VPN: cheaper than a leased line, traffic is encrypted and authenticated, supports many-to-many communication
Types of VPN:
1. Site-to-site: router to router, the tunnel is always up and hosts behind each router need no client
2. Remote access: users work as if they were connected in the office as long as they are on the VPN. SSL VPN / Web VPN installs a mini VPN client for that session from a web page, so no pre-installed client is needed
IPsec: the security framework used by VPNs; it runs over IP and, like TCP/IP, is a suite made up of several protocols rather than a single one. Services it provides:
1. Encryption (confidentiality): see the encryption types below
2. Authentication and integrity: a keyed hash (HMAC-MD5, HMAC-SHA-1) proves the data is intact and unchanged over the network and came from the peer holding the key. MD5 and SHA-1 are deprecated; prefer SHA-256 where the platform supports it
Types of encryption:
Symmetric: the same shared key is used to encrypt and decrypt on both sides (sender and receiver); low processor overhead, e.g. DES, 3DES, AES (DES and 3DES are obsolete; use AES)
Asymmetric: separate public and private keys; high processor overhead, e.g. Diffie-Hellman key exchange
Asymmetric crypto is used only to agree on the shared key; once the shared key is established the routers use symmetric encryption for the data
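As an added example (not part of the original notes), the Python script below shows the division of labour just described: a Diffie-Hellman exchange agrees on a secret using only public values, that secret is hashed into a symmetric session key, and the session key then protects data with an HMAC-SHA256 integrity tag, which is the job the IPsec hash does. The group parameters P and G are a toy choice for readability, not a real IKE group; the helper names are mine.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: a 127-bit Mersenne prime and generator 3 (assumption:
# chosen only so the arithmetic is small; real IKE uses 2048-bit+ MODP groups).
P = (1 << 127) - 1
G = 3
TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def dh_keypair():
    """Return (private, public) where public = G^private mod P."""
    private = secrets.randbelow(P - 2) + 2
    return private, pow(G, private, P)


def dh_shared_secret(private, peer_public):
    """Each side computes peer_public^private mod P; both results are equal."""
    return pow(peer_public, private, P)


def derive_session_key(shared_secret):
    """Hash the DH result into a fixed-length symmetric key (stand-in for IKE's PRF)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def protect(key, payload):
    """Append an HMAC-SHA256 integrity tag, the role AH/ESP's integrity check value plays."""
    return payload + hmac.new(key, payload, "sha256").digest()


def verify(key, message):
    """Return (ok, payload); ok is False when the tag does not match the payload."""
    if len(message) < TAG_LEN:
        return False, b""
    payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, payload, "sha256").digest()
    return hmac.compare_digest(tag, expected), payload


def simulate_tunnel(payload, tamper=False):
    """One exchange: asymmetric key agreement, then symmetric integrity protection.
    Returns (both sides derived the same key, tag verified, payload as received)."""
    a_priv, a_pub = dh_keypair()      # router A
    b_priv, b_pub = dh_keypair()      # router B
    # Only a_pub and b_pub cross the network; the private values never leave their router.
    key_a = derive_session_key(dh_shared_secret(a_priv, b_pub))
    key_b = derive_session_key(dh_shared_secret(b_priv, a_pub))
    msg = protect(key_a, payload)
    if tamper:
        msg = bytes([msg[0] ^ 0x01]) + msg[1:]   # an attacker flips one bit in transit
    ok, received = verify(key_b, msg)
    return key_a == key_b, ok, received
```

The expensive modular exponentiation happens once per session; every data packet afterwards costs only a hash, which is why the notes say asymmetric crypto is used just to establish the shared key.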
PPP/HDLC (leased line protocols): the WAN "language"
WAN links have no MAC addresses (Frame Relay uses DLCIs instead); the data link layer becomes Frame Relay, ATM, PPP or HDLC and the physical layer becomes a serial link
PPP: industry standard, feature-rich (authentication, data compression, callback, multilink: combines the bandwidth of multiple serial links into one), moderate overhead
HDLC: Cisco's implementation is proprietary (it adds a protocol type field, so it only interoperates between Cisco devices), low overhead, no features
Types of PPP authentication:
1. PAP (Password Authentication Protocol): credentials are sent in clear text; not used nowadays
2. CHAP (Challenge Handshake Authentication Protocol): the password never crosses the link; the router answers a random challenge with an MD5 hash of (ID + password + challenge), so the shared password must be the same on both routers. A captured challenge/response pair can still be dictionary-attacked offline, so the password must be strong
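As an added example (not part of the original notes), the following Python models the CHAP three-way exchange with both routers' messages: the authenticator issues a random challenge, the peer answers with MD5(identifier || secret || challenge) as RFC 1994 defines, and the authenticator recomputes it from its own copy of the secret. The hostname "R2", the secrets and the class names are assumptions for the illustration. It also shows why a captured response is useless against a fresh challenge.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(identifier || secret || challenge).
    The secret itself never crosses the link; only this hash does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The router that issues challenges (assumption: one shared secret per peer hostname)."""

    def __init__(self, peer_secrets):
        self.peer_secrets = peer_secrets      # {hostname: shared secret}
        self.outstanding = {}                 # identifier -> challenge awaiting a response

    def challenge(self, identifier):
        chal = os.urandom(16)                 # fresh random value defeats replay of old responses
        self.outstanding[identifier] = chal
        return identifier, chal

    def check(self, identifier, name, response):
        chal = self.outstanding.pop(identifier, None)   # each challenge is usable once
        if chal is None or name not in self.peer_secrets:
            return False
        expected = chap_response(identifier, self.peer_secrets[name], chal)
        return hmac.compare_digest(expected, response)


class Peer:
    """The router being authenticated."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def answer(self, identifier, chal):
        return self.name, chap_response(identifier, self.secret, chal)


def run_chap(authenticator_secret, peer_secret, identifier=1):
    """One three-way CHAP exchange; True only if both routers hold the same secret."""
    auth = Authenticator({"R2": authenticator_secret})
    peer = Peer("R2", peer_secret)
    ident, chal = auth.challenge(identifier)          # 1. challenge
    name, resp = peer.answer(ident, chal)             # 2. response
    return auth.check(ident, name, resp)              # 3. success / failure


def replay_captured_response(secret=b"s3cret"):
    """An attacker who sniffed a valid (name, response) pair replays it against a new challenge."""
    auth = Authenticator({"R2": secret})
    peer = Peer("R2", secret)
    ident, chal = auth.challenge(1)
    name, captured = peer.answer(ident, chal)
    assert auth.check(ident, name, captured)          # the legitimate exchange succeeds
    ident2, _ = auth.challenge(2)                      # new challenge, different random value
    return auth.check(ident2, name, captured)          # False: old response does not match
```

Contrast with PAP: there the peer would simply send `name` and `secret` on the wire, so one capture yields the password directly.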
FRAME RELAY: standardized WAN technology that specifies the physical and data link layers using a packet-switching methodology, for cost-efficient transmission of intermittent traffic between LANs and between endpoints in WANs
CIR: Committed Information Rate, the minimum bandwidth guaranteed for a connection (logical speed)
LAR: Local Access Rate, how fast the local connection can go (physical speed)
LMI: Local Management Interface, the signaling "language" between the ISP and your router; it sends the DLCI numbers and PVC status
DLCI: Data Link Connection Identifier, locally significant (acts like a MAC address at the data link layer in the WAN); identifies which connection a frame belongs to, so the receiving end knows which PVC it arrived on. The same DLCI number can be reused at the far end because it only has meaning on the local link
PVC: Permanent Virtual Circuit; you can get a different PVC for each region, so one serial connection can carry many connections
Frame Relay PVC design
1. Hub and spoke: low cost but a single point of failure and delay problems for VoIP
2. Multipoint design: all routers on the same subnet, multiple DLCI numbers mapped to one interface; causes problems with split horizon
3. Point-to-point design: all routers on different subnets, a point-to-point subinterface for each peer; no problem with split horizon
ACL
List of permit and deny statements used to identify network traffic in either direction; used for access control, NAT, QoS etc.
ACLs are read from top to bottom and the first match wins; there is an invisible implicit DENY ALL at the bottom; applied inbound or outbound on an interface
Types of ACLs
Standard: matches on the source IP address only, lower processor load <1-99, 1300-1999>; place it close to the destination
Extended: matches on source/destination IP, protocol and port, higher processor load <100-199, 2000-2699>; place it close to the source
Dynamic (lock-and-key): a username/password login opens access for a specific user
Established/Reflexive: allows only return traffic for sessions that were initiated from the inside
Time-based: ACL active only during a specified time range
Context-Based Access Control (CBAC): turns on a firewall feature that filters TCP/UDP packets based on application layer protocol session information
ACL syntax:
Config)# access-list <number> <deny/permit/remark> <x.x.x.x wildcard bits | host x.x.x.x | any>
Config-if)# ip access-group <number> <in/out> (apply the ACL to an interface)
Config-line)# access-class <number> <in/out> (apply the ACL to the VTY lines to restrict who may telnet/ssh in)
Reflexive ACL
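As an added example (not part of the original notes), here is a small Python evaluator for numbered ACL lines that applies the rules above: wildcard-mask matching, top-down first match, and the implicit deny when nothing matches. The sample ACL is constructed for the illustration and deliberately orders a specific deny after a broader permit to show why line order matters. Assumptions: numbered standard/extended ACLs only (no named ACLs), numeric ports only, and `eq` as the only port operator.

```python
import ipaddress

STANDARD_RANGES = ((1, 99), (1300, 1999))   # anything else is treated as extended


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ipaddress.AddressValueError:
        return False


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: any | host A.B.C.D | A.B.C.D [wildcard].
    Returns (address as int, wildcard as int, index of the next unread token)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    addr = int(ipaddress.IPv4Address(tok))
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return addr, int(ipaddress.IPv4Address(tokens[i + 1])), i + 2
    return addr, 0, i + 1                       # standard ACL with no wildcard = single host


def parse_acl(config):
    """Parse 'access-list N ...' lines in order; remarks never take part in matching."""
    rules = []
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 3 or t[0] != "access-list" or t[2] == "remark":
            continue
        number, action = int(t[1]), t[2]
        if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
            src, swc, _ = _parse_addr(t, 3)
            rules.append(dict(text=raw.strip(), action=action, proto="ip",
                              src=(src, swc), dst=(0, 0xFFFFFFFF), dport=None))
        else:
            proto = t[3]
            src, swc, i = _parse_addr(t, 4)
            dst, dwc, i = _parse_addr(t, i)
            dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            rules.append(dict(text=raw.strip(), action=action, proto=proto,
                              src=(src, swc), dst=(dst, dwc), dport=dport))
    return rules


def _wc_match(spec, ip):
    """A wildcard bit of 1 means 'do not care'; only the 0 bits must match."""
    addr, wildcard = spec
    return (addr ^ int(ipaddress.IPv4Address(ip))) & (~wildcard & 0xFFFFFFFF) == 0


def evaluate(rules, proto, src, dst, dport=None):
    """Top-down, first match wins; falling off the end hits the implicit deny."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if not _wc_match(r["src"], src) or not _wc_match(r["dst"], dst):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny (no match)"


# Constructed sample: the intent is to block host .50 entirely, but the web permit
# is listed first, so .50 can still reach port 80 anywhere.
SAMPLE_ACL = """
access-list 101 remark allow web from the LAN, block the lab host
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 deny ip host 192.168.1.50 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""
```

Run `evaluate(parse_acl(SAMPLE_ACL), "tcp", "192.168.1.50", "8.8.8.8", 80)` and the answer is "permit": the host-specific deny has to be moved above the broad permit to take effect.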
Dynamic NAT: one-to-one translations from a pool of public addresses (also used for overlapping networks, works with DNS)
NAT overload/PAT: allows many internal hosts to share the same public address by using port numbers (0-65535); one-to-many
Static NAT: for hosting internal servers in your network; combine with PAT and map the server's address and port so it is reachable from outside
Enable NAT: config-if)# ip nat inside (on the LAN interface) and config-if)# ip nat outside (on the WAN interface), then
Config)# ip nat inside source list <ACL> interface fas 0/0 overload (the ACL defines which inside addresses get translated)
Config)# ip nat inside source static tcp <inside local IP address> <port, e.g. 80> interface f0/0 <port, e.g. 80>
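As an added example (not part of the original notes), this Python class models the translation table a router builds for the two commands above: outbound flows are rewritten to the single outside address and a port, a static entry exposes an inside server, and inbound packets with no matching entry are dropped. The outside address 203.0.113.5 and the inside hosts are constructed for the illustration; allocating the next free port in ascending order when the original source port is already taken is an assumption about the allocation policy.

```python
class PatTable:
    """Minimal NAT overload (PAT) state table for one outside interface address."""

    def __init__(self, public_ip, port_pool=range(1024, 65536)):
        self.public_ip = public_ip
        self.pool = iter(port_pool)   # assumption: ascending allocation when the wanted port is taken
        self.outbound = {}            # (proto, inside_ip, inside_port) -> public_port
        self.inbound = {}             # (proto, public_port) -> (inside_ip, inside_port)

    def add_static(self, proto, public_port, inside_ip, inside_port):
        """'ip nat inside source static tcp <inside> 80 interface f0/0 80' equivalent."""
        self.inbound[(proto, public_port)] = (inside_ip, inside_port)
        self.outbound[(proto, inside_ip, inside_port)] = public_port

    def _free_port(self, proto, wanted):
        """Keep the original source port when nobody else holds it; otherwise take a new one."""
        if (proto, wanted) not in self.inbound:
            return wanted
        for port in self.pool:
            if (proto, port) not in self.inbound:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def translate_out(self, proto, inside_ip, inside_port):
        """Inside -> outside: returns the (public_ip, public_port) the packet leaves with."""
        key = (proto, inside_ip, inside_port)
        if key not in self.outbound:
            port = self._free_port(proto, inside_port)
            self.outbound[key] = port
            self.inbound[(proto, port)] = (inside_ip, inside_port)
        return self.public_ip, self.outbound[key]

    def translate_in(self, proto, public_port):
        """Outside -> inside: (inside_ip, inside_port), or None when no entry exists (packet dropped)."""
        return self.inbound.get((proto, public_port))
```

Two inside hosts can both use source port 5000 because the table is keyed on the full (protocol, address, port) tuple; only the second one gets rewritten to a new port. Unsolicited inbound traffic finds no entry and is discarded, which is the incidental "firewall" effect PAT is often credited with.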
Routing protocol types:
Distance vector (e.g. RIP): easy to configure, prone to routing loops
Link state (e.g. OSPF): no loops, more complex
Hybrid: best of both worlds but proprietary (easy to configure and still has lots of features), e.g. EIGRP
Distance vector loop prevention:
1. Maximum distance: 16 hops in the case of RIP; a route at 16 hops is declared unreachable/down
2. Route poisoning: combined with the maximum; the route for the failed network is set (poisoned) to the maximum distance
3. Triggered updates: combined with both of the above; the update is sent immediately, ignoring the update timer, to tell neighbors that the network is down
4. Split horizon: tells the router not to send updates about a network back out the interface they were received on
5. Hold-down timers: tells the router not to believe updates about a route for X amount of time (used for flapping interfaces)
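As an added example (not part of the original notes), the Python below simulates the count-to-infinity problem that mechanisms 1, 2 and 4 above address, on a constructed three-router chain R1 - R2 - R3 with network N behind R1. R1 loses N and poisons the route; the simulation then runs synchronous update periods with and without split horizon and counts how many it takes until every router has metric 16. Hold-down and triggered updates are not modelled, and the "update from the current next hop is always accepted" receive rule is the standard RIP behaviour.

```python
INFINITY = 16  # RIP's maximum hop count: a route at 16 is unreachable

# Constructed topology: R1 -- R2 -- R3, network N attached to R1.
NEIGHBORS = {"R1": ["R2"], "R2": ["R1", "R3"], "R3": ["R2"]}


def initial_tables_after_failure():
    """State right after R1 loses its link to N and poisons the route (metric 16).
    R2 and R3 still hold the stale converged routes as (metric, next hop)."""
    return {"R1": (INFINITY, None), "R2": (2, "R1"), "R3": (3, "R2")}


def advertisements(tables, split_horizon):
    """Build {receiver: {sender: advertised metric}} for one update period."""
    adverts = {router: {} for router in tables}
    for sender, (metric, next_hop) in tables.items():
        for receiver in NEIGHBORS[sender]:
            if split_horizon and next_hop == receiver:
                continue  # never advertise a route back toward the router it was learned from
            adverts[receiver][sender] = metric
    return adverts


def apply_updates(tables, adverts):
    """RIP receive rule: an update from the current next hop is always accepted,
    even if worse; an update from anyone else only if it is strictly better."""
    new = {}
    for router, (metric, next_hop) in tables.items():
        received = adverts[router]
        if next_hop in received:
            metric = min(received[next_hop] + 1, INFINITY)
        for sender, advertised in received.items():
            candidate = min(advertised + 1, INFINITY)
            if sender != next_hop and candidate < metric:
                metric, next_hop = candidate, sender
        new[router] = (metric, next_hop)
    return new


def rounds_to_converge(split_horizon, max_rounds=50):
    """Update periods until every router has metric 16 for N, plus the per-round metrics.
    Returns (None, history) if it never converges within max_rounds."""
    tables = initial_tables_after_failure()
    history = []
    for rnd in range(1, max_rounds + 1):
        tables = apply_updates(tables, advertisements(tables, split_horizon))
        history.append({router: metric for router, (metric, _) in tables.items()})
        if all(metric >= INFINITY for metric, _ in tables.values()):
            return rnd, history
    return None, history
```

Without split horizon R2 hands R1's own poisoned route back to it with metric 2, R1 believes it, and the three routers pass the metric around in a loop that only ends when the maximum hop count is reached. With split horizon the poisoned route spreads outward in two periods. With no maximum at all (INFINITY raised) the first case would never stop.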
Link State Routing Protocol: forms neighbor relationships rather than broadcasting; after the initial topology exchange, routers send only small event-based updates (LSAs) and use periodic HELLO packets to keep the neighbor relationship alive
Advantages of link state routing protocols: no looping issue. Disadvantage: technical complexity
Note: larger routing table = slower router; so we use route summarization to keep the routing table small
Area design & terms in OSPF
ABR: Area Border Router: connects two areas and is the only router able to summarize between them; needs more processing power
All routers in an area have the same topology table (LSDB) but different routing tables
Hello packet contents / neighbor requirements (* must match for an adjacency to form):
Hello and Dead timers*: how often they say HELLO and how long without a hello until they believe the neighbor is down
Network mask* (on broadcast networks); Area ID*; list of neighbors; router priority; DR/BDR IP addresses; authentication password*
OSPF configuration:
Config)# router ospf <process ID> (the process ID does not have to be the same on all routers)
Config-router)# network x.x.x.x 0.0.0.255 area 0 (area 0 is the backbone; every other area must connect to it)
EIGRP
1. Only protocol that remembers backup routes (feasible successors), which gives fast convergence (DUAL: Diffusing Update Algorithm)
2. Easy to configure
Tables: neighbor table, topology table, routing table
Configuring EIGRP:
Config)# router eigrp <autonomous system number> (the AS number must be the same on all routers)
Config-router)# network x.x.x.x 0.0.0.255
# show ip eigrp neighbor (Hold: seconds left before the neighbor is declared dead if no hello arrives, default hold time 15 s with 5 s hellos; Uptime: how long the adjacency has been up; SRTT: smooth round-trip time, the average ms for a packet to reach the neighbor and be acknowledged)
Config-router)# no auto-summary (use for classless networks) (Note: auto-summary is only safe when the network is contiguous)
Go to the interface out of which you want to send the summary: config-if)# ip summary-address eigrp <autonomous system number> <IP address> <subnet mask>
Static Routing: the administrator tells the router where to forward packets (manually managed)
Purpose of a router: to stop broadcasts and move packets from one network to another; the router uses its routing table to decide where to forward packets
Config)# ip route <destination network> <destination subnet mask> <next hop / forwarding router's address>
Use of static routing: configuring a default route that tells the router where to send anything it does not otherwise know how to reach
Config)# ip route 0.0.0.0 0.0.0.0 <ISP address> (the gateway of last resort is the ISP address)
Config)# ip name-server 4.2.2.2 (use a DNS server to resolve names, so you can ping a domain instead of an IP)
Dynamic Routing: routing protocols tell your neighbors what you know (networks) and build paths automatically
RIPv1 vs RIPv2:
RIPv1: classful, no VLSM, no authentication, updates sent as broadcast
RIPv2: classless, supports VLSM, adds authentication, updates sent as multicast (224.0.0.9)
Note: RIP has administrative distance 120 (how believable a route is); its metric is hop count (how far away the network is)
Configuring RIP version 2:
Config)# router rip
Config-router)# version 2
Config-router)# network <X.X.X.X>
Config-router)# no auto-summary (turn on classless behaviour)
# show ip route (shows the routing table: connected, static and learned networks)
TELNET, SSH & CDP (Note: ping the router before you telnet/ssh to it)
Managing Telnet & SSH sessions
Cisco Discovery Protocol (CDP) (proprietary): lets you see information about directly connected Cisco devices like routers and switches; useful for building an accurate network design
# show cdp neighbors (shows neighbor info: device ID, local interface, platform/model, port ID)
# show cdp entry <name of cdp neighbor | *> (same as show cdp neighbors detail): full information about the neighbor, including IP addresses and IOS version
Config-if)# no cdp enable (disable CDP on a specific interface)
Config)# no cdp run (disable CDP on the whole router)
Security note: CDP advertises platform and IOS version in clear text, so disable it on interfaces facing users or untrusted networks
File Management: the COPY command allows us to move files between components like
VLANs: logically group users, segment broadcast domains, correlate to subnets (VLAN = broadcast domain = subnet)
Normal switching: one subnet per LAN, limited access control, broadcasts sent to all ports, one collision domain per port
Flexibility of VLANs / why use VLANs?
- Segmentation of users without routers; no longer limited to physical location (scalability); tighter control of broadcasts
VTP modes:
1. Server (default mode): can modify VLANs, saves the VLAN config, sends/receives VLAN updates
2. Client: cannot modify VLANs, receives and forwards VTP updates
3. Transparent: can change/save its own VLAN config and forwards VTP updates, but does not act on VTP advertisements
VLAN pruning: keeps unnecessary broadcast traffic from crossing trunk links (only enabled on a VTP server)
VTP caveat: a switch joining the domain with a higher configuration revision number overwrites the VLAN database of every other switch; set a VTP password, and reset the revision (change the domain name or put the switch in transparent mode) before connecting a second-hand switch
Configuring VLANs & VTP: (VLAN IDs 1-4094; 0 and 4095 are reserved)
Port modes (negotiated by DTP):
Dynamic desirable: becomes access or trunk depending on what is connected at the other end (actively negotiates)
Access (for end devices like PCs, servers) & trunk mode (for links between switches)
1. Set the trunk ports: config-if)# switchport mode trunk
(If the switch is old or the above command gives an error, first set config-if)# switchport trunk encapsulation dot1q)
Security note: leave no port in a dynamic mode; a host can negotiate a trunk and hop VLANs. Use config-if)# switchport nonegotiate on trunks and switchport mode access everywhere else
Set the rest of the access ports once you have set the trunk port: config)# interface range fast <X> - <Y> (X,Y = 0-24)
Config-if)# switchport mode access
2. Configure VTP
a. Domain name: config)# vtp domain <word> (the first time, you only need to set it on one switch and it is passed on to the others)
b. Password: config)# vtp password <word>
c. Mode: config)# vtp mode <server/client/transparent>
# show vtp status (shows VTP info like VTP version, mode, revision number, pruning mode, number of VLANs)
(*Note: VLANs 1002-1005 are reserved defaults for legacy networks like Token Ring and FDDI; 1006-4094 are the extended range)
3. Configure VLANs: config)# vlan <number> (number = 1-4094; only works on a server or transparent switch)
Config-vlan)# name <word> (VLAN name)
# show interfaces fast <X> switchport (X = interface number; shows administrative/operational mode)
Config)# vtp pruning (turn on pruning)
# show interfaces trunk (lists trunk ports, their encapsulation and allowed VLANs)
4. Assign ports to VLANs: go to the interface, config-if)# switchport access vlan <X> (VLAN number)
Inter-VLAN routing:
1. A separate router port per VLAN: not used anymore because we run short of interfaces
2. Router-on-a-stick: set a trunk between the router and the switch and use subinterfaces (needs only one FastEthernet interface)
Create subinterfaces: config)# interface fastethernet 0/0.<X> (X = 0-4294967295)
Tell the subinterface which VLAN's traffic to accept: config-subif)# encapsulation dot1q <vlan number>, then assign an IP address
Configure the trunk link between switch & router
3. Layer 3 switching: a router inside the switch, using virtual interfaces (SVIs)
Create the VLAN interface: config)# interface vlan <X>
Assign an IP address: config-if)# ip address x.x.x.x x.x.x.x
Config)# ip routing (turn on the routing capability of the switch)
STP: Spanning Tree Protocol (802.1D), industry standard: a network protocol that ensures a loop-free topology for any bridged Ethernet local area network
EtherChannel: provides more bandwidth on key links; redundant links eliminate a single point of failure
STP prevents loops by finding the best path to the root bridge and then blocking all redundant links
BPDU: Bridge Protocol Data Units: switches send BPDUs into the network to discover loops and to elect the core switch of the network, called the root bridge (the lowest bridge ID, priority then MAC address, wins)
Port cost by link speed:
10 Mbps: 100
100 Mbps: 19
1 Gbps: 4
10 Gbps: 2
Configuring STP: # show spanning-tree (shows root ID, bridge ID & running STP info)
Config)# spanning-tree vlan 1 root <primary (to make this switch the root bridge) / secondary (to make it the backup)>
Config)# spanning-tree vlan 1 priority <0-61440> (in increments of 4096)
STP port states/transitions (in order):
Blocking: 20 s (max age) wait before moving to listening; receives BPDUs only
Listening: 15 s; sends/receives BPDUs to discover loops, no MAC learning yet
Learning: 15 s; learns MAC addresses and populates the switch CAM table, still no forwarding
Forwarding: the port is forwarding traffic
Problem 1: modern PCs boot faster than 30 s
Solution: PortFast (skips listening and learning on access ports; it does not turn STP off, the port still listens for BPDUs), command config-if)# spanning-tree portfast. Pair it with config-if)# spanning-tree bpduguard enable so a switch plugged into that port cannot take over the topology
Problem 2: up to 50 s of downtime causes a big problem on uplink ports (connecting to another switch)
Solution: Rapid Spanning Tree
PVST+: Per-VLAN Spanning Tree
Runs an instance of STP per VLAN, which allows a different root bridge per VLAN
Config)# spanning-tree vlan 1,2,10 root primary (to make this switch the root bridge for all those VLANs)
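As an added example (not part of the original notes), the Python below works the root bridge election and root path cost calculation for a constructed three-switch triangle. The bridge ID is built the PVST+ way (priority plus VLAN number as the extended system ID, then the MAC), so the same switches can elect a different root per VLAN, and the path costs use the speed-to-cost table above. The switch names, MACs and link speeds are assumptions for the illustration.

```python
import heapq

PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # link speed in Mbps -> 802.1D port cost
DEFAULT_PRIORITY = 32768


def bridge_id(priority, vlan, mac):
    """PVST+ bridge ID: the configured priority (a multiple of 4096) plus the VLAN number
    as the extended system ID, then the MAC address. Lower compares as better."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return (priority + vlan, int(mac.replace(".", "").replace(":", ""), 16))


def _bid(switches, name, vlan):
    sw = switches[name]
    return bridge_id(sw["priority"].get(vlan, DEFAULT_PRIORITY), vlan, sw["mac"])


def elect_root(switches, vlan):
    """switches: {name: {"mac": "aaaa.bbbb.cccc", "priority": {vlan: value}}}.
    The switch with the lowest bridge ID for this VLAN becomes root."""
    return min(switches, key=lambda name: _bid(switches, name, vlan))


def root_path_costs(switches, links, vlan):
    """links: [(switch_a, switch_b, speed_mbps)]. Returns {switch: (root path cost, upstream
    neighbour)}, the upstream neighbour being the one on the far side of the root port.
    Cost is added on the receiving side; equal costs are broken by the sender's bridge ID,
    as in 802.1D."""
    root = elect_root(switches, vlan)
    graph = {}
    for a, b, speed in links:
        graph.setdefault(a, []).append((b, PORT_COST[speed]))
        graph.setdefault(b, []).append((a, PORT_COST[speed]))
    best = {root: (0, (-1, -1), None)}          # switch -> (cost, sender bridge ID, upstream)
    heap = [(0, (-1, -1), root)]
    while heap:
        cost, sender_bid, node = heapq.heappop(heap)
        if (cost, sender_bid) > best[node][:2]:
            continue                              # stale heap entry
        for nbr, link_cost in graph.get(node, []):
            candidate = (cost + link_cost, _bid(switches, node, vlan))
            if nbr not in best or candidate < best[nbr][:2]:
                best[nbr] = (candidate[0], candidate[1], node)
                heapq.heappush(heap, (candidate[0], candidate[1], nbr))
    return {name: (cost, upstream) for name, (cost, _, upstream) in best.items()}


# Constructed topology: SW3 has 'spanning-tree vlan 1 priority 4096'; everything else is default.
SWITCHES = {
    "SW1": {"mac": "0000.0000.0001", "priority": {}},
    "SW2": {"mac": "0000.0000.0002", "priority": {}},
    "SW3": {"mac": "0000.0000.0003", "priority": {1: 4096}},
}
LINKS = [("SW1", "SW2", 1000), ("SW2", "SW3", 100), ("SW1", "SW3", 100)]
```

For VLAN 1 the lowered priority makes SW3 root even though it has the highest MAC; for VLAN 10 all priorities are equal, so the lowest MAC (SW1) wins and the gigabit link becomes SW2's cheapest path. This is also why an unmanaged switch with a low MAC, or an attacker sending BPDUs with priority 0, can quietly become root: the election trusts whatever BPDU claims the lowest ID, which is what BPDU Guard and Root Guard exist to stop.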
Rapid Spanning Tree: (802.1w)
Remembers a backup (alternate) port toward the root so failover is immediate; backward compatible with STP, and recommended everywhere
Port types:
Root port: the port used to reach the root bridge
Designated port: forwarding port, one per link segment
Alternate port: discarding port, backup path to the root
Configuring RSTP
Config)# spanning-tree mode <pvst/rapid-pvst> (by default Cisco switches run PVST+)
Config-if)# spanning-tree portfast (enable on ports with a single connected end device)
Troubleshooting & securing switches: absolutely have an accurate network diagram & work logically bottom-up through the OSI layers
Common troubleshooting issues:
1. Spanning tree issues (lights blinking like crazy) (up to 7 switches end to end, STP works fine)
- Immediate solution: disconnect redundant links
- Ensure all links are reflected on the network diagram
- Ensure root bridge selection is appropriate
- Make sure all switches are running RSTP
2. VTP issues
- Verify trunks
- Verify VTP info like domain name, password, version, modes
- Last resort: delete flash:vlan.dat (then reload; this wipes the VLAN database)
Switch security checklist
Physical security; set passwords and logon banners; disable the web server (no ip http server) so no one can access the switch through the web interface
Limit remote access by subnet using ACLs (access-class on the VTY lines); use SSH instead of Telnet wherever possible; shut down unused ports and use port security
Wireless Networking:
Types of wireless networks:
Personal Area Network (PAN), e.g. Bluetooth, wireless mouse, a few feet radius
LAN: e.g. access point
Metropolitan Area Network (MAN): point-to-point bridges
Wide Area Network (WAN): e.g. cellular technology
A Wireless Access Point (WAP) communicates like a hub: shared signal and half duplex
Wireless uses unlicensed bands of radio frequency (RF); wireless is a physical & data link layer standard
Unlicensed frequencies (the lower the frequency, the further the range and the less the bandwidth): e.g. the 2.4 GHz and 5 GHz ranges
Organizations that manage/control the wireless world:
1. International Telecommunication Union Radiocommunication Sector (ITU-R): regulates/controls the RF used for wireless transmission
2. Institute of Electrical and Electronics Engineers (IEEE): maintains the 802.11 wireless standards (802.11a, b, g, n)
Wireless security:
1. Intrusion Prevention System (IPS): detects rogue access points/wireless networks and then shuts them down or notifies you
2. WPA with 802.1X authentication (username/password stored on the router or on a server such as RADIUS; when the user logs in, a fresh encryption key is generated for that session)
Service Set Identifier (SSID): uniquely identifies and separates wireless networks (the name of the wireless network); one AP can have many SSIDs, like private and public
When a wireless client is enabled it connects to the WAP
OSI (Open Systems Interconnection): hierarchical model that breaks network functions down into layers
The 127.0.0.0/8 network is reserved for loopback testing. Routers or local machines can use these addresses to send packets back to themselves, so this range cannot be assigned to a network
Public & private addresses:
Public address: routable on the Internet
Private address (RFC 1918): usable only on internal networks; must be translated (NAT) to reach the Internet
10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
169.254.0.0 to 169.254.255.255 for Automatic Private IP Addressing (APIPA): link-local, only valid on the link the host is connected to (a local network segment or point-to-point connection); not routable and, like private addresses, cannot be the source or destination of packets traversing the Internet. A host with a 169.254.x.x address usually means DHCP failed
TCP and UDP communication
TCP: connection oriented; sequence numbers / acknowledgments / windowing; reliable
UDP: connectionless (real-time traffic); no sequencing or acknowledgments; unreliable, but lower overhead
Windowing: the number of octets that can be transmitted without receiving an acknowledgement from the other side
PORT numbers (0-65535)
Combined with TCP/UDP, a port number is part of the addressing information used to identify the sender and receiver of a message
X.X.X.X:Y (Y is the port number)
Well-known port numbers: 0 to 1023 are the well-known or system ports; used by system processes that provide widely used network services
Registered port numbers: 1024 to 49151 are the registered ports; assigned by IANA for a specific service upon application by a requesting entity; on most systems registered ports can be used by ordinary users
Common ports:
TCP 21: FTP
TCP 22: SSH
TCP 23: Telnet
TCP 25: SMTP
UDP 69: TFTP
TCP 80: HTTP
TCP 110: POP3
TCP 443: HTTPS
Ethernet: Layer 2 (802.3), industry standard. The data link layer is divided into 2 sublayers:
- Logical Link Control (LLC): identifies which network layer protocol the frame is carrying and hands it up to that protocol
- Media Access Control (MAC): defines the addressing Ethernet uses
CSMA/CD: the set of rules governing how devices talk on a shared Ethernet network
Category 5 unshielded twisted pair (UTP): 100 meters max distance, RJ45 connector
Cabling standard:
T568A and T568B (A+A or B+B = straight-through; A+B = crossover cable)
Straight-through cable: unlike devices (PC to switch); crossover cable: like devices (switch to switch, PC to PC)
Collision domain: a section of the network where data packets can collide with one another on a shared medium. A collision occurs when two devices send data at the same time; collisions are resolved by CSMA/CD
Broadcast domain: a section of the network where all nodes can be reached via a broadcast at the data link layer
HUB
Console connection (plug the console cable into the console port): used to connect a switch directly to a PC/laptop. Terminal settings:
Speed: 9600 baud
Data bits: 8
Parity: none
Stop bits: 1
Flow control: none
PORT SECURITY: a way to lock down/control how many or which devices can connect to a switch port
# show mac address-table
Go to the interface: config)# interface fas 0/X, then config-if)# switchport mode access (port security requires an access port, not a trunk)
config-if)# switchport port-security (enable port security); config-if)# switchport port-security maximum <1-5120> (how many MAC addresses are allowed)
config-if)# switchport port-security violation <protect (silently drop frames from unknown MACs) / restrict (drop, log and count the violation) / shutdown (err-disable the port; the default)>
config-if)# switchport port-security mac-address <mac address | sticky> (which MAC addresses are allowed; sticky learns them dynamically and writes them into the running config)
To view port security: # show port-security (for all interfaces) or # show port-security interface fast 0/X (for a specific interface). A port in err-disabled state is recovered with shutdown / no shutdown on the interface (or errdisable recovery)
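As an added example (not part of the original notes), this Python class models how one access port behaves under the three violation modes above: MACs are learned up to the configured maximum, an extra MAC is dropped silently (protect), dropped and logged (restrict), or takes the whole port down (shutdown) until an administrator recovers it. The class and method names are mine and the log text is a paraphrase, not the exact IOS syslog line.

```python
class SecurePort:
    """Model of 'switchport port-security' on one access port."""

    def __init__(self, maximum=1, violation="shutdown", static_macs=()):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.maximum = maximum
        self.violation = violation
        self.allowed = {m.lower() for m in static_macs}   # configured plus dynamically learned MACs
        self.err_disabled = False
        self.violation_count = 0
        self.syslog = []

    def receive(self, src_mac):
        """What the switch does with a frame from src_mac: 'forward', 'drop' or 'err-disabled'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "err-disabled"                     # port is down until an admin recovers it
        if src_mac in self.allowed:
            return "forward"
        if len(self.allowed) < self.maximum:
            self.allowed.add(src_mac)                 # learned, as 'sticky' would learn it
            return "forward"
        # Too many MACs on the port: a violation; what happens next depends on the mode
        self.violation_count += 1
        if self.violation == "protect":
            return "drop"                             # silent: no log, no counter visible to ops
        if self.violation == "restrict":
            self.syslog.append(f"port-security violation: unexpected source {src_mac}")
            return "drop"
        self.err_disabled = True                      # shutdown mode: even the legitimate host loses service
        self.syslog.append(f"port err-disabled after violation by {src_mac}")
        return "err-disabled"

    def recover(self):
        """Equivalent of 'shutdown' followed by 'no shutdown' on the interface."""
        self.err_disabled = False
```

The trade-off the modes encode: shutdown is the safest against a rogue hub or MAC-flooding tool but turns a single misplaced device into an outage ticket; restrict keeps the known host working and still gives the SOC a log line to alert on; protect hides the event entirely and is rarely the right choice.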
Optimizing & troubleshooting:
Configuring speed & duplex: config-if)# speed <10/100> or config-if)# duplex <half/full>
Config-line)# logging synchronous; Config-line)# exec-timeout <minutes> <seconds> (0 0 disables the idle timeout; do not leave that on production VTY lines); Config)# no ip domain-lookup
Config)# alias exec <new command> <old command>
IPv6: 128-bit address written as 8 groups (hextets) of 4 hexadecimal characters each
Colons (:) instead of dots. Rules to shorten an address:
1. Leading zeros in any group can be dropped
2. One run of consecutive all-zero groups can be replaced with a double colon (::), but only once per address
IPv6 provides a simpler header. Types of communication in IPv6: unicast; multicast; anycast (one to the closest); there is no broadcast
Types of IPv6 address:
1. Link-local: used to communicate within the layer 2 domain (local communication if connected to the same switch); begins with FE80 (first 10 bits 1111 1110 10) followed by 54 bits of zero, then the 64-bit interface ID
2. Unique local: first 8 bits FD00::/8 (from the FC00::/7 block); the next 40 bits are the global ID; the next 16 bits the subnet ID; the last 64 bits the interface ID
3. Global unicast: routable on the Internet, from 2000::/3
IPv4 to IPv6 transition:
1. Dual stack router: the router runs both IPv4 and IPv6