CCNP Enterprise
  • CCNP stands for Cisco Certified Network Professional. It is the professional level, for someone reasonably capable of supporting, installing and troubleshooting the Routing and Switching used in typical networks.
    Two exams are required: a core exam and a concentration exam. A CCNA is not required if you are good enough. Passing an exam at the Professional or Specialist level also recertifies the Associate level. So do not leave the individual CCNP exams for too long: the technology keeps moving, there is always something new to study, and there is no way to know when Cisco will retire a given exam (for example, the ROUTE and SWITCH exams at the CCNP level have already been retired).

    • Breakdown of the new CCNA content and topics, and CCNP Enterprise:

    • Free CCNP 350-401 ENCOR Complete Course

    • CCNP Enterprise -350-401-ENCOR- Cisco Core Technologies

    • How EtherChannel works and how to configure it:

    • [CCNP ENCOR] Basic BGP and Configuration:

    • [CCNP ENCOR] Introducing to Multiple Spanning-Tree (MSTP):

    • Introducing to Cisco DNA Center:

    • Describe SD-Access from Cisco CCNP Enterprise ENCOR (350-401):

    • CCNP Cisco Networking Academy Version v5.0:

    • Experience preparing for the CCNP exam:

    CCNP ROUTE 642-902
    CCNP SWITCH 642-813

    Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401:
    • Starting from February 24th - 2020
    • Exam Cost: 400$
    • Exam Center: Pearson Vue
    • NO Prerequisites
    • Acquired Badges: Cisco Certified Specialist - Enterprise Core
    • Enrollment: Cisco CCNP Enterprise & Cisco CCIE Enterprise Infrastructure
    • Recertify CCNA 200-301 & CCNP
    • Expires: 3 years

    • CCNP Enterprise: ENCOR + Concentration Exam:



    Enterprise Networks Design Principles:
    • Tier 2, Tier 3, and Fabric Capacity Planning
      • Simplify Scaling & Troubleshooting
      • Depends on network size, and future growing

    • Tier 2 will be for Small/Mid networks:
      • One building network
      • Only 2 Tiers (Access and Aggregation)
      • Access:
        • The first layer that faces/authenticates endpoint devices
        • Connects the endpoint to their gateways (aggregation)
      • Aggregation:
        • Aggregates/Communicates all the access layers
        • Runs both Layer2 and Layer3 Techs. and Protocols
        • Run in pair-devices mode/SSO

    • Tier 3 for Mid/Large Enterprises:
      • Multiple Buildings
      • More East-West traffic
      • Future scaling (Horizontally)
      • 3 Tiers (Access, Distribution, and CORE)
      • Core:
        • Aggregate multiple networks
        • High speed/convergence
        • Runs in pair-devices mode
        • Runs at Layer 3
        • Connects to the WAN/Internet
        • Connects to servers and other Data Centers

    High Availability:

    • First Hop Redundancy Protocols:
      • HSRP, VRRP, and GLBP
      • Runs at the Distribution layer
      • Provides a GW for endpoints
      • Needed when the Access layer uses Layer 2 technologies!

    • Hot-Standby Redundancy Protocol (HSRP):
      • Cisco Only
      • 2 Gateways
      • No Load-Balancing

    • Virtual-Router Redundancy Protocol (VRRP):
      • Open Standard
      • 2 Gateways
      • No Load-Balancing

    • Gateway Load-Balancing Protocol (GLBP):
      • Cisco Only
      • 4 Gateways
      • Load-Balancing

    • Stateful SwitchOver (SSO):
      • Switches with more than 1 CPU (supervisor)
      • when one CPU fails, the other continues, keeping state (stateful)
      • best at Distribution layer

    • Virtual Switching System (VSS):
      • A clustering technique
      • Combines multiple switches
      • Act as one switch
      • At the distribution layer
      • No FHRP will be needed then
      • May also hear 'Stackwise'

    Designing a campus network like a professional: what does it take?:

    On-Premise vs Cloud Infrastructure Deployments:
    • On-Premise: everything is in the office, Company, Data Center
    • Cloud-Based: everything is at the Cloud Company

    Software-Defined - Wide Area Networks:
    • What is SDN?:
      • there is a 'software' that runs the network
      • so, through that software, an entire network, with its different types of devices,
        can be run and administered
      • that needs either a 'Controller'!!
        or built-in scripting on the devices (Cisco TCL, or Python)
      • SD-WAN is applying SDN to the WAN part of the network!
        • the part that connects multiple networks through the Internet
        • the WAN is administered by software
        • also contains multiple layers to achieve this approach:
          • Application
          • Controller
          • Infrastructure

    SD-WAN Planes:
    • Generally, the SD-WAN solution consists of 4 planes (orchestration, management, control, and data plane)

    • The control plane:
      • builds/maintains the network topology
      • makes decisions on where traffic flows
      Cisco vSmart:
      • Handles all the Overlay-network routing
      • Facilitates the DP encryption between vEdges
      • Propagates the policies for handling DP traffic

    • The data plane:
      • responsible for forwarding packets
      • based on decisions from the control plane
      • WAN edge router
      • Provides secure data plane with remote vEdge routers
      • Implements data plane and application aware routing policies

    Traditional WAN vs SD-WAN solutions:

    Traditional WAN:
    • Each network device has its own control plane
    • Configuring, modifying, upgrading, and Monitoring is done 'Box-by-Box'
    • Automation is more difficult
    • New Installation requires 'from scratch' efforts

    SD-WAN:
    • Centralized Management
    • Through a 'software' the entire network can be run and administered
    • Automation is easy (API)
    • New devices automatically find an initial configuration / Zero Touch Provisioning (ZTP)

    Software-Defined Access:
    • is it really that different a set of technologies?
    • SD-Access is simply:
      • applying SDN solution to access network
      • when SDN controls and automates a simple campus network
    • And thus, there will be a controller (ex: Cisco DNA Center, Cisco APIC-EM)

    SDN Implementation and Effect upon planes:

    • Imperative Approach:
      • the control plane logic resides completely in the controller
      • the controller has complete control over programming the forwarding decisions of the networking devices
      • devices then will ask the controllers before any forwarding or routing action

    • Declarative Approach:
      • the control plane resides within the network device (just like before)
      • the controller declares the requirements of all the forwarding/routing decisions to the networking devices
      • the network devices will then decide how to translate the Controller instructions into actions

    • What will the access layer look like:


    What is SD-WAN?:

    Cisco SD-WAN - Introducing to Cisco SD-WAN:


    1. The RIB is used to create network topologies and routing tables. RIB is derived from the control plane. The FIB is a list of routes to particular network destinations.


    2. Extended IP access list EGRESS
        10 permit ip any
      interface GigabitEthernet0/0
        ip address
        ip access-group EGRESS out
        duplex auto
        speed auto
        media-type rj45
      An engineer must block all traffic from a router to its directly connected subnet. The engineer applies access control list EGRESS in the outbound direction on the GigabitEthernet0/0 interface of the router. However, the router can still ping hosts on the subnet, because access control lists applied outbound on a router interface do not affect traffic that is sourced from the router itself.

    3. Excess jitter and bandwidth-related packet loss network problems Indicate a need to implement QoS in a campus network.

  • Quality of Service (QoS):

    • What if there is more traffic than bandwidth?
    • If congestion WILL happen, can some traffic be preferred over other traffic?
    • Generally, UDP is preferred over TCP (TCP will automatically retransmit what is lost)
    • QoS tools do the specific desired 'preferring' (Classification & Marking, Policing, Shaping, Queuing, and Scheduling)

    • Classification & Marking:
      • for the ingress traffic/interface
      • Classification first: classify this type of traffic, e.g. 'UDP = High, Mail = Low'
      • Then Marking: 'marks' the classified traffic so it can be identified uniquely across the network
      Classification usually happens by matching port numbers:
      • if deeper recognition is needed:
      • Network-Based Application Recognition (NBAR)
      • recognizes, identifies, and classifies traffic
      • based on a wide variety of things
      • a word, a phrase, a URL!!

    • Policing & Shaping:
      • The Provider - Client Relation

    • Policing:
      • From the Provider side
      • Drop the exceeding ingress (Coming) traffic
      • or mark-down that traffic, to be dropped later in the network

    • Shaping:
      • From the Client side
      • To avoid misunderstandings or unwanted behavior with the provider
      • Queues the excess egress (Outgoing) traffic in the 'Egress Queue'
      • This is called 'Queuing'
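    Added example (not from these notes, and not Cisco code): a single-rate token-bucket policer and a shaper fed with the same constructed burst of packets. The policer drops, or marks down, whatever exceeds the contracted rate, while the shaper holds the excess in an egress queue and releases it as tokens refill. The rate, burst, DSCP values and packet arrival pattern are all constructed for the illustration.

```python
# Added example: token-bucket policing (drop / mark-down) versus shaping (queue and delay).
# Not from the course notes; all numbers below are constructed.
from collections import deque


class TokenBucket:
    """Tokens (bytes) refill at `rate` bytes/s up to `burst` bytes."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = burst       # bucket starts full
        self.last = 0.0           # time of the last refill

    def refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def take(self, size, now):
        """Return True (conform) if `size` bytes fit in the bucket at time `now`."""
        self.refill(now)
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def police(packets, rate, burst, exceed_action="drop", markdown_dscp=0):
    """packets: list of (arrival_time_s, size_bytes, dscp), in arrival order.
    Returns (time, size, dscp, action) per packet; action is 'transmit', 'drop' or 'markdown'."""
    bucket = TokenBucket(rate, burst)
    out = []
    for t, size, dscp in packets:
        if bucket.take(size, t):
            out.append((t, size, dscp, "transmit"))
        elif exceed_action == "markdown":
            out.append((t, size, markdown_dscp, "markdown"))   # re-marked, dropped later if needed
        else:
            out.append((t, size, dscp, "drop"))
    return out


def shape(packets, rate, burst):
    """Same contract, but excess packets wait in a FIFO egress queue and leave as soon
    as enough tokens have accumulated. Returns (departure_time, size, dscp, 'transmit')
    for every packet; nothing is dropped, it is only delayed."""
    bucket = TokenBucket(rate, burst)
    queue = deque(sorted(packets, key=lambda p: p[0]))
    out, now = [], 0.0
    while queue:
        t, size, dscp = queue.popleft()
        now = max(now, t)                        # cannot leave before it arrives
        if not bucket.take(size, now):
            shortfall = size - bucket.tokens     # take() already refilled up to `now`
            now += shortfall / rate              # wait exactly for the missing tokens
            bucket.tokens, bucket.last = 0.0, now
        out.append((now, size, dscp, "transmit"))
    return out


# Constructed burst: three 1000-byte packets at once, one more two seconds later (DSCP 46 = EF).
SAMPLE_BURST = [(0.0, 1000, 46), (0.0, 1000, 46), (0.0, 1000, 46), (2.0, 1000, 46)]
SAMPLE_RATE, SAMPLE_BURST_SIZE = 1000, 1500   # 1000 bytes/s contract, 1500-byte burst allowance

if __name__ == "__main__":
    for row in police(SAMPLE_BURST, SAMPLE_RATE, SAMPLE_BURST_SIZE):
        print("police:", row)
    for row in shape(SAMPLE_BURST, SAMPLE_RATE, SAMPLE_BURST_SIZE):
        print("shape: ", row)
```

    With the constructed contract, the policer transmits the first and last packet and drops (or re-marks) the two that exceed the burst, while the shaper delivers all four, spacing the departures out to 0.0, 0.5, 1.5 and 2.5 seconds. That delay is the queuing the notes refer to, and it is why shaping belongs on the client side and policing on the provider side.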

    • Queuing:
      • Dividing the Egress Queue, to multiple sub-queues
      • Each, is differentiated by 'Priority'
      • To deal with classified packets

    • Scheduling:
      • How to empty the sub-queues, by which criteria

    • Congestion Management:
      • Tools for Queuing and Scheduling
      • Emptying the Queued traffic in the egress queue
      • Weighted Fair Queuing (WFQ), Class-Based Weighted Fair Queuing (CBWFQ), Priority Queuing (PQ), Low-Latency Queuing (LLQ), Weighted Round Robin (WRR), Shaped Round Robin (SRR), Shaping

    • Congestion Avoidance:
      • Tools to avoid congestion
      • Before even happening
      • At the ingress interface/s (receiving queue)
      • Random Early Detection (RED), Weighted Random Early Detection (WRED), Weighted Tail Drop (WTD), Policing

    • QoS Application in a Network:
      • Integrated Services:
        • unified settings all the way
        • uses The Resource Reservation Protocol (RSVP)
      • Differentiated Services:
        • each hop has its unique settings
        • uses 'Per-Hop Behavior' (PHB)

    QoS Policies:

    • Modular QoS Command-line (MQC)
      • applying the QoS tools globally
      • multiple tools will be available for multiple ports/uses
      • requires 3 components to operate
        • Class-Maps
        • Policy-Maps
        • Service-Policies

    • Class-Maps:
      • create a list, that identifies/matches some characteristics of a traffic
      • classify those 'matched' traffic
      • to invoke this list, a 'Policy-Map' is needed

    • Policy-Maps:
      • MATCH a Class-Map
      • to apply a specific action to its traffic (queue it, shape it, police it...)
      • the same Class-Map can be matched multiple times on multiple interfaces
      • each time, a different 'action' will be taken!
      • to apply a 'Policy-Map' to an interface/s
      • will need a 'Service-Policy'

    • Service-Policy:
      • apply a 'Policy-Map' to an interface
      • either 'INBOUND' or 'OUTBOUND'

    Switching Mechanisms:

    Device Processing vs Cisco Express Forwarding (CEF):

    • Process:
      • processing the incoming ingress traffic
      • to switch it, to the desired egress outgoing interface
      • done by the CPU
      • even if the CPU is very busy
      • known as 'IP Input'

    • CEF:
      • establishes an area to store pre-computed decisions, as a reference
      • that area = Cache Area
      • done automatically whenever a new protocol is enabled
      • creates the FIB & Adjacency Table
      • not everything is CEF switched (a first-time ARP, CDP, Encryption)

    FIB vs. RIB:

    • Forwarding Information Base (FIB):
      • extracted from the 'RIB'
        • Routing Information Base
        • The Routing Table
      • it is the Routing Table of the CEF
      • always syncs with the RIB (Routing Table)
      • less details
        *some operations are handled by the Adjacency Table
        • for L2 info (ARP, VLAN, MAC)

    CAM (MAC Table) vs. TCAM:

    • Content Addressable Memory (CAM):
      • a random memory
      • stores MAC Addresses
      • used for lookups (by the forwarding engine)
      • MACs are represented as 'MAC Table'

    • Ternary Content Addressable Memory (TCAM):
      • also, a random memory
      • stores IP Addresses and subnet masks
      • used for Longest match lookups
      • Addresses and masks are represented as 'Routing Table'
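    Added example (not from these notes, and not Cisco code): the longest-match lookup a TCAM performs, built from a small constructed RIB. The FIB is derived from the RIB and ordered longest prefix first, and each entry is kept the way a TCAM stores it, as a value plus a mask whose zero bits are "don't care". Prefixes and next-hop names are constructed.

```python
# Added example: RIB -> FIB derivation and TCAM-style longest-prefix-match lookup.
# Not from the course notes; the routing table below is constructed.
import ipaddress

# Constructed RIB: prefix -> next hop / egress device
RIB = {
    "0.0.0.0/0": "ISP-GW",
    "10.0.0.0/8": "Core-1",
    "10.1.0.0/16": "Dist-A",
    "10.1.5.0/24": "Access-A5",
    "192.168.100.0/24": "Dist-B",
}


def tcam_entry(net):
    """A TCAM entry is (value, mask): bits under the mask must match, the rest are 'don't care'."""
    return int(net.network_address), int(net.netmask)


def tcam_match(addr_int, value, mask):
    return (addr_int & mask) == (value & mask)


def build_fib(rib):
    """Derive the FIB from the RIB: (prefix string, value, mask, next hop), longest prefix first,
    so the first TCAM entry that matches is automatically the most specific one."""
    entries = []
    for prefix, next_hop in rib.items():
        net = ipaddress.ip_network(prefix)
        value, mask = tcam_entry(net)
        entries.append((net.prefixlen, str(net), value, mask, next_hop))
    entries.sort(key=lambda e: e[0], reverse=True)
    return [(p, v, m, nh) for _, p, v, m, nh in entries]


def lookup(fib, dst):
    """Return (matched prefix, next hop) for a destination, or (None, None) if no route."""
    addr_int = int(ipaddress.ip_address(dst))
    for prefix, value, mask, next_hop in fib:
        if tcam_match(addr_int, value, mask):
            return prefix, next_hop
    return None, None


if __name__ == "__main__":
    fib = build_fib(RIB)
    for dst in ("10.1.5.77", "10.1.9.1", "10.200.1.1", "8.8.8.8"):
        print(dst, "->", lookup(fib, dst))
```

    The sort on prefix length is what turns a routing table into a longest-match structure; remove the default route from the RIB and a destination such as 8.8.8.8 returns no route at all, which is the "no match" case a real FIB reports as a drop.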


    Device Virtualization:
    • Just Networks, BUT in Virtualized Environment
    • Multiple Devices inside One
    • Ease of Management

    • The Hypervisor: The new Mediator between SW/HW
    • Load the Hypervisor on the Physical HW, after that install OS on the Hypervisor
    • Now the Hypervisor = Host, and the OS = Virtual Machines = Guest

    • Hypervisors:
      • Schedules the VMs' requests to the HW
      • Distributes the HW resources between the VMs

    • Hypervisors Types:
      • Type1:
        • The Native or Bare Metal
        • Runs directly on the HW resources
        • HW --- Hypervisor --- VM
        • Citrix XEN, Oracle VM, Microsoft Hyper-V, VMware ESX/ESXi
      • Type2:
        • Hosted
        • Runs as a SW besides the OS
        • HW --- OS --- hypervisor
        • VMware Workstation, Virtual Box

    • How to connect all these?
    • Virtual Switches:
      • Connects all VMs Together like a Real Switch
      • Assigns a Virtual Network Interface Card (V.NIC) for each VM
      • Exists by default in Hypervisors Type1
      • After Creating a V.Switch & V.NIC, all VMs will automatically get connected together
      *also, can create Port Group for Complete Isolating (like VLANs)
      *there is another V.NIC for each VM (for Internet)
    • Examples:
      • Microsoft Hyper-V
      • ESXi VSwitch

    1. YANG structures data in an object-oriented fashion to promote model reuse.

    2. In a Cisco SD-Access solution, the Identity Services Engine (ISE) is leveraged for dynamic endpoint to group mapping and policy definition.

    3. OSPF:
      • link state routing protocol
      • makes it easy to segment the network logically
      • constructs three tables as part of its operation: neighbor table, topology table, and routing table
      • distance vector routing protocol
      • supports unequal path load balancing
      • metric is based on delay and bandwidth by default

  • Data Path Virtualization:

    Virtual Routing & Forwarding (VRF):
    • For Service Providers
    • With multiple clients
    • isolate each client in a 'Routing Table'
    • for duplicated addresses
    • requires ISP's network
      • MPLS, VPN, L3VPN, BGP

    • BUT, for Enterprises:
      • VRF-Lite > Lab 1:
      • No Extra VPN protocols
      • classic routing protocols can be used

    Generic Routing Encapsulation (GRE): Lab 2:
    • Virtually create a P2P path
    • Virtually isolate some traffic in a path
    • Across multiple hops
    • Data will be 'Encapsulated' at L3
    • Source and Destination ports should be specified
    • Virtual ports will be created on Tunnel ends

    Internet Protocol Security (IPSec): Lab 3:
    • packets travel unsecured
    • any sniffer, analyzer, can read data!
    • IPSec is a bunch of tools:
      • pick the set you would like to secure the data with
      • Confidentiality: Encrypt the data all the way
      • Data Integrity: Guarantees delivering original data
      • Authentication: only the trusted ends can communicate
      • Anti-Replay: rejects replayed or duplicated packets

    • To provide and establish all the CIA and R:
      • Security Associations (SA) will be exchanged between the peers
      • things like (tools, algorithms, protocols, and keys) will be discussed

    • Security Associations Parameters:
      • hashing: producing a fixed-size digest of the data using a one-way algorithm (MD5, SHA)
      • encryption: locking the data using a 2-way (reversible) algorithm
      • shared passwords
      • all of the above is either statically configured, or dynamically (IKE)

    • Static means that every parameter is defined manually

    • Dynamic (Internet Key Exchange, IKE):
      • a group of SA's
      • end tunnels will negotiate their accepted SA's
      • IKE has versions 1 and 2
      • IKEv1 creates 2 Tunnels (in 2 phases):
        • Phase1: establish an authenticated tunnel, it requires:
          • authentication (PSK (requires Password) or PKI)
          • encryption (DES, 3DES, or AES)
          • hash (SHA or MD5)
          • DH group
          • lifetime (optional)
        • Phase2: negotiates SA's between end points
          • (Destination, Data, and Transport Method)
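    Added example (not from these notes, and not Cisco code): the sliding-window anti-replay check that IPsec ESP/AH receivers apply to the sequence number of each packet, in the style of RFC 4303, with a 64-packet window. A sequence number already seen, or one that has fallen off the left edge of the window, is rejected; a number beyond the right edge slides the window forward. The sequence values in the demo are constructed. The check is only meaningful because the sequence number is covered by the integrity hash, so an attacker cannot simply renumber a captured packet.

```python
# Added example: IPsec-style sliding-window anti-replay check (RFC 4303 flavour).
# Not from the course notes; the sample sequence numbers are constructed.


class AntiReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.right = 0      # highest sequence number accepted so far (right edge)
        self.bitmap = 0     # bit i set  =>  sequence number (right - i) already received

    def check_and_update(self, seq):
        """Return True and record `seq` if it is fresh; False if it is a replay or too old."""
        if seq == 0:
            return False                      # sequence number 0 is never valid in ESP
        if seq > self.right:                  # newer than anything seen: slide the window
            shift = seq - self.right
            if shift >= self.size:
                self.bitmap = 1               # everything older has fallen out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= self.size:
            return False                      # left of the window: too old to judge, reject
        if self.bitmap & (1 << offset):
            return False                      # already received: replay
        self.bitmap |= 1 << offset            # late but fresh: accept and remember it
        return True


def filter_replays(seqs, size=64):
    """Run a stream of sequence numbers through one window; return those accepted."""
    window = AntiReplayWindow(size)
    return [s for s in seqs if window.check_and_update(s)]


# Constructed stream: reordering (3 before 2), a duplicate (2), a jump (100), a late
# packet still inside the window (40), one just outside it (36) and a replayed 100.
SAMPLE_SEQUENCE = [1, 3, 2, 2, 100, 40, 36, 100]

if __name__ == "__main__":
    print("accepted:", filter_replays(SAMPLE_SEQUENCE))
```

    Mild reordering is tolerated (2 arriving after 3 is accepted), duplicates and replays are refused, and a packet older than the window is refused as well even though it was never seen, because the receiver has no memory of it and must err on the side of rejection.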

    Network Virtualization:

    • Locator/ID Separation Protocol (LISP):
      • also, a tunneling protocol (like GRE)
      • establish a tunnel between edge routers and the WAN
      • separates location from identity:
        • identity: IP Address of the host (Endpoint ID, EID)
        • location: IP Address of the host's GW (Routing Locator, RLOC)
          RLOC = the address facing the WAN
      • useful in the case of:
        • load sharing with the provider (multi-homed)
        • tunneling IPv6 over IPv4 infrastructure
        • other VPN uses
      • there are 2 required devices to perform the separation and the mapping (map this EID to that RLOC)
        • a map server (MS), and a map resolver (MR)
        • can be combined in a single device

      • CCNP-CCIE Enterprise : Overview of LISP:

      • [CCNP ENCOR] Getting to know Cisco LISP and understanding the basics of how it works:

    • Virtual Extensible Local Area Network (VxLAN):
      • a tunneling protocol
      • for data centers
      • replaces VLAN as it gives 2^24 = 16,777,216 VLANs
      • transport L2 over L3
      • extends L2 connectivity over L3 infrastructure
      • supports ECMP over CLOS (spine and leaf)
      • requires L2GW and L3GW
      • can use the same VxLAN number on multiple sites
      • thus, the same broadcast domain will be stretched between sites


    Layer 2 Infrastructure Technologies:

    Static and Dynamic 802.1q trunking protocols: Lab 4:
    • Static is to configure every port as either:
      • Auto (default): waiting for the other side to negotiate
      • Desirable: starts negotiating trunking
    • Dynamic (enabled by default):
      • only requires one side to enable trunking
      • negotiations happen dynamically
      • negotiations can be 'Disabled'

    Static and Dynamic EtherChannels: Lab 5:
    • EtherChannels are supported on Cisco Switches
    • supporting both LACP and PAgP negotiations protocols
    • those are the static-negotiation EtherChannel protocols
    • LACP uses:
      • Active: initiates bundling negotiations
      • Passive: waits for other side to initiate
    • PAgP uses:
      • Desirable: initiates bundling negotiations
      • Auto: waits for other side to initiate
    • Dynamic:
      • Mode ON: no negotiations, direct bundling (mostly L3)

    1. When using Transport Layer Security (TLS) for syslog, 'logging host vrf mgmt transport tcp port 6514' configuration allows for secure and reliable transportation of messages to its default port.

    2. The TOS field in the Layer 3 header is used to perform QoS packet classification.


    3. At the Northbound API layer, Cisco DNA Center supports REST controls.

    4. How to configure eBGP (external BGP):

      R1(config)# router bgp 1
      R1(config-router)# neighbor remote-as 2
      R1(config-router)# network mask

      R2(config)# router bgp 2
      R2(config-router)# neighbor remote-as 1
      R2(config-router)# network mask

    5. DHCP option 43 helps lightweight APs find the IP address of a wireless LAN controller.

    6. In a Cisco SD-Access wireless solution, radio resource management is performed by the wireless controller.
      Fabric wireless controllers manage and control the fabric-mode APs using the same general model as the traditional local-mode controllers, which offers the same operational advantages such as mobility control and radio resource management. A significant difference is that client traffic from wireless endpoints is not tunnelled from the APs to the wireless controller. Instead, communication from wireless clients is encapsulated in VxLAN by the fabric APs, which build a tunnel to their first-hop fabric edge node. Wireless traffic is tunneled to the edge nodes because the edge nodes provide fabric services such as the Layer 3 Anycast Gateway, policy, and traffic enforcement.

  • Common Spanning Tree Protocols (STP): Lab 6:
    • Redundant links are needed, but what happens when a broadcast frame is sent?
    • How can we prevent what is called a 'LOOP', AKA a 'Broadcast Storm'?
    • STP requires election to be performed first
    • The Winner must be: 1-Lowest Priority, 2-Lowest MAC Address
    • After that port roles and states will happen:
      • Designated Port: Forwarding state
      • Root Port: Forwarding State
      • Alternative / Non-designated Port: Blocking State
    • The entire election process takes (30 - 50) Seconds
      Max Age (20) + Forwarding Delay (15) + Learning Delay (15) = 50 Seconds


    • In order to speed things up:
      • Rapid STP: NO Listening, NO Blocking,
        only (Discard, Forwarding, Learning)
      • Then delay will become = 3 + 3 = 6 Seconds
      • What is the BIG benefit of redundancy then, if STP is blocking ports?:
        • There will be a Per-VLAN STP (PVST)
        • Each VLAN can have an ELECTION!!
        • Each VLAN will have its own root!
        • Things are much better now
        • Especially since there is RPVST+ (faster)!
      • RPVST+ can be further simplified by using MST:
        Lab 7:
        • Instances (groups) that require domain names/revision numbers
        • each instance will have its own Tree
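    Added example (not from these notes, and not Cisco code): a per-VLAN root-bridge election over a constructed set of switches, plus the convergence figures from the timers above. The Bridge ID that is compared is the 16-bit priority followed by the 48-bit MAC, so the lowest priority wins and the lowest MAC breaks ties; with the extended system ID used by PVST+/RPVST+, the priority field carries the configured priority (a multiple of 4096) plus the VLAN ID, which is what gives every VLAN its own election. Switch names, MACs and priorities are constructed. The RSTP figure is computed as three missed 2-second hellos, which lands on the same 6 seconds the notes give.

```python
# Added example: per-VLAN STP root election and convergence timers.
# Not from the course notes; switches, MACs and priorities are constructed.
DEFAULT_PRIORITY = 32768


def parse_mac(mac):
    """Accept 00:1a:2b:3c:4d:5e, 001a.2b3c.4d5e or 00-1a-... and return the 48-bit integer."""
    return int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)


def pvst_priority(base_priority, vlan):
    """Extended system ID: the priority field = configured priority + VLAN ID."""
    if base_priority % 4096 or not 0 <= base_priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return base_priority + vlan


def bridge_id(priority, mac):
    """64-bit Bridge ID: priority in the high 16 bits, MAC in the low 48."""
    return (priority << 48) | parse_mac(mac)


def elect_root(switches, vlan):
    """switches: name -> (mac, {vlan: configured priority}); VLANs not listed use 32768.
    Returns the name of the root bridge for that VLAN (lowest Bridge ID wins)."""
    ids = {name: bridge_id(pvst_priority(pri.get(vlan, DEFAULT_PRIORITY), vlan), mac)
           for name, (mac, pri) in switches.items()}
    return min(ids, key=ids.get)


def stp_convergence_seconds(max_age=20, forward_delay=15):
    """Worst case for classic STP: wait Max Age, then Listening and Learning, one Forward Delay each."""
    return max_age + 2 * forward_delay


def rstp_convergence_seconds(hello=2):
    """RSTP declares a neighbour gone after three missed hellos."""
    return 3 * hello


# Constructed topology: SW3 has the lowest MAC but keeps the default priority;
# SW1 is configured as root for VLAN 10 and SW2 for VLAN 20.
SWITCHES = {
    "SW1": ("00:1a:2b:3c:4d:5e", {10: 4096}),
    "SW2": ("00:1a:2b:00:00:01", {20: 4096}),
    "SW3": ("00:00:00:00:00:01", {}),
}

if __name__ == "__main__":
    for vlan in (10, 20, 30):
        print(f"VLAN {vlan}: root = {elect_root(SWITCHES, vlan)}")
    print("STP worst case:", stp_convergence_seconds(), "s; RSTP:", rstp_convergence_seconds(), "s")
```

    VLAN 30 has no configured priority anywhere, so its root is decided purely by the lowest MAC, which is the behaviour to expect when nobody has set a root: whichever box happens to have the oldest hardware address wins. That is the reason a campus design pins the root explicitly per VLAN at the distribution layer.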

    Layer 3 Infrastructure Technologies:

    Enhanced Interior Gateway Routing Protocol (EIGRP):
    • A Hybrid Protocol
    • classified as a 'Distance Vector (D.V.)' protocol
    • it does combine both the D.V. and Link State (L.S.) methods of measuring the metric
    • IP Protocol = 88
    • Diffusing Update Algorithm (DUAL)
    • AD = 90
    • Metric = Result of the 5 K's formula:
      256 * [ (K1*Bandwidth) + (K2*Bandwidth)/(256-Load) + (K3*Delay) ] * [ K5/(Reliability + K4) ]
    • The default 'K Values': K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0 (with K5 = 0 the last term is left out)

      So = 256 x ( Bandwidth + Delay )

    • Bandwidth is per link, while Delay is cumulative

    • EIGRP will apply the formula to elect its main path
    • for redundant paths, Feasibility Condition (FC) is used:
      • the main path is the lowest metric calculated among available paths:
        • The Feasible Distance (FD)
        • Successor
      • the redundant path is the lowest 'Advertised' metric from the neighbor!:
        • The Reported/Advertised Distance (RD)
        • Feasible Successor (FS)
      • only those paths can be used for Unequal Cost Load Distribution (UCLD)
      • which requires the activation of 'variance'
    • Lab 8: EIGRP:
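    Added example (not from these notes, and not Cisco code): the EIGRP composite metric computed with the K values as IOS applies them (bandwidth term = 10^7 divided by the slowest link in kbit/s, delay term = sum of interface delays in tens of microseconds, K5 = 0 leaves the reliability term out), followed by successor / feasible-successor selection under the Feasibility Condition and the variance check for unequal-cost load distribution. The candidate paths and the reported distances are constructed.

```python
# Added example: EIGRP metric, Feasibility Condition and variance.
# Not from the course notes; the paths below are constructed.
DEFAULT_K = (1, 0, 1, 0, 0)


def eigrp_metric(min_bandwidth_kbps, total_delay_us, load=1, reliability=255, k=DEFAULT_K):
    """Composite metric as IOS computes it (integer arithmetic)."""
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min_bandwidth_kbps          # scaled bandwidth of the slowest link
    delay = total_delay_us // 10              # cumulative delay in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:                               # K5 = 0 means "no reliability term"
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def eigrp_paths(paths, variance=1):
    """paths: next_hop -> (min_bw_kbps, total_delay_us, reported_distance_from_neighbor).
    Returns (successor, feasible_successors, paths usable for unequal-cost load sharing)."""
    fd_by_hop = {nh: eigrp_metric(bw, d) for nh, (bw, d, _rd) in paths.items()}
    successor = min(fd_by_hop, key=fd_by_hop.get)
    fd = fd_by_hop[successor]                 # Feasible Distance = best metric
    # Feasibility Condition: the neighbour's own (reported) distance must be below our FD,
    # which guarantees the neighbour is not routing back through us (loop-free).
    feasible = [nh for nh, (_bw, _d, rd) in paths.items() if nh != successor and rd < fd]
    # variance: a feasible successor is installed if its metric <= FD * variance
    usable = [nh for nh in feasible if fd_by_hop[nh] <= fd * variance]
    return successor, feasible, usable


# Constructed candidate paths to one destination: all over T1-speed links (1544 kbit/s).
# R4 has a good metric but a reported distance above our FD, so it fails the FC.
PATHS = {
    "R2": (1544, 20000, 1_000_000),
    "R3": (1544, 30000, 1_500_000),
    "R4": (1544, 25000, 3_000_000),
}

if __name__ == "__main__":
    print("T1 with 20 ms delay ->", eigrp_metric(1544, 20000))
    for v in (1, 2):
        print(f"variance {v}:", eigrp_paths(PATHS, variance=v))
```

    With variance 1 only the successor carries traffic; with variance 2 the feasible successor via R3 is added to the routing table as well, while R4 stays excluded however the variance is set, because a path that fails the Feasibility Condition is never considered, not even for load sharing.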

    Open Shortest-Path First (OSPF):
    • Link State Protocol
    • Dijkstra algorithm
    • SPF algorithm for route decision
    • AD = 110
    • Metric = Cost (less = Better)
    • Process ID for multiple instances
    • Area ID for Data Base isolation

    • Link-State Advertisements: negotiation between OSPF Routers, it contains:
      • LSRequest: provide the missing Information
      • LSUpdate: reply for the LSR
      • LSAcknowledgement: reply for the LSU
    • Neighboring Process:

    1. A company plans to implement intent-based networking in its campus infrastructure. A two-tier design facilitates a migration from a traditional campus design to a programmable fabric design.

    2. LISP components:
      • map server: network infrastructure component that learns of EID-prefix mapping entries from an ETR
      • map resolver: accepts LISP encapsulated map requests
      • ITR: receives packets from site-facing interfaces
      • ETR: de-encapsulates LISP packets coming from outside of the LISP site to destinations inside of the site
      • proxy ETR: receives traffic from LISP sites and sends it to non-LISP sites
      • EID: IPv4 or IPv6 address of an endpoint within a LISP site

    3. Being able to deploy multiple virtual servers on the same physical server without buying additional hardware is a benefit of a virtual machine compared with a physical server.

    4. VxLAN characteristics:
      • It uses VTEPs to encapsulate and de-capsulate frames
      • Allows for up to 16 million VxLAN segments

    5. Cisco DNA center application Policy is responsible for group-based access control permissions.

    6. The REST API relies on the HTTPS protocol to secure the communication channel.
      The REST API accepts and returns HTTP (not enabled by default) or HTTPS messages that contain JavaScript Object Notation (JSON) or eXtensible Markup Language (XML) documents. Any programming language can be used to generate the messages and the JSON or XML documents that contain the API methods or Managed Object (MO) descriptions.

    7. Refer to the exhibit. An engineer must deny HTTP traffic from host A to host B while allowing all other communication between the hosts.


      SW1(config)# ip access-list extended DENY-HTTP
      SW1(config-ext-nacl)# deny tcp host host eq www

      SW1(config)# ip access-list extended MATCH_ALL
      SW1(config-ext-nacl)# permit ip any any

      SW1(config)# vlan access-map HOST-A-B 10
      SW1(config-access-map)# match ip address DENY-HTTP
      SW1(config-access-map)# action drop

      SW1(config)# vlan access-map HOST-A-B 20
      SW1(config-access-map)# match ip address MATCH_ALL
      SW1(config-access-map)# action forward

      SW1(config)# vlan filter HOST-A-B vlan 10
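    Added example (not from these notes, and not Cisco code): an evaluator for extended ACL entries and for VLAN access-map sequences, run against the DENY-HTTP / MATCH_ALL logic above. The host addresses are constructed placeholders for host A and host B, since the exhibit is not reproduced in the notes. The caveat it demonstrates: an extended ACL applied to an interface is first-match with an implicit deny, but a VLAN access-map sequence applies its action only to traffic the referenced ACL permits, and a deny entry merely falls through to the next sequence. So the "deny tcp host A host B eq www" form written above drops HTTP only as an interface ACL; inside the VACL, the matching ACL needs a permit entry for the HTTP flow for the drop action to ever apply.

```python
# Added example: extended-ACL and VLAN access-map evaluation semantics.
# Not from the course notes; host addresses are constructed placeholders.
from dataclasses import dataclass
from typing import Optional

HOST_A, HOST_B = "10.10.10.1", "10.10.10.2"   # constructed stand-ins for the exhibit's hosts


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class ACE:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str                      # "any" or a single host address
    dst: str
    dport: Optional[int] = None   # None means any destination port

    def matches(self, f):
        return (self.proto in ("ip", f.proto)
                and self.src in ("any", f.src)
                and self.dst in ("any", f.dst)
                and self.dport in (None, f.dport))


def acl_result(acl, flow):
    """Interface-ACL semantics: first matching entry wins; no match is an implicit deny."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action
    return "deny"


def vacl_action(access_map, flow):
    """VLAN access-map semantics: a sequence applies only to traffic its ACL *permits*;
    a deny entry just falls through to the next sequence; no sequence applying => drop."""
    for acl, action in access_map:
        if acl_result(acl, flow) == "permit":
            return action
    return "drop"


MATCH_ALL = [ACE("permit", "ip", "any", "any")]
# As written in the notes: a deny entry, which never *permits* anything, so sequence 10 never applies.
DENY_HTTP_AS_WRITTEN = [ACE("deny", "tcp", HOST_A, HOST_B, 80)]
# The form that selects the HTTP flow so that "action drop" applies to it.
DENY_HTTP_MATCHING = [ACE("permit", "tcp", HOST_A, HOST_B, 80)]
# The same intent expressed as a single interface ACL (deny HTTP, permit the rest).
INTERFACE_ACL = [ACE("deny", "tcp", HOST_A, HOST_B, 80), ACE("permit", "ip", "any", "any")]

HTTP_A_TO_B = Flow("tcp", HOST_A, HOST_B, 80)
SSH_A_TO_B = Flow("tcp", HOST_A, HOST_B, 22)


def vacl_demo(deny_http_acl):
    """Apply access-map HOST-A-B (seq 10 drop, seq 20 forward) and report per destination port."""
    access_map = [(deny_http_acl, "drop"), (MATCH_ALL, "forward")]
    return {f.dport: vacl_action(access_map, f) for f in (HTTP_A_TO_B, SSH_A_TO_B)}


if __name__ == "__main__":
    print("VACL, ACL as written :", vacl_demo(DENY_HTTP_AS_WRITTEN))
    print("VACL, ACL with permit:", vacl_demo(DENY_HTTP_MATCHING))
    print("interface ACL        :", {f.dport: acl_result(INTERFACE_ACL, f) for f in (HTTP_A_TO_B, SSH_A_TO_B)})
```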

    8. When using RESTCONF to write configurations on network devices, it is provided using NGINX acting as a proxy web server.

    9. The wireless client device makes the decision for a wireless client to roam.

    10. A network administrator applies the following configuration to an IOS device.
      aaa new-model
      aaa authentication login default local group tacacs+

      A local database is checked first. If that check fails, a TACACS+ server is checked.

    11. Considerations when using SSO as a network redundancy feature:
      • must be combined with NSF to support uninterrupted Layer 3 operations
      • requires synchronization between supervisors in order to guarantee continuous connectivity
      The access layer typically provides Layer 2 services, with redundant switches making up the distribution layer. The Layer 2 access layer can benefit from SSO deployed without NSF. Some Enterprises have deployed Layer 3 routing at the access layer. In that case, NSF/SSO can be used.
      Cisco IOS NonStop Forwarding (NSF) always runs with stateful switchover (SSO) and provides redundancy for Layer 3 traffic.