CCNP Enterprise

PlAwAnSaI · Jun 7, 2009

CCNP คือ Cisco Certified Network Professional เป็นระดับของ มืออาชีพ ที่มีความสามารถพอสมควรในการสนับสนุน ติดตั้ง รวมถึงการแก้ปัญหาต่างๆ ด้าน Routing และ Switching ที่ใช้ใน Network ทั่วไป
ต้องสอบ 2 วิชา วิชาหลัก และวิชาเลือก ไม่ต้องมี CCNA ก็สอบได้ถ้าเก๋าพอ ซึ่งถ้าสอบในระดับ Professional หรือ Specialist จะเป็นการ Recertificate ในระดับ Associate ไปในตัว ดังนั้นรายวิชา CCNP แต่ละตัว ไม่ควรทิ้งให้นานเกินไป เพราะเทคโนโลยีมันพัฒนาไปเรื่อยๆ มันจะมีเรื่องใหม่ๆ มาให้เราศึกษาเรื่อยๆ แล้วก็เราไม่มีทางรู้ว่า Cisco จะประกาศยกเลิกข้อสอบแต่ละตัวเมื่อไหร่ (ยกตัวอย่างวิชา ROUTE กับ SWITCH ในระดับ CCNP ที่ยกเลิกไปแล้ว)

เจาะเนื้อหาและหัวข้อ CCNA ใหม่ และ CCNP Enterprise:
www.youtube.com/watch?v=ucgSn8fJBUU
Free CCNP 350-401 ENCOR Complete Coursewww.youtube.com/playlist?list=PLAqaqJU4wzYVS_QYH1_LEh5VLDu-Oaiwy

www.youtube.com/playlist?list=PLhfrWIlLOoKPM3poHlHLpw-b6cigthng2
CCNP Enterprise -350-401-ENCOR- Cisco Core Technologies
www.udemy.com/course/ccnp-enterprise-300-401-implementing-cisco-enterprise-core
อธิบายการทำงาน และ การตั้งค่า Ether-channel:
www.youtube.com/watch?v=waA-kTBevQ4
[CCNP ENCOR] Basic BGP and Configuration:
www.youtube.com/watch?v=y6YtCyMBhKY
[CCNP ENCOR] Introducing to Multiple Spanning-Tree (MSTP):www.youtube.com/watch?v=TxSLRuQP2bY
Introducing to Cisco DNA Center:www.youtube.com/watch?v=XaZZgOKPnG0
Describe SD-Access from Cisco CCNP Enterprise ENCOR (350-401):
www.youtube.com/watch?v=k7_0On3pcY4
=AT3aVOy8QE8ED1-JqpFKThTgoz8sbhh2WYtDY7P4SEXJDLZ-9EVaDnDOvxDnaShqTp-PvxGbl8no9VKIjSUX7BFVtiayGaD6L__EIdDyv0H3D4VJLMwzZBg_-FIi2zW6kVVT8h-HObx15CuHhxS85L1EVLRWiaRRWYZ0jc1orA7sc0QiCrAhpMp5LrxS0Ol8s4hdXvTY t=_blank]
CCNP Cisco Networking Academy Version v5.0:
forum.siamnetworker.com/?topic=294
ประสบการณ์การเตรียมตัวสอบ CCNP:
zone-network.blogspot.com/2014/06/ccnp.html

CCNP ROUTE 642-902
CCNP SWITCH 642-813
CCNP TSHOOT 642-832
Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401:

Starting from February 24th - 2020
Exam Cost: 400$
Exam Center: Pearson Vue
NO Prerequisites
Acquired Badges: Cisco Certified Specialist - Enterprise Core
Enrollment: Cisco CCNP Enterprise & Cisco CCIE Enterprise Infrastructure
Recertify CCNA 200-301 & CCNP
Expires: 3 years
CCNP Enterprise: ENCOR + Concentration Exam:

Shared Topics with CCNA 200-301:
- Design, Virtualization, WLAN, STP, NTP, NAT, ACL
https://learningnetwork.cisco.com/s/encor-exam-topics

Architecture:
Enterprise Networks Design Principles:

Tier 2, Tier 3, and Fabric Capacity Planning
- Simplify Scaling & Troubleshooting
- Depends on network size, and future growing

PlAwAnSaI · Jul 1, 2021

Tier 2 will be for Small/Mid networks:
- One building network
- Only 2 Tiers (Access and Aggregation)
- Access:
  - The first layer facies/authenticates endpoint devices
  - Connects the endpoint to their gateways (aggregation)
- Aggregation:
  - Aggregates/Communicates all the access layers
  - Runs both Layer2 and Layer3 Techs. and Protocols
  - Run in pair-devices mode/SSO
Tier 3 for Mid/Large Enterprises:
- Multiple Buildings
- More East-West traffic
- Future scaling (Horizontally)
- 3 Tiers (Access, Distribution, and CORE)
- Core:
  - Aggregate multiple networks
  - High speed/convergence
  - Runs in pair-devices mode
  - Runs at Layer 3
  - Connects to the WAN/Internet
  - Connects to servers and other Data Centers

High Availability:

First Hop Redundancy Protocols:
- HSRP, VRRP, and GLBP
- Runs at the Distribution layer
- Provides a GW for endpoints
- Needed when the Access layer is using a Layer2 techs!
Hot-Standby Redundancy Protocol (HSRP):
- Cisco Only
- 2 Gateways
- No Load-Balancing
Virtual-Router Redundancy Protocol (VRRP):
- Open Standard
- 2 Gateways
- No Load-Balancing
Gateway Load-Balancing Protocol (GLBP):
- Cisco Only
- 4 Gateways
- Load-Balancing
Stateful SwitchOver (SSO):
- Switches with more than 1 CPU
- when 1 CPU fails, the other continuous (stateful)
- best at Distribution layer
Virtual Switching System (VSS):
- A clustering technique
- Combines multiple switches
- Act as one switch
- At the distribution layer
- No FHRP will be needed then
- May also hear 'Stackwise'

Design Network Campus อย่างมืออาชีพ ต้องทำอะไรบ้าง?:www.youtube.com/watch?v=JU1gdz0VZjo

www.youtube.com/watch?v=QahRhXoZPzE
On-Premise vs Cloud Infrastructure Deployments:

On-Premise: everything is in the office, Company, Data Center
Cloud-Based: everything is at the Cloud Company

Software-Defined - Wide Area Networks:

What is SDN?:
- where have a 'software' that runs network
- so, through a 'software' be able to run and administrate
  An entire network, with its different types of devices
- that will need either a 'Controller'!!
  Or, a built-in scripting (Cisco TCL, or Python)
- SD-WAN is applying SDN to WAN part of the network!
  - the part that connects multiple networks through the Internet
  - will administer the WAN by a software
  - also contains multiple layers to achieve this approach:
    - Application
    - Controller
    - Infrastructure

SD-WAN Planes:

Generally, the SD-WAN solution consist of 4 planes (orchestration, management, control, and data plane)
The control plane:
- builds/maintains the network topology
- makes decision on where traffic flows
Cisco vSmart:
- Handles all the Overlay-network routing
- Facilitates the DP encryption between vEdges
- Propagates the policies for handling DP traffic
The data plane:
- responsible for forwarding packets
- based on decisions from the control plane
Physical/Virtual:
- WAN edge router
- Provides secure data plane with remote vEdge routers
- Implements data plane and application aware routing policies

Traditional WAN vs SD-WAN solutions:
Traditional WAN:

Each network device has its own control plane
Configuring, modifying, upgrading, and Monitoring is done 'Box-by-Box'
Automation is more difficult
New Installation requires 'from scratch' efforts

SD-WAN:

Centralized Management
Through a 'software' be able to run and administrate an entire network
Automation is easy (API)
New devices automatically finds an initial configuration/Zero Touch Provisioning (ZTP)

Software-Defined Access:

is it really that much of different technologies!
SD-Access is simply:
- applying SDN solution to access network
- when SDN controls an automates a simple campus network
And thus, there will be a controller (ex: Cisco DNA Center, Cisco APIC-EM)

SDN Implementation and Effect upon planes:

Imperative Approach:
- the control plane logic resides completely in the controller
- the controller has a complete control over programing the forwarding decisions of the networking devices
- devices then will ask the controllers before any forwarding or routing action
Declarative Approach:
- the control plane resides within the network device (just like before)
- the controller will declare the requirements of the all the Forwarding/routing decisions to the networking devices
- the network devices will then decide how to translate the Controller instructions into actions
How will the Access look like:

What is SD-WAN?:www.youtube.com/watch?v=YaxTiTYgpj4

Cisco SD-WAN - Introducing to Cisco SD-WAN:www.youtube.com/watch?v=PNJhDLh9WFI

www.youtube.com/watch?v=0Q_Px1FzlZ4

The RIB is used to create network topologies and routing tables. RIB is derived from the control plane. The FIB is a list of routes to particular network destinations.
Extended IP access list EGRESS
10 permit ip 10.0.0.0 0.0.0.255 any
!
interface GigabitEthernet0/0
ip address 209.165.200.225 255.255.255.0
ip access-group EGRESS out
duplex auto
speed auto
media-type rj45
!
An engineer must block all traffic from a router to its directly connected subnet 209.165.200.0/24. The engineer applies access control list EGRESS in the outbound direction on the GigabitEthernet0/0 interface of the router. However, the router can still ping hosts on the 209.165.200.0/24 subnet. Because Access control lists that are applied outbound to a router interface do not affect traffic that is sourced from the router.
Excess jitter and bandwidth-related packet loss network problems Indicate a need to implement QoS in a campus network.

PlAwAnSaI · Jul 5, 2021

Quality of Service (QoS):

if traffic was more than bandwidth!
if congestion WILL happen, can some traffic be more preferred than another?
Generally, UDP will be preferred over TCP (TCP will automatically do A re-transmission)
QoS Tools that will do the specific desired 'Preferring'. (Classification & Marking, Policing, Shaping, Queuing, and Scheduling)
Classification & Marking:
- for the Ingress traffic/interface
- Classification first, please classify this type of traffic, like: 'UDP=High, Mail=Low'
- Then, Marking, 'Marks' the classified traffics to identify them uniquely in the network
Classification usually happens by matching port numbers:
- if further recognizing is needed
- Network-Based Application Recognition (NBAR)
- recognized, identifies, and classifies a traffic
- based on multiple variety of things
- Word, Phrase, URL!!
Policing & Shaping:
- The Provider - Client Relation
Policing:
- From the Provider side
- Drop the exceeding ingress (Coming) traffic
- or mark-down that traffic, to be dropped later in the network
Shaping:
- From the Client side
- To avoid misunderstanding, or unwanted behavior with the provide
- Queues the excess egress (Outgoing) traffic in the 'Egress Queue'
- This is called 'Queuing'
Queuing:
- Dividing the Egress Queue, to multiple sub-queues
- Each, is differentiated by 'Priority'
- To deal with classified packets
Scheduling:
- How to empty the sub-queues, by which criteria
Congestion Management:
- Tools for Queuing and Scheduling
- Emptying the Queued traffic in the egress queue
- Weighted Fair Queuing (WFQ), Class-Based Weighted Fair Queuing (CBWFQ), Priority Queuing (PQ), Low-Latency Queuing (LLQ), Weighted Round Robin (WRR), Shaped Round Robin (SRR), Shaping
Congestion Avoidance:
- Tools to avoid congestion
- Before even happening
- At the ingress interface/s (receiving queue)
- Random Early Detection (RED), Weighted Random Early Detection (WRED), Weighted Tail Drop (WTD), Policing
QoS Application in a Network:
- Integrated Services:
  - unified settings all the way
  - uses The Resource Reservation Protocol (RSVP)
- Differentiated Services:
  - each hop has its unique settings
  - uses 'Per-Hop Behavior' (PHB)

QoS Policies:

Modular QoS Command-line (MQC)
- applying the QoS tools globally
- multiple tools will be available for multiple ports/uses
- requires 3 components to operate
  - Class-Maps
  - Policy-Maps
  - Service-Policies
Class-Maps:
- create a list, that identifies/matches some characteristics of a traffic
- classify those 'matched' traffic
- to provoke this list to operate, will need a 'Policy-Map'
Policy-Maps:
- MATCH a Class-Map
- to apply a specific action to its traffic (queue it, shape it, police it...)
- the same Class-Map can be matched multiple time on multiple interfaces
- each time, a different 'action' will be taken!
- to apply a 'Policy-Map' to an interface/s
- will need a 'Service-Policy'
Service-Policy:
- apply a 'Policy-Map' to an interface
- either 'INBOUND' or 'OUTBOUND'

Switching Mechanisms:
Device Processing vs Cisco Express Forwarding (CEF):

Process:
- processing the incoming ingress traffic
- to switch it, to the desired egress outgoing interface
- done by the CPU
- even if the CPU is very busy
- known as 'IP Input'
CEF:
- establish an area to store pre-defined decisions, as a reference
- that area = Cache Area
- will be automatically done whenever a new protocol is enabled
- creates FIB & Adjacency Table
- not exactly every thing is CEF switched (a first time ARP, CDP, Encryption)

FIB vs. RIB:

Forwarding Information Base (FIB):
- extracted from the 'RIB'
  - Routing Information Base
  - The Routing Table
- it is the Routing Table of the CEF
- always syncs with the RIB (Routing Table)
- less details
  *some operations are handled by the Adjacency Table
  - for L2 info (ARP, VLAN, MAC)

CAM (MAC Table) vs. TCAM:

Content Addressable Memory (CAM):
- a random memory
- stores MAC Addresses
- used for lookups (by the forwarding engine)
- MACs are represented as 'MAC Table'
Ternary Content Addressable Memory (TCAM):
- also, a random memory
- stores IP Addresses and subnet masks
- used for Longest match lookups
- Addresses and masks are represented as 'Routing Table'

Virtualization:
Device Virtualization:

Just Networks, BUT in Virtualized Environment
Multiple Devices inside One
Ease of Management
The Hypervisor: The new Mediator between SW/HW
Load the Hypervisor on the Physical HW, after that install OS on the Hypervisor
Now the Hypervisor = Host, and the OS = Virtual Machines = Guest
Hypervisors:
- Schedules the VMs requests to the HW
- Distributes the HW resources between the VMs
Hypervisors Types:
- Type1:
  - The Native or Bare Metal
  - Runs directly on the HW resources
  - HW --- Hypervisor --- VM
  - Citrix XEN, Oracle VM, Microsoft Hyper-V, VMware ESX/ESXi
- Type2:
  - Hosted
  - Runs as a SW besides the OS
  - HW --- OS --- hypervisor
  - VMware Workstation, Virtual Box
How to connect all these?
Virtual Switches:
- Connects all VMs Together like a Real Switch
- Assigns a Virtual Network Interface Card (V.NIC) for each VM
- Exists by default in Hypervisors Type1
- After Creating a V.Switch & V.NIC, all VMs will automatically get connected together
*also, can create Port Group for Complete Isolating (like VLANs)
*there is another V.NIC for each VM (for Internet)
Examples:
- Microsoft Hyper-V
- ESXi VSwitch

In a Cisco SD-Access solution, the Identity Services Engine (ISE) is leveraged for dynamic endpoint to group mapping and policy definition.
OSPF:
- link state routing protocol
- makes it easy to segment the network logically
- constructs three tables as part of its operation: neighbor table, topology table, and routing table
- metric is calculated on bandwidth only
EIGRP:
- distance vector routing protocol
- supports unequal path load balancing
- metric is based on delay and bandwidth by default

PlAwAnSaI · Jul 6, 2021

https://developer.cisco.com/site/sandbox
https://github.com/openconnect/openconnect-gui/releases

Data Path Virtualization:
Virtual Routing & Forwarding (VRF):

For Service Providers
With multiple clients
isolate each client in a 'Routing Table'
for duplicated addresses
requires ISP's network
- MPLS, VPN, L3VPN, BGP
BUT, for Enterprises:
- VRF-Lite > Lab 1: www.youtube.com/watch?v=338nrzH_MvU
- No Extra VPN protocols
- classic routing protocols can be used

Generic Route Encapsulation (GRE): Lab 2: www.youtube.com/watch?v=33dkYlp-H18

Virtually create a P2P path
Virtually isolate some traffic in a path
Across multiple hops
Data will be 'Encapsulated' at L3
Source and Destination ports should be specified
Virtual ports will be created on Tunnel ends

Internet Protocol Security (IPSec): Lab 3: www.youtube.com/watch?v=HUvWbd0dflE

packets travels unsecured
any sniffer, analyzer, can read data!
IPSec is a bunch of tools:
- pick the set like to secure data
- Confidentiality: Encrypt the data all the way
- Data Integrity: Guarantees delivering original data
- Authentication: only the trusted ends can communicate
- Anti-Replay: only regenerated or duplicated packets
To provide and establish all the CIA and R:
- Security Associations (SA) will be exchanged between the peers
- things like (tools, algorithms, protocols, and keys) will be discussed
Security Associations Parameters:
- hashing: redistributing data by using an algorithm (MD5, SHA)
- encryption: locking data by using a 2-way algorithm
- shared passwords
- all of the above is either statically configured, or dynamically (IKE)
Static means that every parameter is defined manually
Dynamic (Internet Key Exchange, IKE):
- a group of SA's
- end tunnels will negotiate their accepted SA's
- IKE has versions 1 and 2
- IKEv1 creates 2 Tunnels (in 2 phases):
  - Phase1: establish an authenticated tunnel, it requires:
    - authentication (PSK (requires Password) or PKI)
    - encryption (DES, 3DES, or AES)
    - hash (SHA or MD5)
    - DH group
    - lifetime (optional)
  - Phase2: negotiates SA's between end points
    - (Destination, Data, and Transport Method)

Network Virtualization:

Locator/ID Separation Protocol (LISP):
- also, a tunneling protocol (like GRE)
- establish a tunnel between edge routers and the WAN
- separates location from identity:
  - identity: IP Address of the host (Endpoint ID, EID)
  - location: IP Address of the host's GW (Routing Locator, RLOC)
    RLOC = the address facing the WAN
- useful in the case of:
  - load sharing with the provider (multi-homed)
  - tunneling IPv6 over IPv4 infrastructure
  - other VPN uses
- there are 2 required devices to perform the separation and the mapping (map this EID to that RLOC)
  - a map server (MS), and a map resolver (MR)
  - can be combined in a single device
- CCNP-CCIE Enterprise : Overview of LISP:
  www.youtube.com/watch?v=k_gsBGkF624
- [CCNP ENCOR] มาทำความรู้จัก และเข้าใจการทำงานเบื้องต้นของ Cisco LISP กัน:
  www.youtube.com/watch?v=ixHWZj2qnGo
Virtual Extensible Local Area Network (VxLAN):
- a tunneling protocol
- for data centers
- replaces VLAN as it gives 2^24 = 16,777,216 VLANs
- transport L2 over L3
- extends L2 connectivity over L3 infrastructure
- supports ECMP over CLOS (spine and leaf)
- requires L2GW and L3GW
- can use the same VxLAN number on multiple sites
- thus, the same broadcast domain will be stretched between sites

Infrastructure:
Layer 2 Infrastructure Technologies:
Static and Dynamic 802.1q trunking protocols: Lab 4: www.youtube.com/watch?v=OuvChBZDdOE

Static is to configure every port as either:
- Auto (default): waiting for the other side to negotiate
- Desirable: starts negotiating trunking
Dynamic (enabled by default):
- only requires one side to enable trunking
- negotiations will dynamically
- negotiations can be 'Disabled'

Static and Dynamic EtherChannels: Lab 5: www.youtube.com/watch?v=qre-Lc-qEcM

EtherChannels are supported on Cisco Switches
supporting both LACP and PAgP negotiations protocols
those are the static negotiation etherchannel protocols
LACP uses:
- Active: initiates bundling negotiations
- Passive: waits for other side to initiate
PAgP uses:
- Desirable: initiates bundling negotiations
- Auto: waits for other side to initiate
Dynamic:
- Mode ON: no negotiations, direct bundling (mostly L3)

When using Transport Layer Security (TLS) for syslog, 'logging host 10.2.3.4 vrf mgmt transport tcp port 6514' configuration allows for secure and reliable transportation of messages to its default port.
The TOS field in the Layer 3 header is used to perform QoS packet classification.
At Northbound APIs Layer, Cisco DNA Center support REST controls.
How to configure eBGP (external BGP):

R1(config)# router bgp 1
R1(config-router)# neighbor 192.168.12.2 remote-as 2
R1(config-router)# network 1.1.1.0 mask 255.255.255.0

R2(config)# router bgp 2
R2(config-router)# neighbor 192.168.12.1 remote-as 1
R2(config-router)# network 2.2.2.0 mask 255.255.255.0

With BGP, must advertise the correct network and subnet mask in the 'network' command (in this case network 1.1.1.0/24 on R1 and network 2.2.2.0/24 on R2). BGP is very strict in the routing advertisements. In other words, BGP only advertises the network which exists exactly in the routing table. In this case, if put the command 'network x.x.0.0 mask 255.255.0.0' or 'network x.0.0.0 mask 255.0.0.0' or 'network x.x.x.x mask 255.255.255.255' then BGP will not advertise anything.

PlAwAnSaI · Jul 18, 2021

Common Spanning Tree Protocols (STP): Lab 6: www.youtube.com/watch?v=g3UlDOX0ePA

Need redundancy, but there will be a broadcast message!
What will happen?
Then how can prevent what is called a 'LOOP',
AKA 'Broadcast Storm'?
STP requires election to be performed first
The Winner must be: 1-Lowest Priority, 2-Lowest MAC Address
After that port roles and states will happen:
- Designated Port: Forwarding state
- Root Port: Forwarding State
- Alternative / Non-designated Port: Blocking State
The entire process of election takes (30 - 50) Seconds
Max Age = 20 + (Forwarding Delay = 15) + (Learning Delay = 15) = 50 Seconds

In order to speed things up:
- Rapid STP: NO Listening, NO Blocking,
  only (Discard, Forwarding, Learning)
- Then delay will become = 3 + 3 = 6 Seconds
- What is the BIG benefit of Redundancy then!! If STP is blocking ports:
  - There will be a Per-VLAN STP (PVST)
  - Each VLAN can have an ELECTION!!
  - Each VLAN will have its own root!
  - Things are much better now
  - Specially that there is a RPVST+ (faster)!
- RPVST+ can be further simplified by using MST:
  Lab 7: www.youtube.com/watch?v=cCJqM6ESfNQ
  - Instances (Groups) that requires domain names/revision numbers
  - each instance will have its own Tree

Layer 3 Infrastructure Technologies:
Enhanced Interior Gateway Routing Protocol (EIGRP):

A Hybrid Protocol
classified as a 'Distance Vector (D.V.)' protocol
it does combine both the D.V. and Link State (L.S.) methods of measuring the metric
IP Protocol = 88
Defusing Update ALgorithm (DUAL)
AD = 90
Metric = Result of the 5K's formula:
[256 * ((K1*Bandwidth)] + [(K2*Bandwidth)/(256-Load)] + [K3*Delay) * (K5/(Reliability + K4)))]
The default 'K Values':

So = 256 x ( Bandwidth + Delay )
Bandwidth is per link, while Delay is cumulative
EIGRP will apply the formula to elect its main path
for redundant paths, Feasibility Condition (FC) is used:
- the main path is the lowest metric calculated among available paths:
  - The Feasible Distance (FD)
  - Successor
- the redundant path is the lowest 'Advertised' metric from the neighbor!:
  - The Reported/Advertised Distance (RD)
  - Feasible Successor (FS)
- only those paths can be used for Unequal Cost Load Distribution (UCLD)
- which requires the activation of 'variance'
Lab 8: EIGRP:
www.youtube.com/watch?v=Iu1JKLhnYgk
www.youtube.com/watch?v=wbNqF9uaAmg

Open Shortest-Path First (OSPF):

Link State Protocol
Dijkstra algorithm
SPF algorithm for route decision
AD = 110
Metric = Cost (less = Better)
Process ID for multiple instances
Area ID for Data Base isolation
Link-State Advertisements: negotiation between OSPF Routers, it contains:
- LSRequest: provide the missing Information
- LSUpdate: reply for the LSR
- LSAcknowledgement: reply for the LSU
Neighboring Process:

Database Description (DD)

A company plans to implement intent-based networking in its campus infrastructure. Two-tier design facilities a migrate from a traditional campus design to a programmer fabric designer.
LISP components:
- map server: network infrastructure component that learns of EID-prefix mapping entries from an ETR
- map resolver: accepts LISP encapsulated map requests
- ITR: receives packets from site-facing interfaces
- ETR: de-encapsulates LISP packets coming from outside of the LISP site to destinations inside of the site
- proxy ETR: receives traffic from LISP sites and sends it to non-LISP sites
- EID: IPv4 or IPv6 address of an endpoint within a LISP site
Multiple virtual servers can be deployed on the same physical server without having to buy additional hardware is a benefit of a virtual machine when compared with a physical server.
VxLAN characteristics:
- It uses VTEPs to encapsulate and de-capsulate traffic frames into and out of the VxLAN fabric
- Allows for up to 16 million VxLAN segments
Cisco DNA center application Policy is responsible for group-based access control permissions.
HTTPS protocol does REST API rely on to secure the communication channel.
The REST API accepts and returns HTTP (not enabled by default) or HTTPS messages that contain JavaScript Object Notation (JSON) or eXtensible Markup Language (XML) documents. Can use any programming language to generate the messages and the JSON or XML documents that contain the API methods or Managed Object (MO) descriptions.
Refer to the exhibit. An engineer must deny HTTP traffic from host A to host B while allowing all other communication between the hosts.

SW1(config)# ip access-list extended DENY-HTTP
SW1(config-ext-nacl)# deny tcp host 10.1.1.10 host 10.1.1.20 eq www

SW1(config)# ip access-list extended MATCH_ALL
SW1(config-ext-nacl)# permit ip any any

SW1(config)# vlan access-map HOST-A-B 10
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop

SW1(config)# vlan access-map HOST-A-B 20
SW1(config-access-map)# match ip address MATCH_ALL
SW1(config-access-map)# action forward

SW1(config)# vlan filter HOST-A-B vlan 10
TLS is accurate when using RESTCONF to write configurations on network devices, It is provided using NGINX acting as a proxy web server.
Wireless client device makes the decision for a wireless client to roam.
A network administrator applies the following configuration to an IOS device.
aaa new-model
aaa authentication login default local group tacacs+
A local database is checked first. If that check fails, a TACACS+ server is checked.
Considerations when using SSO as a network redundancy feature:
- must be combined with NSF to support uninterrupted Layer 3 operations
- requires synchronization between supervisors in order to guarantee continuous connectivity
The access layer typically provides Layer 2 services, with redundant switches making up the distribution layer. The Layer 2 access layer can benefit from SSO deployed without NSF. Some Enterprises have deployed Layer 3 routing at the access layer. In that case, NSF/SSO can be used.
Cisco IOS NonStop Forwarding (NSF) always runs with stateful switchover (SSO) and provides redundancy for Layer 3 traffic.
Uplink and downlink Orthogonal Frequency Division Multiple Acess (OFDMA) new enhancement was implemented in Wi-Fi 6.
The WLC send syslog level errors and greater severity messages to the syslog server.

PlAwAnSaI · Jul 26, 2021

Link State Advertisements (LSA's):
- multiple types
- depends on the advertisement they are doing
  - LSA Type.1 (Router LSA): investigates local OSPF connections
  - LSA Type.2 (Network LSA): investigates local OSPF connections for a DR
  - LSA Type.3 (Network Summary LSA): for ABR to reach links in Areas
  - LSA Type.4 (ASBR Summary LSA): for ABR to reach ASBR's
  - LSA Type.5 (External LSA): for ASBR redistribution
  - LSA Type.7 (NSSA External LSA): for ASBR NSSA

OSPF Neighbor Types:
A Neighboring router can be a P2P neighbor
- in this case no problems
or can be connected through a 'SWITCH'!!
- broadcast will happen
- elections must take place
- only One router should update the topology (DR)
a DR (Designated Router): Highest Router Priority (0-255), Def=128
- Or Highest Router ID
  - Router ID (R.ID): 32-bit Address
- DR needs BDR (second best of everything)

Lab 9: OSPF (Multi-Area):
www.youtube.com/watch?v=6WxhIillLS4
www.youtube.com/watch?v=L50UciVV77o
Reference bandwidth = 100Gbps:
- 100Gbps: OSPF Cost = 1
- 40Gbps: Cost = 2.5
- 25Gbps: = 4
- 10Gbps = 10
- Gigabit Ethernet = 100
- Fast Ethernet = 1,000
- Ethernet = 10,000
Lab 10: OSPF DR: www.youtube.com/watch?v=_Y4HnqauMtc
OSPF Summarization:
- To make all the routers in all the Areas be able to communicate
- LSDB's must synchronize
- routes and advertisements must be exchanged
- some Routers will receive 'Too Much' information about other Areas
- utilizing more resources
- this can be Filtered (ON ABR's)
  - just summarize some prefixes and advertise one prefix instead
  - done by generating a Type.3 LSA
  - or, filter these prefixes by not generating Type.3 LSA to the other router
- Lab 11: youtu.be/boKqqySahvU?t=262

Border Gateway Protocol (BGP):

the only WAN routing protocol
developed from EGP
uses TCP 179
isolates peering from neighbor advertising
needs ASN's to operate
can be used internally (iBGP) or externally (eBGP)
flexible to apply filters, maps, polices, and attributes
AD eBGP = 20/iBGP 200
Metric = Attributes
Attributes affect path selection for packets
BGP Attributes:
1. Next-hop
2. Weight - Highest
3. Local Preference - Highest
4. Locally originated
5. AS-Path - Shortest
6. Origin
7. MED - Lowest
8. External over Internal
9. IGP Metric to Next-Hop
10. Multipath
BGP Neighbor Relationships:

Lab 12: www.youtube.com/watch?v=pta39udBnUQ

Locator Id Separation Protocol (LISP) is a network architecture and protocol that implements the use of two namespaces instead of a single IP address:
- Endpoint IDentifiers (EIDs) - assigned to end hosts.
- Routing LOCators (RLOCs) - assigned to devices (primarily routers) that make up the global routing system.
IPsec over GRE example configuration:

ip access-list extended GRE
permit gre any any
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp key III-PSK-En address 192.168.200.2
!
crypto ipsec transform-set III-P2-Trans esp-aes esp-sha-hmac
mode tunnel
!
crypto map III-P2-Map 10 ipsec-isakmp
set peer 192.168.200.2
set transform-set III-P2-Trans
match address GRE
!
interface Ethernet0/0
description outside_interface
ip address 192.168.100.2 255.255.255.0
crypto map III-P2-Map
!
interface Tunnel1
ip address 172.16.10.1 255.255.255.252
ip mtu 1400
tunnel source Ethernet0/0
tunnel destination 192.168.200.2
!
ip route 10.20.0.0 255.255.255.0 Tunnel1 172.16.10.2
# show interfaces ethernet 0/0 switchport
Administrative Mode: dynamic desirable => need desirable mode one side to activate the trunk
Negotiation of Trunking: On => need on both sides to re-enable with the 'no switchport nonegotiate' command
Under traffic classification and marking conditions is an outbound QoS policy that is applied on a router WAN interface most beneficial.
Sensor access point mode allows a supported AP to function like a WLAN client would, associating and identifying client connectivity issues.
As these wireless networks grow especially in remote facilities where IT professionals may not always be onsite, it becomes even more important to be able to quickly identify and resolve potential connectivity issues ideally before the users complain or notice connectivity degradation. To address these issues we have created Cisco's Wireless Service Assurance and a new AP mode called 'sensor' mode. Cisco's Wireless Service Assurance platform has three components, namely, Wireless Performance Analytics, Real-time Client Troubleshooting, and Proactive Health Assessment. Using a supported AP or dedicated sensor the device can actually function much like a WLAN client would associating and identifying client connectivity issues within the network in real time without requiring an IT or technician to be on site.
The goal of the Cyber Threat Defense solution is to introduce a design and architecture that can help facilitate the discovery, containment, and remediation of threats once they have penetrated into the network interior.

Cisco Cyber Threat Defense version 2.0 makes use of several solutions to accomplish its objectives:

NetFlow and the Lancope StealthWatch System:
- Broad visibility
- User and flow context analysis
- Network behavior and anomaly detection
- Incident response and network forensics
Cisco FirePOWER and FireSIGHT:
- Real-time threat management
- Deeper contextual visibility for threats bypassing the perimeters
- URL control
Advanced Malware Protection (AMP):
- Endpoint control with AMP for Endpoints
- Malware control with AMP for networks and content
Content Security Appliances and Services:
- Cisco Web Security Appliance (WSA) and Cloud Web Security (CWS)
- Dynamic threat control for web traffic
- Outbound URL analysis and data transfer controls
- Detection of suspicious web activity
- Cisco Email Security Appliance (ESA)
- Dynamic threat control for email traffic
- Detection of suspicious email activity
Cisco Identity Services Engine (ISE):
- User and device identity integration with Lancope StealthWatch
- Remediation policy actions using pxGrid

PlAwAnSaI · Jul 27, 2021

IP Services:
Network Time Protocol (NTP):

have to stay synchronized
give a precise information, with real timing and date
either by setting an inner clock manually
or asking someone to inform about timing
uses UDP = 123
each network device can either be a Server or a Client
Stratum is needed:
- how preferred and accurate this source is
- starts from 0 - 15
- the closest, the better
- by default: a cisco router = 8

Network Address Translation (NAT):

Private IP Addresses must not go to the Internet!
Public IP Addresses should not be assigned to private devices!
Then!!, NAT will translate Private to Public and vice-versa
NAT is done 'ONLY' 'ONLY' by Routers, no Switches, no MultiLayer Switches (MLS's)
it can be:
Static: one-one translating
Dynamic: Group-Group Translating
also, this did not solve everything, IP exhaustion still there
- so here comes Port Address Translation (PAT)
- also called Network Address Port Translation (NAPT), or NAT-Overload
PAT will do a one-65,535 Translation!!

Lab 13: www.youtube.com/watch?v=bwUlDR1Kpp0

First Hop Redundancy Protocol (FHRP):

what if the gateway went down!!
a redundant gateway must be there
but how to redirect the requests from one to another?
how many back-ups can there be?
What protocols will do this:
Hot-Standby Redundancy Protocol (HSRP):
- Cisco Only
- 2 Gateways
- No Load-Balancing
Virtual-Router Redundancy Protocol (VRRP):
- Open Standard
- 2 Gateways
- No Load-Balancing
Gateway Load-Balancing Protocol (GLBP):
- Cisco Only
- 4 Gateways
- Load-Balancing
Lab 14: www.youtube.com/watch?v=ttiwhNVQesc

Multicast:

the one - to - group transmission
only one sender, but multiple 'specific' receivers
better than having multiple senders and multiple receivers
the one sender will send only 1 packet to a Multicast Router
the multicast router will 'Replicate' the packet to multiple destinations
The Multicast Router = 'Rendezvous Point' (RP)
so, the entire operation will be done by the multicast router
in order to assign specific receivers, create a 'Group'
and 'join' the receivers and that one sender to the group
uses IPv4 block of 224.0.0.0/4 - 239.255.255.255
uses MAC range of 0100:5E00:0000 - 0100:5E7F:FFFF
Two types of protocols are needed
Protocol that joins the receivers to the Group:
- Internet Group Management Protocol (IGMP):
  - responsible for joining the receivers with the Rendezvous point
  - tells the RP that some receivers want to receive from '224.X.X.X'
  - BUT, those receivers have no idea about the sender
  - IGMP comes in 3 versions:
    - IGMPv1 (obsolete)
    - IGMPv2 (default of Cisco):
      - builds a shared tree
      - creates (*, G)
    - IGMPv3:
      - builds shortest path tree (SPT)
      - creates (S, G)
      - uses Source Specific Multicast (SSM)
      - SSM Block = 232.0.0.0/8
      - SSM informs the receivers about the sender
      - NO need for RP
Also, a Routing Protocol is needed:
- Protocol Independent Multicast (PIM):
  - routes between receivers' routers and RP
  - requires IGP
  - v2 is default
  - 2 Modes:
    - Dense Mode: like broadcast (obsolete)
    - Sparse Mode: connects the receiver's router to the RP

Network Assurance:
Network Problems Diagnosing Tools:

Ping uses ICMP: Echo Request & Echo Reply
Traceroute uses UDP
Debug:
- detailed information about behind the scenes operations
- it supports and shows everything of almost every protocol
Conditional Debug:
- more specific
- detailed information about a specific operation, BUT, per interface / per address / etc.
Lab 15: www.youtube.com/watch?v=4gGCRfuULok

SNMP & SYSLOG:

Simple Network Management Protocol (SNMP)
Monitor Networks from a single point of view
Server/Agent Relationship
uses UDP 161
the server is the requester (and recorder)
at the agent side:
- MIB Object (The Factory)
- Agent (The Messenger)
SNMP versions:
- v1: obsolete
- v2c: enhanced
- v3: supports Authentication & Encryption

The system log message:
%TUN-RECURDOWN Interface Tunnel 0 temporarily disabled due to recursive routing
is presented after a network administrator configures a GRE tunnel. Because the best path to the tunnel destination is through the tunnel itself.
To segregate multiple routing tables on a single device is the main function of VRF-lite.
Refer to the exhibit:

An engineer must deny Telnet traffic from the loopback interface of router R3 to the loopback interface of router R2 during the weekend hours. All other traffic between the loopback interfaces of routers R3 and R2 must be allowed at all times. The command accomplish this task is:

R1(config)# time-range WEEKEND
R1(config-time-range)# periodic weekend 00:00 to 23:59

R1(config)# access-list 150 deny tcp host 10.3.3.3 hos 10.2.2.2 eq 23 time-range WEEKEND
R1(config)# access-list 150 permit ip any any

R1(config)# interface G0/1
R1(config-if)# ip access-group 150 in

Connot filter traffic that is originated from the local router (R3) so can only configure the ACL on R1 or R2. 'Weekend hours' means from Saturday morning through Sunday night so have to configure: 'periodic weekend 00:00 to 23:59'
Note: The time is specified in 24-hour time (hh:mm), where the hours range from 0 to 23 and the minutes range from 0 to 59.
The configuration example to analyze 50 packets out of every 100:

flow record v4_r1
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match ipv4 source-port
match ipv4 destination-port
collect counter bytes long
collect counter packets long
!
flow monitor FLOW-MONITOR-1
record random 1 out-of 2
!
sampler SAMPLER-1
mode random 1 out-of 2
!
ip cef
!
interface GigabitEthernet 0/0/0
ip address 172.16.6.2 255.255.255.0
ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input
Data plane forwarding function does vxlan perform in an SD-Access deployment.
The time kept on a machine is a critical resource and it is strongly recommend that use the security features of NTP to avoid the accidental or malicious setting of incorrect time. The two security features available are an IP access list-based restriction scheme and an Encrypted authentication mechanism.

PlAwAnSaI · Aug 3, 2021

SYStem LOGgings (Syslog):

stay aware of 'everything'
know all what is happening behind the scenes (or even in front of)
starts from the obvious information up to 'Emergency'
Server/Client Relationship
Server can be a Normal Server that collects all the loggings
Server can use the 'Syslog' or 'Splunk' Software
client is the networking device that generates logs
'Every Awesome Cisco Engineer Will Need Ice-cream Daily'
0 = Emergency, 1 = Alert
2 = Critical, 3 = Error
4 = Warning, 5 = Notification
6 = Information, 7 = Debug

Syslog Logging Types:

Console Logging: show logs to the console user
Terminal Logging: show logs to Line VTY user
Buffered Logging: store some logs in the RAM
Remote Logging:
- collect and send Syslog messages to a remote server
- remote server must be reachable via an interface and have a Syslog Application
- monitoring will occur from the server side
- Example:
  Router(config)# logging host x.x.x.x
  Router(config)# logging traps (0 1 2 3 4 5, etc.)
  Router(config)# logging source-interface Loopback0

Netflow:

specifically, what type of traffic is passing
not the amount, the type
like: Telnet, SSH, HTTP, etc..
more info about every type of flow
by Cisco
works with SNMP
Netflow client (node) = generator
Netflow server = collector (application)
- export to UDP 2055 (can be modified)
Netflow can be exported to the CLI
versions:
- v5: popular for IPv4
- v9: template-based flow, support IPv6
  - flexible, define what to collect, what to export
Flexible Netflow:
- more options:
  - multiple exporters
  - collects more data (more fields)
  - flexible at collecting and exporting
  - uses Flow-Monitors
  - multiple Monitors for multiple collections
Lab 16: www.youtube.com/watch?v=WNvmU21jZO0

SwitchPort ANalyzer (SPAN):

will assign a switchport as an analyzer
called a span source
analyzes all types of traffic passing by this port
can be used for multiple sessions
assigns a different port as an analysis exporter
called the SPAN destination
SPAN destination ports, will be only used for monitoring
no longer sending frames, at all
can't be used for multiple sessions
Lab 17: www.youtube.com/watch?v=LKphnIaKrgg
Remote SPAN (RSPAN):
- when the destination is an interface on another switch
- of the same networks
- reachable through VLANs (trunk ports)
- Lab 18: www.youtube.com/watch?v=7AhMKHujUMw
Encapsulated Remote SPAN (ERSPAN):
- the destination is an interface on another switch
- in a different network!!
- reachable through L3 connectivity and routing
- requires tunneling to connect SRC and DST
- like GRE Tunnel

The primary components for the Cisco SD-WAN solution consist of the vManage network management system (management plane), the vSmart controller (control plane), the vBond orchestrator (orchestration plane), and the vEdge router (data plane).
- vManage - This centralized network management system provides a GUI interface to easily monitor, configure, and maintain all Cisco SD-WAN devices and links in the underlay and overlay network.vSmart controller - This software-based component is responsible for the centralized control plane of the SD-WAN network. It establishes a secure connection to each vEdge router and distributes routes and policy information via the Overlay Management Protocol (OMP), acting as a route reflector. It also orchestrates the secure data plane connectivity between the vEdge routers by distributing crypto key information, allowing for a very scalable, IKE-less architecture.vBond orchestrator - This software-based component performs the initial authentication of vEdge devices and orchestrates vSmart and vEdge connectivity. It also has an important role in enabling the communication of devices that sit behind Network Address Translation (NAT).vEdge router - This device, available as either a hardware appliance or software-based router, sits at a physical site or in the cloud and provides secure data plane connectivity among the sites over one or more WAN transports. It is responsible for traffic forwarding, security, encryption, Quality of Service (QoS), routing protocols such as Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF), and more.
The RESTCONF request:
URL - http://10.10.10.10/restconf/api/running/native/interface/GigabitEthernet/1/
HTTP Verb - GET
Body - N/A
Headers - Accept - application/vnd.yang.data+json
Authentication - privileged level 15 credentials

Response:
{
"Cisco-IOS-XE-native:GigabitEthernet":{
"name":"1",
"vrf":{
"forwarding":"MANAGEMENT"
},
"ip":{
"address":{
"primary":{
"address":"10.0.0.151",
"mask":"255.255.255.0"
}
}
},
"mop": {
"enabled": false,
},
"Cisco-IOS-XE-ethernet:negotiation":{
"auto":true
}
}
}

Model Driven Network Automation with IOS-XE:
www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2018/pdf/LTRCRT-2700.pdf
dBm is an abbreviation for 'deciBels relative to one milliwatt', where one milliwatt (1 mW) equals 1/1,000 of a watt. It follows the same scale as dB. Therefore 0 dBm = 1 mW, 30 dBm = 1 W, and -20 dBm = 0.01 mW
An engineer must create an EEM applet that sends a syslog message in the event a change happens in the network due to trouble with an OSPF process. The engineer should use:

event manager applet LogMessage
event routing network 172.30.197.0/24 type all
action 1 syslog msg "OSPF ROUTING ERROR"
Assuming that R1 is a CE router, Default VRF is assigned to Gi0/0 on R1.

There is nothing special with the configuration of Gi0/0 on R1. Only Gi0/0 interface on R2 is assigned to VRF VPN_A. The default VRF here is similar to the global routing table concept in Cisco IOS.
Cisco EAP-FAST is also designed for simplicity of deployment since it doesn't require a certificate on wireless LAN client or on the RADIUS infrastructure yet incorporates a built-in provisioning

mechanism.

PlAwAnSaI · Aug 13, 2021

IP Service Level Agreement (IP SLA):

performs specific operation
from a specific source to a specific destination
like, icmp, http, tcp, udp, etc..
logs statistics about the successes/failures of that operation
Enhanced Object Tracking (SLA Track):
- monitors the statistics of IP SLA
- performs an action based on the statistics output
Lab 19: www.youtube.com/watch?v=o_fJ3hvA0EY

https://www.udemy.com/course/complete-ccnp-encor-350-401-masterclass

Enterprise Network Design Considerations:

Three-Tier Architecture - A network topology divided into the Access, Distribution, and Core layers.
Collapsed Core Architecture - A two-tier topology where the Core and Distribution Layers have been consolidated.
Spine-Leaf Design for Data Centers: Logically, One Switch

On-Premise vs. Cloud Designs Considerations:

With a Cloud deployment, there's no need to maintain local redundant power or hardware.
A Cloud deployment, pay for resource usage instead of purchasing physical hardware.
An On-Premise deployment, it might be easier to meet compliance requirements.
On-Premise deployment, it might be easier to maintain a good user experience.
Many deployments, called Hybrid deployments, combine both On-Premise and Cloud deployments.

Fabric Capacity Planning:

How much data need to push through a data center switch?
How much data can push through a specific hardware configuration?
What is the anticipated bandwidth demand increase over time?
Switch BW Capacity = (Inter-slot Switching Capacity * Number of I/O Slots) + [(Number of SE Modules * Inter-slot Switching Capacity) / 2]
Nexus 7018 = (550 Gbps * 16) + [(2 * 550 Gbps) / 2]
= 8.8 Tbps + 550 Gbps
= 9.35 Tbps
Full Deplex Switch BW Capacity = 9.35 Tbps * 2
= 18.7 Tbps
https://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/Data_Sheet_C78-437762.html

Redundant Design: Higher Costs

Redundant Components
UPS/Generator
FHRP

The RIB is a database of routing prefixes, and the Forwarding Information Base (FIB) is the Information used to choose the egress interface for each packet. The RIB is derived from the control plane, and the FIB is derived from the RIB.
The FIB contains destination reachability information as well as next hop information. This information is then used by the router to make forwarding decisions. The FIB allows for very efficient and easy lookups.
Although Protocol Independent Multicast (PIM) is called a multicast routing protocol, it actually uses the unicast routing table to perform the multicast Reverse Path Forwarding (RPF) check function instead of building up a completely independent multicast routing table. Unlike other routing protocols, PIM does not send and receive routing updates between routers.
One of the best practices to secure REST APIs is using password hash. Passwords must always be hashed to protect the system (or minimize the damage) even if it is compromised in some hacking attempts. There are many such hashing algorithms which can prove really effective for password security e.g. PBKDF2, BCrypt, and SCrypt algorithms.
Other ways to secure REST APIs are: Always use HTTPS, Never expose information on URLs (Usernames, passwords, session tokens, and API keys should not appear in the URL), Adding Timestamp in Request, Using OAuth, Input Parameter Validation.
with manager.connect(host=192.168.0.1, port=22,
username='admin', password='password1', hostkey_verify=True,
device_params={'name'.'nexus'}) as m:

The above Python snippet use the ncclient connect and establish a NETCONF session to a Cisco Nexus device (which is also a NETCONF server) and maintains it for the duration of the context.
ncclient is a Python library that facilitates client-side scripting and application development around the NETCONF protocol.
R1#
*May 5 39:85:86.070: %TCP-6-BADAUTH: Invalid MD5 digest from 10.10.10.1(29832) to 10.120.10.1(179) tableid - 0
from neighbor to logged device

R1(config-router)# neighbor 10.10.10.1 peer-group CORP
R1(config-router)# neighbor CORP password Cisco

R2(config-router)# neighbor 10.120.10.1 peer-group CORP
R2(config-router)# neighbor CORP password Cisco
A company has an existing Cisco 5520 HA cluster using SSO. An engineer deploys a new single Cisco Catalyst 9800 WLC to test new features. The engineer successfully configures a mobility tunnel between the 5520 cluster and 9800 WLC. Client connted to the corporate WLAN roam seamlessly between access points on the 5520 and 9800 WLC. After a failure on the primary 5520 WLC, all WLAN services remain functional; however, Client roam between the 5520 and 9800 controllers without dropping their connection. mobility MAC on the 9800 WLC feature must be configured to remedy the issue.
ip sla 10

PlAwAnSaI · Aug 30, 2021

Types of Backups:

Full: Backs up all data.
Differential: Backs up changes since last full backup.
Incremental: Backs up all changes since last full, differential, or incremental backup.
Snapshot: Backs up entire server, including state information.

Hot Site:

Power
HVAC
Floor Space
Server Hardware (No in Cold Site)
Synchronized Data (No in Warm & Cold Site)

Wireless LAN (WLAN) Design Considerations:
Wireless Deployment Options:
Cisco Access Points (APs) can operate in one of two modes: autonomous or lightweight

Autonomous:

Self-sufficient and standalone, independent devices
Used for Home or small office environments / wireless networks
Controller-less deployment model
Not commonly used in large enterprise networks

Lightweight AP (LAP):

Requires / has to join a central Wireless LAN Controller (WLC) to function.
Controller-based deployment model
WLCs can be physical or virtual
Controller communicates changes to the APs. Control And Provisioning of Wireless Access Points (CAPWAP) is an IETF standard for control messaging for setup, authentication, and operations between APs and WLCs.
LAP and WLC communicate with each other via a logical pair of CAPWAP tunnels.

CAPWAP is similar to LightWeight Access Point Protocol (LWAPP) except the following differences:

CAPWAP uses Datagram Transport Layer Security (DTLS) for authentication and encryption to protect traffic between APs and controllers. LWAPP uses AES.
CAPWAP has a dynamic Maximum Transmission Unit (MTU) discovery mechanism.
CAPWAP runs on UDP ports 5246 (control messages) and 5247 (data messages).

An LAP operates in one of six different modes:

Local mode (default mode): measures noise floor and interference, and scans for Intrusion Detection (IDS) events every 180 seconds on unused channels
FlexConnect, formerly known as Hybrid Remote Edge AP (H-REAP), mode:
- Configure and control remote wireless networkSimilar to Layer 3 roaming with CAPWAP
  Central Switched:
  - Can also Normal tunnel (via CAPWAP) mode of operation both user wireless data and control traffic to a centralized WLC.
  - Typically not the recommended mode
  Local Switched:
  - allows data traffic to be switched locally and not go back to the controller.
  - Map user traffic to VLAN on adjacent switch. Can perform standalone client authentication and switch VLAN traffic locally even when it's disconnected to the WLC.
  - Control and management traffic still sent over CAPWAP to WLC
Monitor mode: does not handle data traffic between clients and the infrastructure. It acts like a sensor for Location-Based Services (LBS), rogue AP detection, and IDS.
Rogue detector mode: monitor for rogue APs. It does not handle data at all.
Sniffer mode: run as a sniffer and captures and forwards all the packets on a particular channel to a remote machine where can use protocol analysis tool (Wireshark, Airopeek, etc.) to review the packets and diagnose issues. Strictly used for troubleshooting purposes.
Bridge mode: bridge together the WLAN and the wired infrastructure together.

Mobility Express is the ability to use an AP as a controller instead of a real WLAN controller. But this solution is only suitable for small to midsize, or multi-site branch locations where might not want to invest in a dedicated WLC. A Mobility Express WLC can support up to 100 APs.

Use Cases for Location Services:

Enterprise asset tracking
Location-based advertising

Cisco Solutions:
Real-Time Location Services (RTLS)
Cisco DNA Spaces
Cisco Meraki platform

Software-Defined Wide Area Network (SD-WAN):
Enterprise WAN:

Dedicated circuits traditionally used
Provide reliability and security
Rise in cloud usage requires simplicity

SD-WAN:

Traffic backhauling no longer required
End-to-end traffic encryption and inspection through SD-WAN
Next generation security mechanisms added
Anti-malware systems, botnet control intervention, etc.

SD-WAN Overlay = Virtual InfrastructureUnderlay Network = Physical Infrastructure

It collects statistical constraint analysis information and enforces the use of a specific encoding format for NETCONF are benefits of YANG.
Refer to the exhibit. An engineer attempts to configure a trunk between switch SW1 and switch SW2 using DTP, but the trunk does not form. switchport mode desirable command should the engineer apply to switch SW2 to resolve this issue.
An engineer runs the code against an API of Cisco DNA Center, and the platform returns this output because The authentication credentials are incorrect.
Stratum measure is used by an NTP server to indicate its closeness to the authoritative time source.
IGMPv2 is compatible only with IGMPv1.
Set of statements that defines how routing is performed is the centralized control policy in a Cisco SD-WAN deployment.
Traffic Policing:
- introduces no delay and jitter
- drops excessive traffic
- causes TCP retransmission when traffic is dropped
Traffic Shaping:
- introduces delay and jitter
- buffers excessive traffic
- typically delays, rather than drops traffic
username CCNP privilege 15 secret Str0ngP@ssw0rd!
username CCNP autocommand sho run

The autocommand causes the specified command 'sho run' to be issued automatically after the CCNP user logs in. When the command is complete, the session is terminated. Because the command can be any length and can contain embedded spaces, commands using the autocommand keyword must be the last option on the line.
Containment, threat intelligence, and machine learning features does Cisco Endpoint Detection and Response (EDR) use to provide threat detection and response protection.

PlAwAnSaI · Sep 6, 2021

Cisco SD-WAN:

Management & Orchestration Plane:
- vManage: User interface
- vBond: Orchestration and provisioning
Contol Plane:
- vSmart: SD-WAN - Policy Enforcement
  Communicates via Overlay Management Protocol (OMP)
Data Plane:
- Cisco vEdge: Edge routers

https://www.cisco.com/c/en/us/solutions/enterprise-networks/sd-wan/demos/instant-demo.html
Software-Defined Access (SD-Access):
Advantages:

Next-generation policy enforcement
Security Group Access Control Lists (SGACLs)
Policies are based on identity rather than addresses
Secure network segmentation
Virtualization of physical network
Separate virtual networks can have separate policies

Campus Fabric:

Virtual overlay network
Ideally used with Cisco DNA Center
NETCONF/YANG management
Overcomes limitations found in traditional network architecture

SD-Access Fabric:

Control Plane:
- LISP encapsulation
- Simplified routing
Data Plane:
- VxLAN Tunneling
- Virtual networks
Policy Plane:
- Cisco TrustSec
- Security groupings

Layer:

Physical: Router, Switch, etc.
Network: Underlay Network, SD-Access Overlay
Controller: Cisco DNA Center, Cisco ISE
Management: Cisco DNA Center GUI

Traditional Wireless: CAPWAP Tunnel between AP and WLC for all traffic.SD-Access Wireless: CAPWAP Tunnel between AP and WLC only for management traffic.

A customer requests a network design that supports these requirements:
- FHRP redundancy
- multivendor router environment
- IPv4 and IPv6 hosts
VRRP version 3 protocol does the design include.
Refer to the exhibit:

A network engineer is configuring OSPF between router R1 and router R2. The engineer must ensure that a DR/BDR election does not occur on the Gigabit Ethernet interfaces in area 0. Configuration set accomplishes this goal is:

R1(config-if) interface Gi0/0
R1(config-if) ip ospf network point-to-point

R2(config-if) interface Gi0/0
R2(config-if) ip ospf network point-to-point

Broadcast and Non-Broadcast networks elect DR/BDR while Point-to-point/multipoint do not elect DR/BDR. Therefore have to set the two Gi0/0 interfaces to point-to-point or point-to-multipoint network to ensure that a DR/BDR election does not occur.
A network engineer is adding an additional 10Gbps link to an existing 2x10Gbps LACP-based LAG to augment its capacity. Network standards require a bundle interface to be taken out of service if one of its member links goes down, and the new link must be added with minimal impact to the production network. The tasks that the engineer must perform in the sequence as following:
1. Validate the physical and data link layers of the 10Gbps link.
2. Execute the channel-group number mode active command to add the 10Gbps link to the existing bundle.
3. Execute the lacp min-bundle 3 command to set the minimum number of ports threshold.
4. Validate the network layer of the 10Gbps link.
Running the script causes the output in the exhibit. The first line of the script must change to 'from ncclient import manager' to resolves the error.

https://ncclient.readthedocs.io/en/latest
Refer to the exhibit:

An engineer implemented several configuration changes and receives the logging message on switch1. The engineer should Change the VTP domain to match on both switches to resolve this issue.
Classifies traffic based on the contextual identity of the endpoint rather than its IP address correct is how Cisco Trustsec enable more access controls for dynamic networking environments and data centers.
An engineer is working with the Cisco DNA Center API. Here are the methods with their actions:
- DELETE: remove an element using the API
- GET: extract information from the API
- POST: create an element
- PUT: update an element
Refer to the exhibit:

The radiation pattern represent Yagi type of antenna.
A Yagi antenna is formed by driving a simple antenna, typically a dipole or dipolelike antenna, and shaping the beam using a well-chosen series of non-driven elements whose length and spacing are tightly controlled.
Refer to the exhibit:

Assuming that all BGP neighbor relationship have been formed and that the attributes have not been changed on any of the routers, all traffic leaving AS 200 will choose Link 2 as the exit point by R4(config-router) bgp default local-preference 200.
Local preference is an indication to the AS about which path has preference to exit the AS in order to reach a certain network. A path with a higher local preference is preferred. The default value for local preference is 100.
Unlike the weight attribute, which is only relevant to the local router, local preference is an attribute that routers exchange in the same AS.
RESTCONF operations include OPTIONS, HEAD, GET, POST, PATCH, and DELETE
Signal-to-Noise Ratio (SNR) measurement is used from a post wireless survey to depict the cell edge of the access points.
Cisco Wireless - RSSI and SNR
A customer has several small brahches and wants to deploy a Wi-Fi solution with local management using CAPWAP. Mobility Express deployment model meets this requirement.
Cisco Wireless - Introducing to Cisco Mobility Express and Cisco Wireless Portfolio 2018
The wireless elements and their definitions:
- beamwidth: measures the angle of an antenna pattern in which the relative signal strength is half-power below the maximum value
- gain: the relative increase in signal strength of an antenna in a given direction
- polarization: radiated electromagnatic waves that influence the orientation of an antenna within its electromagnetic field
- radiation patterns: a graph that shows the relative intensity of the signal strength of an antenna within its space
Refer to the exhibit:

POSTMAN is showing an attempt to retrieve network device information from Cisco DNA Center API. The issue is The URI string is incorrect.
The purpose of the LISP routing and addressing architecture is It creates two entries for each network node, one for Its identity and another for its location on the network.

PlAwAnSaI · Sep 13, 2021

3 Categories of QoS:

Not Strict: Best Effort
Less Strict: DiffServ
Strict: IntServ

Common QoS Mechanisms:

Classification and Marking
Queuing
Congestion Avoidance
Policing and Shaping
Link Efficiency

Wi-Fi MultiMedia (WMM):

IEEE 802.1P markings map to WMM access categories
Access category determines InterFrame Space (IFS) and Random Backoff Timer

4 Access Categories:

AC_VO (Voice) -> 802.1P: 6 & 7
AC_VI (Video) -> 4 & 5
AC_BE (Best Effort) -> 0 & 3
AC_BK (Background) -> 1 & 2

CIR = Bc / Tc

CIR (Committed Information Rate) = AVERAGE speed over the period of a second
Bc (Committed Burst) = Number of bits (for shaping) or bytes (for policing) that are deposited in the token bucket during a timing interval
Tc (Timing Interval) = The interval at which tokens are deposited in the token bucket

Switching Mechanisms:
Process Switching:

Oldest method for Cisco IOS switching
Every packet is inspected by CPU
Processor is directly involved with every packet
Not ideal in modern networks
Available on every Cisco router platform
Debugging uses process switching

Cisco Express Forwarding (CEF):

Most preferred Cisco IOS switching process
Default in most modern Cisco IOS devices
Optimized lookup and efficient packet handling

CEF Benefits:
Less CPU-intensive than older switching methods
Distributed CEF (dCEF) allows line card forwarding
CEF Forwarding Information Base (FIB)
CEF Adjacency Table

CEF FIB:

Similar to a routing table
FIB is updated with each routing table update
Processor is not involved with route lookup
FIB is a more efficient lookup structure

CEF Adjacency Table:

Information about directly connected devices
Adjacency = reachable via single link-layer hop
Layer 2 next-hop address maintained in table

Content Addressable Memory (CAM):

Arrival port number, source MAC address, and arrival timestamp
Stale entries removed after aging timer expires
Default aging timer is 300 seconds
Switch(config)# mac address-table aging-time
True (1) or False (0) value returned upon lookup
Searches for exact binary match

Ternary CAM (TCAM):

Some L2 switches use TCAM for QoS
Primarily a multilayer switch component
Access Control Lists (ACLs) commonly use TCAM
Extension of the CAM
Returns True (1), False (0), or Do Not Care (X)
Ternary = mathematical value based in three
TCAM uses VMR format (value, mask, and result)
Value = IP addresses, protocol ports, etc.
Mask = mask bits associated with matching values
Result = permit, deny, QoS policing, etc.

FIB:

IP forwarding table or CEF table
IP destination prefix-based switching decision
FIB capacity can dictate forwarding efficiency
Modern ASICs provide line-speeds
dCEF offloads the FIB to line card modules

RIB:

IP routing related information stored
Used by all routing protocols (OSPF, BGP, etc.)
Learned routes inserted into RIB
Unreachable routes removed and RIB updated
Dynamic, static, and directly connected routes

A data MDT is created to if it is a (*, G) multicast route entries when a high bandwidth multicast stream is sent over an MVPN using Cisco hardware.
Refer to the exhibit:

An engineer is configuring an EtherChannel between Switch1 and Switch2 and notices the console message on switch2. Based on the output, this issue should resolves by Configure the same EtherChannel protocol on both switches.
In this case, using EtherChannel without a negotiation protocol on Switch2. As a result, if the opposite switch is not also configured for EtherChannel operation on the respective ports, there is a danger of a switching loop. The EtherChannel Misconfiguration Guard tries to prevent that loop from occuring by disabling all the ports bundled in the EtherChannel.
Refer to the exhibit:

The configuration to achieve a dynamic continuous mapped NAT for all users is Increase the NAT pool size to support 254 usable addresses.
When using Ternary Content Addressable Memory (TCAM) inside routers it's used for faster address lookup that enables fast routing.
In switches CAM is used for building and lookup of mac address table that enables L2 forwarding decisions.
Besides Logest-Prefix Matching, TCAM in today's routers and multilayer Switch devices are used to store ACL, QoS and other things from upper-layer processing.
Virtual components and their descriptions:
- OVA: configuration file containing settings for a virtual machine such as guest OS
- VMDK: file containing a virtual machine disk drive
- VMX: zip file connecting a virtual machine configuration file and a virtual disk
- vNIC: component of a virtual machine responsible for sending packets to the hypervisor
VoIP media session awareness does Call Admission Control require the client to send in order to reserve the bandwidth.
IaaS service providers use VxLAN to extend a Layer 2 segment across a Layer 3 network.
Refer to the exhibit:

PC-1 must access the web server on port 8080. To allow this traffic, permit host 192.168.0.5 eq 8080 host 172.16.0.2 must be added to an access control list that is applied on SW2 port G0/0 in the inbound direction.
An engineer is implementing a route map to support redistribution within BGP. The route map must configured to permit all unmatched routes. Include a permit statement as the last entry must the engineer perform to complete this task.
The RP responds to the PIM join messages with the source of requested multicast group.
Refer to the exhibit:

Atlanta(config-route)# area 1 range 192.168.0.0 255.255.252.0 command when applied will reduces type 3 LSA flooding into the backbone area and summarizes the inter-area routes on the Dallas router.
The threat defense solutions and their descriptions:
- AMP4E: provides malware protection on endpoints
- ESA: protects against email threat vector
- FTD: provides IPS/IDS capabilities
- StealthWatch: performs security analytics by collecting network flows
- Umbrella: provides DNS protection

PlAwAnSaI · Sep 19, 2021

Data centers commonly use a Spine-Leaf design, where a leaf switch connects to multiple spine switches, such that the leaf switch can reach any other leaf switch by transiting a single spine switch.
A Point-to-Multipoint design is commonly found in older wide area networks using Frame Relay or ATM.
A Three-Tier architecture is commonly found in enterprise networks and consists of the Access, Building Distribution, and Core layers.
A Collapsed Core design is commonly found in small to medium sized networks, where the Building Distribution and Core layers found in an enterprise network.
With a Cloud Design, don't need to purchase physical servers. Instead, can pay the cloud provider for actual usage of virtual servers they host. Also, even though might have servers hosted by a cloud provider, still need to be concerned with redundancy, and perhaps have duplicate servers in the cloud, along with a virtual load-balancer to distribute the load between those servers.
However, an On-Premise design usually lets better control of the end-user experience and allows more flexibility in meeting compliance requirements.
The '5 Nines of Availability' refers to keeping a network operational 99.999 percent of the time. That translates to approximately 5 minutes of downtime per year.
The '6 Nines of Availability' refers to keeping a network operational 99.9999 percent of the time, which translates to approximately 30 seconds of downtime per year.
An Active Virtual Gateway (AVG) is a type of gateway used by Gateway Load Balancing Protocol (GLBP). GLBP is unique among the First Hop Redundancy Protocols (FHRPs) in that instead of having a single gateway service all traffic from a subnet, it load balances the traffic across as many as four Active Virtual Forwarders (AVFs). An AVG accomplishes this by responding to ARP queries (for a default gateway's virtual IP address) with different MAC addresses (i.e. the MAC addresses of the AVFs in a GLBP group).
Stateful Switchover (SSO) allows a router with two route processors to fail over from its primary route processor to its backup route processor without dropping routing protocol neighborships with other routers. However, the backup route processor might drop packets while it constructs an IP routing table. To prevent those initial packet drops after the failover, a feature called NonStop Forwarding (NSF) could be used. NSF allows the IP routing information maintained by Cisco Express Forwarding (CEF) in the primary route processor to remain in memory and be used by the backup route processor.
Lightweight access points require a centralized Wireless LAN Controller (WLC), which is used to manage all of the access points from a single location. This is also referred to as a controller-based deployment model, where the WLC can be a physical or a virtual device. No management or configuration is necessary on the individual access point.
Cisco vSmart resides within the control plane and is thought of as the 'brain' of the Cisco SD-WAN solution. As policies are created within vManage, vSmart is responsible for enforcing those policies and sharing the policies with other SD-WAN routers and locations in the network. Route information from branch locations are received via the Overlay Management Protocol (OMP), and vSmart will compare the route information to the known policies in order to control traffic.
The SD-Access data plane uses Virtual Extensible LAN (VxLAN) tunneling to create the virtual SD-Access overlay network. This is UDP-based communication, meaning any device with a valid IP address has the ability for receive and forward the information. The VxLAN encapsulation allows for the creation of multiple virtual networks within the overlay, where separate policies can be applied and enforced.
The 3-step MQC process consists of:
1. Creating class maps
2. Creating a Policy Map, and
3. Applying the Policy Map.
The 'class-default' class map exists by default. Cannot create or delete it.
The Content Addressable Memory (CAM) table: is the memory architecture

used in Cisco Catalyst switches for Layer 2 switching. As data frames

arrive on a switchport, the source MAC addresses for the traffic are recorded in the CAM table. This is used to determine which outgoing switchport should be used for frame delivery.

Device Virtualization:

Hypervisors: Software that can create, start, stop, and monitor multiple virtual machines.

Type-1 ('Native' or 'Bare Metal'): Runs directly on the server's hardware.
Type-2 ('Hosted'): Runs in a traditional operating system.

Containers:

Multiple containers share same host OS
Container Engine creates Container Image
Container Image contains an app and resources required by the app
Container Engine runs Container Image
Sometimes called a 'lightweight VM'

Virtual Switches:

Virtual NIC: Software associated with a unique MAC address, which can be used by a VM to send and receive packets.
Virtual Switch: Software that can connect to other virtual switches, virtual NICs and to a physical NIC.

Site-to-Site VPN:

Can use common broadband technologies
Transparent to the client devices
Can use routers or dedicated VPN concentrators

A network administrator has designed a network with two multilayer switches on the distribution layer, which act as default gateways for the end hosts. GLBP and MSHRP technologies allow every end host in a VLAN to use both gateways.
Function in handled by vManage in the Cisco SD-WAN fabric is Performs remote software upgrades for WAN Edge vSmart and vBond.
AP(config-if-ssid)# authentication open eap eap_methods: all wireless users authenticate using dynamic key generation.
A network administrator is implementing a routing configuration change and enables routing debugs to track routing behavior during the change. The logging output on the terminal is interrupting the command typing process. The network administrator can take to minimize the possibility of typing commands incorrectly are Configure the logging synchronous command under the vty and Press the TAB key to reprint the command in a new line.
Refer to the exhibit:

When a switch that is running PVST+ is added to this network, DSW2 will operates in Rapid PVST+ and the new switch operates in PVST+. The old STP instances as RSTP (in fact Rapid PVST+) is compatible with PVST+.
OSPF:
- uses Dijkstra's Shortest Path First algorithm
- uses an election process
EIGRP:
- uses Diffused Update ALgorithm
- uses bandwidth, delay, reliability, and load for routing metric
Refer to the exhibit:

The Cisco REST response indicate Cisco DNA Center is unable to communicate with cat3850-1 and has the incorrect credentials for cat9000-1.

PlAwAnSaI · Sep 20, 2021

Generic Routing Encapsulation (GRE):

Does not provide security
Can encapsulate nearly any type of data

IP Security (IPsec):

Provides:
- Confidentiality: Encryption
- Integrity: Hashing
- Authentication: PSKs or Digital Signatures
- Anti-replay: Applies Serial Numbers to Packets
Can encapsulate unicast IP packets
Two Modes:
- Transport: Uses Packet's original header
- Tunnel: Encapsulate entire packet
Setup Steps:
1. Establish an Internet Key Exchange (IKE) Phase 1 tunnel (a.k.a. Internet Security Association and Key Management Protocol (ISAKMP) tunnel)
2. Establish IKE Phase 2 Tunnel

GRE over IPsec:

GRE encapsulate nearly any traffic type into GRE packets, which are unicast IP packets
The GRE packets are protected over the IPsec tunnel

Location/Id Separation Protocol (LISP) uses two identifiers for a network endpoint:

First, the Routing LOCator (RLOC) is the IP address of a router that can forward traffic to devices within a LISP location.
Second, the Endpoint ID (EID) identifies the endpoint within a LISP location.
The way a source RLOC knows how to reach a specific endpoint at a remote location is by querying a Map Resolver (MR), which returns the destination RLOC for the requested EID.
The MR learned the destination RLOC for the EID from a Map Server (MS), with which the destination RLOC registered the EID.
Ingress Tunnel Router (ITR)
Egress Tunnel Router (ETR)
Proxy ITR: Does LISP database lookups and encapsulation for non-LISP sites
Proxy ETR

Sample LISP Benefits:

Scale Internet Routing Tables
Over-the-Top Virtualization
Multi-Homing
Mobility
IPv6 Migration

VxLAN Switch:

support Over 16 Million VxLANs / broadcast domains,
Vxlan Network Identifier (VNI)
24-bit VNI Field,

as opposed to using Traditional Ethernet Switch:

which support just Over 4,000 VLANs / broadcast domains
(due to a 12-bit VLAN Field)

Spine-Leaf Design:

Virtual Ethernet Module (VEM): The device that does VxLAN encapsulation (has at least one IP address). Each VEM has (at least) one IP address,
and that address is assigned to an interface called a Vxlan Tunnel EndPoint (VTEP): Using an IP address from the VEM, it can setup a temporary tunnel to a VTEP on another switch. Each VTEP can be associated with one or more VNIs.
A Type 1 hypervisor (also known as a 'native' or 'bare metal' hypervisor) runs directly on a server's hardware.
However, a Type 2 hypervisor (also known as a 'hosted' hypervisor) runs on top of a traditional operating system.
No categorized as Type 3 or Type 4.
A container contains an application and its support files. The underlying operating system can support multiple containers containing applications need that operating system.
A virtual server contains an operating system.
A virtual data path is a technology that influences data flow, such as creating a tunnel between two sites.
A virtual switch runs on a hypervisor and can logically interconnect virtual devices (e.g. virtual servers or virtual routers) also running on that hypervisor, in addition to logically connecting to a physical server's Network Interface Card (NIC).
Even though 'leaking' can be configured to allow a router's global routing table and a VRF instance's routing table to exchange routes, by default, the global routing table doesn't see routes from nor exchange routes with a VRF instance's routing table.
EIGRP's metric calculation can consider Bandwidth, Delay, Reliability, and Load, with MTU used as a tie breaker if the calculation is the same for two paths. However, the calculation uses K Values to determine how influential the various metric components are in the final metric value. By default, three K Values are set to 0, resulting in only Bandwidth and Delay being used in a default metric calculation.

In YANG models, JSON and XML schema are found.
An engineer must configure HSRP group 300 on a Cisco IOS router. When the router is functional, it must be the active HSRP router. The peer router has been configured using the default priority value. Command set required is:
standby 300 priority 110
standby 300 preempt
The default HSRP priority is 100.
aaa new-model
aaa authentication login authorizationlist tacacs+
tacacs-server host 192.168.0.202
tacacs-server key ciscotestkey
line 0 4
login authentication authorizationlist
!
The effect of this configuration is The device will authenticate all users connecting to vty line 0 through 4 against TACACS+.
Converted by the AP into 802.3 and encapsulated into VxLAN is 802.11 traffic handled in a fabric-enabled SSID.
The DHCP messages that are exchanged between a client and an AP in the order they are exchanged:
- Step 1: DHCP discover
- Step 2: DHCP offer
- Step 3: DHCP request
- Step 4: DHCP ack
Refer to the exhibit:

The configuration must be applied to R2 to enable R1 to reach the server at 172.16.0.1 is:
interface Ethernet0/0
vrf forwarding bank
ip address 172.16.0.7 255.255.0.0
!
router ospf 44 vrf bank
network 172.16.0.0 0.0.255.255 area 0
Refer to the exhibit:

Router1 is currently operating as the HSRP primary with a priority of 110, Router1 fails and Router2 take over the forwarding role. 'standby 2 preempt' command on Router1 causes it to take over the forwarding role when it return to service.
The most common implementations of OAuth (OAuth 2.0) use one or both of these tokens:
- access token: sent like an API key, it allows the application to access a user's data; optionally, access tokens can expire.
- refresh token: optionally part of an OAuth flow, refresh tokens retrieve a new access token if they have expired. OAuth2 combines Authentication and Authorization to allow more sophisticated scope and validity control.
Name is Bob Johnson
Age is 75
Is alive

Favorite foods are:
- Cereal
- Mustard
- Onions
The Json syntax that is formed from the data is:
{
"Name": "Bob Johnson",
"Age": 75,
"Alive": true,
"Fovorite Foods": ["Cereal", "Mustard", "Onions"]
}
OSPF:
- summaries can be created anywhere in the IGP topology
- uses ares to segment a network
EIGRP:
- summaries can be created in specific parts of the IGP topology
An engineer is implementing a Cisco MPLS TE tunnel to improve the streaming experience for the clients of a video-on-demand server. Configure a Cisco MPLS TE tunnel on both ends of the session must the engineer perform to configure extended discovery to support the MPLS LDP session between the headend and tailend routers.

PlAwAnSaI · Sep 27, 2021

DTP modes of Trunk and Dynamic Desirable both initiate the formation of a trunk by sending DTP frames. The mode of Dynamic Auto will setup a trunk if it receives a DTP frame, but it doesn't initiate trunk formation. Also, Access mode prevents a trunk from being formed. As a result, the only two mode combinations that would fail to bring up a trunk are: (1) one side set to Access (regardless of the other side's mode) and (2) both sides set to Dynamic Auto.
In addition to the instances define in an MSTP configuration, a default instance of MST0 is created. All VLANs not explicitly assigned an MSTP instance are assigned to that MST0 instance.
A Passive Interface is an interface that participates in an OSPF routing process without sending Hello messages. This type of interface might be appropriate for an interface connecting out to endpoints but no other OSPF-speaking routers. Having such an interface be a Passive Interface would allow that network be advertised by OSPF to neighboring routers without sending unnecessary Hello messages and also prevent a malicious user from adding an OSPF-speaking router to that interface's network and forming an unwanted OSPF adjacency.
BGP neighbors must be configured with one another's IP addresses, as opposed to dynamically discovering each other with multicast Hello messages, which are used by EIGRP and OSPF. BGP neighbors form a TCP session between themselves, rather then a UDP session. Also, even though BGP neighbors can be a maximum of 255 hops away from one another (using the 'ebgp-multihop' command), by default, BGP neighbors must be adjacent to one another.
IPv6 routes can be advertised over either an IPv4 or an IPv6 session with Multiprotocol BGP. However, if an IPv4 session is used, the receiving BGP neighbor doesn't learn the IPv6 address of the router sending the IPv6 route advertisement. To overcome this issue, can configure a route map to add the IPv6 next-hop address to IPv6 route advertisements.
A cycle is defined as one complete up and down motion of an electromagnetic wave. This is used to determine the frequency of an electromagnetic wave by examining the number of cycles that happen over the period of one second, otherwise known as Hertz (Hz). For example, if an electromagnetic wave has four complete up an down motions over the period of one second, this means there are four cycles per second. Would determine that the frequency of this electromagnetic wave would be 4 Hz.
Monitor mode is a special purpose mode to which can assign a Cisco lightweight access point. When operation in this mode, the access point does not provide any network access to users. The operation is dedicated to performing various background operations, such as Intrusion Detection Service (IDS) monitoring, rogue access point detection, and location-based services, among other things.
In a Network Address Translation (NAT) configuration:

A client inside of a network has its private IP address of 192.168.10.10 translated into a publicly routable IP address of 209.165.200.226.
The 209.165.200.226 IP address is referred to an Inside Global Address, because the IP address is Globally routable and refers to a device on the Inside of the network. Also, the 192.168.10.10 IP address is referred to an Inside Local Address, because it's a Locally routable address and refers to a device on the Inside of the network.
HSRP has a default Hello time of 3 seconds. However, instead of a Hello time, VRRP uses a Master Advertisement Interval, which defaults to 1 second.
Also, HSRP has Preemption disabled by default, while VRRP has Preemption enabled by default.
While HSRP is Cisco-proprietary, VRRp is an industry standard First Hop Redundancy Protocol (FHRP).
Finally, while HSRP cannot use a Virtual IP address that is already assigned to an interface, VRRP can.

BGP:
Weight > Local preference > Originate > AS path length > Origin type > Multi-exit discriminator (Med) > Paths > Router id
We Love Oranges AS Oranges Mean Pure Refreshment

By entering the 'ping' keyword at the EXEC command line level with no IP address attached, a built-in IOS wizard will prompt for details related to the ping command that wish to execute. This allows to control things such as the repeat count, the datagram size, the source address or interface, and more.
By default, SNMP managers use UDP communication over port 161 in order to poll SNMP agent devices in the network. These polls are remote queries that are used to gather information about the hardware and software states of the devices.
Syslog messages have a code ranging from 0-7, where level 7 indicates informational debugging messages and level 0 are the most severe, emergency messages. Level 0 codes indicate an unstable or unusable system with an emergency severity.
The command 'ip flow-export destination 10.1.1.5 9995' would point a Cisco IOS device to a NetFlow collector at the given IP address, and would send the NetFlow data over port 9995.

Refer to the exhibit:

network 20.1.1.2 0.0.0.0 area 0 must be applied to R2 for an OSPF neighborship to form.
The network 20.0.0.0 0.0.0.255 area 0 command on R2, it just /24 did not cover the IP address of Fa1/1 interface of R2 so OSPF did not run on this interface. Therefore have to use the command network 20.1.1.0 0.0.0.255 area 0 to turn on OSPF on this interface.
The command network 20.1.0.0 0.0.255.255 area 0 can be used too.
The network 0.0.0.0 255.255.255.255 area 0 command on R1 will run OSPF on all active interfaces.
VxLAN uses an 8-byte VxLAN header that consists of a 24-bit VNID and a few reserved bits. The VxLAN header together with the original Ethernet frame goes in the UDP payload. The 24-bit VNID is used to identify Layer 2 segments and to maintain Layer 2 isolation between the segments.
An engineer is configuring a new SSID to present users with a splash page for authentication. Local Policy WLAN Layer 3 setting must be configured to provide this functionally.
A benefit of data modeling languages like Yet Another Next Generation (YANG) is they provide a standardized data structure, which results in configuration scalability and consistency.
YANG is a language which is only used to describe data models (structure). It is not XML or JSON.
An EEM policy is an entity that defines an event and the actions to be taken when that event occurs. There are two types of EEM policies: an applet or a script.
An applet is a simple form of policy that is defined within the CLI configuration.
event manager applet ondemand
event none -> allows EEM to identify an EEM policy that can be manually triggered
action 1.0 syslog priority critical msg 'This is a message from ondemand'
There are two ways to manually run an EEM policy. EEM usually schedules and runs policies on the basis of an event specification that is contained within the policy itself. To run the policy, use either the action policy command in applet configuration mode or the event manager run command in privileged EXEC mode.
DHCP option 43 helps lightweight APs find the IP address of a wireless LAN controller.

PlAwAnSaI · Sep 27, 2021

By default, a Cisco IOS SPAN configuration will monitor both transmitted and received traffic on a selected interface. Other options can be selected during configuration if there are specific needs, using the keywords 'rx' (only monitor received traffic) or 'tx' (only monitor transmitted traffic). The 'both' option is also available, which is the same as the default action that monitors both transmitted and received traffic.
The 'start-time' keyword allows to specify a starting time for the IP SLA probe. This can be followed by several options, such as the 'after' keyword to start the probe after a specified amount of time. Exact times can also be entered in hours, minutes, and seconds if there is a specific time that the probe should start. Other options include 'now' (for immediate probe start) and 'random' (to start the probe after a random time interval).
Applets are a more simplified tool for creating EEM policies, as opposed to scripts that are created with an interpreter language. Applets can be used within the Cisco IOS Command Line Interface (CLI) to create EEM policies.

Device Access Security:

Privilege Level Passwords:

Level 0:
- Most restricted
- 5 available commands
Level 1 (User Level):
- Read-only commands
Level 15 (Privileged Level):
- Complete device control

Least Privilege Principle: Users should only have the minimum level of access necessary to perform their job duties.

Helpdesk support staff
Junior admins
Senior engieers

Line Passwords:

CTY Line:
- Console port
- Initial configuration
AUX Line:
- Auxiliary port
- Backup console port
VTY Lines:
- Virtual terminal connections
- Inbound telnet control

AAA with a Local Database:

Authentication:
- Proof of identity
- Username&password
Authorization:
- Privileges and restrictions
- Authentication does not ensure authorization
Accounting:
- Record of user actions
- Log files
External AAA:
- RADIUS:
  - IETF open standard
  - UDP ports 1812/1813
  - Encrypts password field only
  - Network access
- TACACS+:
  - Cisco-proprietary
  - TCP port 49
  - Encrypts entire payload
  - Device administration
  aaa new-model
  username charles privilege 15 secret cisco
  !
  tacacs server TACACS
  address ipv4 10.1.1.5
  key security
  !
  aaa group server tacacs+ T-GROUP
  server name TACACS
  !
  aaa authentication login default group T-GROUP local
  aaa authorization exec default group T-GROUP local

Wireless Security:

Extensible Authentication Protocol (EAP):
802.1x Authentication:

IEEE standard which defines port-based network control
Uses EAP over LAN (EAPoL) to control access to the local area network

Supplicant: The endpoint requesting access
Authenticator: Network device controlling physical access to the network
Authentication Server: Performs the actual authentication of the endpoint

Native EAP Types:
EAP-TLS:

One of the most secure EAP types
Uses X.509 certificates for mutual authentication
Highly regarded in BYOD deployments

EAP-MD5:

Hides credentials in a hash
Common on IP phones

EAP-MSCHAPv2:

Credentials encrypted within an MSCHAPv2 session
Simple transmission of credentials
Ability to communicate with Active Directory

EAP-GTC:

Cisco alternative to MSCHAPv2
Enables more generic authentication

Tunneled EAP Types:
PEAP (Protected EAP):

Originally proposed by Microsoft
Uses X.509 certificate
Uses an additional native EAP type for inner method

Wireless controller is radio resource management performed in a cisco SD-access wireless solution.
Fabric wireless controllers manage and control the fabric-mode APs using the same general model as the traditional local-mode controllers which offers the same operational advantages such as mobility control and radio resource management. A significant difference is that client traffic from wireless endpoints is not tunnelled from the APs to the wireless controller. Instead, communication from wireless clients is encapsulated in VxLAN by the fabric APs which build a tunnel to their first-hop fabric edge node. Wireless traffic it tunneled to the edge nodes as the edge nodes provide fabric services such as the Layer 3 Anycast Gateway, policy, and traffic enforcement.
R1#
interface GigabitEthernet0/0
ip address 192.168.250.2 255.255.255.0
standby 20 ip 192.168.250.1
standby 20 priority 120

R2#
interface GigabitEthernet0/0
ip address 192.168.250.3 255.255.255.0
standby 20 ip 192.168.250.1
standby 20 priority 110

R1 becomes the active router and if goes down. R2 becomes active and remains the active device when R1 comes back online.
Refer to the exhibit:

An engineer issues a ping from S1 to S2. The initial value of the TTL are:
- The packet reaches R3, and the TTL expires
- R3 replies with a TTL exceeded message.
The login method is configured on the VTY lines of a router with these parameters:
- The first method for authentication is TACACS
- If TACACS is unavailable, login is allowed without any provided credentials
The configuration accomplishes this task should be:

aaa new-model
aaa authentication login default group tacacs+ none
aaa session-id common
!
line vty 0 4
password 7 020203948574
!
The 'default' keyword means want to apply for all login connections (such as tty, vty, console, and aux). If use this keyword, don't need to configure anything else under tty, vty, and aux lines. If don't use this keyword then have to specify which line(s) want to apply the authentication feature like this:
aaa new-model
aaa authentication login telnet group tacacs+ none
aaa session-id common
!
line vty 0 4
login authentication telnet
An engineer is concerned with the deployment of new application that is sensitive to inter-packet delay variance. ip sla responder tcp-echo 172.29.139.134 5000 command configures the router to be the destination of jitter measurements.
While configuring an IOS router for HSRP with a virtual IP of 10.1.1.1, an engineer sees this log message:
Jan 1 12:12:12.111 : %HSRP-4-DIFFVIP1: GigabitEthernet0/0 Grp 1 active

routers virtual IP address 10.1.1.1 is different to the locally

configured address 10.1.1.25
The engineer must Change the HSRP virtual address on the local router to 10.1.1.1.

PlAwAnSaI · Oct 2, 2021

EAP-FAST (Flexible Authentication via Secure Tunnel):

Created by Cisco as a PEAP alternative
Faster re-authentication
Faster wireless roaming
Uses Protected Access Credentials (PACs)

802.1x-Introduction-and-general-principles-eap-tunnel.png

Web-based Authentication (WebAuth):

No client software is required, making this a more flexible authentication method.
Commonly found in corporate guest network access.
No IP traffic allowed from the host before successful authentication.
Central Web Authentication: Used in larger WebAuth deployments where a centralized RADIUS database (such as Cisco ISE) is necessary.
Local Web Authentication: Used in smaller wireless deployments where WebAuth is handled locally by the wireless LAN controller.

WebAuth Process:

Guest user connects to WebAuth configured SSID.
Guest user opens a web browser.
WLC redirects browser to guest portal.
Guest portal authenticates user and informs WLC via RADIUS.
Access control attributes are applied to the guest user.
WLC returns successful login page to user, and any acceptable user policies for review.

WebAuth Benefits:

No special client software required
Familiarity for end users
Customizable user interface

WebAuth Limitations:

Not transparent to end users
Not as secure as 802.1x
Lack of single sign-on capabilities

Security Design Considerations:

Cyber Threat Defense:
Cisco SAFE:

Security model for modern needs
logical Places In Network (PIN)

Common PINs:

Branch:
- Typically less secure due to cost
- Most susceptible to threats
  
  Mitigation Focus:
- Endpoint malware and antivirus protection
- Wireless infrastructure protection
- Trust exploitation protection
Campus:
- Large user populations with varied devices
- Subnets and VLAN segmentation
  
  Mitigation:
- Phishing and web-based exploits
- Network malware and botnet infestation
- BYOD increases attack surface
WAN:
- Connects network resources together
- Provides critical network access
  
  Mitigation:
- Unauthorized application access
- Malware propagation
- Data exfiltration and/or loss
Data Center:
- Informational assets
- Physical and/or virtual servers
  
  Mitigation:
- Malware propagation
- Unauthorized user access
- Reconnaissance attacks
Edge:
- Primary ingress/egress for network
- Most critical infrastructure resource
  
  Mitigation:
- Web server vulnerabilities
- Distributed Denial of Service (DDoS)
- Man-In-The-Middle (MITM)
Cloud:
- Popular for convenience and cost
- Rely largely on the provider for security
  
  Mitigation:
- SLA dictates security strength
- Information storage and access
- Uptime and recovery guidelines
Management: Policy creation, change management, patching
Security Intelligence: Intelligence of emerging threats
Compliance: Internal and external policies
Segmentation: Boundaries for users and data
Threat Defense: Visibility for traffic assessment
Secure Services: Traffic protection through encryption

Endpoint Hardening:

Advanced Malware Protection (AMP) for Endpoints:
Detection Mechanisms:
- Continual endpoint monitoring
- Vulnerable software detection and reporting
Response:
- Endpoint forensics
- File and device trajectories
- Powerful analysis and tracking features
Cisco Umbrella:
- Previously OpenDNS
- DNS filtering service for internet destinations
- Machine learning continually updates database
Deploy:
- Add network public IP address into configuration
- Point all network DNS to Umbrella
- Prevent end users from changing local DNS with firewall rules
Cisco AnyConnect VPN:
- Provides access to enterprise network over public networks
- Used in conjunction with Cisco Adaptive Security Appliance (ASA)
Prevention, detection, and response
Intelligence from cloud-based analytics

Cisco TALOS:
Global stats for threat tracking
Feeds threat intel into Cisco AMP

Cisco ThreatGRID:
Static and behavioral file analysis
Used in conjunction with Cisco TALOS

Cisco TrustSec:

Traditional Access Control:

Based on topologies and segmentation
Modern networks require flexibility
Cisco TrustSec offers access control through contextual identification

Cisco Identity Services Engine (ISE):

Uses Cisco TrustSec to assign a tag
Security Group Tag (SGT)
Tags dictate which access policies are enforced throughout the network

Advantages of Cisco TrustSec:

Highly scalable and efficient
No topology changes necessary when altering access control
Not a replacement for traditional methods such as VLANs and subnets, but a supplement

JSON syntax can be written as follows:
{
"switch": {
"name": "dist1",
"interfaces": ["gig1", "gig2", "gig3"]
}
}
The primary components for the Cisco SD-WAN solution consist of the vManage network management system (management plane), the vSmart controller (control plane), the vBond orchestrator (orchestration plane), and the vEdge router (data plane).
Cisco DNA Center creates device packs through the use of an SDK to allow management of non-Cisco devices through southbound protocols.
Cisco DNA Center allows customers to manage their non-Cisco devices through the use of a Software Development Kit (SDK) that can be used to create Device Packages for third-party devices.
DTLS protocol is used to encrypt control plane traffic between SD-WAN controllers and SD-WAN endpoints.
"HTTP/1.1 204 content" is returned when cur -l -x delete command is issued. So, The command succeeded in deleting the object.
fail-safe defaults design principle states that a user has no access by default to any resource, and unless a resource is explicitly granted, it should be denied.
คือ การออกแบบให้ระบบตัดสินใจเรื่อง Access Control โดยใช้หลัก Whitelist คือ ให้ใครทำอะไรบ้าง เข้าถึง Resource อะไร และเข้าใช้งานด้วยวิธีไหน หากไม่ได้อยู่ใน Whitelist ระบบก็จะไม่อนุญาตโดยปริยาย ตรงกันข้ามกับการใช้ Blacklist หรือการระบุว่าไม่ให้ใครทำอะไรบ้าง ในระยะยาวการ Maintain จะทำได้ลำบากเพราะมีวิธีหลีกเลี่ยงใหม่ๆ ที่ต้องใส่เพิ่มเข้าไปใน Blacklist เสมอ
medium.com/incognitolab/หลักแห่งการออกแบบระบบอย่างมั่นคงปลอดภัย-secure-design-principles-64a5ba0c6142

PlAwAnSaI · Oct 3, 2021

Media access control Security (MacSec):

IEEE 802.1AE
Layer 2 protocol
Confidentiality and integrity over Ethernet
Wired equivalent of WPA/WPA2 protection
More viable option than IPsec everywhere
128-bit AES-GCM encryption
Only encrypted between MACsec peers
Internally on a switch, traffic is unencrypted
Still allows for deep packet inspection
Processed by switch ASICs
ASICs perform encryption/decryption
Less strenuous than IPsec encryption

Security Association Protocol (SAP):
Line-rate encryption/decryption
128-bit AES-GCM encryption
Cisco-proprietary
Used between Cisco switches

Macsec Key Agreement (MKA) Protocol:
Same with SAP but
For Open industry standard
Used between endpoints and switches

Downlink MACsec:
Encrypted link between client and switch
MKA protocol
Requires supplicant software
MACsec can be required or optional

Uplink MACsec:
Encrypted link between switchs
SAP
MKA option available
Dynamic or manual negotiation
Commonly layered with TrustSEC to add authentication
VTY lines in Cisco IOS are essentially Virtual Terminal connections. There is no physical hardware associated with these lines, as they are a function of the IOS software. In the running configuration, these are denoted as 'line vty 0 4', where the two numbers at the end are the line numbers. In this example, there are lines 0 through 4, for a total of five available VTY lines. These are used solely for controlling inbound Telnet connections.
The RADIUS protocol is an open standard used with external AAA database deployments. As opposed to the Cisco-proprietary TACACS+ protocol which encrypts the entire payload, RADIUS only encrypts the password field. RADIUS uses UDP ports 1812 and 1813 by default for communication.
Extended ACLs have the ability to filter between protocol types and can match traffic based on both source and destination IP addressing. Because of the ability to see IP addressing in this way, a best practice recommendation is to place extended ACLs as close to the source as possible in order to stop traffic early on. This ensures that unwanted traffic doesn't take up network bandwidth unnecessarily.
The opposite is true of standard ACLs, which are recommended to be placed as close to the destination as possible.
Modular Qos Cli (MQC) within the Control Plane Policing (CoPP) solution allows for both network traffic filtering and rate limiting.
Within MQC, have the ability to create and attach a traffic policy to an interface. ACLs are used to identify the traffic itself, against which want to take action with MQC. Filtering and rate limiting are not performed by the ACL itself, but rather it is only used for traffic identification. The MQC policy is what allows for the filtering and rate-limiting.
EAP-TLS is one of the most commonly used native EAP types. This is considered to be one of the most secure EAP types and is one of the original authentication methods defined by the IEEE 802.1X standard. This requires a certificate authority in order to use X.509 certificates for mutual authentication between the client and server.
Central WebAuth redirects network client browsers to a central WebAuth server, which requires the client to login with valid credentials in order to obtain authentication and authorization. This is used in larger deployments that contain a centralized RADIUS database such as Cisco ISE.
The Compliance domain found in Cisco's cyber threat defense framework addresses / deals with both internal and external security policies. Examples of these include standard regulations such as HIPAA, SOX, and PCI. This would also include any internal policies that are specific to network.
Cisco TrustSec is used by Cisco ISE to assign a Security Group Tag (SGT) to each device at the egress point of a TrustSec capable device. Based on the SGT tag, certain access policies will be enforced elsewhere in the infrastructure. SGTs can be used by routers, switches, and firewalls on Cisco TrustSec capable devices in order to make forwarding decisions.

An engineer configures a WLAN with fast transition enabled. Some legacy clients fail to connect to this WLAN. adaptive R feature allows the legacy clients to connect while still allowing other clients to use fast transition based on the OLTIs.
ip access-list extended 100
deny tcp host 10.10.10.1 any eq 80 -> except for http traffic sourced from the host IP 10.10.10.1
permit ip any any -> permits all traffic
Refer to the exhibit:

An engineer is investigating why guest users are able to access other guest user devices when the users are connected to the customer guest WLAN. The action resolves this issue is implement P2P blocking.
Ensure 'Peer-to-Peer Blocking Action' is set to 'Drop' for All 'Wireless LAN Identifiers'
This control determines whether the Wireless LAN Controller is configured to prevent clients connected to the same Wireless Local Area Controller from communicating with each other.
Wireless Client Isolation prevents wireless clients from communicating with each other over the RF. Packets that arrive on the wireless interface are forwarded only out the wired interface of an Access Point. One wireless client could potentially compromise another client sharing the same wireless network.
www.itsecure.hu/library/image/CIS_Cisco_Wireless_LAN_Controller_7_Benchmark_v1.1.0.pdf
A client device roams between wireless LAN controllers that are mobility peers, Both controllers have dynamic interface on the same client VLAN is the inter-controller type of roam.
Refer to the exhibit:

An engineer is troubleshooting a connectivity issue and executes a traceroute. The result confirm The probe timed out.
In Cisco routers, the codes for a traceroute command reply are:
! -- success
* -- time out
N -- network unreachable
H -- host unreachable
P -- protocol unreachable
A -- admin denied
Q -- source quench received (congestion)
? -- unknown (any other ICMP message)
www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/22826-traceroute.html#addno
An engineer configures GigabitEthernet0/1 for VRRP group 115.
interface GigabitEthernet0/1
ip address 10.10.10.2 255.255.255.0
vrrp 115 ip 10.10.10.1
vrrp 115 authentication 406530697
The router must assume the primary role when it has the highest priority in the group. Required command set to complete this task is:
Router(config-if)# vrrp 115 track 1 decrement 10
Router(config-if)# vrrp 115 preempt
9100 is the recommended MTU size for a Cisco SD-Access Fabric.
An engineer is implementing MPLS OAM to monitor traffic within the MPLS domain. The engineer must Disable IP redirects on all ingress interfaces to prevent from being forwarded beyond the service provider domain when the LSP is down.
If the noise floor is -90 dBm and wireless client is receiving a signal of -75 dBm, The SNR = Signal - Noise = -75 - (-90) = 15 dB.

PlAwAnSaI · Oct 6, 2021

Network Automation:

Overview of Software Defined Networking (SDN):

Distributed Control Plane
API
SouthBound Interfaces (SBI)
Centralized Control Plane
OpenFlow
NorthBound Interfaces (NBI)
RESTful APIs
JSON

Cisco SDN Controllers:

Cisco Application Policy Infrastructure Controller (APIC): The SDN controller that's part of Cisco's Application Centric Infrastructure (ACI) solution for data centers.
Cisco Digital Network Architecture (DNA) Center: Cisco's SDN controller focused on Enterprise networks, that goes beyond traditional SDN by including 'intent.'
Design, Policy, Provision, Assurance, and Platform

JavaScript Object Notation (JSON) Format, 2 Basic Structures:

OBJECT: A collection of name/value pairs.
- An unordered set of name/value pairs.
- Enclosed in curly brackets
- {
  "firstName":"Vekin",
  "lastName":"Lalwace"
  }
ARRAY: An ordered list of values:
- An ordered set of comma-separated values.
- Enclosed in straight brackets.
- [
  "CCNA",
  "CCNP Enterprise",
  "CCIE Enterprise Infrastructure"
  ]

Value:

Can be a string, number, object, array, null, true, or false.
Example of a JSON validator: https://jsonlint.com
{
"Name": "Vekin Lalwace",
"CCIE #": 7890,
"Tracks": ["Enterprise Infrastructure", "Collaboration"]
}

YANG Data Modeling:

Commonly used with NETCONF
Data modeling
Developed by the IETF
RFCs 6020 and 6021
https://github.com/YangModels/yang

Data Modeling Example:

Apple iPhone
Model: 12 mini, 12 Pro, 12 Pro Max, Other
Display Size: 5.4", 6.1", 6.7", Other
Color: Pacific Blue, Gold, Graphite, Silver, Purple, Blue, Green, (PRODUCT)RED, White, Black, Other
Capacity: 64 GB, 128 GB, 256 GB, 512 GB, Other
12 Pro Max, 6.7", Graphite, 256 GB

YANG Data Model of Network Interface:

NETCONF:

https://developer.cisco.com/site/sandbox
https://raw.githubusercontent.com/CiscoDevNet/python_code_samples_network/master/NC-get-config/NC-get-config.py
DevNet Associate 1.0 (DEVASC):
https://www.youtube.com/playlist?list=PLqhYARgo2Xidv82kSvJg49Kn7r1kw8hA_
Network Programmability for Network Engineer: Data Model, NETCONF, RESTCONF
www.youtube.com/watch?v=XxYDivTnVG0
Cisco DevNet Webinar Series:
www.netacad.com/careers/webinars/opportunities-in-tech/cisco-devnet-webinar-series

Refer to the exhibit:

The segment 192.168.0.0/24 has no designated router because it is a p2p network type.
Four things determine 'Air Time Efficiency'
1. Data rate (Modulation density) or QAM
2. Number of spatial streams and spatial reuse
3. Channel bandwidth
4. Protocol overhead
www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKEWN-3010.pdf
Refer to the exhibit:

A network engineer configures a new GRE tunnel and enters the show run command. The output verify The tunnel destination will be known via the tunnel interface.
AP monitor mode allows an engineer to scan configured channels for rogue access points.
Refer to the exhibit:

> Frame 24: 138 bytes on wire (1104 bits), 138 bytes captured (1104 bits) on interface 0
> Ethernet II, Src: 50:00:00:01:00:01 (50:00:00:01:00:01), Dst: 50:00:00:02:00:01 (50:00:00:02:00:01)
> Internet Protocol Version 4, Src: 209.165.202.130, Dst: 209.165.202.134
> Generic Routing Encapsulation (IP)
> Internet Protocol Version 4, Src: 10.111.111.1, Dst: 10.111.111.2
> Internet Control Message Protocol
A GRE tunnel has been created between HQ and BR routers. 10.111.111.1 is the tunnel IP on the HQ router.
In Cisco SD-WAN, BFD protocol is used to measure link quality.
To decapsulate map-request messages from ITRs and forward the messages to the MS is the function of the LISP map resolver.
VxLAN use VNI to provide segmentation for Layer 2 and Layer 3 traffic.
Set of statements that defines how data is forwarded based on IP packet information and specific VPNs is the data policy in a Cisco SD-WAN deployment.
EIGRP:
- can automatically summarize networks at the boundary
- supports equal or unequal path cost
OSPF:
- requires manual configuration of network summarization
- supports only equal path cost
- supports virtual links
study-ccna.com/ospf-summarization
The Cisco DNA Center use intent-based APIs to enable the delivery of applications through a network and to yield analytics for innovation.
The Cisco DNA Center open platform for intent-based networking provides 360-degree extensibility across multiple components, including: Intent-based APIs leverage the controller to enable business and IT applications to deliver intent to the network and to reap network analytics and insights for IT and business innovation. These enable APIs that allow Cisco DNA Center to receive input from a variety of sources, both internal to IT and from line-of-business applications, related to application policy, provisioning, software image management, and assurance.
www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-dna-cent-plat-sol-over-cte-en.html
Refer to the exhibit:

Configuration change ensures that R1 is the active gateway whenever it is functional state for the 172.30.110.0/24 network:
R1: standby 1 preempt
R2: standby 1 priority 90
VxLAN technology is used as the basis for the cisco sd-access data plane.
YANG structures data in an object-oriented fashion to promote model reuse.
show netconf | section rpc-reply command is required to verify NETCONF capability reply messages.
NTP Stratum level 1 is a server that is connected directly to an authoritative time source.
When configuration WPA2 Enterprise on a WLAN, RADIUS server security component configuration is required.
In an SD-WAN deployment, the vSmart controller responsible for distribute policies that govern data forwarding performed within the SD-WAN fabric.
The benefits of virtual switching when compared to hardware switching are VM-level isolation and increased flexibility.
Reduce AP transmit power and Increase minimum mandatory data rate are used to reduce the AP coverage area.

PlAwAnSaI · Oct 18, 2021

https://www.python.org/ftp/python/3.8.0/python-3.8.0-amd64.exe
cythonPython38>python
Python 3.8.0 (tags/v3.8.0:fa919fd, Oct 14 2019, 19:37:50) [MSC v.1916 64 bit (AMD64)] on win32
>>> print("Hello World")
Hello World
>>> #This is a comment
...
>>> my_devices = "router switch accesspoint"
>>> print(my_devices)
router switch accesspoint
>>> devices = my_devices.split()
>>> print(devices)
>>> ipaddr = "10.1.10.1"
>>> print(ipaddr)
10.1.10.1
>>> type(ipaddr)
>>> ipaddr2 = 10
>>> type(ipaddr2)
>>> ipaddr2 = "10"
>>> type(ipaddr2)
>>> string = "my" + " " + "string"
>>> print(string)
my string
>>> hostname = "nxos1"
>>> print(hostname)
nxos1
>>> hostname.upper()
'NXOS1'
>>> macaddr = "11:22:33:44:55:66"
>>> macaddr.replace(":","-")
'11-22-33-44-55-66'
>>> ipaddr = "10.1.{}.1"
>>> ipaddr.format("200")
'10.1.200.1'
>>> ipaddr = "10.4.8.1"
>>> iplist = ipaddr.split(".")
>>> print(iplist)
>>> print(iplist[0])
10
>>> print(iplist[1])
4

cisco-connect-toronto-2018-modeldriven-programmability-for-cisco-ios-xrv1-7-638.jpg

https://github.com/refeel10/encor_freewebinar

Extended IP access list EGRESS
10 permit ip 10.1.100.0 0.0.0.255 10.1.2.0 0.0.0.255
20 deny ip any any
An engineer must modify the access control list EGRESS to allow all IP traffic from subnet 10.1.10.0/24 to 10.1.2.0/24. The access control list is applied in the outbound direction on router interface GigabitEthernet 0/1. The configuration commands the engineer can use to allow this traffic without disrupting existing traffic flows is:
config t
ip access-list extended EGRESS
5 permit ip 10.1.10.0 0.0.0.255 10.1.2.0 0.0.0.255
MSDP depends on BGP or multiprotocol BGP for interdomain operation is MSDP used to interconnect multiple PIM-SM domains.
The access point is part the fabric overlay in Cisco SD-Access wireless network deployments.
Provides intrusion prevention is a characteristic of a next-generation firewall.
Refer to the exhibit:

A network engineer troubleshoots an issue with the port channel between SW1 and SW2. SW(config-if)# channel-group 10 mode active command resolves the issue.
Refer to the exhibit:

External users require HTTP connectivity to an internal company web server that is listening on TCP port 8080. Command set accomplishes this requirement is:
interface G0/0
ip address 209.165.200.225 255.255.255.224
ip nat outside
!
interface G0/1
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
ip nat inside source static tcp 10.1.1.100 8080 interface G0/0 80

CCNP Enterprise

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator

Administrator