CCNP Enterprise
  • CCNP stands for Cisco Certified Network Professional. It is the professional level, for people with a reasonable ability to support, install and troubleshoot the Routing and Switching used in typical networks.
    You must pass 2 exams, a core exam and a concentration exam. You do not need a CCNA to sit it if you are experienced enough. Passing an exam at the Professional or Specialist level also recertifies you at the Associate level, so do not leave too long a gap between the individual CCNP exams: the technology keeps evolving, there is always something new to study, and there is no way to know when Cisco will announce the retirement of a given exam (for example, the CCNP-level ROUTE and SWITCH exams, which have already been retired).

    • A deep dive into the content and topics of the new CCNA and CCNP Enterprise:
      www.youtube.com/watch?v=ucgSn8fJBUU

    • Free CCNP 350-401 ENCOR Complete Course
      www.youtube.com/playlist?list=PLAqaqJU4wzYVS_QYH1_LEh5VLDu-Oaiwy

      www.youtube.com/playlist?list=PLhfrWIlLOoKPM3poHlHLpw-b6cigthng2

    • CCNP Enterprise -350-401-ENCOR- Cisco Core Technologies
      www.udemy.com/course/ccnp-enterprise-300-401-implementing-cisco-enterprise-core

    • Explaining how EtherChannel works and how to configure it:
      www.youtube.com/watch?v=waA-kTBevQ4

    • [CCNP ENCOR] Basic BGP and Configuration:
      www.youtube.com/watch?v=y6YtCyMBhKY

    • [CCNP ENCOR] Introducing to Multiple Spanning-Tree (MSTP):
      www.youtube.com/watch?v=TxSLRuQP2bY

    • Introducing to Cisco DNA Center:
      www.youtube.com/watch?v=XaZZgOKPnG0

    • Describe SD-Access from Cisco CCNP Enterprise ENCOR (350-401):
      www.youtube.com/watch?v=k7_0On3pcY4

    • CCNP Cisco Networking Academy Version v5.0:
      forum.siamnetworker.com/?topic=294

    • Experience preparing for the CCNP exam:
      zone-network.blogspot.com/2014/06/ccnp.html

    CCNP ROUTE 642-902
    CCNP SWITCH 642-813

    Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401:
    • Starting from February 24th - 2020
    • Exam Cost: 400$
    • Exam Center: Pearson Vue
    • NO Prerequisites
    • Acquired Badges: Cisco Certified Specialist - Enterprise Core
    • Enrollment: Cisco CCNP Enterprise & Cisco CCIE Enterprise Infrastructure
    • Recertify CCNA 200-301 & CCNP
    • Expires: 3 years

    • CCNP Enterprise: ENCOR + Concentration Exam:

    image

    Architecture:

    Enterprise Networks Design Principles:
    • Tier 2, Tier 3, and Fabric Capacity Planning
      • Simplify Scaling & Troubleshooting
      • Depends on network size, and future growing
    B-)

    • Tier 2 will be for Small/Mid networks:
      • One building network
      • Only 2 Tiers (Access and Aggregation)
      • Access:
        • The first layer faces/authenticates endpoint devices
        • Connects the endpoint to their gateways (aggregation)
      • Aggregation:
        • Aggregates/Communicates all the access layers
        • Runs both Layer2 and Layer3 Techs. and Protocols
        • Run in pair-devices mode/SSO

    • Tier 3 for Mid/Large Enterprises:
      • Multiple Buildings
      • More East-West traffic
      • Future scaling (Horizontally)
      • 3 Tiers (Access, Distribution, and CORE)
      • Core:
        • Aggregate multiple networks
        • High speed/convergence
        • Runs in pair-devices mode
        • Runs at Layer 3
        • Connects to the WAN/Internet
        • Connects to servers and other Data Centers

    High Availability:

    • First Hop Redundancy Protocols:
      • HSRP, VRRP, and GLBP
      • Runs at the Distribution layer
      • Provides a GW for endpoints
      • Needed when the Access layer is using a Layer2 techs!

    • Hot-Standby Redundancy Protocol (HSRP):
      • Cisco Only
      • 2 Gateways
      • No Load-Balancing

    • Virtual-Router Redundancy Protocol (VRRP):
      • Open Standard
      • 2 Gateways
      • No Load-Balancing

    • Gateway Load-Balancing Protocol (GLBP):
      • Cisco Only
      • 4 Gateways
      • Load-Balancing

    • Stateful SwitchOver (SSO):
      • Switches with more than 1 CPU
      • when 1 CPU fails, the other continues (stateful)
      • best at Distribution layer

    • Virtual Switching System (VSS):
      • A clustering technique
      • Combines multiple switches
      • Act as one switch
      • At the distribution layer
      • No FHRP will be needed then
      • May also hear 'Stackwise'

    Designing a campus network like a professional: what do you need to do?:
    www.youtube.com/watch?v=JU1gdz0VZjo

    www.youtube.com/watch?v=QahRhXoZPzE

    On-Premise vs Cloud Infrastructure Deployments:
    • On-Premise: everything is in the office, Company, Data Center
    • Cloud-Based: everything is at the Cloud Company

    Software-Defined - Wide Area Networks:
    • What is SDN?:
      • where have a 'software' that runs network
      • so, through a 'software' be able to run and administrate
        An entire network, with its different types of devices
      • that will need either a 'Controller'!!
        Or, a built-in scripting (Cisco TCL, or Python)
      • SD-WAN is applying SDN to WAN part of the network!
        • the part that connects multiple networks through the Internet
        • will administer the WAN by a software
        • also contains multiple layers to achieve this approach:
          • Application
          • Controller
          • Infrastructure

    SD-WAN Planes:
    • Generally, the SD-WAN solution consist of 4 planes (orchestration, management, control, and data plane)

    • The control plane:
      • builds/maintains the network topology
      • makes decision on where traffic flows
      Cisco vSmart:
      • Handles all the Overlay-network routing
      • Facilitates the DP encryption between vEdges
      • Propagates the policies for handling DP traffic

    • The data plane:
      • responsible for forwarding packets
      • based on decisions from the control plane
      Physical/Virtual:
      • WAN edge router
      • Provides secure data plane with remote vEdge routers
      • Implements data plane and application aware routing policies

    Traditional WAN vs SD-WAN solutions:

    Traditional WAN:
    • Each network device has its own control plane
    • Configuring, modifying, upgrading, and Monitoring is done 'Box-by-Box'
    • Automation is more difficult
    • New Installation requires 'from scratch' efforts

    SD-WAN:
    • Centralized Management
    • Through a 'software' be able to run and administrate an entire network
    • Automation is easy (API)
    • New devices automatically finds an initial configuration/Zero Touch Provisioning (ZTP)

    Software-Defined Access:
    • is it really that much of different technologies!
    • SD-Access is simply:
      • applying SDN solution to access network
      • when SDN controls and automates a simple campus network
    • And thus, there will be a controller (ex: Cisco DNA Center, Cisco APIC-EM)

    SDN Implementation and Effect upon planes:

    • Imperative Approach:
      • the control plane logic resides completely in the controller
      • the controller has a complete control over programing the forwarding decisions of the networking devices
      • devices then will ask the controllers before any forwarding or routing action

    • Declarative Approach:
      • the control plane resides within the network device (just like before)
      • the controller will declare the requirements of all the Forwarding/routing decisions to the networking devices
      • the network devices will then decide how to translate the Controller instructions into actions

    • What will the Access look like:

      image

    What is SD-WAN?:
    www.youtube.com/watch?v=YaxTiTYgpj4

    Cisco SD-WAN - Introducing to Cisco SD-WAN:
    www.youtube.com/watch?v=PNJhDLh9WFI

    image
    www.youtube.com/watch?v=0Q_Px1FzlZ4

    1. The RIB is used to create network topologies and routing tables. RIB is derived from the control plane. The FIB is a list of routes to particular network destinations.

      image

    2. Extended IP access list EGRESS
        10 permit ip 10.0.0.0 0.0.0.255 any
      !
      interface GigabitEthernet0/0
        ip address 209.165.200.225 255.255.255.0
        ip access-group EGRESS out
        duplex auto
        speed auto
        media-type rj45
      !
      An engineer must block all traffic from a router to its directly connected subnet 209.165.200.0/24. The engineer applies access control list EGRESS in the outbound direction on the GigabitEthernet0/0 interface of the router. However, the router can still ping hosts on the 209.165.200.0/24 subnet, because access control lists that are applied outbound to a router interface do not affect traffic that is sourced from the router.

    3. Excess jitter and bandwidth-related packet loss network problems Indicate a need to implement QoS in a campus network.
    B-)
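The EGRESS question above turns on two IOS ACL rules: wildcard-mask matching with first-match-wins and an implicit deny, and the fact that outbound ACLs are not applied to traffic the router itself generates. The following is an added example (not code from the post) that models both rules in Python; the ACE is the one from the question, the packets and the `outbound_filter`/`evaluate` helper names are constructed for the demo.

```python
"""IOS-style ACL evaluation with wildcard masks, first match wins and an
implicit deny at the end. Added example; the ACE is the EGRESS entry from the
question above, the packets are constructed for the demo."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str      # "permit" or "deny"
    protocol: str    # "ip" matches every IP protocol; otherwise "tcp", "udp", "icmp"
    src: str         # "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z" (address + wildcard)
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """Wildcard mask semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return IPv4(addr) == IPv4(spec.split()[1])
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(IPv4(wildcard))      # bits that must be equal
    return (int(IPv4(addr)) & care) == (int(IPv4(base)) & care)


def evaluate(acl, protocol: str, src: str, dst: str):
    """Walk the ACEs in order; return (action, seq). ("deny", None) is the implicit deny."""
    for ace in acl:
        if ace.protocol not in ("ip", protocol):
            continue
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action, ace.seq
    return "deny", None


def outbound_filter(acl, protocol, src, dst, router_sourced):
    """Outbound ACLs on IOS are only applied to transit traffic; packets the
    router itself generates (its own pings, routing updates) bypass them."""
    if router_sourced:
        return "forward", "router-originated: outbound ACL not consulted"
    action, seq = evaluate(acl, protocol, src, dst)
    verdict = "forward" if action == "permit" else "drop"
    return verdict, (f"ACE {seq}" if seq is not None else "implicit deny")


# The EGRESS list from the question: only 10.0.0.0/24 sources are permitted
EGRESS = [Ace(10, "permit", "ip", "10.0.0.0 0.0.0.255", "any")]


def demo():
    # Constructed packets: the router's own ping, a transit host that matches, one that does not
    return {
        "router_ping": outbound_filter(EGRESS, "icmp", "209.165.200.225", "209.165.200.10", True),
        "transit_permitted": outbound_filter(EGRESS, "icmp", "10.0.0.7", "209.165.200.10", False),
        "transit_denied": outbound_filter(EGRESS, "icmp", "10.0.1.7", "209.165.200.10", False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The router's ping is forwarded without the ACL ever being consulted, a transit packet from 10.0.0.7 matches ACE 10, and a transit packet from 10.0.1.7 falls through to the implicit deny; to filter the router's own traffic you would need a control-plane mechanism rather than an interface ACL.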

  • Quality of Service (QoS):

    • if traffic was more than bandwidth!
    • if congestion WILL happen, can some traffic be more preferred than another?
    • Generally, UDP will be preferred over TCP (TCP will automatically do a re-transmission)
    • QoS Tools that will do the specific desired 'Preferring'. (Classification & Marking, Policing, Shaping, Queuing, and Scheduling)

    • Classification & Marking:
      • for the Ingress traffic/interface
      • Classification first, please classify this type of traffic, like: 'UDP=High, Mail=Low'
      • Then, Marking, 'Marks' the classified traffics to identify them uniquely in the network
      Classification usually happens by matching port numbers:
      • if further recognizing is needed
      • Network-Based Application Recognition (NBAR)
      • recognizes, identifies, and classifies a traffic
      • based on multiple variety of things
      • Word, Phrase, URL!!

    • Policing & Shaping:
      • The Provider - Client Relation

    • Policing:
      • From the Provider side
      • Drop the exceeding ingress (Coming) traffic
      • or mark-down that traffic, to be dropped later in the network

    • Shaping:
      • From the Client side
      • To avoid misunderstanding, or unwanted behavior with the provider
      • Queues the excess egress (Outgoing) traffic in the 'Egress Queue'
      • This is called 'Queuing'

    • Queuing:
      • Dividing the Egress Queue, to multiple sub-queues
      • Each, is differentiated by 'Priority'
      • To deal with classified packets

    • Scheduling:
      • How to empty the sub-queues, by which criteria

    • Congestion Management:
      • Tools for Queuing and Scheduling
      • Emptying the Queued traffic in the egress queue
      • Weighted Fair Queuing (WFQ), Class-Based Weighted Fair Queuing (CBWFQ), Priority Queuing (PQ), Low-Latency Queuing (LLQ), Weighted Round Robin (WRR), Shaped Round Robin (SRR), Shaping

    • Congestion Avoidance:
      • Tools to avoid congestion
      • Before even happening
      • At the ingress interface/s (receiving queue)
      • Random Early Detection (RED), Weighted Random Early Detection (WRED), Weighted Tail Drop (WTD), Policing

    • QoS Application in a Network:
      • Integrated Services:
        • unified settings all the way
        • uses The Resource Reservation Protocol (RSVP)
      • Differentiated Services:
        • each hop has its unique settings
        • uses 'Per-Hop Behavior' (PHB)

    QoS Policies:

    • Modular QoS Command-line (MQC)
      • applying the QoS tools globally
      • multiple tools will be available for multiple ports/uses
      • requires 3 components to operate
        • Class-Maps
        • Policy-Maps
        • Service-Policies

    • Class-Maps:
      • create a list, that identifies/matches some characteristics of a traffic
      • classify those 'matched' traffic
      • to provoke this list to operate, will need a 'Policy-Map'

    • Policy-Maps:
      • MATCH a Class-Map
      • to apply a specific action to its traffic (queue it, shape it, police it...)
      • the same Class-Map can be matched multiple times on multiple interfaces
      • each time, a different 'action' will be taken!
      • to apply a 'Policy-Map' to an interface/s
      • will need a 'Service-Policy'

    • Service-Policy:
      • apply a 'Policy-Map' to an interface
      • either 'INBOUND' or 'OUTBOUND'

    Switching Mechanisms:

    Device Processing vs Cisco Express Forwarding (CEF):

    • Process:
      • processing the incoming ingress traffic
      • to switch it, to the desired egress outgoing interface
      • done by the CPU
      • even if the CPU is very busy
      • known as 'IP Input'

    • CEF:
      • establish an area to store pre-defined decisions, as a reference
      • that area = Cache Area
      • will be automatically done whenever a new protocol is enabled
      • creates FIB & Adjacency Table
      • not exactly everything is CEF switched (a first time ARP, CDP, Encryption)

    FIB vs. RIB:

    • Forwarding Information Base (FIB):
      • extracted from the 'RIB'
        • Routing Information Base
        • The Routing Table
      • it is the Routing Table of the CEF
      • always syncs with the RIB (Routing Table)
      • less details
        *some operations are handled by the Adjacency Table
        • for L2 info (ARP, VLAN, MAC)

    CAM (MAC Table) vs. TCAM:

    • Content Addressable Memory (CAM):
      • a random memory
      • stores MAC Addresses
      • used for lookups (by the forwarding engine)
      • MACs are represented as 'MAC Table'

    • Ternary Content Addressable Memory (TCAM):
      • also, a random memory
      • stores IP Addresses and subnet masks
      • used for Longest match lookups
      • Addresses and masks are represented as 'Routing Table'

    Virtualization:

    Device Virtualization:
    • Just Networks, BUT in Virtualized Environment
    • Multiple Devices inside One
    • Ease of Management

    • The Hypervisor: The new Mediator between SW/HW
    • Load the Hypervisor on the Physical HW, after that install OS on the Hypervisor
    • Now the Hypervisor = Host, and the OS = Virtual Machines = Guest

    • Hypervisors:
      • Schedules the VMs requests to the HW
      • Distributes the HW resources between the VMs

    • Hypervisors Types:
      • Type1:
        • The Native or Bare Metal
        • Runs directly on the HW resources
        • HW --- Hypervisor --- VM
        • Citrix XEN, Oracle VM, Microsoft Hyper-V, VMware ESX/ESXi
      • Type2:
        • Hosted
        • Runs as a SW besides the OS
        • HW --- OS --- hypervisor
        • VMware Workstation, Virtual Box

    • How to connect all these?
    • Virtual Switches:
      • Connects all VMs Together like a Real Switch
      • Assigns a Virtual Network Interface Card (V.NIC) for each VM
      • Exists by default in Hypervisors Type1
      • After Creating a V.Switch & V.NIC, all VMs will automatically get connected together
      *also, can create Port Group for Complete Isolating (like VLANs)
      *there is another V.NIC for each VM (for Internet)
    • Examples:
      • Microsoft Hyper-V
      • ESXi VSwitch

    1. In a Cisco SD-Access solution, the Identity Services Engine (ISE) is leveraged for dynamic endpoint to group mapping and policy definition.

    2. OSPF:
      • link state routing protocol
      • makes it easy to segment the network logically
      • constructs three tables as part of its operation: neighbor table, topology table, and routing table
      • metric is calculated on bandwidth only
      EIGRP:
      • distance vector routing protocol
      • supports unequal path load balancing
      • metric is based on delay and bandwidth by default
    B-)
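The Policing and Shaping bullets above describe the same token bucket used two ways: the policer drops (or marks down) excess traffic immediately, while the shaper queues it and releases it at the committed rate. The following is an added example, not code from the post, that simulates both on a constructed burst; the committed rate, burst size, packet arrivals and the `police`/`shape` function names are assumptions made for the demo.

```python
"""Single-rate token-bucket policer versus shaper. Added example, not from
the post; CIR/Bc and the packet arrivals are constructed values."""


def police(arrivals, cir_bps, bc_bytes):
    """Policer: tokens refill at CIR up to Bc. A packet that fits the bucket
    conforms; one that does not is dropped (or marked down) on the spot, so
    the policer never buffers and never adds delay."""
    tokens, last = float(bc_bytes), 0.0
    conform, exceed = [], []
    for t, size in arrivals:                     # arrivals sorted by time
        tokens = min(bc_bytes, tokens + (t - last) * cir_bps / 8)  # refill since last packet
        last = t
        if size <= tokens:
            tokens -= size
            conform.append((t, size))
        else:
            exceed.append((t, size))
    return conform, exceed


def shape(arrivals, cir_bps, bc_bytes):
    """Shaper: the same bucket, but an excess packet waits in the egress queue
    until enough tokens accumulate. Nothing is dropped; delay is added."""
    tokens, last, prev_departure = float(bc_bytes), 0.0, 0.0
    departures = []
    for t, size in arrivals:
        now = max(t, prev_departure)                      # FIFO: wait for the previous packet
        tokens = min(bc_bytes, tokens + (now - last) * cir_bps / 8)
        if size > tokens:
            wait = (size - tokens) * 8 / cir_bps          # time to earn the missing tokens
            now += wait
            tokens = float(size)
        tokens -= size
        last = prev_departure = now
        departures.append((t, now, size))                 # (arrived, departed, bytes)
    return departures


CIR_BPS, BC_BYTES = 8_000, 1_500   # constructed: 8 kbit/s committed rate, 1500-byte burst
# Constructed burst: three packets back to back at t=0, one more two seconds later
ARRIVALS = [(0.0, 1500), (0.0, 1000), (0.0, 500), (2.0, 1000)]


def demo():
    conform, exceed = police(ARRIVALS, CIR_BPS, BC_BYTES)
    shaped = shape(ARRIVALS, CIR_BPS, BC_BYTES)
    return {
        "policer_conform": conform,
        "policer_dropped": exceed,
        "shaper_delays": [round(dep - arr, 3) for arr, dep, _ in shaped],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the same bucket the policer lets 2 of the 4 packets through and drops the rest, while the shaper delivers all 4 but holds the second and third for 1.0 s and 1.5 s; that delay is why shaping suits the client side (smooth the burst before the provider polices it) and policing suits the provider side.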


  • Data Path Virtualization:

    Virtual Routing & Forwarding (VRF):
    • For Service Providers
    • With multiple clients
    • isolate each client in a 'Routing Table'
    • for duplicated addresses
    • requires ISP's network
      • MPLS, VPN, L3VPN, BGP

    • BUT, for Enterprises:
      • VRF-Lite > Lab 1: www.youtube.com/watch?v=338nrzH_MvU
      • No Extra VPN protocols
      • classic routing protocols can be used

    Generic Route Encapsulation (GRE): Lab 2: www.youtube.com/watch?v=33dkYlp-H18
    • Virtually create a P2P path
    • Virtually isolate some traffic in a path
    • Across multiple hops
    • Data will be 'Encapsulated' at L3
    • Source and Destination ports should be specified
    • Virtual ports will be created on Tunnel ends

    image
    Internet Protocol Security (IPSec): Lab 3: www.youtube.com/watch?v=HUvWbd0dflE
    • packets travels unsecured
    • any sniffer, analyzer, can read data!
    • IPSec is a bunch of tools:
      • pick the set like to secure data
      • Confidentiality: Encrypt the data all the way
      • Data Integrity: Guarantees delivering original data
      • Authentication: only the trusted ends can communicate
      • Anti-Replay: only regenerated or duplicated packets

    • To provide and establish all the CIA and R:
      • Security Associations (SA) will be exchanged between the peers
      • things like (tools, algorithms, protocols, and keys) will be discussed

    • Security Associations Parameters:
      • hashing: redistributing data by using an algorithm (MD5, SHA)
      • encryption: locking data by using a 2-way algorithm
      • shared passwords
      • all of the above is either statically configured, or dynamically (IKE)

    • Static means that every parameter is defined manually

    • Dynamic (Internet Key Exchange, IKE):
      • a group of SA's
      • end tunnels will negotiate their accepted SA's
      • IKE has versions 1 and 2
      • IKEv1 creates 2 Tunnels (in 2 phases):
        • Phase1: establish an authenticated tunnel, it requires:
          • authentication (PSK (requires Password) or PKI)
          • encryption (DES, 3DES, or AES)
          • hash (SHA or MD5)
          • DH group
          • lifetime (optional)
        • Phase2: negotiates SA's between end points
          • (Destination, Data, and Transport Method)

    Network Virtualization:

    • Locator/ID Separation Protocol (LISP):
      • also, a tunneling protocol (like GRE)
      • establish a tunnel between edge routers and the WAN
      • separates location from identity:
        • identity: IP Address of the host (Endpoint ID, EID)
        • location: IP Address of the host's GW (Routing Locator, RLOC)
          RLOC = the address facing the WAN
      • useful in the case of:
        • load sharing with the provider (multi-homed)
        • tunneling IPv6 over IPv4 infrastructure
        • other VPN uses
      • there are 2 required devices to perform the separation and the mapping (map this EID to that RLOC)
        • a map server (MS), and a map resolver (MR)
        • can be combined in a single device

      • CCNP-CCIE Enterprise : Overview of LISP:
        www.youtube.com/watch?v=k_gsBGkF624

      • [CCNP ENCOR] Let's get to know Cisco LISP and understand the basics of how it works:
        www.youtube.com/watch?v=ixHWZj2qnGo

    • Virtual Extensible Local Area Network (VxLAN):
      • a tunneling protocol
      • for data centers
      • replaces VLAN as it gives 2^24 = 16,777,216 VLANs
      • transport L2 over L3
      • extends L2 connectivity over L3 infrastructure
      • supports ECMP over CLOS (spine and leaf)
      • requires L2GW and L3GW
      • can use the same VxLAN number on multiple sites
      • thus, the same broadcast domain will be stretched between sites

    Infrastructure:

    Layer 2 Infrastructure Technologies:

    Static and Dynamic 802.1q trunking protocols: Lab 4: www.youtube.com/watch?v=OuvChBZDdOE
    • Static is to configure every port as either:
      • Auto (default): waiting for the other side to negotiate
      • Desirable: starts negotiating trunking
    • Dynamic (enabled by default):
      • only requires one side to enable trunking
      • negotiations will dynamically
      • negotiations can be 'Disabled'

    Static and Dynamic EtherChannels: Lab 5: www.youtube.com/watch?v=qre-Lc-qEcM
    • EtherChannels are supported on Cisco Switches
    • supporting both LACP and PAgP negotiations protocols
    • those are the static negotiation etherchannel protocols
    • LACP uses:
      • Active: initiates bundling negotiations
      • Passive: waits for other side to initiate
    • PAgP uses:
      • Desirable: initiates bundling negotiations
      • Auto: waits for other side to initiate
    • Dynamic:
      • Mode ON: no negotiations, direct bundling (mostly L3)

    1. When using Transport Layer Security (TLS) for syslog, 'logging host 10.2.3.4 vrf mgmt transport tcp port 6514' configuration allows for secure and reliable transportation of messages to its default port.

    2. The TOS field in the Layer 3 header is used to perform QoS packet classification.

      image

    3. At Northbound APIs Layer, Cisco DNA Center support REST controls.

      image
    4. How to configure eBGP (external BGP):

      image
      R1(config)# router bgp 1
      R1(config-router)# neighbor 192.168.12.2 remote-as 2
      R1(config-router)# network 1.1.1.0 mask 255.255.255.0

      R2(config)# router bgp 2
      R2(config-router)# neighbor 192.168.12.1 remote-as 1
      R2(config-router)# network 2.2.2.0 mask 255.255.255.0

      With BGP, must advertise the correct network and subnet mask in the 'network' command (in this case network 1.1.1.0/24 on R1 and network 2.2.2.0/24 on R2). BGP is very strict in the routing advertisements. In other words, BGP only advertises the network which exists exactly in the routing table. In this case, if put the command 'network x.x.0.0 mask 255.255.0.0' or 'network x.0.0.0 mask 255.0.0.0' or 'network x.x.x.x mask 255.255.255.255' then BGP will not advertise anything.
    B-)
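The VxLAN bullets above state that the VNI replaces the VLAN ID and gives 2^24 = 16,777,216 segments, and that VTEPs encapsulate and de-capsulate frames. The following is an added example, not code from the post, that builds and parses the 8-byte VXLAN header from RFC 7348 (flags, reserved, 24-bit VNI, reserved) over a constructed inner Ethernet frame; the `vxlan_encap`/`vxlan_decap`/`build_inner_frame` names and sample values are assumptions made for the demo.

```python
"""VXLAN (RFC 7348) header build/parse showing the 24-bit VNI that yields
2^24 segments. Added example; the inner Ethernet frame is constructed."""
import struct

VXLAN_UDP_PORT = 4789           # IANA-assigned destination port for VXLAN
VXLAN_FLAG_I = 0x08             # "I" bit: the VNI field is valid
VNI_COUNT = 1 << 24             # 16,777,216 possible segments


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < VNI_COUNT:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    # The VNI occupies the top 24 bits of the final 32-bit word; the low byte is reserved (0)
    header = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)
    return header + inner_frame


def vxlan_decap(payload: bytes):
    """Return (vni, inner_frame). The I bit must be set; reserved bits are
    ignored on receipt, as the RFC requires."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_word = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI flag (I bit) not set")
    return vni_word >> 8, payload[8:]


def build_inner_frame(dst_mac: bytes, src_mac: bytes, payload: bytes) -> bytes:
    """Minimal inner Ethernet frame (constructed), EtherType 0x0800 (IPv4)."""
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + payload


def demo():
    frame = build_inner_frame(b"\xaa" * 6, b"\xbb" * 6, b"constructed-ipv4-payload")
    vni = 5000                                   # constructed segment number
    packet = vxlan_encap(vni, frame)
    got_vni, got_frame = vxlan_decap(packet)
    return {
        "header_len": len(packet) - len(frame),
        "vni": got_vni,
        "roundtrip": got_frame == frame,
        "vni_count": VNI_COUNT,
    }


if __name__ == "__main__":
    print(demo())
```

The header is only 8 bytes, but the encapsulating VTEP adds outer Ethernet, IP and UDP (port 4789) headers on top of it, which is why the overlay MTU has to be reduced or the underlay MTU raised.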

  • Common Spanning Tree Protocols (STP): Lab 6: www.youtube.com/watch?v=g3UlDOX0ePA
    • Need redundancy, but there will be a broadcast message!
    • What will happen?
    • Then how can prevent what is called a 'LOOP',
      AKA 'Broadcast Storm'?
    • STP requires election to be performed first
    • The Winner must be: 1-Lowest Priority, 2-Lowest MAC Address
    • After that port roles and states will happen:
      • Designated Port: Forwarding state
      • Root Port: Forwarding State
      • Alternative / Non-designated Port: Blocking State
    • The entire process of election takes (30 - 50) Seconds
      Max Age = 20 + (Forwarding Delay = 15) + (Learning Delay = 15) = 50 Seconds

    image

    • In order to speed things up:
      • Rapid STP: NO Listening, NO Blocking,
        only (Discard, Forwarding, Learning)
      • Then delay will become = 3 + 3 = 6 Seconds
      • What is the BIG benefit of Redundancy then!! If STP is blocking ports:
        • There will be a Per-VLAN STP (PVST)
        • Each VLAN can have an ELECTION!!
        • Each VLAN will have its own root!
        • Things are much better now
        • Specially that there is a RPVST+ (faster)!
      • RPVST+ can be further simplified by using MST:
        Lab 7: www.youtube.com/watch?v=cCJqM6ESfNQ
        • Instances (Groups) that requires domain names/revision numbers
        • each instance will have its own Tree

    Layer 3 Infrastructure Technologies:

    Enhanced Interior Gateway Routing Protocol (EIGRP):
    • A Hybrid Protocol
    • classified as a 'Distance Vector (D.V.)' protocol
    • it does combine both the D.V. and Link State (L.S.) methods of measuring the metric
    • IP Protocol = 88
    • Diffusing Update Algorithm (DUAL)
    • AD = 90
    • Metric = Result of the 5K's formula:
      256 * ( (K1*Bandwidth) + ((K2*Bandwidth)/(256-Load)) + (K3*Delay) ) * (K5/(Reliability + K4))
    • The default 'K Values':

      image
      So = 256 x ( Bandwidth + Delay )

    • Bandwidth is per link, while Delay is cumulative

    • EIGRP will apply the formula to elect its main path
    • for redundant paths, Feasibility Condition (FC) is used:
      • the main path is the lowest metric calculated among available paths:
        • The Feasible Distance (FD)
        • Successor
      • the redundant path is the lowest 'Advertised' metric from the neighbor!:
        • The Reported/Advertised Distance (RD)
        • Feasible Successor (FS)
      • only those paths can be used for Unequal Cost Load Distribution (UCLD)
      • which requires the activation of 'variance'
    • Lab 8: EIGRP:
      www.youtube.com/watch?v=Iu1JKLhnYgk
      www.youtube.com/watch?v=wbNqF9uaAmg

    Open Shortest Path First (OSPF):
    • Link State Protocol
    • Dijkstra algorithm
    • SPF algorithm for route decision
    • AD = 110
    • Metric = Cost (less = Better)
    • Process ID for multiple instances
    • Area ID for Data Base isolation

    • Link-State Advertisements: negotiation between OSPF Routers, it contains:
      • LSRequest: provide the missing Information
      • LSUpdate: reply for the LSR
      • LSAcknowledgement: reply for the LSU
    • Neighboring Process:

    image
    Database Description (DD)

    1. A company plans to implement intent-based networking in its campus infrastructure. A two-tier design facilitates a migration from a traditional campus design to a programmable fabric design.

    2. LISP components:
      • map server: network infrastructure component that learns of EID-prefix mapping entries from an ETR
      • map resolver: accepts LISP encapsulated map requests
      • ITR: receives packets from site-facing interfaces
      • ETR: de-encapsulates LISP packets coming from outside of the LISP site to destinations inside of the site
      • proxy ETR: receives traffic from LISP sites and sends it to non-LISP sites
      • EID: IPv4 or IPv6 address of an endpoint within a LISP site

    3. Multiple virtual servers can be deployed on the same physical server without having to buy additional hardware is a benefit of a virtual machine when compared with a physical server.

    4. VxLAN characteristics:
      • It uses VTEPs to encapsulate and de-capsulate traffic frames into and out of the VxLAN fabric
      • Allows for up to 16 million VxLAN segments

    5. Cisco DNA center application Policy is responsible for group-based access control permissions.

    6. The REST API relies on the HTTPS protocol to secure the communication channel.
      The REST API accepts and returns HTTP (not enabled by default) or HTTPS messages that contain JavaScript Object Notation (JSON) or eXtensible Markup Language (XML) documents. Can use any programming language to generate the messages and the JSON or XML documents that contain the API methods or Managed Object (MO) descriptions.

    7. Refer to the exhibit. An engineer must deny HTTP traffic from host A to host B while allowing all other communication between the hosts.

      image

      SW1(config)# ip access-list extended DENY-HTTP
      SW1(config-ext-nacl)# deny tcp host 10.1.1.10 host 10.1.1.20 eq www

      SW1(config)# ip access-list extended MATCH_ALL
      SW1(config-ext-nacl)# permit ip any any

      SW1(config)# vlan access-map HOST-A-B 10
      SW1(config-access-map)# match ip address DENY-HTTP
      SW1(config-access-map)# action drop

      SW1(config)# vlan access-map HOST-A-B 20
      SW1(config-access-map)# match ip address MATCH_ALL
      SW1(config-access-map)# action forward

      SW1(config)# vlan filter HOST-A-B vlan 10

    8. TLS, when using RESTCONF to write configurations on network devices, is provided by NGINX acting as a proxy web server.

    9. The wireless client device makes the decision to roam.

    10. A network administrator applies the following configuration to an IOS device.
      aaa new-model
      aaa authentication login default local group tacacs+

      A local database is checked first. If that check fails, a TACACS+ server is checked.

    11. Considerations when using SSO as a network redundancy feature:
      • must be combined with NSF to support uninterrupted Layer 3 operations
      • requires synchronization between supervisors in order to guarantee continuous connectivity
      The access layer typically provides Layer 2 services, with redundant switches making up the distribution layer. The Layer 2 access layer can benefit from SSO deployed without NSF. Some Enterprises have deployed Layer 3 routing at the access layer. In that case, NSF/SSO can be used.
      Cisco IOS NonStop Forwarding (NSF) always runs with stateful switchover (SSO) and provides redundancy for Layer 3 traffic.

    12. Uplink and downlink Orthogonal Frequency Division Multiple Access (OFDMA) is the new enhancement that was implemented in Wi-Fi 6.

    13. The WLC sends syslog level errors and greater severity messages to the syslog server.
    B-)
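The EIGRP section above gives the 5-K metric formula, its default reduction to 256 x (Bandwidth + Delay), and the Feasibility Condition (a Feasible Successor's Reported Distance must be below the successor's Feasible Distance, and only such paths can be used for unequal-cost load distribution via variance). The following is an added example, not code from the post, that carries that computation through on a constructed three-neighbor topology; the neighbor names, link values and the `eigrp_metric`/`via`/`select_paths` helper names are assumptions made for the demo.

```python
"""Classic EIGRP composite metric, Feasibility Condition and variance.
Added example, not from the post; the neighbor/link values are constructed."""
from dataclasses import dataclass

DEFAULT_K = (1, 0, 1, 0, 0)          # K1..K5 defaults: bandwidth and delay only


def eigrp_metric(min_bw_kbps, total_delay_us, load=1, reliability=255, k=DEFAULT_K):
    """Classic (32-bit) metric. Bandwidth term = 10^7 / slowest link in kbit/s,
    delay term = cumulative delay in tens of microseconds, both truncated as IOS does."""
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min_bw_kbps
    delay = total_delay_us // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:                       # K5 = 0 means the reliability term is skipped
        metric = metric * k5 // (reliability + k4)
    return 256 * metric               # with defaults: 256 * (Bandwidth + Delay)


@dataclass(frozen=True)
class Candidate:
    neighbor: str
    rd: int   # Reported Distance: the metric the neighbor itself advertises
    fd: int   # our metric to the destination through this neighbor


def via(neighbor, nbr_min_bw, nbr_delay_us, link_bw, link_delay_us):
    """Build a Candidate from the neighbor's own path plus our link to it:
    bandwidth is the minimum along the path, delay is cumulative."""
    rd = eigrp_metric(nbr_min_bw, nbr_delay_us)
    fd = eigrp_metric(min(nbr_min_bw, link_bw), nbr_delay_us + link_delay_us)
    return Candidate(neighbor, rd, fd)


def select_paths(cands, variance=1):
    """Successor = lowest FD. Feasible Successor = any other path whose RD is
    below the successor's FD (the loop-free guarantee). With variance > 1,
    feasible successors whose FD < variance * successor FD are also installed."""
    successor = min(cands, key=lambda c: c.fd)
    feasible = [c for c in cands if c is not successor and c.rd < successor.fd]
    installed = [successor] + [c for c in feasible if c.fd < variance * successor.fd]
    return successor, feasible, installed


# Constructed topology: three neighbors offer 10.0.0.0/24
# (10_000 kbps = Ethernet, 100_000 = FastEthernet, 1_544 = T1)
CANDIDATES = [
    via("R2", nbr_min_bw=10_000, nbr_delay_us=1_000, link_bw=10_000, link_delay_us=1_000),
    via("R3", nbr_min_bw=10_000, nbr_delay_us=1_000, link_bw=1_544, link_delay_us=20_000),
    via("R4", nbr_min_bw=1_544, nbr_delay_us=20_000, link_bw=100_000, link_delay_us=100),
]


def demo(variance=8):
    successor, feasible, installed = select_paths(CANDIDATES, variance)
    return {
        "t1_metric": eigrp_metric(1_544, 20_000),
        "successor": successor.neighbor,
        "feasible_successors": [c.neighbor for c in feasible],
        "installed": [c.neighbor for c in installed],
        "metrics": {c.neighbor: (c.rd, c.fd) for c in CANDIDATES},
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The interesting case is R4: its total metric through us (2,172,416) is actually lower than R3's (2,195,456), yet only R3 is a Feasible Successor, because R4's Reported Distance (2,169,856) is not below the successor's FD (307,200). Variance 8 installs R3 alongside R2; variance 7 does not, since 2,195,456 is more than 7 x 307,200.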

    • Link State Advertisements (LSA's):
      • multiple types
      • depends on the advertisement they are doing
        • LSA Type.1 (Router LSA): investigates local OSPF connections
        • LSA Type.2 (Network LSA): investigates local OSPF connections for a DR
        • LSA Type.3 (Network Summary LSA): for ABR to reach links in Areas
        • LSA Type.4 (ASBR Summary LSA): for ABR to reach ASBR's
        • LSA Type.5 (External LSA): for ASBR redistribution
        • LSA Type.7 (NSSA External LSA): for ASBR NSSA

    image
    • OSPF Neighbor Types:
    • A Neighboring router can be a P2P neighbor
      • in this case no problems
    • or can be connected through a 'SWITCH'!!
      • broadcast will happen
      • elections must take place
      • only One router should update the topology (DR)

    • a DR (Designated Router): Highest Router Priority (0-255), Def=128
      • Or Highest Router ID
        • Router ID (R.ID): 32-bit Address
      • DR needs BDR (second best of everything)

    image
    • Lab 9: OSPF (Multi-Area):
      www.youtube.com/watch?v=6WxhIillLS4
      www.youtube.com/watch?v=L50UciVV77o
    • Reference bandwidth = 100Gbps:
      • 100Gbps: OSPF Cost = 1
      • 40Gbps: Cost = 2.5
      • 25Gbps: Cost = 4
      • 10Gbps: Cost = 10
      • Gigabit Ethernet: Cost = 100
      • Fast Ethernet: Cost = 1,000
      • Ethernet: Cost = 10,000
    • Lab 10: OSPF DR: www.youtube.com/watch?v=_Y4HnqauMtc

    • OSPF Summarization:
      • To make all the routers in all the Areas be able to communicate
      • LSDB's must synchronize
      • routes and advertisements must be exchanged
      • some Routers will receive 'Too Much' information about other Areas
      • utilizing more resources
      • this can be Filtered (ON ABR's)
        • just summarize some prefixes and advertise one prefix instead
        • done by generating a Type.3 LSA
        • or, filter these prefixes by not generating Type.3 LSA to the other router
      • Lab 11: youtu.be/boKqqySahvU?t=262

    Border Gateway Protocol (BGP):
    • the only WAN routing protocol
    • developed from EGP
    • uses TCP 179
    • isolates peering from neighbor advertising
    • needs ASN's to operate
    • can be used internally (iBGP) or externally (eBGP)
    • flexible to apply filters, maps, polices, and attributes
    • AD eBGP = 20/iBGP 200

      image

    • Metric = Attributes
    • Attributes affect path selection for packets

    • BGP Attributes:
      1. Next-hop
      2. Weight - Highest
      3. Local Preference - Highest
      4. Locally originated
      5. AS-Path - Shortest
      6. Origin
      7. MED - Lowest
      8. External over Internal
      9. IGP Metric to Next-Hop
      10. Multipath

    • BGP Neighbor Relationships:

    image
    Lab 12: www.youtube.com/watch?v=pta39udBnUQ

    1. Locator Id Separation Protocol (LISP) is a network architecture and protocol that implements the use of two namespaces instead of a single IP address:
      • Endpoint IDentifiers (EIDs) - assigned to end hosts.
      • Routing LOCators (RLOCs) - assigned to devices (primarily routers) that make up the global routing system.

    2. IPsec over GRE example configuration:

      ip access-list extended GRE
       permit gre any any
      !
      crypto isakmp policy 10
       encr 3des
       hash md5
       authentication pre-share
       group 5
      !
      crypto isakmp key III-PSK-En address 192.168.200.2  
      !
      crypto ipsec transform-set III-P2-Trans esp-aes esp-sha-hmac
       mode tunnel
      !
      crypto map III-P2-Map 10 ipsec-isakmp
       set peer 192.168.200.2
       set transform-set III-P2-Trans
       match address GRE
      !
      interface Ethernet0/0
       description outside_interface
       ip address 192.168.100.2 255.255.255.0
       crypto map III-P2-Map
      !
      interface Tunnel1
       ip address 172.16.10.1 255.255.255.252
       ip mtu 1400
       tunnel source Ethernet0/0
       tunnel destination 192.168.200.2
      !
      ip route 10.20.0.0 255.255.255.0 Tunnel1 172.16.10.2

    3. # show interfaces ethernet 0/0 switchport
      Administrative Mode: dynamic desirable => need desirable mode one side to activate the trunk
      Negotiation of Trunking: On => need on both sides to re-enable with the 'no switchport nonegotiate' command


    4. An outbound QoS policy applied on a router WAN interface is most beneficial under traffic classification and marking conditions.

    5. Sensor access point mode allows a supported AP to function like a WLAN client would, associating and identifying client connectivity issues.
      As these wireless networks grow especially in remote facilities where IT professionals may not always be onsite, it becomes even more important to be able to quickly identify and resolve potential connectivity issues ideally before the users complain or notice connectivity degradation. To address these issues we have created Cisco's Wireless Service Assurance and a new AP mode called 'sensor' mode. Cisco's Wireless Service Assurance platform has three components, namely, Wireless Performance Analytics, Real-time Client Troubleshooting, and Proactive Health Assessment. Using a supported AP or dedicated sensor the device can actually function much like a WLAN client would associating and identifying client connectivity issues within the network in real time without requiring an IT or technician to be on site.

    6. The goal of the Cyber Threat Defense solution is to introduce a design and architecture that can help facilitate the discovery, containment, and remediation of threats once they have penetrated into the network interior.

      Cisco Cyber Threat Defense version 2.0 makes use of several solutions to accomplish its objectives:

      NetFlow and the Lancope StealthWatch System:
      • Broad visibility
      • User and flow context analysis
      • Network behavior and anomaly detection
      • Incident response and network forensics

      Cisco FirePOWER and FireSIGHT:
      • Real-time threat management
      • Deeper contextual visibility for threats bypassing the perimeters
      • URL control

      Advanced Malware Protection (AMP):
      • Endpoint control with AMP for Endpoints
      • Malware control with AMP for networks and content

      Content Security Appliances and Services:
      • Cisco Web Security Appliance (WSA) and Cloud Web Security (CWS)
      • Dynamic threat control for web traffic
      • Outbound URL analysis and data transfer controls
      • Detection of suspicious web activity
      • Cisco Email Security Appliance (ESA)
      • Dynamic threat control for email traffic
      • Detection of suspicious email activity

      Cisco Identity Services Engine (ISE):
      • User and device identity integration with Lancope StealthWatch
      • Remediation policy actions using pxGrid
    B-)

  • IP Services:

    Network Time Protocol (NTP):
    • devices have to stay synchronized
    • gives precise time and date information
    • either by setting the internal clock manually
    • or by asking another device for the time
    • uses UDP 123

    • each network device can be either a Server or a Client
    • Stratum is needed:
      • indicates how preferred and accurate this source is
      • ranges from 0 to 15
      • the closer to 0, the better
      • by default: a Cisco router configured as an NTP master = 8

    Network Address Translation (NAT):
    • Private IP addresses must not go to the Internet!
    • Public IP addresses should not be assigned to private devices!
    • Then!!, NAT will translate Private to Public and vice-versa
      NAT is done 'ONLY' 'ONLY' by Routers, not Switches, not MultiLayer Switches (MLSs)

    • it can be:
      Static: one-to-one translation
      Dynamic: group-to-group translation
    • also, this did not solve everything; IP exhaustion is still there
      • so here comes Port Address Translation (PAT)
      • also called Network Address Port Translation (NAPT), or NAT Overload
    • PAT will do a one-to-65,535 translation!!
    Lab 13: www.youtube.com/watch?v=bwUlDR1Kpp0

    First Hop Redundancy Protocol (FHRP):
    • what if the gateway went down!!
    • a redundant gateway must be there
    • but how to redirect the requests from one to another?
    • how many back-ups can there be?
    • the protocols that do this:

    • Hot Standby Router Protocol (HSRP):
      • Cisco Only
      • 2 Gateways
      • No Load-Balancing

    • Virtual Router Redundancy Protocol (VRRP):
      • Open Standard
      • 2 Gateways
      • No Load-Balancing

    • Gateway Load-Balancing Protocol (GLBP):
      • Cisco Only
      • 4 Gateways
      • Load-Balancing

    • Lab 14: www.youtube.com/watch?v=ttiwhNVQesc

    Multicast:
    • one-to-group transmission
    • only one sender, but multiple 'specific' receivers
    • better than having multiple senders and multiple receivers
    • the one sender will send only 1 packet to a Multicast Router
    • the multicast router will 'Replicate' the packet to multiple destinations
    • The Multicast Router = 'Rendezvous Point' (RP)

    • so, the entire operation will be done by the multicast router
    • in order to assign specific receivers, create a 'Group'
    • and 'join' the receivers and that one sender to the group
    • uses the IPv4 block 224.0.0.0/4 (224.0.0.0 - 239.255.255.255)
    • uses the MAC range 0100.5E00.0000 - 0100.5E7F.FFFF
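    The address mapping behind the IP and MAC ranges above, as an added Python example that is not part of the original notes: a group address is mapped to 01:00:5e plus its low 23 bits, so 32 group addresses share one MAC and a host's NIC filter alone cannot tell them apart. The helper names are assumptions of this example.

```python
import ipaddress

MAC_PREFIX = 0x01005E000000   # 01:00:5e:00:00:00, the multicast OUI with bit 24 fixed to 0
LOW_23_BITS = 0x7FFFFF
IGNORED_BITS = 0x0F800000     # bits 23-27 of the group address are dropped by the mapping
SSM_BLOCK = ipaddress.IPv4Network("232.0.0.0/8")
LINK_LOCAL_BLOCK = ipaddress.IPv4Network("224.0.0.0/24")


def multicast_mac(group: str) -> str:
    """Map an IPv4 group address to its 01:00:5e:xx:xx:xx Ethernet address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    mac = MAC_PREFIX | (int(addr) & LOW_23_BITS)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(group: str) -> list:
    """All 32 group addresses that collide on the same multicast MAC."""
    base = int(ipaddress.IPv4Address(group)) & ~IGNORED_BITS
    return [str(ipaddress.IPv4Address(base | (i << 23))) for i in range(32)]


def describe(group: str) -> dict:
    """Summary a practitioner wants when reading a 'show ip igmp groups' entry."""
    addr = ipaddress.IPv4Address(group)
    return {
        "group": group,
        "mac": multicast_mac(group),
        "link_local": addr in LINK_LOCAL_BLOCK,   # 224.0.0.x: never forwarded by routers
        "ssm": addr in SSM_BLOCK,                 # (S, G) only, no RP needed
    }


if __name__ == "__main__":
    for g in ("224.0.0.5", "232.1.1.1", "239.255.255.255"):
        print(describe(g))
    print(groups_sharing_mac("224.1.1.1"))
```

    The 32-to-1 overlap is why a receiver that joined 224.1.1.1 will also pull 225.129.1.1 frames up to its IP stack, which then drops them; IGMP snooping on the switch works on the group address, not only the MAC, so it does not have this ambiguity.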

    • Two types of protocols are needed
    • Protocol that joins the receivers to the Group:
      • Internet Group Management Protocol (IGMP):
        • responsible for joining the receivers with the Rendezvous point
        • tells the RP that some receivers want to receive from '224.X.X.X'
        • BUT, those receivers have no idea about the sender
        • IGMP comes in 3 versions:

          • IGMPv1 (obsolete)

          • IGMPv2 (default of Cisco):
            • builds a shared tree
            • creates (*, G)

          • IGMPv3:
            • builds shortest path tree (SPT)
            • creates (S, G)
            • uses Source Specific Multicast (SSM)
            • SSM Block = 232.0.0.0/8
            • SSM informs the receivers about the sender
            • NO need for RP

    • Also, a Routing Protocol is needed:
      • Protocol Independent Multicast (PIM):
        • routes between receivers' routers and RP
        • requires IGP
        • v2 is default
        • 2 Modes:
          • Dense Mode: like broadcast (obsolete)
          • Sparse Mode: connects the receiver's router to the RP

    Network Assurance:

    Network Problems Diagnosing Tools:

    • Ping uses ICMP: Echo Request & Echo Reply
    • Traceroute uses UDP

    • Debug:
      • detailed information about behind the scenes operations
      • it supports and shows everything of almost every protocol
    • Conditional Debug:
      • more specific
      • detailed information about a specific operation, BUT, per interface / per address / etc.
    • Lab 15: www.youtube.com/watch?v=4gGCRfuULok

    SNMP & SYSLOG:
    • Simple Network Management Protocol (SNMP)
    • Monitor Networks from a single point of view
    • Server/Agent Relationship
    • uses UDP 161
    • the server is the requester (and recorder)

    • at the agent side:
      • MIB Object (The Factory)
      • Agent (The Messenger)
    • SNMP versions:
      • v1: obsolete
      • v2c: enhanced
      • v3: supports Authentication & Encryption


    1. The system log message:
      %TUN-RECURDOWN Interface Tunnel 0 temporarily disabled due to recursive routing
      is presented after a network administrator configures a GRE tunnel because the best path to the tunnel destination is through the tunnel itself.

    2. The main function of VRF-lite is to segregate multiple routing tables on a single device.

    3. Refer to the exhibit:

      image

      An engineer must deny Telnet traffic from the loopback interface of router R3 to the loopback interface of router R2 during the weekend hours. All other traffic between the loopback interfaces of routers R3 and R2 must be allowed at all times. The commands that accomplish this task are:

      R1(config)# time-range WEEKEND
      R1(config-time-range)# periodic weekend 00:00 to 23:59

      R1(config)# access-list 150 deny tcp host 10.3.3.3 host 10.2.2.2 eq 23 time-range WEEKEND
      R1(config)# access-list 150 permit ip any any

      R1(config)# interface G0/1
      R1(config-if)# ip access-group 150 in

      Cannot filter traffic that is originated from the local router (R3), so the ACL can only be configured on R1 or R2. 'Weekend hours' means from Saturday morning through Sunday night, so configure: 'periodic weekend 00:00 to 23:59'.
      Note: The time is specified in 24-hour time (hh:mm), where the hours range from 0 to 23 and the minutes range from 0 to 59.
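    A constructed simulation of how the time-based ACL above is evaluated (example code, not part of the original notes): the deny entry matches only while the WEEKEND time-range is active; outside it the lookup falls through to the permit, and an empty ACL ends in the implicit deny. Helper names and the sample dates are assumptions of this example.

```python
from datetime import datetime

# datetime.weekday(): Monday = 0 ... Saturday = 5, Sunday = 6


def weekend_range(when: datetime) -> bool:
    """time-range WEEKEND / periodic weekend 00:00 to 23:59: active all of Sat and Sun."""
    return when.weekday() in (5, 6)


# Each entry: (action, protocol, source, destination, dest port, time-range or None).
# None for a field means "any" (for the time-range: always active).
ACCESS_LIST_150 = [
    ("deny",   "tcp", "10.3.3.3", "10.2.2.2", 23,   weekend_range),
    ("permit", "ip",  None,       None,       None, None),
]


def evaluate(acl, proto: str, src: str, dst: str, dport, when: datetime) -> str:
    """Walk the ACL top-down; the first matching, active entry decides."""
    for action, p, s, d, port, time_range in acl:
        if p != "ip" and p != proto:
            continue
        if s is not None and s != src:
            continue
        if d is not None and d != dst:
            continue
        if port is not None and port != dport:
            continue
        if time_range is not None and not time_range(when):
            continue                      # entry is inactive outside its time-range
        return action
    return "deny"                         # implicit deny at the end of every ACL


def check(proto: str, src: str, dst: str, dport, iso_when: str) -> str:
    """Evaluate ACCESS_LIST_150 at an ISO-8601 timestamp, e.g. '2024-06-08T10:00'."""
    return evaluate(ACCESS_LIST_150, proto, src, dst, dport, datetime.fromisoformat(iso_when))


if __name__ == "__main__":
    for day in ("2024-06-08T10:00", "2024-06-10T10:00"):    # a Saturday and a Monday
        print(day, check("tcp", "10.3.3.3", "10.2.2.2", 23, day))
```

    Because the time-range only switches the deny entry on and off, the router's clock is part of the security control: if NTP is wrong, the weekend deny fires on the wrong days, which is one practical reason the NTP authentication notes further down matter.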

    4. The configuration example to analyze 50 packets out of every 100:

      flow record v4_r1
       match ipv4 tos
       match ipv4 protocol
       match ipv4 source address
       match ipv4 destination address
       match ipv4 source-port
       match ipv4 destination-port
       collect counter bytes long
       collect counter packets long
      !
      flow monitor FLOW-MONITOR-1
       record v4_r1
      !
      sampler SAMPLER-1
       mode random 1 out-of 2
      !
      ip cef
      !
      interface GigabitEthernet 0/0/0
       ip address 172.16.6.2 255.255.255.0
       ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input

    5. VXLAN performs the data plane forwarding function in an SD-Access deployment.

    6. The time kept on a machine is a critical resource, and it is strongly recommended to use the security features of NTP to avoid the accidental or malicious setting of incorrect time. The two security features available are an IP access list-based restriction scheme and an encrypted authentication mechanism.

    B-)

  • SYStem LOGgings (Syslog):
    • stay aware of 'everything'
    • know all what is happening behind the scenes (or even in front of)
    • starts from the obvious information up to 'Emergency'
    • Server/Client Relationship

    • Server can be a Normal Server that collects all the loggings
    • Server can use the 'Syslog' or 'Splunk' Software
    • client is the networking device that generates logs

    • 'Every Awesome Cisco Engineer Will Need Ice-cream Daily'

    • 0 = Emergency, 1 = Alert
    • 2 = Critical,  3 = Error
    • 4 = Warning, 5 = Notification
    • 6 = Information, 7 = Debug

    Syslog Logging Types:
    • Console Logging: show logs to the console user
    • Terminal Logging: show logs to Line VTY user
    • Buffered Logging: store some logs in the RAM
    • Remote Logging:
      • collect and send Syslog messages to a remote server
      • remote server must be reachable via an interface and have a Syslog Application
      • monitoring will occur from the server side
      • Example:
        Router(config)# logging host x.x.x.x
        Router(config)# logging trap <level>    (0, 1, 2, 3, 4, 5, etc.)
        Router(config)# logging source-interface Loopback0
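    An added example for the severity table and the trap level above (not from the notes): parse IOS-style syslog lines, keep the ones a given 'logging trap' level would forward to the server, and count %TCP-6-BADAUTH messages per source address (the BGP MD5 failure message that appears later in these notes). The sample log lines, addresses and helper names are constructed for this example.

```python
import re
from collections import Counter

SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notification", 6: "Information", 7: "Debug"}

# IOS messages look like %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")

# Constructed sample log (timestamps, addresses and the memory address are made up).
SAMPLE_LOG = """\
*Mar  1 00:01:02.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Mar  1 00:01:05.200: %TCP-6-BADAUTH: Invalid MD5 digest from 10.10.10.1(29832) to 10.120.10.1(179) tableid - 0
*Mar  1 00:01:06.300: %TCP-6-BADAUTH: Invalid MD5 digest from 10.10.10.1(29833) to 10.120.10.1(179) tableid - 0
*Mar  1 00:01:09.400: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
*Mar  1 00:02:00.000: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x60B8A9C4, pool Processor
"""


def parse_line(line: str):
    """Return the message fields, or None for lines that are not IOS syslog messages."""
    m = MSG_RE.search(line)
    if not m:
        return None
    sev = int(m["severity"])
    return {"facility": m["facility"], "severity": sev, "level": SEVERITY[sev],
            "mnemonic": m["mnemonic"], "text": m["text"]}


def parse_log(text: str) -> list:
    return [r for r in map(parse_line, text.splitlines()) if r]


def forwarded_by_trap_level(records, trap_level: int) -> list:
    """Mimic 'logging trap <level>': the server gets that level and everything more severe."""
    return [r for r in records if r["severity"] <= trap_level]


def badauth_by_source(records) -> Counter:
    """Count %TCP-6-BADAUTH per source: a burst from a configured peer points at a
    password mismatch, a burst from an unknown address means something other than
    the expected neighbor is reaching TCP 179 on this router."""
    counts = Counter()
    for r in records:
        if r["facility"] == "TCP" and r["mnemonic"] == "BADAUTH":
            m = re.search(r"from (\d+\.\d+\.\d+\.\d+)", r["text"])
            if m:
                counts[m.group(1)] += 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in forwarded_by_trap_level(recs, 5):
        print(r["level"], r["facility"], r["mnemonic"])
    print(badauth_by_source(recs))
```

    With 'logging trap 5' the two BADAUTH lines (severity 6) never reach the collector, so a detection that depends on them needs the trap level raised to 6 on the BGP speakers or the counting done locally from the buffer.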

    Netflow:
    • specifically, what type of traffic is passing
    • not the amount, the type
    • like: Telnet, SSH, HTTP, etc..
    • more info about every type of flow
    • by Cisco
    • works with SNMP

    • Netflow client (node) = generator
    • Netflow server = collector (application)
      • export to UDP 2055 (can be modified)
    • Netflow can be exported to the CLI

    • versions:
      • v5: popular for IPv4
      • v9: template-based flow, support IPv6
        • flexible, define what to collect, what to export

    • Flexible Netflow:
      • more options:
        • multiple exporters
        • collects more data (more fields)
        • flexible at collecting and exporting
        • uses Flow-Monitors
        • multiple Monitors for multiple collections

    • Lab 16: www.youtube.com/watch?v=WNvmU21jZO0

    SwitchPort ANalyzer (SPAN):

    • will assign a switchport as an analyzer
      • called the SPAN source
      • analyzes all types of traffic passing by this port
      • can be used for multiple sessions

    • assigns a different port as an analysis exporter
      • called the SPAN destination
      • SPAN destination ports will be used only for monitoring
      • no longer sending frames, at all
      • can't be used for multiple sessions

    • Lab 17: www.youtube.com/watch?v=LKphnIaKrgg

    • Remote SPAN (RSPAN):
      • when the destination is an interface on another switch
      • of the same networks
      • reachable through VLANs (trunk ports)
      • Lab 18: www.youtube.com/watch?v=7AhMKHujUMw

    • Encapsulated Remote SPAN (ERSPAN):
      • the destination is an interface on another switch
      • in a different network!!
      • reachable through L3 connectivity and routing
      • requires tunneling to connect SRC and DST
      • like GRE Tunnel


    1. The primary components for the Cisco SD-WAN solution consist of the vManage network management system (management plane), the vSmart controller (control plane), the vBond orchestrator (orchestration plane), and the vEdge router (data plane).
      • vManage - This centralized network management system provides a GUI interface to easily monitor, configure, and maintain all Cisco SD-WAN devices and links in the underlay and overlay network.
      • vSmart controller - This software-based component is responsible for the centralized control plane of the SD-WAN network. It establishes a secure connection to each vEdge router and distributes routes and policy information via the Overlay Management Protocol (OMP), acting as a route reflector. It also orchestrates the secure data plane connectivity between the vEdge routers by distributing crypto key information, allowing for a very scalable, IKE-less architecture.
      • vBond orchestrator - This software-based component performs the initial authentication of vEdge devices and orchestrates vSmart and vEdge connectivity. It also has an important role in enabling the communication of devices that sit behind Network Address Translation (NAT).
      • vEdge router - This device, available as either a hardware appliance or software-based router, sits at a physical site or in the cloud and provides secure data plane connectivity among the sites over one or more WAN transports. It is responsible for traffic forwarding, security, encryption, Quality of Service (QoS), routing protocols such as Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF), and more.

    2. The RESTCONF request:
      URL - http://10.10.10.10/restconf/api/running/native/interface/GigabitEthernet/1/
      HTTP Verb - GET
      Body - N/A
      Headers - Accept - application/vnd.yang.data+json
      Authentication - privileged level 15 credentials

      Response:
      {
        "Cisco-IOS-XE-native:GigabitEthernet":{
          "name":"1",
          "vrf":{
            "forwarding":"MANAGEMENT"
          },
          "ip":{
            "address":{
              "primary":{
                "address":"10.0.0.151",
                "mask":"255.255.255.0"
              }
            }
          },
          "mop": {
            "enabled": false
          },
          "Cisco-IOS-XE-ethernet:negotiation":{
            "auto":true
          }
        }
      }

      Model Driven Network Automation with IOS-XE:
      www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2018/pdf/LTRCRT-2700.pdf
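    The request and response above, as an added example that is neither the notes' nor Cisco's code: build the GET with the YANG JSON Accept header and HTTP Basic credentials, then pull the interface fields out of the response body. The response text is the page's sample with its stray trailing comma removed so it parses; the credentials and helper names are placeholders.

```python
import base64
import ipaddress
import json
import urllib.request

RESTCONF_URL = "http://10.10.10.10/restconf/api/running/native/interface/GigabitEthernet/1/"
ACCEPT_YANG_JSON = "application/vnd.yang.data+json"

# The page's sample response (trailing comma after "enabled": false removed).
SAMPLE_RESPONSE = """{
  "Cisco-IOS-XE-native:GigabitEthernet": {
    "name": "1",
    "vrf": {"forwarding": "MANAGEMENT"},
    "ip": {"address": {"primary": {"address": "10.0.0.151", "mask": "255.255.255.0"}}},
    "mop": {"enabled": false},
    "Cisco-IOS-XE-ethernet:negotiation": {"auto": true}
  }
}"""


def build_request(url: str, username: str, password: str) -> urllib.request.Request:
    """GET with the YANG JSON Accept header and Basic credentials (built, not sent)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(url, method="GET", headers={
        "Accept": ACCEPT_YANG_JSON,
        "Authorization": f"Basic {token}",
    })


def summarize_interface(body: str) -> dict:
    """Flatten the native-model JSON into the fields an operator actually checks."""
    intf = json.loads(body)["Cisco-IOS-XE-native:GigabitEthernet"]
    primary = intf.get("ip", {}).get("address", {}).get("primary", {})
    summary = {
        "interface": "GigabitEthernet" + intf["name"],
        "vrf": intf.get("vrf", {}).get("forwarding", "global"),   # no vrf key = global table
        "address": primary.get("address"),
        "mask": primary.get("mask"),
        "mop_enabled": intf.get("mop", {}).get("enabled"),
        "auto_negotiation": intf.get("Cisco-IOS-XE-ethernet:negotiation", {}).get("auto"),
    }
    if summary["address"] and summary["mask"]:
        iface = ipaddress.IPv4Interface(f"{summary['address']}/{summary['mask']}")
        summary["prefix_length"] = iface.network.prefixlen
    return summary


if __name__ == "__main__":
    req = build_request(RESTCONF_URL, "admin", "EXAMPLE-PASSWORD")
    print(req.full_url, req.get_header("Accept"))
    print(summarize_interface(SAMPLE_RESPONSE))
```

    The URL on the page is plain http://, so the Basic Authorization header built here would cross the wire base64-encoded but unencrypted; against a real device the same request should go to an https:// endpoint.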

    3. dBm is an abbreviation for 'deciBels relative to one milliwatt', where one milliwatt (1 mW) equals 1/1,000 of a watt. It follows the same scale as dB. Therefore 0 dBm = 1 mW, 30 dBm = 1 W, and -20 dBm = 0.01 mW
    4. An engineer must create an EEM applet that sends a syslog message in the event a change happens in the network due to trouble with an OSPF process. The engineer should use:

      event manager applet LogMessage
       event routing network 172.30.197.0/24 type all
       action 1 syslog msg "OSPF ROUTING ERROR"

    5. Assuming that R1 is a CE router, Default VRF is assigned to Gi0/0 on R1.

      image
      There is nothing special with the configuration of Gi0/0 on R1. Only Gi0/0 interface on R2 is assigned to VRF VPN_A. The default VRF here is similar to the global routing table concept in Cisco IOS.

    6. Cisco EAP-FAST is also designed for simplicity of deployment, since it doesn't require a certificate on the wireless LAN client or on the RADIUS infrastructure, yet incorporates a built-in provisioning mechanism.
    B-)

  • IP Service Level Agreement (IP SLA):
    • performs a specific operation
    • from a specific source to a specific destination
    • like ICMP, HTTP, TCP, UDP, etc.
    • logs statistics about the successes/failures of that operation

    • Enhanced Object Tracking (SLA Track):
      • monitors the statistics of IP SLA
      • performs an action based on the statistics output

    • Lab 19: www.youtube.com/watch?v=o_fJ3hvA0EY


    Enterprise Network Design Considerations:
    • Three-Tier Architecture - A network topology divided into the Access, Distribution, and Core layers.
    • Collapsed Core Architecture - A two-tier topology where the Core and Distribution Layers have been consolidated.
    • Spine-Leaf Design for Data Centers: Logically, One Switch

    On-Premise vs. Cloud Designs Considerations:

    • With a Cloud deployment, there's no need to maintain local redundant power or hardware.
    • With a Cloud deployment, you pay for resource usage instead of purchasing physical hardware.

    • With an On-Premise deployment, it might be easier to meet compliance requirements.
    • With an On-Premise deployment, it might be easier to maintain a good user experience.

    • Many deployments, called Hybrid deployments, combine both On-Premise and Cloud deployments.

    Fabric Capacity Planning:
    • How much data needs to be pushed through a data center switch?
    • How much data can be pushed through a specific hardware configuration?
    • What is the anticipated bandwidth demand increase over time?
    • Switch BW Capacity = (Inter-slot Switching Capacity * Number of I/O Slots) + [(Number of SE Modules * Inter-slot Switching Capacity) / 2]
    • Nexus 7018 = (550 Gbps * 16) + [(2 * 550 Gbps) / 2]
        = 8.8 Tbps + 550 Gbps
        = 9.35 Tbps
      Full Duplex Switch BW Capacity = 9.35 Tbps * 2
        = 18.7 Tbps
      https://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/Data_Sheet_C78-437762.html

    Redundant Design: Higher Costs
    • Redundant Components
    • UPS/Generator
    • FHRP

    1. The RIB is a database of routing prefixes, and the Forwarding Information Base (FIB) is the Information used to choose the egress interface for each packet. The RIB is derived from the control plane, and the FIB is derived from the RIB.
      The FIB contains destination reachability information as well as next hop information. This information is then used by the router to make forwarding decisions. The FIB allows for very efficient and easy lookups.

    2. Although Protocol Independent Multicast (PIM) is called a multicast routing protocol, it actually uses the unicast routing table to perform the multicast Reverse Path Forwarding (RPF) check function instead of building up a completely independent multicast routing table. Unlike other routing protocols, PIM does not send and receive routing updates between routers.

    3. One of the best practices to secure REST APIs is password hashing. Passwords must always be hashed to protect the system (or minimize the damage) even if it is compromised in some hacking attempt. There are many hashing algorithms that prove really effective for password security, e.g. the PBKDF2, bcrypt, and scrypt algorithms.
      Other ways to secure REST APIs are: always use HTTPS, never expose information in URLs (usernames, passwords, session tokens, and API keys should not appear in the URL), add a timestamp to the request, use OAuth, and validate input parameters.

    4. from ncclient import manager

       with manager.connect(host='192.168.0.1', port=22,
                            username='admin', password='password1', hostkey_verify=True,
                            device_params={'name': 'nexus'}) as m:
           # the NETCONF session is open for the duration of this block
           reply = m.get_config(source='running')

      The above Python snippet uses ncclient's manager.connect() to establish a NETCONF session to a Cisco Nexus device (which is also a NETCONF server) and maintains it for the duration of the context.
      ncclient is a Python library that facilitates client-side scripting and application development around the NETCONF protocol.

    5. R1#
      *May 5 39:85:86.070: %TCP-6-BADAUTH: Invalid MD5 digest from 10.10.10.1(29832) to 10.120.10.1(179) tableid - 0
      from neighbor to logged device

      R1(config-router)# neighbor 10.10.10.1 peer-group CORP
      R1(config-router)# neighbor CORP password Cisco

      R2(config-router)# neighbor 10.120.10.1 peer-group CORP
      R2(config-router)# neighbor CORP password Cisco

    6. A company has an existing Cisco 5520 HA cluster using SSO. An engineer deploys a new single Cisco Catalyst 9800 WLC to test new features. The engineer successfully configures a mobility tunnel between the 5520 cluster and the 9800 WLC. Clients connected to the corporate WLAN roam seamlessly between access points on the 5520 and 9800 WLC. After a failure on the primary 5520 WLC, all WLAN services remain functional; however, clients cannot roam between the 5520 and 9800 controllers without dropping their connection. The mobility MAC feature on the 9800 WLC must be configured to remedy the issue.

    7. ip sla 10 <- The ip sla 10
       icmp-echo 192.168.10.20 <- will ping the IP 192.168.10.20
       timeout 500
       frequency 3 <- every 3 seconds
      ip sla schedule 10 life forever start-time now
      !
      track 10 ip sla 10 reachability <- to make sure the connection is still up.

      The IP SLA is configured on a router. An engineer must configure an EEM applet to shut down the interface and bring it back up when there is a problem with the IP SLA. The configuration the engineer should use is:

      event manager applet EEM_IP_SLA
       event track 10 state down

    8. Priority queuing is the congestion management method on Cisco IOS-based routers that uses four static queues.
      https://packetlife.net/media/library/19/QoS.pdf

    9. Router BRDR-1 is configured to receive the 0.0.0.0/0 and 172.17.1.0/24 networks via BGP and advertise them into OSPF area 0. An engineer has noticed that the OSPF domain is receiving only the 172.17.1.0/24 route and the default route 0.0.0.0/0 is still missing. The configuration the engineer must apply to resolve the problem is:

      router ospf 1
       default-information originate
      end

    10. Refer to the exhibit. An engineer has configured Cisco ISE to assign VLANs to clients based on their method of authentication, but this is not working as expected. Utilizing RADIUS profiling is the action that will resolve this issue.

      image
    11. Refer to the exhibit. After configuring an IPsec VPN, an engineer enters the show command to verify the ISAKMP SA status. The status shows that the ISAKMP SA is authenticated and can be used for Quick Mode.

      image
      The QM_IDLE state means the tunnel is UP and the IKE SA key exchange was successful; the SA is idle but remains authenticated in a quiescent (QM) state and stays active.

    12. vBond controller is capable of acting as a Session Traversal Utilities for NAT (STUN) server during the onboarding process of Edge devices.

    13. Cisco Cyber Threat Defense:
      • Identity Services Engine - uses pxGrid to remediate security threats
      • StealthWatch - analyzes network behavior and detects anomalies
      • Web Security Appliance - detects suspicious web activity

    B-)

  • Types of Backups:
    • Full: Backs up all data.
    • Differential: Backs up changes since last full backup.
    • Incremental: Backs up all changes since last full, differential, or incremental backup.
    • Snapshot: Backs up entire server, including state information.

    Hot Site:
    • Power
    • HVAC
    • Floor Space
    • Server Hardware (not in a Cold Site)
    • Synchronized Data (not in a Warm or Cold Site)

    Wireless LAN (WLAN) Design Considerations:

    Wireless Deployment Options:

    Cisco Access Points (APs) can operate in one of two modes: autonomous or lightweight.

    Autonomous:
    • Self-sufficient and standalone, independent devices
    • Used for Home or small office environments / wireless networks
    • Controller-less deployment model
    • Not commonly used in large enterprise networks

    Lightweight AP (LAP):
    • Requires / has to join a central Wireless LAN Controller (WLC) to function.
    • Controller-based deployment model
    • WLCs can be physical or virtual
    • Controller communicates changes to the APs. Control And Provisioning of Wireless Access Points (CAPWAP) is an IETF standard for control messaging for setup, authentication, and operations between APs and WLCs.
    • LAP and WLC communicate with each other via a logical pair of CAPWAP tunnels.

    CAPWAP is similar to LightWeight Access Point Protocol (LWAPP) except the following differences:
    • CAPWAP uses Datagram Transport Layer Security (DTLS) for authentication and encryption to protect traffic between APs and controllers. LWAPP uses AES.
    • CAPWAP has a dynamic Maximum Transmission Unit (MTU) discovery mechanism.
    • CAPWAP runs on UDP ports 5246 (control messages) and 5247 (data messages).


    An LAP operates in one of six different modes:

    1. Local mode (default mode): measures noise floor and interference, and scans for Intrusion Detection (IDS) events every 180 seconds on unused channels

    2. FlexConnect, formerly known as Hybrid Remote Edge AP (H-REAP), mode:
      • Configure and control remote wireless network
      • Similar to Layer 3 roaming with CAPWAP
        Central Switched:
        • tunnels both user wireless data and control traffic to a centralized WLC via CAPWAP, like the normal (Local) mode of operation
        • Typically not the recommended mode
        Local Switched:
        • allows data traffic to be switched locally and not go back to the controller.
        • Maps user traffic to a VLAN on the adjacent switch. Can perform standalone client authentication and switch VLAN traffic locally even when it is disconnected from the WLC.
        • Control and management traffic is still sent over CAPWAP to the WLC

    3. Monitor mode: does not handle data traffic between clients and the infrastructure. It acts like a sensor for Location-Based Services (LBS), rogue AP detection, and IDS.

    4. Rogue detector mode: monitor for rogue APs. It does not handle data at all.

    5. Sniffer mode: runs as a sniffer and captures and forwards all the packets on a particular channel to a remote machine, where a protocol analysis tool (Wireshark, Airopeek, etc.) can be used to review the packets and diagnose issues. Strictly used for troubleshooting purposes.

    6. Bridge mode: bridge together the WLAN and the wired infrastructure together.

    Mobility Express is the ability to use an AP as a controller instead of a real WLAN controller. This solution is only suitable for small to midsize or multi-site branch locations where one might not want to invest in a dedicated WLC. A Mobility Express WLC can support up to 100 APs.

    Use Cases for Location Services:
    • Enterprise asset tracking
    • Location-based advertising

    Cisco Solutions:
    • Real-Time Location Services (RTLS)
    • Cisco DNA Spaces
    • Cisco Meraki platform

    Software-Defined Wide Area Network (SD-WAN):

    Enterprise WAN:
    • Dedicated circuits traditionally used
    • Provide reliability and security
    • Rise in cloud usage requires simplicity

    SD-WAN:
    • Traffic backhauling no longer required
    • End-to-end traffic encryption and inspection through SD-WAN
    • Next generation security mechanisms added
    • Anti-malware systems, botnet control intervention, etc.

    SD-WAN Overlay = Virtual Infrastructure
    Underlay Network = Physical Infrastructure

    1. Collecting statistical constraint analysis information and enforcing the use of a specific encoding format for NETCONF are benefits of YANG.

    2. Refer to the exhibit. An engineer attempts to configure a trunk between switch SW1 and switch SW2 using DTP, but the trunk does not form. The engineer should apply the switchport mode dynamic desirable command to switch SW2 to resolve this issue.

      image
    3. An engineer runs the code against an API of Cisco DNA Center, and the platform returns this output because the authentication credentials are incorrect.

      image

    4. Stratum is the measure used by an NTP server to indicate its closeness to the authoritative time source.

    5. IGMPv2 is compatible only with IGMPv1.

      image
    6. The centralized control policy in a Cisco SD-WAN deployment is the set of statements that defines how routing is performed.

    7. Traffic Policing:
      • introduces no delay and jitter
      • drops excessive traffic
      • causes TCP retransmission when traffic is dropped

      Traffic Shaping:
      • introduces delay and jitter
      • buffers excessive traffic
      • typically delays, rather than drops traffic

    8. username CCNP privilege 15 secret Str0ngP@ssw0rd!
      username CCNP autocommand sho run

      The autocommand causes the specified command 'sho run' to be issued automatically after the CCNP user logs in. When the command is complete, the session is terminated. Because the command can be any length and can contain embedded spaces, commands using the autocommand keyword must be the last option on the line.

    9. Containment, threat intelligence, and machine learning are the features Cisco Endpoint Detection and Response (EDR) uses to provide threat detection and response protection.

    B-)

  • Cisco SD-WAN:
    • Management & Orchestration Plane:
      • vManage: User interface
      • vBond: Orchestration and provisioning
    • Control Plane:
      • vSmart: SD-WAN - Policy Enforcement
        Communicates via Overlay Management Protocol (OMP)
    • Data Plane:
      • Cisco vEdge: Edge routers

    Software-Defined Access (SD-Access):

    Advantages:

    • Next-generation policy enforcement
    • Security Group Access Control Lists (SGACLs)
    • Policies are based on identity rather than addresses

    • Secure network segmentation
    • Virtualization of physical network
    • Separate virtual networks can have separate policies

    Campus Fabric:
    • Virtual overlay network
    • Ideally used with Cisco DNA Center
    • NETCONF/YANG management
    • Overcomes limitations found in traditional network architecture

    SD-Access Fabric:
    • Control Plane:
      • LISP encapsulation
      • Simplified routing
    • Data Plane:
      • VxLAN Tunneling
      • Virtual networks
    • Policy Plane:
      • Cisco TrustSec
      • Security groupings

    Layer:
    • Physical: Router, Switch, etc.
    • Network: Underlay Network, SD-Access Overlay
    • Controller: Cisco DNA Center, Cisco ISE
    • Management: Cisco DNA Center GUI

    Traditional Wireless: CAPWAP Tunnel between AP and WLC for all traffic.
    SD-Access Wireless: CAPWAP Tunnel between AP and WLC only for management traffic.

    1. A customer requests a network design that supports these requirements:
      • FHRP redundancy
      • multivendor router environment
      • IPv4 and IPv6 hosts
      The design includes VRRP version 3 (VRRPv3): it is standards-based (RFC 5798), so it works across vendors, and it supports both IPv4 and IPv6.

    2. Refer to the exhibit:

      image
      A network engineer is configuring OSPF between router R1 and router R2. The engineer must ensure that a DR/BDR election does not occur on the Gigabit Ethernet interfaces in area 0. The configuration set that accomplishes this goal is:

      R1(config)# interface Gi0/0
      R1(config-if)# ip ospf network point-to-point

      R2(config)# interface Gi0/0
      R2(config-if)# ip ospf network point-to-point

      Broadcast and non-broadcast network types elect a DR/BDR, while point-to-point and point-to-multipoint do not. Setting both Gi0/0 interfaces to point-to-point (or point-to-multipoint) therefore ensures that no DR/BDR election occurs.

    3. A network engineer is adding an additional 10Gbps link to an existing 2x10Gbps LACP-based LAG to augment its capacity. Network standards require a bundle interface to be taken out of service if one of its member links goes down, and the new link must be added with minimal impact to the production network. The engineer must perform the tasks in the following sequence:
      1. Validate the physical and data link layers of the 10Gbps link.
      2. Execute the channel-group number mode active command on the new member interface to add the 10Gbps link to the existing bundle.
      3. Execute the lacp min-bundle 3 command on the port-channel interface to set the minimum number of ports threshold.
      4. Validate the network layer of the 10Gbps link.

    4. Running the script causes the output in the exhibit. The first line of the script must be changed to 'from ncclient import manager' to resolve the error.

      image
      https://ncclient.readthedocs.io/en/latest

    5. Refer to the exhibit:

      image
      An engineer implemented several configuration changes and receives the logging message on switch1. To resolve this issue, the engineer should change the VTP domain name so that it matches on both switches.

    6. Cisco TrustSec enables more access controls for dynamic networking environments and data centers by classifying traffic based on the contextual identity of the endpoint rather than its IP address.

    7. An engineer is working with the Cisco DNA Center API. Here are the methods with their actions:
      • DELETE: remove an element using the API
      • GET: extract information from the API
      • POST: create an element
      • PUT: update an element

    8. Refer to the exhibit:

      image

      The radiation pattern represents a Yagi antenna.
      A Yagi antenna is formed by driving a simple antenna, typically a dipole or dipole-like antenna, and shaping the beam with a well-chosen series of non-driven (parasitic) elements whose length and spacing are tightly controlled.
      image
    9. Refer to the exhibit:
      image
      Assuming that all BGP neighbor relationships have been formed and that the attributes have not been changed on any of the routers, all traffic leaving AS 200 will choose Link 2 as the exit point after R4(config-router)# bgp default local-preference 200.
      Local preference tells the routers in an AS which path is preferred to exit the AS in order to reach a given network. A path with a higher local preference is preferred; the default value is 100.
      Unlike the weight attribute, which is relevant only to the local router, local preference is exchanged between routers in the same AS (via iBGP) and is not sent to eBGP neighbors.

    10. RESTCONF (RFC 8040) operations map to the HTTP methods OPTIONS, HEAD, GET, POST, PUT, PATCH, and DELETE.

    11. The Signal-to-Noise Ratio (SNR) measurement from a post-deployment wireless survey is used to depict the cell edge of the access points.
      Cisco Wireless - RSSI and SNR

    12. A customer has several small branches and wants to deploy a Wi-Fi solution with local management using CAPWAP. The Mobility Express deployment model meets this requirement: the controller function runs on one of the APs, so no separate WLC appliance is needed.
      Cisco Wireless - Introducing to Cisco Mobility Express and Cisco Wireless Portfolio 2018

    13. The wireless elements and their definitions:
      • beamwidth: measures the angle of an antenna pattern in which the relative signal strength is half-power below the maximum value
      • gain: the relative increase in signal strength of an antenna in a given direction
      • polarization: the orientation of the electric field of the radiated electromagnetic wave relative to the antenna; transmitting and receiving antennas should use matching polarization
      • radiation patterns: a graph that shows the relative intensity of the signal strength of an antenna within its space

    14. Refer to the exhibit:

      image

      Postman shows an attempt to retrieve network device information from the Cisco DNA Center API. The issue is that the URI string is incorrect.

    15. The purpose of the LISP routing and addressing architecture is to create two entries for each network node: one for its identity (the EID) and another for its location on the network (the RLOC).
    B-)

  • 3 Categories of QoS:
    • Not Strict: Best Effort
    • Less Strict: DiffServ
    • Strict: IntServ

    Common QoS Mechanisms:
    • Classification and Marking
    • Queuing
    • Congestion Avoidance
    • Policing and Shaping
    • Link Efficiency

    Wi-Fi MultiMedia (WMM):
    • IEEE 802.1p user priority markings map to WMM access categories
    • Access category determines InterFrame Space (IFS) and Random Backoff Timer

    4 Access Categories:
    • AC_VO (Voice) -> 802.1P: 6 & 7
    • AC_VI (Video) -> 4 & 5
    • AC_BE (Best Effort) -> 0 & 3
    • AC_BK (Background) -> 1 & 2

    image

    CIR = Bc / Tc
    • CIR (Committed Information Rate) = AVERAGE speed over the period of a second
    • Bc (Committed Burst) = Number of bits (for shaping) or bytes (for policing) that are deposited in the token bucket during a timing interval
    • Tc (Timing Interval) = The interval at which tokens are deposited in the token bucket
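    Added example (not from the original notes): a single-rate policer modelled as a token bucket, to show how CIR, Bc and Tc interact. The offered traffic is constructed inline. Tokens refill continuously at the CIR, which is equivalent to depositing Bc tokens every Tc; integer milliseconds and bytes keep the arithmetic exact.

```python
"""Token-bucket model of a single-rate policer (CIR, Bc).

Added example, not from the original notes. Tokens (bytes) refill at the
CIR; a packet conforms when the bucket holds at least its size in tokens.
Bc caps the bucket, so Bc is the largest burst admitted at once, and
CIR = Bc / Tc is the long-run average rate the policer enforces.
"""


def tc_ms(cir_bps: int, bc_bits: int) -> int:
    """Tc = Bc / CIR: the interval at which Bc tokens would be deposited."""
    return bc_bits * 1000 // cir_bps


class SingleRatePolicer:
    def __init__(self, cir_bps: int, bc_bytes: int):
        self.cir_bps = cir_bps
        self.bc_bytes = bc_bytes
        self.tokens = bc_bytes      # bucket starts full
        self.last_ms = 0

    def police(self, t_ms: int, size_bytes: int) -> str:
        # Refill: CIR bits/s * elapsed ms / 8000 = bytes, capped at Bc.
        elapsed = t_ms - self.last_ms
        self.tokens = min(self.bc_bytes, self.tokens + elapsed * self.cir_bps // 8000)
        self.last_ms = t_ms
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes   # conforming traffic spends tokens
            return "conform"
        return "exceed"                 # exceeding traffic spends none


def run_policer(cir_bps: int, bc_bytes: int, packets, duration_ms: int):
    """packets: list of (t_ms, size_bytes). Returns (actions, conforming_bps)."""
    policer = SingleRatePolicer(cir_bps, bc_bytes)
    actions = [policer.police(t, size) for t, size in packets]
    conforming_bytes = sum(size for (_, size), act in zip(packets, actions)
                           if act == "conform")
    return actions, conforming_bytes * 8 * 1000 // duration_ms


# Constructed offered load: 500-byte packets every 100 ms (40 kbps) for 10 s,
# policed to CIR 8 kbps with Bc 1500 bytes (a three-packet burst allowance).
SAMPLE_PACKETS = [(t_ms, 500) for t_ms in range(0, 10000, 100)]

if __name__ == "__main__":
    acts, rate = run_policer(8000, 1500, SAMPLE_PACKETS, 10000)
    print(acts.count("conform"), "conform,", acts.count("exceed"), "exceed,",
          "conforming rate", rate, "bps (CIR 8000; the excess is the initial Bc burst)")
```

    The first three packets pass on the stored Bc, after which only one packet in five conforms: the measured conforming rate settles just above the CIR, and the gap is exactly the one-off burst the bucket allowed.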

    Switching Mechanisms:

    Process Switching:
    • Oldest method for Cisco IOS switching
    • Every packet is inspected by CPU
    • Processor is directly involved with every packet
    • Not ideal in modern networks
    • Available on every Cisco router platform
    • Debugging uses process switching

    Cisco Express Forwarding (CEF):
    • Most preferred Cisco IOS switching process
    • Default in most modern Cisco IOS devices
    • Optimized lookup and efficient packet handling

    CEF Benefits:
    • Less CPU-intensive than older switching methods
    • Distributed CEF (dCEF) allows line card forwarding
    • CEF Forwarding Information Base (FIB)
    • CEF Adjacency Table

    CEF FIB:
    • Similar to a routing table
    • FIB is updated with each routing table update
    • Processor is not involved with route lookup
    • FIB is a more efficient lookup structure

    CEF Adjacency Table:
    • Information about directly connected devices
    • Adjacency = reachable via single link-layer hop
    • Layer 2 next-hop address maintained in table

      Content Addressable Memory (CAM):
      • Arrival port number, source MAC address, and arrival timestamp
      • Stale entries removed after aging timer expires
      • Default aging timer is 300 seconds
      • Switch(config)# mac address-table aging-time <seconds>
      • True (1) or False (0) value returned upon lookup
      • Searches for exact binary match

      Ternary CAM (TCAM):
      • Some L2 switches use TCAM for QoS
      • Primarily a multilayer switch component
      • Access Control Lists (ACLs) commonly use TCAM
      • Extension of the CAM
      • Returns True (1), False (0), or Do Not Care (X)
      • Ternary = a base-three value (0, 1, or X)
      • TCAM uses VMR format (value, mask, and result)
      • Value = IP addresses, protocol ports, etc.
      • Mask = mask bits associated with matching values
      • Result = permit, deny, QoS policing, etc.

      FIB:
      • IP forwarding table or CEF table
      • IP destination prefix-based switching decision
      • FIB capacity can dictate forwarding efficiency
      • Modern ASICs provide line-speeds
      • dCEF offloads the FIB to line card modules

      RIB:
      • IP routing related information stored
      • Used by all routing protocols (OSPF, BGP, etc.)
      • Learned routes inserted into RIB
      • Unreachable routes removed and RIB updated
      • Dynamic, static, and directly connected routes

      1. When a high-bandwidth multicast stream is sent over an MVPN using Cisco hardware, a data MDT is created for it. Data MDTs are created only for (S, G) multicast route entries in the VRF, never for (*, G) entries, which stay on the default MDT.

      2. Refer to the exhibit:

        image
        An engineer is configuring an EtherChannel between Switch1 and Switch2 and notices the console message on Switch2. Based on the output, this issue should be resolved by configuring the same EtherChannel protocol on both switches.
        In this case, Switch2 uses EtherChannel without a negotiation protocol (mode on). If the opposite switch is not also configured for EtherChannel operation on the respective ports, there is a danger of a switching loop. EtherChannel Misconfiguration Guard tries to prevent that loop from occurring by err-disabling all the ports bundled in the EtherChannel.

      3. Refer to the exhibit:

        image
        The configuration change to achieve dynamic, continuously mapped NAT for all users is to increase the NAT pool size to support 254 usable addresses.

      4. Inside routers, Ternary Content Addressable Memory (TCAM) is used for faster address lookup, which enables fast routing.
        In switches, CAM is used to build and look up the MAC address table that drives Layer 2 forwarding decisions.
        Besides longest-prefix matching, the TCAM in today's routers and multilayer switches is used to store ACLs, QoS policies, and other upper-layer matching rules.
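      Added example (not from the original notes) for the TCAM and CAM notes above and for this question: a software model of value/mask/result matching, with a constructed ACL and a constructed MAC table. It shows why an ACL in TCAM behaves as a first-match, top-down list with an implicit deny, while a CAM lookup can only answer present or absent.

```python
"""Value/Mask/Result (VMR) matching, the way a TCAM evaluates an ACL.

Added example, not from the original notes. Each ACE is stored as a
value, a mask (1 = bit must match, 0 = don't care, the 'X' state) and a
result. Hardware compares a packet key against every entry at once and a
priority encoder returns the first hit, which is what gives IOS ACLs their
top-down, first-match semantics. The CAM lookup at the end shows the
contrast: an exact binary match that only answers present/absent.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

PROTO = {"ip": 0, "tcp": 6, "udp": 17, "icmp": 1}
M32, M16, M8 = 0xFFFFFFFF, 0xFFFF, 0xFF

# Key layout (simplified): (src_ip, dst_ip, protocol, src_port, dst_port)
Key = Tuple[int, int, int, int, int]


@dataclass(frozen=True)
class VMR:
    value: Key
    mask: Key
    result: str

    def matches(self, key: Key) -> bool:
        # Ternary compare: bits cleared in the mask are ignored ('X')
        return all((k & m) == (v & m) for k, v, m in zip(key, self.value, self.mask))


def _addr(spec: str) -> Tuple[int, int]:
    """'any', 'host a.b.c.d' or 'a.b.c.d/len' -> (value, mask)."""
    if spec == "any":
        return 0, 0
    if spec.startswith("host "):
        return int(IPv4Address(spec[5:])), M32
    net = IPv4Network(spec, strict=False)
    return int(net.network_address), int(net.netmask)


def ace(action: str, proto: str, src: str, dst: str,
        sport: Optional[int] = None, dport: Optional[int] = None) -> VMR:
    """Build one access-control entry in VMR form (extended-ACL style)."""
    sv, sm = _addr(src)
    dv, dm = _addr(dst)
    pv, pm = (0, 0) if proto == "ip" else (PROTO[proto], M8)
    spv, spm = (0, 0) if sport is None else (sport, M16)
    dpv, dpm = (0, 0) if dport is None else (dport, M16)
    return VMR((sv, dv, pv, spv, dpv), (sm, dm, pm, spm, dpm), action)


def packet_key(src: str, dst: str, proto: str, sport: int, dport: int) -> Key:
    return (int(IPv4Address(src)), int(IPv4Address(dst)), PROTO[proto], sport, dport)


def tcam_lookup(table, key: Key) -> str:
    """All entries are evaluated 'in parallel'; the lowest index that hits wins."""
    for entry in table:
        if entry.matches(key):
            return entry.result
    return "deny"  # the implicit deny at the end of every IOS ACL


def cam_lookup(mac_table: dict, mac: str) -> Optional[int]:
    """CAM: exact binary match only; returns the port or nothing."""
    return mac_table.get(mac.lower())


# Constructed ACL: permit the web server's replies from 192.168.0.5:8080 to
# PC-1 (172.16.0.2), block SSH to the server from everyone, then permit the
# rest of 172.16.0.0/16.
SAMPLE_ACL = [
    ace("permit", "tcp", "host 192.168.0.5", "host 172.16.0.2", sport=8080),
    ace("deny", "tcp", "any", "host 192.168.0.5", dport=22),
    ace("permit", "ip", "172.16.0.0/16", "any"),
]

# Constructed MAC table: {mac: port}
SAMPLE_CAM = {"00:11:22:33:44:55": 3, "aa:bb:cc:dd:ee:ff": 7}
```

      The masks are the only thing that differs between "host", a prefix and "any": a host entry cares about all 32 bits, a /16 about the top 16, "any" about none. Every field that an ACE leaves unspecified is stored as X, which is what the third TCAM state buys over a plain CAM.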

      5. Virtual components and their descriptions:
        • OVA: a single archive (tar) file that bundles a virtual machine's OVF descriptor, its virtual disk(s), and related files for distribution
        • VMDK: file containing a virtual machine disk drive
        • VMX: VMware configuration file containing the settings for a virtual machine, such as the guest OS, memory, and attached devices
        • vNIC: component of a virtual machine responsible for sending packets to the hypervisor

      6. Call Admission Control requires the client to send a traffic specification (TSPEC, carried in an 802.11e/WMM ADDTS request) in order to reserve the bandwidth.

      7. IaaS service providers use VxLAN to extend a Layer 2 segment across a Layer 3 network.

      8. Refer to the exhibit:

        image

        PC-1 must access the web server on port 8080. To allow this traffic, permit tcp host 192.168.0.5 eq 8080 host 172.16.0.2 must be added to an access control list that is applied on SW2 port G0/0 in the inbound direction (it matches the server's replies, which carry source port 8080).

      9. An engineer is implementing a route map to support redistribution within BGP. The route map must be configured to permit all unmatched routes. To complete this task, the engineer must include a permit statement with no match clause as the last entry, because a route map otherwise ends with an implicit deny.

      10. In PIM sparse mode the Rendezvous Point (RP) is the root of the shared tree: it responds to the (*, G) PIM join messages from receivers by forwarding traffic from the source(s) of the requested multicast group down the shared tree.

      11. Refer to the exhibit:

        image
        Atlanta(config-router)# area 1 range 192.168.0.0 255.255.252.0, when applied, reduces Type 3 LSA flooding into the backbone area and summarizes the inter-area routes seen on the Dallas router.

      12. The threat defense solutions and their descriptions:
        • AMP4E: provides malware protection on endpoints
        • ESA: protects against email threat vector
        • FTD: provides IPS/IDS capabilities
        • StealthWatch: performs security analytics by collecting network flows
        • Umbrella: provides DNS protection
      B-)

      • Data centers commonly use a Spine-Leaf design, where a leaf switch connects to multiple spine switches, such that the leaf switch can reach any other leaf switch by transiting a single spine switch.
        A Point-to-Multipoint design is commonly found in older wide area networks using Frame Relay or ATM.
        A Three-Tier architecture is commonly found in enterprise networks and consists of the Access, Building Distribution, and Core layers.
        A Collapsed Core design is commonly found in small to medium sized networks, where the Building Distribution and Core layers found in an enterprise network are combined into a single layer.

      • With a Cloud Design, you don't need to purchase physical servers. Instead, you pay the cloud provider for the actual usage of the virtual servers they host. Also, even though your servers may be hosted by a cloud provider, you still need to be concerned with redundancy, perhaps running duplicate servers in the cloud along with a virtual load balancer to distribute the load between them.
        However, an On-Premise design usually gives you better control of the end-user experience and more flexibility in meeting compliance requirements.

      • The '5 Nines of Availability' refers to keeping a network operational 99.999 percent of the time. That translates to approximately 5 minutes of downtime per year.
        The '6 Nines of Availability' refers to keeping a network operational 99.9999 percent of the time, which translates to approximately 30 seconds of downtime per year.

      • An Active Virtual Gateway (AVG) is a type of gateway used by Gateway Load Balancing Protocol (GLBP). GLBP is unique among the First Hop Redundancy Protocols (FHRPs) in that instead of having a single gateway service all traffic from a subnet, it load balances the traffic across as many as four Active Virtual Forwarders (AVFs). An AVG accomplishes this by responding to ARP queries (for a default gateway's virtual IP address) with different MAC addresses (i.e. the MAC addresses of the AVFs in a GLBP group).

      • Stateful Switchover (SSO) allows a router with two route processors to fail over from its primary route processor to its backup route processor without dropping routing protocol neighborships with other routers. However, the backup route processor might drop packets while it constructs an IP routing table. To prevent those initial packet drops after the failover, a feature called NonStop Forwarding (NSF) could be used. NSF allows the IP routing information maintained by Cisco Express Forwarding (CEF) in the primary route processor to remain in memory and be used by the backup route processor.

      • Lightweight access points require a centralized Wireless LAN Controller (WLC), which is used to manage all of the access points from a single location. This is also referred to as a controller-based deployment model, where the WLC can be a physical or a virtual device. No management or configuration is necessary on the individual access point.

      • Cisco vSmart resides within the control plane and is thought of as the 'brain' of the Cisco SD-WAN solution. As policies are created within vManage, vSmart is responsible for enforcing those policies and sharing them with the SD-WAN routers and locations in the network. Route information from branch locations is received via the Overlay Management Protocol (OMP), and vSmart compares the route information to the known policies in order to control traffic.

      • The SD-Access data plane uses Virtual Extensible LAN (VxLAN) tunneling to create the virtual SD-Access overlay network. This is UDP-based communication, meaning any device with a valid IP address in the underlay has the ability to receive and forward the encapsulated traffic. The VxLAN encapsulation allows for the creation of multiple virtual networks within the overlay, where separate policies can be applied and enforced.

      • The 3-step MQC process consists of:
        1. Creating class maps
        2. Creating a Policy Map, and
        3. Applying the Policy Map.
        The 'class-default' class map exists by default; it cannot be created or deleted.

      • The Content Addressable Memory (CAM) table is the memory architecture used in Cisco Catalyst switches for Layer 2 switching. As data frames arrive on a switchport, the source MAC addresses of the traffic are recorded in the CAM table, which is then used to determine which outgoing switchport should be used for frame delivery.

      Device Virtualization:

      Hypervisors: Software that can create, start, stop, and monitor multiple virtual machines.
      • Type-1 ('Native' or 'Bare Metal'): Runs directly on the server's hardware.
      • Type-2 ('Hosted'): Runs in a traditional operating system.

      image
      Containers:
      • Multiple containers share same host OS
      • Container Engine creates Container Image
      • Container Image contains an app and resources required by the app
      • Container Engine runs Container Image
      • Sometimes called a 'lightweight VM'

      Virtual Switches:
      • Virtual NIC: Software associated with a unique MAC address, which can be used by a VM to send and receive packets.
      • Virtual Switch: Software that can connect to other virtual switches, virtual NICs and to a physical NIC.

      Site-to-Site VPN:
      • Can use common broadband technologies
      • Transparent to the client devices
      • Can use routers or dedicated VPN concentrators

      1. A network administrator has designed a network with two multilayer switches on the distribution layer, which act as default gateways for the end hosts. GLBP and MHSRP (multiple HSRP groups) are the technologies that allow every end host in a VLAN to use both gateways.

        image
      2. The function handled by vManage in the Cisco SD-WAN fabric is performing remote software upgrades for the WAN Edge routers, vSmart, and vBond.

      3. With AP(config-if-ssid)# authentication open eap eap_methods applied (autonomous AP SSID configuration), all wireless users authenticate via EAP using dynamic key generation.

      4. A network administrator is implementing a routing configuration change and enables routing debugs to track routing behavior during the change. The logging output on the terminal is interrupting the command typing process. To minimize the possibility of typing commands incorrectly, the network administrator can configure the logging synchronous command under the vty lines and press the TAB key to reprint the command on a new line.

      5. Refer to the exhibit:

        image
        When a switch that is running PVST+ is added to this network, DSW2 keeps operating in Rapid PVST+ and the new switch operates in PVST+. Rapid PVST+ (RSTP) is backward compatible with PVST+: on the ports that receive legacy BPDUs from the PVST+ switch, DSW2 falls back to 802.1D-compatible operation.

      6. OSPF:
        • uses Dijkstra's Shortest Path First algorithm
        • uses an election process
        EIGRP:
        • uses the Diffusing Update Algorithm (DUAL)
        • uses bandwidth, delay, reliability, and load for routing metric

      7. Refer to the exhibit:

        image

        The Cisco REST response indicates that Cisco DNA Center is unable to communicate with cat3850-1 and has incorrect credentials for cat9000-1.
      B-)

    • Generic Routing Encapsulation (GRE):
      1. Does not provide security (no confidentiality, integrity or authentication)
      2. Can encapsulate nearly any type of data

      IP Security (IPsec):
      1. Provides:
        • Confidentiality: Encryption
        • Integrity: Hashing
        • Authentication: PSKs or Digital Signatures
        • Anti-replay: sequence numbers on every packet, checked by the receiver against a sliding window
      2. Can encapsulate unicast IP packets
      3. Two Modes:
        • Transport: keeps the packet's original IP header; only the payload is protected
        • Tunnel: Encapsulate entire packet
      4. Setup Steps:
        1. Establish an Internet Key Exchange (IKE) Phase 1 tunnel (a.k.a. Internet Security Association and Key Management Protocol (ISAKMP) tunnel)
        2. Establish IKE Phase 2 Tunnel
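      Added example (not from the original notes): the ESP anti-replay service listed above, implemented as the sliding-window check a receiver performs on sequence numbers (RFC 4303 style). The arrival sequence is constructed. The window moves only for packets that also pass the integrity check; otherwise an attacker who guessed a plausible sequence number could push legitimate packets out of the window without ever possessing the key. IOS uses a 64-packet window by default and lets you raise it with crypto ipsec security-association replay window-size.

```python
"""ESP anti-replay: a sliding window over sequence numbers (RFC 4303 style).

Added example, not from the original notes. Each protected packet carries
a monotonically increasing sequence number. The receiver keeps the highest
number accepted and a bitmap of which of the last `size` numbers arrived,
so a replayed packet (bit already set) or a stale one (below the window)
is dropped. The window is updated only after the integrity check (ICV)
succeeds, so forged packets cannot poison it.
"""


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far (0 = none)
        self.bitmap = 0           # bit i set => sequence (highest - i) was accepted

    def _check(self, seq: int) -> bool:
        if seq == 0:
            return False          # ESP sequence numbers start at 1
        if seq > self.highest:
            return True           # a new high is always inside the window
        offset = self.highest - seq
        if offset >= self.size:
            return False          # too old: fell off the left edge of the window
        return not (self.bitmap & (1 << offset))   # replay if already seen

    def _update(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window right; anything shifted past `size` is forgotten
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, seq: int, icv_valid: bool = True) -> bool:
        """Return True if the packet is accepted. The window moves only for
        packets that pass both the replay check and the integrity check."""
        if not self._check(seq):
            return False
        if not icv_valid:
            return False          # forged packet: drop without touching the window
        self._update(seq)
        return True


def process(arrivals, size: int = 64):
    """Feed (seq, icv_valid) pairs through one window; return the accept flags."""
    win = AntiReplayWindow(size)
    return [win.receive(seq, ok) for seq, ok in arrivals]


# Constructed arrival order: in-order start, one replay, a reorder, a forged
# packet with a plausible sequence number, then a large jump that ages out
# everything more than 64 behind the new high.
SAMPLE_ARRIVALS = [(1, True), (2, True), (3, True), (2, True), (5, True),
                   (4, True), (6, False), (6, True), (100, True), (36, True),
                   (37, True), (37, True)]
```

      Reordering within the window (5 before 4) is tolerated, the replay of 2 and the second 37 are dropped, and 36 is rejected only because it is 64 behind 100: a larger window accepts it. Note that the forged 6 does not consume sequence number 6, so the genuine 6 is still accepted afterwards.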

      GRE over IPsec:
      • GRE encapsulate nearly any traffic type into GRE packets, which are unicast IP packets
      • The GRE packets are protected over the IPsec tunnel

      Locator/ID Separation Protocol (LISP) uses two identifiers for a network endpoint:
      • First, the Routing LOCator (RLOC) is the IP address of a router that can forward traffic to devices within a LISP site.
      • Second, the Endpoint ID (EID) identifies the endpoint within a LISP site.
      • An Ingress Tunnel Router learns how to reach an EID at a remote site by querying a Map Resolver (MR), which returns the RLOC(s) for the requested EID.
      • The MR obtains that mapping from a Map Server (MS), with which the remote site's ETR registered its EID-to-RLOC mapping.
      • Ingress Tunnel Router (ITR): encapsulates traffic from local EIDs toward the destination RLOC
      • Egress Tunnel Router (ETR): decapsulates LISP traffic for its local EIDs and registers its EID prefixes with the MS
      • Proxy ITR (PITR): does LISP mapping lookups and encapsulation on behalf of non-LISP sites sending to LISP EIDs
      • Proxy ETR (PETR): decapsulates traffic from LISP sites that is destined to non-LISP sites and forwards it natively

      Sample LISP Benefits:
      • Scale Internet Routing Tables
      • Over-the-Top Virtualization
      • Multi-Homing
      • Mobility
      • IPv6 Migration

      VxLAN Switch:
      • supports over 16 million VxLAN segments / broadcast domains (2^24 = 16,777,216)
      • each identified by a VxLAN Network Identifier (VNI)
      • carried in a 24-bit VNI field

      as opposed to a Traditional Ethernet Switch:
      • which supports only 4,094 usable VLANs / broadcast domains
      • (due to the 12-bit VLAN ID field: 4,096 values, with 0 and 4095 reserved)

      Spine-Leaf Design (VxLAN terms):
      • Virtual Ethernet Module (VEM): the device that performs the VxLAN encapsulation. Each VEM has at least one IP address,
      • and that address is assigned to an interface called a VxLAN Tunnel EndPoint (VTEP). Using the VEM's IP address, a VTEP sets up a tunnel to a VTEP on another switch. Each VTEP can be associated with one or more VNIs.

      • A Type 1 hypervisor (also known as a 'native' or 'bare metal' hypervisor) runs directly on a server's hardware.
        However, a Type 2 hypervisor (also known as a 'hosted' hypervisor) runs on top of a traditional operating system.
        There is no Type 3 or Type 4 hypervisor category.

      • A container contains an application and its support files. The underlying operating system can host multiple containers whose applications need that operating system.
        A virtual server contains an operating system.
        A virtual data path is a technology that influences data flow, such as creating a tunnel between two sites.
        A virtual switch runs on a hypervisor and can logically interconnect virtual devices (e.g. virtual servers or virtual routers) also running on that hypervisor, in addition to logically connecting to a physical server's Network Interface Card (NIC).

      • Even though 'leaking' can be configured to allow a router's global routing table and a VRF instance's routing table to exchange routes, by default, the global routing table doesn't see routes from nor exchange routes with a VRF instance's routing table.

      • EIGRP's metric calculation can consider Bandwidth, Delay, Reliability, and Load, with MTU used as a tie breaker if the calculation is the same for two paths. However, the calculation uses K Values to determine how influential the various metric components are in the final metric value. By default, three K Values are set to 0, resulting in only Bandwidth and Delay being used in a default metric calculation.

      1. YANG models describe data that is encoded as XML (over NETCONF) or JSON (over RESTCONF); the model is the schema for that data.

      2. An engineer must configure HSRP group 300 on a Cisco IOS router. When the router is functional, it must be the active HSRP router. The peer router has been configured using the default priority value. Command set required is:
        standby 300 priority 110
        standby 300 preempt
        The default HSRP priority is 100.

      3. aaa new-model
        aaa authentication login authorizationlist group tacacs+
        tacacs-server host 192.168.0.202
        tacacs-server key ciscotestkey
        line vty 0 4
         login authentication authorizationlist
        !
        The effect of this configuration is that the device authenticates all users connecting to vty lines 0 through 4 against TACACS+. Note that the method list names only TACACS+ with no fallback: if 192.168.0.202 is unreachable, vty logins fail, so production configurations normally append a second method such as local or enable.

      4. In a fabric-enabled SSID, 802.11 traffic is converted by the AP into 802.3 frames and encapsulated in VxLAN toward the fabric edge switch.

      5. The DHCP messages that are exchanged between a client and an AP in the order they are exchanged:
        • Step 1: DHCP discover
        • Step 2: DHCP offer
        • Step 3: DHCP request
        • Step 4: DHCP ack

      6. Refer to the exhibit:

        image
        The configuration that must be applied to R2 to enable R1 to reach the server at 172.16.0.1 is:
        interface Ethernet0/0
         vrf forwarding bank
         ip address 172.16.0.7 255.255.0.0
        !
        router ospf 44 vrf bank
         network 172.16.0.0 0.0.255.255 area 0

      7. Refer to the exhibit:

        image
        Router1 is currently operating as the HSRP primary with a priority of 110. If Router1 fails and Router2 takes over the forwarding role, the 'standby 2 preempt' command on Router1 causes it to take the forwarding role back when it returns to service.

      8. The most common implementations of OAuth (OAuth 2.0) use one or both of these tokens:
        • access token: sent like an API key (typically as a bearer token), it lets the application access a user's data; access tokens can expire.
        • refresh token: optionally part of an OAuth flow, a refresh token obtains a new access token once the current one has expired. OAuth 2.0 is an authorization framework (authentication is layered on top of it by OpenID Connect); scopes and token lifetimes give fine-grained control over what a token may do and for how long.

      9. Name is Bob Johnson
        Age is 75
        Is alive

        Favorite foods are:
        • Cereal
        • Mustard
        • Onions
        The Json syntax that is formed from the data is:
        {
          "Name": "Bob Johnson",
          "Age": 75,
          "Alive": true,
          "Favorite Foods": ["Cereal", "Mustard", "Onions"]
        }

      10. OSPF:
        • summaries can be created only in specific parts of the IGP topology (on ABRs and ASBRs)
        • uses areas to segment a network
        EIGRP:
        • summaries can be created anywhere in the IGP topology (on any interface of any router)

      11. An engineer is implementing a Cisco MPLS TE tunnel to improve the streaming experience for the clients of a video-on-demand server. To configure extended discovery to support the MPLS LDP session between the headend and tailend routers, the engineer must configure the Cisco MPLS TE tunnel on both ends of the session.
      B-)

      • DTP modes of Trunk and Dynamic Desirable both initiate the formation of a trunk by sending DTP frames. The mode of Dynamic Auto will setup a trunk if it receives a DTP frame, but it doesn't initiate trunk formation. Also, Access mode prevents a trunk from being formed. As a result, the only two mode combinations that would fail to bring up a trunk are: (1) one side set to Access (regardless of the other side's mode) and (2) both sides set to Dynamic Auto.

      • In addition to the instances defined in an MSTP configuration, a default instance, MST0 (the IST), is created. All VLANs not explicitly assigned to an MSTP instance belong to MST0.

      • A Passive Interface is an interface that participates in an OSPF routing process without sending Hello messages. This type of interface is appropriate for an interface connecting out to endpoints but no other OSPF-speaking routers. Making such an interface passive allows its network to be advertised by OSPF to neighboring routers without sending unnecessary Hello messages, and also prevents a malicious user from adding an OSPF-speaking router to that interface's network and forming an unwanted OSPF adjacency.

      • BGP neighbors must be configured with one another's IP addresses, as opposed to dynamically discovering each other with multicast Hello messages, which are used by EIGRP and OSPF. BGP neighbors form a TCP session between themselves, rather than a UDP session. Also, even though BGP neighbors can be a maximum of 255 hops away from one another (using the 'ebgp-multihop' command), by default, eBGP neighbors must be directly connected.

      • IPv6 routes can be advertised over either an IPv4 or an IPv6 session with Multiprotocol BGP. However, if an IPv4 session is used, the receiving BGP neighbor doesn't learn the IPv6 address of the router sending the IPv6 route advertisement. To overcome this issue, can configure a route map to add the IPv6 next-hop address to IPv6 route advertisements.

      • A cycle is defined as one complete up and down motion of an electromagnetic wave. This is used to determine the frequency of an electromagnetic wave by counting the number of cycles that happen over the period of one second, otherwise known as Hertz (Hz). For example, if an electromagnetic wave has four complete up and down motions over the period of one second, there are four cycles per second, and the frequency of this electromagnetic wave is 4 Hz.

      • Monitor mode is a special-purpose mode to which you can assign a Cisco lightweight access point. When operating in this mode, the access point does not provide any network access to users. It is dedicated to performing various background operations, such as Intrusion Detection Service (IDS) monitoring, rogue access point detection, and location-based services, among other things.

      • In a Network Address Translation (NAT) configuration:

        image
        A client inside of a network has its private IP address of 192.168.10.10 translated into a publicly routable IP address of 209.165.200.226.
        The 209.165.200.226 IP address is referred to as an Inside Global Address, because the IP address is Globally routable and refers to a device on the Inside of the network. Also, the 192.168.10.10 IP address is referred to as an Inside Local Address, because it's a Locally routable address and refers to a device on the Inside of the network.

      • HSRP has a default Hello time of 3 seconds. However, instead of a Hello time, VRRP uses a Master Advertisement Interval, which defaults to 1 second.
        Also, HSRP has Preemption disabled by default, while VRRP has Preemption enabled by default.
        While HSRP is Cisco-proprietary, VRRP is an industry-standard First Hop Redundancy Protocol (FHRP).
        Finally, while HSRP cannot use a Virtual IP address that is already assigned to an interface, VRRP can.

      BGP:

      Weight > Local preference > Originate (locally originated) > AS path length > Origin type (IGP < EGP < incomplete) > Multi-exit discriminator (MED) > Paths (eBGP over iBGP) > Router ID
      (The full Cisco algorithm also prefers the lowest IGP metric to the next hop and the oldest eBGP path before falling back to the lowest router ID.)

      We Love Oranges AS Oranges Mean Pure Refreshment
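      Added example (not from the original notes): the selection order above as a ranking function, applied to a constructed version of the AS 200 local-preference scenario from the earlier question. One labelled simplification: MED is compared across all paths here, whereas IOS compares it only between paths from the same neighbouring AS unless 'bgp always-compare-med' is configured.

```python
"""Cisco BGP best-path selection, step by step.

Added example, not from the original notes. Candidate paths for one prefix
are ranked by the attributes in the order the mnemonic lists them (weight,
local preference, locally originated, AS-path length, origin, MED, eBGP over
iBGP, then the tie-breakers IGP metric to the next hop and lowest router ID).
Simplification: MED is compared across all paths (IOS: same neighbour AS only).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP < EGP < incomplete (lower wins)
STEPS = ["weight", "local_pref", "locally_originated", "as_path_length",
         "origin", "med", "ebgp_over_ibgp", "igp_metric", "router_id"]


@dataclass(frozen=True)
class BgpPath:
    via: str                          # label for the exit point, e.g. "R4 / Link 2"
    weight: int = 0                   # Cisco-proprietary, local to this router
    local_pref: int = 100             # default 100, carried within the AS by iBGP
    locally_originated: bool = False
    as_path: Tuple[int, ...] = ()
    origin: str = "i"
    med: int = 0                      # lower wins
    ebgp: bool = False                # learned from an eBGP neighbour?
    igp_metric: int = 0               # IGP cost to reach the BGP next hop
    router_id: str = "0.0.0.0"        # lowest wins as the final tie-breaker


def rank_key(p: BgpPath) -> tuple:
    """Tuple whose lexicographic minimum is the best path."""
    return (-p.weight,                      # higher weight preferred
            -p.local_pref,                  # higher local preference preferred
            0 if p.locally_originated else 1,
            len(p.as_path),                 # shorter AS path preferred
            ORIGIN_RANK[p.origin],
            p.med,
            0 if p.ebgp else 1,             # eBGP over iBGP
            p.igp_metric,
            int(IPv4Address(p.router_id)))


def best_path(paths: List[BgpPath]) -> BgpPath:
    return min(paths, key=rank_key)


def deciding_step(paths: List[BgpPath]) -> str:
    """Name the first selection step on which the best path beat its runner-up."""
    ranked = sorted(paths, key=rank_key)
    best, second = rank_key(ranked[0]), rank_key(ranked[1])
    for step, a, b in zip(STEPS, best, second):
        if a != b:
            return step
    return "tie"


# Constructed AS 200 scenario from the local-preference question above:
# two exits to the same prefix; R4 has 'bgp default local-preference 200'.
VIA_R3 = BgpPath(via="R3 / Link 1", local_pref=100, as_path=(100,), router_id="3.3.3.3")
VIA_R4 = BgpPath(via="R4 / Link 2", local_pref=200, as_path=(100,), router_id="4.4.4.4")

if __name__ == "__main__":
    chosen = best_path([VIA_R3, VIA_R4])
    print("best exit:", chosen.via, "decided by", deciding_step([VIA_R3, VIA_R4]))
```

      deciding_step() is the part worth keeping around when troubleshooting: it tells you which attribute actually broke the tie, which is what 'show ip bgp <prefix>' makes you work out by hand.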

      • By entering the 'ping' keyword at the EXEC command line with no IP address attached, a built-in IOS wizard prompts for the details of the ping you wish to execute. This allows you to control things such as the repeat count, the datagram size, the source address or interface, and more.

      • By default, SNMP managers poll SNMP agent devices over UDP port 161; agents send unsolicited traps and informs to the manager on UDP port 162. These polls are remote queries that are used to gather information about the hardware and software states of the devices.

      • Syslog messages carry a severity level from 0 to 7, where level 7 (debugging) is the least severe, informational debugging output, and level 0 (emergencies) is the most severe: it indicates an unstable or unusable system.

      • The command 'ip flow-export destination 10.1.1.5 9995' would point a Cisco IOS device to a NetFlow collector at the given IP address, and would send the NetFlow data over port 9995.

      1. Refer to the exhibit:

        image
        network 20.1.1.2 0.0.0.0 area 0 must be applied to R2 for an OSPF neighborship to form.
        The existing network 20.0.0.0 0.0.0.255 area 0 command on R2 covers only 20.0.0.0 through 20.0.0.255 (the wildcard leaves just the last octet free), so it does not include the IP address of R2's Fa1/1 interface and OSPF never runs on that interface. Any statement that covers 20.1.1.2 fixes it: network 20.1.1.2 0.0.0.0 area 0, network 20.1.1.0 0.0.0.255 area 0, or network 20.1.0.0 0.0.255.255 area 0.
        The network 0.0.0.0 255.255.255.255 area 0 command on R1 runs OSPF on all of R1's active interfaces, so the mismatch is on R2's side.
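        Added example (not from the original notes): the wildcard comparison IOS performs for each 'network' statement, run against a constructed R2 with the interfaces from this question. It shows why the /24 at 20.0.0.x misses Fa1/1, which alternative statements catch it, and how the most specific statement wins when several match.

```python
"""Which interfaces does an OSPF 'network' statement enable?

Added example, not from the original notes. IOS compares each interface's
primary IPv4 address with every 'network <address> <wildcard> area <n>'
statement. A wildcard is an inverse mask: 0 bits must match, 1 bits are
ignored. When several statements match, the most specific one (fewest
wildcard bits) decides the area. An interface matching no statement does
not run OSPF at all.
"""
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

ALL_ONES = 0xFFFFFFFF


def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = w ^ ALL_ONES                    # invert: 1 = bit must match
    return (a & care) == (n & care)


def specificity(wildcard: str) -> int:
    """Number of 'must match' bits; higher means a more specific statement."""
    return bin(int(IPv4Address(wildcard)) ^ ALL_ONES).count("1")


def ospf_interfaces(interfaces: Dict[str, str],
                    statements: List[Tuple[str, str, int]]) -> Dict[str, int]:
    """interfaces: {name: ip}; statements: [(network, wildcard, area)].
    Returns {interface: area} for the interfaces OSPF will run on."""
    enabled = {}
    for name, ip in interfaces.items():
        hits = [(specificity(w), area) for net, w, area in statements
                if wildcard_matches(ip, net, w)]
        if hits:
            enabled[name] = max(hits)[1]   # most specific statement wins
    return enabled


# Constructed R2: Fa1/1 faces R1 on 20.1.1.0/24; the other addresses are made up.
R2_INTERFACES = {"Fa1/1": "20.1.1.2", "Fa0/0": "172.16.5.1", "Lo0": "2.2.2.2"}

WRONG = [("20.0.0.0", "0.0.0.255", 0)]        # only 20.0.0.x: misses 20.1.1.2
FIX_HOST = [("20.1.1.2", "0.0.0.0", 0)]       # exact interface address
FIX_SLASH24 = [("20.1.1.0", "0.0.0.255", 0)]  # the /24
FIX_SLASH16 = [("20.1.0.0", "0.0.255.255", 0)]
FIX_ALL = [("0.0.0.0", "255.255.255.255", 0)]  # every active interface
```

        The last statement is the convenient one from the R1 side of the question, but it also drags Fa0/0 and Lo0 into area 0, so in practice prefer the most specific statement (or 'ip ospf <pid> area <n>' on the interface) over 'network 0.0.0.0 255.255.255.255'.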

      2. VxLAN uses an 8-byte VxLAN header that consists of an 8-bit flags field (the I bit marks the VNI as valid), a 24-bit VNI (VNID), and reserved bits. The VxLAN header together with the original Ethernet frame goes in the UDP payload (destination port 4789). The 24-bit VNI identifies Layer 2 segments and maintains Layer 2 isolation between them.
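      Added example (not from the original notes), also for the VxLAN vs VLAN comparison earlier on this page: building and parsing the 8-byte header with the standard library, wrapping a constructed Ethernet frame. The constants make the 16,777,216 vs 4,094 figure explicit.

```python
"""Build and parse the 8-byte VXLAN header (RFC 7348).

Added example, not from the original notes. Layout, big-endian:
  byte 0      flags; bit 0x08 ('I') means the VNI is valid, other bits reserved
  bytes 1-3   reserved, zero
  bytes 4-6   24-bit VXLAN Network Identifier (VNI)
  byte 7      reserved, zero
The header plus the original Ethernet frame rides in a UDP datagram to
destination port 4789.
"""
import struct

VXLAN_UDP_PORT = 4789
FLAG_I = 0x08
VNI_BITS, VLAN_BITS = 24, 12
VNI_SEGMENTS = 1 << VNI_BITS            # 16,777,216 VxLAN segments
VLAN_USABLE = (1 << VLAN_BITS) - 2      # 4,094 VLANs (IDs 0 and 4095 are reserved)


def is_valid_vxlan_header(hdr: bytes) -> bool:
    """True if the header is long enough and carries a valid VNI (I flag set)."""
    return len(hdr) >= 8 and bool(hdr[0] & FLAG_I)


def build_vxlan_header(vni: int) -> bytes:
    if not 0 <= vni < VNI_SEGMENTS:
        raise ValueError("VNI must fit in 24 bits")
    word0 = FLAG_I << 24                # flags in the top byte, 24 reserved bits zero
    word1 = vni << 8                    # VNI in the top 24 bits, low byte reserved
    return struct.pack(">II", word0, word1)


def parse_vxlan_header(hdr: bytes) -> int:
    """Return the VNI, rejecting a header whose I flag is clear."""
    if not is_valid_vxlan_header(hdr):
        raise ValueError("not a valid VXLAN header")
    _word0, word1 = struct.unpack(">II", hdr[:8])
    # Reserved bits are ignored on receipt, as RFC 7348 requires.
    return word1 >> 8


def encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """UDP payload = VXLAN header + original Ethernet frame (FCS already stripped)."""
    return build_vxlan_header(vni) + inner_frame


def decapsulate(udp_payload: bytes):
    """Return (vni, inner_frame); the VTEP then forwards the frame within that VNI."""
    return parse_vxlan_header(udp_payload), udp_payload[8:]


# Constructed inner frame: dst MAC, src MAC, EtherType 0x0800, dummy payload.
SAMPLE_FRAME = (bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455")
                + bytes.fromhex("0800") + b"payload")
```

      A VTEP that receives a header with the I flag clear has no VNI to switch in, so it must drop the packet rather than guess; that is why the parser refuses it instead of returning zero.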

      3. An engineer is configuring a new SSID to present users with a splash page for authentication. The Local Policy WLAN Layer 3 setting must be configured to provide this functionality.

      4. A benefit of data modeling languages like Yet Another Next Generation (YANG) is they provide a standardized data structure, which results in configuration scalability and consistency.
        YANG is a language which is only used to describe data models (structure). It is not XML or JSON.

      5. An EEM policy is an entity that defines an event and the actions to be taken when that event occurs. There are two types of EEM policies: an applet or a script.
        An applet is a simple form of policy that is defined within the CLI configuration.
        event manager applet ondemand
         event none -> allows EEM to identify an EEM policy that can be manually triggered
         action 1.0 syslog priority critical msg 'This is a message from ondemand'
        There are two ways to manually run an EEM policy. EEM usually schedules and runs policies on the basis of an event specification that is contained within the policy itself. To run the policy, use either the action policy command in applet configuration mode or the event manager run command in privileged EXEC mode.

      6. DHCP option 43 helps lightweight APs find the IP address of a wireless LAN controller.
      B-)

      • By default, a Cisco IOS SPAN configuration will monitor both transmitted and received traffic on a selected interface. Other options can be selected during configuration if there are specific needs, using the keywords 'rx' (only monitor received traffic) or 'tx' (only monitor transmitted traffic). The 'both' option is also available, which is the same as the default action that monitors both transmitted and received traffic.

      • The 'start-time' keyword allows you to specify a starting time for the IP SLA probe. This can be followed by several options, such as the 'after' keyword to start the probe after a specified amount of time. Exact times can also be entered in hours, minutes, and seconds if there is a specific time at which the probe should start. Other options include 'now' (for immediate probe start) and 'random' (to start the probe after a random time interval).

      • Applets are a more simplified tool for creating EEM policies, as opposed to scripts that are created with an interpreter language. Applets can be used within the Cisco IOS Command Line Interface (CLI) to create EEM policies.

      Device Access Security:

      Privilege Level Passwords:
      • Level 0:
        • Most restricted
        • 5 available commands
      • Level 1 (User Level):
        • Read-only commands
      • Level 15 (Privileged Level):
        • Complete device control

      Least Privilege Principle: Users should only have the minimum level of access necessary to perform their job duties.
      • Helpdesk support staff
      • Junior admins
      • Senior engineers

      Line Passwords:
      • CTY Line:
        • Console port
        • Initial configuration
      • AUX Line:
        • Auxiliary port
        • Backup console port
      • VTY Lines:
        • Virtual terminal connections
        • Inbound telnet control

      AAA with a Local Database:
      • Authentication:
        • Proof of identity
        • Username & password
      • Authorization:
        • Privileges and restrictions
        • Authentication does not ensure authorization
      • Accounting:
        • Record of user actions
        • Log files

      • External AAA:
        • RADIUS:
          • IETF open standard
          • UDP ports 1812/1813
          • Encrypts password field only
          • Network access
        • TACACS+:
          • Cisco-proprietary
          • TCP port 49
          • Encrypts entire payload
          • Device administration
          aaa new-model
          username charles privilege 15 secret cisco
          !
          tacacs server TACACS
           address ipv4 10.1.1.5
           key security
          !
          aaa group server tacacs+ T-GROUP
           server name TACACS
          !
          aaa authentication login default group T-GROUP local
          aaa authorization exec default group T-GROUP local

      Wireless Security:

      Extensible Authentication Protocol (EAP):

      802.1x Authentication:
      • IEEE standard which defines port-based network control
      • Uses EAP over LAN (EAPoL) to control access to the local area network

      1. Supplicant: The endpoint requesting access
      2. Authenticator: Network device controlling physical access to the network
      3. Authentication Server: Performs the actual authentication of the endpoint

      Native EAP Types:

      EAP-TLS:
      • One of the most secure EAP types
      • Uses X.509 certificates for mutual authentication
      • Highly regarded in BYOD deployments

      EAP-MD5:
      • Hides credentials in a hash
      • Common on IP phones

      EAP-MSCHAPv2:
      • Credentials encrypted within an MSCHAPv2 session
      • Simple transmission of credentials
      • Ability to communicate with Active Directory

      EAP-GTC:
      • Cisco alternative to MSCHAPv2
      • Enables more generic authentication

      Tunneled EAP Types:

      PEAP (Protected EAP):
      • Originally proposed by Microsoft
      • Uses X.509 certificate
      • Uses an additional native EAP type for inner method

      1. Radio resource management in a Cisco SD-Access wireless solution is performed on the wireless controller.
        Fabric wireless controllers manage and control the fabric-mode APs using the same general model as the traditional local-mode controllers, which offers the same operational advantages such as mobility control and radio resource management. A significant difference is that client traffic from wireless endpoints is not tunnelled from the APs to the wireless controller. Instead, communication from wireless clients is encapsulated in VxLAN by the fabric APs, which build a tunnel to their first-hop fabric edge node. Wireless traffic is tunneled to the edge nodes because the edge nodes provide fabric services such as the Layer 3 Anycast Gateway, policy, and traffic enforcement.

      2. R1#
        interface GigabitEthernet0/0
         ip address 192.168.250.2 255.255.255.0
         standby 20 ip 192.168.250.1
         standby 20 priority 120

        R2#
        interface GigabitEthernet0/0
         ip address 192.168.250.3 255.255.255.0
         standby 20 ip 192.168.250.1
         standby 20 priority 110

        R1 becomes the active router; if it goes down, R2 becomes active and remains the active device when R1 comes back online, because neither router is configured to preempt.

      3. Refer to the exhibit:

        image
        An engineer issues a ping from S1 to S2. Given the initial TTL value:
        • The packet reaches R3, and the TTL expires
        • R3 replies with a TTL exceeded message.

      4. The login method is configured on the VTY lines of a router with these parameters:
        • The first method for authentication is TACACS
        • If TACACS is unavailable, login is allowed without any provided credentials
        The configuration that accomplishes this task is:

        aaa new-model
        aaa authentication login default group tacacs+ none
        aaa session-id common
        !
        line vty 0 4
         password 7 020203948574
        !
        The 'default' keyword means the method list applies to all login connections (tty, vty, console, and aux). If this keyword is used, nothing else needs to be configured under the tty, vty, and aux lines. If it is not used, the line(s) to which the authentication feature should apply must be specified, like this:
        aaa new-model
        aaa authentication login telnet group tacacs+ none
        aaa session-id common
        !
        line vty 0 4
         login authentication telnet

      5. An engineer is concerned with the deployment of a new application that is sensitive to inter-packet delay variance. The ip sla responder tcp-echo 172.29.139.134 5000 command configures the router to be the destination of jitter measurements.

      6. While configuring an IOS router for HSRP with a virtual IP of 10.1.1.1, an engineer sees this log message:
        Jan 1 12:12:12.111 : %HSRP-4-DIFFVIP1: GigabitEthernet0/0 Grp 1 active
        routers virtual IP address 10.1.1.1 is different to the locally
        configured address 10.1.1.25
        The engineer must change the HSRP virtual address on the local router to 10.1.1.1.
      B-)

    • EAP-FAST (Flexible Authentication via Secure Tunnel):
      • Created by Cisco as a PEAP alternative
      • Faster re-authentication
      • Faster wireless roaming
      • Uses Protected Access Credentials (PACs)

      image
      Web-based Authentication (WebAuth):
      • No client software is required, making this a more flexible authentication method.
      • Commonly found in corporate guest network access.
      • No IP traffic allowed from the host before successful authentication.

      • Central Web Authentication: Used in larger WebAuth deployments where a centralized RADIUS database (such as Cisco ISE) is necessary.
      • Local Web Authentication: Used in smaller wireless deployments where WebAuth is handled locally by the wireless LAN controller.

      WebAuth Process:
      1. Guest user connects to WebAuth configured SSID.
      2. Guest user opens a web browser.
      3. WLC redirects browser to guest portal.
      4. Guest portal authenticates user and informs WLC via RADIUS.
      5. Access control attributes are applied to the guest user.
      6. WLC returns successful login page to user, and any acceptable user policies for review.

      WebAuth Benefits:
      • No special client software required
      • Familiarity for end users
      • Customizable user interface

      WebAuth Limitations:
      • Not transparent to end users
      • Not as secure as 802.1x
      • Lack of single sign-on capabilities

      Security Design Considerations:

      Cyber Threat Defense:

      Cisco SAFE:
      • Security model for modern needs
      • Logical Places In the Network (PINs)

      Common PINs:

      • Branch:
        • Typically less secure due to cost
        • Most susceptible to threats

          Mitigation Focus:
        • Endpoint malware and antivirus protection
        • Wireless infrastructure protection
        • Trust exploitation protection

      • Campus:
        • Large user populations with varied devices
        • Subnets and VLAN segmentation

          Mitigation:
        • Phishing and web-based exploits
        • Network malware and botnet infestation
        • BYOD increases attack surface

      • WAN:
        • Connects network resources together
        • Provides critical network access

          Mitigation:
        • Unauthorized application access
        • Malware propagation
        • Data exfiltration and/or loss

      • Data Center:
        • Informational assets
        • Physical and/or virtual servers

          Mitigation:
        • Malware propagation
        • Unauthorized user access
        • Reconnaissance attacks

      • Edge:
        • Primary ingress/egress for network
        • Most critical infrastructure resource

          Mitigation:
        • Web server vulnerabilities
        • Distributed Denial of Service (DDoS)
        • Man-In-The-Middle (MITM)

      • Cloud:
        • Popular for convenience and cost
        • Rely largely on the provider for security

          Mitigation:
        • SLA dictates security strength
        • Information storage and access
        • Uptime and recovery guidelines

      • Management: Policy creation, change management, patching
      • Security Intelligence: Intelligence of emerging threats
      • Compliance: Internal and external policies
      • Segmentation: Boundaries for users and data
      • Threat Defense: Visibility for traffic assessment
      • Secure Services: Traffic protection through encryption

      Endpoint Hardening:

      • Advanced Malware Protection (AMP) for Endpoints:
        Detection Mechanisms:
        • Continual endpoint monitoring
        • Vulnerable software detection and reporting
        Response:
        • Endpoint forensics
        • File and device trajectories
        • Powerful analysis and tracking features

      • Cisco Umbrella:
        • Previously OpenDNS
        • DNS filtering service for internet destinations
        • Machine learning continually updates database
        Deploy:
        • Add network public IP address into configuration
        • Point all network DNS to Umbrella
        • Prevent end users from changing local DNS with firewall rules

      • Cisco AnyConnect VPN:
        • Provides access to enterprise network over public networks
        • Used in conjunction with Cisco Adaptive Security Appliance (ASA)

      • Prevention, detection, and response
      • Intelligence from cloud-based analytics

        Cisco TALOS:
      • Global stats for threat tracking
      • Feeds threat intel into Cisco AMP

        Cisco ThreatGRID:
      • Static and behavioral file analysis
      • Used in conjunction with Cisco TALOS

      Cisco TrustSec:

      Traditional Access Control:
      • Based on topologies and segmentation
      • Modern networks require flexibility
      • Cisco TrustSec offers access control through contextual identification

      Cisco Identity Services Engine (ISE):
      • Uses Cisco TrustSec to assign a tag
      • Security Group Tag (SGT)
      • Tags dictate which access policies are enforced throughout the network

      Advantages of Cisco TrustSec:
      • Highly scalable and efficient
      • No topology changes necessary when altering access control
      • Not a replacement for traditional methods such as VLANs and subnets, but a supplement

      1. JSON syntax can be written as follows:
        {
          "switch": {
            "name": "dist1",
            "interfaces": ["gig1", "gig2", "gig3"]
          }
        }

      2. The primary components for the Cisco SD-WAN solution consist of the vManage network management system (management plane), the vSmart controller (control plane), the vBond orchestrator (orchestration plane), and the vEdge router (data plane).

      3. Cisco DNA Center creates device packs through the use of an SDK to allow management of non-Cisco devices through southbound protocols.
        Cisco DNA Center allows customers to manage their non-Cisco devices through the use of a Software Development Kit (SDK) that can be used to create Device Packages for third-party devices.

      4. DTLS protocol is used to encrypt control plane traffic between SD-WAN controllers and SD-WAN endpoints.

      5. "HTTP/1.1 204 No Content" is returned when a curl -X DELETE command is issued, so the command succeeded in deleting the object.

      6. The fail-safe defaults design principle states that a user has no access by default to any resource: unless access to a resource is explicitly granted, it should be denied.
        In other words, the system makes access-control decisions using a whitelist: who may do what, which resources they may access, and by which method. Anything not on the whitelist is denied by default. This is the opposite of a blacklist, which specifies what is not allowed; in the long run a blacklist is hard to maintain, because new evasion techniques must constantly be added to it.
        medium.com/incognitolab/หลักแห่งการออกแบบระบบอย่างมั่นคงปลอดภัย-secure-design-principles-64a5ba0c6142
      B-)

    • Media Access Control Security (MACsec):
      • IEEE 802.1AE
      • Layer 2 protocol
      • Confidentiality and integrity over Ethernet

      • Wired equivalent of WPA/WPA2 protection
      • More viable option than IPsec everywhere
      • 128-bit AES-GCM encryption

      • Only encrypted between MACsec peers
      • Internally on a switch, traffic is unencrypted
      • Still allows for deep packet inspection

      • Processed by switch ASICs
      • ASICs perform encryption/decryption
      • Less strenuous than IPsec encryption

        Security Association Protocol (SAP):
      • Line-rate encryption/decryption
      • 128-bit AES-GCM encryption
      • Cisco-proprietary
      • Used between Cisco switches

        Macsec Key Agreement (MKA) Protocol:
      • Same function as SAP
      • Open industry standard
      • Used between endpoints and switches

        Downlink MACsec:
      • Encrypted link between client and switch
      • MKA protocol
      • Requires supplicant software
      • MACsec can be required or optional

        Uplink MACsec:
      • Encrypted link between switches
      • SAP
      • MKA option available
      • Dynamic or manual negotiation

      • Commonly layered with TrustSec to add authentication

      • VTY lines in Cisco IOS are essentially Virtual Terminal connections. There is no physical hardware associated with these lines, as they are a function of the IOS software. In the running configuration, these are denoted as 'line vty 0 4', where the two numbers at the end are the line numbers. In this example, there are lines 0 through 4, for a total of five available VTY lines. These are used solely for controlling inbound Telnet connections.

      • The RADIUS protocol is an open standard used with external AAA database deployments. As opposed to the Cisco-proprietary TACACS+ protocol which encrypts the entire payload, RADIUS only encrypts the password field. RADIUS uses UDP ports 1812 and 1813 by default for communication.
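      What "encrypts the password field only" means on the wire, as an added example that is not part of these notes (it illustrates both the RADIUS bullet above and the External AAA list earlier): the RFC 2865 User-Password hiding applied inside an Access-Request. The shared secret, Request Authenticator, username and NAS address are constructed sample values.

```python
"""RFC 2865 User-Password hiding in a RADIUS Access-Request. Added example,
not from the notes; it illustrates the 'encrypts the password field only'
point about RADIUS. Shared secret, Request Authenticator, username and NAS
address are constructed sample values. RADIUS has no session key, so every
other attribute (User-Name, NAS-IP-Address, ...) is readable on the wire."""
import hashlib
import socket
import struct
from typing import Dict

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Pad to a multiple of 16 and XOR each block with an MD5 chain (RFC 2865 section 5.2)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c        # the next keystream block depends on this ciphertext block
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # strip padding; a password ending in NUL is not representable


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(2 + value)(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, authenticator: bytes,
                         username: bytes, password: bytes, nas_ip: str) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by attributes."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """What an on-path observer sees: every attribute except User-Password is plaintext."""
    attrs, off = {}, 20
    while off < len(packet):
        attr_type, length = packet[off], packet[off + 1]
        attrs[attr_type] = packet[off + 2:off + length]
        off += length
    return attrs


if __name__ == "__main__":
    # constructed sample values; a real NAS draws the authenticator from os.urandom(16)
    secret, auth = b"sample-secret", bytes(range(16))
    pkt = build_access_request(7, secret, auth, b"charles", b"cisco", "10.1.1.5")
    seen = parse_attributes(pkt)
    print("User-Name in clear:", seen[ATTR_USER_NAME])
    print("User-Password hidden:", seen[ATTR_USER_PASSWORD].hex())
```

The Request Authenticator must be fresh random data per request; reusing it with the same secret reuses the keystream. Protecting the whole exchange requires RADIUS over TLS (RadSec, RFC 6614), which is why TACACS+ is preferred for device administration.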

      • Extended ACLs have the ability to filter between protocol types and can match traffic based on both source and destination IP addressing. Because of the ability to see IP addressing in this way, a best practice recommendation is to place extended ACLs as close to the source as possible in order to stop traffic early on. This ensures that unwanted traffic doesn't take up network bandwidth unnecessarily.
        The opposite is true of standard ACLs, which are recommended to be placed as close to the destination as possible.

      • Modular QoS CLI (MQC) within the Control Plane Policing (CoPP) solution allows for both network traffic filtering and rate limiting.
        Within MQC, a traffic policy can be created and attached to an interface. ACLs are used only to identify the traffic on which MQC should act. Filtering and rate limiting are not performed by the ACL itself; the MQC policy is what performs the filtering and rate limiting.

      • EAP-TLS is one of the most commonly used native EAP types. This is considered to be one of the most secure EAP types and is one of the original authentication methods defined by the IEEE 802.1X standard. This requires a certificate authority in order to use X.509 certificates for mutual authentication between the client and server.

      • Central WebAuth redirects network client browsers to a central WebAuth server, which requires the client to login with valid credentials in order to obtain authentication and authorization. This is used in larger deployments that contain a centralized RADIUS database such as Cisco ISE.

      • The Compliance domain found in Cisco's cyber threat defense framework deals with both internal and external security policies. Examples include standard regulations such as HIPAA, SOX, and PCI. This would also include any internal policies that are specific to the network.

      • Cisco TrustSec is used by Cisco ISE to assign a Security Group Tag (SGT) to each device at the egress point of a TrustSec capable device. Based on the SGT tag, certain access policies will be enforced elsewhere in the infrastructure. SGTs can be used by routers, switches, and firewalls on Cisco TrustSec capable devices in order to make forwarding decisions.

      1. An engineer configures a WLAN with fast transition enabled. Some legacy clients fail to connect to this WLAN. The Adaptive R feature allows the legacy clients to connect while still allowing other clients to use fast transition based on their OUIs.

      2. ip access-list extended 100
         deny tcp host 10.10.10.1 any eq 80 -> except for http traffic sourced from the host IP 10.10.10.1
         permit ip any any -> permits all traffic

      3. Refer to the exhibit:

        image
        An engineer is investigating why guest users are able to access other guest user devices when the users are connected to the customer guest WLAN. The action that resolves this issue is to implement P2P blocking.
        Ensure 'Peer-to-Peer Blocking Action' is set to 'Drop' for All 'Wireless LAN Identifiers'
        This control determines whether the Wireless LAN Controller is configured to prevent clients connected to the same Wireless Local Area Controller from communicating with each other.
        Wireless Client Isolation prevents wireless clients from communicating with each other over the RF. Packets that arrive on the wireless interface are forwarded only out the wired interface of an Access Point. One wireless client could potentially compromise another client sharing the same wireless network.
        www.itsecure.hu/library/image/CIS_Cisco_Wireless_LAN_Controller_7_Benchmark_v1.1.0.pdf

      4. When a client device roams between wireless LAN controllers that are mobility peers, and both controllers have a dynamic interface on the same client VLAN, this is the inter-controller type of roam.

      5. Refer to the exhibit:

        image

        An engineer is troubleshooting a connectivity issue and executes a traceroute. The result confirms that the probe timed out.
        In Cisco routers, the codes for a traceroute command reply are:
        ! -- success
        * -- time out
        N -- network unreachable
        H -- host unreachable
        P -- protocol unreachable
        A -- admin denied
        Q -- source quench received (congestion)
        ? -- unknown (any other ICMP message)
        www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/22826-traceroute.html#addno

      6. An engineer configures GigabitEthernet0/1 for VRRP group 115.
        interface GigabitEthernet0/1
         ip address 10.10.10.2 255.255.255.0
         vrrp 115 ip 10.10.10.1
         vrrp 115 authentication 406530697
        The router must assume the primary role when it has the highest priority in the group. The required command set to complete this task is:
        Router(config-if)# vrrp 115 track 1 decrement 10
        Router(config-if)# vrrp 115 preempt

      7. 9100 is the recommended MTU size for a Cisco SD-Access Fabric.

      8. An engineer is implementing MPLS OAM to monitor traffic within the MPLS domain. The engineer must disable IP redirects on all ingress interfaces to prevent traffic from being forwarded beyond the service provider domain when the LSP is down.

      9. If the noise floor is -90 dBm and a wireless client is receiving a signal of -75 dBm, the SNR = Signal - Noise = -75 - (-90) = 15 dB.

      B-)

    • Network Automation:

      Overview of Software Defined Networking (SDN):
      • Distributed Control Plane
      • API
      • SouthBound Interfaces (SBI)
      • Centralized Control Plane
      • OpenFlow
      • NorthBound Interfaces (NBI)
      • RESTful APIs
      • JSON

      Cisco SDN Controllers:
      • Cisco Application Policy Infrastructure Controller (APIC): The SDN controller that's part of Cisco's Application Centric Infrastructure (ACI) solution for data centers.
      • Cisco Digital Network Architecture (DNA) Center: Cisco's SDN controller focused on Enterprise networks, that goes beyond traditional SDN by including 'intent.'
        Design, Policy, Provision, Assurance, and Platform

      JavaScript Object Notation (JSON) Format, 2 Basic Structures:
      • OBJECT: A collection of name/value pairs.
        • An unordered set of name/value pairs.
        • Enclosed in curly brackets
        • {
            "firstName":"Vekin",
            "lastName":"Lalwace"
          }
      • ARRAY: An ordered list of values:
        • An ordered set of comma-separated values.
        • Enclosed in straight brackets.
        • [
            "CCNA",
            "CCNP Enterprise",
            "CCIE Enterprise Infrastructure"
          ]

      Value:
      • Can be a string, number, object, array, null, true, or false.
      • Example of a JSON validator: https://jsonlint.com
      • {
            "Name": "Vekin Lalwace",
            "CCIE #": 7890,
            "Tracks": ["Enterprise Infrastructure", "Collaboration"]
        }

      YANG Data Modeling:

      Data Modeling Example:
      • Apple iPhone
      • Model: 12 mini, 12 Pro, 12 Pro Max, Other
      • Display Size: 5.4", 6.1", 6.7", Other
      • Color: Pacific Blue, Gold, Graphite, Silver, Purple, Blue, Green, (PRODUCT)RED, White, Black, Other
      • Capacity: 64 GB, 128 GB, 256 GB, 512 GB, Other

      • 12 Pro Max, 6.7", Graphite, 256 GB

      YANG Data Model of Network Interface:

      image
      NETCONF:

      1. Refer to the exhibit:

        image
        The segment 192.168.0.0/24 has no designated router because it is a p2p network type.

      2. Four things determine 'Air Time Efficiency'
        1. Data rate (Modulation density) or QAM
        2. Number of spatial streams and spatial reuse
        3. Channel bandwidth
        4. Protocol overhead
        www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKEWN-3010.pdf

      3. Refer to the exhibit:

        image
        A network engineer configures a new GRE tunnel and enters the show run command. The output verifies that the tunnel destination will be known via the tunnel interface.

      4. AP monitor mode allows an engineer to scan configured channels for rogue access points.

      5. Refer to the exhibit:

        image
        > Frame 24: 138 bytes on wire (1104 bits), 138 bytes captured (1104 bits) on interface 0
        > Ethernet II, Src: 50:00:00:01:00:01 (50:00:00:01:00:01), Dst: 50:00:00:02:00:01 (50:00:00:02:00:01)
        > Internet Protocol Version 4, Src: 209.165.202.130, Dst: 209.165.202.134
        > Generic Routing Encapsulation (IP)
        > Internet Protocol Version 4, Src: 10.111.111.1, Dst: 10.111.111.2
        > Internet Control Message Protocol
        A GRE tunnel has been created between HQ and BR routers. 10.111.111.1 is the tunnel IP on the HQ router.
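        A decoder for the capture above, as an added example that is not part of the notes: it peels Ethernet, the outer IPv4 header, the GRE header and the inner IPv4 header, which is how the tunnel endpoints (outer addresses) and the tunnel interface addresses (inner addresses) are told apart. The frame bytes are constructed to match the Wireshark summary (138 bytes, ICMP inside); the ICMP checksum is left zero.

```python
"""Decoder for the GRE-over-IPv4 frame shown in the exhibit above. Added
example, not part of the notes. The frame bytes are constructed here to
match the Wireshark summary (138 bytes, outer 209.165.202.130 -> .134, inner
10.111.111.1 -> .2, ICMP inside); the ICMP checksum is left zero."""
import socket
import struct
from typing import Dict, Tuple

ETH_P_IP = 0x0800
PROTO_ICMP, PROTO_GRE = 1, 47


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words; 0 when verifying a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_frame() -> bytes:
    """Constructed sample frame matching the exhibit: 14 + 20 + 4 + 20 + 80 = 138 bytes."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"\x00" * 72   # echo request
    inner = ipv4_header("10.111.111.1", "10.111.111.2", PROTO_ICMP, len(icmp)) + icmp
    gre = struct.pack("!HH", 0, ETH_P_IP)     # no C/K/S flags, version 0, payload IPv4
    outer = ipv4_header("209.165.202.130", "209.165.202.134", PROTO_GRE, len(gre) + len(inner))
    eth = (bytes.fromhex("500000020001")      # destination MAC first
           + bytes.fromhex("500000010001")    # then source MAC
           + struct.pack("!H", ETH_P_IP))
    return eth + outer + gre + inner


def parse_ipv4(data: bytes) -> Tuple[Dict, bytes]:
    ihl = (data[0] & 0x0F) * 4
    if ipv4_checksum(data[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    hdr = {"src": socket.inet_ntoa(data[12:16]), "dst": socket.inet_ntoa(data[16:20]),
           "proto": data[9]}
    return hdr, data[ihl:]


def parse_gre(data: bytes) -> Tuple[Dict, bytes]:
    """RFC 2784/2890 header: 2 bytes of flags/version, 2 bytes protocol, optional fields."""
    flags, proto = struct.unpack("!HH", data[:4])
    length = 4
    if flags & 0x8000:
        length += 4   # checksum + reserved1
    if flags & 0x2000:
        length += 4   # key
    if flags & 0x1000:
        length += 4   # sequence number
    return {"proto": proto, "version": flags & 0x7}, data[length:]


def decode(frame: bytes) -> Dict:
    """Peel Ethernet, outer IPv4, GRE and inner IPv4; report both address pairs."""
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        raise ValueError("not an IPv4 frame")
    outer, rest = parse_ipv4(frame[14:])
    if outer["proto"] != PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    gre, rest = parse_gre(rest)
    if gre["proto"] != ETH_P_IP:
        raise ValueError("GRE payload is not IPv4")
    inner, rest = parse_ipv4(rest)
    icmp_type = rest[0] if inner["proto"] == PROTO_ICMP else None
    return {"length": len(frame), "eth_src": mac_str(src), "eth_dst": mac_str(dst),
            "outer": outer, "inner": inner, "icmp_type": icmp_type}


if __name__ == "__main__":
    d = decode(build_frame())
    print("tunnel endpoints:", d["outer"]["src"], "->", d["outer"]["dst"])
    print("tunnel interfaces:", d["inner"]["src"], "->", d["inner"]["dst"])
```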

      6. In Cisco SD-WAN, BFD protocol is used to measure link quality.

      7. The function of the LISP map resolver is to decapsulate map-request messages from ITRs and forward them to the MS.

      8. VxLAN uses a VNI to provide segmentation for Layer 2 and Layer 3 traffic.

      9. In a Cisco SD-WAN deployment, the data policy is the set of statements that defines how data is forwarded based on IP packet information and specific VPNs.

      10. EIGRP:
        • can automatically summarize networks at the boundary
        • supports equal or unequal path cost
        OSPF:
        • requires manual configuration of network summarization
        • supports only equal path cost
        • supports virtual links
        study-ccna.com/ospf-summarization

      11. Cisco DNA Center uses intent-based APIs to enable the delivery of applications through a network and to yield analytics for innovation.
        The Cisco DNA Center open platform for intent-based networking provides 360-degree extensibility across multiple components, including: Intent-based APIs leverage the controller to enable business and IT applications to deliver intent to the network and to reap network analytics and insights for IT and business innovation. These enable APIs that allow Cisco DNA Center to receive input from a variety of sources, both internal to IT and from line-of-business applications, related to application policy, provisioning, software image management, and assurance.
        www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-dna-cent-plat-sol-over-cte-en.html

      12. Refer to the exhibit:

        image
        The configuration change that ensures R1 is the active gateway whenever it is in a functional state for the 172.30.110.0/24 network:
        R1: standby 1 preempt
        R2: standby 1 priority 90
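        How preempt decides who is active after a failure, as an added example that is not part of the notes. It plays out both the R1/R2 group 20 configuration earlier in this section (priorities 120/110, no preempt, so R2 keeps the active role when R1 returns) and the 'standby 1 preempt' / 'priority 90' change in item 12 above. Interface addresses in the second scenario are constructed; hello/hold timers and the standby role are not modelled.

```python
"""HSRP active-router election with and without preempt. Added example, not
from the notes; it plays out the R1/R2 group 20 case (priorities 120/110, no
preempt) and the 'standby 1 preempt' / 'priority 90' change from item 12.
Hello/hold timers and the standby role are not modelled."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class HsrpRouter:
    name: str
    ip: str                 # interface address, tie-breaker when priorities are equal
    priority: int = 100     # IOS default
    preempt: bool = False   # IOS default: a returning higher-priority router does not take over
    up: bool = True


def ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(o) for o in ip.split("."))


def best_candidate(routers: List[HsrpRouter]) -> Optional[HsrpRouter]:
    """Highest priority wins; equal priorities are broken by the highest interface IP."""
    live = [r for r in routers if r.up]
    return max(live, key=lambda r: (r.priority, ip_key(r.ip))) if live else None


class HsrpGroup:
    def __init__(self, group: int, routers: List[HsrpRouter]):
        self.group = group
        self.routers = routers
        self.active = best_candidate(routers)   # initial election, all routers start together

    def event(self, name: str, up: bool) -> Optional[HsrpRouter]:
        """Apply an interface up/down event and re-run the election rules."""
        router = next(r for r in self.routers if r.name == name)
        router.up = up
        if self.active is None or not self.active.up:
            # active router lost (hold timer expires): a new election among live routers
            self.active = best_candidate(self.routers)
            return self.active
        challenger = best_candidate(self.routers)
        # a better router displaces a healthy active router only if configured to preempt
        if challenger is not self.active and challenger.preempt:
            self.active = challenger
        return self.active


def run_scenario(routers: List[HsrpRouter], events: List[Tuple[str, bool]],
                 group: int = 1) -> List[Optional[str]]:
    """Return the active router name at start and after each (router, up) event."""
    hsrp = HsrpGroup(group, routers)
    names = [hsrp.active.name if hsrp.active else None]
    for name, up in events:
        active = hsrp.event(name, up)
        names.append(active.name if active else None)
    return names


if __name__ == "__main__":
    # group 20 from the notes: R1 120, R2 110, neither preempts
    r1 = HsrpRouter("R1", "192.168.250.2", priority=120)
    r2 = HsrpRouter("R2", "192.168.250.3", priority=110)
    print(run_scenario([r1, r2], [("R1", False), ("R1", True)], group=20))
```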

      13. VxLAN technology is used as the basis for the Cisco SD-Access data plane.

      14. YANG structures data in an object-oriented fashion to promote model reuse.

      15. show netconf | section rpc-reply command is required to verify NETCONF capability reply messages.

      16. NTP Stratum level 1 is a server that is connected directly to an authoritative time source.

      17. When configuring WPA2 Enterprise on a WLAN, the RADIUS server security component configuration is required.

      18. In an SD-WAN deployment, the vSmart controller is responsible for distributing the policies that govern data forwarding performed within the SD-WAN fabric.

      19. The benefits of virtual switching when compared to hardware switching are VM-level isolation and increased flexibility.

      20. Reduce AP transmit power and Increase minimum mandatory data rate are used to reduce the AP coverage area.
      B-)

      • https://www.python.org/ftp/python/3.8.0/python-3.8.0-amd64.exe
      • c:\Python\Python38>python
        Python 3.8.0 (tags/v3.8.0:fa919fd, Oct 14 2019, 19:37:50) [MSC v.1916 64 bit (AMD64)] on win32
      • >>> print("Hello World")
        Hello World
      • >>> #This is a comment
        ...
      • >>> my_devices = "router switch accesspoint"
      • >>> print(my_devices)
        router switch accesspoint
      • >>> devices = my_devices.split()
      • >>> print(devices)
        ['router', 'switch', 'accesspoint']
      • >>> ipaddr = "10.1.10.1"
      • >>> print(ipaddr)
        10.1.10.1
      • >>> type(ipaddr)
        <class 'str'>
      • >>> ipaddr2 = 10
      • >>> type(ipaddr2)
        <class 'int'>
      • >>> ipaddr2 = "10"
      • >>> type(ipaddr2)
        <class 'str'>
      • >>> string = "my" + " " + "string"
      • >>> print(string)
        my string
      • >>> hostname = "nxos1"
      • >>> print(hostname)
        nxos1
      • >>> hostname.upper()
        'NXOS1'
      • >>> macaddr = "11:22:33:44:55:66"
      • >>> macaddr.replace(":","-")
        '11-22-33-44-55-66'
      • >>> ipaddr =  "10.1.{}.1"
      • >>> ipaddr.format("200")
        '10.1.200.1'
      • >>> ipaddr = "10.4.8.1"
      • >>> iplist = ipaddr.split(".")
      • >>> print(iplist)
        ['10', '4', '8', '1']
      • >>> print(iplist[0])
        10
      • >>> print(iplist[1])
        4

      image


      1. Extended IP access list EGRESS
          10 permit ip 10.1.100.0 0.0.0.255 10.1.2.0 0.0.0.255
          20 deny ip any any
        An engineer must modify the access control list EGRESS to allow all IP traffic from subnet 10.1.10.0/24 to 10.1.2.0/24. The access control list is applied in the outbound direction on router interface GigabitEthernet 0/1. The configuration commands the engineer can use to allow this traffic without disrupting existing traffic flows are:
        config t
        ip access-list extended EGRESS
          5 permit ip 10.1.10.0 0.0.0.255 10.1.2.0 0.0.0.255
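        Why inserting the entry at sequence 5 works without touching existing flows, as an added example that is not part of the notes: a small sequence-numbered extended ACL evaluator that also handles the 'ip access-list extended 100' entries earlier in this section (host, any, wildcard masks, 'eq port' and the implicit deny at the end). It is not IOS code, only a model of first-match evaluation.

```python
"""Sequence-numbered extended ACL evaluation. Added example, not from the
notes; it covers the EGRESS change above and the 'ip access-list extended
100' entries earlier in this section. Supports ip/tcp/udp, 'host', 'any',
wildcard masks and 'eq <port>'; the implicit deny at the end is modelled."""
import ipaddress
from typing import Dict, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def parse_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume one address spec; return (network, wildcard) as integers."""
    t = tokens.pop(0)
    if t == "any":
        return 0, MASK32
    if t == "host":
        return to_int(tokens.pop(0)), 0
    return to_int(t), to_int(tokens.pop(0))


def parse_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq <port>' that follows an address spec."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_entry(line: str) -> Dict:
    tokens = line.split()
    seq, action, proto = int(tokens.pop(0)), tokens.pop(0), tokens.pop(0)
    src = parse_addr(tokens)
    sport = parse_port(tokens)
    dst = parse_addr(tokens)
    dport = parse_port(tokens)
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def matches(addr: int, spec: Tuple[int, int]) -> bool:
    net, wild = spec
    # bits set in the wildcard are 'don't care'; all other bits must equal the network
    return (addr ^ net) & (~wild & MASK32) == 0


class Acl:
    def __init__(self, name: str):
        self.name = name
        self.entries: List[Dict] = []

    def add(self, line: str) -> None:
        """Insert an ACE by sequence number; IOS rejects a duplicate sequence number."""
        entry = parse_entry(line)
        if any(e["seq"] == entry["seq"] for e in self.entries):
            raise ValueError(f"sequence {entry['seq']} already used in {self.name}")
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e["seq"])

    def evaluate(self, proto: str, src: str, dst: str,
                 sport: Optional[int] = None, dport: Optional[int] = None):
        """First matching ACE wins; returns (action, seq), or ('deny', None) for the implicit deny."""
        s, d = to_int(src), to_int(dst)
        for e in self.entries:
            if e["proto"] != "ip" and e["proto"] != proto:
                continue
            if not matches(s, e["src"]) or not matches(d, e["dst"]):
                continue
            if e["sport"] is not None and e["sport"] != sport:
                continue
            if e["dport"] is not None and e["dport"] != dport:
                continue
            return e["action"], e["seq"]
        return "deny", None


if __name__ == "__main__":
    egress = Acl("EGRESS")
    egress.add("10 permit ip 10.1.100.0 0.0.0.255 10.1.2.0 0.0.0.255")
    egress.add("20 deny ip any any")
    print("before:", egress.evaluate("tcp", "10.1.10.5", "10.1.2.10", dport=443))
    egress.add("5 permit ip 10.1.10.0 0.0.0.255 10.1.2.0 0.0.0.255")
    print("after: ", egress.evaluate("tcp", "10.1.10.5", "10.1.2.10", dport=443))
```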

      2. MSDP is used to interconnect multiple PIM-SM domains; it depends on BGP or multiprotocol BGP for interdomain operation.

      3. The access point is part of the fabric overlay in Cisco SD-Access wireless network deployments.

      4. Providing intrusion prevention is a characteristic of a next-generation firewall.

      5. Refer to the exhibit:

        image

        A network engineer troubleshoots an issue with the port channel between SW1 and SW2. SW(config-if)# channel-group 10 mode active command resolves the issue.

      6. Refer to the exhibit:

        image

        External users require HTTP connectivity to an internal company web server that is listening on TCP port 8080. The command set that accomplishes this requirement is:
        interface G0/0
          ip address 209.165.200.225 255.255.255.224
          ip nat outside
        !
        interface G0/1
          ip address 10.1.1.1 255.255.255.0
          ip nat inside
        !
        ip nat inside source static tcp 10.1.1.100 8080 interface G0/0 80
      B-)