- | ------------ | ------------- | ----------------- | -----------
Unified | Central | 6000 | 64000 | Large Enterprise
Cloud | Data Center | 3000 | 32000 | Private Cloud
Embedded | Switch | 200 | 4000 | Small Campus
Mobility Express | AP | 100 | 2000 | Branch Location
Autonomous | N/A | N/A | N/A | N/A

24.2.6 Cisco AP modes

Cisco APs can operate in either autonomous or lightweight mode. It depends on which code
image is loaded and run. But using a WLC, a lightweight AP (LAP) can be configured to be
operated in one of the following special-purpose modes:
• Local
• FlexConnect
• Rogue detector
• Bridge

Local:
This mode is the default mode on all Cisco APs. If not configured in any other mode, an
AP operates in this mode. It offers one or more functioning BSSs on a specific
channel.
FlexConnect:
An AP at a remote site can locally switch traffic between an SSID and a VLAN if its CAPWAP
tunnel to the WLC is down and if it is configured to do so.
Rogue detector:
An AP dedicates itself to detecting rogue devices by correlating MAC addresses heard on the
wired network with those heard over the air. Rogue devices are those that appear on both
networks.
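The correlation a rogue detector performs can be reproduced from data you already have: the switch MAC address table on one side and the MAC addresses an AP's radio has heard on the other. The Python script below is an added example, not Cisco's implementation; the MAC table text and the over-the-air MAC list are constructed samples, and the `show mac address-table` column layout it parses is assumed.

```python
"""Rogue-on-wire correlation (added example, not from the notes).

A rogue detector AP flags devices whose MAC address is heard both on the wired
network and over the air. This reproduces that logic on constructed inputs:
a snippet in the style of Cisco `show mac address-table` output (dotted MAC
notation, assumed column layout) and a list of MACs heard by the AP's radio.
"""
from __future__ import annotations

import re

# Constructed sample of switch MAC table output (VLAN, MAC, type, port).
WIRED_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/3
  10    aabb.ccdd.eeff    DYNAMIC     Gi1/0/7
  20    0a1b.2c3d.4e5f    DYNAMIC     Gi1/0/12
  20    0050.56a1.0001    DYNAMIC     Gi1/0/24
"""

# Constructed sample of MACs heard over the air, in the mixed formats tools emit.
OVER_THE_AIR_MACS = [
    "AA:BB:CC:DD:EE:FF",  # unknown BSSID that is also on a wired port: rogue on wire
    "0a-1b-2c-3d-4e-5f",  # client MAC also seen on the wire: rogue (possible bridge)
    "de:ad:be:ef:00:01",  # neighbour's AP, never seen on our wire: external, not rogue
]

# Matches "<vlan> <xxxx.xxxx.xxxx> <type> <port>" rows; header lines do not match.
MAC_ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I
)


def normalize_mac(mac: str) -> str:
    """Canonical lowercase 12-hex-digit form for colon, dash or dotted notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


def parse_mac_table(text: str) -> dict[str, tuple[int, str]]:
    """Map normalised MAC -> (vlan, port) from MAC-table style output."""
    table: dict[str, tuple[int, str]] = {}
    for line in text.splitlines():
        m = MAC_ROW_RE.match(line)
        if m:
            vlan, mac, port = m.groups()
            table[normalize_mac(mac)] = (int(vlan), port)
    return table


def find_rogues_on_wire(wired_table: dict[str, tuple[int, str]],
                        air_macs: list[str]) -> list[dict]:
    """MACs seen both over the air and on the wired network, with their wired location."""
    rogues = []
    for mac in air_macs:
        key = normalize_mac(mac)
        if key in wired_table:
            vlan, port = wired_table[key]
            rogues.append({"mac": key, "vlan": vlan, "port": port})
    return rogues


if __name__ == "__main__":
    wired = parse_mac_table(WIRED_MAC_TABLE)
    for r in find_rogues_on_wire(wired, OVER_THE_AIR_MACS):
        print(f"rogue on wire: {r['mac']} VLAN {r['vlan']} port {r['port']}")
```

The port in each finding is where a defender would look first: it tells you which switch port the rogue device is plugged into.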
Bridge:
An AP becomes a dedicated bridge (point-to-point or point-to-multipoint) between two
networks. Two APs in bridge mode can be used to link two locations separated by a
distance. Multiple APs in bridge mode can form an indoor or outdoor mesh network.
Note:

Remember that a lightweight AP is normally in local mode when it is providing BSSs and
allowing client devices to associate to wireless LANs. When an AP is configured to operate in
one of the other modes, local mode (and the BSSs) is disabled. Other modes will be
activated (according to configuration) along with the ESS.

24.3 Building a wireless LAN

The summary so far:
• The AP maps each VLAN to a WLAN and BSS.
• The autonomous AP has a single Ethernet interface and uses a trunk link to
connect to the switched network and carry multiple VLANs.
• A lightweight AP also has a single Ethernet interface, and to be fully functional it
must be connected to a WLC.
• VLANs that terminate at the WLC are mapped to WLANs that emerge at the AP.
• The multiple VLANs extended from the WLC to the lightweight AP are all carried
over the CAPWAP tunnels.
• That means the AP does not need a trunk link, but an access link, to connect to
the switched network.

24.3.1 Connecting a Cisco AP

Connecting and configuring an AP:

You can connect a serial console cable from your PC to the console port on the AP to
configure and manage Cisco APs. Once the AP is operational and has an IP address, you can
also use Telnet or SSH to connect to its CLI over the wired network.

Autonomous APs support browser-based management sessions via HTTP and HTTPS.
Lightweight APs can also be managed from a browser session on the WLC.
Connecting and configuring a WLC:
To connect and configure a WLC, you will need to open a web browser to the WLC's
management address. This can be done only after the WLC has an initial configuration and a
management IP address assigned to its management interface.
The web-based GUI provides an effective way to monitor, configure, and troubleshoot a
wireless network. You can also connect to a WLC with an SSH session, where you can use its
CLI to monitor, configure, and debug activity.
But Cisco expects you to configure the WLC by using the GUI.
24.3.2 Accessing a Cisco WLC

When you are logged in, the WLC will display a monitoring dashboard. Click on the
“Advanced” link in the upper-right corner to make further configurations.
This will bring up the full WLC GUI.

You can select categories of functions from the following:


- Monitor
- WLANs
- Controller
- Wireless
- Security, and so on.

24.3.3 Types of ports & interfaces

Cisco wireless controllers differ from other devices like switches and routers in how the
terms port and interface are used. In a WLC, ports and interfaces refer to different concepts.
Ports – are physical connections made to an external wired or switched network.
Interfaces – are logical connections made internally within the controller.
Ports: (External)
- Service Port: for out-of-band management traffic
- Distribution System Port: to connect to the switched network
- Console Port: for physical access
- Redundancy Port: to connect another WLC
Interfaces: (Internal)
- Management Interface: to support CAPWAP tunnel traffic
- Redundancy Management Interface: for another WLC
- Virtual Interface: to support client requests like DHCP & AAA
- Service Port Interface: to support out-of-band management traffic
- Dynamic Interface: used to connect a VLAN to a WLAN.

24.3.4 Connecting a Cisco WLC

Connecting a Cisco WLC – distribution ports

Controllers have multiple distribution system ports that you must connect to the network.
These ports can operate independently, each one transporting multiple VLANs to a unique
group of internal controller interfaces.

The CAPWAP tunnels that extend to a controller's APs also pass through the distribution
system ports. Client data also passes from wireless LANs to wired VLANs over these ports.

In-band management traffic using a web browser, SSH, Simple Network Management
Protocol (SNMP), Trivial File Transfer Protocol (TFTP), etc. reaches the controller using these
ports.

Distribution system ports can be configured in redundant pairs. One port is primarily used; if
it fails, a backup port is used.

Remember that even though the LAG (link aggregation) acts as a traditional EtherChannel,
Cisco WLCs do not support any link aggregation negotiation protocol, like LACP or PAgP.
Therefore, you must configure the switch ports as an unconditional (always-on)
EtherChannel.
Connecting a Cisco WLC – service port

Controllers can have a single service port that must be connected to a switched network.
The service port is assigned to a management VLAN so that you can access the controller
with SSH or a web browser to perform initial configuration or for maintenance.

Remember that the service port supports only a single VLAN, so the corresponding switch
port must be configured for access mode only.
24.3.5 Using WLC interfaces
As we know, a controller can connect to multiple VLANs on the switched network using its distribution system ports. The controller must then somehow map those external wired VLANs to equivalent internal logical wireless networks. In other words, the WLC must know how many VLANs exist in the network, and which ones, so that it can provide wireless connectivity to each of them.

For example, suppose VLAN 20 is set aside for wireless users in the “Training” division of a company. That VLAN must be connected to a unique wireless LAN that exists on a controller and its associated APs. The wireless LAN must then be extended to every client that associates with the Service Set Identifier (SSID) “Training.”
Cisco wireless controllers provide the necessary connectivity through internal logical interfaces, each of which must be configured with an IP address, subnet mask, default gateway, and a Dynamic Host Configuration Protocol (DHCP) server address.
Each interface is then assigned to a physical port and a VLAN ID.


Cisco controllers support the following interface types:

- Management Interface
- Redundancy Management
- Virtual Interface
- Service Port Interface
- Dynamic Interface
Management Interface:
Used for normal management traffic, such as:
- RADIUS
- Web-based/SSH sessions
- SNMP/NTP/Syslog, etc.
Redundancy Management:
The management IP address of a redundant WLC that is part of a high availability pair of
controllers. The active WLC uses the management interface address, while the standby WLC
uses the redundancy management address.
Virtual Interface:
IP address facing wireless clients when the controller is:
- Relaying client DHCP requests
- Performing client web authentication, and
- Supporting client mobility.
Service Port Interface:
Bound to the service port and used for out-of-band management.
Dynamic interface:
Used to connect a VLAN to a WLAN.


24.3.6 WLAN configuration


As we have studied so far, a wireless LAN controller and an access point work together to provide network connectivity to wireless clients. From a wireless perspective, the AP advertises a Service Set Identifier (SSID) for the client to join. From a wired perspective, the controller connects to a virtual LAN (VLAN) through one of its dynamic interfaces. So, to complete the path between the SSID and the VLAN, you must first define a WLAN on the controller.
[Two of the CCNA exam objectives involve configuring a WLAN for client connectivity with WPA2 and a PSK using only the controller GUI.]

The controller binds each WLAN to one of its dynamic interfaces and, by default, pushes the WLAN configuration out to all of its APs. Wireless clients then learn about the new WLAN by receiving its beacons and can probe and join the new BSS.
Similar to the concept of VLANs, you can use WLANs to separate wireless users and their traffic into logical networks. Users associated with one WLAN cannot cross over into another one unless their traffic is bridged or routed from one VLAN to another through the wired network infrastructure.
But don’t be tempted to create a new WLAN for every occasion, just to keep groups of users isolated from each other or to support different types of devices. It is usually wise to plan your wireless network first.
Let’s discuss two limitations here:
- Cisco controllers support a maximum of 512 WLANs, but only 16 of them can be actively configured on an AP.
- Advertising each WLAN to wireless clients uses airtime.

Every AP broadcasts beacon management frames at regular intervals to advertise the existence of a BSS. Because each WLAN is bound to a BSS, each WLAN must be advertised with its own beacons. Beacons are normally sent 10 times per second.

If you create too many WLANs, a channel can be starved of any usable airtime and the
clients will have a hard time transmitting their own data because the channel is overly busy
with beacon transmissions coming from the AP.

So, it’s better to limit the number of WLANs to five or fewer; three or fewer is best. Remember that by default, no WLANs are defined on a controller.
Before you create a new WLAN, think about the following parameters it will need:
- SSID string
- Controller interface and VLAN number
- Type of wireless security needed


First you will create the appropriate dynamic controller interface to support the new WLAN;
then you will enter the necessary WLAN parameters. Each configuration step is performed
using a web browser session that is connected to the WLC’s management IP address.
WLAN configuration steps
Step 1. Configure a RADIUS Server
Step 2. Create a Dynamic Interface
Step 3. Create a New WLAN
Step 4. Configure WLAN Security
Step 5. Configure WLAN QoS
Step 6. Configure Advanced WLAN Settings
Step 1. Configure a RADIUS Server
Security > AAA > RADIUS > Authentication
• Click New to create a new server.
• Next, enter the server’s IP address, shared secret key, and port number.
• Be sure to set the server status to enable so that the controller can begin using it.
• Click Apply to complete the server configuration.
Step 2. Create a Dynamic Interface
Controller > Interfaces > New
• Next, enter the IP address, subnet mask, and gateway address for the interface.
• You should also define DHCP server addresses that the controller will use when it
relays DHCP requests from clients that are bound to the interface.
• Click the Apply button to complete the interface configuration and return to the list
of interfaces.
Step 3. Create a New WLAN
Create a New WLAN – WLAN ID
Each WLAN is identified by an ID number. The ID number is useful when you use templates for automated configuration of multiple controllers simultaneously.
• Click the Apply button to create the new WLAN.
Create a New WLAN – radio selection
You can control whether the WLAN is enabled or disabled with the Status check box.
By default, the WLAN will be offered on all radios that are joined with the controller.


You can select a more specific policy with 802.11a only, 802.11a/g only, 802.11g only, or
802.11b/g only. For example, if you are creating a new WLAN for devices that have only a
2.4-GHz radio, it probably does not make sense to advertise the WLAN on both 2.4- and 5-
GHz AP radios.
Create a New WLAN – hiding SSID
Use the Broadcast SSID check box to select whether the APs should broadcast the SSID name in the beacons they transmit. Broadcasting SSIDs is convenient for users because their devices can learn and display the SSID names automatically. Most devices need the SSID in the beacons to understand that the AP is still available for that SSID. Hiding the SSID offers no notable security benefit; it only prevents user devices from discovering an SSID and trying to use it as a default network.
Step 4. Configuring WLAN Security
Use the Security tab to configure the security settings. The Layer 2 Security tab is selected by default. From there, select the appropriate security scheme to use.
Step 5. Configuring WLAN QoS
By default, the controller considers all frames in the WLAN to be normal data and handles them in a “best effort” way. This setting can be changed to one of the following QoS levels:
- Platinum (voice)
- Gold (video)
- Silver (best effort)
- Bronze (background)
Step 6. Configuring Advanced WLAN Settings
- Coverage hole detection
- Peer-to-peer blocking
- Client exclusion and client load limits, etc.
Note that, by default, a controller will not allow management traffic that is initiated from a
WLAN. That means you cannot access the controller GUI or CLI from a wireless device that is
associated with the WLAN. Instead, you can access the controller through its wired
interfaces.
Finalizing WLAN Configuration
When you are satisfied with the settings in each of the WLAN configuration tabs, click the
Apply button in the upper-right corner of the WLAN Edit screen. The WLAN will be created
and added to the controller configuration.


24.4 Securing wireless networks


As long as all clients and APs conform to the 802.11 standard, they can all coexist on the same channel. But not every 802.11 device is friendly and trustworthy. The convenience of wireless communication makes it easy for transmissions to be overheard and exploited by malicious users.

If data is sent through open space, how can it be secured so that it stays private and intact?
The 802.11 standard offers a framework of wireless security mechanisms that can be used
to add trust, privacy, and integrity to a wireless network.
24.4.1 Authentication
Some common attacks focus on a malicious user pretending to be an AP. The fake AP can
send beacons, answer probes, and associate clients just like the real AP it is impersonating.
Once a client associates with the fake AP, the attacker can easily intercept all
communication to and from the client from its central position.

To prevent this type of man-in-the-middle attack, the client should authenticate the AP
before the client itself is authenticated.
Rogue clients – Unknown devices that happen to be within range of your network.
Potential clients must identify themselves by presenting some form of credentials to the
APs. Following figure shows the basic client authentication process.

24.4.2 Encryption
The client’s relationship with the AP might become much more trusted, but data passing to
and from the client is still available to eavesdroppers on the same channel.
To protect data privacy on a wireless network, the data should be encrypted for its journey
through free space.
This is accomplished by encrypting the data payload in each wireless frame just prior to
being transmitted, then decrypting it as it is received.


Message Integrity
The intended recipient should be able to decrypt the message and recover the original
contents, but what if someone managed to alter the contents along the way?
A message integrity check (MIC) is a security tool that can protect against data tampering.
It is like a secret stamp inside the encrypted data frame. The stamp is based on the contents
of the data bits to be transmitted. Once the recipient decrypts the frame, it can compare the
secret stamp to its own idea of what the stamp should be, based on the data bits that were
received. If the two stamps are identical, the recipient can safely assume that the data has
not been tampered with.
Following figure shows the MIC process:

24.4.3 Authentication methods


The original 802.11 standard offered only two choices to authenticate a client:
1. Open Authentication, and
2. WEP – Wired Equivalent Privacy
Open Authentication
Open authentication, as its name suggests, offers open access to a WLAN.
The only requirement is that a client must send an 802.11 authentication request before it attempts to associate with an AP. No other credentials are needed.
The whole purpose of open authentication is to validate that a client is a valid 802.11 device by authenticating the wireless hardware and the protocol. Authenticating the user’s identity, as a true security process, is handled through other means.
You have probably seen a WLAN with open authentication when visiting a public location such as a hotel or restaurant.


If any client screening is used at all, it comes in the form of web authentication. A client can
associate right away but must open a web browser to see and accept the terms for use and
enter basic credentials. From that point, network access is opened up for the client.

Client operating systems usually flag such networks to warn you that your wireless data will not be secured if you join.
Wired Equivalent Privacy – WEP
WEP uses the RC4 cipher algorithm. The same algorithm encrypts data at the sender and decrypts it at the receiver. The algorithm uses a string of bits as a key, commonly called a WEP key, to derive other encryption keys – one per wireless frame.
WEP is known as a shared-key security method. A client can associate with an AP only if it has the correct WEP key. WEP keys can be either 40 or 104 bits long, represented by a string of 10 or 26 hex digits. WEP was defined in the original 802.11 standard in 1999. In 2001, a number of weaknesses were discovered and revealed, so work began to find better wireless security methods.

Both WEP encryption and WEP shared-key authentication are weak methods for securing a wireless LAN. As a result, by 2004, WEP was officially deprecated.
802.1x/EAP – Extensible Authentication Protocol
As its name implies, EAP is extensible (designed to allow the addition of new capabilities and functionality) and does not consist of any one particular authentication method.
Instead, EAP defines a set of common functions that actual authentication methods can use to authenticate users. Each method is unique and different, but each one follows the EAP framework.
EAP has another interesting quality:
A wireless client might be able to associate with an AP but will not be able to pass data to any other part of the network until it successfully authenticates.
EAP requires an AAA server to function.
The following figure shows the three-step 802.1x process involving the AAA server:


With open and WEP authentication, wireless clients are authenticated locally at the AP
without further intervention. But with 802.1x; the client uses open authentication to
associate with the AP, and then the actual client authentication process occurs at an
authentication server.
Supplicant:
The client device that is requesting access.
Authenticator:
The network device that provides access to the network (usually a wireless LAN controller [WLC]).
Authentication Server (AS):
The device that holds the pre-configured database of user credentials and permits or denies network access based on that database. This device is usually a RADIUS server.
The wireless LAN controller acts as a middleman in the authentication process between the client and the AAA server. When you configure user authentication on a wireless LAN, you do not have to select a specific EAP method. Instead, you select 802.1x on the WLC, which can then carry any one or more of the EAP methods. It is up to the client and the authentication server to agree on a compatible method.
Following are some of the EAP-based authentication methods:
- LEAP – Lightweight Extensible Authentication Protocol
- EAP-FAST – EAP Flexible Authentication by Secure Tunnelling
- PEAP – Protected EAP
- EAP-TLS – EAP Transport Layer Security
Lightweight Extensible Authentication Protocol – LEAP
LEAP is a Cisco-proprietary wireless authentication method. It was developed as an early improvement to the weaker WEP method. Instead of a static key, LEAP attempted to overcome WEP’s weaknesses by using dynamic WEP keys that changed frequently. Even though wireless clients and controllers still offer LEAP, you should not use it.
EAP Flexible Authentication by Secure Tunnelling – EAP-FAST
A more secure method developed by Cisco.

In this method, authentication credentials are protected by using a protected access credential (PAC) between the AS and the supplicant. The PAC is a form of shared secret that is generated by the AS and used for mutual authentication.
EAP-FAST is a process of three phases:
Phase 0: The PAC is generated and installed on the client.


Phase 1: After the supplicant and AS have authenticated each other, they negotiate a
Transport Layer Security (TLS) tunnel.
Phase 2: The end user can then be authenticated through the TLS tunnel for additional
security.
Protected EAP – PEAP
The AS presents a digital certificate to the supplicant for authentication.
Once the identity of the supplicant is approved by the AS, the two build a TLS tunnel to be used for the client authentication and encryption key exchange. The digital certificate of the AS consists of data in a standard format that identifies the owner and is signed/validated by a third party. The third party is known as a certificate authority (CA) and is known and trusted by both the AS and the supplicants.
Note: In PEAP, a digital certificate is used only on the AS.
EAP transport layer security – EAP TLS
In PEAP, it is easy to install a certificate on a single server, but the clients are left to identify themselves through other means. EAP Transport Layer Security (EAP-TLS) goes one step further by requiring certificates on the AS and on every client device.
It is considered to be the most secure wireless authentication method available; however, implementing it can be complex.
24.4.4 Encryption methods
Wireless Privacy and Integrity Methods
We have discussed various authentication methods so far. Now comes the encryption part. Since WEP has been compromised and deprecated, what other options are available to encrypt data and protect its integrity through free space?
Wireless Privacy and Integrity Protocols
Following are the protocols used in the various encryption methods:
- TKIP – Temporal Key Integrity Protocol
- CCMP – Counter/CBC-MAC Protocol
- GCMP – Galois/Counter Mode Protocol
Temporal Key Integrity Protocol – TKIP
TKIP is used in WPA wireless certifications.
TKIP adds the following security features using legacy hardware and the underlying WEP
encryption:


- MIC: the message integrity check discussed in the Message Integrity section above.
- Time stamp: to prevent replay attacks that attempt to reuse or replay frames that have already been sent.
- Sender’s MAC address: the MIC also includes the sender’s MAC address as evidence of the frame source.
- TKIP sequence counter: provides a record of frames sent by a unique MAC address, to prevent frames from being replayed as an attack.
TKIP was deprecated in the 802.11-2012 standard.
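The Message Integrity section above describes the MIC as a “secret stamp” that the receiver recomputes, and the TKIP list just given adds the sender’s MAC address and a sequence counter to stop replays. The following Python example, added here and not part of the original notes, shows both checks working together on a simplified frame: the stamp is computed over sender MAC, sequence counter and payload, a flipped payload bit is rejected, and an exact copy of an already-accepted frame is rejected as a replay. HMAC-SHA256 stands in for the actual 802.11 MIC algorithms (Michael in TKIP, CBC-MAC in CCMP); the key, MAC address and frame layout are constructed for the example.

```python
import hmac
import hashlib
import struct

# Constructed per-link MIC key. On a real WLAN this key is derived during the
# client's key handshake; the value here is only a stand-in for the example.
MIC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Frame layout used by this example (constructed, not the real 802.11 header):
#   6-byte sender MAC | 8-byte sequence counter | payload | 8-byte MIC
MAC_LEN, SEQ_LEN, MIC_LEN = 6, 8, 8


def compute_mic(key: bytes, src_mac: bytes, seq: int, payload: bytes) -> bytes:
    """Return a 64-bit MIC ("secret stamp") over sender MAC, sequence and payload.

    HMAC-SHA256 stands in for the 802.11 MIC algorithms (Michael in TKIP,
    CBC-MAC in CCMP). The property is the same: the stamp depends on every
    protected bit and on a secret key, so an eavesdropper cannot forge it.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(src_mac)
    mac.update(struct.pack(">Q", seq))
    mac.update(payload)
    return mac.digest()[:MIC_LEN]


def build_frame(key: bytes, src_mac: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: append the MIC so the receiver can check integrity."""
    return src_mac + struct.pack(">Q", seq) + payload + compute_mic(key, src_mac, seq, payload)


class Receiver:
    """Verifies the MIC and enforces a strictly increasing counter per sender."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # sender MAC -> highest sequence number accepted

    def accept(self, frame: bytes):
        """Return (accepted, payload_or_reason)."""
        if len(frame) < MAC_LEN + SEQ_LEN + MIC_LEN:
            return False, "frame too short"
        src_mac = frame[:MAC_LEN]
        (seq,) = struct.unpack(">Q", frame[MAC_LEN:MAC_LEN + SEQ_LEN])
        payload, mic = frame[MAC_LEN + SEQ_LEN:-MIC_LEN], frame[-MIC_LEN:]
        expected = compute_mic(self.key, src_mac, seq, payload)
        # The receiver recomputes the stamp from the received bits and compares
        # it (in constant time) with the stamp carried in the frame.
        if not hmac.compare_digest(mic, expected):
            return False, "MIC mismatch: payload altered or wrong key"
        # Replay protection: a counter that does not advance means the frame
        # was captured earlier and injected again.
        if seq <= self.last_seq.get(src_mac, -1):
            return False, "replay: sequence counter did not increase"
        self.last_seq[src_mac] = seq
        return True, payload


def demo() -> dict:
    """Run the four cases a practitioner cares about and return the verdicts."""
    client = bytes.fromhex("020000000001")  # constructed client MAC
    rx = Receiver(MIC_KEY)
    first = build_frame(MIC_KEY, client, 1, b"GET /index.html")
    verdicts = {"valid": rx.accept(first)[0]}
    # Flip one payload bit in transit: the recomputed MIC no longer matches.
    tampered = bytearray(first)
    tampered[MAC_LEN + SEQ_LEN] ^= 0x01
    verdicts["tampered"] = rx.accept(bytes(tampered))[0]
    # Inject an exact copy of an already-accepted frame: rejected as a replay.
    verdicts["replayed"] = rx.accept(first)[0]
    # The sender's next frame, with a higher counter, is accepted normally.
    verdicts["next"] = rx.accept(build_frame(MIC_KEY, client, 2, b"POST /login"))[0]
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Note that the replay check only works because the counter is covered by the MIC: without that, an attacker could simply bump the counter on a captured frame. The same pairing (integrity tag plus a protected packet number) is what CCMP and GCMP provide in WPA2 and WPA3.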
Counter/CBC-MAC Protocol – CCMP
A more secure method than TKIP.
CCMP consists of two algorithms:
- AES counter mode encryption
- Cipher Block Chaining Message Authentication Code (CBC-MAC) used as a message
integrity check (MIC)
CCMP is used in WPA2 (described in later pages).

The Advanced Encryption Standard (AES) is the current encryption algorithm adopted by the U.S. National Institute of Standards and Technology (NIST) and the U.S. government, and is widely used around the world. AES is open, publicly accessible, and represents the most secure encryption method available today.
If CCMP is to be used to secure a wireless network, the client devices and APs must support AES counter mode and CBC-MAC in hardware, because CCMP cannot be used on legacy devices that support only WEP or TKIP.
How can you know whether a device supports CCMP? Look for the WPA2 designation, which is described in the following section.
Galois/Counter Mode Protocol – GCMP
A more efficient method than CCMP.
GCMP consists of two algorithms:
- AES counter mode encryption
- Galois Message Authentication Code (GMAC) used as a message integrity check
GCMP is used in WPA3, which is described in the following section.
24.4.5 WPA protocols & versions
WPA, WPA2, and WPA3


The Wi-Fi Alliance (http://wi-fi.org), a nonprofit wireless industry association, has worked out wireless security mechanisms, including message integrity, through its Wi-Fi Protected Access (WPA) industry certifications.
To date, there are three different versions:
- WPA (TKIP)
- WPA2 (CCMP) and
- WPA3 (GCMP)
As long as the Wi-Fi Alliance certifies a wireless client device, an AP and its associated WLC for the same WPA version, all three devices should be compatible with each other and should offer the same security components.
WPA2 replaced WPA and used the superior AES CCMP algorithms rather than the deprecated TKIP used in WPA. (Note that it is called WPA, not WPA1.)
In 2018, WPA Version 3 (WPA3) was introduced as a future replacement for WPA2. WPA3 uses stronger encryption with AES and the Galois/Counter Mode Protocol (GCMP).

Each successive version is meant to replace prior versions by offering better security
features.
Summary of all authentication and encryption methods:

| Authentication & Encryption Support   | WPA | WPA2 | WPA3 |
|---------------------------------------|-----|------|------|
| Authentication with Pre-Shared Keys?  | Yes | Yes  | Yes  |
| Authentication with 802.1x?           | Yes | Yes  | Yes  |
| Encryption & MIC with TKIP?           | Yes | No   | No   |
| Encryption & MIC with AES & CCMP?     | Yes | Yes  | No   |
| Encryption & MIC with AES & GCMP?     | No  | No   | Yes  |

24.4.6 Security types


Personal & enterprise modes of WPA versions
All three WPA versions support two client authentication modes:
- A pre-shared key (PSK) [Personal mode – preferred for smaller networks]
- 802.1x [Enterprise mode – recommended for enterprise networks]
The choice depends on the size of the network. These are also known as personal mode and enterprise mode, respectively.


25. Cisco security


25.1 Security fundamentals
Why is security such a big concern?
In modern networks, security must be implemented in depth. The reason is simple:
- Networks can be compromised from outside the network, i.e. from the WAN side.

- A disgruntled internal employee can also cause serious damage to network resources and reachability. This means networks can be broken into from inside the network (the LAN side) as well as from outside (the WAN side).
So, security must be implemented at every part of the network.
Major concerns and what should be done!
The security architecture of a network should use:
- Firewalls and intrusion prevention systems (IPS) at the network boundaries
- Antivirus and antimalware tools on hosts
- Routers (at the edge between LAN & WAN) with access lists to filter packets
- LAN tools like port security, DHCP snooping and Dynamic ARP Inspection
Additionally, an infected removable device (such as an external HDD or a USB pen drive) can become a security threat if connected to the internal network.
A typical enterprise network

Why is it hard to maintain network security?

Remember that no enterprise uses a limited, closed environment where it relies only on its private network and internal users. An enterprise network will need to be connected to the public Internet and maybe to some of its corporate partners.


Sometimes it also needs to allow its workers to carry laptops and smartphones, and the enterprise might want to provide network access to occasional visiting guests. Additionally, the enterprise may provide wireless connectivity to its employees (and guests), offering wireless access to anyone within range.
So, you can see that as the network and its connectivity expand, the enterprise has more difficulty maintaining its network boundaries.
25.1.1 Common security terms
- Vulnerability
- Exploit
- Threat
Vulnerability
As you know, there is no door that can’t be penetrated. It means the hardest kind of security can be broken if you can find its weakness. In security terms, this weakness is called a vulnerability. In other words:
- anything that can be considered a weakness,
- that can be used to compromise the security of something else, such as the integrity of data or how a system performs,
is called a vulnerability.
Exploit

The tool used to break a system using a vulnerability is called an exploit, like a piece of wire used to open a lock. An exploit is effective only if it is used against the targeted weakness or vulnerability. Otherwise an exploit is of no use.
Threat

Technically speaking, an exploit such as the piece of wire is not effective at all by itself. Someone must use it to break the lock. Only then does an actual potential to break in, destroy and steal exist. This potential to break the system is known as a threat.

There are many different vulnerabilities and exploits, in systems, applications and so on, that can be leveraged by malicious users to become threats to an organization and its data.
Mitigation techniques

These are the techniques that can be used to prevent malicious activities and to protect the network from possible attacks.


25.1.2 Common security threats


Spoofing
Spoofing attacks usually take place by replacing expected values with spoofed (fake) values.
- Address spoofing – One address value is substituted for another. (like MAC address
and IP address)
Examples of spoofing attacks:
- DoS and DDoS
- Reflection and Amplification
- Man in the Middle
Remember that the attacker’s goal is to disguise his identity and fool other systems in a malicious way.
Denial-of-Service Attacks
When an attacker consumes all of a system’s resources, such as CPU and RAM, services and systems become unavailable or crash. This is called a denial-of-service (DoS) attack because it denies service to legitimate users. DoS attacks can involve something as simple as ICMP echo (ping) packets, or TCP connection attempts, as in a TCP SYN flood attack.
The DoS idea can be carried even further by using many other systems to participate. This is called a distributed denial-of-service (DDoS) attack because the attack is distributed across a large number of bots, all attacking the same target.
Reflection attacks
In spoofing and DoS attacks, a server is targeted with unwanted traffic. In a reflection attack, by contrast, a particular host is overwhelmed with unexpected traffic that appears to come from a trusted server. It is not trustworthy at all: the attacker sends requests to the server using the victim host’s address as a spoofed source address, which fools the server into sending its replies toward the host. The server in this case is known as a “reflector.” The impact of the attack can be increased by using multiple reflectors.


Amplification Attacks
The impact of a reflection attack is limited, because only a single host is the victim and the amount of traffic being reflected to the target is small. In amplification attacks, the effect of the attack is amplified by using some protocol or service to generate a large amount of traffic toward the target host.
As a result, large amounts of network bandwidth can be consumed forwarding the amplified traffic toward the target, especially if many reflectors are involved.
Man-in-the-Middle Attacks

A type of attack used to eavesdrop on data passing from one machine to another while avoiding detection.

The process shown in the above figure poisons the ARP table entry in any system that receives the spoofed ARP reply. From that point on, a poisoned system will blindly forward traffic to the attacker’s MAC address, which now represents the destination.

The attacker knows the real destination’s MAC address because he received an earlier ARP reply from the destination host. This process can be repeated to poison the ARP entries on multiple hosts and then forward traffic between them without detection.
Once an attacker is between two hosts, he can passively eavesdrop on and inspect all traffic passing between them. The attacker might also take an active role and modify the data passing through.
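The LAN mitigation for the ARP poisoning described above is Dynamic ARP Inspection, listed among the LAN tools in 25.1: the switch checks each ARP reply arriving on an untrusted port against the IP-to-MAC bindings learned by DHCP snooping. The following Python example, added here and not taken from the notes, mimics that binding check over a constructed table and a handful of constructed ARP replies, including the spoofed reply in which an attacker’s MAC claims the gateway’s IP address. The port names, addresses and the “trusted uplink” rule are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed DHCP snooping binding table: IP -> (MAC, access port).
# Dynamic ARP Inspection (DAI) trusts only bindings learned from DHCP
# or configured statically; ARP replies on untrusted ports are checked.
BINDINGS = {
    "10.1.1.1":  ("00:11:22:33:44:01", "Gi1/0/1"),   # default gateway
    "10.1.1.10": ("00:11:22:33:44:10", "Gi1/0/10"),
    "10.1.1.20": ("00:11:22:33:44:20", "Gi1/0/20"),
}

# Constructed: the uplink toward the router/DHCP server is marked trusted,
# so ARP traffic arriving there is forwarded without inspection.
TRUSTED_PORTS = {"Gi1/0/48"}


@dataclass(frozen=True)
class ArpReply:
    ingress_port: str
    sender_ip: str
    sender_mac: str
    target_ip: str


def inspect_arp(reply: ArpReply, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return (permit, reason) for one ARP reply, mirroring the DAI binding check."""
    if reply.ingress_port in trusted:
        return True, "trusted port, not inspected"
    binding = bindings.get(reply.sender_ip)
    if binding is None:
        return False, f"no binding for {reply.sender_ip}"
    bound_mac, bound_port = binding
    if reply.sender_mac.lower() != bound_mac.lower():
        # The poisoned reply of a man-in-the-middle attempt: the sender claims
        # an IP address that the binding table ties to a different MAC.
        return False, f"{reply.sender_ip} is bound to {bound_mac}, not {reply.sender_mac}"
    if reply.ingress_port != bound_port:
        return False, f"{reply.sender_ip} is bound to {bound_port}, arrived on {reply.ingress_port}"
    return True, "matches binding"


# Constructed sample of ARP replies seen by the switch.
SAMPLE_REPLIES = [
    ArpReply("Gi1/0/10", "10.1.1.10", "00:11:22:33:44:10", "10.1.1.1"),   # legitimate host
    ArpReply("Gi1/0/30", "10.1.1.1", "00:aa:bb:cc:dd:ee", "10.1.1.10"),   # spoofed: claims to be the gateway
    ArpReply("Gi1/0/31", "10.1.1.99", "00:11:22:33:44:99", "10.1.1.10"),  # address with no DHCP lease
    ArpReply("Gi1/0/30", "10.1.1.20", "00:11:22:33:44:20", "10.1.1.1"),   # right MAC, wrong port
    ArpReply("Gi1/0/48", "10.1.1.1", "00:11:22:33:44:01", "10.1.1.10"),   # gateway via trusted uplink
]


def run_inspection(replies=SAMPLE_REPLIES):
    """Return the (permit, reason) verdict for each sample reply."""
    return [inspect_arp(r) for r in replies]


if __name__ == "__main__":
    for reply, (permit, reason) in zip(SAMPLE_REPLIES, run_inspection()):
        print("PERMIT" if permit else "DENY  ", reply.ingress_port, reply.sender_ip, "-", reason)
```

The second reply is the one that would poison the ARP tables in the figure above; because the binding table says 10.1.1.1 belongs to a different MAC on a different port, the switch drops it before any host sees it. The same logic also catches a host that moved ports without a new lease, which is why DAI deployments must mark the DHCP server’s uplink as trusted.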


A summary of spoofing attacks:

| Purpose                                | DoS/DDoS | Reflection | Amplification | Man in the Middle |
|----------------------------------------|----------|------------|---------------|-------------------|
| Crash the target                       | Yes      | No         | No            | No                |
| Trick a host to send traffic to target | No       | Yes        | Yes           | No                |
| Traffic eavesdropping                  | No       | No         | No            | Yes               |
| Traffic modification                   | No       | No         | No            | Yes               |

Reconnaissance Attacks
As they say: “It is always good to know the strengths and weaknesses of an enemy.”
• In terms of security, to make an attack focused and more effective, it is always better to get to know the details of a target.
• These details can reveal vulnerabilities that can be used to execute the attack.
• Such attacks are known as reconnaissance attacks.
This type of attack is used to discover details about the target and its systems before an actual attack.

If an attacker knows the domain name of a business, “nslookup” can reveal the owner of the domain and the IP address space registered to it.


The “whois” and “dig” commands are tools that can query DNS information to reveal
detailed information about domain owners, contact information, mail servers, authoritative
name servers, etc.

Then the attacker can progress to using ping sweeps to send pings to each IP address in the
target range. Hosts that answer the ping sweep then become live targets. Port scanning
tools can then sweep through a range of UDP and TCP ports to see if a target host answers
on any port numbers. Any replies indicate that a corresponding service is running on the
target host.
Keep in mind that a reconnaissance attack is not a true attack because nothing is exploited
as a result. It is used for gathering information about target systems and services so that
vulnerabilities can be discovered and exploited using other types of attacks.
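Because a ping sweep followed by a port scan leaves a very recognizable footprint, it is one of the easier reconnaissance activities to detect from firewall logs. The following Python example, added here and not part of the original notes, runs that detection over a few constructed log lines: one outside address probes six hosts with ICMP and then twelve ports on one host within a minute, while a normal client makes two connections. The log format, addresses (from the documentation ranges) and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log format used by this example:
#   <ISO timestamp> src=<ip> dst=<ip> proto=<icmp|tcp|udp> [dport=<n>] action=<permit|deny>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?"
)

# Constructed sample: one outside address pings six hosts in a row, then probes
# twelve ports on the host that answered, while a normal client does two things.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d} src=203.0.113.5 dst=10.1.1.{i} proto=icmp action=deny"
     for i in range(1, 7)]
    + [f"2024-05-01T10:01:{i:02d} src=203.0.113.5 dst=10.1.1.10 proto=tcp dport={p} action=deny"
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    + ["2024-05-01T10:02:00 src=198.51.100.7 dst=10.1.1.10 proto=tcp dport=443 action=permit",
       "2024-05-01T10:02:05 src=198.51.100.7 dst=10.1.1.10 proto=icmp action=permit"]
)


def parse(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["dport"] = int(e["dport"]) if e["dport"] else None
    return e


def distinct_in_window(seen, window: timedelta) -> int:
    """Largest number of distinct values observed within any interval of length `window`."""
    seen = sorted(seen)
    best = 0
    for i, (start, _) in enumerate(seen):
        values = {v for t, v in seen[i:] if t - start <= window}
        best = max(best, len(values))
    return best


def detect_recon(lines, window=timedelta(seconds=60), sweep_threshold=5, scan_threshold=10):
    """Return alerts for ping sweeps (many destinations) and port scans (many ports)."""
    events = [e for e in map(parse, lines) if e]
    icmp_targets = defaultdict(list)   # src -> [(ts, dst)]
    probed_ports = defaultdict(list)   # (src, dst) -> [(ts, dport)]
    for e in events:
        if e["proto"] == "icmp":
            icmp_targets[e["src"]].append((e["ts"], e["dst"]))
        elif e["dport"] is not None:
            probed_ports[(e["src"], e["dst"])].append((e["ts"], e["dport"]))
    alerts = []
    for src, seen in icmp_targets.items():
        if distinct_in_window(seen, window) >= sweep_threshold:
            alerts.append(("ping_sweep", src))
    for (src, dst), seen in probed_ports.items():
        if distinct_in_window(seen, window) >= scan_threshold:
            alerts.append(("port_scan", f"{src}->{dst}"))
    return alerts


if __name__ == "__main__":
    for kind, who in detect_recon(SAMPLE_LOG):
        print(f"ALERT {kind}: {who}")
```

Counting distinct destinations or ports inside a sliding window, rather than raw packet counts, is what separates a scan from a busy but legitimate client: the normal client here touches one port and one host and raises nothing. Denied packets are as useful as permitted ones for this purpose, which is one reason to log drops at the edge router or firewall.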
Buffer Overflow Attacks
Operating systems and applications normally read and write data in temporary memory spaces known as buffers. All processes work normally as long as the memory space is maintained properly and data is placed within the correct buffer locations.
If a buffer is filled beyond its limit, the incoming data might be stored in unexpected memory locations. An attacker can exploit this condition by sending data that is larger than expected. The target system might store that data, overflowing its buffer into another area of memory and eventually crashing a service or the entire system. The attacker might also craft the oversized message to contain malicious code. If the target system stores that data as a result of a buffer overflow, it might end up executing that code without realizing it.
Malware – Trojan horse
Some types of security threats come in the form of malicious software, or malware.
(Malicious + Software = Malware)

A “Trojan horse,” for example, is malicious software that is hidden and packaged inside other software that looks normal and legitimate. If a user decides to install the legitimate-looking software, the “Trojan horse” software is silently installed too.
The malware can then run attacks of its own on the local system or against other systems.

Trojan horse malware can spread from one computer to another only through user interaction such as:
- Opening email attachments
- Downloading software from the Internet, and
- Inserting a USB drive into a computer
Malware – virus
Viruses are malware that can propagate between systems more readily. However, a virus cannot spread by itself.


To spread, virus software must inject itself into another application and then rely on users to transport the infected application to other victims.
Malware – worm

There is another type of malware which is able to propagate to and infect other systems on
its own. An attacker develops worm software and deposits it on a system by any means.

From that point on, the worm replicates itself and spreads to other systems through their
vulnerabilities, then replicates and spreads again and again.
Summary of malware types

| Characteristic                    | Trojan Horse | Virus | Worm |
|-----------------------------------|--------------|-------|------|
| Packaged inside other software    | Yes          | No    | No   |
| Self-injected into other software | No           | Yes   | No   |
| Propagated automatically          | No           | No    | Yes  |

25.1.3 Human vulnerabilities

Type of Attack       Purpose
Social engineering   Exploits human trust and social behavior
Phishing             Disguises a malicious invitation as something legitimate
Spear phishing       Targets a group of similar users
Whaling              Targets high-profile people
Vishing              Uses voice calls
Smishing             Uses SMS
Pharming             Uses legitimate services to send users to a compromised site
Watering hole        Targets specific victims who visit a compromised site

25.1.4 Password vulnerabilities


Admin
Password
Pa$$w0rd
Password123
123456789

Sounds familiar!
One of these may well be the password many of you use for your different logins.
Right?

If I can guess it, so can an experienced, ill-intentioned attacker trying to log in to
your accounts online or offline.
Type of password attacks
Online Password Attack –
By actually entering each password guess as the system prompts for user credentials.
Offline Password Attack –
Occurs when the attacker is able to retrieve the encrypted or hashed passwords ahead of
time, then goes offline to an external computer and uses software there to repeatedly
attempt to recover the actual password.
Attackers can also use software to perform “Dictionary Attacks” to discover a user’s
password. The software will automatically attempt to log in with passwords taken from a
dictionary or word list. It might have to go through thousands or millions of attempts before
discovering the real password.

The software can perform a “Brute-force Attack” by trying every possible combination of
letter, number, and symbol strings. Brute-force attacks require very powerful computing
resources and a large amount of time.
Password policies
To mitigate password attacks, an enterprise should implement password policies for all
users. Such policies include guidelines that require a long password string made up of a
combination of upper- and lowercase characters along with numbers and some special
characters.

(Generally known as complex passwords, which are difficult to guess or to reveal by a
password attack.)

As well, password management should require all passwords to be changed periodically so
that even lengthy brute-force attacks would not be able to recover a password before it is
changed again.
(Example – net banking passwords reset after a certain period of time.)
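The complexity guidelines above, turned into a check that can be run against a candidate password before it is accepted. This is an added example, not part of the study notes: the minimum length of 12, the required character classes and the short list of common passwords (the ones quoted earlier in this section) are assumed policy values chosen for illustration.

```python
"""Password policy check following the complexity rules in the notes.

Added example, not part of the original study notes.  The policy
parameters (minimum length, required character classes) and the small
list of common passwords are assumptions for illustration.
"""
import string

MIN_LENGTH = 12  # assumed policy value

# Constructed list of weak passwords of the kind the notes warn about.
COMMON_PASSWORDS = {"admin", "password", "pa$$w0rd", "password123", "123456789"}


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # A "complex" password that is on every word list is still a dictionary-attack hit.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def is_compliant(password: str) -> bool:
    """True when the password satisfies every rule of the policy."""
    return not check_password(password)
```

The common-password check is the part most policies forget: "Pa$$w0rd" satisfies every character-class rule and is still one of the first guesses a dictionary attack makes.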
25.1.5 Password alternatives
2 factor authentication
For example, when you enable 2 factor authentication for access to your mail account,
you enter the password for your mail account and receive a code on your other device (such
as a mobile phone). You cannot enter your mail account without also entering that code
received on the mobile. This type of authentication method is known as “2 factor
authentication.”
Digital certificates
A digital certificate provides information about the identity of a device. A digital certificate is
issued by a Certification Authority (CA).
Biometric

The idea behind using biometrics as an authentication method is to use some physical
attribute of a user’s body to uniquely identify that person. These physical attributes are
usually unique to each individual’s body structure and cannot be easily stolen or duplicated.

For example, a user’s fingerprint can be scanned and used as an authentication factor. Other
examples include face recognition, palm prints, voice recognition, iris recognition, and
retinal scans.

Some methods are more trusted than others. Sometimes facial recognition systems can be
fooled by using photographs or masks of trusted people. (Mission Impossible)

Biometric patterns such as fingerprints, facial shapes, and iris patterns can be affected by
injuries and the aging process. So, multiple biometric credentials can be used to
authenticate users.
25.1.6 Managing user access
There are several methods to manage user activities:
 Global console password
(Same password for all users – user anonymity)
 Individual console password
(Login local using local username & password database – not manageable)
 AAA management
(Centralized management)
25.1.7 AAA server
A centralized authentication server can contain a database of all possible users and their
passwords, as well as policies to authorize user activities.
- Authentication: Who is the user?
- Authorization: What is the user allowed to do?
- Accounting: What did the user do?
For greater security, AAA servers can also support multifactor user credentials and more.

AAA servers usually support the following two protocols to communicate with enterprise
resources:
1. TACACS+
2. RADIUS
TACACS+ V/S RADIUS
 TACACS+:
- A Cisco proprietary protocol
- Separates each of the AAA functions
- Secure and encrypted communication
- Uses TCP port 49
 RADIUS:
- A standards-based protocol
- Combines authentication and authorization into a single resource
- Uses UDP ports 1812 and 1813 (accounting)
- Not completely encrypted.

25.1.8 Security policies


Developing a Security Program to Educate Users
Not all of the staff in an enterprise are technical, and they may not realize the
consequences of their own actions. Even technical people sometimes make human errors
which can cost the enterprise a fortune.

For example, if corporate users receive an email message that contains a message
concerning:
- A legal warrant for their arrest, or
- A threat to expose some supposed illegal behavior
They might be tempted to follow a link to a malicious site. Such an action might infect a
user’s computer and then open a back door or introduce malware or a worm that could
then impact the business operations.

This is why security programs are created and promoted throughout the enterprise: for
better coordination and sync with the IT team, for the overall protection of the enterprise
network.
An effective security program should have the following basic elements:
 User awareness
 User training
 Physical access control
User awareness

All users should be made aware of the need for data confidentiality to protect corporate
information, as well as their own credentials and personal information.
They should also be made aware of:
- Potential threats
- Schemes to mislead, and
- Proper procedures to report security incidents
Users should not include sensitive information in emails or attachments, should not keep or
transmit that information from a smartphone, or store it on cloud services or removable
storage drives.
User training

All users should be required to participate in periodic formal training so that they become
familiar with all corporate security policies.
Physical access control
Infrastructure locations, such as network closets and data centers, should remain securely
locked. Badge access to sensitive locations is a good solution, since it records who was
granted access and when.

25.2 Access control lists


25.2.1 Concept

- It enables a router to work as a firewall.
- It is a list of permit and deny statements.
- The router filters packets and allows or blocks them according to the permission
given.
There are 2 types of traffic in a network:
1. Inbound traffic
2. Outbound traffic
An ACL can be applied to both types of traffic.

- A maximum of 2 ACLs can be applied on a single router interface (one for inbound and the
other for outbound traffic).
- The list is read from top to bottom and the first matching statement is applied.
There is an implicit deny at the end of every list.
25.2.2 Types of ACL
ACLs can be of 2 types: Standard and Extended.
Each list can further be of 2 types, based on how they are configured: Numbered & Named.
25.2.3 Standard numbered ACL

Limitations of standard ACL (compared with extended ACL)

Standard:
1. The complete destination network is blocked for the source.
2. Blocks 2-way connectivity.
3. Needs to be applied on the source router.
Extended:
1. Only a particular host can be blocked.
2. Blocks one-way connectivity only.
3. Can be applied at any router.
25.2.4 Extended numbered ACL

1. How to block ping using an extended ACL:
R1(config)# access-list 111 deny icmp host 10.0.0.2 host 30.0.0.2 echo
R1(config)# access-list 111 permit ip any any
2. How to block telnet:
R1(config)# access-list 123 deny tcp host 10.0.0.3 host 20.0.0.2 eq telnet
R1(config)# access-list 123 permit ip any any
3. How to block a web server:
R2(config)# access-list 124 deny tcp host 30.0.0.3 host 10.0.0.10 eq www
R2(config)# access-list 124 permit ip any any
25.2.5 Standard named ACL
R1(config)# ip access-list standard testlist1
R1(config-std-nacl)# deny host 10.1.2.3
R1(config-std-nacl)# exit
25.2.6 Extended named ACL

25.3 Securing network devices


25.3.1 CLI protection
Service password-encryption

As we have seen, the “service password-encryption” command encrypts passwords
immediately, but the “no service password-encryption” command does not immediately
decrypt the passwords back to their clear-text state. After you enter the “no service
password-encryption” command, the passwords remain encrypted until you change a
password. Encryption is immediate; decryption awaits the next password change.
Working of md5 hashing

Step 1. IOS computes the MD5 hash of the password in the enable secret command and
stores the hash of the password in the configuration.

Step 2. When the user types the enable command to reach enable mode, IOS hashes the
clear-text password typed by the user, so that it can be checked against that configuration
command.

Step 3. IOS compares the two hashed values: if they are the same, the user-typed password
must be the same as the configured password.
25.3.2 Password attacks
Cisco IOS now supports two more alternative algorithm types – SHA-256 and scrypt. Both of
them use an SHA-256 hash instead of MD5.

Command                                      Type   Algorithm
enable secret (pwd)                          5      MD5
enable algorithm-type sha256 secret (pwd)    8      SHA-256
enable algorithm-type scrypt secret (pwd)    9      SHA-256

R2(config)# enable algorithm-type scrypt secret ccna@a123

R2# show running-config | include enable
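The three hashing steps described above, as an added example in Python (not Cisco IOS code, and not the exact on-box encoding of the type 5, 8 or 9 secrets). It stores either a salted MD5 hash, the legacy scheme, or a PBKDF2-SHA-256 hash, one SHA-256-based construction of the kind the newer types use, and verifies a typed password the way the notes describe: hash what was typed, then compare hashes, never the clear text. The salt size, iteration count and the layout of the stored string are assumptions.

```python
"""Hash-and-compare logic for a stored enable secret.

Added example, not Cisco code.  Illustrates the three steps from the
notes: store only the hash, hash the typed password the same way, then
compare the two hashes.  Salt size, work factor and the stored-string
layout ("algorithm$salt$digest") are assumptions made for this example.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 20_000  # assumed work factor for the SHA-256 scheme


def store_secret(password: str, algorithm: str = "sha256", salt: bytes = None) -> str:
    """Step 1: hash the configured password; only the hash (and salt) is kept."""
    if salt is None:
        salt = os.urandom(8)  # a fresh random salt per stored secret
    if algorithm == "md5":
        # legacy scheme: a single salted MD5 (fast, so cheap to brute-force)
        digest = hashlib.md5(salt + password.encode()).hexdigest()
    elif algorithm == "sha256":
        # SHA-256 based scheme with many iterations, which slows offline attacks
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                     PBKDF2_ROUNDS).hex()
    else:
        raise ValueError(f"unknown algorithm {algorithm!r}")
    return f"{algorithm}${salt.hex()}${digest}"


def verify_secret(stored: str, typed: str) -> bool:
    """Steps 2 and 3: hash the typed password the same way and compare hashes."""
    algorithm, salt_hex, digest = stored.split("$")
    candidate = store_secret(typed, algorithm, bytes.fromhex(salt_hex))
    # constant-time comparison so the check leaks nothing about the digest
    return hmac.compare_digest(candidate.split("$")[2], digest)
```

Because only the hash is stored, a copy of the configuration does not reveal the password; an attacker who obtains it is reduced to the offline guessing described in 25.1.4, which is why the slower SHA-256 based types are preferred over MD5.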
25.3.3 VTY access control
As we know, a router uses VTY lines to grant users access via Telnet or SSH. IOS
can apply an ACL to the vty lines, filtering the addresses that can telnet or SSH into the
network device. If filtered, the user never sees a login prompt. For example, imagine that all
the network admin staff’s devices connect to subnet 172.19.0.0/24. The security policy
states that only the network admin staff should be allowed to telnet or SSH into any of the
Cisco devices in the network.
VTY access control using an ACL
R1(config)# access-list 10 permit 172.19.0.0 0.0.0.255
R1(config)# line vty 0 15
R1(config-line)# access-class 10 in
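Both the extended ACL examples in 25.2.4 and the vty ACL above can be checked against a small model of how IOS evaluates a list: top to bottom, first match wins, implicit deny at the end, with Cisco wildcard masks (a 0 bit must match, a 1 bit is ignored). This is an added example, not IOS code; the packet fields and rule layout are simplifications (ICMP message types are not modelled), and the addresses and ports are the ones from the notes' own commands.

```python
"""First-match ACL evaluator with Cisco wildcard masks and the implicit deny.

Added example, not IOS code.  Models the evaluation order of a Cisco
ACL: entries are tried top to bottom, the first match decides, and a
packet that matches nothing is denied.  Rule syntax is a simplified
form of the access-list commands in the notes.
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"telnet": 23, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")   # "any" is network 0.0.0.0 with all-ones wildcard


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: bits set to 0 must match, bits set to 1 are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def host(ip: str) -> tuple:
    """'host 10.0.0.2' is shorthand for the wildcard 0.0.0.0 (exact match)."""
    return (ip, "0.0.0.0")


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    protocol: str          # "ip" matches every protocol; else "tcp", "udp", "icmp"
    src: tuple             # (network, wildcard)
    dst: tuple = ANY       # standard ACLs look only at the source
    dst_port: int = None   # None means any destination port

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and self.protocol != pkt["protocol"]:
            return False
        if not wildcard_match(pkt["src"], *self.src):
            return False
        if not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


def evaluate(acl: list, pkt: dict) -> str:
    """Walk the list top to bottom; first match wins; implicit deny at the end."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# The notes' own lists expressed as entries.
ACL_111 = [AclEntry("deny", "icmp", host("10.0.0.2"), host("30.0.0.2")),
           AclEntry("permit", "ip", ANY)]
ACL_123 = [AclEntry("deny", "tcp", host("10.0.0.3"), host("20.0.0.2"), PORT_NAMES["telnet"]),
           AclEntry("permit", "ip", ANY)]
ACL_124 = [AclEntry("deny", "tcp", host("30.0.0.3"), host("10.0.0.10"), PORT_NAMES["www"]),
           AclEntry("permit", "ip", ANY)]
# Standard ACL 10 for the vty lines: only the admin subnet 172.19.0.0/24, nothing else.
ACL_10 = [AclEntry("permit", "ip", ("172.19.0.0", "0.0.0.255"))]
```

ACL_10 has no explicit permit-any, so the implicit deny is what keeps every other subnet away from the vty lines; the evaluator returns "deny" for those packets without any entry matching.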

25.4 Firewalls and IPS


25.4.1 Traditional firewalls

As we studied earlier, access control lists let a router work as a firewall, giving it
packet filtering as an additional role.
(Remember that the dedicated role of a router is packet forwarding.)
Normally a firewall does the same work that routers do with ACLs, but firewalls can perform
that packet-filtering function with many more options, and perform other security tasks.
Also, a router does stateless filtering, whereas all effective firewalls are stateful firewalls.

Stateful – Keep state information by storing information about each packet, and make
decisions about filtering future packets based on the historical state information.

Firewalls use the following logic to make the choice of whether to deny or allow a packet:
- Like ACLs, match the source and destination IP addresses.
- Like ACLs, identify applications by matching their TCP and UDP port numbers.
- Observe application level flows to know what additional TCP and UDP ports are
used by a particular flow, and filter based on those ports.
25.4.2 Stateful & stateless firewall concept
Although routers can be used as firewalls to some extent (using ACLs), routers are
designed primarily for packet forwarding. So, routers must spend the least time possible
processing each packet, so that packets experience little delay passing through the
router.
To understand the concept of stateful firewall, let’s take the example of a simple denial of
service (DoS) attack. An attacker can attempt DoS attacks against a web server by using
some tools that can create a large number of TCP connections to the web server. Now, let’s
say normally a firewall allows the TCP connections to that server and the server typically
receive 20 new TCP connections per second.
A stateful firewall could be tracking the number of TCP connections per second – means,
recording state information based on earlier packets – Including the number of TCP
connection requests from each client IP address to each server address. The stateful firewall
could notice a large number of TCP connections, check its state information, and then notice
that the number of requests is very large from a small number of clients to that particular
server, which is typical of some kinds of DoS attacks.
The stateful firewall can filter such packets and can save the web server from crashing.
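The connection-rate tracking described in the DoS example above, as an added example in Python (not any firewall product's code). It keeps per-client, per-server state about TCP connection requests and flags a client whose request rate to one server exceeds a threshold, which is exactly the historical state a stateless ACL cannot keep. The sample connection records, the one-second sliding window and the threshold of 20 new connections (the figure used in the notes' example) are constructed for the example.

```python
"""Stateful tracking of TCP connection requests per client/server pair.

Added example, not a firewall product's code.  Each observed connection
request (SYN) is recorded under its (client, server) key; the verdict
for a request depends on how many requests that client has already made
to that server within the sliding window.  Sample data is constructed.
"""
from collections import defaultdict, deque


class SynRateTracker:
    def __init__(self, window_seconds: float = 1.0, threshold: int = 20):
        self.window = window_seconds
        self.threshold = threshold
        # state table: (client, server) -> timestamps of recent connection requests
        self.state = defaultdict(deque)

    def observe(self, timestamp: float, client: str, server: str) -> str:
        """Record one connection request and return 'allow' or 'drop' for it."""
        q = self.state[(client, server)]
        q.append(timestamp)
        # forget requests that have fallen out of the sliding window
        while q and timestamp - q[0] > self.window:
            q.popleft()
        return "drop" if len(q) > self.threshold else "allow"


def run(records, **kwargs) -> dict:
    """Feed (timestamp, client, server) records in time order; count verdicts per client."""
    tracker = SynRateTracker(**kwargs)
    verdicts = defaultdict(lambda: {"allow": 0, "drop": 0})
    for ts, client, server in sorted(records):
        verdicts[client][tracker.observe(ts, client, server)] += 1
    return dict(verdicts)


# Constructed sample: ten normal clients opening one connection each to the
# web server, plus one client opening 50 connections within a quarter second.
SAMPLE = [(i * 0.1, f"10.1.1.{i}", "203.0.113.10") for i in range(1, 11)]
SAMPLE += [(0.5 + i * 0.005, "198.51.100.7", "203.0.113.10") for i in range(50)]
```

The normal clients are never affected because the state is kept per client/server pair: the flood from one address does not raise the count for anyone else, which is the property that lets the firewall protect the server without blocking legitimate users.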
25.4.3 Security zones
Firewalls can control which hosts can initiate communications. No company wants any
random Internet user or attacker to be able to connect to their internal/private servers.
Firewalls use the concept of security zones when defining which hosts can initiate new
connections.

Zone logic of firewalls:


o By default, firewalls deny all traffic unless a rule specifically allows the packet.
o Allow hosts in zone inside to initiate connections to hosts in zone outside, for a
predefined set of safe well-known ports (like HTTP port 80).
o There is also a separate zone dedicated to web servers, known as the DMZ. These are the
servers that need to be available for use by users in the public Internet.
o By separating the web servers into the DMZ, away from the rest of the
enterprise, the enterprise can prevent Internet users from attempting to connect to
the internal devices in the inside zone, and many types of attacks can be prevented.

25.4.4 Firewalls V/S IPS


- A firewall works with a set of user-configured rules about where packets should be
allowed to flow in a network and where not.
- An intrusion prevention system – IPS is a similar kind of device, but it makes its
decisions using different logic.
Working of IPS
- The IPS has a database of exploit signatures.
- Each signature defines different header field values found in sequences of packets
used by different exploits.

- Then the IPS can examine packets, compare them to the known exploit signatures,
and notice when packets may be part of a known exploit.

- Once identified, the IPS can log the event, discard packets, or even redirect the
packets to another security application for further examination.

How is an IPS different from a firewall?

A firewall uses the rules configured by a network admin, whereas an IPS uses a signature
database defined mostly by the vendor who made the IPS device.
The signatures downloaded into an IPS look for these kinds of attacks:
 DoS
 DDoS
 Worms
 Viruses

An IPS is only as good as its signature database. So, to be good at what an IPS does, the IPS needs
to download and keep updating its signature database, because attackers are evolving day
by day. New protocols and attack vectors are being developed to breach even highly
secured networks and the most sophisticated security devices. So, security experts need to stay
updated and work to create the signatures to prevent zero-day attacks.

25.4.5 NGFW features


Cisco Next Generation Firewalls (NGFW)
An NGFW still does the traditional functions of a firewall, like:
- Stateful filtering by comparing fields in the IP, TCP, and UDP headers, and
- Using security zones when defining firewall rules.
But still, you can see attackers can find a way to send packets past the firewall.
So, what should be the solution?

A next generation firewall – A firewall that looks at the application layer data to identify the
application instead of relying on the TCP/UDP port numbers used.

Cisco performs deep packet inspection (DPI) using a feature called Application Visibility
and Control (AVC). That means a next generation firewall does not just analyze the transport
layer but the application and session layers as well.
Following are some of the important features of an NGFW:
Traditional firewall:

An NGFW performs traditional firewall features, like stateful firewall filtering, NAT/PAT, and
VPN termination.
Application Visibility and Control (AVC):
This feature looks deep into the application layer data to identify the application. For
example, it can identify the application based on the data, rather than port number, to
defend against attacks that use random port numbers.
Advanced Malware Protection:
NGFW platforms run multiple security services, not just as a platform to run a separate
service, but for better integration of functions. A network-based antimalware function can
run on the firewall itself, blocking file transfers that would install malware, and saving copies
of files for later analysis.
URL Filtering:
This feature examines the URLs in each web request, categorizes the URLs, and either filters
or rate limits the traffic based on rules. The Cisco security group monitors and creates
reputation scores for each domain known in the Internet, with URL filtering being able to
use those scores in its decision to categorize, filter, or rate limit.
NGIPS:
The Cisco NGFW products can also run their NGIPS feature along with the firewall. When the
design needs both a firewall and IPS at the same location in the network, these NGFW
products can run the NGIPS feature in the same device.

25.4.6 NGIPS features


Cisco Next-Generation IPS
NGFW and NGIPS products are the same products, with the ability to run both the NGFW
and NGIPS.

One of the biggest issues with a traditional IPS comes with the volume of security events
logged by the IPS.
An NGIPS helps with this issue in a couple of ways.
The NGIPS will know the:
- Operating system
- Software versions and the revision levels
- Running applications
- Port numbers in use, etc.

Using this data, the NGIPS can make much better choices about what events to log instead
of logging all of the events.

Let’s say an NGIPS is placed into a network to protect a campus LAN where end users
connect, but there is no data center in that part of the network.

Also, all PCs happen to be running Windows, and possibly the same version. The signature
database includes signatures for exploits of Linux hosts, Macs, Windows versions not present
in that part of the network, and exploits that apply to server applications that are not
running on those hosts.
After learning these facts, an NGIPS can decide which exploit checks to perform and which to
skip, spending more time and focus on events that could actually occur, reducing the number
of events logged.
Following are the features of an NGIPS:
Traditional IPS:
An NGIPS performs traditional IPS features, like using exploit signatures to compare packet
flows, creating a log of events, and possibly discarding and/or redirecting packets.
Application Visibility and Control (AVC):

As with NGFWs, an NGIPS has the ability to look deep into the application layer data to
identify the application.
Contextual Awareness:
NGFW platforms gather data from hosts – OS, software version/level, patches applied,
applications running, open ports, applications currently sending data, and so on.
Reputation-Based Filtering:

Some websites are friendly and others are not. If a website is continuously reported as a red
flag in the various signature database, it is reported as a bad website. Such scores are used
by the NGIPS to check whether to open certain websites or not. An NGIPS can perform
reputation-based filtering, taking the scores into account.

25.5 Switch port security


25.5.1 Concept

Switches are devices that are often placed in open locations in the network. As end
devices need to be connected to switches, not all switches can be placed in the server
room. So, switches need to be provided with some extra security features to help
prevent physical attacks.
Some of these features are:
- Port Security
- DHCP Snooping
- Dynamic ARP Inspection

As switches are layer 2 devices, to implement security at the switch level we use layer 2
addresses. That is, port security is implemented on the basis of the MAC address. Port
security identifies devices based on the source MAC address of the Ethernet frames that the
devices send.
Port security defines a maximum number of unique source MAC addresses
allowed for all frames coming in the interface. The MAC addresses allowed on an interface
can be all statically configured, all dynamically learned, or some configured statically and
others learned dynamically.
The switch then examines frames received on the interface to determine whether a violation
has occurred. If the source MAC address of the received frame matches a MAC address allowed
on the port, the frame is processed; otherwise a violation occurs and the frame is discarded.
25.5.2 Configuration
Port security can be configured on both access and trunk ports, but it requires you to
statically configure the port as a trunk or an access port, rather than let the switch decide.
Configuring Port Security
interface fa0/1
switchport mode access
switchport port-security
switchport port-security maximum 1
[Default value of allowed MAC address on an interface = 1]
switchport port-security mac-address (mac-address)
[Use the command multiple times to define more than one MAC address.]
switchport port-security mac-address sticky

switchport port-security violation {protect | restrict | shutdown}


[Default violation mode – shutdown]
Switches can also use port security on voice ports and EtherChannels.
- For voice ports, make sure to configure the maximum MAC addresses to at least two
(one for the phone and one for a PC connected to the phone).
- On EtherChannels, the port security configuration should be placed on the port-channel
interface, rather than on the individual physical interfaces in the channel.
Configuring Port Security – verification
#show running-config
#show port-security interface fa0/1

When port security is enabled, MAC addresses are either statically configured or
dynamically learned. So, the default switch behavior changes and MAC addresses can’t be
seen in the MAC address table with the command:
#show mac address-table
So, the commands used will be:
#show mac address-table secure
#show mac address-table secure interface fa0/1
#show mac address-table static
Port Security Shutdown Mode
When port security is enabled on a switch interface and the network admin has configured
violation mode “shutdown”, any unauthorized frame received on that interface violates port
security, and all frame forwarding is stopped on the interface, both in and out.

It seems like port security has shut down the port; but the port is not literally down. Instead,
port security uses the err-disabled feature.

Err-disabled state can be used by Cisco switches for many reasons, but when using port
security shutdown mode and a violation occurs, the following happens:

- The switch interface state (#show interfaces & #show interfaces status) changes to
an err-disabled state
- The switch interface port security state (#show port-security) changes to a secure-
down state
- The switch stops sending and receiving frames on the interface

To recover from an err-disabled state, the interface must be shut down with the shutdown
command and then enabled with the no shutdown command, manually by the network
admin.

Alternately, the switch can be configured to automatically recover from the err-disabled
state, when caused by port security, with these two global commands:
errdisable recovery cause psecure-violation
(enables automatic recovery for interfaces in an err-disabled state caused by port security)
errdisable recovery interval seconds
(sets how long an interface stays err-disabled before the automatic recovery)
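The configuration semantics from 25.5.2 and the violation behaviour described above, as an added simulation in Python (not IOS code). It models one access port with a maximum number of secure MAC addresses, statically configured and sticky-learned addresses, the three violation modes, the err-disabled state that shutdown mode produces, and the admin's manual recovery. The MAC addresses in the sample runs are constructed.

```python
"""Simulation of port-security learning and violation handling on one port.

Added example, not Cisco IOS code.  Models the behaviour the notes
describe: a maximum number of secure MACs, static and sticky-learned
addresses, the protect/restrict/shutdown violation modes, err-disabled
state and manual recovery.  MAC addresses in the tests are constructed.
"""


class SecurePort:
    def __init__(self, maximum: int = 1, violation: str = "shutdown",
                 static_macs=(), sticky: bool = False):
        assert violation in ("protect", "restrict", "shutdown")
        self.maximum = maximum            # switchport port-security maximum N
        self.violation = violation        # switchport port-security violation ...
        self.sticky = sticky              # switchport port-security mac-address sticky
        self.secure_macs = list(static_macs)   # statically configured addresses
        self.violations = 0               # counter kept by restrict and shutdown modes
        self.err_disabled = False
        self.log = []                     # what the switch would report via syslog/SNMP

    def receive(self, src_mac: str) -> str:
        """Process one inbound frame and return what happens to it."""
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # room left: learn the address dynamically
            self.secure_macs.append(src_mac)
            if self.sticky:
                # sticky addresses are written into the running-config
                self.log.append(f"sticky-learned {src_mac}")
            return "forwarded (learned)"
        # unknown source MAC and the secure table is full: a violation
        if self.violation == "protect":
            return "dropped"              # silently discarded, nothing counted
        self.violations += 1
        self.log.append(f"violation from {src_mac}")
        if self.violation == "restrict":
            return "dropped (counted, syslog/SNMP)"
        self.err_disabled = True          # shutdown mode: port goes err-disabled
        return "dropped (port moved to err-disabled)"

    def recover(self) -> None:
        """The admin's 'shutdown' followed by 'no shutdown' on the interface."""
        self.err_disabled = False


def run(port: SecurePort, frames) -> list:
    """Feed a sequence of source MACs through the port and collect the outcomes."""
    return [port.receive(mac) for mac in frames]
```

The difference between the modes is only in what the switch reports: protect drops silently, restrict drops and counts, shutdown drops everything afterwards until someone recovers the port, which is why shutdown is the default and restrict is the mode to pick when monitoring matters more than availability.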

25.6 DHCP behind the scenes


25.6.1 Concept of host
Host means – any device with an IP address.
o It can be your phone, a PC, a server, a router – any device that uses IP to provide a
service or just needs an IP address to be managed.
On any type of host, four types of settings are required so that it can work properly:
 IP address
 Subnet mask
 Default gateway
 DNS server IP addresses
DHCP server

From its functions, a DHCP server might seem like some big, complex piece of hardware, placed
in a server room with lots of air conditioning to keep it cool. But, like most servers, the server
is actually software, running on some server OS. You can install a third-party app on your
Windows PC and use it as a DHCP server. But this type of DHCP approach can be used in a small
office or training environment, not in enterprises. In smaller networks, even a router can be
used as the DHCP server. But in enterprise networks, we need separate hardware for the DHCP
server with a server OS and high availability features.
The DHCP service is still created by software, however.
25.6.2 DORA process
To get an IP address by DHCP, a host uses DORA process:
D – Discover
O – Offer

R – Request
A – Acknowledgement

For the sake of an example, let’s consider Host M wants to get an IP address from a DHCP
server.
Discover
Host M sends a Discover message, with source IP address of 0.0.0.0 because it does not
have an IP address to use yet and destination 255.255.255.255, which is sent in a LAN
broadcast frame, reaching all hosts in the subnet. The host hopes that there is a DHCP
server on the local subnet.
Why?
Because packets sent to 255.255.255.255 only go to hosts in the local subnet; router will not
forward this packet.
Offer
Now look at the Offer message sent back by the DHCP server. The server sets the
destination IP address to 255.255.255.255 again.
Why?
Host M still does not have an IP address, so the server cannot send a packet directly to the
host M. So, the server sends the packet to “all local hosts in the subnet” address
(255.255.255.255).
(The packet is also encapsulated in an Ethernet broadcast frame.)

Note that all hosts in the subnet receive the Offer message. However, the original Discover
message includes a field called the client ID, which includes the host’s MAC address and
identifies the original host M. As a result, the desired host, which is host M in our
case, knows that the Offer message is meant for it. The rest of the hosts also receive the
Offer message, but notice that the message lists another device’s DHCP client ID, so they
ignore the Offer message.
25.6.3 DHCP relay
Network people have a main design choice to make while using DHCP server:
- Put a DHCP server in every LAN subnet or locate a DHCP server at a central location?
Cisco design documents suggest a centralized design as a best practice, because it allows for
centralized control and configuration of all the IPv4 addresses assigned throughout the
enterprise network.

• By using a centralized DHCP server approach, the DHCP messages that flowed only
on the local subnet somehow need to flow over the IP network to the centralized
DHCP server and back to get the IP addresses for the hosts.

• To make it work, the routers connected to the remote LAN subnets rely on a concept
called “DHCP Relay” and need an interface subcommand: the “ip helper-address
(server-ip)” command.

The ip helper-address (server-ip) subcommand tells the router to do the following for the
messages coming in an interface, from a DHCP client:
- Watch for incoming DHCP messages, with destination IP address 255.255.255.255.
- Change that packet’s source IP address to the router’s incoming interface IP address.

- Change that packet’s destination IP address to the address of the DHCP server (as
configured in the ip helper-address command).
- Route the packet to the DHCP server.
This feature, by which a router relays DHCP messages by changing the IP addresses in the
packet header, is called DHCP relay. Many enterprise networks use a centralized DHCP
server, so the normal router configuration includes an ip helper-address command on every
LAN interface/subinterface.
Cisco routers and switches can also act as DHCP clients, learning their IP addresses from a
DHCP server. (Use this command – “ip address dhcp” under interface sub-mode)
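The DORA exchange from 25.6.2 and the ip helper-address rewrite described above, walked through as an added example in Python (not the DHCP wire format and not IOS code). Messages are small dictionaries carrying only the fields the notes discuss: source and destination IP, the client ID (the client's MAC) and the offered address. The relay models the rewrite the notes describe (source becomes the router's interface address, destination becomes the server); the server's reply to a relayed message goes back to that router, which re-broadcasts it on the client's LAN. All addresses and MACs are constructed.

```python
"""DORA exchange with and without a DHCP relay (ip helper-address).

Added example, not the DHCP protocol's wire format and not IOS code.
Messages are dictionaries with only the fields the notes discuss.  The
relay rewrites source/destination as the notes describe; the server
answers a relayed message to the relaying router, which re-broadcasts
it on the client's LAN.  Addresses and MACs are constructed.
"""
BROADCAST = "255.255.255.255"
UNSPECIFIED = "0.0.0.0"


def discover(client_mac: str) -> dict:
    """The host has no address yet: source 0.0.0.0, destination limited broadcast."""
    return {"type": "DISCOVER", "src": UNSPECIFIED, "dst": BROADCAST,
            "client_id": client_mac}


def relay(msg: dict, router_if_ip: str, helper_ip: str) -> dict:
    """ip helper-address: forward a broadcast DHCP message as unicast to the server."""
    if msg["dst"] != BROADCAST:
        return msg  # only messages to 255.255.255.255 are relayed
    return {**msg, "src": router_if_ip, "dst": helper_ip}


class DhcpServer:
    def __init__(self, server_ip: str, pool):
        self.ip = server_ip
        self.pool = list(pool)        # constructed address pool
        self.bindings = {}            # client_id -> address (what show ip dhcp binding lists)

    def handle(self, msg: dict) -> dict:
        """Offer on DISCOVER, Ack on a matching REQUEST; reply goes back the way it came."""
        cid = msg["client_id"]
        if msg["type"] == "DISCOVER":
            if cid not in self.bindings:
                self.bindings[cid] = self.pool.pop(0)
            reply = "OFFER"
        elif msg["type"] == "REQUEST" and msg.get("requested") == self.bindings.get(cid):
            reply = "ACK"
        else:
            reply = "NAK"
        # A client with no address can only be reached by broadcast; a relayed
        # message came from a router address, so the reply is unicast to it.
        dst = BROADCAST if msg["src"] == UNSPECIFIED else msg["src"]
        return {"type": reply, "src": self.ip, "dst": dst,
                "client_id": cid, "yiaddr": self.bindings.get(cid)}


def accepts(reply: dict, my_mac: str) -> bool:
    """Every host on the LAN sees the broadcast; only the matching client ID keeps it."""
    return reply["client_id"] == my_mac


def dora(client_mac: str, server: DhcpServer, relay_at=None):
    """Run Discover/Offer/Request/Ack; relay_at=(router_if_ip, helper_ip) for a remote subnet."""
    trace = []

    def exchange(msg: dict) -> dict:
        if relay_at:
            msg = relay(msg, *relay_at)
        trace.append((msg["type"], msg["src"], msg["dst"]))
        reply = server.handle(msg)
        if relay_at:
            reply = {**reply, "dst": BROADCAST}   # router re-broadcasts on the client LAN
        trace.append((reply["type"], reply["src"], reply["dst"]))
        return reply

    offer = exchange(discover(client_mac))
    if not accepts(offer, client_mac):
        return None, trace
    request = {"type": "REQUEST", "src": UNSPECIFIED, "dst": BROADCAST,
               "client_id": client_mac, "requested": offer["yiaddr"]}
    ack = exchange(request)
    return (ack["yiaddr"] if ack["type"] == "ACK" else None), trace
```

Comparing the two traces shows the point of the helper address: on the local subnet every message is a broadcast that no router would forward, while in the relayed case the Discover and Request leave the router as unicasts addressed to the server.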
Dhcp server settings
- Subnet ID and subnet mask
- Reserved (excluded) addresses
- Default router(s)
- DNS IP address(es)
25.6.4 DHCP allocation modes
DHCP uses three allocation modes, based on small differences in the configuration at the
DHCP server.
- Dynamic allocation
- Automatic allocation
- Static allocation

Dynamic allocation – the default DHCP mechanism and configuration method that we have
been using so far in our discussion.
Automatic allocation – sets the DHCP lease time to infinite.
Static allocation – some addresses are reserved to be configured as static IP addresses.
Once such a static IP is configured on a host, it cannot be used by any other host in the network.

Dhcp server settings


A DHCP server can also be used to supply other useful configuration settings, like the TFTP
server address. For example, Cisco IP phones rely on TFTP to get several configuration files
when the phone initializes. DHCP can supply the IP address of the TFTP server that the phones
should use.
Dhcp configuration
Already discussed in previous chapters.
Dhcp verification
#show ip dhcp binding (to check MAC-IP bindings)
#show ip interface gig0/0 (to see helper address ip)
#show dhcp lease (to see lease information)
#show ip default-gateway (to check gateway ip address)
25.6.5 Router as a DHCP client
In normal cases, it is better to statically configure router interface IP addresses. But
sometimes using DHCP to get a router’s address makes more sense, for example on
your home router, connected to the Internet.
A router with a link to the Internet can learn its IP address and mask with DHCP and also
learn the neighboring ISP router’s address as the default gateway.
As we know, DHCP provides a default gateway IP address to routers also, but routers do
not normally use a default gateway setting; only hosts do. The router turns that default
gateway IP address into a default route with the ISP router’s IP address as the next-hop IP
address.
Additionally, router R1 can distribute that default route to the rest of the routers using an
interior routing protocol like OSPF.
Configuring a router as a DHCP Client
interface gig0/0 (interface connected to the Internet side)
ip address dhcp (command to configure the router as a DHCP client)
#show ip route static
S* 0.0.0.0/0 [254/0] via (ISP router IP address)
To recognize this route as a DHCP-learned default route, look to the administrative distance
value of 254. IOS uses a default administrative distance of 1 for static routes configured with
the ip route configuration command but a default of 254 for default routes added because
of DHCP.

25.6.6 Host IP settings


Host IP Settings on Windows
ipconfig
ipconfig /all
Host IP Settings on mac
ifconfig (Note that ifconfig does not have a /all option.)
$networksetup -getinfo Ethernet (To check default gateway settings)
$networksetup -getdnsservers Ethernet (To check DNS server settings)
Host IP Settings on linux
$ifconfig wlan0
$ip address

25.7 DHCP snooping


25.7.1 DHCP snooping
Because DHCP relies on a fixed set of messages in its DORA process, and because any end device on the LAN can send those messages, DHCP is open to abuse: a rogue device can pose as a DHCP server, or can send client messages crafted to disrupt the service. Not every end device can be trusted to be friendly. DHCP snooping is the switch feature used to prevent such attacks.
DHCP snooping acts like a firewall or ACL sitting between the end devices and the DHCP servers. It filters the DHCP messages arriving from the end-device side; the ports leading to end devices are marked as "untrusted" ports. Ports that lead toward the DHCP server (or toward another switch on the path to it) are marked as "trusted" ports, and DHCP snooping does not filter messages received on trusted ports. DHCP itself is a Layer 3 service, but DHCP snooping is classed as a Layer 2 security feature because it operates on LAN switches.

The rules applied by DHCP snooping differ by message type. Messages normally sent by clients (DISCOVER and REQUEST) are treated differently from messages normally sent by servers (OFFER and ACK).
 DHCP messages that are supposed to be sent by DHCP servers (like OFFER and ACK) are discarded if they are received on an untrusted port.
 DHCP messages that are supposed to be sent by DHCP clients (like DISCOVER and REQUEST) received on an untrusted port may be filtered if they appear to be part of an attack.
 DHCP messages received on a trusted port are forwarded; trusted ports do not filter (discard) any DHCP messages.
25.7.2 DHCP attacks
An example of a DHCP attack – good IP but wrong default gateway: a rogue DHCP server on the LAN answers a client's DISCOVER before the legitimate server does. The lease it hands out contains a usable IP address in the right subnet, but the default gateway field (and possibly the DNS server field) points at the attacker's own address.
An example of a DHCP attack – a DHCP attack leading to a man-in-the-middle attack: because the victim now forwards all off-subnet traffic to the attacker, the attacker can read or modify that traffic before relaying it to the real gateway. The victim's connectivity keeps working, so nothing looks wrong to the user.

25.7.3 Logic behind DHCP snooping

DHCP snooping – logic of trusted ports
The switch port connected to a DHCP server must be trusted; otherwise DHCP would not work, because the switch would filter all the DHCP messages sent by the server. So all messages received on trusted ports are forwarded without inspection.
DHCP snooping – logic for untrusted ports
1. Examine all incoming DHCP messages.
2. If the message is of a type normally sent by DHCP servers (OFFER, ACK, NAK), discard it.
3. If the message is of a type normally sent by DHCP clients, filter as follows:
- For DISCOVER and REQUEST messages, check for MAC address consistency between the Ethernet frame's source MAC address and the DHCP message's client hardware address (chaddr).
- For RELEASE and DECLINE messages, check the incoming interface plus the IP address against the DHCP snooping binding table.
4. For messages that are not filtered and that result in a DHCP lease, build a new entry in the DHCP snooping binding table (IP address, MAC address, VLAN, interface and lease time).
DHCP snooping – summary of rules

Filtering DISCOVER messages based on MAC

The core feature of DHCP snooping defeats attacks on untrusted ports using a MAC address comparison between the Ethernet frame and the DHCP header's chaddr (client hardware address) field. It compares the Ethernet header's source MAC address with the MAC address in the DHCP header, and if the two values do not match, DHCP snooping discards the message.

Filtering IP address RELEASE messages

A normal user may lease address 192.168.1.5 and at some point release it back to the server. Before that client has finished with its lease, however, an attacker could send a DHCP RELEASE message to put the address back into the pool. The attacker could then immediately try to lease the address, hoping the DHCP server assigns the same 192.168.1.5 to the attacker.
DHCP snooping – defeats a DHCP RELEASE attack from another port

The figure shows the attacker, off port Fa0/3, attempting to release PC1's address. DHCP snooping compares the incoming message, the incoming interface, and the matching binding table entry:
- The incoming message is a DHCP RELEASE arriving on port Fa0/3 and listing address 192.168.1.5.
- The DHCP snooping binding table lists 192.168.1.5 as originally leased via messages arriving on port Fa0/2.
- Because the interfaces do not match, DHCP snooping discards the RELEASE message.
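The decision logic of sections 25.7.1 and 25.7.3 can be replayed in software. The following is an added example written for these notes (it is not code from the original book or from Cisco IOS): a small model of DHCP snooping that applies the trusted/untrusted rules, the chaddr check for DISCOVER/REQUEST, and the interface check for RELEASE/DECLINE against a binding table it builds itself. The port names, MAC addresses and the simplified message layout are constructed for the demo.

```python
# Added example (not from the original notes or from Cisco IOS): a model of the
# DHCP snooping decision logic. Port names, MAC addresses and the message
# layout (a dict with type/chaddr/yiaddr/ciaddr) are constructed for the demo.

SERVER_MSGS = {"OFFER", "ACK", "NAK"}            # only legitimate on trusted ports


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # chaddr -> port that sent the latest DISCOVER/REQUEST
        self.bindings = {}   # leased IP -> (client MAC, client port), built from ACKs
        self.drops = []      # (port, message type, reason) for every discarded message

    def _drop(self, port, msg, reason):
        self.drops.append((port, msg["type"], reason))
        return False

    def inspect(self, port, eth_src, msg):
        """Return True if the DHCP message arriving on `port` is forwarded, False if
        it is discarded. eth_src is the Ethernet header source MAC of the frame."""
        kind = msg["type"]
        if port in self.trusted:
            # Trusted ports are never filtered, but the switch still learns from them:
            # a forwarded ACK completes a lease and creates a binding table entry.
            if kind == "ACK" and msg["chaddr"] in self.pending:
                self.bindings[msg["yiaddr"]] = (msg["chaddr"], self.pending.pop(msg["chaddr"]))
            return True
        if kind in SERVER_MSGS:
            return self._drop(port, msg, "server message on untrusted port")
        if kind in ("DISCOVER", "REQUEST"):
            if eth_src != msg["chaddr"]:
                return self._drop(port, msg, "Ethernet source MAC != chaddr")
            self.pending[msg["chaddr"]] = port
            return True
        if kind in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(msg["ciaddr"])
            if bound is None or bound != (eth_src, port):
                return self._drop(port, msg, "IP/interface does not match binding table")
            if kind == "RELEASE":
                del self.bindings[msg["ciaddr"]]    # lease legitimately given back
            return True
        return True   # other client messages (e.g. INFORM) pass in this simplified model


def demo():
    """Replay the scenario from the text: PC1 on Fa0/2 leases 192.168.1.5 from the
    server behind trusted port Fa0/1; an attacker on Fa0/3 tries three attacks."""
    sw = DhcpSnooping(trusted_ports={"Fa0/1"})
    pc1, server, attacker = "aaaa.aaaa.0001", "cccc.cccc.0003", "bbbb.bbbb.0002"
    r = {}
    r["discover"] = sw.inspect("Fa0/2", pc1, {"type": "DISCOVER", "chaddr": pc1})
    r["offer"] = sw.inspect("Fa0/1", server, {"type": "OFFER", "chaddr": pc1, "yiaddr": "192.168.1.5"})
    r["request"] = sw.inspect("Fa0/2", pc1, {"type": "REQUEST", "chaddr": pc1})
    r["ack"] = sw.inspect("Fa0/1", server, {"type": "ACK", "chaddr": pc1, "yiaddr": "192.168.1.5"})
    r["binding"] = sw.bindings.get("192.168.1.5")
    # Attacks from the untrusted port Fa0/3
    r["rogue_offer"] = sw.inspect("Fa0/3", attacker, {"type": "OFFER", "chaddr": pc1, "yiaddr": "192.168.1.50"})
    r["spoofed_discover"] = sw.inspect("Fa0/3", attacker, {"type": "DISCOVER", "chaddr": "dddd.dddd.0004"})
    r["rogue_release"] = sw.inspect("Fa0/3", attacker, {"type": "RELEASE", "chaddr": pc1, "ciaddr": "192.168.1.5"})
    # PC1 releasing its own address from its own port is still allowed
    r["legit_release"] = sw.inspect("Fa0/2", pc1, {"type": "RELEASE", "chaddr": pc1, "ciaddr": "192.168.1.5"})
    r["bindings_after"] = dict(sw.bindings)
    r["drops"] = list(sw.drops)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

The rogue OFFER is dropped purely because of the port it arrived on, the spoofed DISCOVER because the frame's source MAC and the chaddr disagree, and the RELEASE from Fa0/3 because the binding for 192.168.1.5 names Fa0/2. A real switch also records VLAN and lease time in each binding; the model keeps only what the three checks need.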
25.7.4 DHCP snooping configuration

ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
interface fa0/1
 ip dhcp snooping trust
(all other ports are untrusted by default)
#show ip dhcp snooping
interface fa0/1
 ip dhcp snooping limit rate 10
Note that ip dhcp snooping alone only enables the feature globally; no VLAN is inspected until it is also listed with ip dhcp snooping vlan.
DHCP relay agents add new fields to DHCP requests, defined as option 82 DHCP header fields. When DHCP snooping is enabled, the switch defaults to ip dhcp snooping information option, which inserts option 82 into relayed client requests even though the switch is not a relay agent, and a DHCP server may then discard those requests. So, to make DHCP snooping work on a switch that is not also a DHCP relay agent, disable the option 82 feature with the no ip dhcp snooping information option global command. Leave the default (option 82 enabled) only on switches that are actually working as DHCP relay agents.
Limiting DHCP message rates

Once DHCP snooping blocks their attacks, what can attackers do in return? They may try to attack DHCP snooping itself.
They know that DHCP snooping uses the general-purpose CPU in the switch. So they can generate large volumes of DHCP messages in an attempt to overload the DHCP snooping feature and the switch CPU.
This can be a simple denial of service, or it may cause DHCP snooping to fail to inspect every message, so that other DHCP attacks may succeed.
To prevent this type of attack, DHCP snooping includes an optional feature that tracks the number of incoming DHCP messages per interface.
If the number of incoming DHCP messages exceeds the configured limit over a one-second period, DHCP snooping treats it as an attack and places the port in the err-disabled state. The feature can be enabled on both trusted and untrusted interfaces. An err-disabled port stays down until an administrator issues shutdown followed by no shutdown on it, or until err-disable recovery is configured as below.
DHCP snooping – err-disabled recovery configuration
SW1(config)#errdisable recovery cause dhcp-rate-limit
SW1(config)#errdisable recovery interval (seconds)
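To make the one-second window and the err-disable/recovery behaviour concrete, here is an added example written for these notes (not code from the original book or from Cisco IOS). It models a per-port DHCP message rate limit and a recovery timer in the spirit of ip dhcp snooping limit rate and errdisable recovery interval; the port names, limits and timestamps are constructed, and time is passed in explicitly so the scenario is reproducible.

```python
# Added example (not from the original notes or from Cisco IOS): a model of the
# per-port DHCP message rate limit with err-disable and timed recovery.
# Port names, limits and timestamps are constructed for the demo.
from collections import deque


class DhcpRateLimiter:
    def __init__(self, limits, recovery_interval=30):
        self.limits = dict(limits)                    # port -> max DHCP messages per second
        self.recovery_interval = recovery_interval    # seconds, like 'errdisable recovery interval'
        self.windows = {port: deque() for port in self.limits}  # arrival times in the last second
        self.errdisabled = {}                         # port -> time it was err-disabled

    def is_errdisabled(self, port):
        return port in self.errdisabled

    def accept(self, port, now):
        """Return True if a DHCP message arriving on `port` at time `now` (seconds)
        is passed on to DHCP snooping, False if it is dropped."""
        disabled_at = self.errdisabled.get(port)
        if disabled_at is not None:
            if now - disabled_at < self.recovery_interval:
                return False                          # port is down: everything is dropped
            del self.errdisabled[port]                # automatic err-disable recovery
            self.windows[port].clear()
        limit = self.limits.get(port)
        if limit is None:
            return True                               # no rate limit configured on this port
        window = self.windows[port]
        while window and now - window[0] >= 1.0:      # forget arrivals older than one second
            window.popleft()
        window.append(now)
        if len(window) > limit:
            self.errdisabled[port] = now              # limit exceeded: err-disable the port
            return False
        return True


def demo():
    """A flood of 11 messages within 100 ms on Fa0/3 (limit 10) trips err-disable; the
    port stays down until the 30-second recovery interval has passed. Fa0/2 is unaffected."""
    limiter = DhcpRateLimiter(limits={"Fa0/3": 10, "Fa0/2": 10}, recovery_interval=30)
    flood = [limiter.accept("Fa0/3", 0.01 * i) for i in range(11)]   # t = 0.00 .. 0.10 s
    return {
        "accepted_before_trip": sum(flood[:10]),
        "eleventh_message": flood[10],
        "errdisabled_after_flood": limiter.is_errdisabled("Fa0/3"),
        "during_errdisable": limiter.accept("Fa0/3", 5.0),
        "other_port_unaffected": limiter.accept("Fa0/2", 5.0),
        "after_recovery": limiter.accept("Fa0/3", 31.0),
        "errdisabled_after_recovery": limiter.is_errdisabled("Fa0/3"),
        "slow_client_ok": all(limiter.accept("Fa0/2", 10.0 + i) for i in range(20)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value}")
```

Two points the model makes visible: the limit is a count per sliding one-second window, so twenty messages spread over twenty seconds never trip it, and an err-disabled port drops everything, legitimate clients included, until the recovery interval elapses. Choose the limit with that collateral effect in mind; a value far above what a real client generates still stops a flood.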

25.8 Dynamic ARP inspection

25.8.1 Concept
Just as DHCP snooping protects the switch from DHCP attacks, DAI protects the switch from ARP attacks.
The DAI feature on a switch examines incoming ARP messages on untrusted ports and filters those it considers part of an attack.
Using DAI, incoming ARP messages are compared with two sources of data: the DHCP snooping binding table and any configured ARP ACLs.
An ARP message is dropped if its sender IP/MAC pair does not match either of those tables.
Let's compare normal ARP operation with the abnormal use of ARP seen in some attacks, to better understand what DAI protects the switch against.
25.8.2 Gratuitous ARP

In the normal case, a host uses ARP when it knows the IP address of another host and wants to learn the MAC address of that host.
Sometimes, though, a host wants to inform all the hosts in the subnet about its own MAC address. That is useful when a host changes its MAC address, for example, and wants every other host in the subnet to update its ARP table with the new MAC address.
Gratuitous ARP features:
- It is an ARP reply sent without a preceding ARP request.
- It is sent to the Ethernet broadcast destination address so that all hosts in the subnet receive it.
Gratuitous ARP as an attack vector
Suppose a host's MAC address is MAC 1 and changes to MAC 2. To make all the other hosts update their ARP tables, the host can send a gratuitous ARP listing an origin (sender) MAC of MAC 2.
Attackers take advantage of gratuitous ARPs because they let the sending host make other hosts change their ARP tables, with no request and no authentication. An attacker can send a gratuitous ARP that pairs another host's IP address (the default gateway's, for example) with the attacker's own MAC address, so that the other hosts register the attacker's MAC as the valid one for that IP and unknowingly send their traffic to the attacker. This is the basis of ARP-spoofing man-in-the-middle attacks.
DAI has features that prevent these kinds of ARP attacks.
25.8.3 Inspection logic
DAI works with the idea of trusted and untrusted ports, with the same general rules as DHCP snooping.

Dynamic ARP inspection logic – ARP ACL

For ports connected to devices that use static IP addresses (which therefore have no DHCP snooping binding), DAI uses statically configured data that lists the correct pairs of IP and MAC addresses, configured with a tool called ARP ACLs.
Note: DAI consults both the DHCP snooping binding data and the ARP ACLs.
Dynamic ARP inspection logic
DAI discards these messages received on untrusted ports:
- ARP messages whose sender IP/MAC pair does not match a DHCP snooping binding or an ARP ACL entry (this is the core check and is always performed).
- Messages with an Ethernet header source MAC address that is not equal to the ARP origin (sender) hardware address.
- ARP reply messages with an Ethernet header destination MAC address that is not equal to the ARP target hardware address.
- Messages with unexpected IP addresses in the two ARP IP address fields, such as 0.0.0.0, 255.255.255.255 or a multicast address.
The last three checks are optional and are enabled with the ip arp inspection validate {src-mac | dst-mac | ip} global command.
Like DHCP snooping, DAI also limits the number of ARP messages per port to prevent attacks on DAI itself; by default, untrusted ports are limited to 15 ARP messages per second and trusted ports are not limited.
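The checks of sections 25.8.2 and 25.8.3 can be run against sample ARP messages. The following is an added example written for these notes (not code from the original book or from Cisco IOS): a model of DAI that applies the binding-table/ARP ACL check plus the three optional validations to constructed messages, including a gratuitous ARP that tries to take over the default gateway's IP address. The MAC addresses, IPs, port names and the ARP field layout are all made up for the demo.

```python
# Added example (not from the original notes or from Cisco IOS): a model of the DAI
# checks run against constructed ARP messages. MAC/IP addresses, port names and the
# ARP field layout (op, sha, spa, tha, tpa) are constructed for the demo.
from ipaddress import ip_address

BROADCAST = "ffff.ffff.ffff"


def unexpected_ip(ip):
    """The 'ip' validation: 0.0.0.0, 255.255.255.255 and multicast are never valid ARP IPs."""
    return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast


class DynamicArpInspection:
    def __init__(self, trusted_ports, dhcp_bindings, arp_acl=None,
                 validate=("src-mac", "dst-mac", "ip")):
        self.trusted = set(trusted_ports)
        self.dhcp_bindings = dict(dhcp_bindings)   # IP -> MAC, learned by DHCP snooping
        self.arp_acl = dict(arp_acl or {})         # IP -> MAC, static hosts (ARP ACL)
        self.validate = set(validate)              # optional extra checks that are enabled

    def _known_pair(self, ip, mac):
        return self.arp_acl.get(ip) == mac or self.dhcp_bindings.get(ip) == mac

    def inspect(self, port, eth_src, eth_dst, arp):
        """Return (forwarded, reason) for an ARP message arriving on `port`."""
        if port in self.trusted:
            return True, "trusted port, not inspected"
        if "src-mac" in self.validate and eth_src != arp["sha"]:
            return False, "Ethernet source MAC != ARP sender MAC"
        if "dst-mac" in self.validate and arp["op"] == "reply" and eth_dst != arp["tha"]:
            return False, "Ethernet destination MAC != ARP target MAC"
        if "ip" in self.validate:
            if unexpected_ip(arp["spa"]) or (arp["op"] == "reply" and unexpected_ip(arp["tpa"])):
                return False, "unexpected IP address in ARP body"
        if not self._known_pair(arp["spa"], arp["sha"]):
            return False, "sender IP/MAC pair not in DHCP snooping bindings or ARP ACL"
        return True, "ok"


def demo():
    gw_ip, gw_mac = "192.168.1.1", "0000.0c00.0001"        # static gateway: in the ARP ACL
    pc1_ip, pc1_mac = "192.168.1.5", "aaaa.aaaa.0001"      # leased: DHCP snooping binding
    atk_mac = "bbbb.bbbb.0002"                             # attacker on untrusted Fa0/3
    dai = DynamicArpInspection(trusted_ports={"Fa0/1"},
                               dhcp_bindings={pc1_ip: pc1_mac},
                               arp_acl={gw_ip: gw_mac})
    r = {}
    # Normal: PC1 asks for the gateway's MAC
    r["pc1_request"] = dai.inspect("Fa0/2", pc1_mac, BROADCAST,
        {"op": "request", "sha": pc1_mac, "spa": pc1_ip, "tha": "0000.0000.0000", "tpa": gw_ip})
    # Normal: the gateway replies through the trusted uplink
    r["gw_reply"] = dai.inspect("Fa0/1", gw_mac, pc1_mac,
        {"op": "reply", "sha": gw_mac, "spa": gw_ip, "tha": pc1_mac, "tpa": pc1_ip})
    # Attack: gratuitous ARP claiming the gateway's IP with the attacker's MAC
    r["gratuitous_hijack"] = dai.inspect("Fa0/3", atk_mac, BROADCAST,
        {"op": "reply", "sha": atk_mac, "spa": gw_ip, "tha": BROADCAST, "tpa": gw_ip})
    # Attack: ARP body claims PC1's MAC but the frame came from the attacker's NIC
    r["mac_mismatch"] = dai.inspect("Fa0/3", atk_mac, BROADCAST,
        {"op": "request", "sha": pc1_mac, "spa": pc1_ip, "tha": "0000.0000.0000", "tpa": gw_ip})
    # Attack: unicast reply to PC1 whose ARP target MAC differs from the frame's destination
    r["dst_mismatch"] = dai.inspect("Fa0/3", atk_mac, pc1_mac,
        {"op": "reply", "sha": atk_mac, "spa": gw_ip, "tha": gw_mac, "tpa": pc1_ip})
    # Bogus sender IP from an untrusted port
    r["bogus_ip"] = dai.inspect("Fa0/3", atk_mac, BROADCAST,
        {"op": "request", "sha": atk_mac, "spa": "0.0.0.0", "tha": "0000.0000.0000", "tpa": gw_ip})
    return r


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:18} {'forward' if ok else 'drop':8} {why}")
```

The gratuitous ARP passes every consistency check (the frame really did come from the attacker's MAC and really is a broadcast); it is dropped only because no binding or ARP ACL entry pairs 192.168.1.1 with that MAC, which is why the gateway must appear in an ARP ACL when it does not use DHCP. One caveat shown by the last case: the optional ip validation also drops legitimate ARP probes, which use a sender IP of 0.0.0.0 for duplicate-address detection.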
25.8.4 Configuring DAI
Dynamic ARP inspection configuration on a Layer 2 switch
Before configuring DAI, decide:
- Whether to rely on DHCP snooping, or ARP ACLs, or both.
- If you choose to use DHCP snooping, configure it and make the correct ports trusted.
- Choose the VLAN(s) on which to enable DAI.
- Then make the DAI trusted ports in those VLANs.
(Typically these will be the same ports you trusted for DHCP snooping.)

Previous DHCP snooping configuration

ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
interface fa0/1
 ip dhcp snooping trust
DHCP snooping + DAI configuration added
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip arp inspection vlan 10
interface fa0/1
 ip dhcp snooping trust
 ip arp inspection trust
#show ip arp inspection (to verify DAI status per VLAN)
#show ip arp inspection statistics
Rate limiting and err-disable recovery for both features:
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 30
!
interface fa0/2
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 8
!
interface fa0/3
 ip dhcp snooping limit rate 5
 ip arp inspection limit rate 5 burst interval 3
#show ip arp inspection interfaces
26. Network automation & programmability

26.1 Controller based networking
26.1.1 Automation concept
What is network automation?
Suppose you have 200 switches in an enterprise network that need to be configured by the network admin. Traditionally, you would configure all the devices one by one; you can imagine how much time and effort that takes.
If instead a controller did the configuration and management, the work would be faster, safer and far less prone to human error, and it would add machine intelligence to the system.
This type of networking, in which the important decisions are made by controllers, is known as "software-defined networking."
SDN & controller-based networks

We know how switches and routers do their frame and packet forwarding: switches use their MAC address tables and routers use their routing tables to forward data.
Network programmability and software-defined networking (SDN):
Software-defined networks take those concepts, improve them, and implement them with a fresh approach. The devices in the network still forward messages, but how they do it and why they do it has changed.
26.1.2 Processing planes
Stop and think about what networking devices do.
What does a router do?
What does a switch do?

Everything a networking device does can be placed in a particular plane. In networking terms, the functions of all network devices are grouped into three planes:

1. Data plane
2. Control plane
3. Management plane
What is the data plane?

It refers to the tasks a networking device performs to forward a message: receiving data, processing it, and forwarding it.
Every PDU, whether you call it a frame, a packet, or just a message, is handled by the data plane. It is also called the forwarding plane.
Data plane functions
- De-encapsulating an IP packet from an incoming data-link frame and encapsulating it in a new one (routers, L3 switches)
- Adding/removing an 802.1Q trunking header (routers and switches)
- Forwarding an Ethernet frame by matching its destination MAC address to the MAC address table (L2 switches)
- Forwarding an IP packet by matching its destination IP address to the IP routing table (routers, L3 switches)
- Encrypting the data and encapsulating it in a new IP header (IPsec VPNs)
- Translating private IP addresses to public ones and vice versa (NAT)
- Allowing or discarding a message based on a filter (ACLs and port security)
What is the control plane?
Now think about the kinds of information the data plane needs for its processing:
- A router needs routes in its routing table before it can forward packets.
- A switch needs MAC address entries in its MAC table before it can forward frames.
Control plane functions

From these examples it is clear that the information supplied to the data plane controls what the data plane does.
What controls the contents of the routing table? What controls the contents of the MAC address table?
The answer: various control plane processes.
So the control plane refers to any action that controls the data plane.
Most of these actions have to do with building the tables used by the data plane, like:
- The IP routing table,
- The IP Address Resolution Protocol (ARP) table,
- The switch MAC address table, etc.
By adding, removing, and changing entries in the tables used by the data plane, the control plane processes control what the data plane does.
Distributed planes
Traditional IP networks use both a distributed data plane and a distributed control plane.
That is, each device in the network has its own data plane and its own control plane; the functions are distributed across every device individually.
For example, OSPF, a control plane protocol, runs on each router, so it is distributed among all the routers. Once OSPF has populated the IP routing table with useful routes, the data plane on each router can forward incoming packets using that table.
Control plane protocols
Routing protocols (OSPF, EIGRP, RIP, BGP), IPv4 ARP, IPv6 NDP, STP, etc.
In short, the data plane relies on the control plane to provide it with useful information.
What is the management plane?

The control plane directly affects the behavior of the data plane. The management plane's work does not directly affect the data plane; instead, it consists of the protocols that let network engineers manage the devices.
Such management protocols include Telnet, SSH, SNMP and Syslog, etc.
Cisco switch data plane internals
To better understand SDN and network programmability, let's look at the internals of switches first. A switch may need to process millions of frames per second on each port, and even a small access switch has 24 ports, so the aggregate forwarding rate is far beyond what a general-purpose CPU can sustain.
That is why LAN switches needed a faster data plane than a general-purpose CPU running software could provide (which is how the old bridges worked). As a result, switches have always used specialized hardware for data plane processing: the switching logic runs not in the CPU as software, but in a dedicated hardware chip known as an application-specific integrated circuit (ASIC).
The ASIC needs to perform lookups in the MAC address table, so for fast lookups the switch stores the equivalent of the MAC address table in a specialized type of memory: ternary content-addressable memory (TCAM).
Instead of looping through a search algorithm, the ASIC feeds the fields to be matched, such as a MAC address value, into the TCAM, and the TCAM returns the matching table entry in a single operation.
A switch still has a general-purpose CPU and RAM as well. IOS runs on the CPU and uses the RAM, and most control and management plane functions run in IOS. The data plane function (and the control plane function of MAC learning) happens in the ASIC. Note that many routers also use hardware for data plane functions, for the same reasons that switches do.
The idea of a hardware data plane in routers is the same as in switches: use a purpose-built ASIC for the forwarding logic, and TCAM to store the required tables for fast lookup.
26.1.3 Concept of API, SBI & NBI

Controllers & software-defined architecture

As programming advanced in the networking field, specific pieces of software were built to automate the configuration and management of the network. This software is referred to as a "controller."

New networking concepts that emerged around 2010 changed the location of the control plane. Traditional networks use a distributed control plane. In the new, controller-based approaches the control plane is no longer distributed; it is centralized at a location reachable by all the network devices in the IP network.
Many of those approaches move parts of the control plane work into software that runs as a centralized application: a controller. How much control the controller holds depends on the SDN solution you design for your network.
Controllers & centralized control
A controller, or SDN controller, centralizes the control of the networking devices. In the fully centralized model, each network device still has a data plane, but none of the devices runs a control plane of its own; the controller directly programs the data plane entries into each device's tables.

The southbound interface

In a controller-based network architecture, the controller needs to communicate with the networking devices, which sit below the controller in the usual drawing.
The controller needs an interface, a way to talk to the network devices, because each device must receive its configuration (or its forwarding entries) from the controller.
The interface or protocol that connects the controller to the network devices and carries this communication is known as the SBI, the southbound interface.
Why southbound?

Because, in the conventional diagram with north at the top, the network devices are drawn south of the controller.
(Interface here means a software interface that carries communication between the controller and the networking devices; it often takes the form of an application programming interface (API).)
API – application programming interface
An API is a method for one application (program) to exchange data with another application. In other words, an API is an interface through which a program can be accessed by other programs.
(Discussed later in detail.)
SBI – an interface between a program (the controller) and a program (on the networking device) that lets the two programs communicate.
The goal: to allow the controller to program the data plane forwarding tables of the networking device.
The southbound interface – examples
 OpenFlow (from the ONF; www.opennetworking.org)
 OpFlex (from Cisco; used with ACI)
 CLI (Telnet/SSH) and SNMP (used with Cisco APIC-EM)
 CLI (Telnet/SSH) and SNMP, and NETCONF (used with Cisco Software-Defined Access)
(A comparison of SBIs goes far beyond the scope of CCNA.)
NBI – northbound interface
As discussed, a controller is responsible for configuring the control plane of the network devices. But how does a controller know what to put into the devices' tables? It cannot know by itself; it needs another interface to obtain the data required for its own processing.

In short, the controller can add entries to the networking devices' forwarding tables; but how does the controller know what to add?
The controller needs the following types of information:

- A list of all the devices in the network and their capabilities
- The interfaces on each device and the current state of each port
- The topology, that is, which devices connect to which, using which interfaces
- Device configuration: IP addresses, VLANs, etc. as configured on the devices
The controller is software running on a physical server or on a virtual machine.
Now we need an application to drive the controller itself.
That application can reside on the same server as the controller and use an NBI (which is an API) so that the two programs can communicate.
Or the application can run on some other device in the network, with the controller and the application communicating through a RESTful API.
(Discussed later.)
A controller may be written in Java, for example, and expose a Java-based native API.
By using that API to exchange data with the controller, the application can learn information about the network. The application can also program flows in the network, that is, ask the controller to add specific match/action logic (flows) into the forwarding tables of the networking devices.
Why northbound?
Because in the diagram the application sits north of the controller.
26.1.4 REST-based APIs

A REST-based (RESTful) API is a type of API that lets applications sit on different hosts, using HTTP messages to transfer data across the API. In SDN architectures like the one above, where the application runs on the same system as the controller, the API does not need to send messages over a network, because both programs run on the same system.
But when the application runs on a different system elsewhere in the network, the API needs a way to send data back and forth over an IP network, and RESTful APIs meet that need.

26.1.5 Controller types

Network programmability and SDN offer a number of options and solutions. Let's look at three, each taking a different approach to network programmability and to the degree of centralized control.
Examples of network programmability and SDN
Three SDN and network programmability solutions relevant to Cisco networks:
 OpenDaylight Controller (ODL)
 Cisco Application Centric Infrastructure (ACI)
 Cisco APIC Enterprise Module (APIC-EM)
OpenDaylight and OpenFlow
Open SDN – one form of SDN, from the Open Networking Foundation (ONF)
OpenFlow – the SBI featured by Open SDN
OpenDaylight – the name of the controller itself

The ONF – a group of users (operators) and vendors that helps establish SDN in the marketplace and defines protocols, SBIs, NBIs, and anything else that helps people implement their vision of SDN.
The ONF's Open SDN model uses a controller with an OpenFlow SBI.
The OpenDaylight Controller (ODL)

The OpenDaylight open-source SDN controller is one of the successful SDN controller platforms that emerged from the consolidation process of the 2010s.

Many different vendors worked on the OpenDaylight project, with the idea that if enough vendors cooperated on a common open-source controller, all would benefit. Each vendor could then use the open-source controller as the basis for its own products, focusing its effort on product differentiation rather than on the fundamental features.

The result was the birth of the OpenDaylight SDN controller in the mid-2010s. OpenDaylight (ODL) began as a separate project but now exists as a project managed by the Linux Foundation.
OpenDaylight and OpenFlow

The figure above shows a generalized version of the ODL architecture.

A vendor can take ODL, use the parts that make sense for it, add its own proprietary functions, and create a commercial ODL controller of its own.
The Cisco Open SDN Controller – OSC
In the 2010s, Cisco offered a commercial version of the OpenDaylight controller, called the Cisco Open SDN Controller (OSC). That controller followed the intended model for the ODL project, but Cisco no longer produces OSC.
Cisco then took a different approach to SDN by introducing the concept of intent-based networking (IBN). That move took Cisco away from OpenFlow-based SDN.
Two Cisco offerings that use an IBN approach to SDN:
- Application Centric Infrastructure (ACI) [Cisco's data center SDN product]
- Software-Defined Access (SDA) [for the enterprise campus]
26.1.6 Cisco ACI
Cisco Application Centric Infrastructure – ACI

The newer networking concepts built for data centers were designed around application architectures. Think about this for a minute. Facebook.com, for example, is a social media application; to store and access its data, data centers at the back end support the application's functions. The same is true for WhatsApp, Telegram, etc. So modern data centers are built, above all, to serve applications.
As a result, Cisco made the network infrastructure application-centric, hence the name of the Cisco data center SDN solution: Application Centric Infrastructure, or ACI.
26.1.7 Spine & leaf network design
Cisco ACI uses a specific physical switch topology called spine and leaf. With ACI, the physical network has a number of spine switches and a number of leaf switches, as shown in the following figure.
Spine & leaf architecture rules:
- Each leaf switch must connect to every spine switch
- Each spine switch must connect to every leaf switch
- Leaf switches cannot connect to each other
- Spine switches cannot connect to each other
- Endpoints connect only to the leaf switches
Because of these rules, any two endpoints on different leaf switches are exactly two switch hops apart (leaf, spine, leaf), and there are as many equal-cost paths between them as there are spine switches.

The endpoints can include connections to devices outside the data center, like the router on the left of the figure. By volume, though, most of the endpoints will be physical servers running a native OS, or servers running virtualization software with numbers of VMs and containers, as shown in the center of the figure.
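The five rules above are mechanical enough to check automatically, which is useful when reviewing a cabling plan or a topology export. The following is an added example written for these notes (not code from the original book or from Cisco ACI): a checker for the spine-and-leaf rules plus a helper that counts the two-hop paths between two leaves, run against a constructed topology. The switch names, endpoint names and link list are made up for the demo.

```python
# Added example (not from the original notes or from Cisco ACI): a checker for the
# spine-and-leaf rules applied to a constructed topology. Switch names, endpoint
# names and the link list are made up for the demo.


def spine_leaf_violations(spines, leaves, links, endpoints):
    """Return a sorted list of rule violations (an empty list means the topology is valid).
    links: iterable of (a, b) switch pairs; endpoints: dict endpoint -> attached switch."""
    spines, leaves = set(spines), set(leaves)
    linkset = {frozenset(pair) for pair in links}
    problems = []
    # Rules 1 and 2: a full mesh between every leaf and every spine
    for leaf in sorted(leaves):
        for spine in sorted(spines):
            if frozenset((leaf, spine)) not in linkset:
                problems.append(f"missing link {leaf} <-> {spine}")
    # Rules 3 and 4: no leaf-to-leaf and no spine-to-spine links
    for pair in linkset:
        a, b = sorted(pair)
        if a in leaves and b in leaves:
            problems.append(f"leaf-to-leaf link {a} <-> {b}")
        if a in spines and b in spines:
            problems.append(f"spine-to-spine link {a} <-> {b}")
    # Rule 5: endpoints attach only to leaf switches
    for endpoint, switch in sorted(endpoints.items()):
        if switch not in leaves:
            problems.append(f"endpoint {endpoint} attached to non-leaf {switch}")
    return sorted(problems)


def leaf_paths(spines, links, src_leaf, dst_leaf):
    """Spines that provide a two-hop path src_leaf -> spine -> dst_leaf.
    In a valid fabric every spine qualifies, so the count equals the number of spines."""
    linkset = {frozenset(pair) for pair in links}
    return [spine for spine in sorted(spines)
            if frozenset((src_leaf, spine)) in linkset and frozenset((spine, dst_leaf)) in linkset]


def demo():
    spines = ["S1", "S2"]
    leaves = ["L1", "L2", "L3"]
    good_links = [(leaf, spine) for leaf in leaves for spine in spines]
    good_endpoints = {"server1": "L1", "vm-host2": "L2", "wan-router": "L3"}
    good = spine_leaf_violations(spines, leaves, good_links, good_endpoints)
    # A broken variant: a leaf-to-leaf cable, a missing uplink and a server cabled to a spine
    bad_links = [link for link in good_links if link != ("L3", "S2")] + [("L1", "L2")]
    bad_endpoints = dict(good_endpoints, server9="S1")
    bad = spine_leaf_violations(spines, leaves, bad_links, bad_endpoints)
    return {
        "good": good,
        "bad": bad,
        "paths_L1_L3": leaf_paths(spines, good_links, "L1", "L3"),
        "paths_L1_L3_broken": leaf_paths(spines, bad_links, "L1", "L3"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```

The broken variant shows why the rules matter operationally: losing the L3 to S2 uplink halves the equal-cost paths into L3, while the extra leaf-to-leaf cable creates a path the fabric's forwarding model does not expect.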

26.1.8 Intent-based networking

ACI model with intent-based networking
The model that Cisco defines for ACI uses the concepts of endpoints and policies. The endpoints are the VMs, containers, or traditional servers with the OS running directly on the hardware. ACI then uses the Application Policy Infrastructure Controller (APIC, the name of the controller for ACI) for policy creation and management.

To understand how ACI works and what the APIC does, consider the application architecture of a typical enterprise web app, Facebook.com for example.
Generally, a web application is a combination of three different kinds of servers:
 Web server:
Users from outside the data center connect to a web server, which sends web page content to the user.
 App (application) server:
Because most web pages contain dynamic content, the app server does the processing to build the next web page for that particular user based on the user's profile and latest actions and input.
 DB (database) server:
Many of the app server's actions require data; the DB server retrieves and stores the data as requested by the app server.

In the ACI model, the endpoints of each kind are grouped into an endpoint group (EPG): for example, all the web servers form one EPG, all the app servers another, and all the DB servers a third.
Using the intent-based networking (IBN) model, the controller must then be told, by a network engineer or by an automation program, the access policies: which EPGs should be able to communicate (and which should not).

For example, the routers that connect to the network outside the data center should be able to send packets to all the web servers, but not to the app servers or the DB servers.
Endpoint groups and policies

Notice that in such an architecture we no longer talk about physical interfaces, about which port should be assigned to which VLAN, or about which ports should be added to which EtherChannel; the discussion moves to an application-centric view of what should happen in the network.

To make it all work, ACI uses a centralized controller called the Application Policy Infrastructure Controller (APIC). The name describes the function: it is the controller that creates application policies for the data center infrastructure.

The APIC takes the intent (EPGs, policies, and so on) and translates it into device configuration, which completely changes the operational model away from configuring VLANs, trunks, EtherChannels, ACLs, and so on by hand.
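To see what "intent" means in practice, here is an added example written for these notes (it is not the APIC object model, not the ACI API, and not code from the original book): a toy policy evaluator that expresses the web/app/DB example above as endpoint groups and the contracts permitted between them, then answers "may this endpoint talk to that one on this port?" and shows that a newly added web server inherits its group's policy. Endpoint names, EPG names, port numbers and the contract list are constructed for the demo.

```python
# Added example (not from the original notes, and not the APIC object model or API):
# a toy evaluator for the endpoint-group/policy idea. Endpoint and EPG names, port
# numbers and the contract list are constructed for the demo.


class IntentPolicy:
    def __init__(self, epgs, contracts):
        self.epgs = {name: set(members) for name, members in epgs.items()}
        # contracts: set of (consumer EPG, provider EPG, TCP port) tuples that are permitted
        self.contracts = set(contracts)

    def epg_of(self, endpoint):
        for name, members in self.epgs.items():
            if endpoint in members:
                return name
        raise KeyError(f"{endpoint} is not a member of any EPG")

    def add_endpoint(self, epg, endpoint):
        """A new server joins an EPG and inherits its policy; nothing per port or per VLAN changes."""
        self.epgs[epg].add(endpoint)

    def permitted(self, src, dst, port):
        """Does the intent allow traffic from `src` to `dst` on `port`?"""
        s, d = self.epg_of(src), self.epg_of(dst)
        if s == d:
            return True                          # members of one EPG may talk freely
        return (s, d, port) in self.contracts    # otherwise a contract must allow it

    def matrix(self, port):
        """Which EPG pairs may communicate on `port`: the overview an operator asks for."""
        names = sorted(self.epgs)
        return {(s, d): (s == d or (s, d, port) in self.contracts) for s in names for d in names}


def demo():
    policy = IntentPolicy(
        epgs={
            "external": {"wan-router"},
            "web": {"web1", "web2"},
            "app": {"app1"},
            "db": {"db1"},
        },
        contracts={
            ("external", "web", 443),   # users from outside reach the web tier only
            ("web", "app", 8080),       # the web tier calls the app tier
            ("app", "db", 3306),        # the app tier queries the database
        },
    )
    r = {
        "ext_to_web": policy.permitted("wan-router", "web1", 443),
        "ext_to_app": policy.permitted("wan-router", "app1", 8080),
        "ext_to_db": policy.permitted("wan-router", "db1", 3306),
        "web_to_app": policy.permitted("web2", "app1", 8080),
        "web_to_db": policy.permitted("web1", "db1", 3306),
        "app_to_db": policy.permitted("app1", "db1", 3306),
        "web_to_web": policy.permitted("web1", "web2", 22),
        "matrix_443_ext_web": policy.matrix(443)[("external", "web")],
    }
    policy.add_endpoint("web", "web3")          # scale out the web tier; policy follows the EPG
    r["ext_to_new_web"] = policy.permitted("wan-router", "web3", 443)
    r["new_web_to_db"] = policy.permitted("web3", "db1", 3306)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```

The point the toy makes is the one the text makes: the operator states which groups may talk and on what, and membership drives enforcement, so adding web3 required no new ACL line, VLAN assignment or trunk change. Real ACI contracts carry filters, directions and more, but the evaluation model is the same shape.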
26.1.9 Cisco APIC-EM
While Cisco was defining network automation for the enterprise, it faced a challenge: the vast installed base of its own traditional products in its customers' networks.
APIC-EM basics:

Cisco rejected the idea of requiring customers to replace all of their existing hardware with new hardware built for an enterprise-wide SDN solution. Instead, Cisco looked for ways to add the benefits of network programmability with a centralized controller while keeping the traditional switches and routers in place.

APIC-EM does not directly program the data or control planes; it interacts with the management plane via Telnet, SSH, and/or SNMP. Through those it can query and learn the configuration and operational state of each device, and then reconfigure each device.
APIC-EM replacement

Cisco announced the end of marketing for the APIC-EM product at the time it announced the new CCNA 200-301 exam in 2019.
We have kept a small section on it because many of the functions of APIC-EM have become core features of the Cisco DNA Center (DNAC) product, so they are worth learning for a better understanding of DNA Center.
(Discussed in coming sections.)
OpenFlow, ACI, APIC-EM – comparison

Criteria                                                    OpenFlow       ACI         APIC-EM
----------------------------------------------------------  -------------  ----------  ----------
Changes how the device's control plane works                Yes            Yes         No
vs. traditional networking
Creates a centralized point from which humans               Yes            Yes         Yes
and automation control the network
Degree to which the architecture centralizes                Mostly         Partially   None
the control plane
SBIs used                                                   OpenFlow       OpFlex      CLI, SNMP
Controllers mentioned                                       OpenDaylight   APIC        APIC-EM
Organization that is the primary owner                      ONF            Cisco       Cisco
Comparing Traditional Versus Controller-Based Networks


- Explain how automation impacts network management
- Compare traditional networks with controller-based networking
- Compare traditional campus device management with Cisco DNA Center enabled
device management
26.1.10 Network management
There are two aspects of network management:
- Configuration management
- Operational management
Configuration management
Configuration management refers to any feature that changes device configuration; automated configuration management does so under software control. For example, Cisco's ACI uses the APIC controller to push configuration.
Operational management
Operational management includes monitoring, and gathering and reporting operational data.
Terms used for controller-based networking

The following newer terms are used when talking about controllers and controller-based networking:
 Software-Defined Networking
 Software-Defined Architecture
 Programmable Networks
 Controller-Based Networks
26.1.11 How Automation Impacts Network Management
Consider the following example:
APIC-EM and DNA Center (its successor) both provide a feature called Path Trace.

Path Trace shows the path a packet takes from source to destination and explains the forwarding logic applied at each node.

Compare the two ways of getting that answer: the traditional approach (logging in to each device and reading the output of show commands, or writing a script that does so) and the automation approach (asking DNA Center through its northbound API, while the controller talks to the devices through its southbound interfaces). In the second option the controller does almost all of the work; in the first, most of the work is left to you and your program.


The second option is only possible because of a centralized controller. The controller gathers the data it needs (device configuration and forwarding table information) from the devices through its SBIs, analyzes it, and exposes the result (here, the path) to users and applications through its NBI. Cisco controllers go beyond raw collection and derive much more useful information from that data. Path Trace is just one example; the power of these APIs is considerable.
26.1.12 Traditional v/s controller-based networks
Controller-based networks:
 Make it easier to automate networking functions than in traditional networks.
 Make it possible to automate functions that were not easily automated without a controller.
 Greatly reduce the time taken to complete projects, because the network engineer need not think about every command on every network device.
Cisco's three most commonly seen controller-based models, each for a different type of network:
1. Software-Defined Access (SDA) – for campus LANs
2. Software-Defined WAN (SD-WAN) – for WAN solutions
3. Application Centric Infrastructure (ACI) – for data centers

Intent-based networking (IBN) became possible only through controller-based architectures. The new operational model allows configuring the network as a whole rather than per-device configuration, and the automation features exposed through the controller's northbound APIs allow third-party applications to configure the network automatically.

26.2 Software-Defined Access – SDA

SDA uses an SDN approach to build a converged wired and wireless campus LAN.
Access – refers to the end devices that access the network.
Software-Defined – refers to the software-defined architectural features discussed in earlier sections.

Those features include a centralized controller (DNA Center) with southbound and northbound protocols and APIs.

It also includes a completely different operational model inside SDA, with a network fabric composed of an underlay network and an overlay network.
In the 2010s, Cisco re-invented its campus networking model, and SDA was the result.
SDA still uses a physical network of switches, routers, cables and endpoints.
DNA Center is the controller for SDA networks.


SDA is the implementation of Cisco DNA for campus networks; it uses the DNA Center controller to configure and operate the SDA fabric.

26.2.1 SDA – fabric, overlay & underlay

On the southbound side of the controller sit the fabric, the underlay and the overlay.
 Overlay:
The mechanisms to create VXLAN tunnels between SDA switches, which are then used to transport traffic from one fabric endpoint to another over the fabric.
 Underlay:
The underlay network looks like a traditional network architecture, with several devices and links, and provides IP connectivity between the switches.
 Fabric:
The underlay and the overlay together make up the SDA fabric.
SDA – Underlay

In simple words, the underlay is the set of multilayer switches and their links, with IP connectivity between them. On top of that IP connectivity, the overlay uses a tunneling method called VXLAN. Traffic sent by the endpoint devices flows through VXLAN tunnels in the overlay, a completely different process from traditional LAN switching and IP routing.


For example, think about sending packets from hosts on the left of a network, over SDA, to hosts on the right.

To build an SDA underlay network, a company has two choices:

1. Use its existing campus network and add new configuration to create an underlay, while still supporting existing production traffic with traditional routing and switching (a brownfield deployment).
2. Purchase new switches and build the SDA network without concern for harming existing traffic, then migrate endpoints to the new SDA network over time (a greenfield deployment).
The issues with using existing hardware include:
- The existing hardware and software must be compatible with the SDA architecture.
- Because of the risk of harming the existing production configuration, DNA Center should not be used to configure the underlay on devices already running in production; those keep their engineer-written configuration, and DNA Center configures only the new hardware.
How to check device compatibility with SDA?
Look for the hardware compatibility list at www.cisco.com/go/sda
You will see different lists of supported hardware and software depending on the device roles.
The SDA Underlay – device roles
Fabric edge node:
A switch that connects to endpoint devices. (Similar to traditional access switches)


Fabric border node
A switch that connects to devices outside SDA's control, for example, switches that connect to the WAN routers or to an ACI data center.
Fabric control node
A switch that performs special control plane functions for the underlay, which requires more device resources (CPU and RAM).
For example, according to Cisco's compatibility list:
Many Catalyst 9300, 9400 and 9500 switches, and also some smaller Catalyst 3850 and 3650 switches, can work as fabric edge nodes, but the Catalyst 2960X and 2960XR cannot.
When beginning an SDA project:
- Look at the existing hardware and software.
- Decide whether the existing campus is a good choice to build the fabric with existing devices, or
- Upgrade the hardware when building the new campus LAN.
26.2.2 Routed access layer design
Traditional access layer design:

- Distribution-layer Layer 3 switches act as the default gateway for hosts.
- HSRP (or another FHRP) provides gateway redundancy.
- STP/RSTP prevents loops in the Layer 2 switched network.
- Access switches have more than one uplink to the distribution layer switches, often bundled as Layer 2 EtherChannels, for redundancy.


On the other hand, the SDA fabric uses a routed access layer design. SDA makes good use of this design, and it works very well for the underlay, whose goal is to support VXLAN tunnels in the overlay network.
Routed access layer design:
All the LAN switches are Layer 3 switches with routing enabled, so all the links between switches operate as Layer 3 links. A greenfield SDA deployment (one using all new devices) lets DNA Center configure the devices' underlay to use a routed access layer, with the best underlay configuration to support SDA.
Features of the routed access layer design:
- All switches act as Layer 3 switches, even at the access layer.
- All links between switches (single links or EtherChannels) are routed Layer 3 links, not Layer 2 links.
- The switches use the IS-IS routing protocol for IP connectivity, so STP/RSTP is not needed: the routing protocol chooses which links to use based on the IP routing tables.
- The equivalent of a traditional access layer switch, an SDA edge node, acts as the default gateway for the endpoint devices, not the distribution switches, so HSRP (or any FHRP) is no longer needed.
Benefits of SDA fabric with layer 3 access

The SDA Overlay

The following process takes place, when an endpoint sends a frame to be delivered across
the SDA network.


The first SDA node that receives the frame encapsulates it in a new message using a tunneling method called VXLAN and forwards it into the SDA fabric. The other SDA nodes forward the message based on the VXLAN tunnel details (the outer IP header), not on the original frame. Finally, the last SDA node removes the VXLAN details and forwards the original frame toward the destination endpoint.
All of this work happens in the ASIC of each switch, so there is no performance penalty for the switches to do this extra work. (That is one of the conditions behind the SDA hardware compatibility list: the switches must have ASICs that can perform the VXLAN work.)
The use of VXLAN tunnels opened up a number of new networking features that did not exist without VXLAN.
26.2.3 Concept of VXLAN tunnel
VXLAN Tunnels in the Overlay (Data Plane)
 The VXLAN encapsulation supplies the header fields that SDA needs for its features, so the tunneling protocol is flexible and extensible while still being supported by the switch ASICs.
 It encapsulates the entire data link frame instead of encapsulating only the IP packet.
 This allows SDA to support Layer 2 forwarding features as well as Layer 3 forwarding features.
26.2.4 DNA Center & SDA
Cisco DNA Center with SBI and NBI


Cisco DNA Center can serve two important roles:

1. As the controller in a network that uses Cisco SDA
2. As a network management platform for traditional (non-SDA) network devices
Cisco DNA Center is a software application that Cisco delivers pre-installed on a Cisco DNA Center appliance.
DNA Center and SDA Operation
Cisco DNA Center includes a northbound REST API along with multiple southbound APIs.

For us, the northbound API matters most, because as users of SDA networks we interact with SDA through Cisco DNA Center's northbound REST API or its GUI.
On the southbound side, two categories of protocols are used:
1. Protocols to support traditional networking devices and software versions: Telnet, SSH and SNMP (to support older Cisco devices and IOS versions). Telnet and SNMPv1/v2c carry credentials and community strings in cleartext, so SSH and SNMPv3 should be preferred wherever the device supports them.
2. Protocols to support more recent networking devices and software versions: NETCONF and RESTCONF.
Cisco DNA Center and Scalable Groups
Cisco DNA Center provides many features beyond those of traditional network management. Let's understand the operational model of Cisco DNA Center by taking one particular example: Scalable Groups.
Issues with Traditional IP-Based Security
Working as a network engineer, when you are given the task of configuring the ACLs on a router, you receive requests from many people (bosses, managers, project teams) and many situations, each demanding different ACL entries, known as ACEs (access control entries).
Suppose you leave the company and a new engineer is hired to take over your work.

Looking at the configuration you left behind, no engineer could tell from the ACL whether any of its lines could safely be removed. He or she can never know whether an ACE serves one requirement or many.
Even if a requirement is removed, and they are told which old project caused the original requirement so that they could look at the notes, they still could not know whether removing those ACEs would harm other requirements.
In short, ACL management suffers from issues like:

- Dependence of one ACE on others
- Difficulty in implementing new ACEs, and
- Troubleshooting problems with existing ACLs


26.2.5 Example of automation policies

SDA Security Based on User Groups

Now imagine that you could implement security without thinking about ACLs at all. Imagine that over time there were five different security requirements. Each time, the engineer would define the new policy in DNA Center as a separate policy.
DNA Center – northbound IP security policies – to simplify operations

26.2.6 IBN concept

The previous figure helps us understand the concept of IBN.
IBN – Intent-Based Networking.
Intent – the desired outcome from the network. In this case, the intent is a set of security policies; the controller works out the device configuration needed to deliver it.
Problems solved by SDA & DNA Center
Each new security requirement can be considered and configured separately, without analyzing an existing (lengthy) ACL.
Each policy can be removed later without fear of impacting the logic of the other policies, because all policies are independent of each other.
SDA Security Based on User Groups
This goal is achieved by tying security policies to groups of users.
These groups of users are called "Scalable Groups."
Each group is assigned a different "Scalable Group Tag (SGT)."


Look at the following grid of configuration designed by a network engineer and try to identify which SGTs can send packets to which other SGTs.
Access table for SDA scalable group access

Source \ Destination    A         B         C
A                       Permit    Deny      Permit
B                       N/A       Permit    Deny
C                       Permit    Permit    Permit

Understanding DNA Center forwarding logic

Remember the example where an endpoint tried to send a packet to another endpoint.
The ingress SDA node starts a process by sending messages to DNA Center. DNA Center then works with security tools in the network, like Cisco's Identity Services Engine (ISE), to identify the users and match them to their respective SGTs.
DNA Center then checks the source and destination SGTs against the grid designed earlier.

If DNA Center sees a permit action for the source/destination pair of SGTs, it directs the edge nodes to create the VXLAN tunnel, as shown in the following figure. If the security policies say the two SGTs should not be allowed to communicate, DNA Center does not direct the fabric to create the tunnel, and the packets do not flow.
Vxlan header with source & destination SGTs


The above figure shows why SDA uses VXLAN encapsulation for its data plane rather than traditional Layer 2 switching or Layer 3 routing: the VXLAN header carries the SGT information along with the original frame.
So this single example of using SGTs makes it evident that Cisco DNA Center is more than a management platform: it acts as a controller of the activities in the network, providing a much more powerful set of features and capabilities.
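The encapsulation from 26.2.3 and the scalable-group check from the grid above, worked through as an added example. This is illustrative code written for these notes, not Cisco's implementation and not how a Catalyst ASIC or DNA Center actually performs the work. It assumes the VXLAN header layout of RFC 7348 with the Group-Based Policy extension (draft-smith-vxlan-group-policy), in which a 16-bit Group Policy ID carries the source SGT and the destination SGT is looked up from the destination endpoint; the figure above shows both tags, but the draft header has room for only one. The SGT values 10/20/30 for groups A/B/C, the VNI and the inner frame are made-up sample data.

```python
"""VXLAN-GBP encapsulation carrying a Scalable Group Tag, plus the scalable-group
policy check from the A/B/C grid. Added example for these notes; assumptions:
RFC 7348 VXLAN header with the Group-Based Policy extension, SGT values and the
sample frame are invented."""
import struct

VXLAN_UDP_PORT = 4789
FLAG_G = 0x80   # Group Policy ID field is valid
FLAG_I = 0x08   # VNI field is valid

GROUP_TAGS = {"A": 10, "B": 20, "C": 30}   # assumed SGT values for the example
# Access grid from the notes: POLICY[source][destination]
POLICY = {
    "A": {"A": "Permit", "B": "Deny",   "C": "Permit"},
    "B": {"A": "N/A",    "B": "Permit", "C": "Deny"},
    "C": {"A": "Permit", "B": "Permit", "C": "Permit"},
}
# Constructed inner Ethernet frame: broadcast dst, sample src MAC, IPv4 ethertype
SAMPLE_FRAME = bytes.fromhex("ffffffffffff 001122334455 0800") + b"constructed payload"


def encap_vxlan_gbp(inner_frame: bytes, vni: int, src_sgt: int) -> bytes:
    """Prepend the 8-byte VXLAN-GBP header. Layout, big-endian:
    flags(8) | policy flags(8) | Group Policy ID(16) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= src_sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits")
    header = struct.pack("!BBHI", FLAG_G | FLAG_I, 0, src_sgt, vni << 8)
    return header + inner_frame


def decap_vxlan_gbp(message: bytes):
    """Return (vni, src_sgt_or_None, inner_frame). Malformed headers are
    rejected rather than guessed at, so a bad tunnel packet cannot smuggle a tag."""
    if len(message) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _policy_flags, gpid, vni_res = struct.unpack("!BBHI", message[:8])
    if not flags & FLAG_I:
        raise ValueError("VNI flag not set")
    src_sgt = gpid if flags & FLAG_G else None
    return vni_res >> 8, src_sgt, message[8:]


def policy_allows(src_group: str, dst_group: str) -> bool:
    """Only an explicit Permit opens the path; Deny, N/A and unknown groups all
    fail closed."""
    return POLICY.get(src_group, {}).get(dst_group) == "Permit"


def ingress_edge_forward(inner_frame: bytes, vni: int, src_group: str, dst_group: str):
    """What the ingress edge node does once the controller has mapped both
    endpoints to groups: return the encapsulated message, or None when the grid
    says the packets must not flow."""
    if not policy_allows(src_group, dst_group):
        return None
    return encap_vxlan_gbp(inner_frame, vni, GROUP_TAGS[src_group])


def egress_edge_receive(message: bytes, dst_group: str):
    """Egress side: recover the frame and re-check the grid using the SGT carried
    in the header, so enforcement does not rely on the ingress node alone."""
    vni, src_sgt, frame = decap_vxlan_gbp(message)
    src_group = next((g for g, t in GROUP_TAGS.items() if t == src_sgt), None)
    if src_group is None or not policy_allows(src_group, dst_group):
        return None
    return vni, frame


if __name__ == "__main__":
    msg = ingress_edge_forward(SAMPLE_FRAME, 4099, "A", "C")
    print("A -> C encapsulated header:", msg[:8].hex())
    print("A -> B forwarded:", ingress_edge_forward(SAMPLE_FRAME, 4099, "A", "B") is not None)
```

Two design points worth noticing: the policy check fails closed (Deny, N/A and an unknown group are all treated as deny), and the egress node re-derives the source group from the tag in the header and checks the grid again, so enforcement does not depend on the ingress node alone. The same code also shows why the underlay must not accept VXLAN from untrusted sources: whoever can inject into the tunnel chooses the tag.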
26.2.7 Network management platform
In this part, we discuss Cisco's traditional enterprise network management platform, Cisco Prime Infrastructure (PI), and the newer Cisco platform, Digital Network Architecture (DNA) Center. We look at the features of each and then compare them.
For many years, Cisco Prime Infrastructure has been Cisco's primary network management product for the enterprise.
26.2.8 Cisco Prime Infrastructure as network management platform
Cisco PI as a Network Management Platform
It provides:
 A single console for all management functions
 Discovery, inventory and topology of network devices
 Support for all kinds of networks
 Management of all functions of a device (lifecycle management)
 Application visibility
 Converged wired and wireless network management
 Plug-and-Play (automated onboarding of new devices)
Cisco PI runs as an application on a server platform with GUI access via a web browser. The PI server can be purchased from Cisco as a software package to be installed and run on your own servers, or as a physical appliance.
26.2.9 Cisco DNA Center as network management platform
DNA Center as a Network Management Platform
Having seen the features of Cisco PI, let's compare and contrast DNA Center with traditional management tools like PI.
Traditional Management v/s DNA Center
(Tip: search for "DNA Center topology map" and try it in the Cisco DevNet sandbox.)
DNA Center can work alongside PI, using the data already discovered by PI rather than performing the discovery work again.


The biggest difference that really makes Cisco DNA Center stand out:
Cisco DNA Center supports SDA, whereas other management apps do not.

On the other hand, Cisco PI still has some traditional management features which are not found in Cisco DNA Center. Cisco DNA Center has many of those features (not all), with its main focus on newer features like SDA support.

Cisco intends to keep updating Cisco DNA Center's traditional network management features to make it equivalent to Cisco PI, to the point that one day DNA Center could replace PI.
Cisco is focusing the development of Cisco DNA Center features on:
- Simplifying the work done by enterprises,
- With resulting reduced costs, and
- Faster deployment of changes.
Cisco DNA Center helps:
- To make initial installation easier
- To simplify the work to implement features that traditionally have challenging configuration (like QoS), and
- To use tools that help you notice issues more quickly.
Some of the features unique to Cisco DNA Center include:
 EasyQoS: deploy QoS settings across the network based on the applications to prioritise, without hand-writing per-device QoS configuration.
 Encrypted traffic analysis: detect malware inside encrypted flows from flow metadata, without decrypting the traffic.
 Device 360 & Client 360: a health view for a single device or client, including its history.
 Network time travel: view the network's state as it was at a point in the past, for troubleshooting after the fact.
 Path trace: show the path a packet takes through the network, with the forwarding logic at each hop.

By providing Digital Network Architecture (DNA, as the set of all these tools), Cisco is committed to helping its customers achieve their bigger goals, which include:
- Reduced costs and risks
- Better security
- Faster deployment of services through automation and simplified processes
- And the list goes on
Cisco DNA Center represents the future of network management for Cisco enterprise customers.


26.3 Understanding REST and JSON

26.3.1 Understanding APIs

Software is not smart; it only does what we tell it to do. A piece of software can do its own work, but by itself it has no idea how to connect to and work with another piece of software.
Yet today's world is one of interconnectivity; practically everything is connected to everything else. Open "amazon.com", for example, and you find thousands of hyperlinks, not all of them Amazon's own, but all connected to Amazon somehow.
How is that possible? How do two pieces of software interconnect? How does data get from source to destination as a request, and back to the source as a reply? How do different devices and applications connect with each other to make a reservation, place an order or book a flight?

It is all possible using Application Programming Interfaces (APIs). But what exactly is an API? The API is the unsung hero of the programming world.

It is a messenger that takes requests from your side, tells the system what you want to do, and returns the response to you. It is like a waiter in a restaurant: you place an order, the chef (the system) waits in the kitchen for the waiter to deliver it, and then prepares only what you ordered, exactly as the waiter (the API) described it.
Applications use APIs to communicate with each other. APIs allow programs running on different computers to work cooperatively, exchanging data to achieve some goal.


Software developers add APIs to their software so that other applications can make use of its features. To write an application, a developer writes some code, but most of the time the developer first looks for an API that already provides the data and functions needed, reducing the amount of new code to write.

Many APIs exist, each with a different set of features to meet a different set of needs. The modern software development approach is to use prebuilt software to accomplish tasks rather than writing everything from scratch.
The CCNA blueprint mentions one type of API, REpresentational State Transfer (REST), because of its popularity in network automation applications.
26.3.2 RESTful APIs
The CCNA blueprint highlights three attributes of a RESTful API (REST defines six constraints in total; these three are the ones that matter most here):
 Client/server architecture
 Stateless operation
 Clear statement of cacheable/uncacheable
Client/Server Architecture
1. The REST client executes a REST API call, which generates a message that is then sent to the REST server.
2. The REST server has API code that considers the request and decides how to reply.
3. Finally, the REST server sends back a reply message carrying the requested data variables.

Many REST APIs use HTTP, but the use of HTTP is not a must for an API to be considered RESTful.


Stateless Operation
REST does not record information about one API exchange for use when processing another exchange. Each request is processed without reference to any past history, so all API requests are independent of one another. In practice this means every request must carry everything the server needs, including its own authentication (a token or credentials), rather than relying on a session established earlier.
Cacheable (or Not)
Cacheable means that information obtained on a first request can be saved so that time and resources are saved on subsequent requests.
Let's understand it with the example of opening a web page.
The first time, all of the data (images, logos, text, etc.) is loaded from the server. Some of that data is then stored on the client for faster processing the next time. This is caching.

Some data is cacheable, like the company name and logo, but some is not, like product and price lists, and the API (or the HTTP headers it uses) must state clearly which is which.
26.3.3 Basics of programming
To understand the upcoming topics, it is better to have some introductory understanding of basic programming concepts, especially data and variables.
Variables

All applications need data to process. This data is provided as input to the application in the form of variables, and the program then processes it. There are simple variables and complex variables.
Variables are required for:
- Making comparisons
- Making decisions, and
- Performing mathematical formulas to analyze the data.
So, in simple words:
A variable is a name or label that has a value assigned to it.
This value can be:
- Unsigned integers (X = 7)
- Signed integers (Y = -9)
- Floating point numbers (Z = 1.234)
- Text (Output = "And the winner is ")


These are examples of simple variables.

Simple variable: one value assigned to one variable name.
All program logic uses variables. For example:
If a switch's G0/0 interface has the configuration setting switchport mode dynamic auto, then more variables are needed (the neighbor's setting and the negotiated result) to determine whether the interface currently operates as a trunk or as an access port.
Complex variables & data structures
Data structure – a related set of variables and values.
These related sets of values are used as complex variables.
For example: list variables and dictionary variables.
List Variables
A list variable means one variable name is assigned not a single value but a list of values.
If you are writing a network automation program, you would want to have lists like:
- The list of network devices being managed
- The list of interfaces on a device, and
- The list of configuration settings on an interface.
For example:
list1 = ["gig0/0/0", "gig0/0/1", "gig0/0/2"]
You can see that the list here is not a single value but a set of three text values.
Dictionary Variables
Similar to a list, Python also supports another data structure called a "dictionary."
As with a real dictionary, which holds a series of paired objects (a term and its definition), a dictionary data structure holds key: value pairs:

Key      Value
Speed    Auto
Duplex   Auto
IP       192.168.1.1


26.3.4 HTTP and REST APIs

APIs are used so that two programs can exchange data with each other. Some APIs are designed as an interface between programs running on the same computer, so the communication happens within a single operating system: client and server are on one computer.
Other APIs need to be available to programs that run on other computers, so client and server are on two different computers. In that case the API must define the networking protocol it runs over so that it can transfer data, and many REST-based APIs use the HTTP protocol.
Why HTTP?
Because HTTP uses the same principles as REST:
- It operates with a client/server model
- It uses a stateless operational model; and
- It includes headers that clearly mark objects as cacheable or not cacheable
26.3.5 CRUD actions of software
The software industry uses a memorable acronym, CRUD, for the four primary actions performed by an application:
 Create: allows the client to create new instances of variables and data structures at the server and initialize their values as kept at the server.
 Read: allows the client to retrieve (read) the current value of variables that exist at the server, storing a copy of the variables, structures and values at the client.
 Update: allows the client to change (update) the value of variables that exist at the server.
 Delete: allows the client to delete instances of data variables from the server.
26.3.6 HTTP verbs
HTTP uses verbs that mirror the CRUD actions. HTTP defines the concept of an HTTP request and reply, with the client sending a request and the server answering back with a reply. Each request lists an action verb in the HTTP request header, which defines the HTTP action.


In simple words, the HTTP verb in the HTTP header tells the server what to do with the request and what kind of reply to give back to the client. The HTTP message also includes a URI, which identifies the resource that the client is trying to access.
HTTP request header including verbs & URI

To understand HTTP, ignore REST for a while.

Whenever you open a web browser and click a link, your browser generates an HTTP GET request message. The message includes an HTTP header with the GET verb and the URI. The resources returned in the reply are the components of a web page, like text files, image files and video files.
Software CRUD Actions & HTTP Verbs

Action                                        CRUD term   REST (HTTP) verb
Create new data structures & variables        Create      POST
Read variable names, structures & values      Read        GET
Update/replace values of some variables       Update      PUT (PATCH for a partial update)
Delete some variables & data structures       Delete      DELETE
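The client/server, stateless and cacheable properties from 26.3.2, together with the CRUD-to-verb mapping above, in one runnable handler. This is an added example written for these notes, not code from DNA Center or any Cisco API: the /api/v1/interfaces resource path, the bearer token, the response schema and the interface records are all assumptions made for the example, and the function receives the already-parsed request fields instead of a real HTTP connection.

```python
"""A tiny REST-style handler mapping HTTP verbs to CRUD actions on a store of
interface records. Added example for these notes, not a Cisco API; the path,
token, schema and records are invented."""
import ipaddress
import json
import re
import secrets

API_TOKEN = "example-token-123"            # assumed static token, example only
NO_STORE = {"Cache-Control": "no-store"}   # never cache errors or credentialed replies
# Only well-formed interface names are accepted; anything else (including ../)
# never reaches the store.
PATH_RE = re.compile(r"/api/v1/interfaces(?:/(?P<name>[A-Za-z]+\d+(?:/\d+)*))?")
SCHEMA = {"ip_address": str, "ip_mask": str, "speed": int}


def sample_store():
    """Constructed server-side state: one dictionary variable per interface."""
    return {"GigabitEthernet0/0": {"ip_address": "192.168.1.1",
                                   "ip_mask": "255.255.255.0", "speed": 1000}}


def validate_settings(data):
    """Accept only the documented keys with the documented types, so a client
    cannot store attacker-chosen fields or a string where a number is expected."""
    if not isinstance(data, dict) or set(data) != set(SCHEMA):
        raise ValueError("unexpected keys")
    for key, typ in SCHEMA.items():
        if type(data[key]) is not typ:           # bool is rejected for int on purpose
            raise ValueError(f"bad type for {key}")
    ipaddress.IPv4Address(data["ip_address"])    # raises ValueError on garbage
    ipaddress.IPv4Address(data["ip_mask"])
    return data


def handle_request(method, path, headers, body, store):
    """Return (status, response_headers, body_dict). Stateless: every request
    carries its own token and nothing is remembered between calls."""
    token = headers.get("Authorization", "").encode("utf-8")
    if not secrets.compare_digest(token, ("Bearer " + API_TOKEN).encode("utf-8")):
        return 401, NO_STORE, {"error": "unauthorized"}
    m = PATH_RE.fullmatch(path)
    if not m:
        return 404, NO_STORE, {"error": "no such resource"}
    name = m.group("name")

    if method == "GET":                          # Read
        if name is None:                         # collection: safe to cache briefly
            return 200, {"Cache-Control": "max-age=60"}, {"interfaces": sorted(store)}
        if name not in store:
            return 404, NO_STORE, {"error": "no such interface"}
        return 200, {"Cache-Control": "no-cache"}, {name: dict(store[name])}

    if method in ("POST", "PUT"):                # Create / Update need a JSON body
        try:
            data = json.loads(body)              # TypeError if body is None
            if method == "POST":
                if name is not None or not isinstance(data, dict):
                    raise ValueError("POST the collection with a name and settings")
                new_name = data.get("name")
                if not isinstance(new_name, str) or not PATH_RE.fullmatch("/api/v1/interfaces/" + new_name):
                    raise ValueError("bad interface name")
                if new_name in store:
                    return 409, NO_STORE, {"error": "already exists"}
                store[new_name] = validate_settings(data.get("settings"))
                return 201, NO_STORE, {new_name: store[new_name]}
            if name is None or name not in store:
                return 404, NO_STORE, {"error": "no such interface"}
            store[name] = validate_settings(data)    # PUT replaces the whole record
            return 200, NO_STORE, {name: store[name]}
        except (ValueError, TypeError) as exc:   # JSONDecodeError is a ValueError
            return 400, NO_STORE, {"error": str(exc)}

    if method == "DELETE":                       # Delete
        if name is None or name not in store:
            return 404, NO_STORE, {"error": "no such interface"}
        del store[name]
        return 204, NO_STORE, None

    return 405, NO_STORE, {"error": f"method {method} not allowed"}


if __name__ == "__main__":
    store = sample_store()
    auth = {"Authorization": "Bearer " + API_TOKEN}
    print(handle_request("GET", "/api/v1/interfaces", auth, None, store))
    print(handle_request("GET", "/api/v1/interfaces", {}, None, store))
```

Points to notice: the token is checked on every call and compared in constant time, because a stateless server has no session to fall back on; the path is matched against a strict pattern rather than split and trusted; the body is validated against a fixed schema so a client cannot store arbitrary keys; and the Cache-Control header is set per response, with errors and anything carrying credentials marked no-store.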

26.3.7 Serialization languages

Need for serialization languages
A REST server and a REST client may be different programs written in different programming languages:
Server – a Java application
Client – a Python application
So it is a challenge to copy variables from one to the other, because the REST client may not store variables in the same way as the REST server does.


In simple words, it is difficult for the REST client to understand and interpret data transferred by the REST server, and vice versa.
Exchange of internal representation of variables – incorrect concept

Data serialization languages

Some kind of common language is needed so that the data can be interpreted successfully at both the client and server ends. Data serialization languages provide that function. Each data serialization language provides a way of using text to describe variables, with the goal of sending that text over a network or storing it in a file.

Data serialization languages give us a way to represent variables as text rather than in the internal representation used by any particular programming language. They enable an API server to return data so that the API client can replicate the same variable names and data structures found on the API server.
Exchange of internal representation of variables – correct concept


At the end of the process, the REST client application has variables equivalent to the ones it requested from the server in the API call. Note that the final step, converting from the data serialization language to the native format, can be as little as a single line of code (a call to a JSON parser, for example)!
Remember that applications can also store data in JSON format.
The current CCNA blueprint mentions only JSON, but there are other such languages, like XML and YAML.
26.3.8 Interpreting JSON output
JSON – JavaScript Object Notation

JSON provides a balance between human and machine readability. Once familiar with a few necessary JSON rules, most humans can read JSON data.
Comparing data modeling languages

Acronym   Name                          Main purpose                                          Common use
JSON      JavaScript Object Notation    Data modeling and data serialization                  REST APIs
XML       eXtensible Markup Language    Data-focused text markup that allows data modeling    REST APIs
YAML      YAML Ain't Markup Language    General data modeling                                 Ansible

Understanding and Interpreting JSON

Routers' interfaces listed using JSON:
{
  "R1": ["GigabitEthernet0/0", "GigabitEthernet0/1", "GigabitEthernet0/2/0"],
  "R2": ["GigabitEthernet1/0", "GigabitEthernet1/1", "GigabitEthernet0/3/0"]
}
It seems simple, right?

But to analyze the JSON data to find the data structures (objects, lists and key: value pairs), you need to know a bit more about JSON syntax.
Key: value pairs
 Key: value pair:

Each colon identifies one key: value pair, with the key before the colon and the value after the colon.

o Key:
Text, inside double quotes, before the colon, used as the name that references a value.
o Value:
The item after the colon that represents the value of the key, which can be:
- Text: listed in double quotes.
- Numeric: listed without quotes.
- Array: a special value (more details later).
- Object: a special value (more details later).
 Multiple pairs:

When listing multiple key: value pairs, separate the pairs with a comma at the end of each pair (except the last pair).
One JSON object (dictionary) with three key: value pairs:
{
  "Rank1": "CEO",
  "Rank2": "GM",
  "Rank3": "AM"
}
Keys – Rank1, Rank2, Rank3
Values – CEO, GM, AM
Commas and curly brackets – special characters
One pair of curly brackets – one JSON object

JSON files, and JSON data exchanged over an API, typically exist first as a JSON object, with an opening (left) and closing (right) curly bracket. Note that JSON requires straight double quotes ("); the curly quotes that word processors substitute are not valid JSON.
Objects and arrays
JSON uses JSON objects and JSON arrays to communicate data structures beyond a simple key: value pair.
Objects can be flexible, but in most uses they act like a dictionary.
Arrays list a series of values.
In general conversation, many people refer to the JSON structures as dictionaries and lists rather than as objects and arrays.


How to interpret the syntax for JSON objects and arrays:

{ } – Object:
A series of key: value pairs enclosed in a matched pair of curly brackets, with an opening left curly bracket and its matching right curly bracket.
[ ] – Array:
A series of values (not key: value pairs) enclosed in a matched pair of square brackets, with an opening left square bracket and its matching right square bracket.
Key: value pairs inside objects:
All key: value pairs inside an object conform to the earlier rules for key: value pairs.
Values inside arrays:

All values conform to the earlier rules for formatting values (for example, double quotes around text and no quotes around numbers). Values are separated by commas, and, as with objects, there is no comma after the last value.
Arrays
[
  "Manav",
  "Deep",
  "Manavdeep"
]
JSON object with two key: value pairs (each value is an array):
{
  "Team_1": [
    "Himansh",
    "Himanshi"
  ],
  "Team_2": [
    "Spyder",
    "Serena"
  ]
}


Objects & arrays (objects nested inside an object):

{
  "My_Favorites": {
    "Singer": "Diljeet",
    "State": "Punjab"
  },
  "interface_config": {
    "ip_address": "192.168.1.1",
    "ip_mask": "255.255.255.0",
    "speed": 1000
  }
}
Minified and beautified JSON
For humans, reading JSON is a lot easier when the text is organized with whitespace and alignment:
{
  "Rank1": "CEO",
  "Rank2": "GM",
  "Rank3": "AM"
}
When stored in a file or sent over a network, JSON usually carries no extra whitespace:
{"Rank1":"CEO","Rank2":"GM","Rank3":"AM"}
Most of the tools you might use when working with JSON will let you toggle between a pretty format (good for humans) and a raw format (good for computers).
You might see the pretty version called pretty, beautified or spaced, while the version with no extra whitespace might be called minified or raw.
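A parser and validator for the JSON shapes described in this section, added here as an example (it is not code from the notes). SAMPLE is constructed from the router-interface and interface_config examples above; the accepted speed values are an assumption made for the example.

```python
"""Parse, classify and validate JSON the way an automation script should before
acting on it. Added example for these notes; SAMPLE is constructed from the
section's own examples and the allowed speeds are assumed."""
import ipaddress
import json

SAMPLE = (
    '{"R1": ["GigabitEthernet0/0", "GigabitEthernet0/1", "GigabitEthernet0/2/0"],'
    ' "interface_config": {"ip_address": "192.168.1.1",'
    ' "ip_mask": "255.255.255.0", "speed": 1000}}'
)
ALLOWED_SPEEDS = (10, 100, 1000, 10000)   # assumption for the example


def parse_strict(text: str):
    """json.loads already rejects curly quotes and trailing commas; on top of
    that, reject duplicate keys, which the standard parser silently resolves to
    the last value (an easy way to slip a second "speed" past a reviewer)."""
    def no_duplicates(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                raise ValueError(f"duplicate key {key!r}")
            obj[key] = value
        return obj
    return json.loads(text, object_pairs_hook=no_duplicates)


def is_strict_json(text: str) -> bool:
    try:
        parse_strict(text)
        return True
    except ValueError:            # JSONDecodeError is a subclass of ValueError
        return False


def describe(node, path="$"):
    """Return [(path, kind)] for every node, naming each structure the way the
    section does: object (dictionary), array (list), or a scalar JSON type."""
    if isinstance(node, dict):
        out = [(path, "object")]
        for key, value in node.items():
            out.extend(describe(value, f"{path}.{key}"))
        return out
    if isinstance(node, list):
        out = [(path, "array")]
        for index, value in enumerate(node):
            out.extend(describe(value, f"{path}[{index}]"))
        return out
    if isinstance(node, bool):    # must come before the int check
        return [(path, "boolean")]
    if isinstance(node, (int, float)):
        return [(path, "number")]
    if node is None:
        return [(path, "null")]
    return [(path, "string")]


def validate_interface_config(cfg) -> ipaddress.IPv4Network:
    """Check an interface_config object before it is pushed to a device:
    address and mask must be IPv4 strings, the mask contiguous, and speed a
    real integer (not a bool) from the known set. Returns the resulting subnet."""
    if not isinstance(cfg, dict):
        raise TypeError("interface_config must be a JSON object")
    for key in ("ip_address", "ip_mask", "speed"):
        if key not in cfg:
            raise ValueError(f"missing key {key!r}")
    if not isinstance(cfg["ip_address"], str) or not isinstance(cfg["ip_mask"], str):
        raise ValueError("ip_address and ip_mask must be strings")
    addr = ipaddress.IPv4Address(cfg["ip_address"])
    mask = ipaddress.IPv4Address(cfg["ip_mask"])
    network = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)  # ValueError on a bad mask
    speed = cfg["speed"]
    if isinstance(speed, bool) or not isinstance(speed, int) or speed not in ALLOWED_SPEEDS:
        raise ValueError(f"unsupported speed {speed!r}")
    return network


def config_is_valid(cfg) -> bool:
    try:
        validate_interface_config(cfg)
        return True
    except (ValueError, TypeError):
        return False


def minify(text: str) -> str:
    """The raw form sent on the wire: no whitespace at all."""
    return json.dumps(parse_strict(text), separators=(",", ":"))


def beautify(text: str) -> str:
    """The pretty form for humans."""
    return json.dumps(parse_strict(text), indent=2)


if __name__ == "__main__":
    document = parse_strict(SAMPLE)
    for path, kind in describe(document):
        print(f"{path:40} {kind}")
    print("subnet:", validate_interface_config(document["interface_config"]))
```

describe() labels every node the way the section does (object, array, scalar), parse_strict() rejects the duplicate keys that json.loads would silently collapse, and validate_interface_config() refuses a non-contiguous mask or a boolean where an integer is expected before anything is pushed to a device; minify() and beautify() produce the raw and pretty forms discussed just above.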

26.4 Configuration automation tools


26.4.1 Network Device Configuration – The challenges and the solutions
Traditionally, CCNA teaches us:


- How to configure one device using global configuration mode commands, and how to save the
running-config file to the startup-config file.
But it does not answer questions like:

- Can one engineer change the running-config of a device in a way that others don't
know about?
- Can the responsible people find out whether the configuration file was changed?
- Who changed the file?
- What was changed?
And so on...
Not every company needs to deal with configuration management; it depends on its size.
Small companies can be managed by a small networking staff that monitors
everything manually. But as a company grows, it adds devices and networking
staff, which results in a higher rate of configuration changes, and manual management becomes
a problem in such scenarios. So it takes more than good practices and good people to deal with
device configuration management.
Configuration drift

Configuration drift is the difference between the desired configuration of a network device (a
router, for example) and its actual configuration file. For example, the hostname of a router is
supposed to be BR1, but somebody changed it to Branch1. This change is an example of configuration drift.
26.4.2 Central configuration management
Why central configuration management?
A company may have hundreds or thousands of network devices and many network engineers. As
a result, the per-device manual configuration model does not work well for such large
networks. So, medium to large enterprises store configurations in a central location, in
addition to the startup-config files on the devices. The files are placed in a shared folder accessible
to the entire network team.


26.4.3 Configuration monitoring


The challenges given above are best solved by using an automated configuration
management tool. These automation tools can be used to monitor the configurations of
the devices, meaning who changed what on which device, and when.
The configuration management tool can then be directed to copy or apply the configuration
to the device. Once the process completes, the central config file and the device's running-
config (and startup-config) should be the same.
26.4.4 Configuration provisioning
Pushing centralized configuration to a remote device

Even with this seemingly perfect solution, there are still dangers.

What if someone directly changes the configuration of a network device over a console
connection? It means that some configuration drift can still occur.
As a solution:
The configuration management tool can monitor device configurations to discover when
the device configuration differs from the intended ideal configuration, and then:
- Either reconfigure the device, or
- Notify the network engineering staff to make the change.


Configuration Provisioning
Provisioning means copying the changed configuration file from the configuration
management system to the network devices.
26.4.5 Features of a configuration management tool
Implement automated configuration changes on devices.
These management tools can store the logical steps in a file and provide schedules for
execution, so that the changes can be implemented by the automation tool without the
presence of an engineer.
26.4.6 Templates & variables

In enterprise networks, a large number of devices are assigned the same
kind of work, so they use almost identical configurations apart from a few standard differences.
These tools can represent configuration files as templates and variables, so that devices with
similar roles can use the same template but with different values.
These management tools divide the total configuration into 2 parts:
• Fixed part (common to all devices – known as the template)
• Changeable part (unique to one device – known as the variables)
Network engineers can then edit both files (template and variables) separately
according to the requirements of the devices. The configuration management tool then
processes the template and variables to create the ideal configuration file for each device.

Each configuration management tool uses a different language for each type of file
(that is, one language for writing templates and another for writing
variables).
For example, Ansible uses:
- Jinja2 language for templates and YAML for variables
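As an added example (not from the notes, and not Ansible's own code), here is the template-plus-variables idea from this section together with the drift check from 26.4.1 and 26.4.4 in Python. The {name} placeholders and str.format stand in for Jinja2, the variables are Python dicts instead of YAML files, and the device names, addresses and running-configs are constructed.

```python
import difflib

# Constructed template (the fixed part). {name} placeholders stand in for Jinja2's
# {{ name }}; this uses plain str.format, not Jinja2.
TEMPLATE = """hostname {hostname}
interface GigabitEthernet0/0
 ip address {ip_address} {ip_mask}
router ospf 1
 router-id {router_id}"""

# Constructed per-device variables (the changeable part); Ansible keeps these in YAML.
VARIABLES = {
    "BR1": {"hostname": "BR1", "ip_address": "192.168.1.1",
            "ip_mask": "255.255.255.0", "router_id": "1.1.1.1"},
    "BR2": {"hostname": "BR2", "ip_address": "192.168.2.1",
            "ip_mask": "255.255.255.0", "router_id": "2.2.2.2"},
}


def render(template, variables):
    """Combine the template with one device's variables to get its ideal config.
    A variable value containing a line break would add extra config lines, so
    it is rejected instead of rendered."""
    for key, value in variables.items():
        if "\n" in str(value) or "\r" in str(value):
            raise ValueError(f"variable {key!r} contains a line break")
    return template.format(**variables)


def find_drift(ideal, running):
    """Lines that differ: '-' lines are expected but missing, '+' lines are
    present on the device but not in the ideal config. Empty list = in sync."""
    diff = difflib.unified_diff(ideal.splitlines(), running.splitlines(),
                                fromfile="ideal", tofile="running", lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


def check_devices(running_configs):
    """Configuration monitoring: drift report for every device in the inventory."""
    return {name: find_drift(render(TEMPLATE, VARIABLES[name]), running)
            for name, running in running_configs.items()}


# Constructed running-configs: on BR1 someone renamed the router to Branch1 from the
# console (the drift example in the notes); BR2 still matches its ideal config.
RUNNING = {
    "BR1": render(TEMPLATE, VARIABLES["BR1"]).replace("hostname BR1", "hostname Branch1"),
    "BR2": render(TEMPLATE, VARIABLES["BR2"]),
}
```

The drift report for each device is what a monitoring tool would act on: an empty list means the device matches its ideal config, anything else is either reconfigured or reported to the engineering staff.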


Files That Control Configuration Automation


The interesting thing about these tools and network automation is that a lot of the logic can be
done without knowing how to program.

Each tool uses a different language to define the action steps (often a domain-specific
language), but these are normally easier to learn than general programming languages.

These configuration management tools can also be extended with additional features by
using programming languages like Python.

Due to its richness of features, Python is widely used across the globe for many purposes,
including network automation and programmability.
Important files used by configuration management tools

Ansible, Puppet, and Chef Basics


Ansible, Puppet, and Chef are software packages.
Each tool can be purchased in variants with different feature sets.
All also have free options that you can download to learn about the tools.
Some of the tools do not run on a Windows OS, so you need to run a Linux guest.
26.4.7 Ansible
Following are the files created and used by Ansible:
- Inventory: Provides device hostnames along with other information like device roles
- Templates: Use the Jinja2 language
- Variables: Use YAML
- Playbooks: Provide the actions and logic about what Ansible should do.


For example:
Action – change the router-id of OSPF router R7
Logic – change the router-id of OSPF router R7 on the weekend (date)
Ansible uses an agentless architecture. This means it does not rely on any code (agent) running
on the network device. Instead, Ansible relies on features typically present in network devices, namely
SSH and/or NETCONF, to make changes and extract information.
When using SSH, the Ansible control node makes changes to the device the way any
other SSH user would, but the work is done by Ansible code rather than by a human.
Ansible can be described as using a push model, rather than a pull model (as Puppet and
Chef do).
After installing Ansible, an engineer needs to create and edit the various Ansible files,
including an Ansible playbook. Then the engineer runs the playbook, which tells Ansible to
perform the steps.
Ansible push model

Like all other configuration management tools, Ansible can do both configuration
provisioning (configuring devices after changes are made in the files) and configuration
monitoring (checking whether the device config matches the ideal configuration
on the control node).
However, Ansible's architecture fits more naturally with configuration provisioning, as seen
in the above figure.


26.4.8 Puppet
Puppet master – a Linux server where Puppet is installed, used in production networks.
There are free versions with limited feature sets and paid versions with enhanced
functionality.
Files created and used by Puppet:
- Manifest: A human-readable text file on the Puppet master
- Resource, Class, Module: Components of the manifest [Largest component –
Module; composed of – Classes; composed of – Resources.]
- Templates:

Ansible playbooks use an imperative language, whereas Puppet's manifests use a
declarative language.

Imperative (Ansible): configure all OSPF internal routers in these locations, and if errors
occur for any device, do these extra tasks for that device.
Declarative (Puppet): these OSPF internal routers should have the configuration in this file
(manifest) by the end of the process.
Puppet can use an agent-based or agentless architecture for network device support,
depending on whether the network device supports Puppet agents or not.
[Puppet agent – a feature that can be configured on the network devices]

If the network device supports a Puppet agent, Puppet uses the agent-based approach; otherwise
the agentless approach is used.
Agentless operation:
Not every Cisco OS supports Puppet agents, so a proxy agent is used, which runs on some
external host. The external agent then uses SSH to communicate with the network device.
Agent based & agentless operation for Puppet


Puppet uses a pull model to make that configuration appear on the device.
- Step 1.
The engineer creates the files on the Puppet server (Puppet master).
- Step 2.
The engineer configures and enables the on-device agent or a proxy agent for each device.
- Step 3.
The agent pulls manifest details from the server, which tell the agent what its configuration
should be.
- Step 4.
If the agent device's configuration should be updated, the Puppet agent performs additional
pulls to get all required details, and the agent updates the device configuration.
Pull model with Puppet

26.4.9 Chef
Chef Automate – or simply Chef.
Files created and used by Chef:
- Resource:
Just like the ingredients of a recipe in a cookbook (the configuration objects).
- Recipe:
The Chef logic applied to resources to determine when and how to act against the resources
– just like a recipe in a cookbook.


- Cookbooks:
Just like a set of recipes about the same kinds of work, grouped together for better
management.
- Runlist:
Just like an ordered list of recipes to be run against a particular device.
Chef and Puppet use the same architecture, where each device (a Chef node/client) runs an
agent.
The Chef client pulls recipes and resources from the Chef server and then adjusts its
configuration to stay in sync with the details in those recipes and runlists.
Remember: Chef requires on-device Chef client code.
As many Cisco devices do not support a Chef client, you will likely see more use of Ansible
and Puppet for Cisco device configuration management.
Summary of Configuration Management Tools

All configuration management tools have their unique strengths, use scenarios and
limitations.
Among all three, Ansible appears to have the most interest, then Puppet, and then Chef.
Ansible provides support for a wide range of Cisco devices due to its agentless architecture
and its use of SSH.
Puppet's agentless model also provides wide support for Cisco devices.

Action                               | Ansible      | Puppet      | Chef
-------------------------------------+--------------+-------------+----------------
Term for the file that lists actions | Playbook     | Manifest    | Recipe, Runlist
Protocol to network device           | SSH, NETCONF | HTTP (REST) | HTTP (REST)
Uses agent or agentless model        | Agentless    | Agent       | Agent
Working model                        | Push         | Pull        | Pull

THANK YOU
&
ALL THE BEST
