CCNP Enterprise
  • CCNP คือ Cisco Certified Network Professional เป็นระดับของ มืออาชีพ ที่มีความสามารถพอสมควรในการสนับสนุน ติดตั้ง รวมถึงการแก้ปัญหาต่างๆ ด้าน Routing และ Switching ที่ใช้ใน Network ทั่วไป
    ต้องสอบ 2 วิชา วิชาหลัก และวิชาเลือก ไม่ต้องมี CCNA ก็สอบได้ถ้าเก๋าพอ ซึ่งถ้าสอบในระดับ Professional หรือ Specialist จะเป็นการ Recertificate ในระดับ Associate ไปในตัว ดังนั้นรายวิชา CCNP แต่ละตัว ไม่ควรทิ้งให้นานเกินไป เพราะเทคโนโลยีมันพัฒนาไปเรื่อยๆ มันจะมีเรื่องใหม่ๆ มาให้เราศึกษาเรื่อยๆ แล้วก็เราไม่มีทางรู้ว่า Cisco จะประกาศยกเลิกข้อสอบแต่ละตัวเมื่อไหร่ (ยกตัวอย่างวิชา ROUTE กับ SWITCH ในระดับ CCNP ที่ยกเลิกไปแล้ว)

    • เจาะเนื้อหาและหัวข้อ CCNA ใหม่ และ CCNP Enterprise:
      www.youtube.com/watch?v=ucgSn8fJBUU

    • Free CCNP 350-401 ENCOR Complete Course
      www.youtube.com/playlist?list=PLAqaqJU4wzYVS_QYH1_LEh5VLDu-Oaiwy

      www.youtube.com/playlist?list=PLhfrWIlLOoKPM3poHlHLpw-b6cigthng2

    • CCNP Enterprise -350-401-ENCOR- Cisco Core Technologies
      www.udemy.com/course/ccnp-enterprise-300-401-implementing-cisco-enterprise-core

    • อธิบายการทำงาน และ การตั้งค่า Ether-channel:
      www.youtube.com/watch?v=waA-kTBevQ4

    • [CCNP ENCOR] Basic BGP and Configuration:
      www.youtube.com/watch?v=y6YtCyMBhKY

    • [CCNP ENCOR] Introducing to Multiple Spanning-Tree (MSTP):
      www.youtube.com/watch?v=TxSLRuQP2bY

    • Introducing to Cisco DNA Center:
      www.youtube.com/watch?v=XaZZgOKPnG0

    • Describe SD-Access from Cisco CCNP Enterprise ENCOR (350-401):
      www.youtube.com/watch?v=k7_0On3pcY4

    • CCNP Cisco Networking Academy Version v5.0:
      forum.siamnetworker.com/?topic=294

    • ประสบการณ์การเตรียมตัวสอบ CCNP:
      zone-network.blogspot.com/2014/06/ccnp.html

    CCNP ROUTE 642-902
    CCNP SWITCH 642-813

    Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401:
    • Starting from February 24th - 2020
    • Exam Cost: 400$
    • Exam Center: Pearson Vue
    • NO Prerequisites
    • Acquired Badges: Cisco Certified Specialist - Enterprise Core
    • Enrollment: Cisco CCNP Enterprise & Cisco CCIE Enterprise Infrastructure
    • Recertify CCNA 200-301 & CCNP
    • Expires: 3 years

    • CCNP Enterprise: ENCOR + Concentration Exam:

    image

    Architecture:

    Enterprise Networks Design Principles:
    • Tier 2, Tier 3, and Fabric Capacity Planning
      • Simplify Scaling & Troubleshooting
      • Depends on network size, and future growing
    B-)
  • 11 Comments sorted by

    • Tier 2 will be for Small/Mid networks:
      • One building network
      • Only 2 Tiers (Access and Aggregation)
      • Access:
        • The first layer facies/authenticates endpoint devices
        • Connects the endpoint to their gateways (aggregation)
      • Aggregation:
        • Aggregates/Communicates all the access layers
        • Runs both Layer2 and Layer3 Techs. and Protocols
        • Run in pair-devices mode/SSO

    • Tier 3 for Mid/Large Enterprises:
      • Multiple Buildings
      • More East-West traffic
      • Future scaling (Horizontally)
      • 3 Tiers (Access, Distribution, and CORE)
      • Core:
        • Aggregate multiple networks
        • High speed/convergence
        • Runs in pair-devices mode
        • Runs at Layer 3
        • Connects to the WAN/Internet
        • Connects to servers and other Data Centers

    High Availability:

    • First Hop Redundancy Protocols:
      • HSRP, VRRP, and GLBP
      • Runs at the Distribution layer
      • Provides a GW for endpoints
      • Needed when the Access layer is using a Layer2 techs!

    • Hot-Standby Redundancy Protocol (HSRP):
      • Cisco Only
      • 2 Gateways
      • No Load-Balancing

    • Virtual-Router Redundancy Protocol (VRRP):
      • Open Standard
      • 2 Gateways
      • No Load-Balancing

    • Gateway Load-Balancing Protocol (GLBP):
      • Cisco Only
      • 4 Gateways
      • Load-Balancing

    • Stateful SwitchOver (SSO):
      • Switches with more than 1 CPU
      • when 1 CPU fails, the other continuous (stateful)
      • best at Distribution layer

    • Virtual Switching System (VSS):
      • A clustering technique
      • Combines multiple switches
      • Act as one switch
      • At the distribution layer
      • No FHRP will be needed then
      • May also hear 'Stackwise'

    Design Network Campus อย่างมืออาชีพ ต้องทำอะไรบ้าง?:
    www.youtube.com/watch?v=JU1gdz0VZjo

    www.youtube.com/watch?v=QahRhXoZPzE

    On-Premise vs Cloud Infrastructure Deployments:
    • On-Premise: everything is in the office, Company, Data Center
    • Cloud-Based: everything is at the Cloud Company

    Software-Defined - Wide Area Networks:
    • What is SDN?:
      • where have a 'software' that runs network
      • so, through a 'software' be able to run and administrate
        An entire network, with its different types of devices
      • that will need either a 'Controller'!!
        Or, a built-in scripting (Cisco TCL, or Python)
      • SD-WAN is applying SDN to WAN part of the network!
        • the part that connects multiple networks through the Internet
        • will administer the WAN by a software
        • also contains multiple layers to achieve this approach:
          • Application
          • Controller
          • Infrastructure

    SD-WAN Planes:
    • Generally, the SD-WAN solution consist of 4 planes (orchestration, management, control, and data plane)

    • The control plane:
      • builds/maintains the network topology
      • makes decision on where traffic flows
      Cisco vSmart:
      • Handles all the Overlay-network routing
      • Facilitates the DP encryption between vEdges
      • Propagates the policies for handling DP traffic

    • The data plane:
      • responsible for forwarding packets
      • based on decisions from the control plane
      Physical/Virtual:
      • WAN edge router
      • Provides secure data plane with remote vEdge routers
      • Implements data plane and application aware routing policies

    Traditional WAN vs SD-WAN solutions:

    Traditional WAN:
    • Each network device has its own control plane
    • Configuring, modifying, upgrading, and Monitoring is done 'Box-by-Box'
    • Automation is more difficult
    • New Installation requires 'from scratch' efforts

    SD-WAN:
    • Centralized Management
    • Through a 'software' be able to run and administrate an entire network
    • Automation is easy (API)
    • New devices automatically finds an initial configuration/Zero Touch Provisioning (ZTP)

    Software-Defined Access:
    • is it really that much of different technologies!
    • SD-Access is simply:
      • applying SDN solution to access network
      • when SDN controls an automates a simple campus network
    • And thus, there will be a controller (ex: Cisco DNA Center, Cisco APIC-EM)

    SDN Implementation and Effect upon planes:

    • Imperative Approach:
      • the control plane logic resides completely in the controller
      • the controller has a complete control over programing the forwarding decisions of the networking devices
      • devices then will ask the controllers before any forwarding or routing action

    • Declarative Approach:
      • the control plane resides within the network device (just like before)
      • the controller will declare the requirements of the all the Forwarding/routing decisions to the networking devices
      • the network devices will then decide how to translate the Controller instructions into actions

    • How will the Access look like:

      image

    What is SD-WAN?:
    www.youtube.com/watch?v=YaxTiTYgpj4

    Cisco SD-WAN - Introducing to Cisco SD-WAN:
    www.youtube.com/watch?v=PNJhDLh9WFI

    image
    www.youtube.com/watch?v=0Q_Px1FzlZ4

    1. The RIB is used to create network topologies and routing tables. RIB is derived from the control plane. The FIB is a list of routes to particular network destinations.

      image

    2. Extended IP access list EGRESS
        10 permit ip 10.0.0.0 0.0.0.255 any
      !
      interface GigabitEthernet0/0
        ip address 209.165.200.225 255.255.255.0
        ip access-group EGRESS out
        duplex auto
        speed auto
        media-type rj45
      !
      An engineer must block all traffic from a router to its directly connected subnet 209.165.200.0/24. The engineer applies access control list EGRESS in the outbound direction on the GigabitEthernet0/0 interface of the router. However, the router can still ping hosts on the 209.165.200.0/24 subnet. Because Access control lists that are applied outbound to a router interface do not affect traffic that is sourced from the router.

    3. Excess jitter and bandwidth-related packet loss network problems Indicate a need to implement QoS in a campus network.
    B-)

  • Quality of Service (QoS):

    • if traffic was more than bandwidth!
    • if congestion WILL happen, can some traffic be more preferred than another?
    • Generally, UDP will be preferred over TCP (TCP will automatically do A re-transmission)
    • QoS Tools that will do the specific desired 'Preferring'. (Classification & Marking, Policing, Shaping, Queuing, and Scheduling)

    • Classification & Marking:
      • for the Ingress traffic/interface
      • Classification first, please classify this type of traffic, like: 'UDP=High, Mail=Low'
      • Then, Marking, 'Marks' the classified traffics to identify them uniquely in the network
      Classification usually happens by matching port numbers:
      • if further recognizing is needed
      • Network-Based Application Recognition (NBAR)
      • recognized, identifies, and classifies a traffic
      • based on multiple variety of things
      • Word, Phrase, URL!!

    • Policing & Shaping:
      • The Provider - Client Relation

    • Policing:
      • From the Provider side
      • Drop the exceeding ingress (Coming) traffic
      • or mark-down that traffic, to be dropped later in the network

    • Shaping:
      • From the Client side
      • To avoid misunderstanding, or unwanted behavior with the provide
      • Queues the excess egress (Outgoing) traffic in the 'Egress Queue'
      • This is called 'Queuing'

    • Queuing:
      • Dividing the Egress Queue, to multiple sub-queues
      • Each, is differentiated by 'Priority'
      • To deal with classified packets

    • Scheduling:
      • How to empty the sub-queues, by which criteria

    • Congestion Management:
      • Tools for Queuing and Scheduling
      • Emptying the Queued traffic in the egress queue
      • Weighted Fair Queuing (WFQ), Class-Based Weighted Fair Queuing (CBWFQ), Priority Queuing (PQ), Low-Latency Queuing (LLQ), Weighted Round Robin (WRR), Shaped Round Robin (SRR), Shaping

    • Congestion Avoidance:
      • Tools to avoid congestion
      • Before even happening
      • At the ingress interface/s (receiving queue)
      • Random Early Detection (RED), Weighted Random Early Detection (WRED), Weighted Tail Drop (WTD), Policing

    • QoS Application in a Network:
      • Integrated Services:
        • unified settings all the way
        • uses The Resource Reservation Protocol (RSVP)
      • Differentiated Services:
        • each hop has its unique settings
        • uses 'Per-Hop Behavior' (PHB)

    QoS Policies:

    • Modular QoS Command-line (MQC)
      • applying the QoS tools globally
      • multiple tools will be available for multiple ports/uses
      • requires 3 components to operate
        • Class-Maps
        • Policy-Maps
        • Service-Policies

    • Class-Maps:
      • create a list, that identifies/matches some characteristics of a traffic
      • classify those 'matched' traffic
      • to provoke this list to operate, will need a 'Policy-Map'

    • Policy-Maps:
      • MATCH a Class-Map
      • to apply a specific action to its traffic (queue it, shape it, police it...)
      • the same Class-Map can be matched multiple time on multiple interfaces
      • each time, a different 'action' will be taken!
      • to apply a 'Policy-Map' to an interface/s
      • will need a 'Service-Policy'

    • Service-Policy:
      • apply a 'Policy-Map' to an interface
      • either 'INBOUND' or 'OUTBOUND'

    Switching Mechanisms:

    Device Processing vs Cisco Express Forwarding (CEF):

    • Process:
      • processing the incoming ingress traffic
      • to switch it, to the desired egress outgoing interface
      • done by the CPU
      • even if the CPU is very busy
      • known as 'IP Input'

    • CEF:
      • establish an area to store pre-defined decisions, as a reference
      • that area = Cache Area
      • will be automatically done whenever a new protocol is enabled
      • creates FIB & Adjacency Table
      • not exactly every thing is CEF switched (a first time ARP, CDP, Encryption)

    FIB vs. RIB:

    • Forwarding Information Base (FIB):
      • extracted from the 'RIB'
        • Routing Information Base
        • The Routing Table
      • it is the Routing Table of the CEF
      • always syncs with the RIB (Routing Table)
      • less details
        *some operations are handled by the Adjacency Table
        • for L2 info (ARP, VLAN, MAC)

    CAM (MAC Table) vs. TCAM:

    • Content Addressable Memory (CAM):
      • a random memory
      • stores MAC Addresses
      • used for lookups (by the forwarding engine)
      • MACs are represented as 'MAC Table'

    • Ternary Content Addressable Memory (TCAM):
      • also, a random memory
      • stores IP Addresses and subnet masks
      • used for Longest match lookups
      • Addresses and masks are represented as 'Routing Table'

    Virtualization:

    Device Virtualization:
    • Just Networks, BUT in Virtualized Environment
    • Multiple Devices inside One
    • Ease of Management

    • The Hypervisor: The new Mediator between SW/HW
    • Load the Hypervisor on the Physical HW, after that install OS on the Hypervisor
    • Now the Hypervisor = Host, and the OS = Virtual Machines = Guest

    • Hypervisors:
      • Schedules the VMs requests to the HW
      • Distributes the HW resources between the VMs

    • Hypervisors Types:
      • Type1:
        • The Native or Bare Metal
        • Runs directly on the HW resources
        • HW --- Hypervisor --- VM
        • Citrix XEN, Oracle VM, Microsoft Hyper-V, VMware ESX/ESXi
      • Type2:
        • Hosted
        • Runs as a SW besides the OS
        • HW --- OS --- hypervisor
        • VMware Workstation, Virtual Box

    • How to connect all these?
    • Virtual Switches:
      • Connects all VMs Together like a Real Switch
      • Assigns a Virtual Network Interface Card (V.NIC) for each VM
      • Exists by default in Hypervisors Type1
      • After Creating a V.Switch & V.NIC, all VMs will automatically get connected together
      *also, can create Port Group for Complete Isolating (like VLANs)
      *there is another V.NIC for each VM (for Internet)
    • Examples:
      • Microsoft Hyper-V
      • ESXi VSwitch

    1. YANG structures data in an object-oriented fashion to promote model reuse.

    2. In a Cisco SD-Access solution, the Identity Services Engine (ISE) is leveraged for dynamic endpoint to group mapping and policy definition.

    3. OSPF:
      • link state routing protocol
      • makes it easy to segment the network logically
      • constructs three tables as part of its operation: neighbor table, topology table, and routing table
      EIGRP:
      • distance vector routing protocol
      • supports unequal path load balancing
      • metric is based on delay and bandwidth by default
    B-)


  • Data Path Virtualization:

    Virtual Routing & Forwarding (VRF):
    • For Service Providers
    • With multiple clients
    • isolate each client in a 'Routing Table'
    • for duplicated addresses
    • requires ISP's network
      • MPLS, VPN, L3VPN, BGP

    • BUT, for Enterprises:
      • VRF-Lite > Lab 1: www.youtube.com/watch?v=338nrzH_MvU
      • No Extra VPN protocols
      • classic routing protocols can be used

    Generic Route Encapsulation (GRE): Lab 2: www.youtube.com/watch?v=33dkYlp-H18
    • Virtually create a P2P path
    • Virtually isolate some traffic in a path
    • Across multiple hops
    • Data will be 'Encapsulated' at L3
    • Source and Destination ports should be specified
    • Virtual ports will be created on Tunnel ends

    image
    Internet Protocol Security (IPSec): Lab 3: www.youtube.com/watch?v=HUvWbd0dflE
    • packets travels unsecured
    • any sniffer, analyzer, can read data!
    • IPSec is a bunch of tools:
      • pick the set like to secure data
      • Confidentiality: Encrypt the data all the way
      • Data Integrity: Guarantees delivering original data
      • Authentication: only the trusted ends can communicate
      • Anti-Replay: only regenerated or duplicated packets

    • To provide and establish all the CIA and R:
      • Security Associations (SA) will be exchanged between the peers
      • things like (tools, algorithms, protocols, and keys) will be discussed

    • Security Associations Parameters:
      • hashing: redistributing data by using an algorithm (MD5, SHA)
      • encryption: locking data by using a 2-way algorithm
      • shared passwords
      • all of the above is either statically configured, or dynamically (IKE)

    • Static means that every parameter is defined manually

    • Dynamic (Internet Key Exchange, IKE):
      • a group of SA's
      • end tunnels will negotiate their accepted SA's
      • IKE has versions 1 and 2
      • IKEv1 creates 2 Tunnels (in 2 phases):
        • Phase1: establish an authenticated tunnel, it requires:
          • authentication (PSK (requires Password) or PKI)
          • encryption (DES, 3DES, or AES)
          • hash (SHA or MD5)
          • DH group
          • lifetime (optional)
        • Phase2: negotiates SA's between end points
          • (Destination, Data, and Transport Method)

    Network Virtualization:

    • Locator/ID Separation Protocol (LISP):
      • also, a tunneling protocol (like GRE)
      • establish a tunnel between edge routers and the WAN
      • separates location from identity:
        • identity: IP Address of the host (Endpoint ID, EID)
        • location: IP Address of the host's GW (Routing Locator, RLOC)
          RLOC = the address facing the WAN
      • useful in the case of:
        • load sharing with the provider (multi-homed)
        • tunneling IPv6 over IPv4 infrastructure
        • other VPN uses
      • there are 2 required devices to perform the separation and the mapping (map this EID to that RLOC)
        • a map server (MS), and a map resolver (MR)
        • can be combined in a single device

      • CCNP-CCIE Enterprise : Overview of LISP:
        www.youtube.com/watch?v=k_gsBGkF624

      • [CCNP ENCOR] มาทำความรู้จัก และเข้าใจการทำงานเบื้องต้นของ Cisco LISP กัน:
        www.youtube.com/watch?v=ixHWZj2qnGo

    • Virtual Extensible Local Area Network (VxLAN):
      • a tunneling protocol
      • for data centers
      • replaces VLAN as it gives 2^24 = 16,777,216 VLANs
      • transport L2 over L3
      • extends L2 connectivity over L3 infrastructure
      • supports ECMP over CLOS (spine and leaf)
      • requires L2GW and L3GW
      • can use the same VxLAN number on multiple sites
      • thus, the same broadcast domain will be stretched between sites

    Infrastructure:

    Layer 2 Infrastructure Technologies:

    Static and Dynamic 802.1q trunking protocols: Lab 4: www.youtube.com/watch?v=OuvChBZDdOE
    • Static is to configure every port as either:
      • Auto (default): waiting for the other side to negotiate
      • Desirable: starts negotiating trunking
    • Dynamic (enabled by default):
      • only requires one side to enable trunking
      • negotiations will dynamically
      • negotiations can be 'Disabled'

    Static and Dynamic EtherChannels: Lab 5: www.youtube.com/watch?v=qre-Lc-qEcM
    • EtherChannels are supported on Cisco Switches
    • supporting both LACP and PAgP negotiations protocols
    • those are the static negotiation etherchannel protocols
    • LACP uses:
      • Active: initiates bundling negotiations
      • Passive: waits for other side to initiate
    • PAgP uses:
      • Desirable: initiates bundling negotiations
      • Auto: waits for other side to initiate
    • Dynamic:
      • Mode ON: no negotiations, direct bundling (mostly L3)

    1. When using Transport Layer Security (TLS) for syslog, 'logging host 10.2.3.4 vrf mgmt transport tcp port 6514' configuration allows for secure and reliable transportation of messages to its default port.

    2. The TOS field in the Layer 3 header is used to perform QoS packet classification.

      image

    3. At Northbound APIs Layer, Cisco DNA Center support REST controls.

      image
    4. How to configure eBGP (external BGP):

      image
      R1(config)# router bgp 1
      R1(config-router)# neighbor 192.168.12.2 remote-as 2
      R1(config-router)# network 1.1.1.0 mask 255.255.255.0

      R2(config)# router bgp 2
      R2(config-router)# neighbor 192.168.12.1 remote-as 1
      R2(config-router)# network 2.2.2.0 mask 255.255.255.0

    5. DHCP option 43 helps lightweight APs find the IP address of a wireless LAN controller.

    6. Wireless controller is radio resource management performed in a cisco SD-access wireless solution.
      Fabric wireless controllers manage and control the fabric-mode APs using the same general model as the traditional local-mode controllers which offers the same operational advantages such as mobility control and radio resource management. A significant difference is that client traffic from wireless endpoints is not tunnelled from the APs to the wireless controller. Instead, communication from wireless clients is encapsulated in VxLAN by the fabric APs which build a tunnel to their first-hop fabric edge node. Wireless traffic it tunneled to the edge nodes as the edge nodes provide fabric services such as the Layer 3 Anycast Gateway, policy, and traffic enforcement.
    B-)

  • Common Spanning Tree Protocols (STP): Lab 6: www.youtube.com/watch?v=g3UlDOX0ePA
    • Need redundancy, but there will be a broadcast message!
    • What will happen?
    • Then how can prevent what is called a 'LOOP',
      AKA 'Broadcast Storm'?
    • STP requires election to be performed first
    • The Winner must be: 1-Lowest Priority, 2-Lowest MAC Address
    • After that port roles and states will happen:
      • Designated Port: Forwarding state
      • Root Port: Forwarding State
      • Alternative / Non-designated Port: Blocking State
    • The entire process of election takes (30 - 50) Seconds
      Max Age = 20 + (Forwarding Delay = 15) + (Learning Delay = 15) = 50 Seconds

    image

    • In order to speed things up:
      • Rapid STP: NO Listening, NO Blocking,
        only (Discard, Forwarding, Learning)
      • Then delay will become = 3 + 3 = 6 Seconds
      • What is the BIG benefit of Redundancy then!! If STP is blocking ports:
        • There will be a Per-VLAN STP (PVST)
        • Each VLAN can have an ELECTION!!
        • Each VLAN will have its own root!
        • Things are much better now
        • Specially that there is a RPVST+ (faster)!
      • RPVST+ can be further simplified by using MST:
        Lab 7: www.youtube.com/watch?v=cCJqM6ESfNQ
        • Instances (Groups) that requires domain names/revision numbers
        • each instance will have its own Tree

    Layer 3 Infrastructure Technologies:

    Enhanced Interior Gateway Routing Protocol (EIGRP):
    • A Hybrid Protocol
    • classified as a 'Distance Vector (D.V.)' protocol
    • it does combine both the D.V. and Link State (L.S.) methods of measuring the metric
    • IP Protocol = 88
    • Defusing Update ALgorithm (DUAL)
    • AD = 90
    • Metric = Result of the 5K's formula:
      [256 * ((K1*Bandwidth)] + [(K2*Bandwidth)/(256-Load)] + [K3*Delay) * (K5/(Reliability + K4)))]
    • The default 'K Values':

      image
      So = 256 x ( Bandwidth + Delay )

    • Bandwidth is per link, while Delay is cumulative

    • EIGRP will apply the formula to elect its main path
    • for redundant paths, Feasibility Condition (FC) is used:
      • the main path is the lowest metric calculated among available paths:
        • The Feasible Distance (FD)
        • Successor
      • the redundant path is the lowest 'Advertised' metric from the neighbor!:
        • The Reported/Advertised Distance (RD)
        • Feasible Successor (FS)
      • only those paths can be used for Unequal Cost Load Distribution (UCLD)
      • which requires the activation of 'variance'
    • Lab 8: EIGRP:
      www.youtube.com/watch?v=Iu1JKLhnYgk
      www.youtube.com/watch?v=wbNqF9uaAmg

    • Link State Protocol
    • Dijkstra algorithm
    • SPF algorithm for route decision
    • AD = 110
    • Metric = Cost (less = Better)
    • Process ID for multiple instances
    • Area ID for Data Base isolation

    • Link-State Advertisements: negotiation between OSPF Routers, it contains:
      • LSRequest: provide the missing Information
      • LSUpdate: reply for the LSR
      • LSAcknowledgement: reply for the LSU
    • Neighboring Process:

    image
    Database Description (DD)

    1. A company plans to implement intent-based networking in its campus infrastructure. Two-tier design facilities a migrate from a traditional campus design to a programmer fabric designer.

    2. LISP components:
      • map server: network infrastructure component that learns of EID-prefix mapping entries from an ETR
      • map resolver: accepts LISP encapsulated map requests
      • ITR: receives packets from site-facing interfaces
      • ETR: de-encapsulates LISP packets coming from outside of the LISP site to destinations inside of the site
      • proxy ETR: receives traffic from LISP sites and sends it to non-LISP sites
      • EID: IPv4 or IPv6 address of an endpoint within a LISP site

    3. Multiple virtual servers can be deployed on the same physical server without having to buy additional hardware is a benefit of a virtual machine when compared with a physical server.

    4. VxLAN characteristics:
      • It uses VTEPs to encapsulate and de-capsulate traffic frames into and out of the VxLAN fabric
      • Allows for up to 16 million VxLAN segments

    5. Cisco DNA center application Policy is responsible for group-based access control permissions.

    6. HTTPS protocol does REST API rely on to secure the communication channel.
      The REST API accepts and returns HTTP (not enabled by default) or HTTPS messages that contain JavaScript Object Notation (JSON) or eXtensible Markup Language (XML) documents. Can use any programming language to generate the messages and the JSON or XML documents that contain the API methods or Managed Object (MO) descriptions.

    7. Refer to the exhibit. An engineer must deny HTTP traffic from host A to host B while allowing all other communication between the hosts.

      image

      SW1(config)# ip access-list extended DENY-HTTP
      SW1(config-ext-nacl)# deny tcp host 10.1.1.10 host 10.1.1.20 eq www

      SW1(config)# ip access-list extended MATCH_ALL
      SW1(config-ext-nacl)# permit ip any any

      SW1(config)# vlan access-map HOST-A-B 10
      SW1(config-access-map)# match ip address DENY-HTTP
      SW1(config-access-map)# action drop

      SW1(config)# vlan access-map HOST-A-B 20
      SW1(config-access-map)# match ip address MATCH_ALL
      SW1(config-access-map)# action forward

      SW1(config)# vlan filter HOST-A-B vlan 10

    8. When using RESTCONF to write configurations on network devices, It is provided using NGINX acting as a proxy web server.

    9. Wireless client device makes the decision for a wireless client to roam.

    10. A network administrator applies the following configuration to an IOS device.
      aaa new-model
      aaa authentication login default local group tacacs+

      A local database is checked first. If that check fails, a TACACS+ server is checked.

    11. Considerations when using SSO as a network redundancy feature:
      • must be combined with NSF to support uninterrupted Layer 3 operations
      • requires synchronization between supervisors in order to guarantee continuous connectivity
      The access layer typically provides Layer 2 services, with redundant switches making up the distribution layer. The Layer 2 access layer can benefit from SSO deployed without NSF. Some Enterprises have deployed Layer 3 routing at the access layer. In that case, NSF/SSO can be used.
      Cisco IOS NonStop Forwarding (NSF) always runs with stateful switchover (SSO) and provides redundancy for Layer 3 traffic.

    12. 4,096 Quadrature Amplitude Modulation Mode new enhancement was implemented in Wi-Fi 6.

    13. The WLC send syslog level errors and greater severity messages to the syslog server.
    B-)

    • Link State Advertisements (LSA's):
      • multiple types
      • depends on the advertisement they are doing
        • LSA Type.1 (Router LSA): investigates local OSPF connections
        • LSA Type.2 (Network LSA): investigates local OSPF connections for a DR
        • LSA Type.3 (Network Summary LSA): for ABR to reach links in Areas
        • LSA Type.4 (ASBR Summary LSA): for ABR to reach ASBR's
        • LSA Type.5 (External LSA): for ASBR redistribution
        • LSA Type.7 (NSSA External LSA): for ASBR NSSA

    image
    • OSPF Neighbor Types:
    • A Neighboring router can be a P2P neighbor
      • in this case no problems
    • or can be connected through a 'SWITCH'!!
      • broadcast will happen
      • elections must take place
      • only One router should update the topology (DR)

    • a DR (Designated Router): Highest Router Priority (0-255), Def=128
      • Or Highest Router ID
        • Router ID (R.ID): 32-bit Address
      • DR needs BDR (second best of everything)

    image
    • Lab 9: OSPF (Multi-Area):
      www.youtube.com/watch?v=6WxhIillLS4
      www.youtube.com/watch?v=L50UciVV77o
    • Reference bandwidth = 100Gbps:
      • 100Gbps: OSPF Cost = 1
      •  40Gbps: Cost = 2.5
      •  25Gbps: = 4
      •  10Gbps = 10
      • Gigabit Ethernet = 100
      •  Fast Ethernet = 1,000
      •   Ethernet = 10,000
    • Lab 10: OSPF DR: www.youtube.com/watch?v=_Y4HnqauMtc

    • OSPF Summarization:
      • To make all the routers in all the Areas be able to communicate
      • LSDB's must synchronize
      • routes and advertisements must be exchanged
      • some Routers will receive 'Too Much' information about other Areas
      • utilizing more resources
      • this can be Filtered (ON ABR's)
        • just summarize some prefixes and advertise one prefix instead
        • done by generating a Type.3 LSA
        • or, filter these prefixes by not generating Type.3 LSA to the other router
      • Lab 11: youtu.be/boKqqySahvU?t=262

    • the only WAN routing protocol
    • developed from EGP
    • uses TCP 179
    • isolates peering from neighbor advertising
    • needs ASN's to operate
    • can be used internally (iBGP) or externally (eBGP)
    • flexible to apply filters, maps, polices, and attributes
    • AD eBGP = 20/iBGP 200

      image

    • Metric = Attributes
    • Attributes affect path selection for packets

    • BGP Attributes:
      1. Next-hop
      2. Weight - Highest
      3. Local Preference - Highest
      4. Locally originated
      5. AS-Path - Shortest
      6. Origin
      7. MED - Lowest
      8. External over Internal
      9. IGP Metric to Next-Hop
      10. Multipath

    • BGP Neighbor Relationships:

    image
    Lab 12: www.youtube.com/watch?v=pta39udBnUQ

    1. Locator Id Separation Protocol (LISP) is a network architecture and protocol that implements the use of two namespaces instead of a single IP address:
      • Endpoint IDentifiers (EIDs) - assigned to end hosts.
      • Routing LOCators (RLOCs) - assigned to devices (primarily routers) that make up the global routing system.

    2. IPsec over GRE example configuration:

      ip access-list extended GRE
       permit gre any any
      !
      crypto isakmp policy 10
       encr 3des
       hash md5
       authentication pre-share
       group 5
      !
      crypto isakmp key III-PSK-En address 192.168.200.2  
      !
      crypto ipsec transform-set III-P2-Trans esp-aes esp-sha-hmac
       mode tunnel
      !
      crypto map III-P2-Map 10 ipsec-isakmp
       set peer 192.168.200.2
       set transform-set III-P2-Trans
       match address GRE
      !
      interface Ethernet0/0
       description outside_interface
       ip address 192.168.100.2 255.255.255.0
       crypto map III-P2-Map
      !
      interface Tunnel1
       ip address 172.16.10.1 255.255.255.252
       ip mtu 1400
       tunnel source Ethernet0/0
       tunnel destination 192.168.200.2
      !
      ip route 10.20.0.0 255.255.255.0 Tunnel1 172.16.10.2

    3. # show interfaces ethernet 0/0 switchport
      Administrative Mode: dynamic desirable => need desirable mode one side to activate the trunk
      Negotiation of Trunking: On => need on both sides to re-enable with the 'no switchport nonegotiate' command

      image

    4. Under traffic classification and marking conditions is an outbound QoS policy that is applied on a router WAN interface most beneficial.

    5. Sensor access point mode allows a supported AP to function like a WLAN client would, associating and identifying client connectivity issues.
      As these wireless networks grow especially in remote facilities where IT professionals may not always be onsite, it becomes even more important to be able to quickly identify and resolve potential connectivity issues ideally before the users complain or notice connectivity degradation. To address these issues we have created Cisco's Wireless Service Assurance and a new AP mode called 'sensor' mode. Cisco's Wireless Service Assurance platform has three components, namely, Wireless Performance Analytics, Real-time Client Troubleshooting, and Proactive Health Assessment. Using a supported AP or dedicated sensor the device can actually function much like a WLAN client would associating and identifying client connectivity issues within the network in real time without requiring an IT or technician to be on site.

    6. The goal of the Cyber Threat Defense solution is to introduce a design and architecture that can help facilitate the discovery, containment, and remediation of threats once they have penetrated into the network interior.

      Cisco Cyber Threat Defense version 2.0 makes use of several solutions to accomplish its objectives:

      NetFlow and the Lancope StealthWatch System:
      • Broad visibility
      • User and flow context analysis
      • Network behavior and anomaly detection
      • Incident response and network forensics

      Cisco FirePOWER and FireSIGHT:
      • Real-time threat management
      • Deeper contextual visibility for threats bypassing the perimeters
      • URL control

      Advanced Malware Protection (AMP):
      • Endpoint control with AMP for Endpoints
      • Malware control with AMP for networks and content

      Content Security Appliances and Services:
      • Cisco Web Security Appliance (WSA) and Cloud Web Security (CWS)
      • Dynamic threat control for web traffic
      • Outbound URL analysis and data transfer controls
      • Detection of suspicious web activity
      • Cisco Email Security Appliance (ESA)
      • Dynamic threat control for email traffic
      • Detection of suspicious email activity

      Cisco Identity Services Engine (ISE):
      • User and device identity integration with Lancope StealthWatch
      • Remediation policy actions using pxGrid
    B-)

  • IP Services:

    Network Time Protocol (NTP):
    • have to stay synchronized
    • give a precise information, with real timing and date
    • either by setting an inner clock manually
    • or asking someone to inform about timing
    • uses UDP = 123

    • each network device can either be a Server or a Client
    • Stratum is needed:
      • how preferred and accurate this source is
      • starts from 0 - 15
      • the closest, the better
      • by default: a cisco router = 8

    Network Address Translation (NAT):
    • Private IP Addresses must not go to the Internet!
    • Public IP Addresses should not be assigned to private devices!
    • Then!!, NAT will translate Private to Public and vice-versa
      NAT is done 'ONLY' 'ONLY' by Routers, no Switches, no MultiLayer Switches (MLS's)

    • it can be:
      Static: one-one translating
      Dynamic: Group-Group Translating
    • also, this did not solve everything, IP exhaustion still there
      • so here comes Port Address Translation (PAT)
      • also called Network Address Port Translation (NAPT), or NAT-Overload
    • PAT will do a one-65,535 Translation!!
    Lab 13: www.youtube.com/watch?v=bwUlDR1Kpp0

    First Hop Redundancy Protocol (FHRP):
    • what if the gateway went down!!
    • a redundant gateway must be there
    • but how to redirect the requests from one to another?
    • how many back-ups can there be?
    • What protocols will do this:

    • Hot-Standby Redundancy Protocol (HSRP):
      • Cisco Only
      • 2 Gateways
      • No Load-Balancing

    • Virtual-Router Redundancy Protocol (VRRP):
      • Open Standard
      • 2 Gateways
      • No Load-Balancing

    • Gateway Load-Balancing Protocol (GLBP):
      • Cisco Only
      • 4 Gateways
      • Load-Balancing

    • Lab 14: www.youtube.com/watch?v=ttiwhNVQesc

    Multicast:
    • the one - to - group transmission
    • only one sender, but multiple 'specific' receivers
    • better than having multiple senders and multiple receivers
    • the one sender will send only 1 packet to a Multicast Router
    • the multicast router will 'Replicate' the packet to multiple destinations
    • The Multicast Router = 'Rendezvous Point'

    • so, the entire operation will be done by the multicast router
    • in order to assign specific receivers, create a 'Group'
    • and 'join' the receivers and that one sender to the group
    • uses IPv4 block of 224.0.0.0/4 - 239.255.255.255
    • uses MAC range of 0100:5E00:0000 - 0100:5E7F:FFFF

    • Two types of protocols are needed
    • Protocol that joins the receivers to the Group:
      • Internet Group Management Protocol (IGMP):
        • responsible for joining the receivers with the Rendezvous point
        • tells the RP that some receivers want to receive from '224.X.X.X'
        • BUT, those receivers have no idea about the sender
        • IGMP comes in 3 versions:

          • IGMPv1 (obsolete)

          • IGMPv2 (default of Cisco):
            • builds a shared tree
            • creates (*, G)

          • IGMPv3:
            • builds shortest path tree (SPT)
            • creates (S, G)
            • uses Source Specific Multicast (SSM)
            • SSM Block = 232.0.0.0/8
            • SSM informs the receivers about the sender
            • NO need for RP

    • Also, a Routing Protocol is needed:
      • Protocol Independent Multicast (PIM):
        • routes between receivers' routers and RP
        • requires IGP
        • v2 is default
        • 2 Modes:
          • Dense Mode: like broadcast (obsolete)
          • Sparse Mode: connects the receiver's router to the RP

    Network Assurance:

    Network Problems Diagnosing Tools:

    • Ping uses ICMP: Echo Request & Echo Reply
    • Traceroute uses UDP

    • Debug:
      • detailed information about behind the scenes operations
      • it supports and shows everything of almost every protocol
    • Conditional Debug:
      • more specific
      • detailed information about a specific operation, BUT, per interface / per address / etc.
    • Lab 15: www.youtube.com/watch?v=4gGCRfuULok

    SNMP & SYSLOG:
    • Simple Network Management Protocol (SNMP)
    • Monitor Networks from a single point of view
    • Server/Agent Relationship
    • uses UDP 161
    • the server is the requester (and recorder)

    • at the agent side:
      • MIB Object (The Factory)
      • Agent (The Messenger)
    • SNMP versions:
      • v1: obsolete
      • v2c: enhanced
      • v3: supports Authentication & Encryption

    image

    1. The system log message:
      %TUN-RECURDOWN Interface Tunnel 0 temporarily disabled due to recursive routing
      is presented after a network administrator configures a GRE tunnel. Because the best path to the tunnel destination is through the tunnel itself.

    2. To segregate multiple routing tables on a single device is the main function of VRF-lite.

    3. R1(config)# time-range WEEKEND
      R1(config-time-range)# periodic weekend 00:00 to 23:59

      R1(config)# access-list 150 deny tcp host 10.3.3.3 hos 10.2.2.2 eq 23 time-range WEEKEND
      R1(config)# access-list 150 permit ip any any

      R1(config)# interface G0/1
      R1(config-if)# ip access-group 150 in

    4. The configuration example to analyze 50 packets out of every 100:

      flow record v4_r1
       match ipv4 tos
       match ipv4 protocol
       match ipv4 source address
       match ipv4 destination address
       match ipv4 source-port
       match ipv4 destination-port
       collect counter bytes long
       collect counter packets long
      !
      flow monitor FLOW-MONITOR-1
       record random 1 out-of 2
      !
      sampler SAMPLER-1
       mode random 1 out-of 2
      !
      ip cef
      !
      interface GigabitEthernet 0/0/0
       ip address 172.16.6.2 255.255.255.0
       ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input

    5. Data plane forwarding function does vxlan perform in an SD-Access deployment.

    6. The time kept on a machine is a critical resource and it is strongly recommend that use the security features of NTP to avoid the accidental or malicious setting of incorrect time. The two security features available are an IP access list-based restriction scheme and an Encrypted authentication mechanism.

    7. JSON syntax can be written as follows:
      {
        "switch": {
          "name": "dist1",
          "interfaces": ["gig1", "gig2", "gig3"]
        }
      }

    8. The primary components for the Cisco SD-WAN solution consist of the vManage network management system (management plane), the vSmart controller (control plane), the vBond orchestrator (orchestration plane), and the vEdge router (data plane).
    B-)

  • SYStem LOGgings (Syslog):
    • stay aware of 'everything'
    • know all what is happening behind the scenes (or even in front of)
    • starts from the obvious information up to 'Emergency'
    • Server/Client Relationship

    • Server can be a Normal Server that collects all the loggings
    • Server can use the 'Syslog' or 'Splunk' Software
    • client is the networking device that generates logs

    • 'Every Awesome Cisco Engineer Will Need Ice-cream Daily'

    • 0 = Emergency, 1 = Alert
    • 2 = Critical,  3 = Error
    • 4 = Warning, 5 = Notification
    • 6 = Information, 7 = Debug

    image
    Syslog Logging Types:
    • Console Logging: show logs to the console user
    • Terminal Logging: show logs to Line VTY user
    • Buffered Logging: store some logs in the RAM
    • Remote Logging:
      • collect and send Syslog messages to a remote server
      • remote server must be reachable via an interface and have a Syslog Application
      • monitoring will occur from the server side
      • Example:
        Router(config)# logging host x.x.x.x
        Router(config)# logging traps (0 1 2 3 4 5, etc.)
        Router(config)# logging source-interface Loopback0

    Netflow:
    • specifically, what type of traffic is passing
    • not the amount, the type
    • like: Telnet, SSH, HTTP, etc..
    • more info about every type of flow
    • by Cisco
    • works with SNMP

    • Netflow client (node) = generator
    • Netflow server = collector (application)
      • export to UDP 2055 (can be modified)
    • Netflow can be exported to the CLI

    • versions:
      • v5: popular for IPv4
      • v9: template-based flow, support IPv6
        • flexible, define what to collect, what to export

    • Flexible Netflow:
      • more options:
        • multiple exporters
        • collects more data (more fields)
        • flexible at collecting and exporting
        • uses Flow-Monitors
        • multiple Monitors for multiple collections

    • Lab 16: www.youtube.com/watch?v=WNvmU21jZO0

    SwitchPort ANalyzer (SPAN):

    • will assign a switchport as an analyzer
      called a span source
      analyzes all types of traffic passing by this port
      can be used for multiple sessions

    • assigns a different port as an analysis exporter
      called the SPAN destination
      SPAN destination ports, will be only used for monitoring
      no longer sending frames, at all
      can't be used for multiple sessions

    • Lab 17: www.youtube.com/watch?v=LKphnIaKrgg

    • Remote SPAN (RSPAN):
      • when the destination is an interface on another switch
      • of the same networks
      • reachable through VLANs (trunk ports)
      • Lab 18: www.youtube.com/watch?v=7AhMKHujUMw

    • Encapsulated Remote SPAN (ERSPAN):
      • the destination is an interface on another switch
      • in a different network!!
      • reachable through L3 connectivity and routing
      • requires tunneling to connect SRC and DST
      • like GRE Tunnel

    image

    1. The primary components for the Cisco SD-WAN solution consist of the vManage network management system (management plane), the vSmart controller (control plane), the vBond orchestrator (orchestration plane), and the vEdge router (data plane).
      • vManage - This centralized network management system provides a GUI interface to easily monitor, configure, and maintain all Cisco SD-WAN devices and links in the underlay and overlay network.
      • vSmart controller - This software-based component is responsible for the centralized control plane of the SD-WAN network. It establishes a secure connection to each vEdge router and distributes routes and policy information via the Overlay Management Protocol (OMP), acting as a route reflector. It also orchestrates the secure data plane connectivity between the vEdge routers by distributing crypto key information, allowing for a very scalable, IKE-less architecture.
      • vBond orchestrator - This software-based component performs the initial authentication of vEdge devices and orchestrates vSmart and vEdge connectivity. It also has an important role in enabling the communication of devices that sit behind Network Address Translation (NAT).
      • vEdge router - This device, available as either a hardware appliance or software-based router, sits at a physical site or in the cloud and provides secure data plane connectivity among the sites over one or more WAN transports. It is responsible for traffic forwarding, security, encryption, Quality of Service (QoS), routing protocols such as Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF), and more.

    2. The RESTCONF request:
      URL - http://10.10.10.10/restconf/api/running/native/interface/GigabitEthernet/1/
      HTTP Verb - GET
      Body - N/A
      Headers - Accept - application/vnd.yang.data+json
      Authentication - privileged level 15 credentials

      Response:
      {
        "Cisco-IOS-XE-native:GigabitEthernet":{
          "name":"1",
          "vrf":{
            "forwarding":"MANAGEMENT"
          },
          "ip":{
            "address":{
              "primary":{
                "address":"10.0.0.151",
                "mask":"255.255.255.0"
              }
            }
          },
          "mop": {
            "enabled": false,
          },
          "Cisco-IOS-XE-ethernet:negotiation":{
            "auto":true
          }
        }
      }

      Model Driven Network Automation with IOS-XE:
      www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2018/pdf/LTRCRT-2700.pdf

    3. dBm is an abbreviation for 'deciBels relative to one milliwatt', where one milliwatt (1 mW) equals 1/1,000 of a watt. It follows the same scale as dB. Therefore 0 dBm = 1 mW, 30 dBm = 1 W, and -20 dBm = 0.01 mW
      image
    4. An engineer must create an EEM applet that sends a syslog message in the event a change happens in the network due to trouble with an OSPF process. The engineer should use:

      event manager applet LogMessage
       event routing network 172.30.197.0/24 type all
       action 1 syslog msg "OSPF ROUTING ERROR"

    5. Assuming that R1 is a CE router, Default VRF is assigned to Gi0/0 on R1.

      image
      There is nothing special with the configuration of Gi0/0 on R1. Only Gi0/0 interface on R2 is assigned to VRF VPN_A. The default VRF here is similar to the global routing table concept in Cisco IOS.

    6. Cisco EAP-FAST is also designed for simplicity of deployment since it doesn't require a certificate on wireless LAN client or on the RADIUS infrastructure yet incorporates a built-in provisioning
      mechanism.
    B-)

  • IP Service Level Agreement (IP SLA):
    • performs specific operation
    • from a specific source to a specific destination
    • like, icmp, http, tcp, udp, etc..
    • logs statistics about the successes/failures of that operation

    • Enhanced Object Tracking (SLA Track):
      • monitors the statistics of IP SLA
      • performs an action based on the statistics output

    • Lab 19: www.youtube.com/watch?v=o_fJ3hvA0EY


    Enterprise Network Design Considerations:
    • Three-Tier Architecture - A network topology divided into the Access, Distribution, and Core layers.
    • Collapsed Core Architecture - A two-tier topology where the Core and Distribution Layers have been consolidated.
    • Spine-Leaf Design for Data Centers: Logically, One Switch

    On-Premise vs. Cloud Designs Considerations:

    • With a Cloud deployment, there's no need to maintain local redundant power or hardware.
    • A Cloud deployment, pay for resource usage instead of purchasing physical hardware.

    • An On-Premise deployment, it might be easier to meet compliance requirements.
    • On-Premise deployment, it might be easier to maintain a good user experience.

    • Many deployments, called Hybrid deployments, combine both On-Premise and Cloud deployments.

    Fabric Capacity Planning:
    • How much data need to push through a data center switch?
    • How much data can push through a specific hardware configuration?
    • What is the anticipated bandwidth demand increase over time?
    • Switch BW Capacity = (Inter-slot Switching Capacity * Number of I/O Slots) + [(Number of SE Modules * Inter-slot Switching Capacity) / 2]
    • Nexus 7018 = (550 Gbps * 16) + [(2 * 550 Gbps) / 2]
        = 8.8 Tbps + 550 Gbps
        = 9.35 Tbps
      Full Deplex Switch BW Capacity = 9.35 Tbps * 2
        = 18.7 Tbps
      https://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/Data_Sheet_C78-437762.html

    Redundant Design: Higher Costs
    • Redundant Components
    • UPS/Generator
    • FHRP

    1. The RIB is a database of routing prefixes, and the Forwarding Information Base (FIB) is the Information used to choose the egress interface for each packet. The RIB is derived from the control plane, and the FIB is derived from the RIB.
      The FIB contains destination reachability information as well as next hop information. This information is then used by the router to make forwarding decisions. The FIB allows for very efficient and easy lookups.

    2. Although Protocol Independent Multicast (PIM) is called a multicast routing protocol, it actually uses the unicast routing table to perform the multicast Reverse Path Forwarding (RPF) check function instead of building up a completely independent multicast routing table. Unlike other routing protocols, PIM does not send and receive routing updates between routers.

    3. One of the best practices to secure REST APIs is using password hash. Passwords must always be hashed to protect the system (or minimize the damage) even if it is compromised in some hacking attempts. There are many such hashing algorithms which can prove really effective for password security e.g. PBKDF2, BCrypt, and SCrypt algorithms.
      Other ways to secure REST APIs are: Always use HTTPS, Never expose information on URLs (Usernames, passwords, session tokens, and API keys should not appear in the URL), Adding Timestamp in Request, Using OAuth, Input Parameter Validation.

    4. with manager.connect(host=192.168.0.1, port=22,
        username='admin', password='password1', hostkey_verify=True,
        device_params={'name'.'nexus'}) as m:

      The above Python snippet use the ncclient connect and establish a NETCONF session to a Cisco Nexus device (which is also a NETCONF server) and maintains it for the duration of the context.
      ncclient is a Python library that facilitates client-side scripting and application development around the NETCONF protocol.

    5. R1#
      *May 5 39:85:86.070: %TCP-6-BADAUTH: Invalid MD5 digest from 10.10.10.1(29832) to 10.120.10.1(179) tableid - 0
      from neighbor to logged device

      R1(config-router)# neighbor 10.10.10.1 peer-group CORP
      R1(config-router)# neighbor CORP password Cisco

      R2(config-router)# neighbor 10.120.10.1 peer-group CORP
      R2(config-router)# neighbor CORP password Cisco

    6. A company has an existing Cisco 5520 HA cluster using SSO. An engineer deploys a new single Cisco Catalyst 9800 WLC to test new features. The engineer successfully configures a mobility tunnel between the 5520 cluster and 9800 WLC. Client connted to the corporate WLAN roam seamlessly between access points on the 5520 and 9800 WLC. After a failure on the primary 5520 WLC, all WLAN services remain functional; however, Client roam between the 5520 and 9800 controllers without dropping their connection. mobility MAC on the 9800 WLC feature must be configured to remedy the issue.

    7. ip sla 10 <- The ip sla 10
       icmp-echo 192.168.10.20 <- will ping the IP 192.168.10.20
       timeout 500
       frequency 3 <- every 3 seconds
      ip sla schedule 10 life forever start-time now
      !
      track 10 ip sla 10 reachability <- to make sure the connection is still up.

      The IP SLA is configured in a router. An engineer must configure an EEM applet to shut down the interface and bring it back up when there is a problem with the IP SLA. The configuration which engineer use should be:

      event manager applet EEM_IP_SLA
       event track 10 state down

    8. Priority congestion queuing method on Cisco IOS based routers uses four static queues.
      https://packetlife.net/media/library/19/QoS.pdf

    9. Router BRDR-1 is configured to receive the 0.0.0.0/0 and 172.17.1.0/24 network via BGP and advertise them into OSPF area 0. An engineer has noticed that the OSPF domain is receiving only the 172.17.1.0/24 route and default route 0.0.0.0/0 is still missing. Configurating must engineer apply to resolve the problem is:

      router ospf 1
       default-information originate
      end

    10. Refer to the exhibit. An engineer has configured Cisco ISE to assign VLANs to clients based on their method of authentication, but this is not working as expected. utilize RADIUS profiling action will resolve this issue.

      image
    11. Refer to the exhibit. After configuring an IPSec VPN, an engineer enters the show command to verify the ISAKMP SA status. The status show ISAKMP SA is authenticated and can be used for Quick Mode.

      image
      QM_IDLE state means the tunnel is UP and the IKE SA key exchange was successful, but is idle, it remains authenticated in a (QM) quiescent state but active.

    12. vBond controller is capable of acting as a Session Traversal Utilities for NAT (STUN) server during the onboarding process of Edge devices.

    13. Cisco Cyber Threat Defense:
      • Identity Services Engine - uses pxGrid to remediate security threats
      • StealthWatch - analyzes network behavior and detects anomalies
      • Web Security Appliance - detects suspicious web activity

    B-)

  • Types of Backups:
    • Full: Backs up all data.
    • Differential: Backs up changes since last full backup.
    • Incremental: Backs up all changes since last full, differential, or incremental backup.
    • Snapshot: Backs up entire server, including state information.

    Hot Site:
    • Power
    • HVAC
    • Floor Space
    • Server Hardware (No in Cold Site)
    • Synchronized Data (No in Warm & Cold Site)

    Wireless LAN (WLAN) Design Considerations:

    Wireless Deployment Options:

    Cisco Access Points (APs) can operate in one of two modes: autonomous or lightweight

    Autonomous:
    • Self-sufficient and standalone, independent devices
    • Used for Home or small office environments / wireless networks
    • Controller-less deployment model
    • Not commonly used in large enterprise networks

    Lightweight AP (LAP):
    • Requires / has to join a central Wireless LAN Controller (WLC) to function.
    • Controller-based deployment model
    • WLCs can be physical or virtual
    • Controller communicates changes to the APs. Control And Provisioning of Wireless Access Points (CAPWAP) is an IETF standard for control messaging for setup, authentication, and operations between APs and WLCs.
    • LAP and WLC communicate with each other via a logical pair of CAPWAP tunnels.

    CAPWAP is similar to LightWeight Access Point Protocol (LWAPP) except the following differences:
    • CAPWAP uses Datagram Transport Layer Security (DTLS) for authentication and encryption to protect traffic between APs and controllers. LWAPP uses AES.
    • CAPWAP has a dynamic Maximum Transmission Unit (MTU) discovery mechanism.
    • CAPWAP runs on UDP ports 5246 (control messages) and 5247 (data messages).

    image

    An LAP operates in one of six different modes:

    1. Local mode (default mode): measures noise floor and interference, and scans for Intrusion Detection (IDS) events every 180 seconds on unused channels

    2. FlexConnect, formerly known as Hybrid Remote Edge AP (H-REAP), mode:
      • Configure and control remote wireless network
      • Similar to Layer 3 roaming with CAPWAP
        Central Switched:
        • Can also Normal tunnel (via CAPWAP) mode of operation both user wireless data and control traffic to a centralized WLC.
        • Typically not the recommended mode
        Local Switched:
        • allows data traffic to be switched locally and not go back to the controller.
        • Map user traffic to VLAN on adjacent switch. Can perform standalone client authentication and switch VLAN traffic locally even when it's disconnected to the WLC.
        • Control and management traffic still sent over CAPWAP to WLC

    3. Monitor mode: does not handle data traffic between clients and the infrastructure. It acts like a sensor for Location-Based Services (LBS), rogue AP detection, and IDS.

    4. Rogue detector mode: monitor for rogue APs. It does not handle data at all.

    5. Sniffer mode: run as a sniffer and captures and forwards all the packets on a particular channel to a remote machine where can use protocol analysis tool (Wireshark, Airopeek, etc.) to review the packets and diagnose issues. Strictly used for troubleshooting purposes.

    6. Bridge mode: bridge together the WLAN and the wired infrastructure together.

    Mobility Express is the ability to use an AP as a controller instead of a real WLAN controller. But this solution is only suitable for small to midsize, or multi-site branch locations where might not want to invest in a dedicated WLC. A Mobility Express WLC can support up to 100 APs.

    Use Cases for Location Services:
    • Enterprise asset tracking
    • Location-based advertising

      Cisco Solutions:
    • Real-Time Location Services (RTLS)
    • Cisco DNA Spaces
    • Cisco Meraki platform

    Software-Defined Wide Area Network (SD-WAN):

    Enterprise WAN:
    • Dedicated circuits traditionally used
    • Provide reliability and security
    • Rise in cloud usage requires simplicity

    SD-WAN:
    • Traffic backhauling no longer required
    • End-to-end traffic encryption and inspection through SD-WAN
    • Next generation security mechanisms added
    • Anti-malware systems, botnet control intervention, etc.

    SD-WAN Overlay = Virtual Infrastructure
    Underlay Network = Physical Infrastructure

    1. It collects statistical constraint analysis information and enforces the use of a specific encoding format for NETCONF are benefits of YANG.

    2. Refer to the exhibit. An engineer attempts to configure a trunk between switch SW1 and switch SW2 using DTP, but the trunk does not form. switchport mode desirable command should the engineer apply to switch SW2 to resolve this issue.

      image
    3. An engineer runs the code against an API of Cisco DNA Center, and the platform returns this output because The authentication credentials are incorrect.

      image

    4. Stratum measure is used by an NTP server to indicate its closeness to the authoritative time source.

    5. IGMPv2 is compatible only with IGMPv1.

      image
    6. Set of statements that defines how routing is performed is the centralized control policy in a Cisco SD-WAN deployment.

    7. Traffic Policing:
      • introduces no delay and jitter
      • drops excessive traffic
      • causes TCP retransmission when traffic is dropped

      Traffic Shaping:
      • introduces delay and jitter
      • buffers excessive traffic
      • typically delays, rather than drops traffic

    8. username CCNP privilege 15 secret Str0ngP@ssw0rd!
      username CCNP autocommand sho run

      The autocommand causes the specified command 'sho run' to be issued automatically after the CCNP user logs in. When the command is complete, the session is terminated. Because the command can be any length and can contain embedded spaces, commands using the autocommand keyword must be the last option on the line.

    9. Containment, threat intelligence, and machine learning features does Cisco Endpoint Detection and Response (EDR) use to provide threat detection and response protection.

    B-)

  • Cisco SD-WAN:
    • Management & Orchestration Plane:
      • vManage: User interface
      • vBond: Orchestration and provisioning
    • Contol Plane:
      • vSmart: SD-WAN - Policy Enforcement
        Communicates via Overlay Management Protocol (OMP)
    • Data Plane:
      • Cisco vEdge: Edge routers

    Software-Defined Access (SD-Access):

    Advantages:

    • Next-generation policy enforcement
    • Security Group Access Control Lists (SGACLs)
    • Policies are based on identity rather than addresses

    • Secure network segmentation
    • Virtualization of physical network
    • Separate virtual networks can have separate policies

    Campus Fabric:
    • Virtual overlay network
    • Ideally used with Cisco DNA Center
    • NETCONF/YANG management
    • Overcomes limitations found in traditional network architecture

    SD-Access Fabric:
    • Control Plane:
      • LISP encapsulation
      • Simplified routing
    • Data Plane:
      • VxLAN Tunneling
      • Virtual networks
    • Policy Plane:
      • Cisco TrustSec
      • Security groupings

    Layer:
    • Physical: Router, Switch, etc.
    • Network: Underlay Network, SD-Access Overlay
    • Controller: Cisco DNA Center, Cisco ISE
    • Management: Cisco DNA Center GUI

    Traditional Wireless: CAPWAP Tunnel between AP and WLC for all traffic.
    SD-Access Wireless: CAPWAP Tunnel between AP and WLC only for management traffic.

    1. A customer requests a network design that supports these requirements:
      • FHRP redundancy
      • multivendor router environment
      • IPv4 and IPv6 hosts
      VRRP version 3 protocol does the design include.

    2. Refer to the exhibit:

      image
      A network engineer is configuring OSPF between router R1 and router R2. The engineer must ensure that a DR/BDR election does not occur on the Gigabit Ethernet interfaces in area 0. Configuration set accomplishes this goal is:

      R1(config-if) interface Gi0/0
      R1(config-if) ip ospf network point-to-point

      R2(config-if) interface Gi0/0
      R2(config-if) ip ospf network point-to-point

      Broadcast and Non-Broadcast networks elect DR/BDR while Point-to-point/multipoint do not elect DR/BDR. Therefore have to set the two Gi0/0 interfaces to point-to-point or point-to-multipoint network to ensure that a DR/BDR election does not occur.

    3. A network engineer is adding an additional 10Gbps link to an existing 2x10Gbps LACP-based LAG to augment its capacity. Network standards require a bundle interface to be taken out of service if one of its member links goes down, and the new link must be added with minimal impact to the production network. The tasks that the engineer must perform in the sequence as following:
      1. Validate the physical and data link layers of the 10Gbps link.
      2. Execute the channel-group number mode active command to add the 10Gbps link to the existing bundle.
      3. Execute the lacp min-bundle 3 command to set the minimum number of ports threshold.
      4. Validate the network layer of the 10Gbps link.

    4. Running the script causes the output in the exhibit. The first line of the script must change to 'from ncclient import manager' to resolves the error.

      image
      https://ncclient.readthedocs.io/en/latest

    5. Refer to the exhibit:

      imageAn engineer implemented several configuration changes and receives the logging message on switch1. The engineer should Change the VTP domain to match on both switches to resolve this issue.

    6. Classifies traffic based on the contextual identity of the endpoint rather than its IP address correct is how Cisco Trustsec enable more access controls for dynamic networking environments and data centers.

    7. An engineer is working with the Cisco DNA Center API. Here are the methods with their actions:
      • DELETE: remove an element using the API
      • GET: extract information from the API
      • POST: create an element
      • PUT: update an element

    8. Refer to the exhibit:

      image

      The radiation pattern represent Yagi type of antenna.
      A Yagi antenna is formed by driving a simple antenna, typically a dipole or dipolelike antenna, and shaping the beam using a well-chosen series of non-driven elements whose length and spacing are tightly controlled.
      image
    9. Refer to the exhibit:
      image
      Assuming that all BGP neighbor relationship have been formed and that the attributes have not been changed on any of the routers, all traffic leaving AS 200 will choose Link 2 as the exit point by R4(config-router) bgp default local-preference 200.
      Local preference is an indication to the AS about which path has preference to exit the AS in order to reach a certain network. A path with a higher local preference is preferred. The default value for local preference is 100.
      Unlike the weight attribute, which is only relevant to the local router, local preference is an attribute that routers exchange in the same AS.

    10. RESTCONF operations include OPTIONS, HEAD, GET, POST, PATCH, and DELETE

    11. Signal-to-Noise Ratio (SNR) measurement is used from a post wireless survey to depict the cell edge of the access points.
      Cisco Wireless - RSSI and SNR

    12. A customer has several small brahches and wants to deploy a Wi-Fi solution with local management using CAPWAP. Mobility Express deployment model meets this requirement.
      Cisco Wireless - Introducing to Cisco Mobility Express and Cisco Wireless Portfolio 2018

    13. The wireless elements and their definitions:
      • beamwidth: measures the angle of an antenna pattern in which the relative signal strength is half-power below the maximum value
      • gain: the relative increase in signal strength of an antenna in a given direction
      • polarization: radiated electromagnatic waves that influence the orientation of an antenna within its electromagnetic field
      • radiation patterns: a graph that shows the relative intensity of the signal strength of an antenna within its space

    14. Refer to the exhibit:

      image

      POSTMAN is showing an attempt to retrieve network device information from Cisco DNA Center API. The issue is The URI string is incorrect.

    15. The purpose of the LISP routing and addressing architecture is It creates two entries for each network node, one for Its identity and another for its location on the network.
    B-)

  • 3 Categories of QoS:
    • Not Strict: Best Effort
    • Less Strict: DiffServ
    • Strict: IntServ

    Common QoS Mechanisms:
    • Classification and Marking
    • Queuing
    • Congestion Avoidance
    • Policing and Shaping
    • Link Efficiency

    Wi-Fi MultiMedia (WMM):
    • IEEE 802.1P markings map to WMM access categories
    • Access category determines InterFrame Space (IFS) and Random Backoff Timer

    4 Access Categories:
    • AC_VO (Voice) -> 802.1P: 6 & 7
    • AC_VI (Video) -> 4 & 5
    • AC_BE (Best Effort) -> 0 & 3
    • AC_BK (Background) -> 1 & 2

    image

    CIR = Bc / Tc
    • CIR (Committed Information Rate) = AVERAGE speed over the period of a second
    • Bc (Committed Burst) = Number of bits (for shaping) or bytes (for policing) that are deposited in the token bucket during a timing interval
    • Tc (Timing Interval) = The interval at which tokens are deposited in the token bucket

    Switching Mechanisms:

    Process Switching:
    • Oldest method for Cisco IOS switching
    • Every packet is inspected by CPU
    • Processor is directly involved with every packet
    • Not ideal in modern networks
    • Available on every Cisco router platform
    • Debugging uses process switching

    Cisco Express Forwarding (CEF):
    • Most preferred Cisco IOS switching process
    • Default in most modern Cisco IOS devices
    • Optimized lookup and efficient packet handling

      CEF Benefits:
    • Less CPU-intensive than older switching methods
    • Distributed CEF (dCEF) allows line card forwarding
    • CEF Forwarding Information Base (FIB)
    • CEF Adjacency Table

    CEF FIB:
    • Similar to a routing table
    • FIB is updated with each routing table update
    • Processor is not involved with route lookup
    • FIB is a more efficient lookup structure

    CEF Adjacency Table:
    • Information about directly connected devices
    • Adjacency = reachable via single link-layer hop
    • Layer 2 next-hop address maintained in table

      1. A data MDT is created to if it is a (*, G) multicast route entries when a high bandwidth multicast stream is sent over an MVPN using Cisco hardware.

      2. Refer to the exhibit:

        image
        An engineer is configuring an EtherChannel between Switch1 and Switch2 and notices the console message on switch2. Based on the output, this issue should resolves by Configure the same EtherChannel protocol on both switches.
        In this case, using EtherChannel without a negotiation protocol on Switch2. As a result, if the opposite switch is not also configured for EtherChannel operation on the respective ports, there is a danger of a switching loop. The EtherChannel Misconfiguration Guard tries to prevent that loop from occuring by disabling all the ports bundled in the EtherChannel.

      3. Refer to the exhibit:

        image
        The configuration to achieve a dynamic continuous mapped NAT for all users is Increase the NAT pool size to support 254 usable addresses.

      4. When using Ternary Content Addressable Memory (TCAM) inside routers it's used for faster address lookup that enables fast routing.
        In switches CAM is used for building and lookup of mac address table that enables L2 forwarding decisions.
        Besides Logest-Prefix Matching, TCAM in today's routers and multilayer Switch devices are used to store ACL, QoS and other things from upper-layer processing.

      5. Virtual components and their descriptions:
        • OVA: configuration file containing settings for a virtual machine such as guest OS
        • VMDK: file containing a virtual machine disk drive
        • VMX: zip file connecting a virtual machine configuration file and a virtual disk
        • vNIC: component of a virtual machine responsible for sending packets to the hypervisor
      B-)