Mind Map Gallery Cisco
This is a mind map that contains information about Cisco (CCNA ICND1).
Edited at 2020-10-08 03:51:39
Cisco
CCNA
- ICND
- ICND 1 v.2
- exam 100-101 requirements
- Operation of IP Data Networks
- Recognize the purpose and functions of various network devices
such as Routers, Switches, Bridges and Hubs
- Select the components required to meet a given network specification
- Identify common applications and their impact on the network
- Describe the purpose and basic operation of the protocols in
the OSI and TCP/IP models
- Predict the data flow between two hosts across a network
- Identify the appropriate media, cables, ports, and connectors
to connect Cisco network devices to other network devices and
hosts in a LAN
- LAN Switching Technologies
- Determine the technology and media access control method for
Ethernet networks
- Identify basic concepts and the operation of Cisco Switches
- Collision Domains
- Broadcast Domains
- Types of switching
- CAM Table
- Configure and verify initial switch configuration including
remote access management.
- Cisco IOS commands to perform basic switch setup
- Verify network status and switch operation using basic utilities
such as ping, telnet and ssh.
- Describe how VLANs create logically separate networks and
the need for routing between them
- Explain network segmentation and basic traffic management
concepts
- Configure and verify VLANs
- Configure and verify trunking on Cisco switches
- DTP
- Auto negotiation
- IP addressing (IPv4 / IPv6)
- Describe the operation and necessity of using private and public
IP addresses for IPv4 addressing
- Identify the appropriate IPv6 addressing scheme to satisfy
addressing requirements in a LAN/WAN environment.
- Identify the appropriate IPv4 addressing scheme using VLSM
and summarization to satisfy addressing requirements in a LAN/WAN
environment
- Describe the technological requirements for running IPv6
in conjunction with IPv4 such as dual stack
- Describe IPv6 addresses
- Global unicast
- Multicast
- Unique local
- EUI-64
- autoconfiguration
- IP Routing Technologies
- Describe basic routing concepts
- CEF
- Packet forwarding
- Router lookup process
- Configure and verify utilizing the CLI to set basic Router configuration
- Cisco IOS commands to perform basic router setup
- Configure and verify operation status of an ethernet interface
- Verify router configuration and network connectivity
- Cisco IOS commands to review basic router information and network
connectivity
- Configure and verify routing configuration for a static or
default route given specific routing requirements
- Differentiate methods of routing and routing protocols
- Static vs Dynamic
- Link state vs Distance Vector
- ip routing table
- Passive interfaces
- Configure and verify OSPF (single area)
- Benefit of single area
- Configure OSPF v2
- Configure OSPF v3
- Router ID
- Passive interface
- Configure and verify interVLAN routing (Router on a stick)
- sub interfaces
- upstream routing
- encapsulation
- Configure SVI interfaces
- IP Services
- Configure and verify DHCP (IOS Router)
- Configuring router interfaces to use DHCP
- DHCP options
- excluded addresses
- lease time
- Describe the types, features, and applications of ACLs
- Standard
- Sequence numbers
- Editing
- Extended
- Named
- Numbered
- Log option
- Configure and verify ACLs in a network environment
- Named
- Numbered
- Log option
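The ACL behaviour these objectives cover, as a small Python model: wildcard masks, first-match processing in sequence-number order, the implicit "deny ip any any" at the end, the log keyword, and editing a named ACL by inserting a lower sequence number. This is an added example, not IOS code and not material from the cert guide; the ACL name MGMT-IN, the addresses and the packets are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # what the IOS keyword "any" expands to


def host(ip: str) -> tuple:
    return (ip, "0.0.0.0")               # what the IOS keyword "host" expands to


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is "don't care" (the inverse of a netmask)."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass
class Entry:
    seq: int
    action: str                   # "permit" or "deny"
    src: tuple                    # (address, wildcard); a standard ACL stops here
    proto: str = "ip"             # extended ACLs add protocol, destination and ports
    dst: tuple = ANY
    dport: Optional[int] = None   # "eq <port>" on the destination
    log: bool = False
    matches: int = 0              # the "(N matches)" counter of "show access-lists"


@dataclass
class ACL:
    name: str
    entries: list = field(default_factory=list)
    log_lines: list = field(default_factory=list)

    def add(self, entry: Entry) -> None:
        """Named ACLs allow inserting by sequence number; the list stays sorted."""
        kept = [e for e in self.entries if e.seq != entry.seq]
        self.entries = sorted(kept + [entry], key=lambda e: e.seq)

    def remove(self, seq: int) -> None:
        self.entries = [e for e in self.entries if e.seq != seq]

    def evaluate(self, pkt: dict):
        """First matching entry decides; anything unmatched hits the implicit 'deny ip any any'."""
        for e in self.entries:
            if e.proto != "ip" and e.proto != pkt["proto"]:
                continue
            if not wildcard_match(pkt["src"], *e.src) or not wildcard_match(pkt["dst"], *e.dst):
                continue
            if e.dport is not None and pkt.get("dport") != e.dport:
                continue
            e.matches += 1
            if e.log:
                self.log_lines.append(f"list {self.name} {e.action} {pkt['proto']} "
                                      f"{pkt['src']} -> {pkt['dst']}({pkt.get('dport', '')})")
            return e.action, e.seq
        return "deny", None   # implicit deny: no sequence number, no counter, no log


def build_mgmt_acl() -> ACL:
    """Constructed example: only the admin subnet may SSH in, telnet is denied and logged, ping is allowed."""
    acl = ACL("MGMT-IN")
    acl.add(Entry(10, "permit", ("10.1.1.0", "0.0.0.255"), "tcp", ANY, 22, log=True))
    acl.add(Entry(20, "deny", ANY, "tcp", ANY, 23, log=True))
    acl.add(Entry(30, "permit", ANY, "icmp"))
    return acl


def demo() -> dict:
    acl = build_mgmt_acl()
    results = {
        "ssh_from_admin": acl.evaluate({"proto": "tcp", "src": "10.1.1.5", "dst": "10.1.1.1", "dport": 22}),
        "telnet_from_admin": acl.evaluate({"proto": "tcp", "src": "10.1.1.5", "dst": "10.1.1.1", "dport": 23}),
        "ssh_from_outside": acl.evaluate({"proto": "tcp", "src": "192.168.9.9", "dst": "10.1.1.1", "dport": 22}),
        "ping_from_outside": acl.evaluate({"proto": "icmp", "src": "192.168.9.9", "dst": "10.1.1.1"}),
    }
    # Editing: a lower sequence number lands in front of entry 10 and changes the verdict for one host.
    acl.add(Entry(5, "deny", host("10.1.1.99")))
    results["ssh_from_blocked_admin"] = acl.evaluate(
        {"proto": "tcp", "src": "10.1.1.99", "dst": "10.1.1.1", "dport": 22})
    results["log_lines"] = acl.log_lines
    results["matches"] = [(e.seq, e.matches) for e in acl.entries]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things the model makes visible that the objective list does not: the SSH attempt from 192.168.9.9 is denied without any entry matching it (implicit deny leaves no log line and no counter, so a missing permit looks like silence), and the order of entries, not the order you typed them, is what decides.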
- Identify the basic operation of NAT
- Purpose
- Pool
- Static
- 1 to 1
- Overloading
- Source addressing
- One way NAT
- Configure and verify NAT for given network requirements
- Configure and verify NTP as a client
- Network Device Security
- Configure and verify network device security features such
as:
- Device password security
- Enable secret vs enable
- Transport
- Disable telnet
- SSH
- VTYs
- Physical security
- Service password
- Describe external authentication methods
- Configure and verify Switch Port Security features such as
- Sticky MAC
- MAC address limitation
- Static / Dynamic
- Violation modes
- Err disable
- Shutdown
- Protect / Restrict
- Shutdown unused ports
- Err disable recovery
- Assign unused ports to an unused VLAN
- Setting native VLAN to other than VLAN1
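The port security items above (maximum address count, static and sticky learning, the three violation modes, err-disable and its recovery) as a Python model of one access port. This is an added example, not IOS code and not from the cert guide; it models the generally documented IOS semantics (protect drops silently, restrict drops and counts and logs, shutdown err-disables the port) and the MAC addresses are constructed. The syslog text is an approximation, not the exact IOS message.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Constructed model of one access port with 'switchport port-security' enabled."""
    maximum: int = 1                  # switchport port-security maximum N (default 1)
    violation: str = "shutdown"       # protect | restrict | shutdown (IOS default: shutdown)
    sticky: bool = False              # switchport port-security mac-address sticky
    static: tuple = ()                # switchport port-security mac-address <mac> entries
    secure: dict = field(default_factory=dict)   # mac -> "static" | "sticky" | "dynamic"
    violations: int = 0               # "Security Violation Count" in show port-security
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def __post_init__(self) -> None:
        for mac in self.static:
            self.secure[mac] = "static"

    def frame_in(self, src_mac: str) -> str:
        """What the switch does with a frame from src_mac: 'forward' or 'drop'."""
        if self.err_disabled:
            return "drop"                       # port is down; nothing passes either way
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"                    # learned as a secure address
        return self._violation(src_mac)

    def _violation(self, src_mac: str) -> str:
        if self.violation == "protect":
            return "drop"                       # silently dropped: no counter, no log, easy to miss
        self.violations += 1
        # Approximation of the IOS message; the exact wording is not part of this model.
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: violation caused by MAC {src_mac}")
        if self.violation == "restrict":
            return "drop"                       # dropped, counted, logged; port stays up
        self.err_disabled = True                # shutdown: the whole port goes err-disabled
        return "drop"

    def errdisable_recover(self) -> None:
        """'shutdown' / 'no shutdown' (or errdisable recovery) brings the port back.
        Dynamically learned secure addresses are lost with the link; sticky and static
        ones live in the running-config and survive."""
        self.err_disabled = False
        self.secure = {m: kind for m, kind in self.secure.items() if kind != "dynamic"}


def compare_modes() -> dict:
    """One legitimate host, then an unexpected second MAC, under each violation mode."""
    out = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort(maximum=1, violation=mode, sticky=True)
        port.frame_in("0200.1111.aaaa")                     # first host is learned (sticky)
        out[mode] = {
            "intruder": port.frame_in("0200.1111.bbbb"),    # second MAC exceeds the maximum
            "legit_after": port.frame_in("0200.1111.aaaa"), # does the real host still pass?
            "violations": port.violations,
            "err_disabled": port.err_disabled,
            "syslog": len(port.syslog),
        }
        if port.err_disabled:
            port.errdisable_recover()
            out[mode]["legit_after_recovery"] = port.frame_in("0200.1111.aaaa")
            out[mode]["secure_after_recovery"] = dict(port.secure)
    return out


if __name__ == "__main__":
    for mode, r in compare_modes().items():
        print(mode, r)
```

The comparison shows the trade-off the exam asks you to know: protect keeps the legitimate host working but leaves no evidence; restrict keeps it working and records the event; shutdown takes the legitimate host down with the intruder until someone recovers the port.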
- Configure and verify ACLs to filter network traffic
- Configure and verify ACLs to limit telnet and SSH access to
the router
- Troubleshooting
- Troubleshoot and correct common problems associated with IP
addressing and host configurations.
- Troubleshoot and Resolve VLAN problems
- identify that VLANs are configured
- port membership correct
- IP address configured
- Troubleshoot and Resolve trunking problems on Cisco switches
- Correct trunk states
- correct encapsulation configured
- correct vlans allowed
- Troubleshoot and Resolve ACL issues
- Statistics
- Permitted networks
- Direction
- Interface
- Troubleshoot and Resolve Layer 1 problems
- Framing
- CRC
- Runts
- Giants
- Dropped packets
- Late collision
- Input /Output errors
- Official ICND1 v2 Cert Guide
- 1. Networking Fundamentals
- 01. The TCP/IP and OSI Networking Models
- TCP/IP
- defines a large collection of protocols
- Protocol
- a set of logical rules that devices must follow to communicate
- uses documents called RFC - Requests for Comments
- Networking model also called networking architecture or networking
blueprint
- Layers
- Application
- Protocols
- HTTP
- POP3
- SMTP
- provide services to the application software running on a computer
- provide an interface between software running on a computer
and the network itself
- Transport
- Protocols
- TCP - Transmission Control Protocol
- provide services to the application layer protocols that reside
one layer higher in the TCP/IP model
- Error recovery basics
- to recover from errors, TCP uses the concept of acknowledgments.
- UDP - User Datagram Protocol
- functions
- Adjacent-layer interaction on the same computer
- Same-layer interaction on different computers
- Encapsulation
- uses segments
- Network
- Protocols
- IPv4, IPv6
- Addressing
- Routing
- Encapsulation
- uses packets (IP packets)
- Data Link
- Protocols
- Ethernet, Point to Point Protocol (PPP), T1
- Encapsulation
- uses frames
- LH - Link Header
- LT - Link Trailer
- Addressing
- Physical
- Protocols
- Bit Transmission
- Encapsulation
- refers to the process of putting headers (and sometimes trailers)
around some data
- The process of sending data over network - 5 Steps
- step.1 Create and encapsulate the application data with any
required application layer headers
- step. 2 Encapsulate the data supplied by the application layer
inside a transport layer header.
- step. 3 Encapsulate the data supplied by the transport layer
inside a network layer (IP) header
- step. 4 Encapsulate the data supplied by the network layer inside
a data link layer header and trailer
- step 5 Transmit the bits
- OSI
- a standardized architecture defining network communication
- Protocols and specifications
- Application (Layer 7) protocol, Transport (Layer 4) port, Transport (Layer 4) protocol
- HTTP - port 80 - TCP
- HTTPS - port 443 - TCP
- Telnet - port 23 - TCP
- SSH - port 22 - TCP
- FTP - ports 20, 21 - TCP
- SFTP - port 22 - TCP
- IMAP - port 143 - TCP
- POP3 - port 110 - TCP
- SMTP - port 25 - TCP
- DNS - port 53 - TCP and UDP
- TFTP - port 69 - UDP
- Network Layer protocol (for all of the above) - IP
- Data Link layer protocol (the same choices apply to all of the above)
- Wire: Ethernet, Serial, Other
- Fiber: Ethernet, ATM, Other
- Wireless: Ethernet, Other
- Layers
- 07. Application
- description
- this layer provides an interface between the communications
software and any applications that need to communicate outside the computer
on which the application resides
- defines processes for user authentication
- protocols that require the end user to enter a request are Application
layer protocols
- Protocols and specifications
- SMTP
- POP3
- IMAP
- HTTP
- FTP/SFTP
- TFTP
- Devices
- Hosts
- Firewall
- 06. Presentation
- description
- the main purpose is to define and negotiate data formats such
as ASCII text, EBCDIC text, binary, BCD, JPEG, etc.
- answers a simple question "How should this data be presented?"
- Encryption is defined by OSI as a presentation layer service
- Protocols and specifications
- AFP
- NCP
- Telnet
- Primary tasks
- Compatibility with the operating system
- Proper encapsulation of data for network transmission
- Data formatting (ASCII, binary)
- Data encryption, compression and translation
- Devices
- Hosts
- Firewall
- 05. Session
- description
- Defines how to start, control and end conversations (called
sessions). This includes the control and management of multiple bidirectional
messages so that the application can be notified if only some of a series
of messages are completed. This allows the presentation layer
to have a seamless view of an incoming stream of data.
- Different from Layer 4 protocols, in that Layer 4 is concerned
with the flow of data and Layer 5 is concerned with the applications
using those data flows
- Manages communications between two distinct endpoints (hosts)
- Protocols and specifications
- NetBIOS (Network Basic Input/Output System)
- PAP
- PPTP
- Devices
- Hosts
- Firewall
- 04. Transport
- description
- focuses on issues related to data delivery to another computer
- error recovery
- flow control
- Protocols and specifications
- TCP
- reliable
- Connection-oriented
- UDP
- unreliable
- connectionless
- Devices
- Hosts
- Firewall
- Encapsulation
- Datagram
- segment
- Transport layer header
- Source port
- Destination port
- other info
- 03. Network
- description
- main features
- logical addressing
- defines how each device can have an address that can be used by
the routing process.
- routing (forwarding)
- defines how devices (typically routers) forward packets to
their final destination.
- path determination
- refers to the work done by routing protocols to learn all possible
routes and choose the best route.
- Protocols and specifications
- IP
- ICMP
- RIP
- Devices
- Router
- Encapsulation
- Datagram
- packet
- Network layer header
- Source IP address
- Destination IP address
- Other info
- Routing
- the routing layer
- two question process
- What valid paths exist from the local router to a given destination
?
- What is the best path (the "optimal path") to take
to get there ?
- 02. Data Link
- description
- defines the rules that determine when a device can send data
over a particular medium
- also define the format of a header and trailer that allows devices
attached to the medium to successfully send and receive data
- Protocols and specifications
- Ethernet (IEEE 802.3)
- HDLC (High-Level Data Link Control)
- SDLC (Synchronous Data Link Control)
- PPP (Point to Point Protocol)
- PPPoE (Point-to-Point Protocol over Ethernet)
- CDP (Cisco Discovery Protocol)
- Frame Relay
- Devices
- LAN switch
- wireless access point
- cable modem
- DSL modem
- Encapsulation
- Datagram
- frame
- Data link layer header
- Destination MAC address
- Source MAC address
- Other info
- Switches
- two sub-layers
- LLC (Logical Link Control)
- MAC (Media Access Control)
- performs error detection
- FCS (Frame Check Sequence)
- 01. Physical
- description
- typically refers to standards from other organizations. These
standards deal with the physical characteristics of the transmission
medium, including connectors, pins, use of pins, electrical currents,
encoding, light modulation, and the rules for how to activate and deactivate
the use of physical medium.
- Protocols and specifications
- RJ-45
- Ethernet (IEEE 802.3)
- Devices
- LAN hub
- LAN repeater
- cables
- Encapsulation terminology
- refers to the process of putting headers(and sometimes trailers)
around some data
- PDU (Protocol Data Unit)
- represents the bits that include the header and trailer for that
layer, as well as the encapsulated data.
- Deencapsulation
- the process in which the device interprets the lower-layer headers
and, when finished with each header, removes the header, revealing
the next higher layer PDU
- Benefits of layered protocol specifications
- Less complex
- compared to not using a layered model, network models break
the concepts into smaller parts
- Standard interfaces
- allow multiple vendors to create products that fill a particular
role, with all the benefits of open competition
- Easier to learn
- it is much easier to discuss and learn about the many details of
a protocol specification
- Easier to develop
- reduced complexity allows easier program changes and faster
product development
- Multivendor interoperability
- creating products to meet the same networking standards means
that computers and networking gear from multiple vendors can work
in the same network
- Modular engineering
- one vendor can write software that implements higher layers
and another vendor can write software that implements the lower
layers
- 02. Fundamentals of Ethernet LANs
- Ethernet
- description
- Refers to a family of LAN standards that together define the
physical and data link layers of the world's most popular wired
LAN technology. The standards, defined by the IEEE (Institute
of Electrical and Electronics Engineers), define the cabling,
the connectors on the ends of the cables, the protocol rules, and
everything else required to create an Ethernet LAN.
- SOHO (Small Office / Home Office )
- Standards
- Ethernet
- Speed
- 10 Mbps
- Informal IEEE Standard Name
- 10BASE-T
- Formal IEEE Standard Name
- 802.3
- Cable Type
- Copper
- Maximum Length
- 100 m
- Fast Ethernet
- Speed
- 100 Mbps
- Informal IEEE Standard Name
- 100 BASE-T
- Formal IEEE Standard Name
- 802.3u
- Cable Type
- Copper
- Maximum Length
- 100 m
- Gigabit Ethernet
- Speed
- 1000 Mbps
- Informal IEEE Standard Name
- 1000BASE-LX
- Formal IEEE Standard Name
- 802.3z
- Cable Type
- Fiber
- Maximum Length
- 5000 m
- Gigabit Ethernet
- Speed
- 1000 Mbps
- Informal IEEE Standard Name
- 1000BASE-T
- Formal IEEE Standard Name
- 802.3ab
- Cable Type
- Copper
- Maximum Length
- 100 m
- 10 Gig Ethernet
- Speed
- 10 Gbps
- Informal IEEE Standard Name
- 10GBASE-T
- Formal IEEE Standard Name
- 802.3an
- Cable Type
- Copper
- Maximum Length
- 100 m
- Cables
- UTP (Unshielded Twisted Pair)
- suffix "T"
- Optical fibers
- suffix "X"
- Fiber-optic cabling contains long thin strands of fiberglass.
The attached Ethernet nodes send light over the glass fiber in the
cable, encoding the bits as changes in the light
- Conventions
- 10BASE-T
- two pairs
- Straight-Through Cable pinout
- pc -> switch
- pins 1,2 (the PC's transmit pair) connect to pins 1,2 at the other end
- pins 3,6 (the PC's receive pair) connect to pins 3,6 at the other end
- the pins look identical on both ends
- devices that transmit on pins 1 and 2
- PC NIC
- Routers
- Wireless Access Point (Ethernet interface)
- used if the endpoints transmit on different pin pairs
- Crossover Cable Pinout
- switch -> switch
- 1 transmitter -> 3 receiver
- 2 transmitter -> 6 receiver
- devices that transmit on pins 3 and 6
- Hubs
- Switches
- used if the endpoints transmit on the same pin pair
- Cisco switches have a feature, auto-MDIX, that notices when the
wrong cable is used and automatically changes its logic to make the
link work
- 1000BASE-T
- four wire pairs
- straight-through cable pinout
- pins 1,2 connect to pins 1,2; pins 3,6 to pins 3,6; pins 4,5 to pins 4,5;
pins 7,8 to pins 7,8
- all four pairs are used, each in both directions, so no pair is purely
"transmit" or "receive"
- the pins look identical on both ends
- Crossover Cable Pinout
- 1 transmitter -> 3 receiver
- 2 transmitter -> 6 receiver
- 4 transmitter -> 7 receiver
- 5 transmitter -> 8 receiver
- rules
- NIC (Network Interface Card)
- NIC transmitters use the pair connected to pins 1 and 2
- NIC receivers use the pair connected to pins 3 and 6
- LAN switches, because of the NIC behavior, do the opposite
- Switch receivers use the pair at pins 1 and 2
- Switch transmitters use the pair at pins 3 and 6
- GBIC (Gigabit Interface Converter)
- SFP (Small Form-factor Pluggables)
- Ethernet Header and Trailer Fields
- Preamble
- 7 Bytes
- Synchronization
- SFD (Start Frame Delimiter)
- 1 Byte
- Signifies that the next byte begins the Destination MAC Address
field
- Destination MAC Address
- 6 Bytes
- Identifies the intended recipient of this frame
- Source MAC Address
- 6 Bytes
- Identifies the sender of this frame
- Type
- 2 Bytes
- Defines the type of protocol listed inside the frame; today,
most likely identifies IPv4 or IPv6
- Data and Pad
- Holds data from a higher layer, typically an L3PDU (usually
an IPv4 or IPv6 packet). The sender adds padding to meet the minimum
length requirement for this field (46 Bytes)
- MTU (maximum transmission unit)
- defines the maximum layer 3 packet that can be sent over a medium
- because the Layer 3 packet rests inside the data portion of an
Ethernet frame, 1500 bytes is the largest IP MTU allowed over Ethernet.
- FCS (Frame Check Sequence)
- 4 Bytes
- Provides a method for the receiving NIC to determine whether
the frame experienced transmission errors
- Ethernet Addressing
- Ethernet Addresses also called MAC (Media Access Control)
- length
- 6 byte
- 48 bits
- binary number
- 12 digit hexadecimal number
- type
- Unicast
- term that represents a single NIC or other Ethernet port
- refer to the fact that the address represents one interface
to the Ethernet LAN
- group addresses
- Broadcast
- Frames sent to this address should be delivered to all devices
on the Ethernet LAN
- value
- FFFF.FFFF.FFFF
- Multicast
- Frames sent to a multicast Ethernet address will be copied and
forwarded to a subset of the devices on the LAN that volunteers to receive
frames to a specific multicast address
- OUI (Organizationally Unique Identifier)
- 3 byte code
- 24 bits
- 6 Hex Digits
- Ethernet Type Fields or EtherType
- sits in the Ethernet Data Link layer header
- its purpose is to directly help the network processing on routers
and hosts.
- identifies the type of network layer packet that sits inside
the Ethernet frame
- Error detection with FCS
- FCS is in the ethernet trailer
- the only field in the Ethernet trailer
- gives the receiving node a way to compare results with the sender,
to discover whether errors occurred in the frame
- The sender applies a complex math formula to the frame before
sending it, storing the result of the formula in the FCS field. The receiver
applies the same math formula to the received frame and compares
its own result with the sender's. If the results are the same, the
frame did not change; otherwise, an error occurred and the receiver
discards the frame
- error detection does NOT also mean error recovery
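The five-step encapsulation process from the TCP/IP chapter and the FCS check described here, carried through in Python on real byte layouts: an HTTP request is wrapped in a TCP header (segment), an IPv4 header (packet) and an Ethernet header plus pad and FCS (frame), then unwrapped again on the receiving side, where a single flipped bit makes the FCS fail and the frame is discarded. This is an added example, not code from the cert guide; the MAC and IP addresses and the request are constructed, TCP and IP checksums are left at zero because the point here is the Ethernet trailer, and the FCS is written little-endian as CRC-32 appears in packet captures.

```python
import socket
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
MIN_DATA = 46           # Ethernet Data and Pad field minimum; shorter payloads get padded


def mac(dotted: str) -> bytes:
    return bytes.fromhex(dotted.replace(".", ""))


def fcs(body: bytes) -> bytes:
    """The FCS is CRC-32 over destination MAC .. pad (preamble and SFD are not covered)."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def encapsulate(app_data: bytes, src_ip: str, dst_ip: str, sport: int, dport: int,
                src_mac: bytes, dst_mac: bytes) -> bytes:
    """Steps 1-4 of the sending process; step 5 (transmitting the bits) is the NIC's job."""
    # Step 1: the application data already carries its application-layer header (an HTTP request line).
    # Step 2: transport header -> segment (20-byte TCP header: ports, seq, ack, offset, flags, window, cksum, urg).
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    segment = tcp_header + app_data
    # Step 3: network header -> packet (20-byte IPv4 header, protocol 6 = TCP, checksum left 0 here).
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000, 64, 6, 0,
                            socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    packet = ip_header + segment
    # Step 4: data link header and trailer -> frame; pad to 46 bytes, then append the FCS.
    data_and_pad = packet + b"\x00" * max(0, MIN_DATA - len(packet))
    body = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + data_and_pad
    return body + fcs(body)


def deencapsulate(frame: bytes):
    """Receiver side: verify the FCS, then strip one header per layer.
    Returns (src_ip, dst_ip, sport, dport, app_data), or None when the frame is discarded."""
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        return None                             # error detected -> frame discarded; nothing here recovers it
    (ethertype,) = struct.unpack("!H", body[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip_header = body[14:34]
    ihl = (ip_header[0] & 0x0F) * 4
    (total_length,) = struct.unpack("!H", ip_header[2:4])
    if ip_header[9] != 6:
        return None
    packet = body[14:14 + total_length]         # IP total length tells us where the Ethernet pad starts
    tcp = packet[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    src_ip, dst_ip = socket.inet_ntoa(ip_header[12:16]), socket.inet_ntoa(ip_header[16:20])
    return src_ip, dst_ip, sport, dport, tcp[data_offset:]


def demo() -> dict:
    """Constructed exchange: PC1 (10.1.1.5) sends an HTTP request to 10.1.1.1 on the same LAN."""
    pc1, r1 = mac("0200.1111.aaaa"), mac("0200.1111.0001")
    frame = encapsulate(b"GET / HTTP/1.1\r\n\r\n", "10.1.1.5", "10.1.1.1", 49152, 80, pc1, r1)
    damaged = bytearray(frame)
    damaged[40] ^= 0x01                         # one bit flipped in transit, inside the TCP header
    tiny = encapsulate(b"", "10.1.1.5", "10.1.1.1", 49152, 80, pc1, r1)   # needs padding
    return {
        "frame_len": len(frame),
        "received": deencapsulate(frame),
        "damaged": deencapsulate(bytes(damaged)),
        "tiny_len": len(tiny),                  # 64 bytes: the Ethernet minimum frame size
        "tiny_received": deencapsulate(tiny),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The damaged frame comes back as None and nothing in this code asks for a retransmission; that is the "detection is not recovery" point, and it is TCP, one layer up, that would notice the missing segment and resend it.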
- Half-Duplex
- refers to the logic in which a port sends data only when it is not
also receiving data; in other words, it cannot send and receive at
the same time.
- used for Hubs
- Full-Duplex
- the absence of the half-duplex restriction
- sends and receives data at the same time
- Wireless
- devices
- AP (Access point)
- acts like an Ethernet switch
- 03. Fundamentals of WANs
- Ethernet as a WAN Technology
- Ethernet emulation
- Ethernet over MPLS - EoMPLS (Ethernet over MultiProtocol Label
Switching)
- Point-to-Point connection between two customer devices
- Behavior as if a fiber Ethernet link existed between the two
devices
- Internet Access links
- Leased Line WANs
- works a lot like an Ethernet crossover cable connecting two
routers, but with few distance limitations
- uses full-duplex
- refers to the fact that the company using the leased line does not
own the line, but instead pays a monthly lease fee to use it
- Service Provider (SP): any company that provides any form of WAN
connectivity, including Internet services
- CPE (Customer premises equipment)
- router
- Serial interface card
- CSU/DSU (Channel Service Unit/Data Service Unit)
- Predefined speeds
- slower speed links run at multiples of 64 kbps
- faster speed links run at multiples of about 1.5 Mbps
- WAN link in a Lab
- two serial cables
- one serial DTE (Data Terminal Equipment) cable
- has male connector
- one serial DCE (Data Communications Equipment) cable
- has female connector
- CSU/DSU provides a function called Clocking
- in which it tells the router when to send each bit through signaling
over the serial cable
- a router serial interface can provide clocking but the router
does not do so unless configured with the clock rate command
- Layer 1 Service
- Data link Layer Protocols
- HDLC (High-Level Data Link Control)
- exists today as a standard of the ISO (International Organization
for Standardization)
- PPP (Point-to-Point Protocol)
- DSL (Digital Subscriber Line)
- uses the same single-pair telephone line used for a typical
home phone line
- DSLAM (DSL Access Multiplexer)
- splits out the data over to the router on the lower right which
completes the connection to the internet
- also splits out the voice signals over to the voice switch on
the upper right
- uses asymmetric speeds
- Cable
- uses asymmetric speeds
- steps data takes
- 1. to send the IP packet to router R1 next, PC1 encapsulates the
IP packet in an Ethernet frame that has the destination MAC address
of R1
- 2. Router R1 deencapsulates (removes) the IP packet from the
Ethernet frame and encapsulates the packet into a new Ethernet frame,
with a new Ethernet header and trailer. The destination MAC address
is R2's G0/0 MAC address, and the source MAC address is R1's
G0/1 MAC address. R1 forwards this frame over the EoMPLS service
to R2 next.
- 3. Router R2 deencapsulates (removes) the IP packet from the Ethernet
frame received over the EoMPLS service, encapsulates the packet into a
new Ethernet frame that has the destination MAC address of PC2, and
forwards the Ethernet frame to PC2
- telco
- common abbreviation for telephone company
- installs a large network of cables and specialized switching
devices to create its own computer network
- creates a service that acts like a crossover cable between two
points, but the physical reality is hidden from the customer
- 04. Fundamentals of IPv4 Addressing and Routing
- IP routing
- the process of hosts and routers forwarding IP packets (Layer
3 PDUs), while relying on the underlying LANs and WANs to forward
the bits
- general process
- IP routing table lists IP address groupings
- IP networks
- IP subnets
- When a router receives a packet, it compares the packet's
destination IP address to the entries in the routing table and makes a match.
This matching entry also lists directions that tell the router where
to forward the packet next.
- uses ARP to dynamically learn the data link address of an IP host
connected to a LAN
- two main concepts
- The process of routing forwards Layer 3 packets, also called
Layer 3 PDU (Protocol Data Units), based on the destination Layer
3 address in the packet
- The routing process uses the data link layer to encapsulate
the Layer 3 packets into Layer 2 frames for transmission across
each successive data link
- IPv4 Routing
- two-step logic
- 1. If the destination IP address is in the same IP subnet as I am,
send the packet directly to that destination host.
- 2. Otherwise, send the packet to my default gateway, also known
as a default router. (This router has an interface on the same subnet
as the host)
- Router fowarding logic
- 1. Use the data link Frame Check Sequence (FCS) field to ensure
that the frame had no errors; if errors occurred, discard the frame.
- 2. Assuming that the frame was not discarded at Step 1, discard
the old data link header and trailer, leaving the IP packet.
- 3. Compare the IP packet's destination IP address to the
routing table, and find the route that best matches the destination
address. This route identifies the outgoing interface of the router,
and possibly the next-hop router IP address.
- 4. Encapsulate the IP packet inside a new data link layer header
and trailer, appropriate for the outgoing interface, and forward
the frame.
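The two-step host logic and the four-step router logic above, as a Python model built on the standard library's ipaddress module: the host decides between direct delivery and its default gateway by testing the destination against its own subnet, and the router discards on a bad FCS, then picks the longest matching prefix, with the default route 0.0.0.0/0 matching everything but losing to any more specific entry. This is an added example, not from the cert guide; router R1's table, the interface names and the addresses are constructed.

```python
from ipaddress import ip_address, ip_interface, ip_network


class Host:
    """The two-step host logic: same subnet -> send directly, otherwise -> default gateway."""

    def __init__(self, addr_with_prefix: str, default_gateway: str):
        self.iface = ip_interface(addr_with_prefix)
        self.gateway = ip_address(default_gateway)

    def next_hop(self, dst: str) -> tuple:
        dst_ip = ip_address(dst)
        if dst_ip in self.iface.network:
            return ("direct", str(dst_ip))              # ARP for the destination itself
        return ("default-gateway", str(self.gateway))   # ARP for the router


class Router:
    """Destination-based forwarding with longest-prefix match over a routing table."""

    def __init__(self):
        self.table = []   # (source code, network, outgoing interface, next-hop or None)

    def add_route(self, code: str, network: str, out_iface: str, next_hop: str = None) -> None:
        self.table.append((code, ip_network(network), out_iface, next_hop))

    def lookup(self, dst: str):
        """Most specific (longest prefix) route wins; 0.0.0.0/0 matches everything but loses to any other match."""
        dst_ip = ip_address(dst)
        best = None
        for code, net, iface, nh in self.table:
            if dst_ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (code, net, iface, nh)
        return best

    def forward(self, fcs_ok: bool, dst: str) -> dict:
        """The four-step router logic, reduced to its decisions."""
        if not fcs_ok:
            return {"action": "discard", "reason": "FCS error"}          # step 1
        # step 2: the old data link header and trailer are gone; only the IP packet matters now
        route = self.lookup(dst)                                            # step 3
        if route is None:
            return {"action": "discard", "reason": "no route"}
        code, net, iface, nh = route
        return {"action": "forward", "via": str(net), "code": code,        # step 4
                "out_iface": iface, "next_hop": nh or dst}                 # connected: next hop is the host itself


def build_r1() -> Router:
    """Constructed table for router R1: connected LAN and WAN links, a summary, a specific, a default."""
    r1 = Router()
    r1.add_route("C", "10.1.1.0/24", "G0/1")
    r1.add_route("C", "192.168.12.0/30", "S0/0/0")
    r1.add_route("C", "192.168.13.0/30", "S0/0/1")
    r1.add_route("S", "10.1.0.0/16", "S0/0/0", "192.168.12.2")     # summary route
    r1.add_route("S", "10.1.3.0/24", "S0/0/1", "192.168.13.2")     # more specific, via a different neighbor
    r1.add_route("S*", "0.0.0.0/0", "S0/0/0", "192.168.12.2")      # default route
    return r1


def demo() -> dict:
    pc1 = Host("10.1.1.10/24", "10.1.1.1")
    r1 = build_r1()
    return {
        "host_same_subnet": pc1.next_hop("10.1.1.20"),
        "host_remote": pc1.next_hop("10.1.3.7"),
        "lpm_specific": r1.forward(True, "10.1.3.7"),
        "lpm_summary": r1.forward(True, "10.1.9.9"),
        "default": r1.forward(True, "8.8.8.8"),
        "connected": r1.forward(True, "10.1.1.20"),
        "bad_fcs": r1.forward(False, "10.1.3.7"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that neither the host nor the router ever looks at the source address: forwarding is purely destination-based, which is why a more specific route injected anywhere in the table silently wins over the summary and the default.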
- IP addressing
- Addresses used to identify a packet's source and destination
host computer. Addressing rules also organize addresses into groups,
which greatly assists the routing process
- IP network
- means a very specific concept
- Internetwork
- refers more generally to a network made up of routers, switches,
cables and other equipment.
- IP address
- consists of a 32-bit number, usually written in DDN (Dotted Decimal
Notation)
- each byte / octet (8 bits) is shown as its decimal equivalent
separated by dots
- the range of decimal number for each octet is from 0 to 255
- each NIC has its own unique IP address
- Classes
- A - Unicast
- 1 - 126
- Private addresses
- host id size
- 24 bits
- 10.0.0.0 - 10.255.255.255
- reserved
- 127
- is reserved for loopback testing and interprocess communication
on the local computer.
- B - Unicast
- 128 - 191
- Private addresses
- host id size
- 20 bits
- 172.16.0.0 - 172.31.255.255
- C - Unicast
- 192 - 223
- Private addresses
- host id size
- 16 bits
- 192.168.0.0 - 192.168.255.255
- D - Multicast
- 224 - 239
- E - Experimental
- 240 - 255
- Classful IP network
- refers to any class A, B, C, because it is defined by class A, B,
C, rules
- Network ID = network number = network address
- IP Grouping
- IP networks
- IP subnets
- All IP addresses in the same group must not be separated from
each other by a router
- IP addresses separated by a router must be in different groups
- Subnetting
- Def.
- defines methods of further subdividing IPv4 addresses into
groups that are smaller than a single IP network
- defines a flexible way for anyone to take a single class A, B, or
C network and further subdivide it into even smaller groups of consecutive
IP addresses.
- IP routing protocols
- A protocol that aids routers by dynamically learning about
the IP address groups so that a router knows where to route IP packets
so that they go to the right destination host.
- IPv4 Routing Protocols
- Goals
- To dynamically learn and fill the routing table with a route
to each subnet in the internetwork
- If more than one route is available, to place the best route in
the routing table
- To notice when routes in the table are no longer valid, and to
remove them from the routing table.
- If a route is removed from the routing table and another route
through another neighboring router is available, to add the route to
the routing table.
- To work quickly when adding new routes or replacing lost routes.
(The time between losing the route and finding a working replacement
route is called convergence time.)
- To prevent routing loops.
- General steps for learning routes
- 1. Each router, independent of the routing protocol, adds a
route to its routing table for each subnet directly connected to the
router
- 2. Each router's routing protocol tells its neighbors
about the routes in its routing table, including the directly connected
routes, and routes learned from other routers.
- 3. After learning a new route from a neighbor, the router's
routing protocol adds a route to its IP routing table with the next-hop
router of that route typically being the neighbor from which the
route was learned.
- Other utilities
- DNS (Domain Name System)
- ARP (Address Resolution Protocol)
- ARP dynamically learns the data link address of an IP host connected
to a LAN
- def.
- the method by which any host or router on a LAN can dynamically
learn the MAC address of another IP host or router on the same LAN.
- ARP Request
- is a message that asks the simple request "if this is your
IP address, please reply with your MAC address"
- ARP Reply
- is a message which indeed lists both the original IP address
and the matching MAC address.
- hosts remember the ARP results, keeping the information in
their ARP cache or ARP table
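The ARP exchange above, as a Python simulation of one LAN: the request goes to the broadcast MAC, the owner of the IP answers with a unicast reply, and both sides keep the result in their ARP cache so the next lookup sends nothing. This is an added example, not from the cert guide; the hosts, addresses and the "strict" option are constructed. The strict option, which accepts a reply only when the node has a request outstanding for that IP, is a simplification for illustration rather than a description of any particular operating system.

```python
BROADCAST = "ffff.ffff.ffff"


class Lan:
    """One broadcast domain: every frame is delivered to every attached node except the sender."""

    def __init__(self):
        self.nodes = []
        self.frames = []   # everything that crossed the wire, for inspection

    def send(self, frame: dict) -> None:
        self.frames.append(frame)
        for node in list(self.nodes):
            if node.mac != frame["src"]:
                node.receive(frame)


class Node:
    def __init__(self, lan: Lan, name: str, ip: str, mac: str, strict: bool = False):
        self.lan, self.name, self.ip, self.mac = lan, name, ip, mac
        self.strict = strict          # only accept replies to a request this node actually sent
        self.arp_cache = {}           # ip -> mac, what "arp -a" / "show ip arp" would print
        self.pending = set()          # IPs with an outstanding request
        self.ignored_replies = 0
        lan.nodes.append(self)

    def resolve(self, target_ip: str):
        """Return the MAC for target_ip, sending an ARP Request first if it is not cached."""
        if target_ip not in self.arp_cache:
            self.pending.add(target_ip)
            self.lan.send({"dst": BROADCAST, "src": self.mac, "op": "request",
                           "sender_ip": self.ip, "sender_mac": self.mac, "target_ip": target_ip})
        return self.arp_cache.get(target_ip)     # still None if nobody answered

    def receive(self, frame: dict) -> None:
        if frame["dst"] not in (BROADCAST, self.mac):
            return
        if frame["op"] == "request" and frame["target_ip"] == self.ip:
            # "If this is your IP address, please reply with your MAC address"
            self.arp_cache[frame["sender_ip"]] = frame["sender_mac"]   # the asker's mapping comes for free
            self.lan.send({"dst": frame["sender_mac"], "src": self.mac, "op": "reply",
                           "sender_ip": self.ip, "sender_mac": self.mac,
                           "target_ip": frame["sender_ip"]})
        elif frame["op"] == "reply":
            if self.strict and frame["sender_ip"] not in self.pending:
                self.ignored_replies += 1       # unsolicited reply: nothing we asked about
                return
            self.arp_cache[frame["sender_ip"]] = frame["sender_mac"]
            self.pending.discard(frame["sender_ip"])


def demo() -> dict:
    lan = Lan()
    r1 = Node(lan, "R1", "10.1.1.1", "0200.0000.0001")
    pc1 = Node(lan, "PC1", "10.1.1.10", "0200.0000.0010")
    pc2 = Node(lan, "PC2", "10.1.1.11", "0200.0000.0011", strict=True)
    first = pc1.resolve("10.1.1.1")          # request goes out, reply comes back, cache filled
    second = pc1.resolve("10.1.1.1")         # served from the cache, nothing sent
    pc2.resolve("10.1.1.1")
    frames_after_lookups = len(lan.frames)
    # A reply nobody asked for, claiming R1's IP. Plain ARP carries nothing that distinguishes it from a real one.
    rogue = Node(lan, "rogue", "10.1.1.66", "0200.0000.0099")
    lan.send({"dst": BROADCAST, "src": rogue.mac, "op": "reply",
              "sender_ip": "10.1.1.1", "sender_mac": rogue.mac, "target_ip": "10.1.1.10"})
    return {
        "first": first, "second": second,
        "request_was_broadcast": lan.frames[0]["dst"] == BROADCAST,
        "reply_was_unicast": lan.frames[1]["dst"] == pc1.mac,
        "frames_for_two_lookups_and_one_cache_hit": frames_after_lookups,
        "pc1_after_rogue": pc1.arp_cache["10.1.1.1"],
        "pc2_after_rogue": pc2.arp_cache["10.1.1.1"],
        "pc2_ignored": pc2.ignored_replies,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The last three results are the practitioner's caveat: because the cache simply records whatever reply arrives, PC1 ends up sending traffic for 10.1.1.1 to the rogue MAC, while the strict node keeps the correct entry. That check is not a defence on its own (a forged reply can still race the genuine one), but it shows exactly which assumption the protocol leaves unverified.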
- Ping (Packet Internet Groper)
- Uses ICMP (Internet Control Message Protocol) sending a message
called an ICMP echo request to another IP address.
- The computer with that IP address should reply with an ICMP echo
reply.
- Path selection
- sometimes used to refer to the routing process
- other times it refers to routing protocols, specifically how
routing protocols
- Default router
- on a router, the route that is considered to match all packets
that are not otherwise matched by some more specific route
- also referred as the "default gateway"
- 05. Fundamentals of TCP/IP Transport and Applications
- Layer 4 protocols
- TCP (Transmission Control Protocol)
- provides a variety of services to applications, whereas UDP
does not.
- provides error recovery
- to do so it consumes more bandwidth and uses more processing
cycles.
- TCP header fields
- Source port (16 bits)
- identifies the sending port
- Destination port (16 bits)
- identifies the receiving port
- Sequence number (32 bits)
- dual role
- if the SYN flag is set (1), then this is the initial sequence number.
The sequence number of the actual first data byte and the acknowledged
number in corresponding ACK are then this number plus 1.
- if the SYN flag is clear (0), then this is the accumulated sequence
number of the first data byte of this segment for the current session.
- the sequence number field is used to set a number on each TCP packet
so that the TCP stream can be properly sequenced. The sequence
number is then returned in the ACK field to acknowledge that the packet
was properly received
- Acknowledgment number (32 bits)
- if the ACK flag is set then the value of this field is the next sequence
number that the receiver is expecting. This acknowledges receipt
of all prior bytes (if any). The first ACK sent by each end acknowledges
the other end's initial sequence number itself, but no data.
- Data Offset (4 bits)
- specifies the size of the TCP header in 32-bit words.
- Reserved (3bits)
- for future use and should be set to zero
- Flags aka Control bits (9 bits)
- Window size (16 bits)
- the size of the receive window, which specifies the number of
window size units that the sender of this segment is currently willing
to receive.
- Checksum (16 bits)
- the 16 bit checksum field is used for error checking of the header
and data
- Urgent pointer (16 bits)
- if the URG flag is set then this 16 bit field is an offset from the
sequence number indicating the last urgent data byte.
- TCP connection establishment
- occurs before any of the other TCP features can begin their work.
- refers to the process of initializing sequence and acknowledgment
fields and agreeing on the port numbers used.
- three-way connection establishment flow (three-way handshake)
must complete before data transfer can begin.
- SYN (synchronize the sequence numbers)
- The first host (host A) initiates a connection by sending a packet with
the initial sequence number "X" and the synchronize
/start "SYN" bit set to indicate a connection request
- SYN-ACK
- The second host (host B) receives the SYN, records the sequence
number X, and replies by acknowledging ACK the SYN (with an ACK=X+1).
Host B includes its own initial sequence number (SEQ=Y). An ACK=20
means that the host has received 0 through 19 and expects byte 20 next.
This technique is called forward acknowledgment.
- ACK
- Host A acknowledges all bytes that host B has sent with a forward
acknowledgment indicating the next byte Host A expects to receive (ACK=Y+1).
Data transfer can then begin.
- FIN
- uses an additional flag for sequence termination
- Connection-oriented protocol
- A protocol that requires an exchange of messages before data
transfer begins, or that has a required preestablished correlation
between two endpoints.
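The header layout and the SEQ/ACK arithmetic above, as an added example that is not part of the original notes: a parser for the fixed 20-byte TCP header plus a check that three constructed segments form a valid three-way handshake. The ports, sequence numbers (X=1000, Y=5000) and payload are made up, and the checksum is left at zero because computing it needs the IP pseudo-header.

```python
"""Parse the TCP header fields and verify a three-way handshake.

Added example, not from the original notes. All segments below are
constructed by hand; ports, sequence numbers and payload are made up.
"""
import struct
from dataclasses import dataclass

# The 9 control bits in header order: bit 8 = NS ... bit 0 = FIN.
FLAG_NAMES = ["NS", "CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int      # header length in 32-bit words (5 = no options)
    flags: set
    window: int
    checksum: int
    urgent_ptr: int
    payload: bytes


def parse_tcp(segment: bytes) -> TcpHeader:
    """Decode the 20-byte fixed header (network byte order) and the payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    src, dst, seq, ack, off_flags, window, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12          # top 4 bits
    reserved = (off_flags >> 9) & 0x7      # next 3 bits, must be zero
    flag_bits = off_flags & 0x1FF          # low 9 bits: NS..FIN
    if data_offset < 5:
        raise ValueError("data offset below 5 words is invalid")
    if reserved:
        raise ValueError("reserved bits must be zero")
    header_len = data_offset * 4
    if len(segment) < header_len:
        raise ValueError("segment truncated before the end of its options")
    flags = {name for i, name in enumerate(FLAG_NAMES) if flag_bits & (1 << (8 - i))}
    return TcpHeader(src, dst, seq, ack, data_offset, flags, window, csum, urg,
                     segment[header_len:])


def build_tcp(src, dst, seq, ack, flags, window=65535, payload=b"") -> bytes:
    """Build a 20-byte header with no options; checksum is left at 0 here."""
    flag_bits = 0
    for i, name in enumerate(FLAG_NAMES):
        if name in flags:
            flag_bits |= 1 << (8 - i)
    off_flags = (5 << 12) | flag_bits
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, off_flags, window, 0, 0) + payload


def check_handshake(syn: bytes, synack: bytes, ack: bytes) -> bool:
    """Forward acknowledgment as in the notes: each ACK is the peer's ISN + 1."""
    a, b, c = parse_tcp(syn), parse_tcp(synack), parse_tcp(ack)
    x, y = a.seq, b.seq
    wrap = 0xFFFFFFFF
    return (a.flags == {"SYN"}
            and b.flags == {"SYN", "ACK"} and b.ack == (x + 1) & wrap
            and c.flags == {"ACK"} and c.seq == (x + 1) & wrap
            and c.ack == (y + 1) & wrap
            and b.src_port == a.dst_port and b.dst_port == a.src_port)


# Constructed handshake: host A (port 40000) to host B (port 22), X=1000, Y=5000.
SYN = build_tcp(40000, 22, 1000, 0, {"SYN"})
SYN_ACK = build_tcp(22, 40000, 5000, 1001, {"SYN", "ACK"})
ACK = build_tcp(40000, 22, 1001, 5001, {"ACK"})

if __name__ == "__main__":
    print(parse_tcp(SYN_ACK))
    print("handshake valid:", check_handshake(SYN, SYN_ACK, ACK))
```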
- UDP (User Datagram Protocol)
- by providing fewer services, UDP needs fewer bytes in its header
compared to TCP, resulting in fewer bytes of overhead in the network.
- UDP software does not slow down data transfer in cases where
TCP can purposefully slow down.
- UDP data transfer differs from TCP data transfer in that no reordering
or recovery is accomplished
- UDP header fields
- Source port (16 bits)
- Destination port (16 bits)
- Length (16 bits)
- Checksum (16 bits)
- the UDP header has only 8 Bytes in comparison to the 20 byte TCP
header
- Connectionless protocol
- A protocol that does not require an exchange of messages and
that does not require a preestablished correlation between two
endpoints.
- Layer 4 Functions
- Multiplexing using ports
- Function that allows receiving hosts to choose the correct application
for which the data is destined, based on the port number.
- relies on a concept called a socket
- An IP address
- A transport protocol
- A port number
- Error recovery (reliability)
- Process of numbering and acknowledging data with Sequence
and Acknowledgment header fields.
- Flow control using windowing
- Process that uses window sizes to protect buffer space and routing
devices from being overloaded with traffic.
- Connection establishment and termination
- Process used to initialize port number and Sequence and Acknowledgment
fields.
- Ordered data transfer and data segmentation
- Continuous stream of bytes from an upper-layer process that
is "segmented" for transmission and delivered to
upper-layer processes at the receiving device, with the bytes in the same
order.
- TCP/IP Applications
- QoS (Quality of Service)
- in general defines the quality of the data transfer between
two applications and in the network as a whole
- characteristics
- Bandwidth
- The volume of bits per second needed for the application to
work well; it can be biased with more volume in one direction, or balanced.
- Delay
- The amount of time it takes one IP packet to flow from sender to
receiver
- Jitter
- The variation in delay
- Loss
- The percentage of packets discarded by the network before they
reach the destination, which when using TCP, requires a retransmission.
- general categories
- Interactive
- usually have a user at one end of the flow and the IP packets must
flow in both directions for meaningful work to happen
- Batch
- focus more on the bandwidth between two software processes.
- often do not even have a human user in the picture
- Real-Time
- audio and video calls over LAN
- WWW (World Wide Web)
- consists of all the internet-connected web servers in the world,
plus all internet-connected hosts with web browsers.
- web servers
- web browsers
- URL (Uniform Resource Locator) - web address
- Review.
- Weak
- Strong
- 2. Ethernet LANs and Switches
- 06. Building Ethernet LANs with Switches
- Equipment
- hub
- bridge
- separated devices into groups called collision domains
- reduced the number of collisions that occurred in the network,
because frames inside one collision domain did not collide with frames
in another collision domain.
- increased bandwidth by giving each collision domain its own
separate bandwidth, with one sender at a time per collision domain.
- Switch
- the role of a LAN switch is to forward Ethernet frames.
- Learning MAC addresses
- build the address table by listening to incoming frames and
examining the source MAC address in the frame
- Inactivity timer
- forwarding (Forward-versus-filter decision)
- frame types
- unicast frames
- have a unicast address as a destination
- these addresses represent a single device
- broadcast frames
- has a destination MAC address of FFFF.FFFF.FFFF
- this frame should be delivered to all devices on the LAN
- multicast frames
- are ignored.
- flooding frames
- flooding
- switches flood unknown unicast frames
- the switch forwards copies of the frame out all ports, except
the port on which the frame was received.
- also forward broadcast frames
- steps
- 1. Deciding when to forward a frame or when to filter a frame,
based on the destination MAC address.
- 1.1. If the destination address is a broadcast, multicast,
or unknown destination unicast, the switch floods the frame
- 1.2. If the destination is a known unicast address
- 1.2.1. If the outgoing interface listed in the MAC address table
is different from the interface in which the frame was received,
the switch forwards the frame out the outgoing interface.
- 1.2.2. If the outgoing interface is the same as the interface
in which the frame was received, the switch filters the frame,
meaning that the switch simply ignores the frame and does not forward
it.
- 2. Learning MAC addresses by examining the source MAC address
of each frame received by the switch
- 2.1. For each received frame examine the source MAC address
and note the interface from which the frame was received
- 2.2. If it is not already in the table, add the MAC address and
interface it was learned on, setting the inactivity timer to 0
- 2.3. If it is already in the table, reset the inactivity timer
for the entry to 0.
- 3. Creating a (Layer 2) loop-free environment with other bridges
by using STP (Spanning Tree Protocol)
- loop prevention
- using STP (Spanning Tree Protocol)
- STP blocks some ports from forwarding frames so that only one
active path exists between any pair of LAN segments.
- STP behaves identically for a transparent bridge and a switch.
- without STP, any flooded frames would loop for an indefinite
period of time in the Ethernet networks with physically redundant
links.
- internal processing methods
- store and forward processing
- the switch must receive the entire frame before forwarding
the first bit of the frame. This allows the switch to check the FCS
before forwarding the frame.
- cut through
- The switch forwards the frame as soon as it can. This reduces
latency but does not allow the switch to discard frames that fail the
FCS check.
- fragment free
- The switch forwards the frame after receiving the first 64 bytes
of the frame, thereby avoiding forwarding frames that were errored
because of a collision.
- benefits
- switch ports connected to a single device microsegment the
LAN, providing dedicated bandwidth to that single device.
- allow multiple simultaneous conversations between devices
on different ports.
- switch ports connected to a single device support full-duplex,
in effect doubling the amount of bandwidth available to the device.
- support rate adaptation, which means that devices that use
different Ethernet speeds can communicate through the switch
- Design choices in Ethernet LANs
- Collision domains
- def.
- A set of network interface cards (NIC) for which a frame sent by
one NIC could result in a collision with a frame sent by any other
NIC in the same collision domain.
- an Ethernet concept of all ports whose transmitted frames would
cause a collision with frames sent by other devices in the collision
domain.
- For a single collision domain:
- The devices share the available bandwidth.
- The devices might inefficiently use the bandwidth because
of the effects of collisions, particularly under higher utilization.
- Broadcast domains
- def.
- is the set of devices to which the broadcast is delivered.
- is a set of NICs for which a broadcast frame sent by one NIC is received
by all other NICs in the same broadcast domain.
- Only routers separate the LAN into multiple broadcast domains.
- using smaller broadcast domains can also improve security,
because of limiting broadcasts and because of robust security features
in routers.
- VLANs
- Campus design terminology
- switch roles
- Access
- connect directly to end users, providing user device access
to the LAN
- Provides a connection point (access) for end-user devices.
Does not forward frames between two other access switches under
normal circumstances.
- Distribution
- most designs use at least two uplinks to two different distribution
switches for redundancy
- Provides an aggregation point for access switches, forwarding
frames between switches, but not connecting directly to end user devices.
- Core
- the largest campus LANs often use core switches to forward traffic
between distribution switches.
- Aggregates distribution switches in very large campus LANs,
providing very high forwarding rates.
- Ethernet LAN media and Cable lengths
- most common types of Ethernet used today
- 10BASE-T
- CAT3
- 100 m
- 100BASE-T
- CAT5
- 100 m
- 1000BASE-T
- CAT5e
- 100 m
- CAT6
- optical cable
- 1000BASE-SX
- multimode fiber
- 550 m for 50 micron fiber
- 1000BASE-LX
- multimode fiber
- 550 m for 50 micron fiber and 62 micron fiber
- 1000BASE-LX
- 9 micron single mode fiber
- 5 km
- Autonegotiation
- relies on the fact that the IEEE uses the same wiring pinouts
for 10BASE-T and 100BASE-T, and that 1000BASE-T simply adds to
those pinouts, adding two pair.
- rules
- Speed
- use your slowest supported speed
- Duplex
- if your speed = 10 or 100, use half-duplex, otherwise use full-duplex
- hubs do not react to autonegotiation messages and do not forward
the messages.
- 07. Installing and Operating Cisco LAN Switches
- CLI (Command Line Interface)
- access methods
- the console
- telnet
- port 23
- SSH (Secure Shell)
- port 22
- commands
- password configuration
- console
- Telnet
- general
- ?
- help for all commands available in this mode
- help
- text describing how to get help. No actual command help is given.
- Command ?
- text help describing all the first parameter options for the
command
- com?
- a list of all commands that start with com.
- command parm?
- this style of help lists all parameters beginning with the parameter
typed so far. (there is no space between parm and the ?)
- command parm<Tab>
- If you press the Tab key midword the CLI either spells the rest
of this parameter at the command line or does nothing. If the CLI
does nothing, it means that this string of characters represents
more than one possible next parameter, so the CLI does not know which
one to spell out.
- command parm1 ?
- if a space is inserted before the question mark, the CLI lists
all the next parameters and gives a brief explanation of each.
- show
- shows what's true at a single point in time, and it takes
less effort
- Cisco IOS sends the output of show commands to the user that issued
the show command, and no other users.
- Cisco IOS treats the show command as a very short lived event
- debug
- shows what's true over time, but it requires more effort.
As a result, the debug command requires more CPU cycles, but it
lets you watch what is happening in a switch while it is happening.
- Cisco IOS reacts to debug commands by creating log messages
related to that debug command's options. Any user logged in can
choose to view the log messages, just by using the terminal monitor
command from enable mode.
- Cisco treats the debug command as an ongoing task.
- the options enabled by a single debug command are not disabled
until the user takes action or until the switch is reloaded.
- reload
- disables all currently enabled debug options
- reinitialization of the software
- modes
- user mode (user EXEC mode)
- mostly for read only
- if the command prompt lists the hostname followed by a ">"
- enable mode (privileged mode or privileged EXEC mode)
- privileged commands can be executed in this mode
- if the command prompt lists the hostname followed by the "#"
- EXEC commands
- reload
- Global configuration mode
- accepts configuration commands that tell the switch the details
of what to do and how to do it
- Interface configuration
- ROM monitor
- Cisco switches
- Catalyst switches
- 2960 switches
- full-featured
- low-cost wiring closet switches for enterprises
- mostly used as access switches
- main types of memory
- RAM
- used by the switch just as it is used by any other computer, for
working storage. The running (active) configuration file is stored
here.
- WORKING MEMORY AND RUNNING CONFIGURATION
- ROM
- stores a bootstrap (or boothelper) program that is loaded when
the switch first powers on. This bootstrap program then finds the
full Cisco IOS image and manages the process of loading Cisco IOS
into RAM, at which point Cisco IOS takes over operation of the switch.
- BOOTSTRAP PROGRAM
- Flash memory
- either a chip inside the switch or a removable memory card, flash
memory stores fully functional Cisco IOS images and is the default
location where the switch gets its Cisco IOS at boot time. Flash memory
also can be used to store any other files, including backup copies
of configuration files.
- CISCO IOS SOFTWARE
- NVRAM (Nonvolatile RAM)
- stores the initial or startup configuration file that is used
when the switch is first powered on and when the switch is reloaded.
- STARTUP CONFIGURATION
- Configuration files
- Startup config
- Stores the initial configuration used anytime the switch reloads
Cisco IOS
- NVRAM
- Running config
- Stores the currently used configuration commands. This file
changes dynamically when someone enters commands in configuration
mode
- RAM
- 08. Configuring Ethernet Switching
- securing the switch CLI
- enable passwords
- user mode
- the console
- console line configuration mode
- Telnet
- vty password
- vty line configuration mode
- SSH
- Configuring
- 1. Configure the vty lines to use usernames, with either locally
configured usernames using the "login local" command or a AAA
server.
- 2. If using locally defined usernames, add one or more "username"
global configuration commands to configure username/password pairs.
- 3. Configure the switch to generate a matched public and private
key pair to use for encryption:
- 3.1. As a prerequisite for the next command, configure a DNS
domain name with the "ip domain-name" name global configuration
command
- 3.2. Create the encryption keys using the "crypto key
generate rsa" global configuration command
- 4. Enable SSH Version 2 using the "ip ssh version 2"
global command for enhanced security
- limitations
- the switch supports RSA authentication
- SSH supports only the execution-shell application
- The SSH server and SSH client are supported only on DES (56 bit)
and 3DES (168 bit) data encryption software
- the switch does not support the AES symmetric encryption algorithm.
- enable mode
- Password encryption
- Access
- Local Usernames and Passwords
- External Authentication Servers
- AAA server (Authentication, Authorization and Accounting)
- RADIUS
- TACACS+
- Ex. Configuring basic passwords and a Host Name
- Resulting running config file on switch emma
- commands
- user EXEC mode
- Privileged EXEC (enable) mode
- show
- ip ssh
- lists status information about the SSH server itself
- ssh
- lists information about each SSH client currently connected
to the switch
- the "|" at the end of a "show" command
- sends (pipes) the output of the command to another function
like
- begin
- section
- history
- lists the commands currently held in history buffer
- interfaces vlan 1
- shows the interface status of the VLAN 1 interface
- lists the interface's IP address
- transport input
- all (telnet ssh)
- supports both telnet and ssh
- none
- support neither
- telnet
- support only telnet
- SSH
- support only SSH
- Global configuration mode
- service password-encryption
- global configuration command that affects how IOS stores passwords
for the password command, in both console and vty modes, and for the username
password global command.
- the encryption type used by the "service password-encryption"
command, as noted with the "7" in the password commands, is
weak.
- rules
- At the moment that the "service password-encryption"
command is configured, IOS immediately encrypts all existing password
commands
- While the "service password-encryption" command
remains in the configuration, IOS encrypts these same passwords if
their values are changed.
- At the moment the "no service password-encryption" command
is used, disabling password encryption, IOS does nothing to the
existing passwords, leaving them all as encrypted.
- From that point forward, while the "service password-encryption"
command is no longer in the configuration, IOS stores any changed password
values for these commands as clear text.
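An added example (not from the notes or from Cisco) that audits a constructed IOS running-config for the points covered above: the SSH prerequisites, whether line and username passwords are stored clear-text or with the weak type 7 encoding, whether vty lines still accept Telnet, and whether interfaces that carry no access VLAN are shut down. The hostname, usernames, password strings and interface names are invented.

```python
"""Audit an IOS running-config against the CLI-hardening points in these notes.

Added example, not from the original notes or from Cisco. SAMPLE_CONFIG is
constructed: hostname, accounts, password strings and interfaces are made up.
"""

SAMPLE_CONFIG = """\
hostname emma
!
enable password cisco123
username fred password 7 0123456789ABCD
!
ip domain-name example.com
!
line con 0
 password letmein
 login
line vty 0 4
 password letmein
 login
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/2
 shutdown
interface FastEthernet0/3
"""


def parse_sections(config):
    """Split a config into (global commands, {'line ...'/'interface ...': [subcommands]})."""
    globals_, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):            # indented = subcommand of current section
            if current is not None:
                sections[current].append(line.strip())
        elif line.startswith(("line ", "interface ")):
            current = line
            sections[current] = []
        else:
            current = None
            globals_.append(line)
    return globals_, sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    globals_, sections = parse_sections(config)
    findings = []
    if not any(g.startswith("enable secret") for g in globals_):
        findings.append("global: no 'enable secret' (enable password is stored weakly)")
    if "ip ssh version 2" not in globals_:
        findings.append("global: 'ip ssh version 2' missing")
    if not any(g.startswith("ip domain-name ") for g in globals_):
        findings.append("global: 'ip domain-name' missing, needed before 'crypto key generate rsa'")
    for g in globals_:
        # Type 7 is the reversible encoding produced by service password-encryption.
        if g.startswith("username ") and " password 7 " in g:
            findings.append(f"global: reversible type 7 password for user '{g.split()[1]}'")
        elif g.startswith("username ") and " password " in g:
            findings.append(f"global: clear-text password for user '{g.split()[1]}'")
    for header, subs in sections.items():
        if header.startswith("line "):
            if not any(s in ("login", "login local") for s in subs):
                findings.append(f"{header}: no 'login' or 'login local'")
            for s in subs:
                if s.startswith("password 7 "):
                    findings.append(f"{header}: reversible type 7 line password")
                elif s.startswith("password "):
                    findings.append(f"{header}: clear-text line password")
            if header.startswith("line vty"):
                for s in subs:
                    if s.startswith("transport input") and ("telnet" in s or s.endswith(" all")):
                        findings.append(f"{header}: telnet allowed; use 'transport input ssh'")
        elif header.startswith("interface "):
            # Unused ports should be shut down; in-use ports carry an access VLAN.
            if "shutdown" not in subs and not any(s.startswith("switchport access vlan ") for s in subs):
                findings.append(f"{header}: not shut down and not assigned to an access VLAN")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```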
- banner
- MOTD (message of the day)
- shown before the login prompt.
- Used for temporary messages that can change from time to time
- ex. "Router down for maintenance at midnight"
- login
- shown before the login prompt but after the MOTD banner.
- used for permanent messages.
- ex. "Unauthorized Access Prohibited"
- Exec
- shown after the login prompt.
- used to supply information that should be hidden from unauthorized
users
- no logging
- disables the display of log messages
- logging console
- enables the display of log messages
- logging synchronous
- the switch can be configured to display syslog messages only
at more convenient times, such as at the end of output from a show
command
- Interface configuration
- Enabling IP for remote access
- SVI (Switched Virtual Interface) or VLAN interface
- NIC-like concept that acts like the switch's own NIC for
connecting into a LAN to send IP packets
- like a host the switch configuration assigns IP settings, like
an IP address to this VLAN interface.
- steps
- static ip
- 1. Enter VLAN 1 configuration mode using the "interface
vlan 1" global configuration command
- 2. Assign an IP address and mask using the "ip address ip-address
mask interface" subcommand
- 3. If not already enabled, enable the VLAN 1 interface using
the "no shutdown interface" subcommand
- 4. Add the "ip default-gateway ip-address" global
command to configure the default gateway
- 5. (Optional) Add the ip name-server ip-address1 ip-address2
... global command to configure the switch to use DNS to resolve
names into their matching IP address.
- DHCP
- 1. Enter VLAN 1 configuration mode using the "interface
vlan 1" global configuration command, and enable the interface
using the "no shutdown" command as necessary
- 2. Assign an IP address and mask using the "ip address dhcp"
interface command
- Verifying DHCP-learned Information on a switch
- Configuring switch interfaces
- subcommands
- duplex
- speed
- description
- port security
- basic common ideas
- define a maximum number of source MAC addresses allowed for
all frames coming in the interface
- watch all incoming frames, and keep a list of all source MAC addresses,
plus a counter of the number of different source MAC addresses
- when adding a new source MAC address to the list, if the number
of MAC addresses pushes past the configured maximum, a port security
violation has occurred. The switch takes action (the default action is
to shutdown the interface)
- useful features
- sticky secure MAC addresses
- port security learns the MAC addresses off each port and stores
those in the port security configuration (in the running-config
file)
- reduces the big effort of finding out the MAC address of each
device
- Configuring
- disable of a feature ???
- steps
- 1. make the switch interface either a static access or trunk
interface, using the "switchport mode access" or the "switchport
mode trunk" interface commands, respectively
- 2. enable port security using the "switchport port-security"
interface command.
- 3. (Optional) Override the default maximum number of allowed
MAC addresses associated with the interface (1) by using the "switchport
port-security maximum number" interface subcommand
- 4. (Optional) Override the default action to take upon a security
violation (shutdown) using the "switchport port-security violation
{protect | restrict | shutdown}" interface subcommand.
- 5. (Optional) Predefine any allowed source MAC address(es)
for this interface, using the "switchport port-security
mac-address mac-address" command. Use the command multiple times
to define more than one MAC address.
- 6. (Optional) Tell the switch to sticky learn dynamically learned
MAC addresses with the "switchport port-security mac-address
sticky" interface subcommand.
- port security does not save the configuration of the sticky
addresses
- actions when violation occurs
- switchport port-security violation
- protect
- Discards offending traffic
- restrict
- Discards offending traffic
- Sends log and SNMP messages
- shutdown
- Discards offending traffic
- Sends log and SNMP messages
- Disables the interface, discarding all traffic
- Cisco security recommendations to override the default interface
settings
- Administratively disable the interface using the shutdown
interface command
- Prevent VLAN trunking by making the port a nontrunking interface
using the switchport mode access interface subcommand
- Assign the port to an unused VLAN using the switchport access
vlan number interface subcommand
- Set the native VLAN to not be VLAN 1, but to instead be an unused
VLAN, using the switchport trunk native vlan vlan-id interface subcommand.
- Basic switch configuration
- 1. Hostname
- the name needs to help you identify the switch
- 2. Negating commands
- 3. Passwords
- for the passwords to be enabled you need to use the login command
- global configuration
- enable password
- enable secret
- connection modes
- Console
- Telnet
- SSH
- 4. Management VLAN IP address
- 5. Default gateway
- 6. Shutdown command
- 7. Logon banner
- 8. Saving configuration (backup)
- 09. Implementing Ethernet Virtual LANs
- concepts
- Def.
- LAN
- includes all devices in the same broadcast domain.
- VLAN
- a switch can configure some interfaces into one broadcast domain
and some into another, creating multiple broadcast domains. These
individual broadcast domains created by the switch are called virtual
LANs (VLAN)
- reasons for choosing to create smaller broadcast domains (VLANs)
- to reduce CPU overhead on each device by reducing the number
of devices that receive each broadcast frame
- to reduce security risks by reducing the number of hosts that
receive copies of frames that the switches flood
- broadcast
- multicast
- unknown unicasts
- to improve security for hosts that send sensitive data by keeping
those hosts on a separate VLAN
- to create more flexible designs that group users by department
or by groups that work together, instead of by physical location
- to solve problems more quickly, because the failure domain
for many problems is the same set of devices as those in the same broadcast
domain
- to reduce the workload for the STP (Spanning Tree Protocol)
by limiting a VLAN to a single access switch.
- VLAN trunking
- VLAN tagging
- def.
- the sending switch adds another header to the frame before sending
it over the trunk
- this extra trunking header includes a VLAN identifier (VLAN
ID) field so that the sending switch can associate the frame with
a particular VLAN ID, and the receiving switch can then know in
what VLAN each frame belongs.
- Concepts
- Trunking Protocols
- 802.1Q
- the more popular
- inserts an extra 4 bytes
- theoretically supports a maximum of 4096 VLAN IDs
- in practice supports a maximum of 4094
- the values 0 and 4095 are reserved
- ranges
- normal
- 1-1005
- extended
- 1005-4094
- only some switches can use extended-range
- native format
- when the cisco switches are connected to switches that do not
know VLAN trunking
- ISL (Inter-Switch Link)
- VLAN Trunking Protocol (VTP)
- is a Cisco-proprietary tool on Cisco switches that advertises
each VLAN configured in one switch (with the vlan number command)
so that all the other switches in the campus learn about that VLAN.
- modes
- server
- client
- transparent
- router on a stick
- routing packets between VLANs
- routing Layer 3 packets between Layer 3 subnets, with those
subnets each mapping to a different Layer 2 VLAN
- Configuration
- creating VLANs
- steps
- 1. From configuration mode, use the vlan vlan-id configuration
command to create the VLAN and to move the user into VLAN configuration
mode.
- 2. (Optional) Use the name name VLAN subcommand to list a name
for the VLAN. If not configured, the VLAN name is VLANZZZZ, where
ZZZZ is the 4-digit decimal VLAN ID.
- assigning VLANs to an interface
- steps
- 1. Use the interface command to move into interface configuration
mode for each desired interface.
- 2. Use the switchport access vlan id-number interface subcommand
to specify the VLAN number associated with that interface
- 3. (Optional) To disable trunking on that same interface, so
that the interface does not negotiate to become a trunk, use the switchport
mode access interface subcommand.
- Full VLAN configuration example.
- Shorter VLAN configuration example
- Trunking Administrative Mode options with the switchport
mode command
- access
- Always act as an access (nontrunk) port
- trunk
- always act as a trunk port
- dynamic desirable
- initiates negotiation messages and responds to negotiation
messages to dynamically choose whether to start using trunking
- dynamic auto
- passively waits to receive trunk negotiation messages, at
which point the switch will respond and negotiate whether to use trunking
- reasons to prevent a particular VLAN's traffic from crossing
a trunk
- A VLAN
- has been removed from the trunk's allowed VLAN list
- does not exist in the switch's configuration
- does exist, but has been administratively disabled (shutdown)
- has been automatically pruned by VTP
- STP instance has placed the trunk interface into a blocking
state.
- configuration
- 10. Troubleshooting Ethernet LANs
- Organized troubleshooting processes
- Analyzing/predicting normal operation
- Predict the details of what should happen if the network is working
correctly, based on documentation, configuration and show and debug command
output
- Problem isolation
- Determine how far along the expected path the frame/packet
goes before it cannot be forwarded any further, again based on documentation,
configuration, and show and debug command output
- Root cause analysis
- Identify the underlying causes of the problems identified
in the preceding step, specifically the causes that have a specific
action with which the problem can be fixed.
- Analyzing LAN Topology Using CDP (Cisco Discovery Protocol)
- CDP (Cisco Discovery Protocol)
- Used to confirm the documentation, and learn about the network
topology to predict normal operation of the network.
- discovers basic information about neighboring routers and
switches without needing to know the passwords for the neighboring devices.
- CDP information
- Device identifier
- typically the host name
- Address list
- Network and data link addresses
- Port identifier
- The interface on the remote router or switch on the other end
of the link that sent the CDP advertisement.
- Capabilities list
- Information on what type of device it is (for example, a router
or a switch)
- Platform
- The model and OS level running on the device
- Commands
- show cdp neighbors "type number"
- show cdp neighbors detail
- show cdp entry "name"
- show cdp
- show cdp interface "type number"
- show cdp traffic
- Analyzing Switch Interface Status
- Interfaces must be in working state before a switch will forward
frames on the interface. You must determine whether an interface is
working, as well as determine the potential root causes for a failed switch
interface.
- interface status codes
- LAN switch interfaces typically show an interface with both
codes with the same value, either "up" or "down"
- Any interface state other than "connected" or "up/up"
means that the switch will not forward or receive frames on the interface.
- Types
- line status
- generally refer to whether Layer 1 is working
- protocol status
- generally refer to whether Layer 2 is working
- interface status
- this single interface status code corresponds to different
combinations of the traditional two-code interface status codes and can
be easily correlated to those codes.
- Typical status codes root cause
- The interface is configured with the shutdown command
- Line status
- Administratively down
- Protocol status
- down
- Interface status
- disabled
- No cable, bad cable, wrong cable pinouts; the speeds are mismatched
on the two connected devices; the device on the other end of the
cable is powered off, shutdown or error disabled.
- Line status
- down
- Protocol status
- down
- Interface status
- notconnect
- An interface up/down state is not expected on LAN switch physical
interfaces
- Line status
- up
- Protocol status
- down
- Interface status
- notconnect
- Port security has disabled the interface
- Line status
- down
- Protocol status
- down (err-disabled)
- Interface status
- err-disabled
- The interface is working
- Line status
- up
- Protocol status
- up
- Interface status
- connected
- interface speed and duplex issues
- Default duplex
- if the speed is not known through any means, use 10 Mbps, half-duplex.
- if the switch successfully senses the speed without IEEE autonegotiation,
by just looking at the signal on the cable
- if the speed is 10 or 100 Mbps, default to use half-duplex
- if the speed is 1000 Mbps, default to use full-duplex
- Ethernet interfaces using speeds faster than 1 Gbps always
use full-duplex.
- duplex mismatch
- On opposite ends of any Ethernet link, the condition in which
one of the two devices uses full-duplex logic and the other uses
half-duplex logic, resulting in unnecessary frame discards and retransmissions
on the link.
- Predicting Where Switches Will Forward Frames
- You must know how to analyze a switch's MAC address table
and how to then predict how a switch will forward a particular frame.
- Switch forwarding logic
- 1. Process functions on the incoming interface, if the interface
is currently in an up/up (connected) state
- 1.1. If configured, apply port security logic to filter the
frame as appropriate
- 1.2. If the port is an access port, determine the interface's
access VLAN.
- 1.3. If the port is a trunk, determine the frame's tagged
VLAN
- 2. Make a forwarding decision. Look for the frame's destination
MAC address in the MAC address table, but only for entries in the
VLAN identified in step 1. If the destination MAC is:
- 2.1. Found (unicast)
- forward the frame out the only interface listed in the matched
address table entry
- 2.2. Not Found (unicast)
- flood the frame out all other access ports (except the incoming
port) in that same VLAN, plus out trunks that have not restricted the
VLAN from that trunk (as related to the "show interfaces trunk"
command)
- 2.3. Broadcast
- flood the frame, with the same rules as the previous step.
- Port security and filtering
- Filtering
- ACL (Access Control List)
- filters based on the source and destination MAC address, discarding
some frames.
- IP ACLs
- Analyzing VLAN's and VLAN Trunks
- looks at what can go wrong with VLANs and VLAN trunks
- VLAN trunking issues
- 1. Identify all access interfaces and their assigned access
VLANs and reassign into the correct VLANs as needed
- 2. Determine whether the VLANs both exist (configured or learned
with VTP) and are active on each switch. If not, configure and activate
the VLANs to resolve problems as needed.
- 3. Check the allowed VLAN lists, on the switches on both ends
of the trunk, and ensure that the lists of allowed VLANs are the
same
- 4. Ensure that for any links that should use trunking, one switch
does not think it is trunking while the other switch does not think
it is trunking because of an unfortunate choice of configuration
settings.
- VLANs can be defined
- using the "vlan number" global configuration command
- it can be learned from another switch using VTP.
- Review.
- 3. IP version 4 Addressing and Subnetting
- 11. Perspectives on IPv4 Subnetting
- 12. Analyzing Classful IPv4 Networks
- 13. Analyzing Subnet Masks
- 14. Analyzing Existing Subnets
- Review.
- 4. Implementing IP version 4
- 15. Operating Cisco Routers
- 16. Configuring IPv4 Addresses and Routes
- 17. Learning IPv4 Routes with OSPFv2
- 18. Configuring and Verifying Host Connectivity
- Review.
- 5. Advanced IPv4 Addressing Concepts
- 19. Subnet Design
- 20. Variable-Length Subnet Masks
- 21. Route Summarization
- Review.
- 6. IPv4 Services
- 22. Basic IPv4 Access Control Lists
- 23. Advanced IPv4 ACLs and Device Security
- 24. Network Address Translation
- Review.
- 7. IP Version 6
- 25. Fundamentals of IP Version 6
- 26. IPv6 Addressing and Subnetting
- 27. Implementing IPv6 Addressing on Routers
- 28. Implementing IPv6 Addressing on Hosts
- 29. Implementing IPv6 Routing
- Review
- 8. Final Review
- 30. Final Review.
- ICND 2 v.2
- Cisco exam 200/201 requirements
- LAN Switching Technologies
- IP Routing Technologies
- IP Services
- Troubleshooting
- WAN Technologies
- Official ICND2 v2 Cert Guide
- 1. LAN Switching
- 01. Spanning Tree Protocol Concepts
- all steps a LAN switch takes to forward a frame
- 1. Determine the VLAN in which the frame should be forwarded:
- 1.1. If the frame arrives on an access interface, use the interface's
access VLAN.
- 1.2. If the frame arrives on a trunk interface, use the VLAN listed
in the frame's trunking header.
- 2. Add the source MAC address to the MAC address table, with incoming
interface and VLAN ID.
- 3. Look for the destination MAC address of the frame in the MAC
address table, but only for entries in the VLAN identified at step 1.
Follow one of the next steps depending on whether the destination MAC
is found:
- 3.1. Found
- forward the frame out the only interface listed in the matched
address table entry
- 3.2. Not Found
- Flood the frame out all other access ports in that same VLAN and
out all trunk ports that list this VLAN as fully supported (active,
in the allowed list, not pruned, STP forwarding)
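The forwarding steps above (and the ICND1 "Switch forwarding logic" list earlier on this page) as a runnable model. This is an added example, not code from the cert guide; the topology, port names and MAC addresses are constructed, and a trunk is modelled by its allowed-VLAN list only (VTP pruning and STP state are left out).

```python
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    name: str
    mode: str                                # "access" or "trunk"
    access_vlan: int = 1                     # used when mode == "access"
    allowed_vlans: frozenset = frozenset()   # used when mode == "trunk"
    up: bool = True                          # up/up (connected) or not

    def carries(self, vlan: int) -> bool:
        """Can this port carry frames of the given VLAN (step 3.2 egress test)?"""
        if not self.up:
            return False
        if self.mode == "access":
            return self.access_vlan == vlan
        return vlan in self.allowed_vlans    # trunk: allowed list (pruning/STP omitted)


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}                  # (vlan, mac) -> port name

    def receive(self, in_port: str, src: str, dst: str, tag: Optional[int] = None):
        """Return the ports the frame is forwarded out of.

        tag is the 802.1Q VLAN ID of a tagged frame on a trunk; None means an
        untagged frame arriving on an access port.
        """
        port = self.ports[in_port]
        if not port.up:
            return []                        # only up/up interfaces forward
        # Step 1: determine the frame's VLAN.
        if port.mode == "access":
            vlan = port.access_vlan          # 1.1 the interface's access VLAN
        else:
            if tag is None or tag not in port.allowed_vlans:
                return []                    # VLAN not allowed on this trunk
            vlan = tag                       # 1.2 VLAN from the trunking header
        # Step 2: learn the source MAC with incoming interface and VLAN.
        self.mac_table[(vlan, src)] = in_port
        # Step 3: look up the destination only among this VLAN's entries.
        if dst != BROADCAST and (vlan, dst) in self.mac_table:
            out = self.mac_table[(vlan, dst)]          # 3.1 found: one egress port
            return [] if out == in_port else [out]     # never back out the ingress port
        # 3.2 not found, or broadcast: flood out every other port carrying the VLAN.
        return sorted(name for name, p in self.ports.items()
                      if name != in_port and p.carries(vlan))


def demo():
    """Constructed topology: two access ports in VLAN 10, two in VLAN 20, and a
    trunk whose allowed list contains VLAN 10 only."""
    sw = Switch([
        Port("Gi0/1", "access", access_vlan=10),
        Port("Gi0/2", "access", access_vlan=10),
        Port("Gi0/3", "access", access_vlan=20),
        Port("Gi0/4", "access", access_vlan=20),
        Port("Gi0/24", "trunk", allowed_vlans=frozenset({10})),
    ])
    host_a, host_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    first = sw.receive("Gi0/1", src=host_a, dst=host_b)   # unknown unicast: flooded
    reply = sw.receive("Gi0/2", src=host_b, dst=host_a)   # now known: single port
    bcast = sw.receive("Gi0/3", src="02:00:00:00:00:0c", dst=BROADCAST)  # VLAN 20
    return first, reply, bcast
```

The broadcast in VLAN 20 reaches Gi0/4 but not the trunk, because VLAN 20 is not in the trunk's allowed list.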
- Problems caused by not using STP in redundant LANs
- Broadcast storms
- the forwarding of a frame repeatedly on the same links, consuming
significant parts of the links' capacities
- MAC table instability
- the continual updating of a switch's MAC address table
with incorrect entries, in reaction to looping frames, resulting
in frames being sent to the wrong locations
- Multiple frame transmission
- a side effect of looping frames in which multiple copies of one
frame are delivered to the intended host, confusing the host.
- STP limits where a switch chooses to forward frames, for the
purpose of preventing problems with loops
- STP strikes a balance, allowing frames to be delivered to each
device, without causing the problems that occur when frames loop through
the network over and over again
- STP prevents looping frames by adding an additional check on
each interface before a switch uses it to send or receive user traffic
- if the port is in STP forwarding state, use it as normal
- if the port is in STP blocking state, however, block all user
traffic and do not send or receive user traffic on that interface
- STP prevents loops by placing each switch port in either a forwarding
state or a blocking state.
- STP convergence
- refers to the process by which the switches collectively realize
that something has changed in the LAN topology and so the switches
might need to change which ports block and which ports forward.
- STA (Spanning-Tree Algorithm)
- the process used by STP to choose the interfaces that should be
placed into a forwarding state.
- for any interfaces not chosen to be in a forwarding state, STP
places the interfaces in blocking state.
- the STP algorithm creates a spanning tree of interfaces that
forward frames
- STP uses three criteria to choose whether to put an interface
in forwarding state:
- 1. STP elects a root switch. STP puts all working interfaces
on the root switch in forwarding state
- 2. Each nonroot switch considers one of its ports to have the
least administrative cost between itself and the root switch. The
cost is called that switch's root cost. STP places its port
that is part of the least root cost path, called that switch's
root port (RP), in forwarding state.
- 3. Many switches can attach to the same Ethernet segment, but
in modern networks, normally two switches connect to each link.
The switch with the lowest root cost, as compared with the other
switches attached to the same link, is placed in forwarding state. That
switch is the designated switch (also called designated bridge),
and that switch's interface, attached to that segment, is
called the designated port (DP)
- STP: Reasons for forwarding or blocking
- Forwarding
- all the root switch's ports
- the root switch is always the designated switch on all connected
segments
- each nonroot switch's root port
- the port through which the switch has the least cost to reach
the root switch (lowest root cost)
- each LAN segment's designated port
- the switch forwarding the hello on to the segment, with the lowest
root cost, is the designated switch for that segment.
- Blocking
- all other working ports
- the port is not used for forwarding user frames, nor are any frames
received on these interfaces considered for forwarding.
- STP goals for blocking ports
- All devices in a VLAN can send frames to all other devices. In
other words, STP does not block too many ports, cutting off some parts
of the LAN from other parts.
- Frames have a short life and do not loop around the network indefinitely
- STP messages identifier
- STP bridge ID (BID) is an 8 byte value unique to each switch
- consists of a 2 byte priority field and a 6 byte system ID
- BPDU (Bridge Protocol Data Units)
- switches use to exchange information with each other.
- hello BPDU
- details in BPDU
- Root bridge ID
- the bridge ID of the switch the sender of this hello currently
believes to be the root switch
- Sender's bridge ID
- the bridge ID of the switch sending this hello BPDU
- Sender's root cost
- the STP cost between this switch and the current root
- Timer values on the root switch
- includes the hello timer, MaxAge timer, and forward delay timer.
- types
- superior hello
- the listed root's BID is better (numerically lower)
- inferior hello
- the listed root's BID is worse (numerically higher)
- STP process main steps
- 1. Electing the root switch
- switches elect a root switch based on the BIDs in the BPDUs
- the lowest bridge ID
- if that ties, the lowest switch MAC address
- the root switch is the switch with the lowest numeric value for
the BID
- 2. Choosing each switch's root port
- picks the port on which the frames have the least cost path to
the root switch
- add their local interface STP cost to the root cost listed in
each received hello BPDU
- 3. Choosing the designated port on each LAN segment
- Default port costs defined by IEEE
- 100
- 10 Mbps
- 19
- 100 Mbps
- 4
- 1 Gbps
- 2
- 10 Gbps
- Reacting to state changes that affect the STP topology
- nothing is changing in the STP topology
- 1. The root creates and sends a hello BPDU, with a root cost of
0, out all its working interfaces (those in a forwarding state)
- 2. The nonroot switches receive the hello on their root ports.
After changing the hello to list their own BID as the sender's
BID, and listing that switch's root cost, the switch forwards
the hello out all designated ports.
- 3. Step 1 and step 2 repeat until something changes.
- something is changing in the STP topology
- the convergence process requires the use of three timers
- timers
- hello
- default value
- 2 seconds
- The time period between hellos created by the root
- MaxAge
- default value
- 10 times hello
- How long any switch should wait, after ceasing to hear hellos,
before trying to change the STP topology
- Forward delay
- default value
- 10 seconds
- Delay that affects the process that occurs when an interface
changes from blocking state to forwarding state. A port stays in an interim
listening state, and then an interim learning state, for the number of
seconds defined by the forward delay timer.
- Changing interface states with STP
- Temporary states that help prevent temporary loops
- Listening
- Like the blocking state, the interface does not forward frames.
The switch removes old, stale (unused) MAC table entries for which
no frames are received from each MAC address during this period.
These MAC table entries could be the cause of the temporary loops.
- Learning
- interfaces in this state still do not forward frames, but the
switch begins to learn the MAC addresses of frames received on the interface.
- STP moves an interface from blocking to listening, then to learning,
and then to forwarding state.
- Optional STP features
- EtherChannel
- combines multiple parallel segments of equal speed (up to eight)
between the same pair of switches, bundled into an EtherChannel
- PortFast
- allows a switch to immediately transition from blocking to
forwarding, bypassing listening and learning states.
- the only ports on which you can safely enable PortFast are ports
on which you know that no bridges, switches, or other STP-speaking
devices are connected; otherwise using PortFast risks creating loops.
- BPDU Guard
- helps to prevent several different types of possible security
exposures
- an attacker could connect a switch to one of these ports, one
with low STP priority value, and become the root switch. The new STP
topology could have worse performance than the desired topology.
- the attacker could plug into multiple ports, into multiple
switches, become root, and actually forward much of the traffic in the
LAN. Without the networking staff realizing it, the attacker could
use a LAN analyzer to copy large numbers of data frames sent through
the LAN.
- users could innocently harm the LAN when they connect an inexpensive
consumer LAN switch (one that does not use STP). Such a switch, without
any STP function, would not choose to block any ports and would likely
cause a loop
- RSTP (Rapid STP)
- improves network convergence when topology changes occur,
usually converging within a few seconds, or in poor conditions, in about
10 seconds
- 02. Spanning Tree Protocol Implementation
- STP modes
- PVST+/PVSTP (Per-VLAN Spanning Tree Plus / Per-VLAN Spanning
Tree Protocol)
- creates a different STP topology per VLAN
- introduced PortFast
- STP configuration
- BID priority
- Default
- Base:32,768
- Command to change default
- spanning-tree vlan "vlan-id" root {primary | secondary}
- spanning-tree vlan "vlan-id" priority "priority"
- Cisco switches use a default base priority of 32,768; the root primary
command chooses the base priority as follows:
- If the current root has a base priority higher than 24,576, the
local switch uses a base priority of 24,576.
- If the current root's base priority is 24,576 or lower, the local
switch sets its base priority to the highest multiple of 4096 that still
results in the local switch becoming root.
- Interface cost
- Default
- 100 for 10 Mbps
- 19 for 100 Mbps
- 4 for 1 Gbps
- 2 for 10 Gbps
- Command to change default
- spanning-tree vlan "vlan-id" cost "cost"
- spanning-tree "vlan x" "cost x"
- PortFast
- Default
- not enabled
- Command to change default
- spanning-tree portfast
- BPDU Guard
- Default
- not enabled
- Command to change default
- spanning-tree bpduguard enable
- EtherChannel
- two neighboring switches can treat multiple parallel links
between each other as a single logical link called an EtherChannel.
- configuration steps
- 1. Add the channel-group number mode on interface subcommand
under each physical interface that should be in the channel
- 2. Use the same number for all commands on the same switch, but
the channel-group number on the neighboring switch can differ.
- Dynamic EtherChannels
- protocols
- PAgP (Port Aggregation Protocol)
- channel-group 1 desirable
- channel-group 1 auto
- IEEE standard LACP (Link Aggregation Control Protocol)
- channel-group 1 active
- channel-group 1 passive
- STP Troubleshooting
- Determining the root switch
- BID lowest value
- first priority
- if there is a tie, then the switch MAC
- STP does not have nor need a tiebreaker for electing the root
switch
- Strategy to choose the right answer
- 1. Begin with a list or diagram of switches, and consider all
as possible root switches.
- 2. Rule out any switches that have an RP because root switches
do not have an RP (Root Port)
- show spanning-tree
- show spanning-tree root
- 3. Always try the show spanning-tree, because it identifies
the local switch as root directly: "This switch is the root"
on the fifth line of output.
- 4. Always try the show spanning-tree root, because it identifies
the local switch as root indirectly: The RP column is empty if the
local switch is the root.
- 5. When using a sim, rather than try switches randomly, chase
the RPs. For example, if starting with SW1, and SW1's G0/1
is an RP, next try the switch on the other end of SW1's G0/1
port.
- 6. When using a sim, using show spanning-tree vlan x on a few switches
and recording the root switch, RP, and DP ports can quickly show
you most STP facts. Use this strategy if available.
- Determining the root port on nonroot switches
- each nonroot switch has only one RP for a VLAN.
- the switch calculates the lowest root cost from the hello BPDU's
BID
- Tiebreakers
- 1. Choose based on the lowest neighbor bridge ID
- 2. Choose based on the lowest neighbor port priority
- 3. Choose based on the lowest neighbor internal port number
- Strategy to choose the right answer
- 1. If available look at the show spanning-tree and show spanning-tree
root commands. These both list the root port, and the first of these
also lists the root cost
- 2. the show spanning-tree command lists cost in two places:
- the root cost at the top, in the section about the root switch
- the interface cost (not the root cost) at the bottom, in the per-interface
section
- 3. For problems where you have to calculate a switch's
root cost
- 3.1. Memorize the default values
- 100
- 10 Mbps
- 19
- 100 Mbps
- 4
- 1 Gbps
- 2
- 10 Gbps
- 3.2. Look for any evidence of the spanning-tree cost configuration
command on an interface, because it overrides the default cost. Do not
assume default costs are used
- 3.3. When you know a default cost is used, if you can, check the
current actual speed as well. Cisco switches choose STP cost defaults
based on CURRENT SPEED, not maximum speed.
- Determining the DP (Designated Port) on each LAN segment
- steps
- 1. For switches connected to the same LAN segment, the switch
with the lowest cost to reach the root, as advertised in the hello
they send onto the link, becomes the DP on that link.
- 2. In the case of a tie, among the switches that tied on cost, the
switch with the lowest BID becomes the DP
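The three decisions described above (root election by lowest BID, root port by lowest root cost with the listed tiebreakers, designated port by lowest advertised cost then lowest BID) carried out on a constructed three-switch topology. This is an added example, not code from the cert guide; switch names, priorities and MAC addresses are made up, and port priorities are assumed equal so that tiebreaker is skipped.

```python
from collections import defaultdict

# IEEE default port costs listed above, keyed by link speed in Mbps.
DEFAULT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bid(switch):
    """A BID compares as (priority, MAC); the numerically lowest wins."""
    return (switch["priority"], switch["mac"])


def run_sta(switches, links):
    """switches: {name: {"priority": int, "mac": str}}
    links: list of (switch_a, port_a, switch_b, port_b, speed_mbps)
    Returns (root, {switch: root cost}, {(switch, port): "DP" | "RP" | "BLK"})."""
    # Step 1: elect the root, the switch with the lowest BID.
    root = min(switches, key=lambda s: bid(switches[s]))

    # Per switch: (local port, neighbor, neighbor port, local port cost).
    adj = defaultdict(list)
    for a, pa, b, pb, speed in links:
        cost = DEFAULT_COST[speed]
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))

    # Step 2: each nonroot switch picks its root port.  The root advertises
    # cost 0; every other switch adds its receiving port's cost to the cost in
    # each received hello and keeps the lowest.  Ties break on neighbor BID,
    # then neighbor port (port priority assumed equal, so it is skipped).
    root_cost = {s: (0 if s == root else float("inf")) for s in switches}
    root_port = {}
    changed = True
    while changed:                   # repeat the hello exchange until stable
        changed = False
        for s in switches:
            if s == root or not adj[s]:
                continue
            best = min((root_cost[nbr] + cost, bid(switches[nbr]), nbr_port, port)
                       for port, nbr, nbr_port, cost in adj[s])
            if best[0] < float("inf") and (best[0], best[3]) != (root_cost[s], root_port.get(s)):
                root_cost[s], root_port[s] = best[0], best[3]
                changed = True

    # Step 3: on each segment the switch advertising the lowest root cost is
    # the designated switch; a tie goes to the lower BID.  The other end is
    # either that switch's root port or it blocks.
    roles = {}
    for a, pa, b, pb, _ in links:
        key_a = (root_cost[a], bid(switches[a]))
        key_b = (root_cost[b], bid(switches[b]))
        dp, other = ((a, pa), (b, pb)) if key_a < key_b else ((b, pb), (a, pa))
        roles[dp] = "DP"
        roles[other] = "RP" if root_port.get(other[0]) == other[1] else "BLK"
    return root, root_cost, roles


def demo():
    """Constructed triangle: SW1 wins on priority; SW2 and SW3 tie on priority
    and on root cost, so the SW2-SW3 segment is decided by BID."""
    switches = {
        "SW1": {"priority": 24576, "mac": "0200.1111.1111"},
        "SW2": {"priority": 32768, "mac": "0200.2222.2222"},
        "SW3": {"priority": 32768, "mac": "0200.3333.3333"},
    }
    links = [
        ("SW1", "Gi0/1", "SW2", "Gi0/1", 1000),   # 1 Gbps: cost 4
        ("SW1", "Gi0/2", "SW3", "Gi0/2", 1000),   # 1 Gbps: cost 4
        ("SW2", "Gi0/3", "SW3", "Gi0/3", 100),    # 100 Mbps: cost 19
    ]
    return run_sta(switches, links)
```

In the demo, SW2 and SW3 both reach the root at cost 4, so on the SW2-SW3 segment SW2's lower BID makes its Gi0/3 the DP and SW3's Gi0/3 blocks.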
- STP Convergence
- Rules
- For interfaces that stay in the same STP state, nothing needs
to change.
- For interfaces that need to move from a forwarding state to a
blocking state, the switch immediately changes the state to blocking.
- For interfaces that need to move from blocking state to a forwarding
state, the switch first moves the interface to listening state, then
learning state, each for the time specified by the forward delay timer
(default 15 seconds). Only then is the interface placed into forwarding
state.
- EtherChannel
- Rules
- 1. On the local switch, all the channel-group commands for all
the physical interfaces must use the same channel-group number
- 2. The channel-group number can be different on the neighbouring
switches.
- 3. If using the on keyword, you must use it on the corresponding
interfaces on both switches.
- 4. If you use the desirable keyword on one switch, the switch
uses PAgP; the other switch must use either desirable or auto
- 5. If you use the active keyword on one switch, the switch uses
LACP; the other switch must use either active or passive.
- Incorrect options on the channel-group command
- Configuration checks before adding interfaces to etherchannels
- speed
- duplex
- operational access or trunking state (all must be access, or
all must be trunks)
- if an access port, the access VLAN
- if a trunk port, the allowed VLAN list (per the switchport trunk
allowed command)
- if a trunk port, the native VLAN
- STP interface settings
- settings on neighboring switches
- PAgP
- LACP
- CDP
- 03. Troubleshooting LAN Switching
- Generalized troubleshooting methodologies
- Analyzing / predicting normal operation
- answers to the question -
- What should happen in this network?
- results in a description and prediction of the details of what
should happen if the network is working correctly, based on documentation,
configuration, and show and debug command output
- terms
- data plane
- refers to actions devices take to forward data.
- analysis starts with Layer 3, then Layer 2 and Layer 1
- control plane
- refers to overhead processes that control the work done by the
network device, but does not directly impact the forwarding of individual
frames or packets.
- processes
- STP
- IP routing protocol
- CDP
- analysis
- the control plane processes differ too much to allow generalized
troubleshooting
- each control plane process must be examined separately
- summary
- 1. Examine the data plane:
- 1.1. Determine the major Layer 3 steps - including origin host
to default router, each router to the next router, and last router
to the destination host - in both directions
- 1.2. For each Layer 2 network between a host and router or between
two routers, analyze the forwarding logic for each device.
- 2. Examine the control plane:
- 2.1. Identify the control plane protocols that are used and vital
to the forwarding process.
- 2.2. Examine each vital control plane protocol for proper operation;
the details of this analysis differ for each protocol.
- 2.3. Defer any analysis of control plane protocols that do not
affect the data plane's correct operation until you clearly
see a need for the protocol to answer that question (for example
CDP)
- Problem isolation
- answers to the question -
- What specifically is not working?
- when some problem might be occurring, find the components that
do not work correctly as compared to the predicted behavior. Then
find out what might be causing that problem and so on, based on documentation,
configuration, and show and debug command output.
- refers to the process of starting with a general idea, and getting
more and more specific.
- states
- Before problem isolation
- I have no idea, except for some general symptoms
- After problem isolation
- I have an idea of what is not working, a comparison to how it should
be working, and I know on which devices it should be working differently.
- summary
- 1. Begin by examining the layer 3 data plane (IP forwarding),
comparing the results to the expected normal behavior until you identify
the first major routing step that fails.
- 2. Further isolate the problem to as few components as possible
- 2.1. Examine functions at all layers, but focusing on layers
1, 2 and 3.
- 2.2. Examine both data plane and control plane functions.
- Root cause analysis
- answers to the question -
- What can we fix that solves the problem?
- identifies the underlying causes of the problems identified
in the previous step, specifically the causes that have a specific
action with which the problem can be fixed.
- summary
- 1. Continue isolating the problem until you identify the true
root cause, which in turn has an obvious solution
- 2. If you cannot reduce the problem to its true root cause, isolate
the problem as much as possible and change something in the network,
which may change the symptoms and help you identify the root cause.
- Troubleshooting the LAN switching data plane
- 1. Confirm the network diagrams using CDP
- Verify the accuracy of and complete the information listed
in the network diagram using CDP
- 2. Isolate interface problems
- Check for interface problems as follows:
- 1. Determine interface status code(s) for each required interface,
and if not in a connected or up/up state, resolve the problems until
the interface reaches the connected or up/up state.
- 2. For interfaces in a connected up/up state, also check for
two other problems:
- duplex mismatch
- some variations of port security purposefully dropping frames.
- identify duplex mismatch problems
- use commands like show interface on each end of the link to confirm
the duplex setting on each end.
- watch for increases to certain counters on half-duplex interfaces.
Those counters (runts, collisions, and late collisions) climb when
the other device uses full duplex.
- 3. Isolate filtering and port security problems.
- port security features
- limit which specific MAC addresses can send and receive frames
on a switch interface, discarding frames to/from other MAC addresses
- limit the number of MAC addresses using the interface, discarding
frames to/from MAC addresses learned after the maximum limit is reached
- a combination of the previous two points.
- Check for port security problems as follows:
- 1. Identify all interfaces on which port security is enabled
- show running-config
- show port-security
- 2. Determine whether a security violation is currently occurring
based in part on the violation mode of the interface's port security
configuration:
- violation modes
- 2.1. shutdown
- the interface will be in an err-disabled state
- Discards offending traffic
- Disables the interface, discarding all traffic
- Increments violation counter for each violating frame
- 2.2. restrict
- the interface will be in a connected state, but the show port-security
interface command will show an incrementing violations counter.
- Discards offending traffic
- Increments violation counter for each violating frame
- 2.3. protect
- the interface will be in a connected state, and the show port-security
interface command will not show an incrementing violations counter.
- Discards offending traffic
- 3. In all cases, compare the port security configuration to
the diagram and to the last source address field in the output of
the show port-security interface command
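A model of the three violation modes above, showing what each does to the interface status, the violation counter and the last source address that a troubleshooter would compare against the diagram. This is an added example, not code from the cert guide; the MAC addresses and traffic sequence are constructed, and only the "shutdown", "restrict" and "protect" behaviour listed above is modelled.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    violation_mode: str                         # "shutdown" | "restrict" | "protect"
    maximum: int = 1                            # maximum secure MAC addresses
    allowed: set = field(default_factory=set)   # statically configured secure MACs
    learned: set = field(default_factory=set)   # dynamically learned secure MACs
    violations: int = 0                         # the violation counter
    last_source: str = ""                       # last source address seen on the port
    status: str = "connected"                   # "connected" | "err-disabled"

    def secure_macs(self):
        return self.allowed | self.learned

    def frame_in(self, src_mac: str) -> bool:
        """Process one inbound frame; True if accepted, False if discarded."""
        if self.status == "err-disabled":
            return False                        # shutdown mode: all traffic dropped
        if src_mac in self.secure_macs():
            self.last_source = src_mac
            return True
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(src_mac)           # room left: learn it as a secure MAC
            self.last_source = src_mac
            return True
        # Violation: a MAC beyond the maximum that is not a secure MAC.
        self.last_source = src_mac              # reported by show port-security interface
        if self.violation_mode == "shutdown":
            self.violations += 1
            self.status = "err-disabled"        # line down, protocol down (err-disabled)
        elif self.violation_mode == "restrict":
            self.violations += 1                # stays connected, counter keeps climbing
        # protect: discard silently, counter unchanged, port stays connected
        return False

    def show(self):
        """The fields step 3 above tells you to compare against the diagram."""
        return {"status": self.status, "mode": self.violation_mode,
                "violations": self.violations, "last_source": self.last_source,
                "secure_macs": sorted(self.secure_macs())}


def demo(mode: str):
    """Constructed traffic: the expected host twice, an unexpected MAC twice,
    then the expected host again."""
    ps = PortSecurity(violation_mode=mode, maximum=1)
    frames = ["0200.aaaa.0001", "0200.aaaa.0001",
              "0200.bbbb.0002", "0200.bbbb.0002",
              "0200.aaaa.0001"]
    accepted = [ps.frame_in(m) for m in frames]
    return accepted, ps.show()
```

Running demo("shutdown") shows the legitimate host's final frame also being dropped once the port is err-disabled, which is the symptom that sends you to show port-security interface in the first place.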
- 4. Isolate VLANs and trunking problems.
- Check VLANs and VLAN trunks as follows
- 1. Identify all access interfaces and their assigned access
VLANs and reassign into the correct VLANs as needed
- determine the assigned access VLANs on each interface and compare
the information to the documentation.
- 2. Determine whether the VLANs both exist (configured or learned
with VTP) and are active on each switch. If not, configure and activate
the VLANs to resolve problems as needed.
- 3. Identify the operationally trunking interfaces on each
switch and determine the VLANs that can be forwarded over each trunk.
- problems with the details of how an operational trunk works
- show interfaces trunk output
- three lists show a progression of reasons why a VLAN is not forwarded
over a trunk
- 1. VLANs allowed
- VLAN 1-4094,minus those removed by the switchport trunk allowed
command
- 2. VLANs allowed and active ...
- The first list, minus those either not defined to the local switch
or those in shutdown mode
- 3. VLANs in spanning tree
- The second list, minus STP blocking and VTP pruned interfaces.
- problems caused when an interface that should trunk does not
trunk
- the most likely cause of this problem is a misconfiguration
of trunking on the opposite ends of the link
- Troubleshooting examples and exercises
- Review.
- Weak
- Strong
- 2. IP Version 4 Routing
- 04. Troubleshooting IPv4 Routing Part I
- 05. Troubleshooting IPv4 Routing Part II
- 06. Creating Redundant First-Hop Routers
- 07. Virtual Private Networks
- Review.
- Weak
- Strong
- 3. Version 4 Routing Protocols
- 08. Implementing OSPF for IPv4
- 09. Understanding EIGRP Concepts
- 10. Implementing EIGRP for IPv4
- 11. Troubleshooting IPv4 Routing Protocols
- Review.
- Weak
- Strong
- 4. Wide Area Networks
- 12. Implementing Point-to-Point WANs
- 13. Understanding Frame Relay Concepts
- 14. Implementing Frame Relay
- 15. Identifying Other Types of WANs
- Review.
- Weak
- Strong
- 5. IP Version 6
- 16. Troubleshooting IPv6 Routing
- 17. Implementing OSPF for IPv6
- 18. Implementing EIGRP for IPv6
- Review.
- Weak
- Strong
- 6. Network Management
- 19. Managing Network Devices
- 20. Managing IOS Files
- 21. Managing IOS Licensing
- Review.
- Weak
- Strong
- Final Review
- 22. Review.
- Weak
- Strong
- CLI commands
- VTY
- SSH
- switch IPv4 support,
- port security
- privileged exec mode
- show port-security interface
- interface
- switchport port-security violation violation-mode
- switchport mode
- VLANs
- privileged exec mode
- show vlan
- show vlan brief
- show vlan id
- VLAN trunks
- privileged exec mode
- show interfaces trunk
- interface
- switchport trunk encapsulation
- CDP
- privileged exec mode
- show cdp neighbors "number"
- show cdp neighbors detail
- show cdp entry name
- other switch admin
- STP
- PVST+
- global
- spanning-tree mode pvst
- spanning-tree mode rapid-pvst
- spanning-tree mode mst
- configuration
- spanning-tree vlan "vlan-id" priority "x"
- privileged exec mode
- show mac address-table
- show spanning-tree
- debug spanning-tree events
- EtherChannel
- show etherchannel summary
- configuration
- channel-group
- interface
- spanning-tree portfast disable
- spanning-tree bpduguard disable
- other interface admin
- privileged exec mode
- show interface status
- any mode
- the "do" command can be used from any mode to execute
a command
CCNA
- Operation of IP Data Networks
- LAN Switching Technologies
- IP addressing (IPv4 / IPv6)
- IP Routing Technologies
- IP Services
- Network Device Security
- Troubleshooting
- WAN Technologies
IIN (Intelligent Information Network)
- SONA (Service Oriented Network Architecture)
- Cisco description
- standardization
- on a single vendor
- virtualization
- (allows sharing of resources via use of virtual servers, virtual
firewalls, etc.)
- Commercial Architecture
- Consumer Architecture
- Service Provider Architecture