
CISCO NOTES

Chapter OPEN STANDARD


1. The Internet Society (ISOC) is responsible for promoting open development, evolution, and
Internet use throughout the world. ISOC facilitates the open development of standards and
protocols for the technical infrastructure of the Internet, including the oversight of the Internet
Architecture Board (IAB).
2. The Internet Architecture Board (IAB) is responsible for the overall management and
development of Internet standards. The IAB provides oversight of the architecture for protocols
and procedures used by the Internet. The IAB consists of 13 members, including the chair of the
Internet Engineering Task Force (IETF). IAB members serve as individuals and not
representatives of any company, agency, or other organization.
3. The IETF's mission is to develop, update, and maintain Internet and TCP/IP technologies. One of
the key responsibilities of the IETF is to produce Request for Comments (RFC) documents, which
are memoranda describing protocols, processes, and technologies for the Internet. The IETF
consists of working groups (WGs), the primary mechanism for developing IETF specifications and
guidelines. WGs are short term, and after the objectives of the group are met, the WG is
terminated. The Internet Engineering Steering Group (IESG) is responsible for the technical
management of the IETF and the Internet standards process.

Standard   Remark
802.1D     MAC Bridges
802.1Q     VLAN
802.1X     Port-Based Network Access Control/Authentication
802.1AB    Station and Media Access Control Connectivity Discovery (LLDP)
802.1W     RSTP

Chapter IOS
After a Cisco switch is powered on, it goes through the following boot sequence:

1. First, the switch loads a power-on self-test (POST) program stored in ROM. POST checks the CPU
subsystem. It tests the CPU, DRAM, and the portion of the flash device that makes up the flash file
system.

2. Next, the switch loads the boot loader software. The boot loader is a small program stored in ROM and
is run immediately after POST successfully completes.

3. The boot loader performs low-level CPU initialization. It initializes the CPU registers, which control
where physical memory is mapped, the quantity of memory, and its speed.

4. The boot loader initializes the flash file system on the system board.

5. Finally, the boot loader locates and loads a default IOS operating system software image into memory
and hands control of the switch over to the IOS.

Where stored:

POST program and boot loader => ROM

Random Access Memory (RAM) - Provides temporary storage for various applications and
processes including the running IOS, the running configuration file, various tables (i.e., IP routing
table, Ethernet ARP table) and buffers for packet processing. RAM is referred to as volatile because
it loses its contents when power is turned off.

Read-Only Memory (ROM) - Provides permanent storage for bootup instructions, basic diagnostic
software and a limited IOS in case the router cannot load the full featured IOS. ROM is firmware and
referred to as non-volatile because it does not lose its contents when power is turned off.

Non-Volatile Random Access Memory (NVRAM) - Provides permanent storage for the startup
configuration file (startup-config). NVRAM is non-volatile and does not lose its contents when power
is turned off.

Flash - Provides permanent storage for the IOS and other system-related files. The IOS is copied
from flash into RAM during the bootup process. Flash is non-volatile and does not lose its contents
when power is turned off.
Router Bootup Process

There are three major phases to the bootup process that is shown in Figure 1:

1. Perform the POST and load the bootstrap program.

2. Locate and load the Cisco IOS software.

3. Locate and load the startup configuration file or enter setup mode.

1. Performing POST and Load Bootstrap Program (Figure 2)

The Power-On Self Test (POST) is a common process that occurs on almost every computer during
bootup. The POST process is used to test the router hardware. When the router is powered on, software
on the ROM chip conducts the POST. During this self-test, the router executes diagnostics from ROM on
several hardware components, including the CPU, RAM, and NVRAM. After the POST has been
completed, the router executes the bootstrap program.

After the POST, the bootstrap program is copied from ROM into RAM. Once in RAM, the CPU executes
the instructions in the bootstrap program. The main task of the bootstrap program is to locate the Cisco
IOS and load it into RAM.

Note: At this point, if you have a console connection to the router, you begin to see output on the screen.

2. Locating and Loading Cisco IOS (Figure 3)

The IOS is typically stored in flash memory and is copied into RAM for execution by the CPU. During
self-decompression of the IOS image file, a string of pound signs (#) is displayed.

If the IOS image is not located in flash, then the router may look for it using a TFTP server. If a full IOS
image cannot be located, a scaled-down version of the IOS is copied from ROM into RAM. This version of
IOS is used to help diagnose any problems and can be used to load a complete version of the IOS into
RAM.

3. Locating and Loading the Configuration File (Figure 4)

The bootstrap program then searches for the startup configuration file (also known as startup-config), in
NVRAM. This file has the previously saved configuration commands and parameters. If it exists, then it is
copied into RAM as the running configuration file, running-config. The running-config file contains
interface addresses, starts routing processes, configures router passwords, and defines other
characteristics of the router.

IOS IMAGE
An example of an IOS 12.4 software image name is shown in Figure 2.

Image Name (c2800nm) - Identifies the platform on which the image runs. In this example, the
platform is a Cisco 2800 router with a network module.

advipservicesk9 - Specifies the feature set. In this example, advipservicesk9 refers to the
advanced IP services feature set which includes both the advanced security and service provider
packages, along with IPv6.

mz - Indicates where the image runs and if the file is compressed. In this example, mz indicates that
the file runs from RAM (m) and is compressed (z).

124-6.T - The filename format for image 12.4(6)T. This is the train number, maintenance release
number, and the train identifier.

bin - The file extension. This extension indicates that this file is a binary executable file.

Other run-from location codes:

f - flash

m - RAM

r - ROM

l - relocatable
Figure 3 illustrates the different parts of an IOS 15 system image file on an ISR G2 device:

Image Name (c1900) - Identifies the platform on which the image runs. In this example, the platform
is a Cisco 1900 router.

universalk9 - Specifies the image designation. The two designations for an ISR G2 are universalk9
and universalk9_npe. Universalk9_npe does not contain strong encryption and is meant for
countries with encryption restrictions. Features are controlled by licensing and can be divided into
four technology packages. These are IP Base, Security, Unified Communications, and Data.

mz - Indicates where the image runs and if the file is compressed. In this example, mz indicates that
the file runs from RAM (m) and is compressed (z).

SPA - Designates that the file is digitally signed by Cisco.

152-4.M3 - Specifies the filename format for the image 15.2(4)M3. This is the version of IOS, which
includes the major release, minor release, maintenance release, and maintenance rebuild numbers.
The M indicates this is an extended maintenance release.
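Added example (mine, not from these notes or from Cisco): a Python parser that splits an IOS image filename into the fields described above, for both the 12.4 layout (c2800nm-advipservicesk9-mz.124-6.T.bin) and the ISR G2 layout with the SPA marker. The regex, the IosImage field names and the strong_crypto flag (set for k9 feature sets and cleared for the _npe variant, as the notes describe) are my own assumptions about these two name layouts; only "z" is treated as a compression code because it is the only one the notes list.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Run-from letters listed in the notes; only "z" (compressed) is known to this parser (assumption)
LOCATION_CODES = {"f": "flash", "m": "RAM", "r": "ROM", "l": "relocatable"}
COMPRESSION_CODES = {"z": "zip-compressed"}

# Hypothetical regex for the two name layouts on this page:
#   <platform>-<feature set>-<run-from><compression>.<train>-<maint>.<id><rebuild>.bin
#   <platform>-<feature set>-<run-from><compression>.SPA.<train>-<maint>.<id><rebuild>.bin
IMAGE_RE = re.compile(
    r"^(?P<platform>[^-]+)-(?P<feature>[^-]+)-(?P<runtime>[a-z]{2})"
    r"(?:\.(?P<signed>SPA))?"
    r"\.(?P<train>\d{3})-(?P<maint>\d+)\.(?P<train_id>[A-Z]+)(?P<rebuild>\d+)?\.bin$"
)


@dataclass
class IosImage:
    platform: str
    feature_set: str
    runs_from: str
    compressed: bool
    signed: bool
    version: str          # e.g. "12.4(6)T" or "15.2(4)M3"
    rebuild: Optional[int]
    strong_crypto: bool   # "k9" feature sets carry strong cryptography; "_npe" variants do not


def parse_ios_image(filename: str) -> IosImage:
    """Split an IOS image filename into the fields described in the notes."""
    m = IMAGE_RE.match(filename)
    if not m:
        raise ValueError(f"unrecognised IOS image name: {filename!r}")
    run_from, compression = m.group("runtime")      # e.g. "m", "z"
    if run_from not in LOCATION_CODES:
        raise ValueError(f"unknown run-from code {run_from!r}")
    train = m.group("train")                        # "124" -> 12.4, "152" -> 15.2
    major, minor = int(train[:2]), int(train[2:])
    rebuild = m.group("rebuild")
    version = f"{major}.{minor}({m.group('maint')}){m.group('train_id')}{rebuild or ''}"
    feature = m.group("feature")
    return IosImage(
        platform=m.group("platform"),
        feature_set=feature,
        runs_from=LOCATION_CODES[run_from],
        compressed=compression in COMPRESSION_CODES,
        signed=m.group("signed") == "SPA",
        version=version,
        rebuild=int(rebuild) if rebuild else None,
        strong_crypto=feature.endswith("k9"),
    )


if __name__ == "__main__":
    for name in ("c2800nm-advipservicesk9-mz.124-6.T.bin",
                 "c1900-universalk9-mz.SPA.152-4.M3.bin",
                 "c1900-universalk9_npe-mz.SPA.152-4.M3.bin"):
        print(name, "->", parse_ios_image(name))
```

Checking the parsed signed flag and feature set before an upgrade is a cheap way to confirm that the image staged in flash is the signed, strong-crypto build the change ticket asked for.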

CHAPTER ETHERNET

LLC Sublayer: handles the communication between the upper layers and the lower layers

MAC Sublayer: handles data encapsulation and media access control

Ethernet frame: minimum 64 bytes (anything smaller is called a runt and is discarded)
Preamble and Start Frame Delimiter Fields: The Preamble (7 bytes) and Start Frame Delimiter
(SFD), also called the Start of Frame (1 byte), fields are used for synchronization between the
sending and receiving devices. These first eight bytes of the frame are used to get the attention of
the receiving nodes. Essentially, the first few bytes tell the receivers to get ready to receive a new
frame.

Destination MAC Address Field: This 6-byte field is the identifier for the intended recipient. As you
will recall, this address is used by Layer 2 to assist devices in determining if a frame is addressed to
them. The address in the frame is compared to the MAC address in the device. If there is a match,
the device accepts the frame.

Source MAC Address Field: This 6-byte field identifies the frame's originating NIC or interface.

Length Field: The Length field defines the exact length of the frame's data field. This is used later as
part of the FCS to ensure that the message was received properly.
Data Field: This field (46 - 1500 bytes) contains the encapsulated data from a higher layer, which is
a generic Layer 3 PDU, or more commonly, an IPv4 packet. All frames must be at least 64 bytes
long. If a small packet is encapsulated, additional bits called a pad are used to increase the size of
the frame to this minimum size.

Frame Check Sequence Field: The Frame Check Sequence (FCS) field (4 bytes) is used to detect
errors in a frame. It uses a cyclic redundancy check (CRC). The sending device includes the results
of a CRC in the FCS field of the frame. The receiving device receives the frame and generates a
CRC to look for errors. If the calculations match, no error occurred. Calculations that do not match
are an indication that the data has changed; therefore, the frame is dropped. A change in the data
could be the result of a disruption of the electrical signals that represent the bits.
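Added example (mine, not from these notes): a Python model of the 802.3 frame fields above, with the receiver-side checks the text describes: a runt (under 64 bytes) is discarded, an FCS mismatch drops the frame, and the destination MAC is compared with the NIC's own address. The FCS is modelled as CRC-32 via zlib.crc32 packed least-significant byte first; that byte order, the mac_bytes/receive helper names and the sample frame contents are my assumptions, and the model accepts only unicast-to-me or broadcast destinations.

```python
import struct
import zlib

MIN_FRAME = 64        # minimum frame size including FCS (preamble/SFD excluded)
MIN_DATA = 46
MAX_DATA = 1500
FCS_LEN = 4


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fcs(body: bytes) -> bytes:
    """CRC-32 over destination..data, packed little-endian (assumed transmission order)."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: str, src: str, data: bytes) -> bytes:
    """802.3 frame: dst(6) src(6) length(2) data(46..1500, zero-padded) FCS(4)."""
    if len(data) > MAX_DATA:
        raise ValueError("data exceeds 1500 bytes")
    length = len(data)                          # Length field = real data length, before padding
    data = data.ljust(MIN_DATA, b"\x00")        # pad bits bring a short frame up to 64 bytes
    body = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", length) + data
    return body + fcs(body)


def receive(frame: bytes, my_mac: str) -> dict:
    """Mimic what a receiving NIC does: runt check, FCS check, destination check."""
    if len(frame) < MIN_FRAME:
        return {"status": "runt", "reason": f"{len(frame)} bytes < {MIN_FRAME}, discarded"}
    body, received_fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    if received_fcs != fcs(body):
        return {"status": "fcs_error", "reason": "CRC mismatch: data changed in transit, dropped"}
    dst, src = mac_str(body[:6]), mac_str(body[6:12])
    (length_or_type,) = struct.unpack("!H", body[12:14])
    if dst not in (my_mac.lower(), "ff:ff:ff:ff:ff:ff"):   # assumption: unicast-to-me or broadcast
        return {"status": "not_for_me", "dst": dst}
    payload = body[14:]
    if length_or_type <= MAX_DATA:              # 802.3 Length field: strip the pad
        payload = payload[:length_or_type]
    return {"status": "accepted", "dst": dst, "src": src,
            "length_or_type": length_or_type, "data": payload}


if __name__ == "__main__":
    # Constructed sample: a 5-byte payload padded to the 64-byte minimum
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", b"hello")
    print(len(f), receive(f, "aa:bb:cc:dd:ee:ff"))
    damaged = bytearray(f)
    damaged[20] ^= 0x01                         # flip one bit of the data field
    print(receive(bytes(damaged), "aa:bb:cc:dd:ee:ff"))
```

The single flipped bit in the demo is exactly the "disruption of the electrical signals" case: the CRC no longer matches and the frame is silently dropped rather than delivered corrupted.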
Chapter SWITCH NETWORK
Secure MAC Address Types

There are a number of ways to configure port security. The type of secure address is based on the
configuration and includes:

Static secure MAC addresses - MAC addresses that are manually configured on a port by using
the switchport port-security mac-address mac-address interface configuration mode
command. MAC addresses configured in this way are stored in the address table and are added to
the running configuration on the switch.

Dynamic secure MAC addresses - MAC addresses that are dynamically learned and stored only
in the address table. MAC addresses configured in this way are removed when the switch restarts.

Sticky secure MAC addresses - MAC addresses that can be dynamically learned or manually
configured, then stored in the address table and added to the running configuration.

When configuring port security violation modes, note the following information:

protect - Drops packets with unknown source addresses until you remove a sufficient number of
secure MAC addresses to drop below the maximum value. No notification of the security violation.

restrict - Drops packets with unknown source addresses until you remove a sufficient number of
secure MAC addresses to drop below the maximum value and causes the Security Violation counter to
increment (adds a notification).

shutdown - Puts the interface into the error-disabled state immediately and sends an SNMP trap
notification.

Router# configure terminal

Router(config)# interface fastethernet 3/12

Router(config-if)# switchport port-security violation protect

Router(config-if)# do show port-security interface fastethernet 5/12 | include Protect

Violation Mode : Protect


Sticky configuration:

S1(config-if)# switchport port-security mac-address sticky [mac-address]

If no MAC address is given after the sticky command, port security learns addresses dynamically.
If a MAC address is given, it becomes a static entry.
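Added example (mine, not IOS code or code from these notes): a Python model of one access port with port security, showing the three secure-address types (static entries are configured, dynamic ones are learned and lost on restart, sticky ones are learned and written to running-config) and the three violation modes. The class and method names, the trap text and the sample MAC addresses are my own assumptions; what each mode does follows the descriptions above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class PortSecurity:
    """Model of one access port with switchport port-security enabled (assumed names)."""
    maximum: int = 1
    violation: str = "shutdown"          # protect | restrict | shutdown
    sticky: bool = False                 # switchport port-security mac-address sticky
    static: Set[str] = field(default_factory=set)           # ...mac-address <mac>
    secure: Dict[str, str] = field(default_factory=dict)    # mac -> static | sticky | dynamic
    violation_count: int = 0
    err_disabled: bool = False
    snmp_traps: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode {self.violation!r}")
        for mac in self.static:
            self.secure[mac] = "static"

    def ingress(self, src_mac: str) -> str:
        """Return what happens to a frame from src_mac: forward, drop or err-disabled."""
        if self.err_disabled:
            return "err-disabled"
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:        # room left in the table: learn the address
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # Unknown source while the table is full: a security violation
        if self.violation == "protect":
            return "drop"                           # silently, no counter, no trap
        self.violation_count += 1
        self.snmp_traps.append(f"port-security violation: unexpected source {src_mac}")
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True                    # shutdown mode: port goes error-disabled
        return "err-disabled"

    def running_config(self) -> List[str]:
        """Lines this port contributes to running-config: static and sticky MACs, never dynamic ones."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac, kind in self.secure.items():
            if kind == "static":
                lines.append(f"switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines

    def reload(self) -> None:
        """Dynamic secure addresses live only in the address table and vanish on restart."""
        self.secure = {mac: kind for mac, kind in self.secure.items() if kind != "dynamic"}


if __name__ == "__main__":
    port = PortSecurity(maximum=1, violation="restrict", sticky=True)
    for mac in ("0011.2233.4455", "aaaa.bbbb.cccc"):       # constructed sample addresses
        print(mac, "->", port.ingress(mac))
    print("\n".join(port.running_config()), "violations:", port.violation_count)
```

The difference that matters for monitoring is visible in the model: protect gives no signal at all, so a port in that mode can be shedding frames from an unexpected device with nothing in the counters or traps to show for it.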

Chapter IP Address

Classful IP Addresses

Class A addresses begin with 0 - Intended for large organizations; includes all addresses from
0.0.0.0 (00000000) to 127.255.255.255 (01111111). The 0.0.0.0 address is reserved for default
routing and the 127.0.0.0 address is reserved for loopback testing.

Class B addresses begin with 10 - Intended for medium-to-large organizations; includes all
addresses from 128.0.0.0 (10000000) to 191.255.255.255 (10111111).

Class C addresses begin with 110 - Intended for small-to-medium organizations; includes all
addresses from 192.0.0.0 (11000000) to 223.255.255.255 (11011111).
Class D Multicast addresses begin with 1110 - Multicast addresses are used to identify a group
of hosts that are part of a multicast group. This helps reduce the amount of packet processing that is
done by hosts, particularly on broadcast media (i.e., Ethernet LANs). Routing protocols, such as
RIPv2, EIGRP, and OSPF use designated multicast addresses (RIP = 224.0.0.9, EIGRP =
224.0.0.10, OSPF 224.0.0.5, and 224.0.0.6).

Class E Reserved IP addresses begin with 1111 - These addresses were reserved for
experimental and future use.

Private IPv4 Addresses

The Internet Assigned Numbers Authority (IANA) has reserved the following
three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)


172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Advantages of using private address space:

1. Conserves the globally unique address space.
2. Benefits for enterprises: they gain a lot of flexibility in
network design by having more address space at their disposal than
they could obtain from the globally unique pool.

Disadvantages of using private address space:

1. Reduces an enterprise's flexibility to access the Internet.
2. It may require renumbering when merging several private internets into
a single private internet.
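Added example (mine, not from these notes): a Python classifier that applies the leading-bit rules above (0 -> A, 10 -> B, 110 -> C, 1110 -> D, 1111 -> E), flags the reserved 0.0.0.0 and 127.0.0.0 blocks, and reports whether an address falls in one of the three IANA private blocks. The function names are my own; the default classful masks in DEFAULT_MASKS are standard values not listed in the notes.

```python
import ipaddress
from typing import Optional

PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}   # classful defaults


def address_class(addr: str) -> str:
    """Classify by the leading bits of the first octet: 0 -> A, 10 -> B, 110 -> C, 1110 -> D, 1111 -> E."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if (first_octet & 0b1000_0000) == 0:
        return "A"
    if (first_octet & 0b1100_0000) == 0b1000_0000:
        return "B"
    if (first_octet & 0b1110_0000) == 0b1100_0000:
        return "C"
    if (first_octet & 0b1111_0000) == 0b1110_0000:
        return "D"
    return "E"


def classify(addr: str) -> dict:
    """Class, default mask, private/public and the reserved cases named in the notes."""
    ip = ipaddress.IPv4Address(addr)
    cls = address_class(addr)
    note: Optional[str] = None
    if ip in ipaddress.ip_network("0.0.0.0/8"):
        note = "reserved: default route"
    elif ip in ipaddress.ip_network("127.0.0.0/8"):
        note = "reserved: loopback testing"
    elif cls == "D":
        note = "multicast group address"
    elif cls == "E":
        note = "reserved for experimental and future use"
    return {
        "address": addr,
        "first_octet_bits": f"{int(ip) >> 24:08b}",
        "class": cls,
        "default_mask": DEFAULT_MASKS.get(cls),
        "private": any(ip in block for block in PRIVATE_BLOCKS),
        "note": note,
    }


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.31.255.1", "172.32.0.1", "192.168.1.1",
                   "224.0.0.9", "127.0.0.1", "240.0.0.1"):      # constructed samples
        print(classify(sample))
```

The 172.32.0.1 sample is the usual trap: it is class B like 172.16.0.0/12, but the /12 boundary ends at 172.31.255.255, so it is a public address and must not be treated as internal.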

COLLISION DOMAIN and BROADCAST DOMAIN

Switch: each connection, whether to a PC, a router or a hub = 1 collision domain

A switch connected to 2 PCs and 1 router = 3 collision domains

Hub: all connections, whether to PCs, a router or a switch, count as only 1 collision domain
Router: each connection, whether to a switch or a hub = 1 broadcast domain

A router connected to 1 switch and 1 hub = 2 broadcast domains


Chapter VLAN
Benefits :

Security - Groups that have sensitive data are separated from the rest of the network, decreasing
the chances of confidential information breaches.

Cost reduction - Cost savings result from reduced need for expensive network upgrades and more
efficient use of existing bandwidth and uplinks.

Better performance - Dividing flat Layer 2 networks into multiple logical workgroups (broadcast
domains) reduces unnecessary traffic on the network and boosts performance.

Shrink broadcast domains - Dividing a network into VLANs reduces the number of devices in the
broadcast domain. As shown in the figure, there are six computers on this network but there are
three broadcast domains: Faculty, Student, and Guest.

Improved IT staff efficiency - VLANs make it easier to manage the network because users with
similar network requirements share the same VLAN. When a new switch is provisioned, all the
policies and procedures already configured for the particular VLAN are implemented when the ports
are assigned. It is also easy for the IT staff to identify the function of a VLAN by giving it an
appropriate name. In the figure, for easy identification VLAN 10 has been named Faculty, VLAN 20
is named Student, and VLAN 30 Guest.

Simpler project and application management - VLANs aggregate users and network devices to
support business or geographic requirements. Having separate functions makes managing a project
or working with a specialized application easier; an example of such an application is an e-learning
development platform for faculty.

VLAN

- (IF) Increase the number of broadcast domains while decreasing the size of the broadcast
domains which increase the utilization of the links
- (IF) increases the size of broadcast domains but does not decrease the number of collision
domains
- VLAN the number and size of collision domains remain the same
Normal Range VLANs

Identified by a VLAN ID between 1 and 1005.

IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.

IDs 1 and 1002 to 1005 are automatically created and cannot be removed.

Configurations are stored within a VLAN database file, called vlan.dat. The vlan.dat file is located in
the flash memory of the switch.

The VLAN Trunking Protocol (VTP), which helps manage VLAN configurations between switches,
can only learn and store normal range VLANs.

Extended Range VLANs

Are identified by a VLAN ID between 1006 and 4094.

Configurations are not written to the vlan.dat file.

Support fewer VLAN features than normal range VLANs.

Are, by default, saved in the running configuration file.

VTP does not learn extended range VLANs.


VLAN Tag Field Details

The VLAN tag field consists of a Type field, a Priority field, a Canonical Format Identifier field, and VLAN
ID field:

Type - A 2-byte value called the tag protocol ID (TPID) value. For Ethernet, it is set to hexadecimal
0x8100.

User priority - A 3-bit value that supports level of service implementation.

Canonical Format Identifier (CFI) - A 1-bit identifier that enables Token Ring frames to be carried
across Ethernet links.

VLAN ID (VID) - A 12-bit VLAN identification number that supports up to 4096 VLAN IDs.

DELETING VLANS

no vlan vlan-id

Alternatively, the entire vlan.dat file can be deleted with the delete flash:vlan.dat command.

VLAN Trunks

To configure a switch port on one end of a trunk link, use the switchport mode trunk command.
With this command, the interface changes to permanent trunking mode.

Always configure both ends of a trunk link with the same native VLAN. If 802.1Q trunk configuration is not
the same on both ends, Cisco IOS Software reports errors.
Verify trunk:

show interfaces f0/1 switchport

Native VLAN

Rules:

1. If a switch receives a frame that carries no VLAN information (no VLAN ID), the frame is
assumed to belong to the native VLAN.
2. A switch does not tag frames that belong to the native VLAN.

Example:

- The native VLAN on trunk interface F0/18 of SW1 and F0/18 of SW2 is set to VLAN 5.
- PC1 wants to send to PC2, and interface F0/1 of SW1 is assigned to VLAN 5. When PC1's frame arrives at
SW1, the switch sees that the frame belongs to the same VLAN as the native VLAN (both VLAN 5),
so according to rule 2 the switch does not tag a frame that belongs to the native VLAN.
- SW1 therefore forwards the frame out trunk interface F0/18 without a VLAN ID.
- When the frame arrives at SW2 it is checked: the frame has no VLAN ID (no VLAN information), so it
is assumed to belong to the native VLAN (rule 1), and interface F0/18 of SW2 has its native VLAN
set to VLAN 5. The frame therefore gets VLAN ID = native VLAN = VLAN 5.
- Because the frame now belongs to VLAN 5, it can be forwarded to PC2 via interface F0/2 of SW2, which is
also in VLAN 5.

Configure native VLAN

Configured on the trunk interface (interface configuration mode, entered from global config):

switchport trunk native vlan vlan_ID

no switchport trunk native vlan
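Added example (mine, not from these notes) serving both the VLAN Tag Field Details section and the native VLAN rules above: a Python encoder/decoder for the 4-byte 802.1Q tag (TPID 0x8100, 3-bit priority, 1-bit CFI, 12-bit VID) and a small TrunkPort model that applies rule 1 (untagged frame belongs to the native VLAN) and rule 2 (native-VLAN frames leave untagged). The frame layout with the FCS omitted, the class and helper names, and the sample frame bytes are my assumptions.

```python
import struct
from typing import Tuple

TPID_8021Q = 0x8100   # Tag Protocol ID that marks an 802.1Q tag

# Frame layout used here (assumption, FCS omitted): dst(6) src(6) [tag(4)] type(2) payload


def build_tag(vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """TPID(16) + TCI: priority(3) | CFI(1) | VID(12)."""
    if not 0 <= vid <= 0xFFF:
        raise ValueError("VID must fit in 12 bits")
    if not 0 <= priority <= 7 or cfi not in (0, 1):
        raise ValueError("priority is 3 bits, CFI is 1 bit")
    tci = (priority << 13) | (cfi << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def parse_tag(tag: bytes) -> dict:
    tpid, tci = struct.unpack("!HH", tag[:4])
    if tpid != TPID_8021Q:
        raise ValueError(f"TPID 0x{tpid:04x} is not an 802.1Q tag")
    return {"priority": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0xFFF}


def is_tagged(frame: bytes) -> bool:
    return len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q


def insert_tag(frame: bytes, vid: int, priority: int = 0) -> bytes:
    return frame[:12] + build_tag(vid, priority) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


class TrunkPort:
    """One end of an 802.1Q trunk, applying the two native-VLAN rules from the notes."""

    def __init__(self, native_vlan: int = 1) -> None:
        self.native_vlan = native_vlan

    def receive(self, frame: bytes) -> Tuple[int, bytes]:
        """Rule 1: a frame with no VLAN information is assumed to belong to the native VLAN."""
        if is_tagged(frame):
            return parse_tag(frame[12:16])["vid"], strip_tag(frame)
        return self.native_vlan, frame

    def transmit(self, vid: int, frame: bytes) -> bytes:
        """Rule 2: frames of the native VLAN leave untagged; every other VLAN gets a tag."""
        return frame if vid == self.native_vlan else insert_tag(frame, vid)


def vlan_after_trunk(native_a: int, native_b: int, vid: int, frame: bytes) -> int:
    """VLAN a frame ends up in after crossing a trunk from switch A (native_a) to switch B (native_b)."""
    wire = TrunkPort(native_a).transmit(vid, frame)
    return TrunkPort(native_b).receive(wire)[0]


if __name__ == "__main__":
    # Constructed sample: broadcast dst, src 00:11:22:33:44:55, EtherType 0x0800, dummy payload
    frame = bytes.fromhex("ffffffffffff001122334455") + b"\x08\x00" + b"constructed payload"
    print("matching native VLANs :", vlan_after_trunk(5, 5, 5, frame))
    print("mismatched native VLANs:", vlan_after_trunk(5, 1, 5, frame))
```

The vlan_after_trunk(5, 1, 5, ...) call shows why the notes insist on the same native VLAN at both ends: SW1 sends VLAN 5 traffic untagged, SW2 applies rule 1 with its own native VLAN, and the frame silently ends up in VLAN 1.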

Chapter Dynamic Trunking Protocol (DTP)

The default DTP configuration for Cisco Catalyst 2960 and 3560 switches is dynamic auto.

To enable trunking from a Cisco switch to a device that does not support DTP, use the switchport
mode trunk and switchport nonegotiate interface configuration mode commands.

VLAN TRUNK LAB

Note: all switches must be assigned the same VLANs for those VLANs to be recognised.

S100 and S102 are assigned VLANs 10 and 99. Switch S101 must likewise be assigned VLANs 10 and 99, even
though S101 is used only for trunking.

Ports F0/1 and F0/2 become trunks.

Both ports should preferably be set to trunk mode ON = switchport mode trunk

S100(config-if)#do sh int tr
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10,99

S101#sh int tr
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       auto         n-802.1q       trunking      1
Fa0/2       auto         n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005
Fa0/2       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1
Fa0/2       1            => not the same, because the VLANs have not yet been assigned on S101

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1
Fa0/2       1
Chapter ROUTING PROTOCOL
Administrative Distance

To determine the best path within a single routing protocol (e.g. only RIP, or only OSPF), the
cost is used. The lowest cost is chosen first. The cost is determined by the metric, and each
routing protocol computes its metric differently. For example, RIP's metric is determined by the
fewest hops, whereas OSPF's metric is determined by the largest bandwidth.

LINK-STATE Routing Protocol

Characteristics:

1. Create a complete view or topology of the network by gathering information from all of the other
routers.
2. Link-state routing protocols do not use periodic updates (to neighbours). After the network has
converged, a link-state update is only sent when there is a change in the topology.
3. All link-state routing protocols apply Dijkstra's algorithm to calculate the best (shortest) path route.
4. (Additional) Each router learns about its own links and its own directly connected networks.

DISTANCE VECTOR ROUTING PROTOCOL

Distance vector means that routes are advertised by providing two characteristics:

Distance - Identifies how far it is to the destination network and is based on a metric such as the
hop count, cost, bandwidth, delay, and more.

Vector - Specifies the direction of the next-hop router or exit interface to reach the destination.
Characteristics of distance vector routing protocols

1. Some distance vector routing protocols send periodic updates (only RIP; EIGRP does not).
2. The algorithm used to determine the best path: RIP uses Bellman-Ford, EIGRP
uses the DUAL algorithm.

EIGRP

Characteristics:

3. Unlike RIP, EIGRP does not send periodic updates and route entries do not age out. EIGRP sends
Update packets to propagate routing information. Update packets are sent only when necessary.
EIGRP updates contain only the routing information needed and are sent only to those routers that
require it. Uses Reliable Transport Protocol (RTP) for the delivery and reception of EIGRP packets.
4. Has the capability for routing several different protocols including IPv4 and IPv6 using protocol-
dependent modules (PDMs).
5. EIGRP routers discover neighbors and establish adjacencies with neighbor routers using the Hello
packet.
6. (Additional) EIGRP uses small Hello packets to discover other EIGRP-enabled routers on directly
connected links.
7. (Additional) EIGRP routers discover neighbors and establish adjacencies with neighbor routers using
the Hello packet. On most networks, EIGRP Hello packets are sent as multicast packets every five
seconds.
8. (Additional) Uses the router eigrp autonomous-system command to enable the EIGRP process. All routers within
the EIGRP routing domain must use the same autonomous system number (in OSPF this is called the
process-id). Two EIGRP routers must use the same EIGRP metric parameters and both must be configured using
the same autonomous system number.
9. (Additional) The EIGRP router ID is used to uniquely identify each router in the EIGRP routing domain. As in
OSPF, the router ID must be unique on each router in the EIGRP network.
10. The network command can be used with a classful IP address (as a summary route) or a classless
IP address (with a wildcard mask).
11. Verify: show ip eigrp neighbors, show ip protocols, show ip route

Configure EIGRP for IPv4 (all from global configuration mode)

1. AS
2. Router ID
3. Network
4. Passive interface

Configure EIGRP for IPv6

1. Configure IPv6 addresses on the interfaces (a link-local address can also be added).
2. Enable IPv6 routing and the EIGRP AS, plus no shutdown, because the IPv6 EIGRP process is shut down by default.
3. Enable EIGRP for IPv6 on the interface (no network command is needed).

Chapter RIP

In 1993, RIPv1 was updated to a classless routing protocol known as RIP version 2 (RIPv2). RIPv2
included the following improvements:

Classless routing protocol - It supports VLSM and CIDR, because it includes the subnet mask in
the routing updates.

Increased efficiency - It forwards updates to multicast address 224.0.0.9, instead of the broadcast
address 255.255.255.255.

Reduced routing entries - It supports manual route summarization on any interface.

Secure - It supports an authentication mechanism to secure routing table updates between
neighbors.
Enabling RIPv2

1. router rip => starts in v1
2. version 2 => v2
3. Disable auto-summarization => so that it becomes classless
4. Configure passive interfaces
5. Propagate a default route => for the router on the stub network (connected to the ISP)
Chapter IP MULTICAST

Multicast addresses always start with 1110 = 224 for IPv4, and FF02 for IPv6.

Description                              IPv4                           IPv6
Hello packet OSPF                        224.0.0.5                      FF02::5
Hello packet OSPF DR/BDR                 224.0.0.6                      FF02::6
RIP                                      224.0.0.9
EIGRP                                    224.0.0.10                     FF02::A
DHCPv6/SLAAC RS (sent by client)                                        FF02::2 (to all routers)
HSRPv1                                   224.0.0.2
HSRPv2                                   224.0.0.102
DHCPv6/SLAAC RA (response)                                              FF02::1 (to all nodes)
DHCPv6 Solicit message from client                                      FF02::1:2
Reserved link-local addresses            224.0.0.0/24                   FF02::1
Globally scoped addresses                224.0.1.0 to 238.255.255.255
Source Specific Multicast                232.0.0.0/8
GLOP addresses                           233.0.0.0/8
PIM routers                                                             FF02::D
All routers (site-local)                                                FF05::2
Limited scope addresses                  239.0.0.0/8

Examples of IPv4 link-local multicast addresses:

224.0.0.1    All systems on this subnet
224.0.0.2    All routers on this subnet
224.0.0.12   Dynamic Host Configuration Protocol (DHCP) server/relay agent
Chapter ACL

Port Number

An SSH ACL is a standard ACL. SSH is usually used to manage the router remotely, so an inbound ACL is used
(packets are filtered before being routed).

When filtering, the ACL should filter on the host first, as the 1st ACE (access control
entry).
ACE: the ordered entries that are evaluated in an ACL

The clear access-list counters command is used to reset all numbers relating to ACE match
conditions that have been made within a particular ACE. The command is useful when
troubleshooting an ACL that has recently been deployed.
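Added example (mine, not IOS code or code from these notes): a Python model of a standard ACL that evaluates ACEs top-down with first-match semantics and the implicit deny, keeps a per-ACE match counter, and implements what clear access-list counters does. It also shows the ordering point above: a host entry placed after a broader network entry is never reached. Class and method names, the sequence-number scheme and the sample addresses are my assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def parse_source(spec: str) -> Tuple[int, int]:
    """Turn 'host A.B.C.D', 'A.B.C.D W.X.Y.Z' (wildcard) or 'any' into (address, wildcard) ints."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF
    if len(parts) == 2 and parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    if len(parts) == 2:
        return int(ipaddress.IPv4Address(parts[0])), int(ipaddress.IPv4Address(parts[1]))
    raise ValueError(f"bad source specification {spec!r}")


@dataclass
class Ace:
    seq: int
    action: str      # permit | deny
    source: str
    matches: int = 0

    def matches_ip(self, src_ip: str) -> bool:
        base, wildcard = parse_source(self.source)
        care = ~wildcard & 0xFFFFFFFF        # wildcard bit 0 = must match, bit 1 = don't care
        return (int(ipaddress.IPv4Address(src_ip)) & care) == (base & care)


class StandardAcl:
    """Standard ACL: filters on source address only, first match wins, implicit deny at the end."""

    def __init__(self, number: int) -> None:
        self.number = number
        self.aces: List[Ace] = []

    def add(self, action: str, source: str) -> None:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        parse_source(source)                   # validate the source spec early
        self.aces.append(Ace(seq=10 * (len(self.aces) + 1), action=action, source=source))

    def evaluate(self, src_ip: str) -> str:
        for ace in self.aces:                  # top-down, in ACE order
            if ace.matches_ip(src_ip):
                ace.matches += 1
                return ace.action
        return "deny"                          # implicit deny any

    def clear_counters(self) -> None:
        """What 'clear access-list counters' does: zero every ACE's match count."""
        for ace in self.aces:
            ace.matches = 0

    def show(self) -> List[str]:
        lines = [f"Standard IP access list {self.number}"]
        for ace in self.aces:
            hits = f" ({ace.matches} matches)" if ace.matches else ""
            lines.append(f"    {ace.seq} {ace.action} {ace.source}{hits}")
        return lines


if __name__ == "__main__":
    acl = StandardAcl(10)
    acl.add("permit", "host 192.168.10.10")    # the host ACE comes first
    acl.add("deny", "192.168.10.0 0.0.0.255")
    acl.add("permit", "any")
    for ip in ("192.168.10.10", "192.168.10.99", "10.0.0.1"):   # constructed sources
        print(ip, "->", acl.evaluate(ip))
    print("\n".join(acl.show()))
```

Zeroing the counters right after a deployment and then reading them back is the quickest way to see which ACE a misbehaving session is actually hitting, which is exactly the troubleshooting use the notes describe.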

Chapter DHCP

The ip helper-address is placed on the interface facing the CLIENTS, with the IP address of the DHCP
server (its directly connected interface).

DHCP Discover: the client IPv4 address (CIADDR), default gateway address (GIADDR), and subnet
mask are all marked to indicate that the address 0.0.0.0 is used.

DHCP Offer: contains initial configuration information for the client, including the IPv4 address that the
server offers, the subnet mask, the lease duration. The frame is constructed using the client hardware
address (CHADDR) and sent to the requesting client.

Clone MAC Address

When the service was first installed, the ISP only registered the MAC address of our PC, because the ISP does
not allow registering the MAC address of the wifi router. So that the wifi router can connect to the
modem, a clone MAC address is used, i.e. the registered PC's MAC address is cloned onto the WAN MAC
address of the wifi router.

DHCP client is usually used on the router that connects to the ISP.

DHCP Manual Binding

An address binding is a mapping between the IP address and MAC address of a client. The IP
address of a client can be assigned manually by an administrator or assigned automatically from a
pool by a DHCP server.
All DHCP clients send a client identifier (DHCP option 61) in the DHCP packet. To configure manual
bindings, you must enter the client-identifier DHCP pool configuration command with the
appropriate hexadecimal values identifying the DHCP client.

Step 1 - Router(config)# ip dhcp pool name
Creates a name for the DHCP server address pool and places you in DHCP pool configuration mode,
identified by the (dhcp-config)# prompt.

Step 2 - Router(dhcp-config)# host address [mask | /prefix-length]
Specifies the IP address and subnet mask of the client. The prefix length specifies the number of
bits that comprise the address prefix. The prefix is an alternative way of specifying the network
mask of the client. The prefix length must be preceded by a forward slash (/).

Step 3 - Router(dhcp-config)# client-identifier unique-identifier
Specifies the unique identifier for DHCP clients. This command is used for DHCP requests. DHCP
clients require client identifiers. The unique identification of the client is specified in dotted
hexadecimal notation, for example, 01b7.0813.8811.66, where 01 represents the Ethernet media type.

Step 4 - Router(dhcp-config)# hardware-address hardware-address type
(Optional) Specifies a hardware address for the client. This command is used for BOOTP requests.

Example:

ip dhcp pool Mars
 host 172.16.2.254
 client-identifier 0100.0c00.001d.df
 hardware-address 02c7.f800.0422 ieee802
 client-name Mars
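Added example (mine, not IOS code or code from these notes): Python helpers that build and parse the dotted-hex client identifier described in step 3 (media type byte 01 for Ethernet followed by the MAC, e.g. 01b7.0813.8811.66) and emit the manual-binding stanza from steps 1 to 3. The helper names and the accepted MAC notations are my assumptions; the 0100.0c00.001d.df value in the test is the one from the Mars pool above.

```python
import re
from typing import List, Optional, Tuple

ETHERNET_MEDIA_TYPE = 0x01   # first byte of the client identifier: 01 = Ethernet


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or aa-bb-cc-dd-ee-ff; return 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def dotted_hex(hexdigits: str) -> str:
    """Group hex digits in fours, the way IOS prints client identifiers."""
    return ".".join(hexdigits[i:i + 4] for i in range(0, len(hexdigits), 4))


def client_identifier(mac: str, media_type: int = ETHERNET_MEDIA_TYPE) -> str:
    """DHCP option 61 value in IOS dotted-hex form: media type byte followed by the MAC."""
    return dotted_hex(f"{media_type:02x}" + normalize_mac(mac))


def parse_client_identifier(cid: str) -> Tuple[int, str]:
    """Reverse of client_identifier: return (media type, colon-separated MAC)."""
    digits = cid.replace(".", "").lower()
    if not re.fullmatch(r"[0-9a-f]{14}", digits):
        raise ValueError(f"client identifier must be 7 bytes of hex: {cid!r}")
    mac = ":".join(digits[i:i + 2] for i in range(2, 14, 2))
    return int(digits[:2], 16), mac


def manual_binding_config(pool: str, host: str, prefix_or_mask: str, mac: str,
                          client_name: Optional[str] = None) -> List[str]:
    """IOS configuration stanza for one manual DHCP binding (steps 1-3 of the table above)."""
    lines = [f"ip dhcp pool {pool}",
             f" host {host} {prefix_or_mask}",
             f" client-identifier {client_identifier(mac)}"]
    if client_name:
        lines.append(f" client-name {client_name}")
    return lines


if __name__ == "__main__":
    print(client_identifier("b7:08:13:88:11:66"))        # -> 01b7.0813.8811.66
    print(parse_client_identifier("0100.0c00.001d.df"))
    print("\n".join(manual_binding_config("Mars", "172.16.2.254", "/24",
                                          "00:0c:00:00:1d:df", "Mars")))
```

Generating the identifier from the MAC rather than typing it by hand removes the most common reason a manual binding silently never matches: a missing or doubled media-type byte at the front.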

Verify DHCP

Router#show ip dhcp binding => lists the IP addresses already leased and their MAC addresses

IP address       Client-ID/              Lease expiration    Type
                 Hardware address
192.168.10.22    00E0.8F6D.0E7E          --                  Automatic
192.168.10.21    0060.3E00.0C65          --                  Automatic
192.168.10.23    0040.0BB6.41B9          --                  Automatic
192.168.10.24    0001.6441.6BD0          --                  Automatic

Router#show ip dhcp pool => shows the pool configuration: assignments, IP range, exclusions

Pool CCNA1 :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 4
 Excluded addresses             : 2
 Pending event                  : none

 1 subnet is currently in the pool
 Current index        IP address range                    Leased/Excluded/Total
 192.168.10.1         192.168.10.1 - 192.168.10.254       4 / 2 / 254
Router#

DHCPv6

When IPv6 is enabled (ipv6 unicast-routing command), SLAAC, stateless DHCPv6 or stateful DHCPv6
is activated automatically.

SLAAC: no server is used; instead IPv6, via the ICMPv6 protocol, automatically sends an RS (from
the client) and an RA (from the router) to request an IPv6 address automatically.

Stateless DHCPv6: a method that uses both SLAAC and DHCPv6.

Stateful DHCPv6: DHCPv6 only.

Initially, as soon as IPv6 is enabled (ipv6 unicast-routing), SLAAC operation takes place automatically
(addresses without a DHCP server) => Figure 1 below. But usually, when there is a DHCP server, SLAAC
operation is skipped and the RA message indicates stateless or stateful DHCP, so DHCP operation
begins (Figure 2 below).
Step 5: the DHCPv6 REQUEST message is used by the stateful method;

the DHCPv6 INFORMATION-REQUEST message is used by the stateless method.

Chapter SINGLE-AREA OSPF

Down state: preparing (no Hello packet)
Init state: sends a Hello packet
Two-Way state: when the router receiving the Hello packet has built its list of router IDs and
neighbours too (including electing the DR/BDR)
ExStart state: begins the DBD packet exchange (decides master and slave)
Exchange state: exchanges DBD packets between master and slave
Loading state: if additional information is still needed from the slave to the master (SPF algorithm)

OSPF COST METRIC

The standard/default reference bandwidth is 1 Mbps (1,000,000 bps).
So with the following command:
auto-cost reference-bandwidth 1000 => 1000 x 1 Mbps = 1 Gbps
Every interface bandwidth is divided into 1 Gbps; the smallest cost stays 1, there is no 0.1 or 0.01, etc.
For example, Gigabit Ethernet 1 Gbps: cost = 1 Gbps / 1 Gbps = 1
10 Gbps: 1 Gbps / 10 Gbps = 0.1 => 1
100 Mbps: 1 Gbps / 100 Mbps = 10
and so on.
In the table above the reference bandwidth was set with auto-cost reference-bandwidth 100, i.e. 100 Mbps

OSPF default time intervals:

Hello packet: 10 s
Dead interval: 4 x Hello = 40 s

Full state: synchronization done (routers converged)

- The OSPF process ID can differ from router to router. (In EIGRP, the AS number must be the same.)
- The OSPF router ID must be different (unique) on each router.
The router ID is determined by:
1. The configured router-id command.
2. If no router ID is configured, the highest loopback IP address is used.
3. If there is no loopback IP, the highest IP address of a physical interface of the router is used.
DR/BDR
- Determined by priority: the highest priority becomes the DR, the 2nd highest priority becomes the BDR, the
3rd priority becomes standby BDR, and so on.
- If priority does not decide (no priority is set), the highest router ID is used (determined by the rules above).
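Added example (mine, not from these notes) for the OSPF cost, router-ID and DR/BDR passages above: Python functions that compute the interface cost as reference bandwidth divided by interface bandwidth (integer part, never below 1), pick the router ID by the three rules listed, and elect DR and BDR by highest priority with highest router ID as the tie-break. The function names are my assumptions; the default reference bandwidth of 100 Mbps in the code is the IOS default, and treating priority 0 as ineligible is standard OSPF behaviour that the notes do not mention.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

DEFAULT_REFERENCE_BW_MBPS = 100   # IOS default; 'auto-cost reference-bandwidth 1000' raises it to 1000 Mbps


def ospf_cost(interface_bw_mbps: float, reference_bw_mbps: float = DEFAULT_REFERENCE_BW_MBPS) -> int:
    """cost = reference bandwidth / interface bandwidth, integer part, never below 1."""
    if interface_bw_mbps <= 0:
        raise ValueError("bandwidth must be positive")
    return max(1, int(reference_bw_mbps / interface_bw_mbps))


def ospf_router_id(configured: Optional[str] = None,
                   loopback_ips: Iterable[str] = (),
                   physical_ips: Iterable[str] = ()) -> str:
    """1. router-id command; 2. highest loopback address; 3. highest physical interface address."""
    if configured:
        return str(ipaddress.IPv4Address(configured))
    for candidates in (loopback_ips, physical_ips):
        addrs = [ipaddress.IPv4Address(a) for a in candidates]
        if addrs:
            return str(max(addrs))
    raise ValueError("no router ID: configure one or give the router an IPv4 address")


def elect_dr_bdr(routers: Dict[str, Tuple[int, str]]) -> Tuple[Optional[str], Optional[str]]:
    """routers: name -> (priority, router_id). Highest priority wins, then highest router ID.
    Priority 0 makes a router ineligible (standard OSPF behaviour, not stated in the notes)."""
    eligible = [(prio, int(ipaddress.IPv4Address(rid)), name)
                for name, (prio, rid) in routers.items() if prio > 0]
    ranked = [name for _, _, name in sorted(eligible, reverse=True)]
    dr = ranked[0] if ranked else None
    bdr = ranked[1] if len(ranked) > 1 else None
    return dr, bdr


if __name__ == "__main__":
    for bw in (10, 100, 1000, 10000):                       # Mbps
        print(f"{bw:>6} Mbps: cost {ospf_cost(bw):>3} (ref 100)  cost {ospf_cost(bw, 1000):>3} (ref 1000)")
    print(ospf_router_id(None, ["10.1.1.1", "1.1.1.1"], ["192.168.1.1"]))   # constructed addresses
    print(elect_dr_bdr({"R1": (1, "1.1.1.1"), "R2": (1, "3.3.3.3"), "R3": (1, "2.2.2.2")}))
```

The cost table printed by the demo makes the reason for raising the reference bandwidth concrete: with the default 100 Mbps reference, every link of 100 Mbps and faster collapses to cost 1 and OSPF can no longer tell a Gigabit path from a 10-Gigabit one.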

CHANGE ROUTER ID

clear ip ospf process

Chapter NAT

INSIDE NETWORK: the network whose IP addresses get translated. Usually this network always
has a fixed IP address, such as a web server.
OUTSIDE NETWORK: the destination network

Static NAT
R2 translates the source IP received on the inside interface (S0/0/0), namely 192.168.10.254,
to 209.165.201.5 toward the outside interface S0/1/0.

Conversely, R2 translates the destination IP coming from the outside interface S0/1/0 to
192.168.10.254 toward the inside interface S0/0/0.

That is why it matters to decide which interface is Inside and which is Outside.

When sending a message, the destination address always stays FIXED.

When replying, the destination address becomes the source address, and that IP address
always stays fixed.

Chapter SPANNING TREE PROTOCOL (STP)

BID

Path cost
The BID consists of the Priority and the VLAN ID (the 12-bit part = 4096 values); the 4 priority bits select the multiple of 4096

PORT ROLES

1. The port that receives the best BPDU on a bridge is the root port
2. A port is designated if it can send the best BPDU on the segment to which it is connected
3. The remaining two port roles, alternate and backup, correspond to the blocking state of 802.1D

Once the ROOT Bridge switch is known, STP determines the port roles. Port roles are decided by path
cost; if still tied, by BID. For example, Fast Ethernet has a path cost of 19.

On the ROOT BRIDGE switch (S1), every port becomes a Designated Port.
The Root Port is the port on the trunk link closest to the Root Bridge. Every switch that is not the Root
Bridge has exactly one Root Port (S2, S3, S4 each have one root port). F0/3 on S4 and F0/1 on S3 are close to
(directly connected to) the Root Bridge, so they are Root Ports. S2 has F0/2 and F0/1, and (for example)
both have the same cost. Then the neighbour switch BIDs (S3 and S4) decide: whichever is lower.
Say S3's BID is 24577.5555.5555.5555 and S4's BID is 24577.1111.1111.1111; S4 is lower, so F0/1 becomes
the Root Port.

A Designated Port exists on every LAN segment. The Designated Port is decided by the lower path cost (and BID)
toward the Root Bridge. S3 F0/2 and S4 F0/1 are Designated Ports because they have the lower path cost
(compare S2 F0/2, whose path cost needs two trunk links).

The remaining unassigned port, S2 F0/2, becomes the Alternate Port.

Determining the Root Bridge

A BPDU consists of the BID and the Root ID. Every switch broadcasts BPDUs out all ports. While the
Root Bridge is not yet known, every switch considers itself the Root Bridge. The ROOT ID is the BID
of the Root Bridge.

Then, say S2 forwards a BPDU to S1 and S3. S3 looks at the frame from S2; that BPDU turns out to carry
a Root ID lower than S3's local one, so S3 updates/changes its Root ID to S2's Root ID. Likewise S1, when
it receives the BPDU frame from S2, sees that the received Root ID is higher than its local Root ID (S1),
so it does not update its Root ID.

S1 has the lowest Root ID of all, so when S1 forwards BPDU frames out all ports, announcing at the same
time that S1 is the Root Bridge, S2 sees that the frame's Root ID is lower than its local Root ID and
updates it. Likewise S3.
The Root ID can keep changing, depending on which is lower each time a broadcast message is
received; the Bridge ID value stays fixed.
Switch 2960 Default Config for STP

STP: 802.1D, with minimal CPU & memory use


RSTP: 802.1W, with maximal CPU & memory use

PVST+ = an upgrade of STP (CST) 802.1D on a per-VLAN basis

Rapid PVST+ = an upgrade of RSTP and PVST, so 802.1W on a per-VLAN basis

STP (CST): no load sharing, and minimum CPU & memory use

RAPID PVST: ports transition to the forwarding state without a TIMER; its port roles are Root, Designated,
Alternate, Edge, Backup.
PVST: the port transition from blocking to forwarding state takes time, because of the Listening and
Learning states

PRIORITY
The default priority value for all Cisco switches is 32768. The range is 0 to 61440 in increments of
4096. Valid priority values are 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864,
40960, 45056, 49152, 53248, 57344, and 61440

Why is the priority a multiple of 4096?


Because the 12-bit extended system ID carries the VLAN ID (which VLAN), and 2^12 = 4096.
The Bridge Priority is 4 bits, giving multiples of 4096 up to 15 times, because bits 1111 = 15.
So, for example, if the bridge priority for VLAN 10 is set to 8192, verification shows Priority = 8192 + 10 (VLAN ID)
= 8202
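An added example (not from these notes) that models the Bridge ID layout just described, the Root Bridge election and the Root Port tie-break from the passages above. The switch names S1..S4 with their priorities and MAC addresses are constructed, except the two BIDs quoted above for S3 and S4.

```python
import re

PRIORITY_STEP = 4096                 # 4-bit bridge priority => multiples of 4096
MAX_PRIORITY = 15 * PRIORITY_STEP    # bits 1111 = 15 -> 61440


def valid_priority(priority: int) -> bool:
    """A bridge priority is valid only if it fits the 4-bit field (0..61440, step 4096)."""
    return 0 <= priority <= MAX_PRIORITY and priority % PRIORITY_STEP == 0


def bridge_id(priority: int, vlan: int, mac: str) -> tuple:
    """Build a PVST+ Bridge ID as a comparable (priority + extended system ID, MAC) tuple.

    The 16-bit priority field is the 4-bit bridge priority plus the 12-bit
    extended system ID carrying the VLAN number, so VLAN 10 at priority 8192
    is shown as 8202 by 'show spanning-tree'.
    """
    if not valid_priority(priority):
        raise ValueError(f"priority {priority} is not a multiple of {PRIORITY_STEP} in 0..{MAX_PRIORITY}")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be in 1..4094")
    mac_hex = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", mac_hex):
        raise ValueError(f"bad MAC address {mac!r}")
    return (priority + vlan, mac_hex)


def format_bid(bid: tuple) -> str:
    """Render a Bridge ID the way the notes write it, e.g. 24577.1111.1111.1111."""
    prio, mac_hex = bid
    return f"{prio}.{mac_hex[0:4]}.{mac_hex[4:8]}.{mac_hex[8:12]}"


def elect_root(bridges: dict) -> str:
    """Root Bridge = the switch with the numerically lowest Bridge ID.

    bridges maps switch name -> Bridge ID tuple; tuples compare the priority
    field first and the MAC second, like the BPDU comparison described above.
    """
    return min(bridges, key=bridges.__getitem__)


def choose_root_port(candidates: list) -> str:
    """Pick the Root Port from (port, root path cost, neighbour Bridge ID) tuples:
    the lowest root path cost wins, and an equal cost is broken by the lower
    neighbour Bridge ID (the sender of the better BPDU)."""
    return min(candidates, key=lambda c: (c[1], c[2]))[0]


if __name__ == "__main__":
    # Constructed topology in the spirit of the S1..S4 example above (VLAN 1):
    # S1 is given the lowest BID; S3 and S4 carry the BIDs quoted in the notes.
    bids = {
        "S1": bridge_id(20480, 1, "0000.0000.0001"),
        "S2": bridge_id(32768, 1, "0000.0000.2222"),
        "S3": bridge_id(24576, 1, "5555.5555.5555"),
        "S4": bridge_id(24576, 1, "1111.1111.1111"),
    }
    print("root bridge:", elect_root(bids))                   # S1
    # S2 reaches S1 through S3 or S4 at the same cost (2 x 19 for Fast Ethernet)
    s2_ports = [("Fa0/1", 38, bids["S4"]), ("Fa0/2", 38, bids["S3"])]
    print("S2 root port:", choose_root_port(s2_ports))        # Fa0/1 (S4 has the lower BID)
    print(format_bid(bids["S4"]), format_bid(bridge_id(8192, 10, "0011.2233.4455")))
```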
Config PVST+
To create a Root Bridge there are 2 methods:
Method 1: (primary and secondary)
spanning-tree vlan 1 root primary
spanning-tree vlan 1 root secondary
Method 2: set the lowest priority
spanning-tree vlan 1 priority 24576

Note: priority 0 is guaranteed to be lower than the value primary sets


Enable PortFast

Config RAPID PVST


This is spanning-tree mode rapid-pvst

RSTP Port States:

There are only three port states left in RSTP that correspond to the three possible operational states.
The 802.1D disabled, blocking, and listening states are merged into the 802.1w discarding state.

* Discarding - the port does not forward frames, process received frames, or learn MAC addresses,
but it does listen for BPDUs (like the STP blocking state)
* Learning - receives and transmits BPDUs and learns MAC addresses but does not yet forward
frames (same as STP).
* Forwarding - receives and sends data, normal operation, learns MAC addresses, receives and
transmits BPDUs (same as STP).

STP State (802.1D)    RSTP State (802.1w)
Blocking              Discarding
Listening             Discarding
Learning              Learning
Forwarding            Forwarding
Disabled              Discarding

Although the learning state is also used in RSTP, it only lasts a short time compared
to STP. RSTP converges with all ports either in the forwarding state or the discarding state.

RSTP Quick Summary:

RSTP provides faster convergence than 802.1D STP when topology changes occur.
* RSTP defines three port states: discarding, learning, and forwarding.
* RSTP defines five port roles: root, designated, alternate, backup, and disabled.

Note: RSTP is backward compatible with legacy STP 802.1D. If a RSTP enabled port receives a
(legacy) 802.1d BPDU, it will automatically configure itself to behave like a legacy port. It sends and
receives 802.1d BPDUs only.

HSRP

In HSRP version 1, millisecond timer values are not advertised or learned. HSRP version 2 advertises
and learns millisecond timer values. This change ensures stability of the HSRP groups in all cases.
In HSRP version 1, group numbers are restricted to the range from 0 to 255. HSRP version 2 expands
the group number range from 0 to 4095.
HSRP version 2 provides improved management and troubleshooting. With HSRP version 1, you cannot
use HSRP active hello messages to identify which physical device sent the message because the source

Chapter LINK AGGREGATION (ETHERCHANNEL)


PAGP
LACP
S1
spanning-tree mode pvst
spanning-tree vlan 1 priority 24576
!
interface Port-channel 1
switchport mode trunk
!
interface Port-channel 2
interface FastEthernet0/21
switchport mode trunk
channel-group 1 mode desirable
!
interface FastEthernet0/22
switchport mode trunk
channel-group 1 mode desirable
!
interface GigabitEthernet0/1
switchport mode trunk
channel-group 2 mode active
!
interface GigabitEthernet0/2
switchport mode trunk
channel-group 2 mode active
S2
interface Port-channel 2
switchport mode trunk
!
interface Port-channel 3
switchport mode trunk

interface FastEthernet0/23
switchport mode trunk
channel-group 3 mode passive
!
interface FastEthernet0/24
switchport mode trunk
channel-group 3 mode passive
!
interface GigabitEthernet0/1
switchport mode trunk
channel-group 2 mode active
!
interface GigabitEthernet0/2
switchport mode trunk
channel-group 2 mode active

ETHERCHANNEL QUESTIONS


1.

With mode ON there is no protocol (neither PAgP nor LACP is used)

2. What is a requirement to configure a trunking EtherChannel between two switches?

Option 1: assign the same VLAN, or configure as trunk

Configuring EtherChannel:


1. Speed must be the same
2. Duplex must be the same
3. Trunk encapsulation must be the same
4. VLANs must be the same, and the allowed VLAN range must be the same
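An added example, not from these notes, that encodes the channel-group mode rules (on, desirable/auto, active/passive) and the member-port consistency requirements listed above. The port dictionaries and their attribute names are constructed, modelled on the S2 Fa0/23-24 configuration.

```python
PAGP_MODES = {"desirable", "auto"}
LACP_MODES = {"active", "passive"}
# Attributes every candidate member port must share before it can be bundled
MEMBER_ATTRIBUTES = ("speed", "duplex", "switchport_mode", "encapsulation", "allowed_vlans")


def channel_protocol(mode: str):
    """Return the negotiation protocol behind a channel-group mode ('on' has none)."""
    mode = mode.lower()
    if mode in PAGP_MODES:
        return "PAgP"
    if mode in LACP_MODES:
        return "LACP"
    if mode == "on":
        return None
    raise ValueError(f"unknown channel-group mode {mode!r}")


def modes_form_bundle(local: str, remote: str) -> bool:
    """Will the two ends' channel-group modes actually bring up the EtherChannel?"""
    local, remote = local.lower(), remote.lower()
    if "on" in (local, remote):
        return local == remote == "on"        # 'on' skips negotiation: both sides must be 'on'
    if channel_protocol(local) != channel_protocol(remote):
        return False                          # PAgP and LACP never negotiate with each other
    # auto/auto and passive/passive both wait forever; one side must initiate
    return bool({local, remote} & {"desirable", "active"})


def member_mismatches(ports: list) -> list:
    """Names of the attributes that differ across the candidate member ports."""
    return [attr for attr in MEMBER_ATTRIBUTES if len({p[attr] for p in ports}) > 1]


# Constructed sample ports (attribute names are this example's own, not IOS keywords)
S2_FA23 = {"name": "Fa0/23", "speed": 100, "duplex": "full", "switchport_mode": "trunk",
           "encapsulation": "dot1q", "allowed_vlans": "1-4094"}
S2_FA24 = dict(S2_FA23, name="Fa0/24")
S2_FA24_HALF = dict(S2_FA24, duplex="half", speed=10)   # misconfigured sibling port

if __name__ == "__main__":
    print(channel_protocol("on"))                          # None
    print(modes_form_bundle("desirable", "auto"))          # True
    print(modes_form_bundle("auto", "auto"))               # False
    print(modes_form_bundle("active", "desirable"))        # False
    print(member_mismatches([S2_FA23, S2_FA24]))           # []
    print(member_mismatches([S2_FA23, S2_FA24_HALF]))      # ['speed', 'duplex']
```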

Feature                          Default Setting
Channel groups                   None assigned.
Port-channel logical interface   None defined.
PAgP mode                        No default.
PAgP learn method                Aggregate-port learning on all ports.
PAgP priority                    128 on all ports.
LACP mode                        No default.
LACP learn method                Aggregate-port learning on all ports.
LACP port priority               32768 on all ports.
LACP system priority             32768.
LACP system ID                   LACP system priority and the switch or switch stack MAC address.
Load balancing                   Load distribution on the switch is based on the source-MAC address of the
                                 incoming packet.
Table 1-3 Default EtherChannel Configuration

Chapter PPPoE

PPPoE is composed of two main phases:

Active Discovery Phase - In this phase, the PPPoE client locates a PPPoE server, called an access
concentrator. During this phase, a Session ID is assigned and the PPPoE layer is established.
PPP Session Phase - In this phase, PPP options are negotiated and authentication is performed. Once
the link setup is completed, PPPoE functions as a Layer 2 encapsulation method, allowing data to be
transferred over the PPP link within PPPoE headers.

Configuring the PPPoE Client Username and Password


To configure the username and password used to authenticate the ASA to the access concentrator,
use the vpdn command. To use the vpdn command, you first define a VPDN group and then create
individual users within the group.
To configure a PPPoE username and password, perform the following steps:

Step 1 Define the VPDN group to be used for PPPoE using the following command:
hostname(config)# vpdn group group_name request dialout pppoe

In this command, replace group_name with a descriptive name for the group, such as pppoe-sbc.
Step 2 If your ISP requires authentication, select an authentication protocol by entering the following
command:
hostname(config)# vpdn group group_name ppp authentication {chap | mschap | pap}

Replace group_name with the same group name you defined in the previous step. Enter the
appropriate keyword for the type of authentication used by your ISP:
CHAP - Challenge Handshake Authentication Protocol
MS-CHAP - Microsoft Challenge Handshake Authentication Protocol Version 1
PAP - Password Authentication Protocol
Prerequisites for PPPoE on Ethernet

Before you can configure the PPPoE on Ethernet feature, you need to configure a
virtual private dialup network (VPDN) group using the accept dialin command, enable
PPPoE, and specify a virtual template for PPPoE sessions.

Chapter NETWORK LAYER (INTERNET PROTOCOL/IP)


IPv4

IPv4 Packet Header:

Version - Contains a 4-bit binary value identifying the IP packet version. For IPv4 packets, this field
is always set to 0100.

Differentiated Services (DS) - Formerly called the Type of Service (ToS) field, the DS field is an 8-
bit field used to determine the priority of each packet. The first 6 bits identify the Differentiated
Services Code Point (DSCP) value that is used by a quality of service (QoS) mechanism. The last 2
bits identify the explicit congestion notification (ECN) value that can be used to prevent dropped
packets during times of network congestion.

Time-to-Live (TTL) - Contains an 8-bit binary value that is used to limit the lifetime of a packet. It is
specified in seconds but is commonly referred to as hop count. The packet sender sets the initial
time-to-live (TTL) value and is decreased by one each time the packet is processed by a router, or
hop. If the TTL field decrements to zero, the router discards the packet and sends an Internet
Control Message Protocol (ICMP) Time Exceeded message to the source IP address.
The traceroute command uses this field to identify the routers used between the source and
destination.

Protocol - This 8-bit binary value indicates the data payload type that the packet is carrying, which
enables the network layer to pass the data to the appropriate upper-layer protocol. Common values
include ICMP (1), TCP (6), and UDP (17).

Source IP Address - Contains a 32-bit binary value that represents the source IP address of the
packet.

Destination IP Address - Contains a 32-bit binary value that represents the destination IP address
of the packet.
IPv6

A global unicast address has three parts:

Global routing prefix

Subnet ID

Interface ID

Global Routing Prefix

The global routing prefix is the prefix, or network, portion of the address that is assigned by the provider,
such as an ISP, to a customer or site. Currently, RIRs assign a /48 global routing prefix to customers.
This includes everyone from enterprise business networks to individual households. This is more than
enough address space for most customers.
Figure 2 shows the structure of a global unicast address using a /48 global routing prefix.

For example, the IPv6 address 2001:0DB8:ACAD::/48 has a prefix that indicates that the first 48 bits (3
hextets) (2001:0DB8:ACAD) is the prefix or network portion of the address. The double colon (::) prior to
the /48 prefix length means the rest of the address contains all 0s.

Subnet ID

The Subnet ID is used by an organization to identify subnets within its site.

Interface ID

The IPv6 Interface ID is equivalent to the host portion of an IPv4 address. The term Interface ID is used
because a single host may have multiple interfaces, each having one or more IPv6 addresses.

Note: Unlike IPv4, in IPv6, the all-0s and all-1s host addresses can be assigned to a device. The all-1s
address can be used due to the fact that broadcast addresses are not used within IPv6. The all-0s
address can also be used but is reserved as a Subnet-Router anycast address, and should be assigned
only to routers.

An easy way to read most IPv6 addresses is to count the number of hextets. As shown in Figure 3, in a
/64 global unicast address the first four hextets are for the network portion of the address, with the fourth
hextet indicating the Subnet ID.
Hextet:  1  2  3  4  5  6  7  8

Hextets 1, 2, 3 = Global routing prefix

Hextet 4 = Subnet ID

Hextets 5, 6, 7, 8 = Interface ID

IPv6 address types


Unique Local Address / Private Address   FC00::/7
Link-Local                               FE80::/10
Loopback Address                         ::1/128
Multicast                                FF00::/8
Site-local scoped                        FEC0::/10

Ipv6 Packet Header

The fields in the IPv6 packet header include:

Version - This field contains a 4-bit binary value identifying the IP packet version. For IPv6 packets,
this field is always set to 0110.

Traffic Class - This 8-bit field is equivalent to the IPv4 Differentiated Services (DS) field. It also
contains a 6-bit Differentiated Services Code Point (DSCP) value used to classify packets and a 2-
bit Explicit Congestion Notification (ECN) used for traffic congestion control.

Flow Label - This 20-bit field provides a special service for real-time applications. It can be used to
inform routers and switches to maintain the same path for the packet flow so that packets are not
reordered.

Payload Length - This 16-bit field is equivalent to the Total Length field in the IPv4 header. It
defines the entire packet (fragment) size, including header and optional extensions.
Next Header - This 8-bit field is equivalent to the IPv4 Protocol field. It indicates the data payload
type that the packet is carrying, enabling the network layer to pass the data to the appropriate
upper-layer protocol. This field is also used if there are optional extension headers added to the
IPv6 packet.

Hop Limit - This 8-bit field replaces the IPv4 TTL field. This value is decremented by one by each
router that forwards the packet. When the counter reaches 0 the packet is discarded and an ICMPv6
message is forwarded to the sending host, indicating that the packet did not reach its destination.

Source Address - This 128-bit field identifies the IPv6 address of the sending host.

Destination Address - This 128-bit field identifies the IPv6 address of the receiving host.
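An added example, not from these notes, that packs and decodes the IPv4 and IPv6 header fields described above (Version, DS/Traffic Class split into DSCP and ECN, TTL/Hop Limit, Protocol/Next Header, Flow Label, addresses) and splits a global unicast address into the three parts from the hextet table. The sample addresses and helper names are constructed, and the IPv4 checksum is left at zero.

```python
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte fixed IPv4 header (no options)
IPV6_FMT = "!IHBB16s16s"     # 40-byte IPv6 header


def build_ipv4_header(src: str, dst: str, ttl: int, protocol: int,
                      dscp: int = 0, ecn: int = 0, payload_len: int = 0) -> bytes:
    """Pack a minimal IPv4 header; the checksum is left at 0 for this demo."""
    ver_ihl = (4 << 4) | 5                 # Version 0100 + IHL of 5 words (20 bytes)
    ds = (dscp << 2) | ecn                 # DS field = 6-bit DSCP followed by 2-bit ECN
    return struct.pack(IPV4_FMT, ver_ihl, ds, 20 + payload_len, 0, 0, ttl, protocol, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4(header: bytes) -> dict:
    """Pull out the fields the notes describe: Version, DS (DSCP/ECN), TTL, Protocol, addresses."""
    ver_ihl, ds, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, header[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError(f"not IPv4: version field is {ver_ihl >> 4}")
    return {"version": 4, "ihl_bytes": (ver_ihl & 0xF) * 4, "dscp": ds >> 2, "ecn": ds & 0x3,
            "total_length": total_len, "ttl": ttl, "protocol": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst))}


def forward_ipv4(header: bytes):
    """Simulate one router hop: decrement TTL, or discard the packet when it would reach 0
    (a real router then sends ICMP Time Exceeded back to the source address)."""
    ttl = header[8]
    if ttl <= 1:
        return None
    out = bytearray(header)
    out[8] = ttl - 1                       # a real router also updates the header checksum
    return bytes(out)


def build_ipv6_header(src: str, dst: str, hop_limit: int, next_header: int,
                      traffic_class: int = 0, flow_label: int = 0, payload_len: int = 0) -> bytes:
    """Pack an IPv6 header: 4-bit Version, 8-bit Traffic Class, 20-bit Flow Label, then the rest."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return struct.pack(IPV6_FMT, first_word, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def parse_ipv6(header: bytes) -> dict:
    """Decode the IPv6 fields listed above; Traffic Class is split into DSCP and ECN like IPv4 DS."""
    first_word, payload_len, next_hdr, hop_limit, src, dst = struct.unpack(IPV6_FMT, header[:40])
    if first_word >> 28 != 6:
        raise ValueError(f"not IPv6: version field is {first_word >> 28}")
    traffic_class = (first_word >> 20) & 0xFF
    return {"version": 6, "traffic_class": traffic_class, "dscp": traffic_class >> 2,
            "ecn": traffic_class & 0x3, "flow_label": first_word & 0xFFFFF,
            "payload_length": payload_len, "next_header": next_hdr, "hop_limit": hop_limit,
            "src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst))}


def split_global_unicast(addr: str) -> tuple:
    """Split a /64 global unicast address by hextets: 1-3 global routing prefix (/48),
    4 Subnet ID, 5-8 Interface ID, as in the hextet table above."""
    hextets = ipaddress.IPv6Address(addr).exploded.split(":")
    return ":".join(hextets[:3]), hextets[3], ":".join(hextets[4:])


# Constructed sample headers (the IPv4 addresses are the ones used in the NAT chapter above)
SAMPLE_IPV4 = build_ipv4_header("192.168.10.254", "209.165.201.5", ttl=64, protocol=6, dscp=46)
SAMPLE_IPV6 = build_ipv6_header("2001:db8:acad:1::10", "2001:db8:acad:2::20",
                                hop_limit=64, next_header=17, flow_label=0xABCDE)

if __name__ == "__main__":
    print(parse_ipv4(SAMPLE_IPV4))
    print(parse_ipv4(forward_ipv4(SAMPLE_IPV4))["ttl"])     # 63 after one hop
    print(parse_ipv6(SAMPLE_IPV6))
    print(split_global_unicast("2001:db8:acad:1::10"))
```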

Chapter Wireless WLAN

Security :

Two types of authentication were introduced with the original 802.11 standard:

Open system authentication - Any wireless client should easily be able to connect, and should
only be used in situations where security is of no concern, such as in locations providing free
Internet access like cafes, hotels, and in remote areas.

Shared key authentication - Provides mechanisms, such as WEP, WPA, or WPA2 to authenticate
and encrypt data between a wireless client and AP. However, the password must be pre-shared
between both parties to connect.

Three shared key authentication techniques are available:

Wired Equivalent Privacy (WEP) - Original 802.11 specification designed to provide privacy similar
to connecting to a network using a wired connection. The data is secured using the RC4 encryption
method with a static key. However, the key never changes when exchanging packets making it easy
to hack.

Wi-Fi Protected Access (WPA) - A Wi-Fi Alliance standard that uses WEP, but secures the data
with the much stronger Temporal Key Integrity Protocol (TKIP) encryption algorithm. TKIP changes
the key for each packet making it much more difficult to hack.

IEEE 802.11i/WPA2 - IEEE 802.11i is the industry standard for securing wireless networks. The Wi-
Fi Alliance version is called WPA2. 802.11i and WPA2 both use the Advanced Encryption Standard
(AES) for encryption. AES is currently considered the strongest encryption protocol.

Encryption Methods

Temporal Key Integrity Protocol (TKIP) - TKIP is the encryption method used by WPA. It provides
support for legacy WLAN equipment by addressing the original flaws associated with the 802.11
WEP encryption method. It makes use of WEP, but encrypts the Layer 2 payload using TKIP, and
carries out a Message Integrity Check (MIC) in the encrypted packet to ensure the message has not
been tampered with.
Advanced Encryption Standard (AES) - AES is the encryption method used by WPA2. It is the
preferred method because it aligns with the industry standard IEEE 802.11i. AES performs the same
functions as TKIP, but it is a far stronger method of encryption. It uses the Counter Cipher Mode
with Block Chaining Message Authentication Code Protocol (CCMP) that allows destination hosts to
recognize if the encrypted and non-encrypted bits have been tampered with.

WPA and WPA2 support two types of authentication:

Personal - Intended for home or small office networks, users authenticate using a pre-shared key
(PSK). Wireless clients authenticate with the AP using a pre-shared password. No special
authentication server is required.

Enterprise - Intended for enterprise networks but requires a Remote Authentication Dial-In User
Service (RADIUS) authentication server. Although more complicated to set up, it provides additional
security. The device must be authenticated by the RADIUS server and then users must authenticate
using 802.1X standard, which uses the Extensible Authentication Protocol (EAP) for authentication.

Chapter Secure Site to Site Connectivity


VPN
There are 2 types of VPN:
1. Site-to-site VPN (e.g. GRE tunnel)
2. Remote access VPN (e.g. IPsec)

Site to Site VPN

A site-to-site VPN is created when devices on both sides of the VPN connection are aware of the VPN
configuration in advance, as shown in the figure. The VPN remains static, and internal hosts have no
knowledge that a VPN exists. In a site-to-site VPN, end hosts send and receive normal TCP/IP traffic
through a VPN gateway. The VPN gateway is responsible for encapsulating and encrypting outbound
traffic for all traffic from a particular site. The VPN gateway then sends it through a VPN tunnel over the
Internet to a peer VPN gateway at the target site. Upon receipt, the peer VPN gateway strips the headers,
decrypts the content, and relays the packet toward the target host inside its private network.
Remote-access VPNs

Where a site-to-site VPN is used to connect entire networks, a remote-access VPN supports the needs of
telecommuters, mobile users, and extranet, consumer-to-business traffic. A remote-access VPN is
created when VPN information is not statically set up, but instead allows for dynamically changing
information, and can be enabled and disabled. Remote-access VPNs support a client/server architecture,
where the VPN client (remote host) gains secure access to the enterprise network via a VPN server
device at the network edge.

IPSec

IPsec is not bound to any specific encryption, authentication, security algorithms, or keying technology.
Rather, IPsec relies on existing algorithms to implement secure communications. IPsec allows newer and
better algorithms to be implemented without amending the existing IPsec standards.

IPsec works at the network layer, protecting and authenticating IP packets between participating IPsec
devices, also known as peers.

IPsec is a framework of open standards that is algorithm-independent.

IPsec provides data confidentiality, data integrity, and origin authentication.

IPsec acts at the network layer, protecting and authenticating IP packets.

Critical functions: CIAA

1. Confidentiality
2. Data integrity
3. Authentication
4. Anti-replay protection

Here is a synopsis for symmetric algorithms:

Uses symmetric key cryptography


Encryption and decryption use the same key

Typically used to encrypt the content of the message

Examples: DES, 3DES, and AES

Here is a synopsis for asymmetric algorithms:

Uses public key cryptography

Encryption and decryption use a different key

Typically used in digital certification and key management

Examples: RSA

7.3.2.4 Integrity with Hash Algorithms

A hash, also called a message digest, is a number that is generated from a string of text. The
hash is smaller than the text itself. It is generated by using a formula in such a way that it is
extremely unlikely that some other text will produce the same hash value.
A hash is text turned into a number of bits.

There are two common HMAC algorithms:

MD5 - Uses a 128-bit shared secret key. (1 character = 128 bits) The variable-length message and
128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The
output is a 128-bit hash. The hash is appended to the original message and forwarded to the remote
end.

SHA - SHA-1 uses a 160-bit secret key. The variable-length message and the 160-bit shared secret
key are combined and run through the HMAC-SHA1 hash algorithm. The output is a 160-bit hash.
The hash is appended to the original message and forwarded to the remote end.

Note: Cisco IOS also supports 256-bit, 384-bit, and 512-bit SHA implementations.
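An added example (not from these notes) of the append-and-verify HMAC flow described above, using Python's hmac module with a 160-bit key for HMAC-SHA1 and a 128-bit key for HMAC-MD5; the key and the message are constructed, and the receiver side shows why a tampered message or a mismatched secret is rejected.

```python
import hashlib
import hmac
import os


def hmac_tag(key: bytes, message: bytes, algo: str = "sha1") -> bytes:
    """HMAC of the message under the shared secret; algo is any hashlib name (md5, sha1, sha256...)."""
    return hmac.new(key, message, algo).digest()


def seal(key: bytes, message: bytes, algo: str = "sha1") -> bytes:
    """What the sending peer does: append the HMAC to the original message."""
    return message + hmac_tag(key, message, algo)


def open_sealed(key: bytes, sealed: bytes, algo: str = "sha1"):
    """What the receiving peer does: split off the tag, recompute it with its own copy of
    the shared secret, and accept the message only if both tags match.
    Returns the message, or None if the message or the tag was altered in transit."""
    tag_len = hashlib.new(algo).digest_size
    if len(sealed) < tag_len:
        return None
    message, tag = sealed[:-tag_len], sealed[-tag_len:]
    # compare_digest takes the same time whichever byte differs first (no timing leak)
    if hmac.compare_digest(tag, hmac_tag(key, message, algo)):
        return message
    return None


def tamper(sealed: bytes, index: int = 0) -> bytes:
    """Flip one bit in the sealed buffer, simulating an in-transit modification."""
    out = bytearray(sealed)
    out[index] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    key = os.urandom(20)                                   # constructed 160-bit shared secret
    sealed = seal(key, b"hello from peer A", "sha1")
    print(open_sealed(key, sealed, "sha1"))                # b'hello from peer A'
    print(open_sealed(key, tamper(sealed), "sha1"))        # None: message changed, tag no longer matches
    print(open_sealed(os.urandom(20), sealed, "sha1"))     # None: receiver holds a different secret
    print(len(hmac_tag(b"k" * 16, b"msg", "md5")) * 8)     # 128 (bits in an HMAC-MD5 tag)
```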

There are two peer authentication methods:

PSK - A secret key that is shared between the two parties using a secure channel before it needs to
be used. Pre-shared keys (PSKs) use symmetric key cryptographic algorithms. A PSK is entered
into each peer manually and is used to authenticate the peer. At each end, the PSK is combined
with other information to form the authentication key.

RSA signatures - Digital certificates are exchanged to authenticate peers. The local device derives
a hash and encrypts it with its private key. The encrypted hash, or digital signature, is attached to
the message and forwarded to the remote end. At the remote end, the encrypted hash is decrypted
using the public key of the local end. If the decrypted hash matches the recomputed hash, the
signature is genuine.
Chapter Monitoring Network

SYSLOG
Syslog uses UDP port 514 to send event notification messages across

Syslog characteristics:
1. Syslog messages are stored in internal memory, then sent to the SNMP server
2. Syslog messages are erased when the device reboots
3. Syslog messages are enabled by default

Feature                                  Default Setting
System message logging to the console    Enabled
Console severity                         Debugging (and numerically lower levels; see Table 3)
Logging buffer size                      4096 bytes
Logging history size                     1 message
Time stamps                              Disabled
Synchronous logging                      Disabled
Logging server                           Disabled
Syslog server IP address                 None configured
Server facility                          Local7 (see Table 4)
Server severity                          Informational (and numerically lower levels; see Table 3)
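An added example, not from these notes, that decodes the PRI header of syslog messages (facility * 8 + severity, with the local7 default facility = 23) and applies the server severity default from the table above, forwarding only messages at the informational level or a numerically lower one. The sample lines are constructed.

```python
import re

# Severity levels 0..7 as IOS names them ("informational and numerically lower levels" = 0..6)
SEVERITY_NAMES = ("emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging")
# Facility numbers: local0..local7 are 16..23; the default server facility local7 is 23
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, the number inside <...> at the start of a syslog message."""
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Inverse of encode_pri: (facility, severity)."""
    return pri // 8, pri % 8


def parse_syslog(line: str) -> dict:
    """Split a raw syslog line into PRI, facility, severity and the message body."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> header in {line!r}")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "facility_name": FACILITY_NAMES.get(facility, str(facility)),
            "severity": severity, "severity_name": SEVERITY_NAMES[severity], "message": m.group(2)}


def forwarded_to_server(lines: list, trap_level: str = "informational") -> list:
    """Apply the server severity rule: only messages at the trap level or a numerically
    lower (more serious) level are sent to the syslog server."""
    limit = SEVERITY_NAMES.index(trap_level)
    return [parse_syslog(l)["message"] for l in lines if parse_syslog(l)["severity"] <= limit]


# Constructed sample lines as a router would emit them to a server (facility local7 = 23)
SAMPLE_LINES = [
    "<189>Jan  5 10:00:01 R1: %SYS-5-CONFIG_I: Configured from console by console",
    "<191>Jan  5 10:00:02 R1: debug output sample (constructed)",
    "<187>Jan  5 10:00:03 R1: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_syslog(line)
        print(f"{f['facility_name']}.{f['severity_name']}: {f['message']}")
    print(len(forwarded_to_server(SAMPLE_LINES)))                 # 2 (debugging is filtered out)
    print(len(forwarded_to_server(SAMPLE_LINES, "debugging")))    # 3
```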

SNMP
SNMPv2c
- SNMPv2c is the community string-based administrative framework for SNMPv2
- The community string is a type of password, which is transmitted in cleartext
- The community of SNMP managers that are able to access the agent MIB is defined by an IP
address access control list (ACL) and password
- Default values do not exist for authentication or privacy algorithms
- The minimum length for a password is one character, although we recommend that you use at
least eight characters for security
- You can specify either a plain text password or a localized Message Digest 5 (MD5) digest.
- Before you configure remote users for a particular agent, configure the SNMP engine ID by using
the snmp-server engineID command for the remote agent. The SNMP engine ID of the remote
agent is required to compute the authentication or privacy digests for the SNMP password.

Configure :
1. enable
2. show snmp group
3. show snmp user [username]
4. show snmp engineID

Verify SNMPv2c
show snmp group => Displays information about each SNMP group in the network.
show snmp user => Displays information about configured characteristics of an SNMP user.

show snmp engineID

SNMPv3
Almost the same as SNMPv2, except the password is encrypted.
The security features provided in SNMPv3 are as follows:
Message integrity - Ensures that a packet has not been tampered with during transit.
Authentication - Determines that the message is from a valid source.
Encryption - Scrambles the content of a packet to prevent it from being learned by an unauthorized
source.

Configure SNMPv3
Device(config)# snmp-server group group1 v3 noauth
Device(config)# snmp-server user remoteuser1 group1 remote 10.12.8.4
Device(config)# snmp-server host 10.12.8.4 informs version 3 noauth remoteuser config
Chapter IOS QoS
Traffic Shaping and Policing

Policers and shapers usually identify traffic descriptor violations in an identical manner. They usually
differ, however, in the way they respond to violations, for example:

A policer typically drops traffic. (For example, the CAR rate-limiting policer will either drop the packet
or rewrite its IP precedence, resetting the type of service bits in the packet header.)

A shaper typically delays excess traffic using a buffer, or queueing mechanism, to hold packets and
shape the flow when the data rate of the source is higher than expected. (For example, GTS and Class-
Based Shaping use a weighted fair queue to delay packets in order to shape the flow, and DTS and FRTS
use either a priority queue, a custom queue, or a FIFO queue for the same, depending on how you
configure it.)

Chapter Network Virtualization

Cisco Network Virtualization Architecture

The concept of virtualization is not new and has been employed since the days of mainframe computers.
It has been widely deployed as part of data center network designs and is seeing increasing adoption in
campus networks. Network services virtualization within the campus helps IT focus on providing a
unique set of policies to different network segments without having to deploy dedicated service nodes.
Network virtualization architecture has three main components (Figure 2):

Network access control and segmentation of classes of users: Users are authenticated and either
allowed or denied into a logical partition. Users are segmented into employees, contractors and
consultants, and guests, with respective access to IT assets. This component identifies users who are
authorized to access the network and then places them into the appropriate logical partition.

Path isolation: Network isolation is preserved across the entire enterprise: from the edge to the
campus to the WAN and back again. This component maintains traffic partitioned over a routed
infrastructure and transports traffic over and between isolated partitions. The function of mapping
isolated paths to VLANs and to virtual services is also performed in this component.

Network Services virtualization: This component provides access to shared or dedicated network
services such as security, quality of service (QoS), and address management (Dynamic Host
Configuration Protocol [DHCP] and Domain Name System [DNS]). It also applies policy per partition and
isolates application environments, if required.

Chapter WAN

The following are short descriptions of each type of WAN protocol:

HDLC - The default encapsulation type on point-to-point connections, dedicated links, and circuit-
switched connections when the link uses two Cisco devices. HDLC is now the basis for synchronous
PPP used by many servers to connect to a WAN, most commonly the Internet.

PPP - Provides router-to-router and host-to-network connections over synchronous and
asynchronous circuits. PPP works with several network layer protocols, such as IPv4 and IPv6. PPP
uses the HDLC encapsulation protocol, but also has built-in security mechanisms such as PAP and
CHAP.

Serial Line Internet Protocol (SLIP) - A standard protocol for point-to-point serial connections
using TCP/IP. SLIP has been largely displaced by PPP.

X.25/Link Access Procedure, Balanced (LAPB) - An ITU-T standard that defines how connections
between a DTE and DCE are maintained for remote terminal access and computer communications
in public data networks. X.25 specifies LAPB, a data link layer protocol. X.25 is a predecessor to
Frame Relay.

Frame Relay - An industry standard, switched, data link layer protocol that handles multiple virtual
circuits. Frame Relay is a next generation protocol after X.25. Frame Relay eliminates some of the
time-consuming processes (such as error correction and flow control) employed in X.25.

ATM - The international standard for cell relay in which devices send multiple service types, such as
voice, video, or data, in fixed-length (53-byte) cells. Fixed-length cells allow processing to occur in
hardware; thereby, reducing transit delays. ATM takes advantage of high-speed transmission media
such as E3, SONET, and T3.

3.1.1.8 DTE-DCE

From the point of view of connecting to the WAN, a serial connection has a DTE device at one end of the
connection and a DCE device at the other end. The connection between the two DCE devices is the WAN
service provider transmission network, as shown in the figure. In this example:

The DTE could also be a terminal, computer, printer, or fax machine if they connect directly to the
service provider network, or the router at the customer's premises

The DCE, commonly a modem or CSU/DSU, is the device used to convert the user data from the
DTE into a form acceptable to the WAN service provider transmission link. This signal is received at
the remote DCE, which decodes the signal back into a sequence of bits. The remote DCE then
signals this sequence to the remote DTE.

- The CSU/DSU converts the digital signal for the service provider's transmission link

- The modem converts the digital signal on the customer side

HDLC Encapsulation (High-Level Data Link Control)

- HDLC is the Layer 2 protocol for serial links and is Cisco's standard serial-link encapsulation, so when
connecting Cisco devices to each other there is no need for PPP, because the standard encapsulation is HDLC
- HDLC is actually the default protocol on all Cisco serial interfaces. If you do a show running-config on
a Cisco router, your serial interfaces (by default) won't have any encapsulation. This is because they
are configured to the default of HDLC. If you do a show interface serial 0/0

PPP Operation
Used when there is a need to connect to a non-Cisco router; PPP encapsulation should then be
used

PPP contains three main components:

HDLC-like framing for transporting multiprotocol packets over point-to-point links.

Extensible Link Control Protocol (LCP) for establishing, configuring, and testing the data-link
connection. LCP = Layer 2

Family of Network Control Protocols (NCPs) for establishing and configuring different network layer
protocols. PPP allows the simultaneous use of multiple network layer protocols. Some of the more
common NCPs are Internet Protocol (IPv4) Control Protocol, IPv6 Control Protocol, AppleTalk
Control Protocol, Novell IPX Control Protocol, Cisco Systems Control Protocol, SNA Control
Protocol, and Compression Control Protocol. NCP = Layer 3

PPP Sessions

There are three phases of establishing a PPP session, as shown in the figure:
Phase 1: Link establishment and configuration negotiation - Before PPP exchanges any
network layer datagrams, such as IP, the LCP must first open the connection and negotiate
configuration options. This phase is complete when the receiving router sends a configuration-
acknowledgment frame back to the router initiating the connection.

Phase 2: Link quality determination (optional) - The LCP tests the link to determine whether the
link quality is sufficient to bring up network layer protocols. The LCP can delay transmission of
network layer protocol information until this phase is complete.

Phase 3: Network layer protocol configuration negotiation - After the LCP has finished the link
quality determination phase, the appropriate NCP can separately configure the network layer
protocols, and bring them up and take them down at any time. If the LCP closes the link, it informs
the network layer protocols so that they can take appropriate action.

3.3.1.2 PPP Basic Configuration

PPP may include the following LCP options:

Authentication - Peer routers exchange authentication messages. Two authentication choices are
Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol
(CHAP).

Compression - Increases the effective throughput on PPP connections by reducing the amount of
data in the frame that must travel across the link. The protocol decompresses the frame at its
destination. Two compression protocols available in Cisco routers are Stacker and Predictor.

Error detection - Identifies fault conditions. The Quality and Magic Number options help ensure a
reliable, loop-free data link. The Magic Number field helps in detecting links that are in a looped-
back condition. Until the Magic-Number Configuration Option has been successfully negotiated, the
Magic-Number must be transmitted as zero. Magic numbers are generated randomly at each end of
the connection.

PPP Callback - PPP callback is used to enhance security. With this LCP option, a Cisco router can
act as a callback client or a callback server. The client makes the initial call, requests that the server
call it back, and terminates its initial call. The callback router answers the initial call and makes the
return call to the client based on its configuration statements. The command is ppp
callback [accept | request].

Multilink - This alternative provides load balancing over the router interfaces that PPP uses.
Multilink PPP, also referred to as MP, MPPP, MLP, or Multilink, provides a method for spreading
traffic across multiple physical WAN links while providing packet fragmentation and reassembly,
proper sequencing, multivendor interoperability, and load balancing on inbound and outbound traffic.

R3# configure terminal

R3(config)# interface serial 0/0/0

R3(config-if)# encapsulation ppp

R3(config-if)# compress [predictor | stac]

R3(config-if)# ppp quality 80


PPP Authentication
Password Authentication Protocol (PAP)

PAP is not a strong authentication protocol. Using PAP, passwords are sent across the link in plaintext.

Configuring CHAP Authentication
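As an added example (not part of the original notes and not Cisco's code), a Python model of the CHAP exchange that PPP's authentication LCP option negotiates, with the PAP request beside it to show why PAP is weak: CHAP follows RFC 1994 (MD5 over Identifier, secret and Challenge), the secret is never sent, and a used Identifier cannot be replayed. The router names and the shared secret in the test are constructed values.

```python
import hashlib
import secrets

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP: Response = MD5(Identifier || Secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Router that sends the Challenge and checks the Response (e.g. R3)."""
    def __init__(self, peer_secrets: dict) -> None:
        self.peer_secrets = peer_secrets  # peer hostname -> shared secret
        self.outstanding = {}             # Identifier -> Challenge value
        self.next_id = 0

    def challenge(self) -> tuple:
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = secrets.token_bytes(16)   # fresh random value each time
        self.outstanding[ident] = value
        return ident, value

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        value = self.outstanding.pop(ident, None)  # single use: replay fails
        secret = self.peer_secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(ident, secret, value)
        return secrets.compare_digest(expected, response)

class ChapPeer:
    """Router answering the Challenge; its secret never leaves the box."""
    def __init__(self, name: str, secret: bytes) -> None:
        self.name, self.secret = name, secret

    def respond(self, ident: int, value: bytes) -> tuple:
        return ident, self.name, chap_response(ident, self.secret, value)

def pap_request(name: str, password: str) -> bytes:
    """PAP Authenticate-Request payload: the password is sent in cleartext."""
    return (bytes([len(name)]) + name.encode()
            + bytes([len(password)]) + password.encode())

def run_chap(server: ChapAuthenticator, peer: ChapPeer) -> bool:
    """One Challenge -> Response -> Success/Failure exchange."""
    ident, value = server.challenge()
    return server.verify(*peer.respond(ident, value))
```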


Multilink PPP

The Multilink PPP feature provides load balancing functionality over multiple WAN links while
providing multivendor interoperability and support for packet fragmentation, proper sequencing,
and load calculation on both inbound and outbound traffic.

Multilink PPP allows packets to be fragmented (split into pieces) and the fragments to be sent at the
same time over multiple point-to-point links to the same remote address. Multiple links come up
in response to a defined dialer load threshold. Multilink PPP can work over synchronous and
asynchronous serial types of single or multiple interfaces that have been configured to support
both dial-on-demand rotary groups and PPP encapsulation.

Multilink PPP Bundles

Multilink PPP combines multiple physical links into a logical bundle called a Multilink PPP
bundle. A Multilink PPP bundle is a single, virtual interface that connects to the peer system.
Having a single interface (Multilink PPP bundle interface) provides a single point to apply
hierarchical queueing, shaping, and policing to traffic flows.
Multilink PPP Bundles and PPP Links

Multilink PPP works with fully functional PPP interfaces. A Multilink PPP bundle can have
multiple links connecting peer devices. These links can be serial links or broadband links
(Ethernet or ATM). As long as each link behaves like a standard serial interface, mixed links
work properly in a bundle.

To designate a link to a specified bundle, use the ppp multilink group command for configuring
the link. This command restricts the link to join only the specified bundle. When a link
negotiates to join a Multilink PPP bundle, the link must provide proper identification that is
associated with the Multilink PPP bundle.

When you configure the ppp multilink group command on a link, the command applies the
following restrictions on the link:

The link is not allowed to join any bundle other than the indicated group interface.

The PPP session must be terminated if the peer device attempts to join a different bundle.

Multilink PPP bundle interfaces can be one of the following types:


Multilink group interfaces

Virtual access interfaces (VAIs)

Configuring MPPP requires two steps, as shown in the figure.

Step 1. Create a multilink bundle.

The interface multilink number command creates the multilink interface.

In interface configuration mode, an IP address is assigned to the multilink interface. In this example,
both IPv4 and IPv6 addresses are configured on routers R3 and R4.

The interface is enabled for multilink PPP.

The interface is assigned a multilink group number.

Step 2. Assign interfaces to the multilink bundle.

Each interface that is part of the multilink group:

Is enabled for PPP encapsulation.

Is enabled for multilink PPP.

Is bound to the multilink bundle using the multilink group number configured in Step 1.

To disable PPP multilink, use the no ppp multilink command.


Chapter Management Interface (In Band and Out of Band)

Believe it or not, one of the first things to think about when configuring a new network is management,
primarily because network management typically is the last thing to be thought of when the network is
implemented, and seemingly one of the most tedious things to change or improve after the network is
operational. One item to consider is how to handle remote access to the switch. Catalyst switches
support both in-band and out-of-band management. In-band management interfaces are connected to
the switching fabric and participate in all the functions of a switchport including spanning tree, Cisco
Discovery Protocol (CDP), and VLAN assignment. Out-of-band management interfaces are not connected
to the switching fabric and do not participate in any of these functions.

Out-of-band management is achieved initially through the serial console port on the Supervisor module.
Each Catalyst switch ships with the appropriate console cable and connectors to connect to a host such
as a Windows workstation or terminal server. Consult the Catalyst documentation at Cisco.com to
determine the kind of connectors and cables appropriate for each platform. After a physical connection
is made between the console port on a Catalyst switch and a serial port on a workstation or terminal
server, the administrator has full access to the switch for configuration. At this point, the administrator
can assign an IP address to either an out-of-band management (sl0) interface via the Serial Line Internet
Protocol (SLIP), a predecessor to the Point-to-Point Protocol (PPP), or assign an IP address to an in-band
management interface (sc0 or sc1). Supervisors for the Catalyst 4500 series switches offer an additional
out-of-band management interface via a 10 Mbps or 10/100 Mbps Ethernet interface (me1) depending
on the Supervisor model.

The choice between out-of-band and in-band management is often not an easy one because each has its
pros and cons. An in-band management connection is the easiest to configure and the most cost
effective because management traffic rides the same infrastructure as user data. Downsides to in-band
management include a potential for switches to be isolated and unmanageable if connectivity to the site
or individual device is lost, for example in a spanning-tree loop or if fiber connections are cut
accidentally. In addition, if the management interface is assigned to a VLAN that has other ports as
members, any broadcast or multicast traffic on that VLAN is seen by the management interface and
must be processed by the supervisor.

As the speed of processors has improved with newer supervisors, the risk of overwhelming a supervisor
with broadcast/multicast traffic has declined somewhat, but has not been eliminated completely. With
these drawbacks to in-band management, why doesn't everyone just use out-of band management? The
answer is simple: time and money. Out-of-band management requires a secondary infrastructure to be
built out around the devices such as terminal servers, switches, and modems. The benefit of an out-of-
band management solution is that it offers a completely separate method of connecting to the devices
for management that does not rely upon a properly functioning data infrastructure to work.
At the headquarters, an out-of-band (OOB) management network is implemented by using dedicated
switches that are independent and physically separate from the data network. Routers, switches,
and other network devices connect to the OOB network through dedicated management interfaces.
The OOB network hosts console servers, network management stations, AAA servers, analysis and
correlation tools, NTP, FTP, syslog servers, and any other management and control services. A
single OOB management network may serve all the modules at a single location.

In the Internet edge, devices outside the edge firewalls are managed in-band, using the same
physical and logical infrastructure as the data traffic. The edge firewalls are responsible for securing
the OOB network by permitting control and management connections only from the expected
devices. Connecting the outer switches or the edge routers directly to the OOB network is highly
discouraged, as it would allow the firewall protection to be bypassed. Devices residing at the
branches are also managed in-band, over a secure VPN connection across the Internet.

The branches are also managed in-band over the private WAN connection. In this case, the WAN
edge routers may provide connectivity to the OOB network in a controlled manner. Access should be
granted only for the administrative IP addresses of the branch equipment, and for the necessary
protocols and ports.

Chapter NTP
Allows network devices to synchronize their date and clock with the current time
- NTP version 4 is defined in RFC 5905
- Runs over UDP port 123
- Operates in unicast (default), multicast, and broadcast modes
- Supports only MD5 for authentication
NTP roles:
- NTP server
- NTP client: receives time information from the NTP server

Accurate time on network devices is required for:

1. Digital certificate validation
2. Logging with accurate timestamps
3. Time-based traffic restrictions (such as time-based ACLs)

Verify whether the time is synchronized:
- show ntp status
Verify whether the time source is authenticated:
- show ntp associations detail

The Network Time Protocol (NTP) synchronizes the time of day among a set of distributed time servers
and clients so that you can correlate events when you receive system logs and other time-specific events
from multiple network devices. NTP uses the User Datagram Protocol (UDP) as its transport protocol. All
NTP communications use Coordinated Universal Time (UTC).
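As an added example (not from the original notes and not Cisco's implementation), Python that builds a minimal NTPv4 client packet and appends and checks the MD5 MAC that RFC 5905 defines (key ID followed by MD5 over the key and the packet), which is what the MD5 authentication noted above provides; the trusted_keys mapping plays the role of the router's ntp authentication-key / ntp trusted-key configuration. The key ID and key string in the test are constructed values.

```python
import hashlib
import secrets
import struct

NTP_HEADER_LEN = 48
NTP_MAC_LEN = 4 + 16                  # 32-bit key ID + 128-bit MD5 digest
NTP_EPOCH_OFFSET = 2208988800         # seconds from 1900-01-01 to 1970-01-01

def ntp_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus 32-bit fraction."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac)

def build_client_packet(transmit_unix: float) -> bytes:
    """Minimal NTPv4 mode 3 (client) header, 48 bytes, timestamps in UTC."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3                  # LI=0, version 4, mode 3
    header = struct.pack("!BBBb", li_vn_mode, 0, 6, -20)  # stratum, poll, precision
    header += bytes(12)                                   # root delay, dispersion, ref ID
    header += bytes(24)                                   # reference/originate/receive ts
    header += ntp_timestamp(transmit_unix)                # transmit timestamp
    return header

def ntp_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """RFC 5905 MD5 MAC: key ID followed by MD5(key || NTP header)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

def sign_packet(key_id: int, key: bytes, header: bytes) -> bytes:
    return header + ntp_mac(key_id, key, header)

def verify_packet(packet: bytes, trusted_keys: dict) -> bool:
    """Accept only if the key ID is trusted and the digest matches (constant time)."""
    if len(packet) != NTP_HEADER_LEN + NTP_MAC_LEN:
        return False                                      # unauthenticated or malformed
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False                                      # key ID is not a trusted key
    return secrets.compare_digest(ntp_mac(key_id, key, header), mac)
```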

Chapter BGP (Border Gateway Protocol)


BGP has the following prerequisites:
You must enable the BGP feature (see the Enabling the BGP Feature section).
You should have a valid router ID configured on the system.
You must have an AS number, either assigned by a Regional Internet Registry (RIR) or locally
administered.
You must configure at least one IGP that is capable of recursive next-hop resolution.
You must configure an address family under a neighbor for the BGP session establishment.

BGP states:

1. IDLE - Router is searching routing table to see whether a route exists to reach the neighbor.
2. CONNECT - Router found a route to the neighbor and has completed the three-way TCP handshake.
3. OPEN SENT - Open message sent, with parameters for the BGP session.
4. OPEN CONFIRM - Router received agreement on the parameters for establishing session.
5. ACTIVE - Router didn't receive agreement on parameters of establishment.
6. ESTABLISHED - Peering is established; routing begins.

router bgp AS_number (1-65535)

router bgp 65001

neighbor ip_address_of_neighbor remote-as AS_number

neighbor 17.1.1.2 remote-as 65001

network ip_address_of_local_network mask subnet_mask

network 17.1.1.0 mask 255.255.255.0

show ip bgp => the networks

show ip bgp summary => the networks and the neighbors

How the Best Path Algorithm Works


BGP assigns the first valid path as the current best path. BGP then compares the best path with the next
path in the list, until BGP reaches the end of the list of valid paths. This list provides the rules that are
used to determine the best path:
1. Prefer the path with the highest WEIGHT.

Note: WEIGHT is a Cisco-specific parameter. It is local to the router on which it is configured.

2. Prefer the path with the highest LOCAL_PREF.


3. Prefer the path that was locally originated via a network or aggregate BGP subcommand or through
redistribution from an IGP.
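As an added example (not from the original notes and not Cisco's implementation), a Python comparator that applies the three rules listed above in that order and walks the path list as described: the first valid path becomes the current best and is then compared with each next path. It stops at rule 3 because the list here ends there, so a tie on all three keeps the current best; the next-hop addresses in the test are constructed values.

```python
from dataclasses import dataclass

@dataclass
class BgpPath:
    """One path for a prefix as held in the BGP table (show ip bgp)."""
    next_hop: str
    weight: int = 0                   # Cisco-specific, local to this router
    local_pref: int = 100             # shared with iBGP peers inside the AS
    locally_originated: bool = False  # network / aggregate / redistribution
    valid: bool = True                # e.g. next hop resolvable via the IGP

def prefers(candidate: BgpPath, current: BgpPath) -> bool:
    """True if candidate beats current under rules 1-3; rule order matters."""
    if candidate.weight != current.weight:                  # 1. highest WEIGHT
        return candidate.weight > current.weight
    if candidate.local_pref != current.local_pref:          # 2. highest LOCAL_PREF
        return candidate.local_pref > current.local_pref
    if candidate.locally_originated != current.locally_originated:
        return candidate.locally_originated                 # 3. locally originated
    return False   # tie so far: later tie-breakers (not listed here) would decide

def best_path(paths: list):
    """First valid path is the current best; compare it with each next path."""
    best = None
    for path in paths:
        if not path.valid:
            continue                  # invalid paths never take part
        if best is None or prefers(path, best):
            best = path
    return best
```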
