Cisco CCNA 200-301 Complete Guide | Ben Jacobson | Skillshare


Lessons in This Class

  • 1. Course Introduction (0:59)
  • 2. 1.1.1 Network Components Part 1 (27:39)
  • 3. 1.1.2 Network Components Part 2 (10:50)
  • 4. 1.2 Network Topologies (26:01)
  • 5. 1.3 Physical Cabling (22:03)
  • 6. 1.4 Layer 1 Troubleshooting (24:53)
  • 7. 1.5 Layer 2 Concepts (22:06)
  • 8. 1.6 IPv4 concepts and configuration (27:38)
  • 9. 1.7 IPv6 addresses and configuration (30:53)
  • 10. 1.8 Comparing TCP and UDP (17:00)
  • 11. 1.9 Wireless Principles (24:39)
  • 12. 1.10 Virtualization (18:15)
  • 13. 2.1 VLAN fundamentals and configuration (18:30)
  • 14. 2.2 dot1Q fundamentals and configuration (20:44)
  • 15. 2.3 Layer 2 Discovery Protocols (18:37)
  • 16. 2.4 RPVST+ Part 1 (31:09)
  • 17. 2.5 RPVST+ Part 2 (20:35)
  • 18. 2.6 Etherchannels concepts and configuration (24:31)
  • 19. 2.7 Wireless architectures and AP Modes (21:44)
  • 20. 2.8 Physical WLAN connections (17:26)
  • 21. 2.9 Configuring an SSID on a WLC (20:30)
  • 22. 3.1 Reading a routing table (17:38)
  • 23. 3.2 Routing decisions and attributes (18:25)
  • 24. 3.3 IPv4 and IPv6 static routing (29:22)
  • 25. 3.4 OSPFv2 part 1 (30:54)
  • 26. 3.5 OSPFv2 part 2 (20:06)
  • 27. 3.6 FHRPs (19:57)
  • 28. 4.1 Configuring source NAT (31:03)
  • 29. 4.2 Configuring NTP (30:29)
  • 30. 4.3 DHCP and DNS (18:01)
  • 31. 4.4 Configuring DHCP (21:58)
  • 32. 4.5 SNMP and syslogging (22:51)
  • 33. 4.6 QoS (23:41)
  • 34. 4.7 SSH (18:41)
  • 35. 4.8 FTP and TFTP (12:42)
  • 36. 5.1 Defining key security concepts (14:19)
  • 37. 5.2 Elements of a security program (17:50)
  • 38. 5.3 AAA (30:04)
  • 39. 5.4 S2S and RA VPN (28:27)
  • 40. 5.5 ACLs (40:54)
  • 41. 5.6 Layer 2 Security (43:53)
  • 42. 5.7 Wireless Security (18:43)
  • 43. 6.1 Automating Network Management (19:59)
  • 44. 6.2 Controller based and SDN architectures (11:03)
  • 45. 6.3 REST APIs (19:38)
  • 46. 6.4 Configuration management systems (23:47)


About This Class

This course covers all exam topics for the new 200-301 exam to earn CCNA.

It's recommended to review my GNS3 Course for Cisco devices so that you may more easily lab up the examples given in the course.

Whether you're looking to add a certification to your resume, stay up on modern networking trends, or are just getting started in the industry, earning your CCNA is a great way to get started.

This course provides everything you'll need to go from 0 to CCNA.

Included in this course:

  • Lab setup instructions and recommendations

  • 45 Lectures, covering every exam topic in detail

  • 90+ Practice questions

  • Over a dozen labs!

According to Glassdoor, having CCNA on your resume can land an average salary of over $74,000!

Definitely a way to get a jumpstart on a successful career!

Why wait to be successful? Let's get started right here, right now; and I'll be here to help along the way.

Happy Learning!

Transcripts

1. Course Introduction: Hello and welcome, everyone. I'm Ben Jacobson, and let me first congratulate you on taking the best next step further in your career and taking control of your success. Whether you're a seasoned professional looking for recertification or just getting started in the industry, the new CCNA version 2.0 ensures that you have the skills necessary to manage the networks of today. We're seeing exam topics like network automation, wireless and security all combined into a single exam like we've never seen from Cisco before. Naturally, we'll be covering these all in a single course, and I'm really excited to bring this to you. The last four months for me have come together in over 18 hours of coursework, 100 practice questions and a dozen live labs, including a tutorial for setting up your own virtual lab so you can run through those with me. I had a lot of fun putting this together, and I hope you have even more going through it with me. Thank you so much again, and I'll see you soon.

2. 1.1.1 Network Components Part 1: Hello and welcome to the CCNA course. In this section we're gonna go over network components: routers, switches and firewalls. So, actually, before we end up talking about the individual network components, it helps to go ahead and learn a little more fundamentals here so that we can really keep our conversation a little more fluid when we're describing what these different components do and how they interact with network traffic. So what I'd like to do first, in case you don't have a familiarity with this, is let's go ahead and talk about the OSI model. Now, back in the day when TCP/IP was just in its infancy, we also had a different competing protocol stack. That was the OSI protocol stack.
The OSI had its own addressing scheme and methods for routing and things like that, as does TCP over IP and the Internet Protocol, and the OSI protocol stack had this model, the OSI model, a model used for standards development and how to get different standards to talk to each other, a communication functional model. Now, as network engineers, we usually care mostly about the first four layers here: layer one down here at the bottom and four up here at the transport. And then really, anything else is just more than four; a lot of network engineers will just reference this entire section here as layer seven, that it all ends up residing up here in the application layer. Now, when you're talking with your colleagues and troubleshooting issues, it really helps to get comfortable with conceptualizing your issues in reference to the OSI model. That is to say, a layer one problem is you're looking at a physical cabling issue, that you actually do not have connectivity between two links; or a layer two issue, a data link layer issue, you're talking about a MAC address problem, an issue in that area or with your Ethernet header as a whole, just your Ethernet frame. And we'll talk about frames and packets a little more in the next slide here when we talk about protocol data units. But then here at layer three, your network issue, where your IP addresses live; layer four, where TCP and UDP live, when you're opening up a port on your firewall, that's actually layer four inspection that's happening, and you are setting a rule for your layer four inspection. Just talking a little bit like that, just so you can understand, to be able to conceptualize this and keep your conversations with your colleagues a little more fluid, to tell them, yeah, we're looking at a layer three problem here, a routing issue, or a layer one problem. Yeah, you're looking at that.
Somebody tripped over a cable and it got unplugged, and there's your layer one connectivity issue right there. So now that you have a little bit of understanding here as to how we use the OSI model in our day-to-day operations as network engineers, let's go ahead and talk a little bit about what protocols live in each of these layers and also what their fundamental data unit is. So here on the left we have our protocols that live in each of the layers, and the fundamental data units, the word that you use for one individual piece of that data. Down here at the physical layer, this is where standards like RJ45 for your jacks that plug in with our Ethernet cables and 802.11 for wireless live, the standards that describe the physical standards here for 802.11 and the frequencies you're allowed to broadcast at and at what rates and things of that sort. And here your protocol data unit is gonna be the bit, or also a symbol. If you've ever talked to analog electrical engineers or people who work with telephony, or back with analog modems, those spoke a lot in symbols, where one long signal can represent multiple bits. But still, this is the protocol data unit, the individual unit of data at that physical layer. Now, when we go ahead and move up one more here to layer two, we've got the data link layer, and here our PDU is the frame. This is where your Ethernet frame lives. You know, when you have a, let's say you've got just a router here and the line coming out of it, and that goes off that direction, when it transmits things out onto this line here, first you've got your Ethernet frame, and then right behind that you're gonna have your IP or OSPF or ICMP header. So let's just say you're working with IP here, and then right behind that it's gonna go ahead and give you your layer four information, your TCP header or UDP header.
And then here you're gonna have your application data that, again, as network engineers, we just don't really care about the specifics of here; it can all just sort of be application when all is said and done, this is just all application layer data. So in our layer three, the IP, ICMP, OSPF, our protocol data unit is a packet. So you would end up saying that you have an IP packet, but at layer four with your TCP and UDP, you either have a datagram here with UDP, or you end up having a TCP segment; that's your protocol data unit at layer four. So now that we have gone over the OSI model and what sort of protocols live at each layer here, and we can start talking a little bit more about network engineering topics in terms of layers, about where this is actually occurring, in what piece of your whole packet of data we're actually talking about, inspecting or modifying across the network, let's go ahead and talk about our actual components here and where they end up interacting with the data on our network. So first up, starting at the beginning, we've got layer two switches. So with layer two, that's gonna be your Ethernet frame that lives there. That's what a layer two switch cares about: MAC addresses and your Ethernet frame. The thing that makes switches specifically much, much better than hubs, as you can see right here with that H, the thing that makes switches way better is that they separate out our collision domains. Now, what does a collision domain mean? So imagine this, right: you've got your computer, let's say your computer here, you've got a keyboard and your mouse, okay, and your computer is out on the line here, and then here you've got another computer connected to the same line, and you've got another computer here, you know, connected to the same line there. And this goes over into a router here.
And these all go together, and then this goes out to the Internet. Okay, but so for your individual computers here, imagine this, right: when your computer is talking to the router here, when it's transmitting data out onto the line, really what it is is it's the electric potential. So it's sending electricity out onto the line here, and this whole line, basically... there is a transmission delay, or latency, due to how long it takes for the electricity itself to propagate from one end of the line over to the other. There is a little delay there, but still, it's the whole line, practically, that is going hot and then going cold again when it transmits out onto the line here, right? All right, so that would mean that when you have multiple computers, whoops, when you have multiple computers here that are all on the same line, as we have with this section here where we have a hub that's connecting them, it's as if this thing here isn't really a box. It's as if these are actually just all connected here. That's how a hub works. When that happens, when I say this computer right here is transmitting, this whole line here and this whole line here all goes hot and then goes cold; there's electricity flowing on there, and then there's electricity not on the whole thing. So this computer and this computer, and more specifically the router or switch in our circumstance, up here we had the router and our computer, computer, computer, this router can't differentiate and can't tell who is actually transmitting when there are multiple people transmitting. If this guy tries to transmit and this guy tries to transmit at the same time, and this line just goes way up and gets really hot all of a sudden, it's got twice the voltage there that it would otherwise, then it can't differentiate. And what that's called is a collision: you have a collision of data.
Both of these guys are trying to transmit at the same time, causing a collision. Now, a hub, as we have here in the middle, doesn't do anything about this. It just acts as if these are all connected, and it repeats it: anything that comes in, any time that this potential goes up, there's electricity on this line, it forwards that out each of these. It's as if they are physically connected. With a switch, though, it actually takes that in. It takes it in, and a layer two switch specifically looks at our layer two information in our data there. We've got our Ethernet, and then our IP here, and we're looking here at our Ethernet information, so your MAC addresses. And that's what a switch actually does: the first thing it looks at when you have a computer here transmitting out on the line into this switch, the first thing it looks at when that data comes in is the source MAC address. It cares where this came from, so that it now knows that computer three lives here off of port four, and this port is five, so it will know, as soon as computer three transmits a frame out onto the line and the switch gets to look at it and see that that frame came from computer three and the MAC address for computer three, then it will go ahead and remember that it lives off of port four here. Same thing for computer two: it will know that it lives off of port five as soon as computer two transmits a frame out onto the line. And that is what a layer two switch's primary job is. Its whole job here is really just to learn what computers live off of what ports.
Now, in a circumstance like this, where effectively we have three computers living off of the same port, then it will actually just remember all of that; as these guys all transmit traffic out on the line and the switch here gets to learn about it, then it will go ahead and actually remember that all three of these computers live over here off of this port over here. So layer two switches, as you can kind of guess, they only interact with network traffic up to layer two. It's only really our Ethernet frame that it's interacting with, so it can sometimes do layer two quality of service, which is class of service, our CoS, or mostly its primary job is just to learn what MAC addresses live off of what ports, and its primary function in the network, as far as its job role in the network, is to act as ports where end devices can plug into the network. They're really designed just for port density. They are an access layer device, which we'll end up learning a little more about later in the course. So moving up on through the OSI model here, we do have layer three switches. Now, layer three switches are the same thing, really, as a layer two switch, but now, instead of just being able to interact with network traffic at layer two with our Ethernet frames, they can also do routing over in our layer three, in our IP header; it can route. So now, really, what makes a switch a switch is that they use ASICs. That's A-S-I-C, application specific integrated circuit. So integrated circuit, right? You remember seeing those, they're like these little guys that have pins coming off of here and they kind of look like they're little bugs or something. These guys are manufactured and they are specifically programmed, like at the logic gate level, specifically programmed to do one specific task. And that's an ASIC, an application specific integrated circuit.
They're not generalized at all, and they're very, very optimized for the job that they're doing here. So fundamentally they do the same thing as a layer two switch: they learn what MAC addresses come in on which ports, and they go ahead and learn about those. Other than that, though, they also do IP routing. They're referenced in the future diagrams looking like this guy, which you'll end up seeing there, round here like a router, but they also have the symbol on it for a switch as well, to go ahead and show that it's basically a router that's a switch. So they interact with our traffic up to layer three, in our IP header, and they're typically not as full featured as dedicated routers; there's a lot of things that the Catalyst 3550 cannot do. It can't do network address translation, and they also don't usually like VPNs; they also usually don't like VPNs as they don't have the cryptographic ASICs built in there. Typically, they're just meant for routing and doing some basic layer three tasks, maybe like quality of service. Now routers. These are our dedicated layer three and layer four devices. These are generally best at doing, specifically, routing. And when people talk about routing, they usually mean IP routing. This is layer three routing. This is where your IP address lives, so your 192.0.0.1, let's say your IP address, that's where that lives, is up in layer three, and this does good routing. It keeps a list of where certain IP addresses live and figures out how to send it there. We'll talk a little more about specifically how that ends up working, on the routing table and how it chooses a route when it has multiple available. We'll end up talking more about that later. They usually have far fewer ports than a switch does. These are not really access layer devices.
These end up being something that, at the edge of your network, or at least the edge of your network area or segment, go ahead and provide routing between the areas in your network. They're typically edge devices, and they provide more CPU intensive services, things like VPNs or layer four inspections and basic firewalling and things of that sort, keeping track of your connections when we're doing address translation. So that leaves us at firewalls and intrusion prevention systems, IPS. So a firewall's primary job is to allow some trusted network to access some untrusted network. So, as an example here, I mean, you've got your Internet, there's a cloud in it, and it comes over here and it connects into my firewall. I can't draw a firewall. All right, firewall. And then your firewall comes in and connects to your switch. Now connect off into other switches, what have you, okay, whatever, either way to get out of your network. There's a workstation, another workstation there, and this is your trusted network, right? This is your campus, and your campus needs to get out to the Internet, access that area. Well, the Internet is a really scary place, to be honest. That's where a lot of bad things happen, and you need to maintain the understanding that the Internet is very much untrusted, that there is no trust that you should be putting into the Internet. Your internal campus, though, you can assume, for the most part, that this is a trusted area. So you want your trusted network to be able to access the untrusted network, but not the other way around. That is the primary job of a firewall: to act to let some trusted network access some untrusted network and not the other way around. Now, intrusion prevention systems and next generation firewalls. That's how you see a lot of this right here, NGFW, is how that is abbreviated: next generation firewall.
Now they can do inspection up at the application layer and be able to take action on your layer seven information. So this is gonna be things like you might have web traffic that is specifically going to a destination, or you might have JavaScript in that web traffic or something like that, a file in there that you need to go ahead and do scanning on, something where it actually looks into that application layer and takes some action on it. Now, generally, your IPS is going to be either signature based or anomaly based. Now, signature based is where it goes ahead and scans your traffic and maybe does a regular expression comparison, will compare it against a regular expression, or more often will take a hash of it. It will go ahead and do an MD5 or a SHA-1 to go ahead and hash it together into a small, fixed size piece of data that is relatively unique based on what kind of traffic that is, and it has a whole database of these, a whole list of all these signatures and their definitions, that this one corresponds to this virus or this one corresponds to this malware over here that you don't want in your organization. And after it hashes together the data in your packet and it finds it matches one of these, then, as it recognizes the signature, it'll go ahead and block it or allow it, what have you. And this is different than anomaly based detection, where anomaly based is just that: it monitors your traffic for a certain period of time, and you let it go ahead and learn what is the typical type of traffic flowing through your network. And then when something deviates from that norm, that's when it declares a positive on that; that's going to be a detection there. These are definitely edge devices. These would typically go between your business, your office, your campus and the Internet, but it can be placed anywhere there's a difference in security level, as we'll see later.
You might be able to have one physical box of this, but really have multiple logical firewalls, and be able to place these firewalls between a DMZ and your internal network, or between the accounting department and the marketing department, or some area where there's a difference in security level, where you're going from some trusted network to some either untrusted or less trusted network; that's where you can place it as well. Now the IPS inspects application layer data usually after it's already filtered by a firewall. So we're talking about design here, right here where we had our Internet and we've got our firewall here. Usually your IPS will go right here. So you'll end up putting an IPS inline; that is the common way to do an intrusion prevention system. Now there are also things called an IDS. This is a detection system, an intrusion detection system. A lot of times those are placed off some interface here, and just all the traffic is mirrored, because it's only trying to detect things. It can't do anything about it or take any action, sitting off to the side here, just because it's not inline. But when an IPS is inline here, it can actually block that traffic inline if it ends up detecting something that should be blocked. Now, down here, I wanted to go ahead and point out what the figure of a firewall is going to look like in our diagrams. It's gonna look like this guy right here. We've got a magnifying glass there showing that it's inspecting the traffic, and your typical firewall brick wall there as well. These are all the GNS3 icons; we'll go ahead and talk about that a little more later when we talk about the lab setup and how to get that going. It's a way to virtualize your lab, and these are the built-in icons with GNS3. Now, at the end of each of these sections, I like to go through just a couple practice questions.
Just to make sure you've been paying attention and to give you a sense of what sort of questions might end up being asked about this information here. So with our first question here: which of these is the protocol data unit in layer four of the OSI model? Is it a page, segment, packet or frame? And remember, this is layer four here. So if you remember, down at layer two we had Ethernet as our main protocol there, and that is gonna be a frame as our protocol data unit at layer two. Layer three, we had a packet; it's an IP packet. Now layer four, for TCP it's called a segment; for UDP you have a datagram. So here the answer is B, a segment. Now, which of these devices cannot move traffic between broadcast domains? Now, we actually did not talk about this yet here, and we will soon, a little later in the course, but I want to see, just in case you were aware of what this is: a broadcast domain is a different subnet. Now, we'll talk about this a little more, but in your subnet, say you've got your 192.168.1.1/24. That means that, you know, we have usable addresses from 192.168.1.1 through .254; those are usable host addresses. When you send a broadcast, it is meant to be heard by all of these addresses, every single one of them. Every single host will receive that broadcast, and every single host will try to interpret it and look into it and see if it's information it needs to take action on or do anything about. Now, going to a different broadcast domain would mean that you are doing routing. You need to route between subnets, and you need to route, therefore, between broadcast domains. And as far as routing goes, a router does routing; a layer three switch, if you remember, is the same thing as a layer two switch, but it also does routing; and then a firewall, typically firewalls are also able to route. It would not really make any sense if it were only blocking traffic and not able to route anything. But here,
the thing that cannot route is a layer two switch. So the answer is C, a layer two switch. I hope this has been informative for you, and I'd like to thank you for viewing.

3. 1.1.2 Network Components Part 2: Access points, controllers and endpoints. In this video we'll be going over the second half of the endpoints that you would see in your network in your day-to-day work. Controllers here references both network controllers, such as Cisco DNA, and also wireless controllers, your wireless LAN controllers, and access points in this case is gonna be wireless access points. So jumping right on in, our wireless access points: what do they do? Fundamentally, they are wireless network access for our endpoints. They are access layer devices and really an extension of your access layer. When you have your core switches and your distribution block and your access layer switches here, then this device is actually a wireless extension, really, of your access layer, such that your computers and endpoints can go ahead and connect to the LAN wirelessly. Now, these operate in either standalone or lightweight mode. Typically, when you purchase a lightweight access point, it actually doesn't have the ability to operate in standalone. But in standalone, your traffic enters the network where that access point connects in, and the access point performs all actions that are needed in managing the wireless network. It does your authentication, and it will reach out to your RADIUS server if you have WPA2 Enterprise configured, and your network traffic goes into the network where that device plugs in, in whatever VLAN that may be tagged for. Now, with a lightweight access point, though, you're gonna end up using a controller, a wireless controller, a WLC. Typically, these operate in split MAC configuration, where your network traffic actually gets tunneled back over to the wireless controller before it enters into the network.
And I'll show you that a little more in the next slide here. The access points broadcast RF networks called service set identifiers, those are SSIDs. Everybody's familiar with this, I'm sure, when you go to your Wi-Fi and you pick out which SSID you want, be it called Bacon, then go ahead and connect to Bacon. We're gonna go through this a little more in detail further on in the course when we cover our RF fundamentals. And at layer two, your wireless access points use CSMA/CA. Now, what is that, right? That is carrier sensing multiple access, collision avoidance. Now, what does that mean? That means that when you want to go ahead, you're up here, right, and you want to go ahead and broadcast onto the network, or say, actually, your access point wants to go ahead and broadcast something out to you. It will go ahead and listen; it will listen to see if anyone else is broadcasting. If they are, it goes ahead and waits a certain amount of time before it tries listening to see if anyone's broadcasting again. If it's not, it will send out a request to you called a request to send, and then your device, your computer, your phone, your tablet, what have you, if nobody else is transmitting, it will send back a ping, basically saying clear to send. It does a quick little ping, boom, one-two, to go ahead and make sure that you can reliably transmit and receive traffic, and it uses that as a pseudo reliable connection to say, yep, it's safe, I'll go ahead and send this over. Now, moving on into the architecture a little bit here: like I was talking about with your lightweight access points here, when you connect in your wireless client and you go ahead and you broadcast over here to your lightweight access point, where your traffic, say you want to get out here, right, you're over here and you want to go ahead and do your DNS query, you send your traffic out.
Now, your lightweight access point here, say this guy actually connects over here. Your lightweight access point goes ahead and tunnels that traffic using CAPWAP; it encrypts that traffic and tunnels it over here, over to your wireless controller. So your traffic, you know, actually goes through here, through this physical bit; it might go through this way or it might go elsewhere, depending on how your spanning tree is right now, if these are layer two links. And then it goes over here to your wireless controller and it goes into your network here at your wireless controller. This is where your traffic is actually entering, not over here with the lightweight access point operating in split MAC. So in a centralized architecture, we use lightweight access points, and the access points are controlled here by a wireless controller. Now, in an autonomous infrastructure architecture, that is where you have your standalone access point. This is where you do not have a wireless LAN controller, and your access points operate independently; they don't really know that each other exists, and they don't care. They just see each other as interference. Whereas if you do use a wireless controller, then they can sense each other, be aware of each other, and go ahead and adjust their transmitting power and their frequency to make sure they don't interfere with each other, or at least try to interfere as minimally as possible. So that's just a brief overview of your access points and the types of access points you might see, your standalone versus lightweight access points, and a super brief overview here of how they actually end up working. We'll go into the wireless controller in a little more depth a little later, and a lot more depth as far as how Wi-Fi actually works and our RF fundamentals.
But moving on here into our controllers, the first type of controller we're going to cover is the wireless LAN controller. The wireless LAN controller manages the configuration and also many of the tasks for your lightweight access points, like your authentication and your radio resource management, the one where it listens to the other access points around in the area and sees whether they are part of this controller or not, or group of controllers; you can actually have a cluster of them, or a group of them, that are operating in tandem, and go ahead and sense whether the access point is part of that, so it can do radio resource management. Like I said, it acts as the entry point for your network. This can help a lot in your deployment, so that you don't have to have end-to-end VLANs, that you can go ahead and have your access point anywhere in the network, and you don't need the VLAN which those wireless clients are connecting to to exist in that part of the network. It could be way far away and the VLAN doesn't need to exist there, and it will all come back to the controller and end up entering into the network there, and that's where you do your filtering and your security and your access control. As I said, it does the computing for radio resource management, and it authenticates users onto the network; your authentication requests for both the pre-shared key and also RADIUS or LDAP or TACACS+ are going to be happening from your wireless controller here. The next type of controller we'll go over briefly is the DNA, the Digital Network Architecture controller. Now you may not have heard of this. This is a solution that's very, very similar to software-defined networking, SDN, and it controls devices in real time and does policy-based network management. You set a policy for a device or for your network.
Say you want a certain VLAN to maintain a minimal amount of latency, or you want to set a bandwidth limit on a specific client, or things like that. You can do that in Cisco DNA on devices that are compatible. And then moving on lastly to our endpoints. Now our endpoints, these are your computers, your workstations, your laptops, your cell phones, your security cameras, servers. Here we have a lock over here for, like, a hotel or office. Your phones, that now can have built-in video conferencing. I mean, this phone here does not have built-in video conferencing; it doesn't have a camera on it, but they can use much more bandwidth than we've encountered previously. And they are the generators and receivers of almost all of the traffic in our network. Like, think about it: your actual router or your switch or your controller is not really itself generating that much traffic. It's all your endpoints; those are what's using all of your network services. And they consume network services, things like Power over Ethernet. This is a service that your network provides and that they are consuming, and they can be wired or wireless. Now, just like in the previous slides, let's go ahead and jump into just a couple of practice questions before we leave off. First: what type of access point is centrally configured and managed? Now I know I've drilled this into your head just a little bit here, that autonomous access points operate independently and lightweight access points are centrally managed. The answer here would be B, lightweight access point. And, lastly, which of these is not a feature of Cisco DNA? Is it policy-based network connectivity, enhanced network visibility, or partner status with Cisco? Policy-based network connectivity is true. Enhanced network visibility:
I didn't explicitly state this, but it does provide for very much enhanced visibility into the operations of your network and how certain clients are utilizing your network, and the health of your network devices, and understanding more about where the traffic specifically is traveling in your network. It does offer this. Partner status with Cisco, that was just thrown in there to make sure you're paying attention, and that is not a feature of Cisco DNA. I hope this has been informative for you, and I would like to thank you for viewing.

4. 1.2 Network Topologies: Network topologies, WAN to LAN. In this section we'll be talking about the different general topologies you'll see in your work, both in the WAN, the wide area network, and also in your campus and smaller offices as well, and also in the data center, which, speaking of, I'd like to first talk about the spine and leaf topology here. Now, the spine and leaf topology is that you have your spines up here and your leaves down here. All of your leaves are connected to all of your spines. However, none of your spines are actually connected together; you don't have connectivity right there between your individual spines. This is a really fast topology that makes sure that if this guy here needs to talk to this guy over here, well, he's gonna go boom, boom, right there. And if this guy right here bursts into flames, great, he's gonna go boom, boom, just right over there. Great redundancy, really fast topology. But it's mostly common in data centers, because it's usually that your leaves need to talk to each other, whereas in a campus environment out here, you're gonna have your computer over here, and you're gonna have a computer over here, and these two guys usually don't need to talk to each other. Every now and then they will, but generally not really. So speed between the leaves is not something that we're worried about quite so much.
Now let's go ahead and talk about our WAN topologies just a little bit here. The first I'd like to talk about is hub and spoke. In the hub and spoke, this is excellent: you don't have that many links. You only have just the bare minimum, enough to go ahead and get full connectivity between all of your sites. You end up with a cost savings, of course, because you have the minimum number of links required, and it's simplified management. It's really common still, and was much more so previously, for these branch offices out here to get to the Internet, say we've got Internet out here and connected over to the hub here, that if this guy right here, say this is location one, two, three, if office one needed to get out to the Internet, it'll go over through our hub and out to the Internet from there, and same with two: if he needed to get out to the Internet, go down through our hub and out to the Internet. Now, if one needed to talk to two, then one would go over through the hub and over to two. And that's just how it worked for a long time, and that's still very common because it is much simpler to manage. You have a single point of management here, your hub. You can go ahead and go into one firewall, and you can do your management there. You can do one set of content filtering, one set of rules, and it's beautiful. Now the problem is that you do have a bottleneck. Everything is on this hub here. It's got to be a big, beefy router to really be able to handle this, especially if you have a really data-intensive business where perhaps these guys need to talk to each other really often, that this hub could get overwhelmed, or worse, if you have a lot of office-to-office, extension-to-extension calling going on, then this guy better be able to do that with very little latency, to make sure that your quality is not degraded and your experience is not just terrible. And you also have a single point of failure here at the hub. Now the thing is, all right,
so you could have, you know, really, a second device. I've nearly erased some of this here, and you could go ahead and have a second device here and have them connected. Got your switch coming out here into your switch, and this switch is really what's connecting out to these guys, and that looks like a mess, but you get the idea. And then it's like, all right, so if this physical router catches on fire and goes down, well, then they still have connectivity. But really, what you're worried about is not the physical failure of the router. It's a failure of your Internet connection or your wide area network connection, that really, when you have three lines coming out like this, what that really means is: you've got your utility pole here, and say you've got your business right here, right, and you've got this line coming out over to your utility pole, and maybe from there it goes down underground, three, and you've got your office over here and your office over here and your office over here, and it splits out and goes all over to those guys. That means you still have one physical line coming out here of your office, that your little distractor over here, little backhoe, just, foof, could just cut that guy right there, and bam! All of your connectivity between all of your locations, they're all dead in the water. Nobody can talk to anything. Your Internet connectivity is down and you are grinding to a halt; it is just really a single point of failure and a little problematic to have just a pure hub and spoke like that. So moving on to the other extreme here, let's go ahead and talk about our full mesh, full mesh connectivity. Now, this isn't necessarily saying that you wouldn't just have, you know, maybe one Internet connection out to here; you still could, and then to get out to the Internet, they'd still have to go through this guy. But let's just say that they all have their own Internet connections and they're all connected to each other.
This definitely provides for the maximum amount of redundancy. I mean, imagine this guy goes down. Great, you can still go here and go here. And it's like if this guy goes down, then two, great, can still go here and go over here, or you could go here, here, here. If this guy goes down, then, I mean, you still have the maximum amount of redundancy here. But, man, you have a lot of links. It's either you have a bunch of VPNs, say this is a branch office, branch office, branch office, branch office, you either have a bunch of VPNs going out all to each other, or, man, you have got a lot of links, that when you're purchasing a wide area network service, an MPLS, VPLS, what have you, from your service provider, they will generally charge you for that kind of connectivity, that you're gonna end up paying more and have a higher cost. Now, also, if you have a lot of locations, you might be managing policies at every single individual site. And if you have 40 of these, 50 of these, 100 of these, of just separate little branch offices, then you could have just an infeasible amount of management. The administrative overhead there could just be purely prohibitive. Now, as a purely academic little bit here, the number of links required: the equation here is what is used to calculate that, that in order to do full mesh connectivity, it's n minus 1 times n over 2. So if I had eight offices, I'd have 8 minus 1 times 8 over 2, so that would be 7 times 4, which would be 28 links in order to have full mesh connectivity for n equals 8. Now moving to the nice happy medium between those two, let's go ahead and talk about our partial mesh. Now our partial mesh connectivity has kind of the best of both worlds, really.
That is, you could have, say, a hub and spoke with dual hubs, that you have more redundancy than just the hub and spoke, that if this link goes down, this guy still has connectivity, or if this link goes down, he still has connectivity, that it does provide better redundancy. You're gonna have fewer links and therefore less cost, and these two here are kind of just one and the same: you have less cost because you have fewer links. Management with this, though, that could be kind of tricky, to keep track of how each device is connected and who's connected to who. That could be a little difficult. You're gonna have to keep really good records in your Excel sheet to make sure that that's all together. And some sites don't have redundant connectivity in a partial mesh, usually kind of like this guy right here, that he doesn't actually have redundant connectivity. This might be a good topology for you if you end up finding that, say, like, this guy was your hub, and spoke, spoke, spoke, but that this guy here and this guy here needed to talk a lot, and you wanted to get a direct connection between them so that it didn't have to go through the hub over here all the time. And it is overall more simplified management than a full mesh. So moving on to our collapsed core design here. So this is kind of the network that everything wants to try and be. This is moving into our campus here, where now we have a two-tier network. We have our core/distribution layer and our access layer. And remember, this is in the campus. This is not in your wide area network right now, so this is actually at your office or your group of offices. And this is much more typical of small to medium sized businesses, to get your collapsed core, where your core and distribution layer are in the same collapsed core here, and you end up having your redundant distribution switches and then going out with redundant connectivity to your access layer switches.
This is resilient, and it's scalable; you can get really big on a two-tier network here. There's no set size that Cisco has defined as to when you're too large to use a two-layer network, and it's still very scalable, and it's still very resilient and redundant here. One of these guys up here, your core switches, could just burst into flames, and it doesn't matter. All of your guys still have connectivity through your redundant area here. You could end up losing an access layer switch, no problem. It's just gonna end up affecting those individual people there. It really helps limit your fault domain. That's a word to remember for the exam. A fault domain is what defines how wide of an effect a specific fault has. If this switch here were to go up in flames, then all of the devices connected to that switch are what are affected; nothing else is. These guys over here are affected because of this switch over here. And if one of these guys up here ends up going up in flames, then, well, that actually doesn't have much of a fault domain, because it just fails over to this guy. But this can survive one failure here between the two. If both of them go up, then all of these guys lose connectivity. That's a rather large fault domain, because they are not interconnected like that, to be able to have another method to get around in the event that both of those guys were to go up in flames. Now, this is our two-tier design, right? Say you get really big and get to the point where you're just running out of ports and you don't really see how you can add in another distribution switch. Say you like adding another guy over here, boom, and you add in another guy over here, boom, and this guy has his own switches over here that are connected over there, and you switch here and a switch here, and he's connected, and all of these are all connected, and this guy too is connected to everything.
And you've got all of these guys, and you're still finding you're just too big. Well, that's when we move over to our traditional three-tier design, where we go ahead and split out our core and our distribution blocks here, such that if you really needed to get this scaled, because this is the ultimate in scalability, then you just tack on another distribution block here. See? Boom! This guy just had a kid, and you ended up adding on another distribution and access block there. And you can keep doing this. You could just copy that, boom, here, here, here, here. Typically, this is what ends up happening when you have multiple buildings: this block here is one building, this block here is another building, and then so on and so forth. I'll continue scaling like that, and these might all be a few floors apiece, that this guy will be, like, floors one through three, and this guy will be four through six, and so on and so forth. And they will have all of your people connected into those switches there. It really is the ultimate in scalability. And it adds redundancy, that each of these tiers does have individual roles that they end up fulfilling, that we'll talk about soon. And in this, of course, it's always good to remember: this is redundant. This is meant for redundant connectivity. Two is one, one is none. What do I mean by this? When you have two, like here, one of these can go up, boom, all right, great, you're gonna fail over to this guy. If you only have one, and say, like, this guy just is out of the picture, he just never existed, then this guy, boom, up in flames, oh God, there goes all of our building's connectivity. And what is that costing you? The hourly wage of every single one of these people, Bob in accounting and Alice over in marketing.
All these people getting paid 30, 40 dollars an hour, and they're just sitting there with no ability to do anything, costing your company thousands, perhaps, per minute, to go ahead and pay all these people to stand around doing nothing, because you did not have redundant connectivity into your network, and now, due to a fault, due to leaky pipes, due to your electrical just having a surge, you end up costing your company a lot of money. Now this also helps for ease of understanding, to really simplify your network rather than just having a spiderweb or rat's nest of connectivity, that people can really wrap their head around the three-tier design. It's been around for a long time, and it really helps with understanding and also isolating your faults and getting good fault isolation here, that in the event one of these switches down here dies, great, you know that only this floor here is affected. If this guy dies, boom, fails over. If this guy dies, boom, fails over; everything still just hums right along. Now, in these individual layers, each one does have its own roles to fulfill. Down in your access layer, this does features like Power over Ethernet and port security. This also is where you're going to do your rate limiting, and this is where you run spanning tree and your spanning tree toolkit, like PortFast, BPDU guard, root guard. Down here is also where you would implement 802.1X. And if you want to do layer 2 switching, if you had layer 2 down to the access rather than, uh, routed access, er, I'm sorry, if you had layer 3 down to the access, that these are layer 3 links here and here and here and here, and these have their own subnets, just point-to-point, a /30 just here on that link there, then you'd only have VLAN switching and layer 2 switching down here at the access, and you don't have any spanning tree up here at the distribution layer.
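The hub-and-spoke single point of failure, the n(n-1)/2 full-mesh link count, the partial mesh with a site that has no redundant path, and the two-tier and three-tier fault domain ("two is one, one is none") discussed above can all be checked by modelling the topology as a graph. The following is an added example, not code from the course; the site and switch names, the link layout and the "internet"/"wan" anchor node are all constructed for illustration.

```python
"""Added example: the WAN and campus topologies from this lesson as graphs.

Constructed for illustration only; the device names, link layout and anchor
node are assumptions, not from the course.  We ask in code what the lecture
asks in words: how many links full mesh needs, which device is a single point
of failure, and how big the fault domain of one or two failed devices is."""
from collections import deque
from itertools import combinations


def full_mesh_links(n):
    """Links for n fully meshed sites: n(n-1)/2, the formula from the lecture."""
    return n * (n - 1) // 2


def add_link(graph, a, b):
    """Undirected link between two devices (adjacency sets)."""
    graph.setdefault(a, set()).add(b)
    graph.setdefault(b, set()).add(a)


def hub_and_spoke(spokes):
    """One hub with the Internet and every branch hanging off it."""
    g = {}
    add_link(g, "hub", "internet")
    for s in spokes:
        add_link(g, "hub", s)
    return g


def full_mesh(sites):
    """Every site linked directly to every other site."""
    g = {}
    for a, b in combinations(sites, 2):
        add_link(g, a, b)
    return g


def dual_hub_partial_mesh(dual_homed, single_homed):
    """Hub-and-spoke with two hubs: `dual_homed` branches reach both hubs,
    `single_homed` branches only hub1 (the lecture's site without redundancy)."""
    g = {}
    add_link(g, "hub1", "hub2")
    for hub in ("hub1", "hub2"):
        add_link(g, hub, "internet")
    for s in dual_homed:
        add_link(g, "hub1", s)
        add_link(g, "hub2", s)
    for s in single_homed:
        add_link(g, "hub1", s)
    return g


def three_tier(buildings, floors_per_building):
    """Redundant core pair, a redundant distribution pair per building, and an
    access switch per floor dual-homed to its building's distribution pair.
    A 'wan' node on both cores is the anchor everything must still reach."""
    g = {}
    add_link(g, "core1", "core2")
    for core in ("core1", "core2"):
        add_link(g, core, "wan")
    for b in range(1, buildings + 1):
        d1, d2 = f"b{b}-dist1", f"b{b}-dist2"
        add_link(g, d1, d2)
        for core in ("core1", "core2"):
            add_link(g, core, d1)
            add_link(g, core, d2)
        for f in range(1, floors_per_building + 1):
            acc = f"b{b}-floor{f}-access"
            add_link(g, d1, acc)
            add_link(g, d2, acc)
    return g


def reachable(graph, start, failed=frozenset()):
    """Breadth-first search from `start` with every device in `failed` removed."""
    if start in failed or start not in graph:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in failed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def fault_domain(graph, anchor, failed):
    """Surviving devices that can no longer reach `anchor` once `failed` are
    down: the lecture's fault domain of that failure."""
    survivors = set(graph) - set(failed)
    return survivors - reachable(graph, anchor, frozenset(failed))


def single_points_of_failure(graph, anchor):
    """Devices whose loss, on its own, cuts some other device off from `anchor`."""
    return sorted(n for n in graph
                  if n != anchor and fault_domain(graph, anchor, {n}))


if __name__ == "__main__":
    print("full mesh, 8 sites:", full_mesh_links(8), "links")
    hs = hub_and_spoke(["office1", "office2", "office3"])
    print("hub-and-spoke SPOF:", single_points_of_failure(hs, "internet"))
    pm = dual_hub_partial_mesh(["office1", "office2"], ["office3"])
    print("partial mesh SPOF:", single_points_of_failure(pm, "internet"))
    campus = three_tier(buildings=2, floors_per_building=3)
    print("three-tier SPOF:", single_points_of_failure(campus, "wan"))
    print("both b1 dist switches down:",
          sorted(fault_domain(campus, "wan", {"b1-dist1", "b1-dist2"})))
```

The point of the anchor node is that "redundant" only means something relative to what the devices need to reach: in the three-tier graph no single device is a single point of failure, but taking out both distribution switches of one building isolates exactly that building's access switches and nothing else, which is the bounded fault domain the lecture is describing.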
Now that's if you had a routed access layer, and that's what that's called when you have layer 3 switches down at the access layer: a routed access layer. This is becoming more common, but it's not totally ubiquitous yet, that there are many people who are going this way just because you can get a layer 3 switch for almost nothing, right, that you can go out and get a 3560 or 3550 layer 3 switch, and I mean they're dirt cheap. Even a gigabit switch is no problem, that a lot of IT departments are now upgrading; even when you have a really large number of switches, the price is just getting to the point where you can do that easily and it makes sense to go ahead and do it, and it simplifies and brings spanning tree even further out of your network. Moving up to the next layer here, we're going to talk about the distribution layer. This is where you have your redundancy and load balancing, and this is also where you end up doing your packet filtering and policy-based access. That's what gets implemented up here at the distribution rather than down at the access layer. And the reason why is because this is where you're aggregating all your connections together. This is where you're summarizing and sending that summary route up into the core block here, that the core doesn't need to care about all of the subnets that exist over here in this Joe Schmo network closet over in building 13A, that we can just go ahead and send the whole 172.16.0.0/23 route up into the core block here, knowing that that encompasses a lot of the routes down here. This is where you're going to do your summarization and your aggregation. And this is also where the routing between the VLANs happens if you have a switched access design; that's where you have layer 2 down to the access.
If you don't have your layer 3 switches down at the access layer, or you just don't configure layer 3 links here, routed links between the access and the distribution block, then your routing between your VLANs is happening up here at your distribution layer. That's what's getting, you know, guy down here, if he is on VLAN 6, and guy over here is on VLAN 3, and they're both connected in, that if you have layer 2 links here, great, this is gonna go up here and it's gonna end up being switched to here and routed down into that other VLAN, and the routing is gonna happen up here. And actually, even if you only have a computer down here on the same switch, this is really a better example of this, and he's connected on VLAN 4, in order for 6 to go ahead and talk to 4, I need to go up here, get routed here at the distribution layer, and come back down on VLAN 4, if you have a switched access design. And this is also where your QoS policies get put into place. And this is where you have your redistribution between routing domains and your protocols happening; typically that ends up happening at the WAN, right, where you're running a protocol with your service provider and then you're also running an internal routing protocol, and then the way that ends up being pointed places, you usually have your own distribution block here, right, where this connects into, whoops, this connects into your switches here, and these guys, you're gonna have a router here that connects out into your WAN, and here is where you're gonna go ahead and redistribute between your OSPF here that's internal and your BGP here that's being run external. Now moving on up into the core here, the only real thing that we worry about in the core is speed, speed and more speed, that we want to do absolutely minimal packet manipulation. We might run some QoS, but that's really about it.
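Before a distribution block advertises a summary like the 172.16.0.0/23 mentioned above, it is worth checking two things in code: what the smallest single prefix covering the closet's subnets actually is, and how much address space inside that prefix is not assigned to any VLAN, because a summary wider than the subnets behind it attracts traffic for prefixes nobody owns. The following is an added example using Python's standard-library ipaddress module, not code from the course; the VLAN subnets are constructed for the example.

```python
"""Added example: summarization at the distribution layer, checked with the
standard-library ipaddress module.  The subnets below are constructed for
this example and are not from the course.  Two questions a practitioner
wants answered before typing a summary route: what is the smallest single
prefix that covers this block, and how much space inside it is unassigned?"""
import ipaddress


def to_networks(prefixes):
    """Parse 'a.b.c.d/len' strings into network objects."""
    return [ipaddress.ip_network(p) for p in prefixes]


def summaries(subnets):
    """Fewest prefixes that cover exactly these subnets, with no over-reach."""
    return sorted(ipaddress.collapse_addresses(subnets))


def single_summary(subnets):
    """Smallest single prefix covering every subnet: widen the lowest network
    address one bit at a time until the highest broadcast address falls inside."""
    lo = min(n.network_address for n in subnets)
    hi = max(n.broadcast_address for n in subnets)
    for plen in range(lo.max_prefixlen, -1, -1):
        cand = ipaddress.ip_network(f"{lo}/{plen}", strict=False)
        if hi in cand:
            return cand


def overreach(summary, subnets):
    """Address space inside `summary` that none of `subnets` actually uses."""
    pieces = [summary]
    for sub in subnets:
        remaining = []
        for piece in pieces:
            if piece.subnet_of(sub):
                continue                      # fully used by this VLAN, drop it
            if sub.subnet_of(piece):
                remaining.extend(piece.address_exclude(sub))   # carve it out
            else:
                remaining.append(piece)       # disjoint, keep as is
        pieces = remaining
    return sorted(ipaddress.collapse_addresses(pieces))


if __name__ == "__main__":
    # Constructed closet: VLAN 3, VLAN 4 and VLAN 6 subnets behind one
    # distribution pair.  The /23 summary leaves 172.16.1.192/26 unassigned.
    closet = to_networks(["172.16.0.0/24", "172.16.1.0/25", "172.16.1.128/26"])
    one = single_summary(closet)
    print("exact cover:", [str(n) for n in summaries(closet)])
    print("single summary:", one)
    print("unused space advertised:", [str(n) for n in overreach(one, closet)])
```

collapse_addresses never widens beyond the input, so it tells you whether the subnets already fold into the summary you intend to advertise; the single-prefix summary is the one you would actually configure, and overreach shows what it over-claims. Unassigned space inside a summary is harmless only if the distribution router has a discard route for the summary itself, so that traffic for the gap is dropped there instead of looping back and forth with the core.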
The whole idea is for this to be redundant and fault tolerant, and for this to really just be an interconnect between all of the distribution blocks, that the idea is not really to have our network be this and just stop. It's, we're gonna have another distribution block here, and another one here, and another one here, another one here, that we're adding on more buildings, we're adding more sections to go ahead and scale our network out, and really be able to route between all of those distribution blocks. So that's really what the core is doing, is making it so all the distribution blocks don't need to be all connected independently between each other, so as to have just a central area where we can go ahead and aggregate those distribution block connections and have one central core to connect them all together. Now moving out into our smaller office here and away from our campus, let's talk about our SOHO, small office, home office. This is typically a single router that's single or multi-homed. Now let's talk about that for a moment, as far as what homing means, is that you can have single homed, multi-homed, or dual homed. Let's first talk about single homed: so you got your router, you got your Internet, single homed, router, Internet, one connection to one ISP. Now dual homed is typically where you have two connections to one ISP, and then multi-homed would be if you have at least one connection to multiple ISPs. And that's what you would end up doing for redundancy, of course. And it uses either integrated or external switching for LAN access. Now you can get your integrated switching modules for your ISRs, of course, and go ahead and connect your phones and your computers all into the network as you would need. Down here, as you can kind of see, you've got your router here and your switch here, and the router and switch can just be built in together in your ISR, and you'll have your desktop and your laptop and your phone.
You know, maybe you have a little small five-person branch office there that can get away with up to 48 ports in their ISR, that you'd really need it to be relatively large, or just be looking to use a model of a router or firewall that doesn't have the ability for a switching module, to use an external switch, and the external would use an access layer switch, your layer 2 switches or your small 3550s and 3560s. Now, just like the other sections, let's go into a couple of practice questions before we jump off here. First: which two of the following describe the distribution layer? Is this where we have high speed data transport, that it applies network policies, performs network aggregation, concentrates user access, provides Power over Ethernet, or avoids data manipulation? Now, high speed data transport: of course, we want all of our layers to do that, but really the one where this is focused most heavily is at the core layer. Now, applying network policies, yeah, our distribution layer. This is where we have our policy-based access, and that's gonna end up being our first answer here, B, applies network policies. And performs network aggregation, yeah, this is where our access layers are aggregated together, and we send off a summary route into our core layer. And as far as concentrating user access, providing Power over Ethernet, and avoiding data manipulation: this guy and this guy are just down at your access layer, and avoiding data manipulation describes our core layer again, because we're just thinking about our very high speed data transport. So our second answer here is going to be C, that it performs network aggregation. And then into our last question here: how many connections are needed for a full mesh topology with eight nodes? Now here n is gonna equal eight. Now, you could go on, go on, 2, 3, 4, 5, 6, 7, 8, and go 1, 2, 3, 4, 5, 6, 7, and 1, 2, 3, 4, 5, 6, and continue doing that.
Or you can go ahead and do 8 minus 1, n minus 1 times n over 2, so this would be times 8 over 2, which is 7 times 4, which equals 28. 28 here is our answer, C. I hope this has been informative for you, and I would like to thank you for viewing.

5. 1.3 Physical Cabling: Copper and fibre cabling. In this section we're gonna go over the physical cables that link all of your infrastructure together, whether it's over the WAN or internally at your organization. A lot of network engineers spend a lot of time at the command line doing everything in a logical sense, how all of our equipment logically connects together and how all of the logical connectivity requirements end up taking place and coming all together. But there are a lot of people who don't pay much attention to the physical cabling aspect of our network infrastructure, and you really need to be aware of, one, the physical requirements and limitations of the different types of cables you'll be using, and also just to recognize the types of cables that you'll see in your day-to-day work. So first up here, let's go ahead and talk a little bit about the difference between shared media and point-to-point. Point-to-point, this is your serial connections; that's these over here. These are connections that you'd end up getting from a service provider, typically, and this might be a T1 or another type of speed, and T1 is 1.44 megabits per second. That's actually what defines T1, not the connector. Sometimes it comes in on an RJ45 like this, but the wires are connected a little differently, or it might come in on a serial connection like this. And as a note, in GNS3, by the way, that's GNS3, we're gonna be going over this a lot more in detail; if you haven't watched the beginning of this course, with lab configuration and setup, that goes over a lot of GNS3.
You want to go ahead and look through that, as that's what I'll be using mostly during the lab lectures, and showing how we're setting up our topology there. This is the symbol here for a router, as I've shown in the previous videos. And this here, this is the connection that symbolizes a serial connection; that is a point-to-point connection. This, however, you might recall, is a switch, and you have our computers connected. Now, in shared media, you end up having a broadcast network. You also have a collision domain, because if this here were not a switch and rather it were a hub, and all of these computers here shared the same media, because, remember, a hub basically just connects these as if they're one big wire that's split out four ways, then all of them are able to transmit on this media at the same time. And that is a shared media connection, whereas in point-to-point, in a serial connection over here, the two devices know that it is a point-to-point connection, and they know that there is only one other device on that link, so they can go ahead and communicate accordingly. So I listed a couple of little standards here as far as LAN media. That 100, I'm sorry, 1000BASE-T, this is your unshielded twisted pair copper. This is your RJ45 links. The BASE-T is that this is UTP, unshielded twisted pair. Whereas your 1000BASE-CX, this is your coaxial. If you remember, it's gonna look a lot like the cable they will run into your house for cable TV, where you have your one individual little copper wire there, and then your shielding all around it, and it will come into your end with a screw top there that's crimped onto the end, to be able to screw into your device. The BASE-CX, the 1000BASE-CX, that is gigabit, for 1000 megabits, and the CX is your coaxial. This has a maximum distance of 25 meters before it needs to have a booster of some kind or repeater. Your unshielded twisted pair, your UTP,
this has a max distance of 100 meters, and this is at gigabit, mind you; that changes a little bit if you're using a different category of cable and you end up with a 10 gig connection instead of a one gigabit connection. And just to give you a small sense here as far as the types of fiber media that are out there: our 1000BASE-LX, this is your long distance gigabit fiber. This can be in single mode or multi-mode. We're gonna go over that a little more in just a moment here, but what this pretty much means is that single mode is highly designed and highly specific to just one wavelength of laser light in your fiber line here, and because of that they have gotten it to where it has very low attenuation, that it doesn't lose much of its power or any of its data for a very long time. So you can get really long distances out of this, five kilometers. This is where you end up seeing your metropolitan area network, your MAN, or also your WAN connections from your ISP might have a fiber backhaul that is single mode fibre, to go ahead and get those long distances before they need to have another repeater there to boost that signal again. And then your 1000BASE-SX, I use this S as "short range", that this is only your multi-mode fibre. Multi-mode is a more general type of fiber; multi-mode allows more types of light. It can also allow for more bandwidth, for your multiple wavelengths of light to be transmitted at the same time. And this has a much shorter distance, though, because it is more general and it's not so highly tuned to just one wavelength of light. You can only get a maximum of 550 meters out of your multi-mode fiber, and that is, of course, dependent on the wavelength of light that you're using; you'll need to go ahead and check out a book to get a full list of all of the wavelengths that are available, though, as I understand, on the exam here,
As far as the topics go, they're not really looking for you to know all of the specific wavelengths and their distances, just to know that multimode and single mode fiber do exist, and the general difference between them. Moving on to our next slide here, I've listed what the different fiber connectors look like, and also here is a table of the color coding for your different types of fiber cables and those connectors. Over here we see a lot of different fiber connectors. You might not see many of these. Usually, single mode you're not going to see very much, just because that's not what you're using in the data center; it's much more expensive. The single mode transceivers are not compatible with multimode cables and vice versa; you do need a specific transceiver for this type of cable, you do need a specific cable, it's very expensive, and overall you're just not going to see that very often unless you're in a provider setting, where this would make sense because you really need that distance. Your multimode, generally these jackets (the jacket being the color of the actual jacketing on the cable) are going to be orange, and your single mode, for the most part, is going to end up being yellow. Your actual connector can be beige or black. Generally this ends up corresponding to your wavelength, your 62.5 micrometer and your 50 micrometer. Now this ends up giving you a little bit of nomenclature here. You don't really need to know that much, and overall I don't expect you'll need to remember this table at all.
But I think it is a good thing to know that the color of the cable and the type and color of the connector that you're looking at, as far as fiber goes, does have a meaning: it is trying to tell you what type of cable it is and what it's used for, so that you can recognize it readily while you're in the data center, or your campus, or your network closet, and know what it is you're looking at and have a better sense of what you need to do and where things need to plug in. Our next slide here gives a little bit of a rundown of the difference between single mode and multimode cable. As already said, single mode can have longer cable runs; we saw up to five kilometers of cable that can be run before it needs any kind of repeater or signal booster. That's a long distance, that's a couple of miles, that you could just have fiber line running underground before it needs to plug into anything and have that signal boosted. Multimode is much, much cheaper, though. The cable itself is much cheaper, the transceivers are much cheaper; unless you actually need the distance of single mode, multimode is the way you're going to go. Single mode, as I explained, only carries one individual wavelength. It is highly tuned for that one wavelength to have as little signal attenuation as possible, so that it doesn't lose that signal as it's carried through, and multimode can carry multiple wavelengths at the same time. So over here in this little Venn diagram we've got single mode and multimode, and then the common properties of them. In your single mode you generally have a nine micrometer core, and you have higher bandwidth and lower attenuation; you can get higher bandwidth out of your wavelength with single mode because of the lower attenuation.
It's generally used in telecom networks, your provider networks. Both of them, multimode and single mode, use glass fiber. They can both be simplex or duplex. If we go back one slide here, I want to talk about this guy. You see how this is split into two: this is going to be a transmit side on one side and a receive side on the other. It's split out into two separate cables, which is interesting. You can run into some problems where you accidentally have a unidirectional link with your fiber lines, because one of these just ends up getting unplugged and the line protocol stays up and it keeps on receiving, but it's not able to transmit anything, or vice versa. So going back here, it is lower bandwidth per wavelength in multimode due to the higher attenuation. It's used in your LAN and security systems, general fiber networks. Like I said, if you don't really need the super long distance that you'll get out of single mode, then there's just no need to pay the extra money. And then, lastly, I wanted to cover some Power over Ethernet basics as far as how that works and the types of standards that we have available down here. So Power over Ethernet, if you've never heard of this, what it is is that you can take your same RJ45, your regular Ethernet cable that we saw back here, this guy, and you can transmit power over it, so that for your security cameras or your access points or your routers you can have just one cable going to them. You can have more flexibility as far as where you're placing these devices, because you don't need to have power nearby in order to place your device there; you can just have this one cable going there. Moving back over, these have progressed over time, where 802.3af is the oldest standard,
802.3at is newer and 802.3bt is very new. These have progressed as our devices have gotten more complex: now we're doing high-power wireless access points, IP cameras, IP phones of course, but our phones are getting more complicated, video phones with a built-in camera that require more; and your IP cameras and your wireless access points, with different types of wireless technologies coming out, need more transmission power, and therefore the standards needed to catch up for supplying that power over Ethernet. Down here, this shows the cable category that is needed in order to be compatible with these standards. 802.3af came out a while ago; you only need Category 3 in order to supply that. Your maximum wattage received at the end device does go down with Cat 3, just because it is not as well shielded and loses a lot of that power over the length of the line; with Cat 5 you're going to get much closer to that 15 watts. 802.3at supplies a maximum of 30 watts and 802.3bt supplies a maximum of 60 watts. Now, I would remember these standards here, what the letters are and how much power each one supplies; I can almost guarantee you that will come up at some point. Now, Power over Ethernet can be supplied by a switch, as we see right here; this switch actually injects power into these lines. A lot of times with your PoE switch, not all of the ports are PoE, unless it's an expensive switch, in which case you might have all of your ports capable of PoE. In your configuration on Cisco, you do it as "power inline". You can turn off your PoE here by doing "power inline never", you can set it to a specific profile, or you can just have it auto-negotiate. Now, with Power over Ethernet, the way this ends up negotiating,
say you have a cable coming out of here and going over to a wireless access point. The way this works is that the PoE device that's injecting PoE is either going to be your switch over here, or it will be a separate injector, and when this device turns on and brings the line up, it will supply a very, very small amount of power, enough so that if this is not a PoE device it will not damage it. Then it'll expect a small response back: there's a little chip in this guy that will send a response back saying "yes, I am PoE capable, please send me power," and what it does then is start sending enough power so that they can negotiate which amount of power they actually need to send. And it won't just be negotiating to a standard; these standards give a maximum amount of watts, and this guy here, our PoE access point, can actually draw as much power as it needs, or as little as it needs, up to the maximum amount allowed by the standard that is supported. And with a PoE injector (let me clean this up a little bit here), say you've got your switch here and your switch is not a PoE switch. Then you have your access point here, and you need Power over Ethernet to your access point, but wherever this access point is doesn't have any power nearby. Then you go ahead and put in a PoE injector. This injector is a separate little box
that is usually about the size of your laptop power adapter, your brick. It takes in Ethernet on one side, also plugs into a power outlet, and spits out your Ethernet with Power over Ethernet on the other side. This is what you would use if you have a non-PoE switch but you need to connect a PoE device. I've seen this used a lot of times with IP phones, in a lot of offices, maybe an older office, where they didn't put in a Power over Ethernet switch, or maybe there are just not enough people there that they thought it was justified to put in a PoE switch. So they go ahead and put in a bunch of PoE injectors. It simplifies even just the number of cables sitting on your desk: you don't need a power cable and an Ethernet cable coming in, you can just have your Ethernet cable coming in and supplying power to your phone, and then usually from your phone you can even just have a cable coming off of it and going over to your laptop or your computer, supplying the network connection to your computer from there. Thanks for staying with me here, guys. Now, just like the others, let's run through a couple of practice questions before we leave off. First up: you have a connection that needs gigabit connectivity over a distance of 200 meters. What cable type should you use for the lowest cost? You have a 200 meter cable run, and it needs to be the cheapest option. You might remember coaxial; this was our lowest one, with only a maximum of 25 meters. This is not going to do for 200. Unshielded twisted pair, your regular Ethernet, your RJ45 connector: this one has a maximum run length of 100 meters, also too short for our 200 meters. Now, between multimode and single mode fiber. First, just saying, PoE, we know this is not it; that's just there to make sure you're paying attention. Multimode fiber and single mode fiber:
we know that both of these have a long enough run length to get our 200 meters, but which one is the cheaper option? Multimode fiber is going to be our cheaper option. Single mode provides much greater distance and higher bandwidth over one individual frequency, and multimode fiber is cheaper and is our correct answer here. Next: what minimum PoE standard will your PoE switch need to be compatible with in order to use a Power over Ethernet wireless access point which requires 30 watts of electricity to operate? Is this going to be 802.3af, 802.11ax, 802.3at, or 802.3bt? Now, B here is just a wireless standard; that is not a PoE standard at all, just to make sure you're paying attention again. So that is not going to be our answer. 802.3af, you might remember, was the earliest standard for Power over Ethernet. Mind you, as a quick note, Cisco did come out with their own implementation of Power over Ethernet called Inline Power, and that was before 802.3af, just as a little tidbit there. Inline Power does not exist anymore; switches don't support it anymore as a standard, and it's gone to the industry standard now of af, at, bt. So af provides a maximum of 15 watts of power. That is not high enough for our 30 watts. It might turn on the WAP, but the WAP just is not going to be able to operate at its maximum capacity. 802.3bt, that is our newest standard that is coming out. That is a maximum of 60 watts of power, a lot of power to be supplied through one cable with that standard. Yes, this would be a correct answer if you selected it, but really it's not the most correct answer: although this does supply the amount of power needed, it's not really the answer we're looking for. The answer is C, 802.3at, which provides a maximum of 30 watts of power, and our answer is C. Now I hope that this has been informative for you, and I'd like to thank you for viewing.
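Added example, not part of the course: a small Python model of the PoE start-up the lecture describes (low-voltage probe, signature check, class read-out, power budget) and of the "which standard do I need" question. The resistance, current and wattage thresholds are the IEEE 802.3af/at detection and classification values; the 802.3bt rows include the 90 W Type 4 figure, which goes beyond the 60 W the lecture lists. Nothing here is Cisco code; the function and field names are mine.

```python
"""PoE (IEEE 802.3af/at/bt) start-up model: detection -> classification -> budget.

Added example, not from the course. A PSE (switch port or injector) first
probes with a few volts and powers the port only if it measures a valid PD
signature, so a plain NIC is never damaged; it then reads the class current
and allocates up to what its standard allows.
"""

# Detection: the PSE applies 2.7-10.1 V and measures the PD's signature
# resistance. Only this window counts as "I am PoE capable".
SIGNATURE_VALID_OHMS = (19_000, 26_500)

# Classification: at 15.5-20.5 V the PD draws a current that encodes its
# class (PSE-side windows, mA). A current outside every window is class 0.
CLASS_CURRENT_MA = {1: (8, 13), 2: (16, 21), 3: (25, 31), 4: (35, 45)}

# Power the PSE must make available at the port for each class (W).
# Classes 5-8 (802.3bt, 45-90 W) are left out of this model.
CLASS_PSE_WATTS = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4, 4: 30.0}

# Maximum port power per standard (W at the PSE; the PD sees less after
# cable loss, e.g. 25.5 W at the PD for an 802.3at port).
STANDARD_MAX_WATTS = {
    "802.3af": 15.4,
    "802.3at": 30.0,
    "802.3bt Type 3": 60.0,
    "802.3bt Type 4": 90.0,
}


def detect(signature_ohms: float) -> bool:
    """True if the measured resistance is a valid PD signature."""
    lo, hi = SIGNATURE_VALID_OHMS
    return lo <= signature_ohms <= hi


def classify(current_ma: float) -> int:
    """Map the classification current to a PoE class (0 if no window matches)."""
    for pd_class, (lo, hi) in CLASS_CURRENT_MA.items():
        if lo <= current_ma <= hi:
            return pd_class
    return 0


def power_up(signature_ohms: float, class_current_ma: float, pse_standard: str) -> dict:
    """Run detection -> classification -> budget for one port and report the result."""
    if not detect(signature_ohms):
        return {"powered": False, "pd_class": None, "budget_w": 0.0,
                "reason": "no valid PD signature: port left unpowered"}
    pd_class = classify(class_current_ma)
    if pse_standard == "802.3af" and pd_class == 4:
        pd_class = 0  # an 802.3af-only PSE treats a class 4 request as class 0
    budget = min(CLASS_PSE_WATTS[pd_class], STANDARD_MAX_WATTS[pse_standard])
    return {"powered": True, "pd_class": pd_class, "budget_w": budget,
            "reason": f"class {pd_class} PD on an {pse_standard} port"}


def minimum_standard(required_w: float) -> str:
    """Lowest standard whose port budget covers the PD (the 30 W practice question)."""
    for name, max_w in STANDARD_MAX_WATTS.items():
        if max_w >= required_w:
            return name
    raise ValueError(f"{required_w} W exceeds every PoE standard")


if __name__ == "__main__":
    # Constructed scenarios: a class 4 access point on an at port and on an
    # af-only port, a non-PoE device (no signature), and the 30 W question.
    print(power_up(25_000, 40, "802.3at"))
    print(power_up(25_000, 40, "802.3af"))
    print(power_up(1_000_000, 0, "802.3at"))
    print("30 W access point needs at least", minimum_standard(30))
```

The last call answers the practice question the same way the lecture does (802.3at), and the second call shows why an 802.3af switch "might turn the WAP on" but never give it more than 15.4 W.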
1.4 Layer 1 Troubleshooting

Layer 1 troubleshooting: collisions, errors and mismatches. At Layer 1, this is our physical interface and our physical cabling. Speed and duplex are some physical interface characteristics that you'll find on your network devices, and then there's your cable length. As we recall, with unshielded twisted pair, UTP cable, that's your regular RJ45, which typically has a maximum run length of 100 meters, and your coaxial, your 1000BASE-CX cable, ends up having a maximum run length of 25 meters. Now, what happens when you go above these lengths? Well, you end up with some weird issues, perhaps some collisions and maybe some errors on your interface, which we can find in our interface statistics and the counters when we go into our device. So let's first start off with collisions. When you take a look at the interface statistics, which we will a little later here, one of the statistics and counters there is going to be collisions. Now, what causes these? This can be a duplex mismatch. Now, what is duplex, first? With duplex, let's say you've got your switch here and you've got your server here and you've got a connection between the two. Full duplex means that both sides are able to transmit at the same time: this guy, our server, can transmit and this guy, our switch, can transmit at the same time, and both sides are able to receive that traffic at the same time. Everything is happy as long as both sides agree that the line is indeed full duplex. Now, half duplex is when only one side can receive or transmit at a time: only the switch can transmit, and the server receives and waits for the switch to be done, and then the server transmits its information, and it does this back and forth. As you can imagine, that slows down our connection substantially. But our cables occasionally are only capable of
half duplex, or very old devices are only capable of half duplex. Now, sometimes you'll get a negotiation error. See, duplex, for the most part, is something that is negotiated. You can go into your interface, do "interface gig 0/0" and "duplex full", and that will statically set full duplex on your interface. Usually, though, this is going to be "duplex auto", and you will auto-negotiate between the two. But say you have full duplex statically set on one side and half duplex, say you do "duplex half", on the other side, so that this guy, the server, is configured statically for half duplex, and this guy, the switch, is configured statically for full duplex. That can cause collisions. Why? Because when your switch thinks that it's at full duplex, it thinks that it can transmit regardless of whether the server is transmitting or not. And then your switch decides to transmit while the server is transmitting, when the server is not expecting that because it's at half duplex over here. So as soon as it receives that data transmission while it's at half duplex and transmitting at the same time, that's a collision, boom, done; we've caused a collision. Mind you, on your server you probably won't be able to find the interface statistics anywhere and see where your collisions are. But let's say that this isn't a server; let's say instead that it's a router over here, and these guys are connected, and this is half duplex and this is full duplex, and this guy is trying to transmit while this guy is transmitting. This guy here is going to wait, because it thinks that only one side can transmit at a time, so you cause a collision, and you'll see in the interface statistics here that you can cause collisions.
The other thing that can cause collisions is if your cable run is too long, due to the propagation time, the amount of time it takes for your signal to propagate through the full length of the cable. If this guy is, say, 300 meters instead of the 100 that it's actually at a maximum of, then you can cause late collisions; that's the counter that you'll end up seeing increment when you have a cable run that's too long. So if at some point you open up your interface, you do "show interface", and you see that you've got late collisions there, you can bet that probably what your issue is is that your cable run is too long, and you're going to need to add in a switch, or switch to a fiber cable, or something along those lines to resolve that. As far as our duplex mismatch, the effect that you'll see is just standard collisions; this doesn't cause late collisions, and it's hard to find this sometimes. Usually what ends up happening with this, because you keep having this back-off, where one side is trying to transmit while the other side transmits and then you have a back-off because they're both transmitting at the same time and cause a collision, is that you end up with a substantial amount of slowness. Small amounts of traffic won't really suffer here: you can do pings and you won't see any problems, you'll see the same amount of latency and you won't see any issues there. It's only when you start having a lot of back and forth, where one side wants to transmit while the other side is transmitting, that you end up with your collisions. Now, as far as errors on your interface: an error occurs when a frame's data or the checks don't comply with the standard. What does this really mean? So in your header you have a piece of data that's called the CRC, the cyclic redundancy check.
Now, this item is basically a sum, a digest of the data that is located in here; you have some payload, and your CRC is a check of that data, so that when you apply an algorithm to your payload it should match the CRC that's there. If it does not, then you know either your payload got degraded during transmission, or your CRC got degraded during transmission, or it's the interface itself. You have your router here transmitting over to your switch; maybe this interface on the router is not actually transmitting the bits that the router wants it to transmit, it is broken in some way, or the switch interface here is broken in some way and is not receiving the bits that it needs to. This is where you'll see input errors; this indicates interface issues on the other end of the cable, that when you have an input error it means this guy is not transmitting correctly. An output error is where you have problems on your side of the cable: from your end, when you have an output error, your interface is not operating correctly, or it could just be overloaded; that does happen as well. And the CRC error, like I said, only indicates that your data got degraded at some point during transmission and reception; it's either your cable or your interface, something either in the middle or on either side, that is having a hard time and causing your data to be degraded. We'll take a look shortly; we'll go into the command line and I'll show you where this information is located, how to find it in your interface statistics, and where it's located in your counters. Now, as far as speed and duplex go, remember these are configurable items, like I said, and this is part of your physical interface configuration on the device. When you have a duplex mismatch,
like we said, this causes collisions, and when you're dealing with Cisco devices, CDP also shows a warning. Here's a screenshot of that right now, where we've got CDP, a level 4 message for duplex mismatch: a duplex mismatch is discovered on Ethernet 0/0; Ethernet 0/0 locally is not full duplex with the marketing PC, which is what we're connected to, on GigabitEthernet 1/0 on the marketing PC, and that interface is configured as full duplex. This is a syslog message that's generated, so if you have a syslog collector that is set up to get your information all collected centrally, you might see this syslog message in there, and it would tell you that you have a duplex mismatch and you need to go to one side or the other and either statically configure it or investigate why the auto-negotiation is not happening correctly. As for a speed mismatch, first, how is speed configured? You go into your interface, "interface ethernet 0/0", and then just "speed": we can do 100, that is 100 megabits per second; 10, 10 megabits per second; 1000; or auto. Now, mind you, this is for gigabit, 100 megabit and 10 megabit. If you have a 10 gig connection, this actually will only come up with auto-negotiation; there's no such thing as a static 10 gigabit connection, so you need to just set it as auto, and if it's configured correctly on both ends then it will come up as a 10 gigabit connection. Now, if you have this hard-coded to, say, 100 megabits on this side, and then on the other side you do a hard-coded "speed 1000" on that interface, say you have your router and your switch connected together as 100 on this side and 1000 on that side, this won't come up. The interface actually just won't come up at all.
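Added example, not part of the course: a Python script that reads Cisco IOS "show interfaces" output and turns the counters discussed above (collisions, late collisions, CRC, runts, giants, input and output errors) plus the duplex/speed line into the diagnoses the lecture gives, then compares the two ends of a link for a hard-coded speed or duplex mismatch. The three sample outputs are constructed in IOS format with made-up names, MAC addresses and counter values. One rule is my addition rather than the lecture's: the full-duplex side of a duplex mismatch typically shows CRC errors and runts, because it receives the half-duplex side's collision fragments.

```python
"""Map Cisco IOS 'show interfaces' counters to Layer 1 causes.

Added example, not from the course. Sample outputs below are constructed in
IOS format; interface names, MAC addresses and counter values are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class IfaceStats:
    name: str
    status: str            # "up", "down" or "administratively down"
    protocol: str          # line protocol state
    duplex: str            # "full", "half" or "auto"
    speed: str             # "10Mb/s", "100Mb/s", ... or "auto"
    input_errors: int = 0
    crc: int = 0
    runts: int = 0
    giants: int = 0
    output_errors: int = 0
    collisions: int = 0
    late_collisions: int = 0


_HEADER = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)", re.M)
_DUPLEX = re.compile(r"^\s*(Full|Half|Auto)-duplex, ([^,\s]+)", re.M)
_COUNTERS = {  # field -> pattern; matched independently, so line order does not matter
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "runts": r"(\d+) runts",
    "giants": r"(\d+) giants",
    "output_errors": r"(\d+) output errors",
    "collisions": r"(\d+) collisions",          # "N late collision" is not preceded by digits, so no overlap
    "late_collisions": r"(\d+) late collision",
}

EXPLANATION = {
    "ADMIN_DOWN": "shut down: 'no shutdown' before any counter means anything",
    "LATE_COLLISIONS": "late collisions: run exceeds the medium's limit (100 m UTP); split it with a switch or move to fiber",
    "COLLISIONS": "collisions on a switched link: duplex mismatch, this is the half-duplex side (link up, pings fine, slow under load)",
    "CRC_OR_RUNTS": "CRC errors/runts: frames degraded in transit (cable, transceiver, or the full-duplex side of a duplex mismatch)",
    "INPUT_ERRORS": "input errors: the far end or the cable is not delivering good bits",
    "OUTPUT_ERRORS": "output errors: this interface is faulty or overloaded",
    "GIANTS": "giants: the far end sends frames larger than this side accepts (jumbo/MTU on one end only)",
}

# Constructed samples: R1 forced to full duplex against a half-duplex switch port,
# and a second switch port on an over-length run.
R1_FA0_0 = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is c201.0d5c.0000 (bia c201.0d5c.0000)
  Full-duplex, 100Mb/s, 100BaseTX/FX
     Received 1790 broadcasts, 9 runts, 0 giants, 0 throttles
     14 input errors, 14 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""
SW1_ETH0_0 = """\
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is aabb.cc00.0100 (bia aabb.cc00.0100)
  Half-duplex, 100Mb/s, media type is unknown
     Received 1950 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 37 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
"""
SW1_ETH0_1 = """\
Ethernet0/1 is up, line protocol is up
  Hardware is AmdP2, address is aabb.cc00.0110 (bia aabb.cc00.0110)
  Half-duplex, 10Mb/s, media type is unknown
     Received 402 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 52 collisions, 0 interface resets
     0 babbles, 6 late collision, 0 deferred
"""


def parse_show_interface(text: str) -> IfaceStats:
    """Pull state, duplex/speed and the error counters out of one interface's output."""
    head, dup = _HEADER.search(text), _DUPLEX.search(text)
    if head is None or dup is None:
        raise ValueError("not a 'show interfaces' block")
    counters = {}
    for field_name, pattern in _COUNTERS.items():
        m = re.search(pattern, text)
        counters[field_name] = int(m.group(1)) if m else 0
    speed = dup.group(2)
    return IfaceStats(name=head.group(1), status=head.group(2), protocol=head.group(3),
                      duplex=dup.group(1).lower(),
                      speed="auto" if speed.lower().startswith("auto") else speed,
                      **counters)


def diagnose(s: IfaceStats) -> list[str]:
    """Return finding codes for one interface, in the order a technician would check them."""
    if s.status.startswith("administratively"):
        return ["ADMIN_DOWN"]
    checks = [("LATE_COLLISIONS", s.late_collisions), ("COLLISIONS", s.collisions),
              ("CRC_OR_RUNTS", s.crc or s.runts), ("INPUT_ERRORS", s.input_errors),
              ("OUTPUT_ERRORS", s.output_errors), ("GIANTS", s.giants)]
    return [code for code, hit in checks if hit]


def check_link(a: IfaceStats, b: IfaceStats) -> list[str]:
    """Compare both ends: hard-coded speeds that differ keep the link down; differing duplex keeps it up but colliding."""
    codes = []
    if "auto" not in (a.speed, b.speed) and a.speed != b.speed:
        codes.append("SPEED_MISMATCH_LINK_DOWN")
    if "auto" not in (a.duplex, b.duplex) and a.duplex != b.duplex:
        codes.append("DUPLEX_MISMATCH")
    return codes


def report(s: IfaceStats) -> list[str]:
    return [f"{s.name}: {EXPLANATION[code]}" for code in diagnose(s)]


if __name__ == "__main__":
    r1, sw0, sw1 = (parse_show_interface(t) for t in (R1_FA0_0, SW1_ETH0_0, SW1_ETH0_1))
    for line in report(r1) + report(sw0) + report(sw1):
        print(line)
    print("R1 Fa0/0 <-> SW1 E0/0:", check_link(r1, sw0))
```

Feed it the output of "show interfaces" from both ends of a suspect link; a port whose only finding is COLLISIONS while its peer shows CRC_OR_RUNTS is the classic mismatch picture, and LATE_COLLISIONS points at the cable run rather than the configuration.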
You'll have no communication between the two; a hard-coded, mismatched speed configuration will not bring up the interface. And I'll show you that very shortly when we jump into the CLI. So let's do that right now. It's going to be our first look here at GNS3 and how this is configured. Let me bring up GNS3; here's the interface. If you want to learn how to set this up and get GNS3 running, please visit the beginning of the series about the lab configuration, and we'll go through there how to get this all set up and where to obtain the files that you need. But here I've got R1, a router, and I've got Switch1, our switch, and right now they're both turned on. I haven't done any configuration to them; they're both at their defaults. R1 here is connected on FastEthernet 0/0 and Switch1 is connected on Ethernet 0/0. In fact, let's go ahead and put our interface labels here so that we can remember where those are, nice and easy. So first let's jump on over to our router and see what's going on over there. Let's just do a quick "show cdp neighbor"; we actually don't have any CDP neighbors right now, and I wonder why that is. Let's go ahead and "enable" and do a "show ip interface brief". We've actually just got administratively down on all of our interfaces right now. This means that the interface is shut down, so we'll need to do a "no shut" on the interface that we're connected to, which is FastEthernet 0/0, and Ethernet 0/0 on the other end. So let's go into "config t", go to "interface fast 0/0", do a "no shut", and get out of config mode.
Here we see the change state to up, and the alarm clears for the administratively down state. So that admin down state is cleared and it has now changed the line protocol state to up. Now, this is connected to a switch on the other end, right? So here on the switch, this does have spanning tree enabled, so we're going to have to go through our spanning tree states before this interface actually comes up on both ends and we start getting CDP traffic between them to be able to see our error message. So let's jump back into R1 and see if that's come up yet. And it has: we have got our CDP "duplex mismatch discovered on FastEthernet 0/0 (not half duplex), with Switch Ethernet 0/0 (half duplex)". FastEthernet 0/0 is full duplex on this end, and on the other end, on Switch, which is what the hostname is, Ethernet 0/0 is half duplex. This is just because in GNS3 the default Layer 2 switch image comes up with the interfaces as half duplex by default, because they are just 10 megabit interfaces; they are half duplex. So let's run on over to the switch and see what's going on over there. We've got a handful of syslog messages here; we press Enter and we've got our syslog messages. Let's do a "show interface ethernet 0/0", and this is really good. I'm going to wait for just a moment before I press the space bar to go down. Let's go through this section of the output, since this is the first time you might be seeing it. We've got our interface here: it is up, the physical interface is up, and the line protocol is up. Usually, if you're dealing with Ethernet, you're going to see that your physical interface and line protocol are both up, and otherwise you're just going to be down/down. It's very rare that you end up seeing your line protocol down if your Ethernet interface is up.
Usually you see that in something like serial interfaces, where you have the ability for your LCP to be down but your physical interface is up. We've got the MAC address of the interface here and what the hardware is. We've got our MTU, the maximum transmission unit. Our configured bandwidth: this is a configured item of bandwidth on the interface, and it is 10 megabits per second. And our configured delay; this is used in routing protocol configuration, as well as for interface tracking, where you can do a tracking object to keep track of this and move over in the event that the transmission load, the reliability, or the load changes much at all. And here we have our keepalives. Now, the thing I want to look at is our auto duplex and auto speed. Just because we're in GNS3, it's telling us our media type is unknown and that we don't have any input or output flow control, but this is what we're going to look at right here: auto speed, auto duplex. Now, since we have this, let's see if we have any collisions going on here. If I press the space bar to go down one more time, actually we don't have any collisions quite yet. We might not have enough traffic going between the two in order to have any collisions. The only traffic we have going on is really just CDP; we're going to have some spanning tree traffic going on in the background as well, but that's really about all, and there's probably just not enough to have caused any collisions. But down here in this bottom section, this is where you have your input errors, your CRC checks, your overruns, your runts, your giants. Now, runts are frames that are too small; giants are frames that are too large. If you have large frames configured on one end but not the other, you're going to get giants on this side, because it's not configured to allow frames that are that large.
Down here we have our output errors and our collisions; it also lets you know how many interface resets, and the late collisions are listed here as well. So let's jump on back over to our router for just a moment. We're continuing to get messages here on this side. Let's go ahead and "configure t" (yep, I forgot the T on the end there). Let's configure our interface FastEthernet 0/0 for half duplex: "interface fast 0/0", "duplex half", and "end". Change state to down, change state to up: it resets your interface when you change your duplex, as it is no longer auto-negotiating. And let's jump back over to our switch. If we do a "show cdp neighbor" to make sure we're still seeing our neighbor, there we are, that's excellent. If we leave this here for a little while, we'll see that we're not going to be getting our syslog messages anymore. If we go back to our "show interface", here we're still at auto speed and auto duplex. And then if we go back over to R1 and do "show interface fast 0/0", here it actually doesn't want to do half duplex because it's at 100 megabits. Let's go over and do "config t", "interface fast 0/0", "speed 10" and "duplex half", and then "do show interface fast 0/0". As a little note, when you're inside configuration mode, in order to do a show command on an IOS device you need to include the "do" command at the beginning. Your tab auto-complete does not work when you put "do" in during configuration mode, but that allows you to do a show command without backing all the way out. Now here we are at 10 megabits, half duplex. Let's do "end", press Enter a few times, get out of there, and we can go back over to our Switch1. Now that you've seen how to do our speed and duplex configuration, and where to find what the current speed and duplex configuration is, let's actually just real quick
show that we do a "show run" for Ethernet 0/0. I'm sorry, let's just do a "show run" and go into our Ethernet 0/0. It happens to show that our duplex is set to auto and that our speed isn't listed here; by default your speed will be set to auto as well. And if we jump back over to the router real quick and just do a "show run" here as well, we take a look at FastEthernet 0/0, and here we have our duplex set to half and our speed set to auto. Depending on your IOS version and what kind of device you have, you may or may not see duplex and speed auto here, and it may not come up as a default of being shut down, which is why it's good to check your running configuration, check your interface stats, and see how everything is as soon as you turn on your device, before you assume what the current configuration is. So we've gone through that. Let's jump back over to our PowerPoint briefly, and let's move on to a last couple of practice questions before we close out this video. First: all of the staff are complaining of very slow access to the file server. You're not seeing any packet loss or unusual latency when pinging the server. What is likely to be the issue? Now, we talked about this briefly: if you have your server here and you have your switch here and they're connected, and you have, say, half duplex over here and full duplex over here, you're going to get collisions when there's a lot of traffic going. But when there's just a little tiny bit of traffic, you're not really going to see a whole lot of problems; you're going to see that latency is just fine, no packet loss, it would all be OK. You actually need to go into the interface and check to see if that is half duplex, and check in your server, your Linux, Windows or Mac server, what have you, and see how that interface is configured for duplex.
So here it is going to be B, a duplex mismatch at the server's connection to the switch. Now, let's just clarify the terminology, "at the switch's uplink." An uplink is what you use to get higher up in your topology. So we've got our switch down here and our server here, and this switch connects over to our distribution switches here, which connect over to our core switches here, and this guy and this guy and this guy. These here are the uplinks to get higher up in our topology, and this here would be the server's uplink to get into the network. The issue here would most likely be a duplex mismatch at the server's connection to the switch. Even if you have a workstation here and a person working and trying to access the server, they might see slowness, and that would end up confirming and reaffirming that the answer is B, a duplex mismatch at the server's connection to the switch. Second: what interface counter can indicate a cable run that is too long? We talked about this as well. Due to the propagation time for getting a transmission from one end of the cable to the other, 100 meters is the rule of thumb for unshielded twisted pair Category 5 and Category 6 cable, and going past that is going to end up causing problems with late collisions. The answer here is C. Now I hope that this has been informative for you and I would like to thank you for viewing.

7. 1.5 Layer 2 Concepts

Layer 2 switching principles. Layer 2 is where our Ethernet frame exists. First up, I want to talk about the type of address that we use at Layer 2. Then, from there, we'll talk about what Layer 2 switches do, the definition of a switch and what its primary job is here, and how it differs from a hub. So first up, let's talk about the address that we use at Layer 2. That is our MAC address, the Media Access Control, M-A-C, address.
This is the Layer 2 address that we use. It is a 48-bit address that is written in hexadecimal. Typically it's written with colons in between each two characters. Cisco writes it as a group of four characters and a period, four and a period, and four. You'll see it written in different ways based on the vendor that you're working with and just preference. But regardless, it is a 48-bit address that consists of 12 hexadecimal characters. The protocol data unit down at Layer 2 is our frame. So this is where you'd have your Ethernet frame, and that's your data unit. There are broadcast, unicast and multicast MAC addresses. You don't really need to worry about the multicast ranges here for your Layer 2 addresses. It's good to know that your broadcast address is all Fs. You'll see here soon that we'll do a lab and I'll pull open Wireshark and show you that the broadcast address is all Fs; specifically we'll demonstrate ARP, that's A-R-P, the Address Resolution Protocol. This is what's used to translate MAC addresses into IP addresses, or really vice versa: it translates your IP address into who owns that MAC address, or which MAC address owns that IP address. So, moving on a little bit now that we understand that we have our MAC address here, that that is our Layer 2 address, and that's what's used to get data to the correct host on a broadcast domain or on a shared segment. Then we can talk about what a switch does and what role it plays here, so, a switch's primary purpose. I've got a switch here and we've got four computers, PC1, PC2, PC3, PC4, and what a switch does is first, it breaks up each of these links into its own collision domain. Recall that we talked about what a collision domain is: it's a shared wire, where you can transmit and receive on each side.
And because these are all split out into their own collision domains, we can get full bandwidth between two of them, especially when it's full duplex. If this guy and this guy, PC1 and PC3, were to transmit at the same time, it doesn't matter, because these are their own separate collision domains. When this one puts voltage onto the line to transmit, this line over here does not see an increase in voltage. That's really what a collision domain is. Now, what the switch does do is that all of these, assuming they're in the same VLAN (we talked about VLANs before, and we are going to assume right now that this switch is not segregated into any separate VLANs, we just have one VLAN in this whole area here), then, assuming they're all in the same VLAN, they are in the same broadcast domain. Now what does that mean? It means that PC1, say, sends out an ARP request. Right? That is going to be sent to all Fs for the MAC address, so a broadcast address there. What that does is say, I have this IP address, say it's 10.10.10.1. It's going to send out the ARP request with a destination of all Fs saying, could the person, or rather the computer, who owns 10.10.10.1 please reply? And the reply will be like, yes, I have 10.10.10.1, my MAC address is 10:0c:... whatever, whatever, and give it the MAC address of the machine that owns that IP address. So a switch's primary job is to learn what device, what MAC address specifically, lives off of what port, so that when PC4 sends in a frame that is destined for the MAC address of PC2, the switch, assuming it knows where PC2 lives, will send that frame only to PC2 and not to any of the other machines here. That helps you maintain your bandwidth because you don't have a bunch of useless, unneeded traffic going to other devices that don't need to see it.
And it helps maintain security, to make sure that only the devices the traffic is destined for are the ones that actually receive that traffic. The switch looks up the source MAC address of incoming frames, and that's how it learns where devices are. When PC2 sends a frame into the switch here, one of the attributes of that Ethernet header is going to be the source MAC address, and that'll be inside the Ethernet header. So when that frame comes in, the switch looks up in its CAM table, the content addressable memory, to see if it already knows that that MAC address lives off of that port. If it does, it resets the aging timer for it, and I'll explain that a little more in just a moment. If it doesn't have the entry in its table already, it creates one that says, great, I now know that the MAC address for PC2 lives off of port 2. Let's say these are port 3, port 4, port 5, and the same thing happens for PC1: when it sends a frame into the switch, the switch is going to look at that source MAC address in the Ethernet header and see that PC1 lives off of port 5. It's going to write that into its CAM table so that it knows, when PC4, say for example, sends in a frame that is destined for the MAC address of PC1, it will only forward that frame out port 5 and not any of the other ports. As far as aging goes, when a frame comes into the switch and it learns what port that MAC address lives on, it only trusts that information for a certain period of time before it decides that it may not be accurate anymore. By default, that amount of time is five minutes, or 300 seconds. When a frame comes in and the switch learns that PC1 is off of port 5, it will know that PC1 is off of port 5 for five minutes, and when it receives another frame from PC1 it will reset that timer back to five minutes again.
That way, if there's five minutes of inactivity, five minutes of no frames being received with a source MAC address of PC1, then that entry in the table is removed. Now what happens when the switch receives a frame destined for PC1, and it no longer knows which port PC1 lives on? Well, to make sure that the switch delivers the frame as best it can, to make sure that the end device actually receives it, it does what's called flooding: it floods the frame out all of its ports and treats it like a broadcast. We'll look into that a little more in the following slide. So with frame forwarding and flooding, when the switch receives a frame, it looks at the source first and writes that into its CAM table; the next thing it looks at is the destination. As I said, if it knows where that destination lives, if it knows it lives off of port 1 or port 2 or port 3, it will forward the frame out that port to make sure it only goes to the device it's destined for. If it doesn't know it, though, or it's a broadcast, if it's all Fs, then it will forward the frame out all ports except for the one it came in on. This is actually a really important concept to remember; I see this on Cisco exams all the time: when a switch receives a frame for a destination MAC address which is not in the CAM table, or it receives a broadcast frame, what does it do with it? It forwards it out all ports except for the port it came in on. So let's demonstrate this just a little bit over in the lab here. I'm going to switch over to GNS3 for just a moment and show you that we have the same setup here: PC1, PC2, PC3, PC4, and we set this up as the 10.0.0.0/24 network. I haven't done any configuration on these devices yet, so let's configure our IP addresses and make sure our ports are up.
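The learn, age, forward and flood behaviour just described, as an added simulation (not the course's code) of the four-PC, one-VLAN switch above; the MAC addresses, port numbers and timestamps are constructed for the demo, and the 300-second aging time is the default the lecture states.

```python
"""Simulation of the Layer 2 switch behaviour described in the lecture:
learn the source MAC into the CAM table, age entries out after 300 seconds
of silence, forward known unicast out one port, and flood unknown unicast
and broadcast frames out every port except the one the frame came in on.
Added example, not the course's own code; MACs and ports are constructed."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"   # all Fs: the Layer 2 broadcast address
DEFAULT_AGING = 300               # Cisco default MAC aging time, seconds


@dataclass(frozen=True)
class Frame:
    src: str   # source MAC: written into the CAM table on ingress
    dst: str   # destination MAC: looked up after the source is learned


class Switch:
    def __init__(self, ports, aging=DEFAULT_AGING):
        self.ports = list(ports)
        self.aging = aging
        self.cam = {}   # MAC -> (port, time the entry was last refreshed)

    def _expire(self, now):
        """Drop every entry that has seen no frame for `aging` seconds."""
        for mac, (_port, seen) in list(self.cam.items()):
            if now - seen >= self.aging:
                del self.cam[mac]

    def receive(self, frame, in_port, now):
        """Process one frame at time `now`; return the sorted egress ports."""
        self._expire(now)
        # 1. Learn: the source lives off the ingress port; (re)start its timer.
        self.cam[frame.src] = (in_port, now)
        # 2. Forward: a known unicast destination goes out exactly one port.
        if frame.dst != BROADCAST and frame.dst in self.cam:
            out_port = self.cam[frame.dst][0]
            # A frame whose destination sits on the ingress port is not sent back out.
            return [] if out_port == in_port else [out_port]
        # 3. Flood: broadcast or unknown unicast goes out all ports but the ingress.
        return sorted(p for p in self.ports if p != in_port)

    def known_port(self, mac, now=None):
        """Port the switch currently believes `mac` lives on, or None."""
        if now is not None:
            self._expire(now)
        entry = self.cam.get(mac)
        return entry[0] if entry else None


# Constructed MACs for the four PCs; PC1 is on port 5, PC2 on port 2,
# PC3 on port 3 and PC4 on port 4, as in the lecture's diagram.
PC1 = "ca:01:0b:31:00:01"
PC2 = "ca:01:0b:31:00:02"
PC3 = "ca:01:0b:31:00:03"
PC4 = "ca:01:0b:31:00:04"


def demo():
    """Replay the ARP exchange and the aging scenario; return what was seen."""
    sw = Switch(ports=[1, 2, 3, 4, 5])
    out = {}
    # t=0: PC1 ARPs for PC2. PC1 is learned on port 5; the broadcast is flooded.
    out["arp_request"] = sw.receive(Frame(PC1, BROADCAST), in_port=5, now=0)
    # t=1: PC2 replies. PC2 is learned on port 2; PC1 is known, so one port only.
    out["arp_reply"] = sw.receive(Frame(PC2, PC1), in_port=2, now=1)
    # t=2: PC4 sends to PC3, which has never transmitted: unknown unicast floods.
    out["unknown_unicast"] = sw.receive(Frame(PC4, PC3), in_port=4, now=2)
    # t=200: PC2 talks to PC1 again, refreshing PC2's timer; PC1 is 200 s old, still valid.
    out["refresh"] = sw.receive(Frame(PC2, PC1), in_port=2, now=200)
    # t=350: PC1 (350 s) and PC4 (348 s) have aged out, PC2 (150 s) has not.
    # PC3 sends to PC1, so the frame is flooded out every port except port 3.
    out["after_aging"] = sw.receive(Frame(PC3, PC1), in_port=3, now=350)
    out["pc2_port"] = sw.known_port(PC2)   # 2, refreshed at t=200
    out["pc1_port"] = sw.known_port(PC1)   # None, removed after 300 s of silence
    return out


if __name__ == "__main__":
    for event, result in demo().items():
        print(f"{event:16} -> {result}")
```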
Then let's do a quick Wireshark capture to show you the ARP request and reply and some of the other traffic that's going on here. So first, over on PC1: enable, config t. Actually, just to switch back for a moment here, just to show you that I have all of these connected on their FastEthernet 0/0 ports, let's move these around so they're a little easier to see. There we go; it's all connected to FastEthernet 0/0 on each of these devices. So let's go back over to PC1. Go interface FastEthernet 0/0; actually, do a do show ip interface brief real quick. FastEthernet 0/0 is up right now, but it does not have an IP address. We'll do ip address 10.0.0.1 with a 24-bit mask, and then let's jump over to PC2 real quick: enable, show ip interface brief. This is also up. We'll go config t, interface FastEthernet 0/0, ip address 10.0.0.2 with a 24-bit mask, and then let's jump over to PC3 real quick. Enable, show ip interface brief. Actually, a handy little thing here: a lot of times you'll get a lot of interfaces that are all unassigned. I like to do exclude unassigned, and that actually shows no interfaces here because they are all unassigned. But if we do exclude down, then we have our one interface here that is up but unassigned. Let's go back into configure terminal, interface FastEthernet 0/0, ip address 10.0.0.3, also a 24-bit mask. And then lastly, let's jump over to PC4. Enable, show ip interface brief. This is also up. Config t, interface FastEthernet 0/0, ip address 10.0.0.4, 24-bit mask. There we go. Alright, now that we've got that going, let's jump over to our switch real quick and see if our CDP neighbors are showing. Enable, show cdp neighbors. And there they are, PC1, 2, 3 and 4, all showing to be on FastEthernet 0/0 on their side, and Ethernet 0/0, 0/1, 0/2 and 0/3 on the local side here.
So let's jump back into GNS3 and do a Wireshark capture. No, I don't want an update. Let's take a look real quick at what's going on. Here we've got some spanning tree traffic; we'll go over spanning tree in much more detail later. But let's just take a look at Wireshark's interface for a moment. First we have over here the packet number, then the time, which is relative to when the capture was started, then the source MAC address and destination MAC address. Now, this column shows you the highest-level address that's available. Since these are Layer 2 frames going through and they don't have IP addresses, these are not showing an IP address. Otherwise they would, but here they're showing a MAC address, and it might not even show a MAC address if there is not one available for the type of traffic going through. Here we've got Dynamic Trunking Protocol for negotiating a trunk, your spanning tree, and CDP information. This is all fine and dandy, but let's try pinging. We're over on PC1; that's the one we are doing a capture against, between PC1 and switch 1. Let's jump back over to PC1 and take a quick look at the ARP table. If I do show ip arp, right now it only knows about itself, because we haven't tried to access any of the other IP addresses, so we don't know where they are yet. But we go ahead and do ping 10.0.0.2. It's very normal to lose the first one while we wait for the ARP reply. If I do a show ip arp, oops, show ip arp, now we know that 10.0.0.2 is at this MAC address. If we jump over to PC2 for a moment and do a show interface FastEthernet 0/0, oops, show interface FastEthernet 0/0, we see that this MAC address here, ca01.0b31.0008, is the same as the MAC address here, ca01.0b31.0008. That is the MAC address of that interface. Let's go over to our Wireshark.
Let's stop capturing so that we can go back up here to the purple area, which is going to be where our pings are. Right before that, we've got our ARPs. So we've got our ARP request here: who has 10.0.0.2? Tell 10.0.0.1. It has a source MAC address here, and you'll notice down here it's the same MAC address as that device. Then its destination: if we open up the Ethernet frame here, the Ethernet header, the destination is broadcast, all Fs. When it sends out that broadcast, here we have our reply. PC2 received that broadcast because it was forwarded out all of the ports of the switch. So it was forwarded out here and here and here, and all of these machines, PC2, PC3, PC4, received that broadcast, but only PC2 actually has that IP address, 10.0.0.2, so only PC2 was interested in replying to that ARP. If we go to the ARP reply here, we see that the destination MAC address is now PC1's MAC address and the source is PC2's. Now, the Address Resolution Protocol reply actually has the same information again inside the ARP reply itself, as it gives both the sender MAC and target MAC address, but we could get the same information from just the Ethernet frame here as well. Now, to make sure you understand what the switch is doing here, let's do this: let's do a capture over here on PC4. Let me see if I can move this around a little better. From PC1 I want to ping PC3. Remember, we're doing a capture over here between PC4 and switch 1, and from PC1 we do not yet know the MAC address of PC3, 10.0.0.3. I want to show you that the broadcast, the ARP request, does show up here at PC4, but that PC4 does not reply. If we go ping 10.0.0.3, boom, those pings went through, and over here it ends up taking a little while.
Wireshark is a little delayed when you're working in GNS3, as far as getting your traffic here. Also, it's a little interesting that that never came up. What if I ping 10.0.0.4? Wireshark is not bringing anything up for us here; it's deciding to just not give us what we want at all. Let's quit that. If we do stop capture and start capture, let's try that one more time, and ping PC4. Alright, so there are our pings. Let's do clear arp. Let's ping 10.0.0.3. Yes, it immediately knew and got a response. There was a gratuitous ARP; because we cleared our ARP cache, it requested to know where it was again. You'll have to take my word for it here that the broadcast is indeed forwarded out all interfaces except for the one that it came in on, as that is the way broadcasts will always work. Now, just like the other sections, let's run through a couple of practice questions before we end off here. First up: what is the default amount of time an entry will stay in the CAM table without a frame being received? If you recall, the default amount of time is five minutes, which is 300 seconds. The answer here is C, 300 seconds. And then, lastly: how is a unicast frame handled that is received for an unknown destination MAC address? That frame is treated just like a broadcast. If you remember, the switch wants to make sure that the destination actually receives the frame that's coming in, so it will forward it out all of its ports except for the one it came in on, and that is called flooding: the frame is flooded out all ports. I hope that this has been informative for you, and I would like to thank you for viewing.

8. 1.6 IPv4 concepts and configuration

Layer 3, IP version 4 concepts and configuration. We're moving on up from our Layer 2 addresses to our Layer 3 addresses.
So Layer 2 is connectivity on the same broadcast domain, and Layer 3 is where we can get outside of that broadcast domain and get to other networks; Layer 3 is where routing happens. Here we're going to talk about the most common version of IP, of Internet Protocol, and that's version 4, the most common version right now. We're coming up to the end of 2019 here; it's September 29th right now. So let's just jump right into an overview of IP version 4. First, IPv4 addresses are a 32-bit address field, typically represented in dotted decimal notation. So 192.168.1.1 is dotted decimal notation. This here would be the same address in binary notation, and the same thing down here for your mask in binary notation. Now, your subnet mask, and we'll talk about what exactly that is in just a moment, is represented either in CIDR form, C-I-D-R, Classless Inter-Domain Routing form, which is a slash and a number, the number being the number of contiguous ones down here, or it could also be represented in dotted decimal, where you see 255.255.0.0, and that would be the dotted decimal notation for your subnet mask. So let's talk a little bit about what a mask is and the parts of your IPv4 address. Your IPv4 address includes a host identifier and a network identifier, and your mask is what defines which portion of your address is your host identifier and which portion is your network identifier. It does this by having a certain number of contiguous ones. In this case our mask is the same length as the address; it is 32 bits. I can't draw a straight line, but it's 32 bits long, and every one indicates that the corresponding bit in the address is part of the network identifier, and the zeros indicate that the corresponding bit in the address is part of the host identifier. So in this case here we have 24 ones.
So this would be a 24-bit mask, which is your really common 255.255.255.0. This is a 24-bit mask because of all of the ones here. In each eight-bit portion these bits are representing powers of two, right? So this would be 1, and this would be 2, 4, 8, 16, 32, 64, 128, and adding all of them up in each of those places gives you 255, with 256 possible combinations because we start at zero. So say you have a 192.168.1.2 address and it is a /24, meaning we have, let's clear up some of those, there we go, 192.168.1.2 with a 24-bit mask. It means that the first three full octets (that's what these sections of eight bits are called, an octet), so 192.168.1, are all the network identifier: you are in the 192.168.1 network because you have a /24 mask, and your host address in the 192.168.1 network is .2. That's how an IPv4 address and mask work. Now, this gets a little weird and a little confusing when you start having network masks that don't end at the octet boundary. What I mean is, say all of these are ones up to here, and this guy is actually a zero, and a zero, and a zero. Then it gets a little weird. That would be a /21. So if this here, instead of being a /24, were actually a /21, let's see if that's even a valid address. The way I usually like to do this, let's move over to the next slide, is that the best way, in my opinion, to show what is actually happening is by writing it out in binary. So here we have 172.16.10.5/21. Written out in binary, that is this top row right here: this octet in dotted decimal is 172; this octet in dotted decimal is 16, because we have 1, 2, 4, 8, 16 and only the 16 place has a one, and adding that up gives you 16; and 10.
So we've got 1, 2, 4, 8: 8 plus 2, so we've got 10 here; and then back here, 5: 1, 2, 4, so a 4 and a 1 gives you 5. That's how you write out your address in binary. Then right below it we have our mask, our 21-bit mask written in binary, where the first two octets are all ones and in the third octet we only have five ones, because you've got 8, 16, 21. What you do here is a logical AND operation, which means if you have a one up top and a one on the bottom in the corresponding bit, then the resulting bit will be a one. If you have a zero either on the top or on the bottom, the resulting bit will be a zero. So here it ends up being that you have 10101100, etcetera, moving on down. This makes it so that all of the zero bits in your subnet mask end up giving you all zeros in your result here, and this shows you what your network identifier is. I didn't mention on the previous slide that in an IP version 4 subnet you have two special addresses: you've got a broadcast address and the network identifier. The network identifier is when all of the host bits in the address are zeros. Remember, the zero sections of your mask are host bits, and the one section of your mask is the network bits. So when all of the host bits are zero, that is the network identifier, which is what we've got right here, and you find it with the logical AND operation. Now, if you instead set all of the network, I'm sorry, all of the host bits to ones, so if this were 11111111111, then this gives you the broadcast address. A packet destined for this address, where all of the host bits are ones, goes to all of the hosts in that subnet, in that broadcast domain; it's sending a broadcast out. So what this ends up giving us is our 255 here, and then 1111, which would be 1, 2, 4, 8, so 12, 14, 15, so that's 15.
So then our broadcast address here will be 172.16.15.255/21. This is our broadcast address for this subnet, and this is our network identifier. Now you can see that the usable addresses, the ones you can actually give to your devices in this subnet, are anything other than your network identifier and your broadcast address. That's why all of your networks have X number of addresses minus two as your usable addresses. So you would be able to use up to .254 down here, and the first address you'd be able to use past here is .1. So 172.16.8.1 is your first usable, and your last usable would be 172.16.15.254. Now, like I said, this is where it gets a little weird: your usable addresses fully encompass that whole range. It's 172.16.8.1, .2, .3, .4, etcetera, up to 8.255, then it goes up to 9.0 and 9.1, .2, .3, .4, etcetera, up to 255, and then 10.1, .2, .3, .4, etcetera, to 255, and so on and so forth, up until we get to 15.255, and that's our broadcast address there. This encompasses a very large number of networks, and I find the easy way to find the stepping for this is to get the stepping off of your last bit boundary. Here, since we have three zeros in our subnet mask in this bit boundary, in this octet, this is going to do a stepping of eight; that's where our last one is. So let's erase this, and I'll just explain that a little more: we've got 1, 2, 4, 8. What that means is that in the 172.16 area here, that's these first two octets, in this third octet there is going to be a stepping of eight. So our first network there is going to be 172.16.0.0/21, and that's going to go up to 172.16.7.255/21. That's the broadcast address of this network.
So that's where the stepping is: your next network starts at 172.16.8.0. The next one is 172.16.16.0, and then .24.0, .32.0, etcetera. That is the stepping in that octet. They'll ask some questions every now and then about subnetting where it asks, you know, in the 172.16 address space, what is the third /21 network, and what would be the network address of that? So you'd be able to know the first one is .0.0, the second one is .8.0, the third one is .16.0, so 172.16.16.0/21 is the third network, the third /21 network in the 172.16 space. Just to go through that one more time, let's use a different mask length and a different address. Let's use the 10. space. If we do 10.1.0.0/20, this is the address, the network address, for a /20. Now where would the stepping be? So /20, right? We end up having 16 ones for our first two octets, so we've got 12345678.12345678, and that's 16, then .1234. That means you've got 1234 ones and then 1234 zeros, etcetera. So we've got 1, 2, 4, 8, 16; our stepping here is going to be 16. So if 10.1.0.0 is our first /20 network, then 10.1.16.0 is our second /20 network, and 10.1.32.0/20 is our third /20 network. And here you can see what the broadcast address of this network would be: it would be this guy, really, minus one. So 10.1.15.255/20 is the broadcast address of this network here. Now let's go through this real quick: this topic on the exam does say "configure and verify IPv4 addressing and subnetting," so I do want to go through real quick and show you in IOS how we configure an IPv4 address and verify what IPv4 address is assigned to an interface. Then we'll also do that on a switch virtual interface as well, just briefly.
So let's move over to the same topology we used in the last video, PC1, 2, 3, 4. Now, I actually left this the same as in the last video, so this should already have our 10.0.0.1/24 address assigned. Enable, do show ip interface brief, let's exclude the unassigned. Excuse me, we do have our 10.0.0.1 IP address assigned there. Now if we do show ip interface and then just FastEthernet 0/0, we see here our Internet address is 10.0.0.1/24, and the broadcast address is all 255s. This is really just 255.255.255.255, I mean, that is just the universal broadcast address, but that's not the broadcast address for this subnet. The way we configure the address is, if we go to config t, go interface FastEthernet 0/0, we do ip address, and here it's going to ask for your IP address in dotted decimal notation, or we can set it to obtain an IP address via DHCP and just have it get one dynamically. I'm not going to do that. Let's do no ip address, and then ip address. In case you don't recall from the lab configuration we went over briefly, in IOS, to negate a command and remove it from the configuration, you put no at the beginning; so no ip address removes the IP address from that interface. So we do ip address 10.0.0.1, and then it's going to ask for the subnet mask in dotted decimal notation. We could add an additional IP address, making the IP address we're configuring a secondary IP address, so that this interface will respond on both this address and another address. We're not going to do that right now. We'll just assign it back to 10.0.0.1. Do show ip interface brief and exclude the unassigned; we still have our 10.0.0.1. Now, real quick, for a switch virtual interface, which is like a VLAN interface on the switch, jump over to the switch real quick, the center switch in that topology. We go enable.
Actually, first let's do a show vlan, so we only have our default VLANs here. We'll go through that in more depth a little later. But let's create a VLAN: go vlan 5, give it the name test, exit, and go interface vlan 5. Now we've created a switch virtual interface, an SVI, and on this we assign an IP address in just the same way; we can call it 10.0.0.10. It's also going to ask for a subnet mask in dotted decimal notation; it's a 24-bit mask, and we'll press enter. So that's how to configure your IP address, and we'll go over one more thing in just a moment. Last thing: on your switch, do a show ip interface brief and also exclude our unassigned. Then we have the VLAN 5 interface, which has the 10.0.0.10. Currently it is administratively down; we need to do a no shut in order to use that interface. But that's how you configure an IP address on a switch virtual interface. Something I realized that we didn't go through is how to convert your subnet mask into dotted decimal notation. Your 21-bit subnet mask, what is that in dotted decimal? We know that eight ones, when added up, is 254, I'm sorry, 255. But we don't know how to do this guy. Well, we just need to add up the ones places. When you have eight ones, this guy here is the 128 place, the next one is 64, then 32, 16, 8, 4, 2, 1. So we just add them all up. For a 21-bit mask, we've got five ones at the beginning of the third octet, so we've got 128 plus 64 plus 32 plus 16 plus 8. So 128 plus 64, that's 192. 192 plus 32, that is, sorry, I've got to go 192 and 32, which would be 224, and then 224 plus 16 gives us 248, I'm sorry, that's 240, and then 240 plus 8 gives us 248. That's the manual way of doing it.
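The binary method from the earlier /21 and /20 examples (AND for the network identifier, host bits set to ones for the broadcast, stepping in the last mask octet, nth subnet) together with the mask-to-dotted-decimal conversion just shown, as an added worked example that is not the course's code; it uses plain integers rather than Python's ipaddress module so each step stays visible, and the private ranges listed are the ones the course gives.

```python
"""IPv4 subnet math done the way the lecture does it on the whiteboard:
write address and mask in binary, AND them for the network identifier,
set the host bits to ones for the broadcast address, and use the stepping
of the octet where the mask ends to list the subnets. Added example, not
the course's own code."""

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    """'172.16.10.5' -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    """32-bit integer -> 'a.b.c.d'."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value):
    """32-bit integer -> '10101100.00010000.00001010.00000101' (slide layout)."""
    bits = f"{value:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def prefix_to_mask(prefix):
    """/21 -> 0xFFFFF800 (255.255.248.0): `prefix` contiguous ones, then zeros.
    This is the 128+64+32+16+8 = 248 addition from the lecture, done by shifting."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: /{prefix}")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def describe(cidr):
    """Network ID, broadcast, usable range and stepping for 'a.b.c.d/n'."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    if prefix == 0:
        raise ValueError("a /0 has no interesting octet to step in")
    ip, mask = to_int(addr), prefix_to_mask(prefix)
    network = ip & mask                    # logical AND: host bits -> 0
    broadcast = network | (~mask & ALL_ONES)   # host bits -> 1
    size = 1 << (32 - prefix)              # addresses in the block
    # The octet holding the last network bit, and how far it advances per subnet.
    octet = (prefix - 1) // 8
    stepping = 1 << ((octet + 1) * 8 - prefix)
    usable = size - 2 if size > 2 else 0   # minus network ID and broadcast
    return {
        "binary": to_binary(ip),
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_usable": to_dotted(network + 1) if usable else None,
        "last_usable": to_dotted(broadcast - 1) if usable else None,
        "usable": usable,
        "stepping_octet": octet + 1,       # 1-based, as in "the third octet"
        "stepping": stepping,
    }


def nth_subnet(base_cidr, n):
    """The n-th (1-based) subnet of the given size counting from the base block,
    e.g. nth_subnet('172.16.0.0/21', 3) -> '172.16.16.0/21'."""
    addr, prefix = base_cidr.split("/")
    prefix = int(prefix)
    start = to_int(addr) & prefix_to_mask(prefix)
    return f"{to_dotted(start + (n - 1) * (1 << (32 - prefix)))}/{prefix}"


def in_network(ip, cidr):
    """True when `ip` ANDed with the mask equals the network ID of `cidr`."""
    addr, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    return (to_int(ip) & mask) == (to_int(addr) & mask)


# The three private ranges the lecture lists (RFC 1918).
PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def is_private(ip):
    """Private means it falls inside one of the set-aside ranges; else public."""
    return any(in_network(ip, r) for r in PRIVATE_RANGES)


if __name__ == "__main__":
    for cidr in ("172.16.10.5/21", "10.1.0.0/20", "10.7.6.5/21"):
        print(cidr, describe(cidr))
    print(nth_subnet("10.1.0.0/20", 3), is_private("172.14.10.5"))
```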
Honestly, what you'll get to at a certain point is that you will just remember what the octet is for certain bit lengths. So a /21 is 248 in the third octet, a /20 would be 240 in the third octet, a /19 would be 224 in the third octet, etcetera. Moving on to the next slide, let's talk about private versus public IPv4 addressing. Okay, you may be well aware that we are out of public IP version 4 addresses, that we just don't have any more, and that this has been a big scare for a long time as far as what's going to happen, and has been a big driver and push for migrating to IP version 6. So first, private IP addresses. These are addresses that are not routable on the Internet. They do not uniquely identify a device on the Internet, and that's why they are not routable. They are ranges that have been set aside as being allowed for anyone to use in your private area, so within your organization; not routable on the Internet, but within your local area network, your LAN, you can use these addresses. There are three address spaces in the private IP address ranges: Class A, Class B and Class C. Class A is 10.0.0.0/8; it is one large /8 network. The Class B address space is the 172.16.0.0/12 address space. And this on the slide is incorrect: it is 16 networks, not /12 networks; it's 16 /16 networks. The Class C address space is your 192.168.0.0, which includes 256 /24 networks. So 192.168.0.0/16 is the whole space, and when you go by address classes, these addresses are in Class C, which means that they are /24 networks if you are doing classful routing. We'll talk a little more about what classful and classless routing are when we get to that in the next section.
But for right now, just know that the full address ranges are 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8 as the full Class A address space, and that the classful networks inside the 172.16.0.0/12 space are /16 networks. Now, just like the other sections, let's go through a couple of practice questions before we end off here. First up: what is the network identifier for the IP address 10.7.6.5/21? Let's do this by stepping. It's a /21 network, so we know that the first 16 bits, the first two octets, are going to be the same because the mask is all ones there, and we're going to have a stepping in the third octet. So starting from 10.7.0.0/21, what stepping does that allow? Let's write out the 21 ones: eight, eight, and five in the third octet, followed by three zeros, and then eight zeros in the fourth octet. The three zeros in the third octet are the 4, 2 and 1 places, so the lowest one bit is the 8 place. So our stepping is going to be by eight: the next network identifier after 10.7.0.0/21 will be 10.7.8.0/21. 10.7.6.5 is included in the range between these two network identifiers, so 10.7.0.0/21 is the network identifier for 10.7.6.5/21. The answer here would be C. Next up: is 172.14.10.5 a public or private address? We did just go over this, but just to make sure: the private IP address space in this general area is 172.16.0.0/12, which is 172.16.0.0 through 172.31.255.255. This address is not part of that address space, so this is a public address. The answer here is A. Now I hope that this has been informative for you, and I would like to thank you for viewing.
9. 1.7 IPv6 addresses and configuration: IPv6 concepts and configuration. The coming of IPv6 has been imminent for quite a long time now.
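As an added worked example (not part of the course, and the addresses it prints are constructed for illustration), here is the prefix-length arithmetic from above carried out in Python: the mask is built by adding up the 128, 64, 32, 16, 8, 4, 2, 1 places octet by octet exactly as in the third-octet walkthrough, the network identifier is found by keeping only the bits under the ones, the stepping for the octet where the mask ends is derived, and an address is checked against the three RFC 1918 ranges. The standard-library ipaddress module is used only to cross-check the hand-rolled result; everything else is done by hand so the bit logic is visible.

```python
# Added example (not from the course): subnet mask, network identifier and
# RFC 1918 check done bit by bit, then cross-checked with the ipaddress module.
import ipaddress

PLACES = (128, 64, 32, 16, 8, 4, 2, 1)  # bit values within one octet, left to right

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def prefix_to_mask(prefix_len):
    """/21 -> '255.255.248.0', adding up the ones places octet by octet."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    octets = []
    remaining = prefix_len
    for _ in range(4):
        ones = min(8, remaining)           # how many leading ones land in this octet
        octets.append(sum(PLACES[:ones]))  # five ones -> 128+64+32+16+8 = 248
        remaining -= ones
    return ".".join(str(o) for o in octets)


def ip_to_int(ip):
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a valid IPv4 address: {ip}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_id(cidr):
    """'10.7.6.5/21' -> '10.7.0.0/21': keep the bits under the ones, clear the rest."""
    ip, plen = cidr.split("/")
    plen = int(plen)
    net = ip_to_int(ip) & ip_to_int(prefix_to_mask(plen))
    result = f"{int_to_ip(net)}/{plen}"
    # cross-check the hand-rolled answer against the standard library
    assert result == str(ipaddress.ip_network(cidr, strict=False))
    return result


def block_step(prefix_len):
    """Which octet (0-based) the mask ends in, and the 'stepping' between
    network identifiers in that octet: /21 -> (2, 8), third octet steps by 8."""
    if not 1 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 1 and 32")
    octet = (prefix_len - 1) // 8
    ones_in_octet = prefix_len - 8 * octet
    return octet, 2 ** (8 - ones_in_octet)


def is_rfc1918(ip):
    """True when ip falls inside 10/8, 172.16/12 or 192.168/16."""
    n = ip_to_int(ip)
    for cidr in RFC1918:
        net, plen = cidr.split("/")
        mask = ip_to_int(prefix_to_mask(int(plen)))
        if n & mask == ip_to_int(net):
            return True
    return False


if __name__ == "__main__":
    # constructed sample inputs
    for cidr in ("10.7.6.5/21", "192.168.1.77/26", "172.31.200.9/12"):
        octet, step = block_step(int(cidr.split("/")[1]))
        print(cidr, "->", network_id(cidr), f"(octet {octet + 1} steps by {step})")
    for ip in ("172.14.10.5", "172.16.10.5", "172.32.0.1"):
        print(ip, "private" if is_rfc1918(ip) else "public")
```

Note that 172.32.0.1 is public even though it "looks" like the 172.16 space: the /12 mask only covers 172.16 through 172.31, which is exactly the trap in the second practice question.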
Ever since people realized that we were going to run out of public IPv4 addresses in a short period of time, IPv6 has been pushed to the forefront as the future and where we need to migrate to. Now, mind you, as I mentioned before, we've gotten really good at network address translation, and because of that it's really delayed the migration to IPv6 quite a lot and made a lot of people wonder whether there is really a need to move to IPv6. There is. It provides a much, much larger address field, as we'll see very shortly, and because of that we really do need to know what an IPv6 address looks like, how to work with them, and how to configure them on our devices. A lot of people get a little intimidated by them, so we're going to try and remove a little bit of that scary cloak, jump in, and work with them. So let's start right in. First, an IPv6 address is a 128-bit address. This is different from our IPv4 addresses, which are 32 bits. Remember, those are four sections of dotted decimal notation, where each decimal number represents an eight-bit octet. Now we have what are called hextets: because these are written in hexadecimal, we have four hexadecimal characters, each character representing four bits, so each hextet represents 16 bits, and the hextets are separated by colons. That is the standard notation for an IPv6 address. Now, IPv6 subnets and masks work exactly the same as in IPv4: your subnet mask is still written in CIDR notation. A /64 would really just mean there are 64 ones in a row; that is your subnet mask, and each of the ones means that the corresponding bit in the address is part of the network identifier as opposed to the host
identifier. It works exactly the same as IPv4; it's just bigger. Now, because it is so much bigger, we really need some rules so that we're not having to write out the full address every single time. There are a couple of rules. One, you can remove all leading zeros within a hextet. So, for example, in our second hextet here, where we have 0db8, the compressed version is db8; we do not write the leading zero, we just remove it. Second, if we have a run of contiguous all-zero hextets, we can, once per address, remove that run and replace it with just a double colon. Now, mind you, this is only once per address, and I'll show you shortly why: we need to be able to know how many zeros there are. Suppose you have two hextets of zeros, then 4567, then another run of zeros, and we were to replace both runs with a double colon. Then we wouldn't know whether there were two hextets of zeros on the left side or two on the right side; it could go either way. So because of that, we can only do the double colon trick once per address. Next, let's talk a little bit about how IPv6 addresses get assigned. Here in North America we've got ARIN, the American Registry for Internet Numbers. Now, with IPv6, because there are just so many addresses, it's likely that everything is going to have a public IPv6 address. However, there does exist a private address space, and this is your unique local space. We'll talk about that in a little bit, but to let you know, FC00::/7 is the unique local address space, and that is your private address space, analogous to our RFC 1918 IPv4 address space: the 10.0.0.0/8, 192.168.0.0/16 and 172.16.0.0/12.
The most common prefix length in IPv6 is going to be your /64; that's your subnet, your prefix, the /64 in CIDR format at the end of the address. Now, to give you a sense of just how many addresses there are out there, a /64 is even recommended on point-to-point links. You're wasting trillions, huge numbers of addresses, mostly because a /64 is compatible with EUI-64 stateless address autoconfiguration, where you can automatically generate your IPv6 address using your 48-bit MAC address. We'll talk about how that's done in a little bit, but that's why a /64 is recommended on a point-to-point link: mostly for ease of configuration. To give you a little sense of the hierarchy: we have ARIN in North America, and ARIN will generally assign an ISP a block of addresses. This will commonly be a /16 or /32. Then if the ISP has, say, a large enterprise customer that needs some addresses, and the enterprise comes to the ISP and says, yep, I need a block of IPv6 addresses, the ISP will generally offer them a /48 assignment. Now, mind you, this leaves 16 bits for IPv6 subnetting: if you want to do /64 subnets throughout your organization, as is recommended, then you have 16 bits to assign /64 subnets from. This isn't individual devices; this is actual subnets. That's something like 65,000 subnets available (65,536, to be exact). Huge numbers. So let's talk about our types of addresses. First, we've got our global unicast addresses. The ones you'll see start with 2001: (strictly, the whole global unicast range is 2000::/3). We'll talk about what a unicast is, as opposed to a broadcast or multicast, in just a moment.
But we did away with the broadcast in IPv6. There's just a more elegant way of handling a broadcast, which is a multicast that is addressed to everyone: a destination multicast address of all nodes, a multicast group that all nodes should be listening to. Now, as I mentioned, our unique local address space is your private IP address space, analogous to our RFC 1918 address space in IPv4, and this starts with FC00::/7. Next, your link-local address. Link-local is a special address. This is very much like your MAC address, honestly, because your link-local address is only for communication on your network segment; it cannot be routed at all. In your layer 2 domain, this is the address that you end up using. A router will not route a link-local address; it is not identifiable on the Internet, and it is not identifiable to other areas in your network. It is only for your layer 2 domain; it is just not routable at all. We have a formalized anycast address. Anycast addresses and global unicast addresses are actually the same; there is no differentiation between them. There is just a formal definition for anycast addressing in IPv6, whereas in IPv4 it was really just a bit of a hack to get it to work. Multicast: IPv6 is very, very heavy in multicast, and we'll talk about some well-known multicast addresses a little later. And your modified EUI-64. This is really important, because with IPv6 there is heavy usage of stateless autoconfiguration. I mean, in IPv4 we had those 169.254 addresses, the APIPA addresses, that really just meant that things aren't working correctly, right?
You can't really use that address to do much of anything. But in IPv6, you can actually use the autoconfigured address. You can use modified EUI-64 stateless autoconfiguration to create a globally unique address, an address that you can use to route across the Internet. I'll show you more about that when we go into the lab, as to how we end up creating that address, and I'll show you the theory here as far as how it ends up being put together. So, private versus public addressing. We talked about the link-local address here. This starts with FE80. This is only applicable and can only be used within your layer 2 domain, and it is not routable at all. Your link-local address also uses modified EUI-64 to be created. Now, the slide here is a little incorrect. If we have our MAC address, the way modified EUI-64 works is that you take the first 24 bits, the first three sections of your MAC address, then jam FFFE in the middle, and then put the second three sections of your MAC address after that. On top of that, the seventh bit from the left gets inverted. Remember, these are hexadecimal, so each character represents four bits. Our seventh bit from the left is in the second hex character. Let's take this section, which is 00000000 in binary. The seventh bit from the left gets inverted to a one, so our first character here is still going to be zero, but our second character is going to be a 2. So instead of fe80::0014 the address is going to be fe80::0214, and that is modified EUI-64. Now, your unique local address, which we talked about: this is your private IP address space. This starts with FC00::/7. It is intended to be globally unique but used only for local communication in your site or organization.
But it is just a private IP address space, like I said, analogous to your RFC 1918 address space. The reason I keep mentioning this is that I don't think I mentioned it in our IPv4 video at all: I've seen this question a lot on Cisco exams, asking what the RFC for the private IPv4 address space is, and it is RFC 1918. This is a really easy one, really low-hanging fruit. I would recommend just drilling that into your brain. And make sure you remember that our global unicast addresses start with 2001::/16 on the slide here; 2001 is what the global unicast addresses you'll see start with (the full global unicast range is 2000::/3). 2001:db8::/32 is a special address space reserved for documentation. So they didn't just use our private IP address space, the unique local range; they decided to create a whole separate range just for example documentation. So when you read white papers, when you read RFCs, when you read other documentation, you're going to see this 2001:db8 address space a lot, and the reason why is that it is a reserved range for example documentation and is only to be used for that purpose. Now, network address translation does exist in IPv6; you can do prefix translation. But it's a little debatable whether it's going to be used at all, because there are enough addresses that all of your devices can have publicly routable addresses, so there's just not much of a need for network address translation. So let's talk about anycast versus multicast. Anycast is one-to-closest, whereas multicast is one-to-many. Now, what does this mean? Let's talk about this very briefly. Let's say you've got your computer sitting out here connected to the Internet and you want to go over to Google. Google has the address shown on the slide, which for some reason has db8 in it.
I don't know why. But so that Google can get good serviceability, let's say you've got the world: North and South America, Europe, Africa, as best I can draw it. Google is going to have a server over here, and a server over here, and a server over here, and they make it so that they all have the same IP address. Depending on where you are, you will end up going to the physically closest one, or really your logically closest one, whichever one you get to with the least latency, whichever one responds first. That's because of the formal anycast definition in IPv6; in IPv4 we used BGP to get anycast to work, so that you can have servers around the world that all have the same IP address, and whichever one responds first, or whichever has the lowest cost, is the one that you end up connecting to. Now, as far as multicast, this is kind of like a radio frequency that you tune into to be able to receive the stream that's going across on that multicast group. Here are some well-known multicast addresses; I would commit these to memory. FF02::1: this is basically your broadcast, going out to all IPv6 nodes. FF02::2: this is going out to all IPv6 routers; all of your routers that are IPv6 capable and have IPv6 unicast routing enabled will be tuning into this multicast address. FF02::5: all OSPFv3 routers for IPv6. FF02::A: all EIGRP routers for IPv6. Memorize these; they are the well-knowns that you should definitely be aware of. There may be a question asking which IPv6 multicast address all OSPF routers will be listening to, and you'll need to know it's FF02::5.
Your general multicast range, as far as just multicast addresses for IPv6, is FF00::/8. So let's jump on over to the lab for a few moments and get into configuring some IPv6 addresses before we jump off. Here we've got a pretty basic topology, just three routers. What I want to show you is our modified EUI-64 address creation and how this can happen with router advertisements and router solicitations. Router 2 here is the one that's going to be giving our router advertisements. R1 and R3 are probably going to ask for that with a router solicitation, sending an IPv6 packet to FF02::2, the all-IPv6-routers multicast address, saying: any IPv6 routers out there, please send me your router advertisement. The router advertisement carries the prefix that the host can use to generate its IPv6 address using modified EUI-64, and I'll show you where it uses the MAC address as well. I have all three of these turned on right now and have done zero configuration on them. So let's get Router 2 configured first, and then we'll go over to Router 1 and Router 3. Jumping right in at the very beginning: no, we don't want to do the initial configuration dialog. This is hanging on us just a little bit here. There we go. This "device reports an error" message I've seen often here; I have not found a problem with it, though I may need to replace my image for this router. So first, hostname R2, then interface fastethernet 0/0. First let's do a no shutdown, then ipv6 address 2001:db8:12::2/64. The 12 is because this link is between Router 1 and Router 2, and the ::2 is because this is Router 2. Then exit.
And we actually need to turn on IPv6 routing here, so that command is ipv6 unicast-routing. Then go to interface fastethernet 0/1 and ipv6 address 2001:db8:23::2/64; the 23 is because this is between Router 2 and Router 3, and ::2 since we're on Router 2. And we need to do a no shutdown. There we go. So let's jump on over to Router 1. We just got Router 2 configured: fa0/0 is on the 2001:db8:12::/64 prefix and fa0/1 is on the 2001:db8:23::/64 prefix. Over on Router 1: no, we don't want to do the initial configuration dialog. hostname R1, then interface fastethernet 0/0. Here I want to set the IPv6 address to autoconfig. I want to show you that it's going to autoconfigure both a link-local address and, using the router advertisement, what would be a global unicast address (it's in the documentation range, since it's 2001:db8). So we do ipv6 address autoconfig and end. Actually, let's go back into that interface and do a no shutdown. I'll show you real fast once this comes up. There it goes. Now, if we do a show ipv6 interface brief, we've got our link-local address, created using modified EUI-64, and we've got our global unicast address on the 2001:db8:12:: prefix, also using modified EUI-64 to generate the interface identifier. To show you where that came from, if we do show interfaces fastethernet 0/0, our MAC address is ca01.195a.0008, and the interface identifier in the IPv6 addresses starts with c801. So let's go through that real quick, CA versus C8. Back over to the PowerPoint so I can draw this out. C is a hexadecimal digit, right, 0 through 9 and then A through F, so counting A, B, C from 10 gives C a value of 12.
With the four places 8, 4, 2, 1, to get 12 we turn on the 8 and the 4: C is 1100. A is 10, which is 1010. So CA is 1100 1010. Our seventh bit from the left needs to be inverted: 1, 2, 3, 4, 5, 6, 7, boom, this bit gets inverted to a zero, and we've got 1100 1000. If we split these up, we've still got our C, but now the second digit is 1000, which is 8. So this turns into C8 rather than CA. I just wanted to show you how that was done. Now, real quick before we end here, let's jump over to Router 3. I want to do the same thing, but then bring up Wireshark and show you how this happens. Whoops, no, we do not want to go through the initial configuration here. Actually, it's going to be a little easier if we just restart the router, so let's do that: go over here, reload, and jump back in. All right, here we are back. This has restarted, so we're going to skip the initial configuration. Would you like to terminate autoinstall? Yes. Let's go ahead: enable, set our hostname to R3, interface fastethernet 0/1 (let me make sure that's the correct one; yes, fa0/1), and then ipv6 address autoconfig. Now, before we do a no shutdown here, I want to start a capture right there between R2 and R3. Since the interface is shut right now, we don't have a whole lot going on. So if I go back over to R3, do a no shutdown, and jump back over to our capture, we've got our neighbor solicitations and advertisements, and now I'll stop the capture. I want to show you what was going on here. We actually didn't get a router solicitation.
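As an added example (not part of the course), here is the modified EUI-64 construction from the slide and the lab carried out in Python: split the 48-bit MAC in half, insert ff fe, and invert the seventh bit from the left, which is bit 0x02 of the first byte. The MAC ca01.195a.0008 is the one shown on R1's fa0/0 above, and the result reproduces the c801:19ff:fe5a:8 interface identifier the router displayed; the 0014.2233.4455 MAC is constructed to illustrate the 0014 to 0214 case from the slide. The prefix-joining helper assumes the advertised prefix is written with a trailing "::" and a /64 length, which is the form the lab uses.

```python
# Added example (not from the course): modified EUI-64 interface identifier
# from a 48-bit MAC, as used for link-local and SLAAC global addresses.
import re


def parse_mac(mac):
    """Accept 'ca01.195a.0008', 'ca:01:19:5a:00:08' or 'ca-01-19-5a-00-08'."""
    digits = re.sub(r"[.:\-]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return bytes.fromhex(digits)


def modified_eui64(mac):
    """Return the 64-bit interface identifier as 8 bytes: the first 3 MAC bytes,
    then ff fe, then the last 3 MAC bytes, with the 7th bit from the left
    (the universal/local bit) inverted."""
    m = bytearray(parse_mac(mac))
    m[0] ^= 0x02          # bit 7 counting from the left of the first byte
    return bytes(m[:3]) + b"\xff\xfe" + bytes(m[3:])


def iid_hextets(iid):
    """8 bytes -> four hextets with leading zeros dropped, e.g. ['c801', '19ff', 'fe5a', '8']."""
    return [f"{(iid[i] << 8) | iid[i + 1]:x}" for i in range(0, 8, 2)]


def link_local(mac):
    """fe80::/64 plus the modified EUI-64 interface identifier."""
    return "fe80::" + ":".join(iid_hextets(modified_eui64(mac)))


def slaac_address(prefix, mac):
    """Join an advertised /64 prefix written like '2001:db8:12::/64' with the EUI-64 IID."""
    net, plen = prefix.split("/")
    if plen != "64" or not net.endswith("::"):
        raise ValueError("expected a /64 prefix written with a trailing '::'")
    left = net[:-2].split(":") if net != "::" else []
    if len(left) > 4:
        raise ValueError("a /64 prefix has at most four hextets before '::'")
    # '::' must stand for at least one zero hextet; with four explicit hextets there is none
    sep = ":" if len(left) == 4 else "::"
    return ":".join(left) + sep + ":".join(iid_hextets(modified_eui64(mac)))


def looks_like_eui64(iid):
    """The tell-tale of an EUI-64 interface identifier: ff fe in the middle."""
    return len(iid) == 8 and iid[3:5] == b"\xff\xfe"


if __name__ == "__main__":
    mac = "ca01.195a.0008"                          # R1's fa0/0 MAC from the lab
    print(link_local(mac))                          # fe80::c801:19ff:fe5a:8
    print(slaac_address("2001:db8:12::/64", mac))   # 2001:db8:12::c801:19ff:fe5a:8
    print(modified_eui64("0014.2233.4455").hex())   # constructed MAC: 00 -> 02
```

One practical consequence worth remembering: because the MAC is recoverable from the interface identifier, EUI-64 addresses reveal the hardware vendor and can be used to track a host across networks, which is why most hosts now default to randomized (RFC 4941) interface identifiers instead.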
We just got a router advertisement, where our router advertised out to all nodes what prefix we are on so that we could do our stateless autoconfiguration. And then we got a neighbor advertisement: once we did our autoconfiguration, we sent an advertisement out to all nodes saying, here I am, I have this IPv6 address. Now, just like the others, let's go through a couple of practice questions before we end off here. First: what is the most compact representation of the following IPv6 address, 2001:db8, then a hextet of zeros, then cafe, then a run of all-zero hextets, then 1234, as written on the slide? Remember, one: we already did a little bit of compaction here, in that we took out the leading zero from the db8 hextet. We know that we can remove leading zeros, and that's already done in all of our answers. Second, we can remove one contiguous run of all-zero hextets and replace it with a double colon, once per address. Now, I also didn't say this explicitly, but when a hextet is all zeros you can drop its leading zeros down to a single 0; you still need that one zero there, because you can only do your zero compression with the double colon once. So the first answer doesn't work, because we have the double colon twice and we don't know how many zeros are in each of those spaces. There could be one hextet of zeros over here on the left and three hextets of zeros on the right; we just don't know. B is a valid way to write this address: we have one double colon, we removed our leading zero, but we still have the other zero hextets written out, so this is just not the most compact representation. And D: if we go down to D, this would be correctly formed, but we're missing a hextet. There's the double colon here, but then there's a zero here, and we're just missing a hextet. This is just not the full address.
It would be a full address, it's just not correct: this says that there would be one additional hextet of zeros up in the left portion. D is a correct representation of the wrong address; it's not this address that it's representing. And C, this will be our correct answer: we've removed the leading zeros in each of those hextets, as seen with our db8, and we've replaced the run of contiguous zeros with a double colon. Our answer is C. And then: which of these IPv6 addresses is a link-local address generated using modified EUI-64? First off the bat, link-local addresses are our FE80 addresses. So right away we can get rid of B and D, since those do not start with FE80 and are not link-local addresses. Now, as far as A and C, we're looking for one that was generated using our modified EUI-64 method. The way you can tell this right away is whether it has FFFE in the middle of the interface identifier. Since we don't know what the MAC address of the device generating this link-local address was, we can't really say for sure whether C is a valid one or not, but we do know that the method has to put FFFE in the middle. So we know that the answer here is A. I hope this has been informative for you, and I'd like to thank you for viewing.
10. 1.8 Comparing TCP and UDP: TCP and UDP, connection-oriented versus connectionless protocols. TCP and UDP are protocols that live up at layer 4. Recall that layer 1 is our physical layer; layer 2 is our data link layer, which is where MAC addresses and things like ARP live; layer 3 is our network layer, where things like IP, the Internet Protocol, live; and then layer 4 is transport, where TCP and UDP live. TCP is the Transmission Control Protocol and UDP is the User Datagram Protocol. The big difference between the two: TCP is connection-oriented.
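As an added example (not part of the course), here are the two compression rules from this lesson, and the "only once" restriction behind the first practice question, implemented in Python: expand_ipv6 rebuilds all eight hextets and rejects any text with more than one "::" (the ambiguity explained above), and compress_ipv6 produces the most compact form by dropping leading zeros and replacing the longest run of two or more all-zero hextets with "::". The tie-break and the rule that a lone zero hextet is written as 0 rather than "::" follow RFC 5952, which goes slightly beyond what the slide states. The sample addresses are constructed for the example.

```python
# Added example (not from the course): expanding and compressing IPv6 addresses
# by the two rules above, and rejecting text that uses '::' more than once.
HEX = set("0123456789abcdefABCDEF")


def expand_ipv6(addr):
    """Return the eight 4-digit hextets of addr, or raise ValueError."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once per address")
    if ":::" in addr:
        raise ValueError("three colons in a row is not valid")
    if "::" in addr:
        left, right = addr.split("::")
        left_parts = left.split(":") if left else []
        right_parts = right.split(":") if right else []
        missing = 8 - len(left_parts) - len(right_parts)
        if missing < 1:
            raise ValueError("'::' must stand for at least one all-zero hextet")
        parts = left_parts + ["0"] * missing + right_parts
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 hextets, found {len(parts)}")
    if not all(1 <= len(p) <= 4 and set(p) <= HEX for p in parts):
        raise ValueError("each hextet must be 1 to 4 hex digits")
    return [f"{int(p, 16):04x}" for p in parts]


def is_valid_ipv6(addr):
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


def compress_ipv6(addr):
    """Most compact form: drop leading zeros, then replace the longest run of
    two or more all-zero hextets (leftmost on a tie, per RFC 5952) with '::'."""
    hextets = [f"{int(h, 16):x}" for h in expand_ipv6(addr)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if hextets[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and hextets[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                       # a lone zero hextet stays written as '0'
        return ":".join(hextets)
    left = ":".join(hextets[:best_start])
    right = ":".join(hextets[best_start + best_len:])
    return f"{left}::{right}"


def same_address(a, b):
    """Two spellings name the same address when their expansions match."""
    return expand_ipv6(a) == expand_ipv6(b)


if __name__ == "__main__":
    # constructed inputs in the spirit of the practice question
    print(compress_ipv6("2001:0db8:0000:cafe:0000:0000:0000:1234"))   # 2001:db8:0:cafe::1234
    print(compress_ipv6("2001:db8:0:0:1:0:0:1"))                       # 2001:db8::1:0:0:1
    print(is_valid_ipv6("2001:db8::cafe::1234"))                       # False, '::' twice
```

The same_address helper is the check a practitioner actually needs when matching addresses in logs or ACLs: compare canonical expansions, never raw strings, since "2001:db8::1" and "2001:0db8:0:0:0:0:0:0001" are the same host.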
UDP is connectionless. We'll talk about that a little more in a while. First, let's go into an introduction to TCP. Here on the right we've got our packet of data. Your TCP header is between 20 and 60 bytes long; it can be up to 60, but the minimum size is 20. Down here we have the parts of the header, and this is very good to be familiar with. It may not be necessary for the exam, but it's very good to know what kind of information is included in the TCP header, and that will help reinforce why UDP would be used in some circumstances over TCP and vice versa. So TCP includes, of course, the source port and the destination port. Both of these are 16-bit fields in the header (the source and destination IP addresses are carried in the IP header, not in the TCP header). TCP includes a sequence number that is randomly generated by the transmitter, and we'll go over that in a little bit, and it includes an acknowledgement number to acknowledge the sequence number. That's how TCP is a connection-oriented protocol: it requires acknowledgements. It requires the other side to acknowledge that it did indeed receive that previous packet and that the packet had a valid checksum, so that as far as we're concerned we can say the packet was received unaltered and was okay. Now, this does not provide authentication like IPsec or anything like that. This is just a basic check, like a CRC, to make sure that the packet was received and not corrupted in some way. Then we have our flags: URG for urgent, ACK for acknowledgement, PSH for push, RST for reset, SYN for synchronize, and FIN for finish. Urgent is telling the other side: go ahead and process this packet right away, do not wait for the others in the buffer. ACK is just saying that this packet is an acknowledgement. Push is also a very similar kind of thing
to urgent, in that it's telling the higher-level protocol: go ahead and process this packet right away and don't wait for the others. Reset is resetting the connection. It's saying that if you had a SYN, SYN-ACK, ACK, if you had that three-way handshake going and you were getting your data going back and forth, reset says: nope, the connection is no longer open; go ahead and close it, and you will have to re-initialize. Then you have your SYN, to synchronize. It's your request to synchronize from one host to the other, saying: please, I would like to synchronize with you. The other host might reply back with a SYN and an ACK, saying: yes, I want to synchronize with you, and I'm acknowledging that I received your synchronization request. And FIN goes at the very end of your conversation, to say we are finished and this is being closed. Now, window size. The way a window works is that TCP allows for the transmission of a lot of data without necessarily having to get an acknowledgement back for each segment. This is really great when you're on higher-latency links, that is, high latency but not necessarily high loss, where you have the ability to get a lot of traffic going back and forth but the latency, the time it takes for that traffic to get from one host to the other, is a long period of time. You don't want to have to send a bunch of data, wait for the acknowledgement to come back, send a bunch more data, wait for the acknowledgement to come back, and so on. Instead, you can have a relatively large window size, where you can send data, bunch after bunch, up to the size of your window, and at that point, that agreed-upon size, the other side sends a quick acknowledgement back, and then you send another window's worth of data over as well. That can help in that circumstance.
Now, TCP has a sliding window, such that if it misses a packet somewhere in that window and the receiver sends a reply back saying, nope, I did not receive that, so that its acknowledgement does not acknowledge the full window, then the sender will significantly shrink that window size and only send a very small amount of data. The window will then slowly get larger and larger, so that it can take advantage of your link and not have the overhead of sending acknowledgements back and forth for every segment. Now, as far as the flags, like I described: urgent says process this packet before any non-urgent packets, go ahead and process this first. Your acknowledgement is acknowledging receipt of a packet, using your acknowledgement number. Your push says process the packet immediately, do not buffer it. RST resets the connection. Your SYN, synchronize, and your SYN-ACK: these are the really common ones that you'll see a lot, along with your push and your reset. And then your FIN comes at the end of your conversation, when you have no more data to send. These are all in your flags field; they are one-bit flags, and there are six bits here in the classic flag set (newer TCP stacks also use the CWR and ECE bits next to them for explicit congestion notification). If one of those bits is turned on, it indicates that that flag is active, and we'll take a look at that when we look at a Wireshark capture a little later. I wanted to go over, as I mentioned, the SYN, SYN-ACK, ACK three-way handshake. That's really what makes TCP so awesome and connection-oriented: the fact that it relies on this three-way handshake. The way this ends up working is that you have some sender, some initializer of the connection, and some receiver. This could be two laptops, or this could be a web server over here, say a web server that has Google on it, and you are reaching out to Google and you want to get Google's home page.
What you're going to do first is send a SYN packet, a synchronization request, with the SYN flag set on that packet. Google is going to receive that and say: yup, I am indeed listening on that destination port number that you had there. I'm going to send back a SYN-ACK: I'm going to accept it, I'm going to send my own SYN, and I'm going to acknowledge your SYN with my acknowledgement. Now, this is sent back (let's go back for a moment) to the source port and address that were in your initial SYN. That, of course, is how networks with network address translation work: that source port number is how port address translation identifies your internal address. But moving past that, the server sends the SYN-ACK back to that source port and address. You receive that: you received an acknowledgement of your SYN, and you also received a SYN. So you send back an acknowledgement saying, yes, I did successfully receive your SYN. You now have a connection open and you can proceed with data transfer. This confirms reliable two-way communication, making sure that one side can actually hear the other before you start transmitting data, and that's what makes it connection-oriented. This is the primary difference between TCP and UDP, the User Datagram Protocol. Your UDP header is only eight bytes (not eight bits): you have 16 bits for your source port and 16 bits for your destination port, then the length of the UDP datagram, which is a 16-bit field, and then a 16-bit checksum, and that's it. You won't have anything else: no flags, none of that. UDP is really just an absolutely minimally sized header to be able to send a datagram, to send data out there and stream it, with very, very little overhead.
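As an added example (not part of the course), the header layouts and the three-way handshake described above are modelled in Python with the struct module: build_tcp_header and parse_tcp_header cover the 20-byte fixed header, the data offset that lets it grow to 60 bytes with options, and the six flag bits; the UDP functions show that there really are only four 16-bit fields; and three_way_handshake produces the SYN, SYN-ACK and ACK with each acknowledgement number equal to the peer's sequence number plus one, which is what the Wireshark capture later in this lesson shows. The port numbers and sequence numbers are constructed for the example (0xC5F384BC is the raw client sequence number read from that capture); the MSS option value 1460 is a common default but is likewise only an example.

```python
# Added example (not from the course): build and parse the TCP fixed header and the
# 8-byte UDP header with struct, then walk through the SYN, SYN-ACK, ACK exchange.
import struct

# Flag bits in the TCP flags byte (low six bits; CWR/ECE sit in bits 7 and 6).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_ORDER = (("URG", URG), ("ACK", ACK), ("PSH", PSH), ("RST", RST), ("SYN", SYN), ("FIN", FIN))
TCP_FIXED = "!HHIIBBHHH"   # sport, dport, seq, ack, offset/reserved, flags, window, csum, urg ptr


def build_tcp_header(sport, dport, seq, ack, flags, window=65535, options=b""):
    """20-byte fixed header plus optional 32-bit-aligned options (60 bytes at most)."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = 5 + len(options) // 4          # header length in 32-bit words
    if data_offset > 15:
        raise ValueError("TCP header cannot exceed 60 bytes")
    fixed = struct.pack(TCP_FIXED, sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                        data_offset << 4, flags, window, 0, 0)   # checksum left 0 here
    return fixed + options


def parse_tcp_header(raw):
    """Decode the fixed header; refuse data offsets outside the 20..60 byte range."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off, flags, window, _csum, _urg = struct.unpack(TCP_FIXED, raw[:20])
    hlen = (off >> 4) * 4
    if not 20 <= hlen <= 60 or hlen > len(raw):
        raise ValueError(f"bad data offset: header length {hlen}")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": hlen, "window": window,
        "flags": [name for name, bit in FLAG_ORDER if flags & bit],
        "options": raw[20:hlen],
    }


def build_udp_header(sport, dport, payload_len, checksum=0):
    """UDP: two ports, total length (header + payload), checksum. Eight bytes, nothing else."""
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, checksum)


def parse_udp_header(raw):
    if len(raw) < 8:
        raise ValueError("UDP header is 8 bytes")
    sport, dport, length, checksum = struct.unpack("!HHHH", raw[:8])
    return {"sport": sport, "dport": dport, "length": length, "checksum": checksum}


def respond_to_syn(syn_hdr, listening_ports):
    """Flags a host sets in reply to a SYN: SYN+ACK if the port is open, RST+ACK if closed."""
    if "SYN" not in syn_hdr["flags"]:
        raise ValueError("not a SYN segment")
    return SYN | ACK if syn_hdr["dport"] in listening_ports else RST | ACK


def three_way_handshake(client_isn, server_isn, cport, sport):
    """Return the three parsed headers; each ACK acknowledges the peer's SYN as seq + 1."""
    syn = build_tcp_header(cport, sport, client_isn, 0, SYN,
                           options=b"\x02\x04\x05\xb4")          # MSS option, 1460 bytes
    synack = build_tcp_header(sport, cport, server_isn, client_isn + 1, SYN | ACK)
    ack = build_tcp_header(cport, sport, client_isn + 1, server_isn + 1, ACK)
    return [parse_tcp_header(p) for p in (syn, synack, ack)]


if __name__ == "__main__":
    # constructed numbers; 0xC5F384BC is the raw client ISN seen in the capture in this lesson
    for h in three_way_handshake(0xC5F384BC, 0x0A58040F, 56565, 3080):
        print(h["flags"], hex(h["seq"]), hex(h["ack"]), "header bytes:", h["header_len"])
    print(parse_udp_header(build_udp_header(5060, 5060, 160)))
```

The data-offset check in parse_tcp_header is the kind of bound a real parser must enforce: a crafted offset smaller than 5 or larger than the captured bytes is a classic way to make a sloppy decoder read outside the segment.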
And that's really where you would want to use UDP: if you don't really care about the reliability of that stream, if you just want to send the data out there and you don't necessarily care if the other side receives it or not, because you don't want the overhead of having to check that and open up a connection, then you would use UDP. A big place where this is used very commonly is in VoIP: the individual packets with your little tiny bits of audio that are being streamed out from your server over to your phone here (I can't really draw a phone, but anyway, over to your phone here) are sent with UDP. All of those go through that way because it wants as minimal overhead as possible. Eight bytes, right? A lot less than that 20-byte minimum that we saw with TCP, and up to 60 bytes if you end up having more information there.

Now, I did go ahead and take a Wireshark capture a little earlier, and I wanted to show you what the three-way handshake looks like. This actually is traffic going between my GNS3 server and my laptop that I'm recording this on: .2.110 is my laptop and .2.80 is my GNS3 server. Here we can see, up at the top, we've got our SYN packet. We can see that in the Info column right here, but also, if we go down here and drill in a little bit, we can see this has the SYN flag set, and only the SYN flag. And then our next packet... well, actually, this has a source IP address and a source port number of 56565 as our port number, and our source address ending in .2.110. I was getting that from the top up here, but we can also see it right here: the source port is 56565 and the destination port is 3080, and this is TCP. Now, when that GNS3 server, .2.80, receives that, it's going to send back its SYN-ACK. So up here in our TCP header, we have our SYN and ACK flags that we can see.
Our SYN flag is set and our acknowledgement flag is set. You can go down here a little more, and this is saying here under Expert Info: connection established, acknowledge SYN-ACK for server port 3080. Saying yes, I am listening on 3080, let's go ahead and complete this handshake, you are allowed to send me data. So then we receive that back and send our acknowledgement for that SYN. Now, let's go through real quick; I want to show you the sequence numbers and the acknowledgement numbers here. This guy sent it off here with a sequence number of zero. This is a relative sequence number that Wireshark ends up giving us for this particular conversation. We can see here, here's the sequence number: C5F384BC. That's a very large number; it's an arbitrary and randomly generated number. When we have our SYN-ACK here, the acknowledgement number is acknowledging that guy, which we can actually see here: if we go to our sequence number, you can see it, C5F384BC. Our acknowledgement number is incremented by one, C5F384BD, so we're acknowledging that plus one, and it is our first acknowledgement, which is a relative acknowledgement. The sequence number here is also a randomly generated number from the other side; here it's A58040F, and that sends that back. Now, I really just want to show you the three-way handshake here, the SYN, SYN-ACK, ACK. From here we've got a PSH-ACK and an ACK, and then it's just sending data back and forth. Here we've got our HTTP data; it actually sent an HTTP GET request over to the server once that was all finished.

But just like the other sections, let's jump through a couple of practice questions before we finish off here. First up: upon a web server receiving a TCP packet with the SYN flag on port 80, what flag or flags will be set in the response packet? Now, a web server...
We're going to assume here, since it is a web server, that it is listening on TCP port 80, because that is for HTTP. And also, a little note: you should already know this, but TCP 443 is HTTPS. Since it is listening on port 80, it should accept this packet and begin to set up that three-way handshake. So it is going to send back an acknowledgement to that SYN that was received, and it's going to send its own SYN back as well. So we'll have both the SYN and ACK flags set. The answer here will be C. And finally: you are configuring a remote access VPN and want to minimize the amount of overhead in the data streams. Which protocol should you choose for the VPN to use? Now, we had talked about how TCP has a minimum header size of 20 bytes. UDP only has a header size of eight bytes, way smaller, right? The answer here, to minimize our overhead, is going to be A, UDP. Now, I hope that this has been informative for you, and I would like to thank you for viewing.

11. 1.9 Wireless Principles:

In this section, we're going to go through some of the fundamentals that 802.11 uses for wireless communication, mostly as it pertains to radio frequencies and how they interact with the environment. We're going to get a lot more into the configuration and architecture of a wireless deployment in a network environment a little later in the course. But here we'll go through radio frequency principles so that we can understand a little more about how wireless interacts with the world around us. Most network engineers aren't really aware of how wireless works; they know how to configure it, they have this idea that you put a password on the router and things of that sort, but they don't really understand the types of factors that you need to take into account when you're planning a wireless deployment or positioning a wireless access point. Those are the kinds of things we're going to be talking about here.
So let's first start in our slide here, RF principles. Of course, wireless communication uses radio frequency signals, and RF signals are electromagnetic waves. You don't really need to know exactly what that means, but here I have a chart showing where the different frequency ranges are, and the ranges that we're using for our wireless communication here are the 2.4 and 5 gigahertz ranges. I'm sure you've seen that before when you're configuring wireless: 2.4 and 5 gigahertz is where our Wi-Fi ends up taking place. To give that a little bit of perspective, we have down here TV, FM radio and AM radio in the megahertz ranges, and then all the way up here we've got our visible light spectrum way up in the terahertz and petahertz range, and X-rays and gamma rays way up here in the exahertz kind of range. Now, I hope you understand what a frequency is. It's a descriptor of something cyclical, saying how many cycles that process goes through per second; one hertz is once per second. So if you have a radio frequency, or electromagnetic wave, that looks like this, from peak to peak (and by the way, this is called a trough and this is called a peak), if from peak to peak is one second, then this would be one hertz. If this, however, was one millionth of a second (I don't really know how many zeroes that is off the top of my head at the moment), one millionth of a second, this would be one megahertz, for it's happening one million times per second. So something to keep in mind is that radio frequency waves do have energy loss even when there are no obstructions, due to free space path loss. The further away you are from an access point, the weaker the signal will be. That is just the nature of the propagation of the electromagnetic waves. There are other things that can get in your way, such as walls and other obstructions, and this causes a decrease in amplitude.
Specifically, there's an energy loss in the obstruction; the energy gets transferred into heat in the actual obstruction, in your wall or in your cabinet, what have you, and the wave comes out on the other end with a decreased amplitude. That causes a degraded signal, and your receiving device is not able to interpret it as well because of the degraded signal. There is something we're going to talk about a little more in the next slide as well: reflection. Reflections are actually something really important that play a bigger role here than you might even realize. They do not cause a change in amplitude, but they can cause multipath interference. What does this mean? It means, say we have the ceiling up here, we've got our cabinet here, and say you've got your laptop over here; I'll say the laptop is a little higher, let's say it's actually up here, and we've got our laptop here. So then you've got your access point emanating your waves. Those waves are going to go up to your ceiling and reflect. Some of it will reflect and come down; some of it will continue going and end up as a degraded signal on the other side due to the material absorbing it. Part of it here is going to reflect off of your cabinet; it's going to come here, reflect off and go over to your device in that manner. You now have two paths here that your same signal will be taking, and depending on how far away these are, those paths might not be exactly the same length. This is where the problem comes in: when your signal arrives at the destination at different times, depending on what that time is in relation to your frequency, how out of phase it is (we'll talk a little bit more about what phase means in just a moment), depending on how out of phase it is, it can either amplify the signal and cause you to get a better signal, or it can cause a significant decrease in the signal.
They can just cancel each other out if they are completely out of phase, which is why you might be next to somebody who has a good signal while your computer, for whatever reason, has almost no signal. You may be at the mercy of reflection, of multipath interference here. So let's talk a little bit more about that in the next slide. With multipath, as I showed here, we've got our obstacle, our cabinet, and we've got our receiving device, our laptop, and the ceiling. We have two paths here, one going that way and one going that way, and the one going to the ceiling is a little longer, and it may be long enough that we end up out of phase. Now, these charts here show your signal, right, your frequency, and the middle line here is to give you a reference point for how these line up in time, where the X axis is time. An in-phase signal is when it arrives, and it doesn't necessarily need to arrive at the same time, but it needs to arrive in phase. So if it arrives one wavelength later, it is actually just off by one full cycle (not one hertz, because hertz is per second, but one full cycle), and then they can be in phase. When they're in phase, these guys add together, and you end up with a signal that has twice the amplitude, or both of those amplitudes added together, and you end up with a better signal, a better amplitude in your signal there. If they are 90 degrees out of phase, then you're going to end up with some degradation there; these guys are a little out of phase, and you add them together. So here, right where this line is meeting up, we've got the length here between the axis and the peak, and we've got the length here between the axis and the peak. Now, this then ends up actually meaning that you end up with a little bit better of a signal; they will add together a little bit.
But the sense of it not being so good is that as your time goes on, say like here, where we've got a little bit negative and here we're a little bit in the positive, that actually just about cancels out right there, and you would run into problems at certain points during your signal here that will cause some interference. And if it is 180 degrees out of phase, then they are completely out of phase and cancel each other out: you've got your full length here and your full length here in the positive and the negative, and they will just cancel each other out. So depending on how out of phase they are, you might run into some problems there. This chart over here is giving a very similar kind of information; these two lower ones are your primary and your reflected signals, and this larger one here is showing what your resulting signal would be in that case.

So, moving on to this concept of interference and signal, and now introducing a new word, noise: I want to talk about our signal and noise, how these are measured, and what types of units you see for this. So signal, RSSI, is how that's measured. It is relative signal strength index, and it is measured in decibel-milliwatts, abbreviated as dBm. Now, decibels are a logarithmic measurement, and for our RSSI it is measured in relation to milliwatts. RSSI is a negative value, and the closer to zero, the better. So if I have an RSSI of negative 30 dBm, that is better than negative 40 dBm, and similarly a negative 20 dBm RSSI value is better than negative 30. Our signal-to-noise ratio is calculated by our RSSI value minus our noise floor, and our noise level is going to be in the same measurement.
We can see here in this chart we've got an average noise level of maybe about right here, and we've got an average signal level of maybe right here, and our signal-to-noise ratio is this area right here, the distance between the two, which would be our RSSI minus our noise level. That gives us that value, and that is your signal-to-noise ratio, which you'll see in some applications when you go ahead and take a look. There's an application called inSSIDer, i-n-S-S-I-D-e-r. inSSIDer is an application that tries to show you the networks that are around, what is interfering with what, and how strong your signal is, so you can get a better sense of where interference is mostly coming from. This will give you a value for your SNR, your signal-to-noise ratio, and this is how that is calculated. Moving on a little bit into our standards, now that we understand a little bit more about signal and how that's measured, in decibel-milliwatts, something to note is that a change of three decibels, whether that's plus or minus three decibels, is a change of about times two. So if I have an increase of three decibels, if I go from negative 30 dBm to negative 27 dBm, then that means that my signal strength is now approximately two times what it was at negative 30. Negative 27 is approximately two times the signal strength of negative 30. It's something a little weird to get used to, but that is how that works.

So, our wireless standards: you know, there have been a lot of them. I'm sure you recall we've got 802.11a, b, g, n and the newer ac, and then coming out soon is also ax, which we're not going to talk about here. But I wanted to go through these standards a little bit and show you what frequency they operate at.
802.11a is a 5 gigahertz frequency that was released back in 1999, and at the same time 802.11b was also released at 2.4 gigahertz. Our higher frequency has a lower amount of penetration; it cannot get through objects as well as our lower frequency. So we also get a longer amount of distance with our lower frequency, but as you can see right here, we're sacrificing our max throughput: we don't have nearly the amount of throughput available with our lower frequency, 11 megabits with 802.11b but 54 with 802.11a. A little while later, 802.11g was released, which brought 54 megabits to the 2.4 gigahertz spectrum, being able to get us faster speeds a little farther away from our access points. Then moving on up, we had 802.11n, which is available in the 2.4 and 5 gigahertz area, and this provided speeds of up to 600 megabits. Then ac gives us gigabit speed, up to 2.3 gigabits, and this operates only at the 5 gigahertz range. Now, the 2.4 gigahertz range is the ISM frequency range, and 5 gigahertz is UNII; that is the abbreviation for the frequency range that is set aside for wireless communication in that area. Now, ISM provides three non-overlapping frequencies, and they are 22 megahertz wide. What does this mean? I'm sure you know that there are a lot of channels available, right; when somebody says that you would change this from channel 6 to 11 or something along those lines, there are actually 14 channels in the 2.4 gigahertz area that are 22 megahertz wide. This chart here shows where those channels lie in the ISM band. There are three non-overlapping, and they are channels 1, 6 and 11. Those are where you'll want to clump your devices and make sure that they're broadcasting on 1, 6 or 11, so they don't interfere with other access points or receive interference from other access points.
I mean, sure, you could pick channel 3, but you're going to get interference from anything around that's broadcasting on channel 1 or channel 6. You're going to get a lot of interference there and have the potential for much degraded performance because you're using channel 3 instead of 1 or 6 or 11. The way wireless controllers end up working is that they'll try and spread out your access points to make sure that they're alternating on 1 and 6 and 11, so that if you have access point, access point, access point in the same room, this guy is broadcasting on channel 1, this guy is broadcasting on channel 6, and this guy is broadcasting on channel 11. And then say you've got another access point here; we added an access point right there, and he'll go ahead and broadcast on channel 1, right, so that you have minimal interference between your access points. Your controller should be the one taking care of that for you, but it's a good thing to keep in mind in the event that you need to configure this yourself.

So, moving on a little bit into our SSID. I'm sure you've heard a lot of people talk about SSIDs, or you've seen that before and configured it yourself. An SSID is, of course, the name of your wireless network. It equates to a VLAN on the wired network, and Cisco does recommend that you have one SSID per VLAN. It doesn't make much sense to have multiple SSIDs corresponding to a single VLAN, because typically your SSIDs will have different security requirements, and why would you want different security requirements to get onto the same network segment, into the same VLAN? Your SSID can be between 2 and 32 characters long, as defined in the standard. And something to note that I've seen come up on exams before: at layer 2, Wi-Fi, 802.11, uses CSMA/CA. What is that? That's carrier sense multiple access with collision avoidance.
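The RF arithmetic from the last few slides (dBm and the 3 dB rule, SNR as RSSI minus noise floor, what a reflected path adds to or subtracts from the main signal at a given phase offset, and why 1, 6 and 11 are the non-overlapping 2.4 GHz channels) is collected in this added Python example; it is not part of the course. The channel center frequencies (2412 MHz for channel 1, stepping 5 MHz up to channel 13, and 2484 MHz for channel 14) and the 22 MHz channel width are the standard 802.11b/g values; the equal-amplitude two-path model is a simplifying assumption.

```python
"""Added example (not from the course): the RF arithmetic from this section."""
import math


def dbm_to_mw(dbm: float) -> float:
    """dBm is decibels relative to one milliwatt: P(mW) = 10^(dBm/10)."""
    return 10 ** (dbm / 10)


def db_change_ratio(delta_db: float) -> float:
    """Linear power ratio for a change of delta_db decibels (+3 dB is about x2)."""
    return 10 ** (delta_db / 10)


def snr_db(rssi_dbm: float, noise_floor_dbm: float) -> float:
    """Signal-to-noise ratio in dB; subtracting two dBm values gives a power ratio in dB."""
    return rssi_dbm - noise_floor_dbm


def multipath_amplitude(phase_deg: float, amplitude: float = 1.0) -> float:
    """Peak amplitude of the main path plus one reflected path of equal amplitude
    arriving phase_deg degrees out of phase (simplifying assumption: no extra loss
    on the reflected path).  |A + A*e^(j*phi)| = 2A*|cos(phi/2)|, so 0 degrees
    doubles the signal, 90 degrees still adds a little, 180 degrees cancels it."""
    phi = math.radians(phase_deg)
    return abs(2 * amplitude * math.cos(phi / 2))


def channel_center_mhz(ch: int) -> int:
    """Center frequency of a 2.4 GHz channel: 1-13 are 5 MHz apart, 14 is special."""
    if ch == 14:
        return 2484
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    raise ValueError("2.4 GHz channels are 1-14")


def channels_overlap(a: int, b: int, width_mhz: int = 22) -> bool:
    """Two 22 MHz wide channels overlap when their centers are closer than the width."""
    return abs(channel_center_mhz(a) - channel_center_mhz(b)) < width_mhz


def non_overlapping_set(channels) -> bool:
    """True when no pair of channels in the set overlaps (the 1/6/11 property)."""
    chs = list(channels)
    return all(not channels_overlap(x, y)
               for i, x in enumerate(chs) for y in chs[i + 1:])


if __name__ == "__main__":
    print("-30 dBm =", dbm_to_mw(-30), "mW; +3 dB is x", round(db_change_ratio(3), 2))
    print("SNR for RSSI -65 dBm over a -90 dBm noise floor:", snr_db(-65, -90), "dB")
    for deg in (0, 90, 180):
        print(f"{deg:>3} degrees out of phase -> amplitude {multipath_amplitude(deg):.3f}")
    # The practice-question options: only one set has no overlapping pair.
    for option in ([1, 5, 10], [2, 6, 11], [1, 6, 11], [1, 7, 11]):
        print(option, "non-overlapping" if non_overlapping_set(option) else "overlaps")
```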
So what does that mean? It means that before each station transmits, it listens and waits to see if anybody else is transmitting first. It avoids a collision, because there's no way to detect a collision there. What actually ends up happening is it sends a request to send over to the recipient, and then, if the recipient thinks everything is okay, it'll send back a clear to send message to say, you are okay, you can send, go ahead and get your transmission across, and you have this much time to work with. It will go ahead and even say, in that frame, how much time the transmitting station has available to transmit in. That's how Wi-Fi fundamentally works: it allows for very small increments of time to be used by each station in the area that needs to transmit, and each station goes ahead and transmits in its increment of time. Great, now its turn is done and it needs to allow somebody else to transmit, and it will wait until there's an open space where it can go ahead and transmit. This is also why, in a very crowded area with a lot of different access points and SSIDs around you, you can get very degraded performance: your station is having to wait a long time before it's allowed to transmit.

So then let's go ahead and talk a little bit about the types of encryption used with Wi-Fi. The de facto encryption standard right now is WPA and WPA2, with WPA being deprecated a little bit because TKIP, the Temporal Key Integrity Protocol, uses RC4 as the encryption algorithm, and that has been found to be insecure, that has been cracked, so WPA2 is really the only way to go right now and the most secure way. WPA3 is on its way here and will be released soon as the new encryption standard, due to security concerns with WPA2. So WPA is a legacy protocol. It's no longer considered secure, and it was developed as a patch, in a sense, for WEP, Wired Equivalent Privacy. WEP was used, but it was susceptible to many different types of attacks, and WPA addresses many of those, but it is now considered no longer secure. The encryption in both of them uses the four-way handshake. Now, the four-way handshake: you might have to know this, and I would be aware of what it is, but you don't really need to know the specifics of how it works. They send a nonce, which is a randomly generated number, and they go ahead and derive a key to use between the two. The authenticator here is your wireless controller; this guy here is your wireless access point. We'll talk more about how that ends up working later in the course: your lightweight access points really rely on your controller to do many aspects of your wireless communication, and your traffic actually enters the enterprise network at the controller as opposed to the access point. We'll talk about that more later. So WPA2 uses AES, the Advanced Encryption Standard, and that uses the CCMP encryption algorithm, which is stronger than the RC4 encryption algorithm. It can be set up as PSK, that's pre-shared key, with WPA2 Personal, or to use 802.1X with WPA2 Enterprise. This would be something like RADIUS authentication to go ahead and have this integrate with your Active Directory, or whatever other directory mechanism you're using for user account management, to have your staff or clients authenticate onto the network. Thank you so much for joining us.

Now, just like the others, let's run through a couple of practice questions before we end off here. So, first: if the main and reflected wireless signals are received 180 degrees out of phase, what will happen to the received signal on the client device? Is it A, the signal will be amplified; B, the signal is degraded, but only a small amount; or C, the signal will be completely cancelled out? Real quick, just to remember, here we go ahead and take a look at our signal, going like that.
One more here; I can't really draw very well, but this would be 180 degrees out of phase, where we've got a peak here and a trough here. These are completely out of phase and will end up cancelling each other out. The answer is C. And finally: what are the three non-overlapping channels in the 2.4 gigahertz spectrum of 802.11? Is it A, 1, 5 and 10; B, 2, 6 and 11; C, 1, 6 and 11; or D, 1, 7 and 11? This is something you'll definitely need to remember. The answer is 1, 6 and 11; those are our non-overlapping channels in the 2.4 gigahertz spectrum. I hope this has been informative for you, and I'd like to thank you for viewing.

12. 1.10 Virtualization:

Virtualization fundamentals. When you look at the exam topics for the new CCNA, you'll notice that this particular topic feels a little out of place. Cisco is asking us to explain the fundamentals of virtualization, specifically as it pertains to virtual machines. Now, this isn't necessarily talking about network device virtualization and virtual machines in that respect, but just virtual machines in general; more specifically, virtual machines hosted on more generic hardware, which network devices can be virtualized on, and we'll talk a little about that a bit later here. But first, let's go ahead and talk about what a virtual machine really is and how it differs from our traditional architecture. So traditionally, you have these single physical machines running a single operating system. Generally these are single purpose: if you have your domain controller with your DNS services, and maybe your DHCP (maybe you might split that out as well), you're going to have that running on a single machine. So in the traditional architecture you would have a single physical box that would perform those services. This ends up giving you a lot of sprawl in larger organisations when you need many domain controllers and many DHCP servers, and you have separate machines for many different applications that your organization is running. You can only ever have one application on each machine, because you want to separate them out to limit the amount of conflict that they end up having with each other on the operating system. You end up with rows and rows of physical machines, and every time you need to spin up a new machine, you need to physically send someone out there to rack and stack a new physical device, set up a new operating system, and get that going. This also ends up meaning that the physical machines are often underutilized: when you only have a single purpose on your physical device, you might peak out your CPU at 10%, and that's it, maybe 30 when it's running updates. You end up really underutilizing your machines, and that does not look very good for the efficiency of your business or for the IT department. Now, in physical machines, of course, the OS has direct access to the machine hardware. The operating system is directly interacting with the processor and with the components on the motherboard. It is interacting with your memory, and the operating system is handling its own scheduling for that hardware. As far as the operating system is concerned, it has full access to the hardware available on that physical machine. Like I said, this does limit machines to a single purpose, because it limits the physical machine to a single purpose, because you can only have one operating system running concurrently on your machine, and that caused significant server sprawl with regards to the physical devices.

Now, step onto the stage: virtualization. With virtualization, you end up still having a single operating system that runs on your hardware, but this operating system is a hypervisor. What does a hypervisor do? A hypervisor will go ahead and present virtual hardware to a guest operating system.
Now, the operating systems that are running on our hypervisor, say each one of these little boxes here, right, each one of these is a Windows Server operating system, just to give an example; say Windows Server 2016 running on each of these, boom, here, here, here and here. As far as that Server 2016 is concerned, it's here at the OS layer. It thinks that it has this physical hardware available to it, and it goes ahead and schedules its memory, handles its processor tasks and schedules the processor, and does all of the operating system tasks as it normally would. But what it is interacting with is actually this virtualized hardware, this virtual machine that the hypervisor is presenting to it. So the hypervisor actually handles the scheduling and the resource management for the physical hardware, and takes the instructions from the virtual machines and schedules them out so that the physical hardware is able to react appropriately. Now this does allow for some pretty interesting things, right? For one, you can over-allocate these guys. You can make it so that these machines think that they're huge; the sum of the parts can be larger than the whole. But that does cause some problems, of course. Let's say that this physical machine has, I don't know, 32 gigabytes of memory, right, and for each of these six guys, you end up giving each of them 16 gigabytes of memory, because whatever application you're running on these guest operating systems throws an error saying you don't have enough memory when you have less than 16. So you go ahead and give each one 16, and that works, and that's fine.
But you can run into problems where, if they start, as a whole, taking up more than the physical 32 gigabytes of memory, well, you've run out of memory and you're trying to address space that's outside of your address range, and you could crash your hypervisor, crash your guest operating systems, or you could just suffer significant performance problems, depending on how your hypervisor is configured. So, as I said, the hypervisor presents the guest operating systems with virtualized hardware, with virtual machines. As far as this guest operating system is concerned, it has a full physical machine available to it. It has a certain amount of memory, it has a video card, it has a processor with X amount of cores that's capable of certain instruction sets. All of this is passed into the guest operating system, and the guest operating system is generally unaware that it is in a virtual machine, that it is on a hypervisor, so it just acts as it normally would. The hypervisor handles those instructions appropriately so that it can schedule them out so that it all works in unison. Now, this does significantly increase our utilization, right? You went from this physical hardware that can only run one single workload (in our traditional architecture, you have your application running on your one operating system that is running on your one physical machine), and then boom, now we have our one physical machine that can run many operating systems that are all individual computing areas. These are all separated from each other at the hypervisor; these act as totally separate physical machines. They cannot interact with each other at the level of the operating system; they are totally separate. They can't address each other's memory; they can't access each other's data at all unless you go ahead and configure it as such, and usually the way they can communicate with each other is through the network.
Through the network, right, is where maybe this guy right here is hosting a file share, maybe he's a file server, and maybe this guy right here is an application server that needs to access files on that file server. Then maybe it does it through the network, and in this case, through the network, it might be in the same VLAN, so that network connectivity might never leave this physical machine. That network traffic might go into our hypervisor and then just go straight over with our virtual networking that would be in the hypervisor. Now, the virtual networking in a hypervisor is not something we're going to cover in any detail at all here; Cisco is very specific about this particular topic, that we're just talking about virtual machines and nothing vendor-specific. I do list here VMware's ESXi hypervisor, but that's just an example. There are, of course, solutions from Citrix, and then also Hyper-V from Microsoft, and there are others as well that are open source and closed source. There are many options for hypervisors; you can do a little research and find one that would fit your needs appropriately.

Now, although this exam topic only talks about virtual machines, I do want to go over a little bit more about what virtualization in the network looks like. So, as far as network virtualization goes (and I've seen this question come up on Cisco exams before, which is why I want to mention this), some examples of network virtualization are: a virtual LAN, taking one physical switch and dicing it up into multiple virtual switches, basically; that's essentially what's going on. It's not literally that; there are other things that do this, like virtual device contexts on the Nexus and contexts on the Cisco ASA. But the virtual LAN is a type of virtualization.
Our virtual SAN, having a VLAN for our storage area network; a virtual routing and forwarding instance; a virtual private network, being able to encrypt our data and send it across some overlay network and get to it as if we are on that same LAN, being on a virtual private network; or virtual port channel. Virtual port channel is what allows multi-chassis EtherChannel to work. We'll talk about that a little more later with EtherChannel, and basically what that does is allow you to bundle multiple links together. So you've got a switch over here and a switch over here and you've got multiple links between them, and it allows you to bundle them so that you get increased bandwidth. Now, what virtual port channel does is it virtualizes this. So say, let's go ahead and erase this real quick, say you've got a switch here and a switch here and a switch here, and you've got two links going this way and two links going this way. This allows you to go ahead and bundle these so that they all look like one single link, one virtual link, to spanning tree, and give you multi-chassis EtherChannel. So that's really just network virtualization. As far as device virtualization goes, we just spent a little while talking about virtual machines, and that is in server hardware. Now, something I did want to mention briefly with virtual machines is that Cisco and other networking vendors do provide virtual machines of their appliances that work on generic hardware. You can get an ASAv, which is a virtual ASA that runs on generic hardware. You don't need your physical ASA to be able to have ASA services and provide those services to your data center. You can spin this up in the cloud if you want, in your Azure or your Google Cloud or your AWS, and be able to have your services provided by an ASA in that kind of environment without having a physical appliance there.
VSS is the virtual switching system that's in our Nexus switches and allows you to take multiple Nexus switches and have them act as a single logical switch, have them basically share a brain and have a single supervisor go ahead and control both of those switches. And we talked briefly about ASA device contexts. ASA contexts allow you to take a single physical ASA, right, if you actually have your physical appliance, your physical ASA, and chop it up into multiple virtual ASAs, so each one actually acts as its own separate ASA. And you can allocate resources to each one so that no one context can take up all of the CPU utilization, can take up all of your clock cycles available in your device, so one of them could just be getting hammered by some attack and it won't affect the rest of your physical device. And then virtual device contexts on the Nexus switch line also allow you to take your single Nexus switch and dice that up into virtual Nexus switches and actually create a full virtual machine, a full virtual Nexus switch that has its own ports assigned to it, its own hardware available to it to use, very much like a virtual machine. But it is specific to a Nexus, and same thing with an ASA device context, an ASA context: it's very much like a virtual machine, but it's a little different in the way Cisco handles that. Now, just like the other sections, let's go through a couple of practice questions before we finish off here. First, which of these is not a benefit of using virtual machines over physical machines? A, increased hardware utilization. And remember, this question said which of these is not a benefit. B, decreased administrative overhead. C, increased network bandwidth. Or D, increased efficiency? A, we do get increased hardware utilization, so that's good. B, decreased administrative overhead: I didn't say this explicitly, but this is true.
You have much easier management of your machines when you're able to manage your virtual machines as opposed to your physical machines, right? For your physical machines, you've got to either PowerShell into each of them, or remote desktop, or physically walk over there and go manage it. With your virtual machines, you can usually connect to your host, or you might have a single orchestration or management software (in VMware it might be vCenter) where you go ahead and connect to your vCenter and you manage multiple VM hosts, which each have their own virtual machines in them, and you're able to manage all of your machines from a single pane of glass, quickly and easily. It does have decreased administrative overhead. We did also touch briefly on the idea that spinning up a virtual machine as opposed to provisioning a new physical machine has its own advantages. You can create templates for your virtual machines and be able to automate a lot of that process, so there are a lot of administrative tasks that are reduced when you use virtualization instead of individual physical machines. So B, yes, is also a benefit. Now C, increased network bandwidth: this is only talking about virtual machines. It doesn't have any real bearing on our bandwidth available. So C is just not a benefit. And D, increased efficiency: because of your decreased overhead you end up getting increased efficiency, and with your increased hardware utilization you get better efficiency out of your available resources. So the answer here would be C; that is not a benefit of using virtual machines, increasing network bandwidth. Lastly: a virtual machine has direct access to the host machine hardware, true or false? This should be a pretty quick one, just to make sure that you're paying attention. The answer is false.
Although there are circumstances where you can provide your virtual machine access to your hardware, where you can provide it direct access and pass through your hardware to your virtual machine, in general, most generally, it does not have direct access to the host machine hardware. It is using virtual hardware, and the hypervisor is taking care of scheduling for that hardware and providing that to the guest operating system. Now, I hope that this has been informative for you, and I would like to thank you for viewing.

13. 2.1 VLAN fundamentals and configuration:

VLANs. Virtual LANs are really the first sign of virtualization that came to networking. You know, before virtual LANs you ended up having a whole switch as just one broadcast domain. So that meant that you had routers everywhere; if you had two computers connected to the same switch, those were in the same broadcast domain, so they were in the same subnet. A virtual LAN allowed you to carve up a switch such that different ports on that switch could exist in different broadcast domains. And now you could trunk those as well, but we'll talk about that in the next video. First, let's go ahead and just talk about the beginning here of the LAN, the local area network. So this was originally made up of just layer 2 switches, right? You had these ports here that are all in the red VLAN, that are all in the red subnet there. And then you had these ports on this switch that are all in the green subnet there, and then over on this guy on the right you had all these ports that are in the blue subnet over there, and you needed to have a router in between them here in order to split out and separate these broadcast domains on each side of it. This really made it such that you clumped your staff together. Say this is the accounting department over here, and this is the marketing department over here, and this is the IT
department over here, and you needed to have all of your IT computers connected to the IT switch and all of your accounting computers connected to the accounting switch and your marketing computers over here. And you had no freedom to just move one of these guys over here, because now he would be connected into an accounting switch and he would end up being on the accounting subnet. You couldn't intermingle this and just assign the port to be in a different subnet, because you had to go through the router. That whole switch was an accounting switch, this whole switch was a marketing switch, and this whole switch was an IT switch, and you couldn't get around that; these were just one broadcast domain. So step onto the stage the virtual LAN. The VLAN allows us to take this one switch and split it up into multiple broadcast domains. It kind of splits it up into multiple logical switches. Now, this isn't like the virtual device contexts on a Nexus switch, where it actually is its own routing table and things like that; this just allows you to take, you know, so you have a couple of ports here that are in the red subnet, and then, let me get my other color here, you also have a couple of ports here that are in your green subnet, and then if we go over here, you've also got a couple of ports that are in your blue subnet, and those could all be intermingled on the same switch here. Because now you can separate out different ports into a different broadcast domain, so that when a red broadcast comes through here, it's only going to go out the red ports, and if a green broadcast were to come in, it will only go out the green ports, and so on and so forth. This made it so now you really have a VLAN for your department: you have an accounting VLAN and a marketing VLAN.
And if you want to move a computer here from this switch over to this switch over here, great, you could just pop him onto a port and put that port into whatever VLAN you needed that computer to be part of, and there you go. It allowed for a lot more freedom for you to be able to situate your office however you wanted. And honestly, it simplifies things a lot more as well, in my opinion: rather than having a whole physical device dedicated to one subnet, you can split it out, and it allows for a lot more freedom here, and it makes more logical sense, in my opinion. So let's talk about the ranges of VLANs that you can have on Cisco devices. There are 4096 VLANs that you can use, zero through 4095. There are a few reserved ones. VLAN 1 is the default VLAN that you cannot delete on Cisco devices. VLANs 1002 to 1005 are also defaults for older technologies, for FDDI and Token Ring. You cannot delete these; you can use them, but you can't delete them, they're reserved. The standard range for VLANs is VLAN 2 through 1001. Now, the reason why this is the standard range is because this is what's propagated with VTP. VTP is the VLAN Trunking Protocol. The exam topics don't actually mention VTP at all, but I would like to just briefly let you know what this is. Say you've got your switch here, right, and you've got VLANs 5, 7, 10, 20, 36 and 40, great. And you've got another switch here, right, and he's connected, and you've got another switch here and here and they're connected, and these are connected, and you've got another switch over here and he goes down to a switch over here and a switch over here and connects over to a switch over here, and there you go. And let's say maybe they're connected here. Great. Now you have these VLANs and you want to go ahead and get them on all of these switches.
Well, I mean, it's going to be a little bit of administrative overhead to jump into each one of these individual switches here and configure VLANs 5, 7, 10, 20, 36 and 40. And to go into each one of these, and then say now you got spiffy and you want to go ahead and add VLAN 50 on there, great, now you need to jump into every one of these switches and add VLAN 50 onto there. VTP is a protocol that allows for these switches to all communicate that information, so they can go ahead and talk, and as long as they're in the same VTP domain and the authentication information is right, depending on the version of VTP, then this set of VLANs will go ahead and propagate out and just show up on all of these switches. Now, mind you, there won't be any port configurations. If you need any ports inside of these VLANs, that configuration won't actually propagate through at all. But these inter-switch links should be trunks, and we'll talk more about that in the next video. This should all be trunks, and members of all VLANs by default, so you'll have layer 2 connectivity end to end here, from end to end through all of these inter-switch links, automatically, by just adding this VLAN onto your VTP server. One of your switches will act as a VTP server, so when you make changes to that one, those changes are propagated out towards all the others, and that's how VTP works. Now, we're not going to go into more detail about that here because, like I said, the exam topics don't mention VTP at all. So you don't really need to know this, or at least you shouldn't. I just want to let you know how VTP works in case you ever run into it, so you know what it is. So these are the VLAN ranges. I would make a point to know that 1002 through 1005 is a reserved range, VLAN 1 is your default VLAN that you cannot delete, and that you can have 4096 total VLANs from 0 to 4095.
Those two, 0 and 4095, are reserved as well. I would know these things for the exam, and make sure you commit this to memory. So let's go ahead and jump on over to the lab for a little bit here. Let's open up GNS3 and take a look at our topology. We've got PC1, Switch 1 and 2, and PC2 over here on this side. On PC1 I've already gone ahead and configured the IP address 10.1.2.1/24 on the FastEthernet 0/0 interface, and on PC2 I've also configured 10.1.2.2/24 on the Ethernet 0/0 interface. I haven't done any real configuration to Switch 1 or 2. What we want to do here is go ahead and take VLAN 50 and create that on Switch 1 and Switch 2, and put Ethernet 0/0 on each of these switches in VLAN 50, so that PC1 and PC2 are in the same broadcast domain, right? So let's go ahead and do that. First I'm going to jump over to PC1 and just show the configuration we have, and then let's jump on over to Switch 1 and 2 and get that going. So first, over on PC1 here, if we do a show ip interface brief, we see that we do have our FastEthernet 0/0 with 10.1.2.1 and that it is up, so I've done a no shut on this interface. Then let's go ahead and jump on over to Switch 1 first. First off here, the command for seeing what VLANs you have is show vlan. This shows your VLANs up here, what ports are access ports in that VLAN, the VLAN number, the name of that VLAN and the current status of that VLAN. Now, there is also a bunch of information down here with your MTU for the VLAN and your ring number for Token Ring and things like that. We don't really need this information here, so if you just don't want to display that you can do show vlan brief, and it'll just show us the VLAN numbers, names, your ports and the status. So VLAN 1: our Ethernet 0/0 is an access port in VLAN 1 right now.
So we want to go ahead and put that into VLAN 50. So we go conf t, interface Ethernet 0/0, and then let's do switchport access vlan 50. Now, we didn't create this VLAN yet, but the switch is going to be nice enough to go ahead and create it for us. It's saying that this VLAN that you tried to put this port into doesn't exist, but you want to put a port in it, great, I'm going to go ahead and just create it for you. Awesome. So now if we do a do show vlan brief, we see we've got our VLAN 50 here; it just gives us a default name of VLAN0050, and we now have our Ethernet 0/0 inside of that VLAN. Awesome. So let's jump on over to Switch 2 here, and on Switch 2 we do the same thing, show vlan brief. We've got our VLAN 1, all of our ports are in VLAN 1, and we've got our default VLANs there as well. So let's go conf t, and here let's go ahead and create the VLAN: we go vlan 50, and that's how you create a VLAN, you do vlan and the number of the VLAN, and that creates that VLAN on the switch. Here you can also specify the name you want to call it, say the Accounting VLAN: name Accounting. And then if we do a do show vlan brief, we've got 50 as our Accounting VLAN now. Interestingly enough, I've found that if you set the name and you do not exit first, it hasn't shown up here. That's hit or miss, depending on what switch you're on. Sometimes it takes effect immediately; other times you have to do exit to exit out of VLAN configuration mode before you'll end up seeing the name actually change here. So now that we have VLAN 50 there, let's go to interface Ethernet 0/0 and do switchport access vlan 50. Let's go end, show vlan brief. Great, we've got Ethernet 0/0 here, and we also have Ethernet 0/0 over on Switch 1 in VLAN 50 as well. Let's jump on over to PC1 and see if we can ping PC2 right now. So if we go ping 10.1.2.2... now, it's pretty usual.
You know, maybe the ports are going through some configuration changes, so we should maybe just do this one more time and make sure that it is not going to go through for us. And it is not. Interesting. So the sharp among you might have noticed what we have here: our Ethernet 0/0 on each of these switches is in VLAN 50; however, that broadcast domain is not extended between the switches. I did go through and I configured switchport nonegotiate, or configured this interface on each side as an access port, so we do not have a trunk between them. We'll talk about what trunking is in the next video, when we go over our 802.1Q fundamentals and how frame tagging works to be able to do inter-switch communication and trunking of VLANs between switches. But this interface here is just an access port; it's still in VLAN 1. So when we send our ARP out from PC1 over to PC2, when we send our ARP out to say, hey 10.1.2.2, what's your MAC address, it's never getting over there. It's a broadcast, right? So we broadcast it out in VLAN 50, and this Ethernet 0/0 is the only interface that's in VLAN 50. So what does a switch do when it receives a broadcast? It sends it out all ports that are in that broadcast domain, except for the port that it came in on. Right? So there are no other ports on Switch 1 that are in the VLAN 50 broadcast domain. Since it came in on Ethernet 0/0, that frame just comes in and dies and does nothing else. So we need to go ahead and put Ethernet 0/1 on Switch 1 and Switch 2 into VLAN 50, and hopefully that will resolve our connectivity problem here. So let's go ahead and take care of that real quick. Over on Switch 1, let's just go to interface Ethernet 0/1, and that is something: from interface configuration mode, and some other configuration modes,
you can just jump directly into another interface without having to exit out of interface configuration mode first and then into your interface. Just a little IOS tip there. So here we're going to go switchport access vlan 50. And then now let's go ahead and do that on the other side as well. On Switch 2, interface Ethernet 0/1, switchport access vlan 50. Now you notice here that it did give us a native VLAN mismatch with our CDP. CDP was exchanged between the two switches, right, and when I had one of the ports in VLAN 50 and the other in VLAN 1, we did get a syslog message here saying that there was a native VLAN mismatch discovered. Although you were getting connectivity, because it is untagged traffic, it was coming in onto the wrong VLAN, and CDP was exchanging and letting each switch know what VLAN their ports were inside of. So now that we've gone ahead and set those inter-switch links here, the Ethernet 0/1 in VLAN 50, let's see if we're able to ping between PC1 and PC2. So if we go ping 10.1.2.2... boom, works without a problem. We are indeed able to ping between the two now, because we do have end-to-end connectivity in the same broadcast domain, as all of these ports are now in the same VLAN. Awesome. Now, just like the other sections, let's go ahead and run through a few practice questions before we end off here today. First up: what is the default VLAN that all ports are a member of on a switch? This should be one that you have ready right off the back of your hand, and that is VLAN 1. VLAN 1 is the default VLAN that all ports on a switch are a member of when you take it out of the box. And secondly, what is the command to set a switchport as an access port in VLAN 20? A, port access 20; B, vlan 20; C, switchport access vlan 20; or D, access vlan 20. And this is at interface configuration mode. The answer here is C, switchport access vlan 20.
I hope this has been informative for you, and I would like to thank you for viewing.

14. 2.2 dot1Q fundamentals and configuration:

802.1Q fundamentals and configuration. Now that we understand how different VLANs on one switch segregate out a broadcast domain, we need to be able to allow that VLAN to traverse multiple switches, such that VLAN 50 on my current switch can talk to VLAN 50 on an adjacent switch. If I have my accounting PC on Switch 1 and another accounting PC on Switch 2, I need those to talk. But then also a marketing PC on a marketing VLAN, one on Switch 1 and the other on Switch 2, I need to allow those to talk as well. So in order to do that, we need a method of tagging our traffic in that inter-switch communication, that inter-switch link, such that we can differentiate which traffic belongs to which VLAN. So let's just start back up here with the VLAN. In this picture we have over here the green VLAN and the purple VLAN, which are our accounting and our marketing. When accounting wants to talk to the other accounting computer, the port here on Switch 1 is in the green VLAN, and this port here connecting Switch 1 and Switch 2 is what's called a trunk, and it uses either 802.1Q or ISL as a standard for tagging, within the header of that traffic, which VLAN, the purple or the green here, that traffic is a member of. Such that when accounting sends out an ARP for the MAC address of the accounting 2 PC's IP, since it comes in on a green port, it goes out this trunk tagged as green, and then when Switch 2 receives that broadcast on the green VLAN, tagged as green, it sends it out all of its green ports. And same thing with the purple: it comes across tagged as purple and then goes out all of the purple ports, but not any of the greens.
So this VLAN virtualizes switches into multiple logical LANs, and we needed a standard for this inter-switch communication. That's where ISL and 802.1Q came into play. ISL was Cisco's proprietary method of tagging your VLANs in your inter-switch communication, and ISL, by the way, stands for Inter-Switch Link. It had a lot of problems with not being very efficient and having a much larger header. It's also legacy and not used anymore. You won't even have the option to use ISL as the encapsulation method on your newer switches; they will only do 802.1Q. However, on your older switches you do need to go in and specify that you want your encapsulation to be 802.1Q, because when we use DTP, Dynamic Trunking Protocol, some of these older switches will negotiate to ISL encapsulation by default, and we actually need to manually go in and change that. So let's talk about the 802.1Q tag. Since the exam topics only include 802.1Q, that's really all I'm going to go into deeply here. The 802.1Q VLAN tag is a four-byte header field that's in our layer 2 header, and it fits between our source address and our type and length, our TLVs, in our layer 2 header there. The VLAN ID portion of that tag is 12 bits long. The standard range fits in 10 bits, 1024 values, and the 4096 comes with the two additional bits. This standard, of course, is defined in IEEE 802.1Q; that is what defines our header here. Now, trunking refers to a switch port that is configured to transmit and receive 802.1Q tagged frames. By default on Cisco switches, a trunk is a member of all VLANs. It will accept all VLANs, and it will transmit all VLANs, such that when you have a switch here, right, and you've got a host coming off here that's in the red VLAN, and you've got an inter-switch link here that is a trunk, by default
any broadcast sent from here will also go out the trunk, and same thing if we had a different VLAN over here, say the green VLAN, and you've got your computer over here: when he sends a broadcast, the green will also go out our trunk. Now, Dynamic Trunking Protocol, I mentioned that very briefly. This is what allows a port to become a trunk automatically, when it can negotiate and detect that the other side of the link here is also a switch that has the ability to be a trunk. It sends out these frames saying, I want to be a trunk, I want to be a trunk, and it tries to negotiate trunking. Now, it is considered best practice to turn off DTP anywhere and everywhere, and only use static trunking: do switchport mode trunk. You might have to do switchport nonegotiate in order to disable DTP. It poses a security hazard on your interfaces that are facing your hosts, so your clients out there in the office, Bob's computer, is actually receiving these DTP negotiation frames, and with some clever software you can go ahead and negotiate a trunk with the switch and be able to receive traffic to your machine that is not intended for it and is outside of the VLAN that you should be part of as an access port, because once you've negotiated a trunk, by default you are a member of all VLANs. Now, the first command here: I did mention that we need to go ahead and manually specify our encapsulation as 802.1Q. When you have the option of 802.1Q or ISL, you do need to specify one or the other before it'll allow you to go ahead and statically set the port mode as trunk. And this is only on switches that support ISL, though, which has been phased out, so you'll only see 802.1Q, of course. Like I said, that's not on the exam, but I wanted to make you aware that on some of these older switches you're going to run into, you will have to specify your switch
port trunk encapsulation dot1q. So with 802.1Q, it goes ahead and tags all of your VLANs, right, from 0 to 4095; it has that little item here, the VLAN ID, where this traffic, this frame, is part of this VLAN. Now, to save on our overhead here, we have the ability to send certain traffic untagged, which just does not have our 802.1Q VLAN tag at all, and that traffic must be defined to be in a VLAN, and that is called our native VLAN. Any untagged traffic is considered to be part of the native VLAN. Now, this is a configurable item: you can do switchport trunk native vlan to define which VLAN ID the traffic is considered to be part of when it's received untagged, and which VLAN ID's traffic will be sent across the trunk untagged. This reduces overhead. If you have five VLANs and approximately the same amount of traffic on each, then you have 20% less overhead, because one of these doesn't need that four-byte tag added into every single frame header. The native VLAN must match on each side of the trunk in order to function properly. It is possible to have mismatched native VLANs and to get things to work, but then that's how you get your VLANs intermingled and you end up with multiple subnets on the same broadcast domain, which just doesn't work and doesn't end well. So I want to go ahead and jump into a lab here and show you what the VLAN tag looks like in a Wireshark capture. Let me just go ahead and bring up GNS3. We have our Accounting PC 1 and 2 here and our Marketing PC 1 and 2 here. The accounting PCs are in the accounting VLAN, VLAN 30, and marketing is VLAN 50. I haven't done any configuration to these switches yet. I haven't even put the ports as access ports into their respective VLANs, and the actual VLANs themselves are not configured on the switches
yet. However, I have put the IP addresses on each of these PCs here, which really are just routers that I'm using to represent PCs, so we don't need to do any configuration there right now. So let's go ahead and hop into our switches, configure our access ports here and our trunk, and do that on both Switch 1 and 2. Our trunk on each of them will be Ethernet 0/1, our VLAN 50 will be Ethernet 0/0 on each, and VLAN 30 will be Ethernet 0/2 on each. So first, let's go ahead and jump on over to Switch 1, and just to show here, we do show vlan brief: we have VLAN 1, our default VLAN, and all of our ports are members of VLAN 1 as access ports. So let's go ahead and configure our VLANs first. Here we'll go conf t, vlan 50. And just to make sure here, VLAN 50 was our marketing VLAN, VLAN 30 is our accounting VLAN. I'll go name Marketing, and vlan 30, name Accounting. And then let's go to Ethernet 0/0. It looks like, actually, Ethernet 0/1 is a trunk already here. If we take a look here, it is excluded from the list, and this is something that you might want to get used to: the idea that when an interface is not showing up as part of a VLAN here in the show vlan output, it generally means it's a trunk. Only access ports in these VLANs show up here, and the command for showing those is show interface trunk, and that shows us that Ethernet 0/1 is encapsulated ISL right now, because it auto-negotiated as ISL on each side, since in GNS3 we're emulating an old switch here and they still support ISL. We see our native VLAN is 1. Now, ISL does still tag its native VLAN, but we'll go ahead and reconfigure this here for 802.1Q momentarily. Interface Ethernet 0/1, let's go ahead and do switchport trunk encapsulation dot1q. Now, just to show you here, our options are negotiate, isl and dot1q. So our DTP would be negotiate.
We can go ahead and just do dot1q, since we're going to set this as switchport mode trunk, and by default our trunks are members of all VLANs. So just to check back here, we need Ethernet 0/0 in VLAN 50 and 0/2 in VLAN 30. So go interface Ethernet 0/0, switchport access vlan 50; go interface Ethernet 0/2, switchport access vlan 30. Oh, and I just need to make sure: switchport mode access. Let's do that on Ethernet 0/0 as well, switchport mode access. Excellent. Now, if you go ahead and do a show interface trunk, we'll see that we have encapsulation of 802.1Q and that it is trunking because it is in trunk mode "on" rather than negotiating here. Now let's jump on over to Switch 2 and we'll do the same configuration here. conf t, vlan 50, name Marketing; vlan 30, name Accounting. Let me make sure I got those correct here: marketing is 50, accounting is 30. Let's go exit, interface Ethernet 0/0, switchport trunk encapsulation dot1q, switchport mode trunk. Let's go ahead and do exit, interface Ethernet 0/1. Oh, I just did the wrong interface here, didn't I? Yes, I did. 0/1 needs to be our trunk; 0/0 is an access port. Let's go ahead and go back into Ethernet 0/0 here, and this is what the no form is made for: no switchport trunk encapsulation dot1q, no switchport mode trunk, switchport mode access, switchport access vlan 50. That's Ethernet 0/0. Interface Ethernet 0/1: switchport trunk encapsulation dot1q, switchport mode trunk. Exit, go to Ethernet 0/2: switchport mode access, switchport access vlan 30. We'll go end. Excellent. So now we've got this all configured here. Let's go ahead and take a look at what our tagged traffic will look like. We just start a capture here between Switch 1 and Switch 2, there we go. We don't need an update. Got some spanning tree traffic.
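To make the native VLAN mismatch from the first lab and the DTP best practice above something you can check rather than just notice in a syslog line, here is an added Python example (my own code, not from the course or from Cisco) that parses constructed IOS-style running-config excerpts for two switches and flags ports where DTP is still enabled, access ports left in VLAN 1, and a native VLAN mismatch across a cabled trunk. The switch names, the interface layout and the single link in LINKS are assumptions made for the example; IOS defaults (dynamic mode, VLAN 1) are used for anything the config leaves unstated.

```python
"""Audit constructed IOS-style switchport configs for the trunking hazards
discussed above: DTP left enabled, access ports left in VLAN 1, and a
native VLAN mismatch across a trunk link.  Added example; the configs are
constructed, not taken from a real device."""
import re

# Constructed running-config excerpts.  Assumed topology: Ethernet0/1 on
# SW1 is cabled to Ethernet0/1 on SW2 (the LINKS table below).
SW1_CONFIG = """
interface Ethernet0/0
 switchport mode access
 switchport access vlan 50
interface Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
interface Ethernet0/2
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
"""

SW2_CONFIG = """
interface Ethernet0/0
 switchport mode access
 switchport access vlan 50
 switchport nonegotiate
interface Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
interface Ethernet0/3
 switchport mode access
"""

# (switch, interface, switch, interface) pairs that are physically cabled.
LINKS = [("SW1", "Ethernet0/1", "SW2", "Ethernet0/1")]


def parse_interfaces(config):
    """Map interface name -> switchport settings, using IOS defaults for
    anything not stated: mode dynamic (DTP on), access VLAN 1, native VLAN 1."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"interface (\S+)$", line)
        if match:
            current = {"mode": "dynamic", "access_vlan": 1,
                       "native_vlan": 1, "nonegotiate": False}
            interfaces[match.group(1)] = current
        elif current is None or not line:
            continue
        elif line.startswith("switchport mode "):
            current["mode"] = line.split()[-1]
        elif line.startswith("switchport access vlan "):
            current["access_vlan"] = int(line.split()[-1])
        elif line.startswith("switchport trunk native vlan "):
            current["native_vlan"] = int(line.split()[-1])
        elif line == "switchport nonegotiate":
            current["nonegotiate"] = True
    return interfaces


def audit(switches, links):
    """Return a list of human-readable findings for the given switches."""
    findings = []
    for sw, ifaces in switches.items():
        for name, cfg in ifaces.items():
            if cfg["mode"] == "dynamic":
                findings.append(f"{sw} {name}: no static mode, DTP will negotiate")
            elif not cfg["nonegotiate"]:
                findings.append(f"{sw} {name}: DTP still enabled, add 'switchport nonegotiate'")
            if cfg["mode"] == "access" and cfg["access_vlan"] == 1:
                findings.append(f"{sw} {name}: access port left in default VLAN 1")
    for sw_a, if_a, sw_b, if_b in links:
        a, b = switches[sw_a][if_a], switches[sw_b][if_b]
        if a["mode"] == "trunk" and b["mode"] == "trunk" \
                and a["native_vlan"] != b["native_vlan"]:
            findings.append(
                f"native VLAN mismatch on {sw_a} {if_a} ({a['native_vlan']}) "
                f"<-> {sw_b} {if_b} ({b['native_vlan']})")
    return findings


def run_audit():
    """Parse both constructed configs and audit them against LINKS."""
    switches = {"SW1": parse_interfaces(SW1_CONFIG),
                "SW2": parse_interfaces(SW2_CONFIG)}
    return audit(switches, LINKS)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On the constructed configs this reports SW1 Ethernet0/0 and SW2 Ethernet0/3 as still negotiating DTP, Ethernet0/3 as sitting in VLAN 1, and the 99-versus-1 native VLAN mismatch on the inter-switch link; on real equipment the same checks would be run over the output of show running-config, and the syslog native VLAN mismatch message CDP raises is the live confirmation of the last finding.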
Now let's run a ping between our accounting PCs here, 10.1.30.1 and 10.1.30.2. So if we jump over to accounting PC 1, just go enable, then ping 10.1.30.2. It's very normal to miss the first one while it waits for the ARP reply. Now let's jump back over to our Wireshark here and stop it so we can scroll up and take a look. Remember, this is in between our two switches on Ethernet 0/1. If we take a look at our traffic, our broadcast here, and open up the Ethernet frame, our type is 802.1Q and our VLAN ID is 30. Our traffic from 10.1.30.1 came in on Ethernet 0/2, which is part of VLAN 30, and then went out our trunk. It was a broadcast, right? So it went out our trunk, tagged, such that when switch 2 receives it and knows it's part of VLAN 30, it only sends that broadcast out VLAN 30 interfaces, which was Ethernet 0/2. So we have here our tag, our 802.1Q header field, saying the VLAN ID is 30, and then we end up getting our reply back on that. Our unicast packets as well, the echo and echo reply for our ping from 10.1.30.1 to 10.1.30.2: it's the same thing, tagged as VLAN 30. Now, just briefly to drive this home, let's go to marketing PC 1 and ping marketing PC 2. Something I want to do here as well that I think will be fun is to briefly start a capture on this interface here too, just to show that the broadcast does not show up there. When we do this capture, let's go over to our marketing PC 1 and ping marketing PC 2. Very normal to miss our first one again. And if we jump back over here to our capture, it looks like Wireshark did not actually decide to capture our traffic here; I made it a little angry and it decided to stop. It is not showing any kind of capture anymore.
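The tag you would see in that capture can be taken apart in code. The following is an added example, not part of the course or its lab, written in Python: it builds a frame with a 4-byte 802.1Q tag, decodes the TPID, PCP, DEI and the 12-bit VLAN ID, and collects the VLAN IDs seen on a link, which is the quick test for whether you are looking at a trunk. The MAC addresses and payloads are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100                 # EtherType value that announces a 4-byte 802.1Q tag
VLAN_ID_BITS = 12                   # the VID field is 12 bits wide ...
MAX_VLAN_IDS = 1 << VLAN_ID_BITS    # ... so 4096 possible values (0 and 4095 are reserved)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_tagged_frame(dst: bytes, src: bytes, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """Build an Ethernet II frame carrying one 802.1Q tag.

    The tag is the TPID (0x8100) followed by the 16-bit TCI:
    3 bits PCP (priority), 1 bit DEI, 12 bits VID.
    """
    if not 0 <= vid < MAX_VLAN_IDS:
        raise ValueError(f"VLAN ID must fit in {VLAN_ID_BITS} bits")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode dst/src MAC, an optional 802.1Q tag, and the EtherType of a raw frame."""
    if len(frame) < 14:
        raise ValueError("too short for an Ethernet header")
    info = {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]),
            "tagged": False, "vid": None, "pcp": None, "dei": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def vlans_seen(frames) -> set:
    """VIDs observed across captured frames; tags at all, let alone several
    different VIDs, tell you the link you are capturing on is a trunk."""
    seen = set()
    for f in frames:
        parsed = parse_frame(f)
        if parsed["tagged"]:
            seen.add(parsed["vid"])
    return seen


# Constructed sample traffic (not from the lesson's capture): an accounting-VLAN
# broadcast and a marketing-VLAN unicast as they would cross the Ethernet 0/1 trunk.
BROADCAST = b"\xff" * 6
PC_ACCT1 = bytes.fromhex("0050790000a1")   # constructed MAC addresses
PC_MKT1 = bytes.fromhex("0050790000b1")
PC_MKT2 = bytes.fromhex("0050790000b2")
SAMPLE_FRAMES = [
    build_tagged_frame(BROADCAST, PC_ACCT1, vid=30, ethertype=0x0806, payload=b"\x00" * 28),   # ARP request
    build_tagged_frame(PC_MKT2, PC_MKT1, vid=50, ethertype=0x0800, payload=b"\x45" + b"\x00" * 27),  # IPv4
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        p = parse_frame(f)
        print(f"{p['src']} -> {p['dst']} tagged={p['tagged']} vid={p['vid']} "
              f"ethertype=0x{p['ethertype']:04x}")
    print("VLANs on this link:", sorted(vlans_seen(SAMPLE_FRAMES)))
```

Run on a real capture you would feed parse_frame the raw bytes of each frame; the untagged path is handled too, so frames from an access port simply come back with tagged set to False.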
You'll just have to take my word for it that you did see the 802.1Q tag here, and this is what you would end up seeing if you capture some traffic: if you see traffic like this, you know you're looking at a trunk. If you set a trunk as a SPAN port, a Switched Port Analyzer port, you can take that traffic and duplicate it out another port, have it mirror that, so that you can, for example, feed an IDS, an intrusion detection system, to take in all of that traffic and find malicious or unusual traffic. It will all be tagged with your VLAN as well, so you can separate out that traffic. Now, just like the other sections, let's go through a couple of practice questions before we end off here. First up: what is the name of the protocol used to negotiate trunking on a switch port? Is it VLAN Trunking Protocol (VTP), is it Link Aggregation Control Protocol (LACP), is it Dynamic Trunking Protocol (DTP), or is it Extensible Authentication Protocol (EAP)? You should know by now that it is C, Dynamic Trunking Protocol, DTP, which allows two switch ports that are directly connected to negotiate themselves into a trunk rather than just being access ports: to know that each other is a trunk and to start sending tagged traffic with the appropriate encapsulation. Next: how many bits are available for representing a VLAN ID in an 802.1Q tag? You might recall that the 802.1Q tag is four bytes, and within that four-byte field we have 12 bits available for our actual VLAN ID, making up 4096 possible combinations. So our answer is C, 12. Now, I hope this has been informative for you, and I would like to thank you for viewing.

15. 2.3 Layer 2 Discovery Protocols

Layer 2 discovery protocols: CDP and LLDP. From a very practical perspective, the Layer 2 discovery protocols have been invaluable to me.
As a network engineer, there are a lot of times, depending on what kind of position you have, where you will come into a situation where you don't know what the topology is. You don't know what devices are there. You may suspect or have some basic information, but you may not have a detailed and up-to-date network diagram to know what it is you're actually coming across, and you may need to do some investigative work to find out what is directly connected to the devices you own and work out the topology. And you could do that a few ways, right? You could do a show mac address-table, etcetera, and see a MAC address and the port that MAC address is connected on. If you have a lot of MAC addresses coming in over the same port, you might have a switch over there or something like that, and be able to work out where your devices are connected. But that is very tedious, doesn't really provide you a whole lot of information, and may not give you what you need to connect to your adjacent devices. This is where your Layer 2 discovery protocols really come in: they give you a lot of information about your directly connected devices when these protocols are actually running. So let's first jump into CDP. CDP is Cisco Discovery Protocol. It is a proprietary discovery protocol by Cisco.
CDP came out first, and LLDP followed suit a little while later. Cisco, being the innovative company that they are, thought it would be a really great idea to be able to identify directly connected Cisco devices and see what they are: what kind of device, what software they're running, what interface you're connected on, what IP address you could connect to in order to manage that device, etcetera. It provides that information on, and to, directly connected Cisco devices. Now, there was another vendor out there, HP at least, that did support CDP for a little while, but I don't believe they do anymore in their devices. CDP, I believe, is only a Cisco device protocol. Now, it advertises this information using a Layer 2 multicast address, and this is that address here: 01:00:0C:CC:CC:CC. It's a multicast Layer 2 frame that is sent out, although it's only intended to go to one connected device. If you're running a hub, you may see multiple CDP neighbors or frames coming in on one interface. Its default advertising interval is 60 seconds, with a default hold time of three times that, 180 seconds. Now, what does that mean? Let's say you have switch 1 here and switch 2 here, and they are connected. As soon as these interfaces come up, they will send a CDP frame to each other so that they discover each other and know that they're there. As soon as that is sent out, it will not send another one for another 60 seconds. So one minute later is when it will send out another CDP frame, an advertisement, so that they know each other is alive. Now, where the hold time comes into play: let's say this interface stays up, but switch 1 crashes, and this physical interface is still up.
It may even still be switching traffic; you might have another interface over here and it may still be forwarding traffic over it, because the ASIC, the application-specific integrated circuit that does the switching, is still functioning at that level. But things like spanning tree or your routing protocols, the things that require the CPU, are not actually running anymore because this guy's software has crashed, so it won't be running CDP anymore or sending those frames, because that is a software process. After 180 seconds, three minutes, where switch 1 has not sent a CDP frame to switch 2, then switch 2, which has the neighbor in its table here along with the information about that neighbor and so on, will remove switch 1 from that table after 180 seconds of not seeing that frame come across, even though this interface is still active and nothing has changed there. That may be a reason why a device disappears from your CDP neighbors while the interface is still up: a circumstance like that. Now, the actual information that is shared across to show cdp neighbors does vary by device and IOS version. As time has gone on, Cisco has updated CDP and allowed it to include more information, and a lot of that comes from its TLV format. You've got a header and then these TLV fields, type-length-value, where the type tells you the type of information that's listed here, and that's a two-byte piece; then your length, and that's a two-byte piece, where the length is the total length of your TLV field; and then your value, which carries your data of that type. The whole thing here is of that full length, so that they can add as many of these as they see fit. It is very extensible.
And because of that, as software revisions have occurred, they've included and removed some information here and there and been able to really customize this as they see fit. A lot of that comes from the fact that CDP is a Cisco proprietary protocol: Cisco is under full control of it, and Cisco can choose to add or remove information without going through the industry standard regulatory process that would be needed to change an industry standard. So, a little more information about CDP and what kind of information you see: in order to get our information, you do show cdp neighbors. Actually, before I get to that, I wanted to tell you how to enable CDP globally and on an individual interface. On Cisco devices, by default, CDP should be running. But in some circumstances you do want to turn off CDP, and that command is no cdp run, which is a global configuration command. No cdp run is the global command to disable CDP, and similarly, to re-enable it globally you do cdp run. Now, on an individual interface, in interface configuration mode, to enable or disable CDP on that one particular interface you do cdp enable or no cdp enable. That's how you enable or disable CDP on one individual interface, and cdp run is how you do it globally. That's something to remember that I believe may be on the exam: they might reference how to disable it on an individual interface, and it's good to know that it is not the same command. The interface command is enable; the global command is run. So when you do a show cdp neighbors, it spits out this table. You've got your Device ID; this is going to be the configured hostname on the remote device, on your neighbors. The Local Interface is the interface on our end. So, for example, here:
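To make the TLV format and the hold-time behaviour concrete, here is an added Python example (not from the course): it encodes and parses the CDP payload that follows the SNAP header, decodes the capability bits into the letters of the show cdp neighbors legend, and keeps a neighbour table that ages entries out after the advertised hold time, which is what makes a crashed neighbour vanish from the table three minutes later while the interface stays up. The neighbour named SW1, its platform string and version string are constructed, and the checksum is left at zero.

```python
import struct
from dataclasses import dataclass, field

CDP_MULTICAST_MAC = "01:00:0c:cc:cc:cc"   # destination of every CDP frame

# TLV type codes behind the columns of show cdp neighbors / show cdp entry
TLV_DEVICE_ID = 0x0001
TLV_ADDRESS = 0x0002
TLV_PORT_ID = 0x0003
TLV_CAPABILITIES = 0x0004
TLV_SOFTWARE_VERSION = 0x0005
TLV_PLATFORM = 0x0006
TLV_DUPLEX = 0x000B

# Capability bits -> legend letters as printed by show cdp neighbors
CAPABILITY_CODES = [(0x01, "R"), (0x02, "T"), (0x04, "B"), (0x08, "S"),
                    (0x10, "H"), (0x20, "I"), (0x40, "r"), (0x80, "P")]


def tlv(tlv_type: int, value: bytes) -> bytes:
    """One CDP TLV: 2-byte type, 2-byte length that counts the 4-byte header, then the value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_payload(device_id, port_id, caps, version, platform,
                      holdtime=180, duplex_full=True) -> bytes:
    """CDP payload (what follows the SNAP header): version, hold time, checksum, TLVs.
    The checksum is left at 0 in this constructed sample; a real sender fills it in."""
    header = struct.pack("!BBH", 2, holdtime, 0)
    return (header
            + tlv(TLV_DEVICE_ID, device_id.encode())
            + tlv(TLV_PORT_ID, port_id.encode())
            + tlv(TLV_CAPABILITIES, struct.pack("!I", caps))
            + tlv(TLV_SOFTWARE_VERSION, version.encode())
            + tlv(TLV_PLATFORM, platform.encode())
            + tlv(TLV_DUPLEX, b"\x01" if duplex_full else b"\x00"))


def parse_cdp_payload(data: bytes) -> dict:
    """Walk the TLVs; every length must be at least 4 and stay inside the payload."""
    if len(data) < 4:
        raise ValueError("too short for a CDP header")
    version, holdtime, _checksum = struct.unpack("!BBH", data[:4])
    tlvs, off = {}, 4
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError(f"truncated TLV header at offset {off}")
        t, length = struct.unpack("!HH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError(f"bad TLV length {length} at offset {off}")
        tlvs[t] = data[off + 4:off + length]
        off += length
    return {"version": version, "holdtime": holdtime, "tlvs": tlvs}


def capability_letters(raw: bytes) -> str:
    (bits,) = struct.unpack("!I", raw)
    return " ".join(letter for bit, letter in CAPABILITY_CODES if bits & bit)


@dataclass
class CdpNeighborTable:
    """An entry lives holdtime seconds past its most recent advertisement."""
    entries: dict = field(default_factory=dict)   # (device_id, local_if) -> (expires_at, parsed)

    def learn(self, local_if: str, payload: bytes, now: float) -> None:
        parsed = parse_cdp_payload(payload)
        device = parsed["tlvs"][TLV_DEVICE_ID].decode()
        self.entries[(device, local_if)] = (now + parsed["holdtime"], parsed)

    def age_out(self, now: float) -> list:
        """Drop neighbours whose hold time has run out; returns the keys removed."""
        gone = [k for k, (expires, _) in self.entries.items() if expires <= now]
        for k in gone:
            del self.entries[k]
        return gone

    def holdtime_remaining(self, device: str, local_if: str, now: float) -> float:
        return self.entries[(device, local_if)][0] - now


# Constructed advertisement from a neighbour named SW1 (not a real capture)
SAMPLE_PAYLOAD = build_cdp_payload(
    device_id="SW1", port_id="FastEthernet0/1", caps=0x08 | 0x20,
    version="Cisco IOS Software (constructed sample string)", platform="cisco WS-C3550-24")

if __name__ == "__main__":
    p = parse_cdp_payload(SAMPLE_PAYLOAD)
    print("Device ID:", p["tlvs"][TLV_DEVICE_ID].decode(), "Holdtime:", p["holdtime"],
          "Capability:", capability_letters(p["tlvs"][TLV_CAPABILITIES]))
```

Feeding the table an advertisement every 60 seconds keeps the remaining hold time between 120 and 180, which is why the Holdtime column in show cdp neighbors normally never drops below 120.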
We've got our switches, and the Device ID is the hostname of the device. So here it's Switch, and this guy is connected to the 3550. The Local Interface: now, we're actually connected to the 3550 over two different interfaces, we've got two links going across here, and the Local Interface is the interface on our side, the Switch side. Then over here, the Port ID on the end is the interface on the remote side that we're connected to. Holdtime: remember that 180 seconds is the default hold time. This will count down as time goes on, and we wouldn't expect this to go below 120 seconds because of our default advertising interval of 60 seconds. Now, Capability: this has a legend up here, our capability codes, where it could be a router, a trans bridge, a source route bridge, a switch, a host, IGMP capable (Internet Group Management Protocol), a repeater, or a phone. That lets you know what kind of device you're connected to. Then also we have our Platform, what kind of physical chassis we're connected to. Down here our routers are 2620 routers, and we're connected to the FastEthernet 0/0 interface on both of those, and those are connected to the FastEthernet 2/0/3 and FastEthernet 2/0/1 interfaces locally. These two routers are actually two separate physical devices, whereas these two 3550 entries are one physical device that we're connected to twice. Now, this gives you a whole lot of information, right? But we can get a whole lot more with show cdp entry followed by the Device ID. You can also do show cdp entry for an interface, or show cdp neighbors on an interface, and get information that way, but show cdp entry with the Device ID will spit out a whole lot of information: it will tell you the Device ID and all of the IP addresses assigned to that device.
It will show you the IP addresses that are designated as management IP addresses. Then we have, of course, our capabilities written out in full words rather than codes. The rest of our platform information: in show cdp neighbors it's a little truncated by the number of characters, but here we get our full platform information, along with our local interface and the Port ID on the remote side. Then here we get our software version. We can see what IOS it's running and for what kind of device. This is a C3550, a Catalyst 3550 switch, running the IP Services K9-M release of the software, IOS version 12.2. Mind you, that's a little old, of course, but it tells you what software you're actually running and what release. If you want to do a discovery on your network by doing show cdp entry, you totally could; you don't need to go into every individual device and do a show version to get that information. Down here, this shows you a little information about CDP, the advertisement version and details about the protocol, information that we just don't really need to know right now and that the CCNA is not concerned with. If you were running VTP, which the CCNA no longer includes in its exam topics, so we don't really need to worry about it, but we covered that previously, that is the VLAN Trunking Protocol: if you want to know what management domain this device was part of for VTP, that is also in your show cdp entry information in this particular version. And it'll show you what duplex the remote side is running, so you might be able to find a duplex mismatch by doing show cdp entry: if you know this interface is at half duplex and this is showing full, then you've got a duplex mismatch, and it will be able to tell you that information as well.
You get a wealth of information here, as you can surely tell, and this can be an absolute lifesaver when you're going through your day-to-day operations as a network engineer, if you don't know what's connected, or you just need some information about it, or you don't have access to that device. Maybe it's managed by another vendor, maybe it's managed by another department, and you can do show cdp neighbors or show cdp entry and get a whole lot of information about what you're connected to. Now, something to note briefly is that the Cisco ASA, the Adaptive Security Appliance, does not run a discovery protocol. It does not run CDP because it is a security appliance: it is not meant to be discoverable, it's meant to be as invisible as it can be, and because of that it does not run CDP. So let's move on to the industry standard. We've spent a lot of time talking about Cisco Discovery Protocol; let's talk about Link Layer Discovery Protocol. This is the industry standard response to CDP. It does a whole lot of the same stuff, and it operates in very much the same kind of way. It's defined in the standard IEEE 802.1AB, and this came a fair bit of time after CDP: Cisco released Cisco Discovery Protocol, and a couple of years later the industry responded with LLDP, saying that was a really good idea, let's add this into our standards. It has a very similar type-length-value format to CDP. Now, the timers are a little different. We have a default advertising interval of 30 seconds and a default hold time of four times that, 120 seconds. So, the same thing: we would not expect our hold time to go below 90 seconds, because we should be seeing a 30-second advertising interval. And down here we just have the format of the frame for LLDP. You've got your TLVs down here: we've got our Chassis ID and our Port ID. This is going to be your hostname here and your port
ID that you're connected to, then the source and destination MAC address, and this is the end of the LLDPDU, the Link Layer Discovery Protocol Data Unit. So I want to show you what the output of show lldp neighbors and show lldp entry looks like. On your Cisco device, it's going to be the same commands: show lldp neighbors instead of show cdp neighbors, and show lldp entry instead of show cdp entry. You also have very similar commands to enable it, lldp run and lldp enable, just with lldp instead of cdp. You can see the output looks a little different: we end up getting our Port ID and Port Description, which are the local interface and the port ID. Then you have your Chassis ID, which gives you the MAC address of the device you're connected to; the System Description, which can vary from vendor to vendor, but this ends up showing us our software version, the same as our show cdp neighbors output; and then our capabilities, where it is a bridge and a router, where a bridge is a switch, so it's a Layer 3 switch. We get the VLAN ID this is on, although that was not advertised in the LLDP TLVs for this particular device; our management address, if it's included, which it is not on this device; and our physical media capabilities and things of that sort. I want you to be aware of what the output looks like. If you've got a lab available, run CDP and LLDP and do this a couple of times: show cdp neighbors and show lldp neighbors, show cdp entry and show lldp entry, and take a look at what kind of information you end up getting. If you have a router available, do it for a router; if you have a switch available, do it for a switch. If you happen to have a phone available, you might want to take a look at what the output looks like when you have a phone connected and understand how that is displayed as well.
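Because the LLDP frame layout is the one you are expected to recognise next to CDP, this added Python example (not from the course) builds and parses an LLDPDU: a 7-bit type and 9-bit length packed into a 2-byte header instead of CDP's two 16-bit fields, the mandatory Chassis ID, Port ID and TTL TLVs first, and the End of LLDPDU TLV closing the unit, with the default 30 s × 4 = 120 s TTL. The neighbour SW2, its MAC address and its system description are constructed sample values.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
LLDP_NEAREST_BRIDGE_MAC = "01:80:c2:00:00:0e"   # default LLDP destination (IEEE 802.1AB)

# TLV types used here (IEEE 802.1AB)
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESCR, TLV_SYSTEM_NAME, TLV_SYSTEM_DESCR, TLV_SYSTEM_CAPS = 4, 5, 6, 7
CHASSIS_SUBTYPE_MAC = 4       # chassis ID given as a MAC address
PORT_SUBTYPE_IFNAME = 5       # port ID given as an interface name

# Default timers: 30 s transmit interval, hold multiplier 4 -> TTL 120 s
TX_INTERVAL = 30
HOLD_MULTIPLIER = 4


def default_ttl() -> int:
    return TX_INTERVAL * HOLD_MULTIPLIER


def tlv(tlv_type: int, value: bytes) -> bytes:
    """LLDP TLV header is 2 bytes: 7-bit type, 9-bit length of the value alone (unlike CDP)."""
    if not 0 <= tlv_type < 128:
        raise ValueError("type must fit in 7 bits")
    if len(value) > 511:
        raise ValueError("value must fit in a 9-bit length")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: bytes, port_name: str, ttl: int, sys_name: str, sys_descr: str) -> bytes:
    """Mandatory Chassis ID, Port ID, TTL first and in that order; End of LLDPDU last."""
    return (tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
            + tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
            + tlv(TLV_TTL, struct.pack("!H", ttl))
            + tlv(TLV_SYSTEM_NAME, sys_name.encode())
            + tlv(TLV_SYSTEM_DESCR, sys_descr.encode())
            + tlv(TLV_END, b""))


def parse_lldpdu(data: bytes) -> list:
    """Return [(type, value), ...] up to the End TLV and check the mandatory ordering."""
    tlvs, off = [], 0
    while True:
        if off + 2 > len(data):
            raise ValueError("ran off the end without an End of LLDPDU TLV")
        (hdr,) = struct.unpack("!H", data[off:off + 2])
        t, length = hdr >> 9, hdr & 0x1FF
        value = data[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV type {t} at offset {off} is truncated")
        off += 2 + length
        if t == TLV_END:
            break
        tlvs.append((t, value))
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("Chassis ID, Port ID and TTL must come first")
    return tlvs


def summarize(tlvs: list) -> dict:
    """Pick out the fields show lldp neighbors / show lldp entry would print."""
    out = {}
    for t, v in tlvs:
        if t == TLV_CHASSIS_ID and v[0] == CHASSIS_SUBTYPE_MAC:
            out["chassis_id"] = ":".join(f"{b:02x}" for b in v[1:])
        elif t == TLV_PORT_ID:
            out["port_id"] = v[1:].decode(errors="replace")
        elif t == TLV_TTL:
            (out["ttl"],) = struct.unpack("!H", v)
        elif t == TLV_SYSTEM_NAME:
            out["system_name"] = v.decode(errors="replace")
        elif t == TLV_SYSTEM_DESCR:
            out["system_descr"] = v.decode(errors="replace")
    return out


# Constructed LLDPDU from a neighbour (not a real capture)
SAMPLE_LLDPDU = build_lldpdu(bytes.fromhex("00000c000002"), "Gi0/1", default_ttl(),
                             "SW2", "Constructed system description")

if __name__ == "__main__":
    print(summarize(parse_lldpdu(SAMPLE_LLDPDU)))
```

The parser stops at the End TLV rather than at the end of the buffer, and it refuses a unit whose first three TLVs are out of order, which is how a receiver distinguishes a well-formed advertisement from a truncated or malformed one.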
Now, just like the other sections, let's run through a couple of practice questions before we end off here. First up: what is the default advertisement interval of CDP? Remember, CDP and LLDP do have different advertisement intervals: LLDP has an advertisement interval of 30 seconds, whereas CDP has an advertisement interval of 60 seconds by default. So the answer here will be C, 60 seconds. Next up: what command is used to disable CDP on an interface in IOS? Remember, there were two different commands for enabling and disabling CDP, one global and the other for a particular interface. Globally, the command is cdp run to enable it and no cdp run to disable it. At the interface level, the command is enable, so it'll be cdp enable to enable it and no cdp enable to disable it. Our answer will be A, no cdp enable. Now, I hope that this has been informative for you. I'd like to thank you for viewing.

16. 2.4 RPVST+ Part 1

Rapid Per-VLAN Spanning Tree, part one. So this may be your first real introduction to Spanning Tree Protocol, or you may have been dealing with it for a long time. Over this video and the next, I really recommend you watch these a few times until you feel very comfortable with Spanning Tree Protocol. Of all of the information that a network engineer can have, being well versed in Spanning Tree Protocol, I feel, is one of the most important things. You can have a career focused very heavily on routing, be in the routing protocols and know BGP inside and out, but if you're ever in the enterprise or small business environment, being very familiar with Spanning Tree Protocol, its operation, and how to optimize it is really something that will become very, very valuable to you. I do want to mention that the exam topics for the CCNA only include Rapid Per-VLAN Spanning Tree, so we're only talking about the Cisco proprietary spanning tree protocol, the rapid version.
That's RPVST+. There do exist the industry standard spanning tree protocols, but the CCNA exam topics do not cover those at all, though it will certainly help us to understand the progression just a little bit here. So let's start from the beginning with the original Spanning Tree Protocol. 802.1D is the standard where it is defined. It was a protocol created in order to provide a loop-free switching topology. Let's talk about what that means and where Spanning Tree Protocol comes into play. Say you've got a server here, you've got switch, switch, switch, and you've got these connected in a nice little loop. Excellent. You've got your server over here on the end, and let's say your server needs to talk to your workstation over here, and these both have their own IP addresses, whatever they may be. So what's the first thing it's going to do, say you ping it? Well, it's going to try and find the MAC address of that workstation, so it's going to send out an ARP. And what is an ARP? It is a broadcast. And how does a switch handle a broadcast? It forwards it out all ports except the one it came in on. So this switch is going to forward that broadcast out there and out there. This guy's going to receive it and forward it out here. This guy's going to receive it and forward it out there. Excellent. So this guy receives it and forwards it out there; this guy forwards it out there, and you see where this is going. We've got a loop going this way and another loop going that way; we've got two of these going around. This will never end. There is no time-to-live value, TTL, in a Layer 2 frame. So this frame will be forwarded around and around and around at near wire speed, right, because we are using ASICs now for switching, and this is just forwarding super fast all the way around, and we have thousands of these going per second.
And if we don't do anything to interfere, then we may continue sending broadcasts out, creating more of these frames forwarding around at super fast speeds, causing our switches to become bogged down and perhaps eventually even crash, bringing your network down to its knees because we have a switching loop. So this is why 802.1D was created: let's prevent that from happening. But the problem is that the original 802.1D was very slow to converge, and we'll talk about what convergence means a little more in the next slide. Original 802.1D takes over a minute, really, to converge. Now, a minute back in 1990 really wasn't that long; if your computer went down for a minute, that wasn't really a big deal. But nowadays, when everything relies on your network connectivity, a minute of downtime can feel like a New York minute, the longest minute of your life. The later revisions end up speeding up that convergence time with Rapid Spanning Tree Protocol, but the general principles of how it works stay about the same. So Cisco, in response to 802.1D, created Per-VLAN Spanning Tree. A limitation of 802.1D is that you only have one single instance running on your switch. So say you have 100 VLANs, you have this topology over here, and you've got five different VLANs running here. Your VLANs may not span across all of your switches, so you could end up with really suboptimal paths because you have no way of having a separate spanning tree topology for each of your VLANs. This is where Per-VLAN Spanning Tree comes into play: you could have your root bridge that is elected for VLAN 1, and your root bridge is elected, and we'll talk about that again a little more in the next slide, but you have your root bridge here for VLAN 1.
And then you could have a root bridge here for VLAN 5 and a root bridge here for VLAN 10, so you can end up doing some semblance of load balancing at Layer 2 with spanning tree by splitting out where your root bridges are based on your virtual or logical topology, where 802.1D only cares about your physical topology. Per-VLAN Spanning Tree cares about your logical topology and runs a separate spanning tree instance for each of your VLANs. Now, mind you, of course, this can get problematic when you have a lot of VLANs. Say you have 100 to 1000 VLANs, mind you that's a really huge number of VLANs, but say you do: if you're running a separate spanning tree instance for each of these VLANs, that could really bog down your CPUs, especially on older hardware. Running a separate instance of spanning tree for each one of those VLANs, especially when convergence happens or topology changes happen, could seriously bog down your CPU and cause some problems. This is where the industry standard MST, Multiple Spanning Tree, comes into play: Multiple Spanning Tree takes the general idea of Per-VLAN Spanning Tree, having multiple instances of spanning tree, but allows you to assign an instance of spanning tree to a group of VLANs. Say VLANs 1 through 5 go to instance 1 and VLANs 6 through 10 go to spanning tree instance 2, and so on and so forth, so that you can still get the benefit of having multiple spanning tree instances, but you don't necessarily run into the problem of having a separate instance for each individual VLAN and potentially really bogging down your switches. Now, it does have more configuration complexity, and because of that Cisco does recommend you stick with Rapid Per-VLAN Spanning Tree whenever possible. But I just want to make you aware that Multiple Spanning Tree does exist.
So convergence speed was increased with 802.1w; that is Rapid Spanning Tree Protocol, RSTP is 802.1w. This changed the way that spanning tree works just a little bit, but also seriously decreased the amount of time required for a port to go from blocking to forwarding. In order to create a loop-free topology, you block some ports that are not needed; you block the highest-cost ports that create your loop, such that you don't have a loop anymore, but a port can then transition back into forwarding in the event that your path to the root bridge goes away for some reason, either a switch crashed or burst into flames or somebody tripped over a wire, what have you. If you still need to get to the root bridge, you still can by transitioning your blocked port into a forwarding port, a root port or designated port, as we'll end up seeing in a little bit. So let's talk a little bit about our terminology. I threw some terms out here like root port, designated port, root bridge, all that kind of thing, and the election process. Let's talk about some of these terms. First, I'm sure you figured it out: a bridge is just another term for a switch. Let's just get that out of the way, in case you weren't aware that bridge and switch are interchangeable. Now, our root bridge: this is the one that is elected as the root of the spanning tree, and this is defined by the bridge with the most superior, the best, bridge ID. The bridge ID is defined as our priority number plus our MAC address. So you'll have your priority, which by default is 32768, then a dot, and then your MAC address. And so, if all priority numbers in your topology for all of your switches are the same, then the switch with the lowest MAC address number wins, with this being big-endian, right: this side is your most significant bits
and this side is your least significant bits, so the MAC address with the lowest number will end up winning here as the root. This honestly is really problematic because, as our vendors have created and manufactured our switches, they typically started from the beginning of their allocated MAC address ranges, at the bottom, and then continued their way up as they manufactured their switches. This is a problem because our older switches then have a tendency to have lower MAC addresses. So if you leave your priority numbers at the same default across your topology and you only rely on your MAC address, chances are you're probably going to get an older switch as your root bridge in your topology, which could be a good thing or a bad thing. Your older switch might be your big beefy one that you don't need to replace for a long time, or it could be an old, old switch that's just sitting out on the network and should be replaced any minute because it's running on its last leg, and that guy ends up being the root, the core of your network, because you didn't set your bridge priority, your bridge ID, the way that you wanted. So your bridge priority, let's talk about that for a minute: it is a configurable attribute in increments of 4096. This is because your priority is really your configured number plus the VLAN ID for Rapid Per-VLAN Spanning Tree. It is plus your VLAN ID, and how many VLANs can you have in the extended range? Well, 4096. That's why you can only do increments of 4096. So say your bridge priority was the default 32768 and we are running on VLAN 5. Our bridge priority will actually be 32773, because it is 32768 plus 5.
And when you do a show spanning-tree, it'll give you that information: what the priority is, what the configured priority is, and the VLAN ID, so you can put that together to know which VLAN instance that's running on. So our bridge protocol data unit: this is the data unit, the packet of information that is sent around the network so that the switches can actually figure out who is the root, the core of the network, where all of their connections should try to get to in order to have continuous connectivity across the network without creating loops. Your BPDU, this is what is sent around. It includes your BID, your bridge ID. It also includes the path cost, from the perspective of the advertising switch. So this is an advertisement, right? If we have a switch here and a switch here and they're connected, this guy's advertising out a BPDU. Let's say we also have a switch here and that this is our root right here. When this guy sends out its BPDU, the cost of this link right here is what gets labeled as the path cost in the BPDU that is sent across the next link here; the cost of that second link is not taken into account until this switch receives that BPDU. The receiving switch is the one that actually adds that link cost into the whole path cost to the root. The BPDU also includes the port ID, and the timers that are used for your listening and learning, or your discarding, and your other phases for your port types, which we'll go through in the next slide and also in more depth in the next video for the phases and the operation. It includes the port ID that it was sent out on and then also the root ID: whatever switch the advertising bridge thinks is the root, it will send out the ID of that root with its BPDU.
Such that if these two switches send each other a BPDU and they do not agree on which bridge is the root bridge, they will pick whichever one is superior and accept it as the root bridge. It'll go through its synchronization process to converge and have a topology change, to ensure that they don't cause a loop by having a new path to the root. And convergence, just to get that out of the way, is the act of calculating a stable state for the spanning tree topology. When your topology converges, when you have convergence, you are now in a stable state: all of your switches agree on which bridge is the root bridge, they all agree on which paths to take, and there are no changes happening with spanning tree protocol at that time. When you hear a network engineer say that spanning tree is still converging, or that they're waiting for convergence, they're waiting for spanning tree protocol to complete its calculation and propagate it down the network such that everything is stable and there are no topology changes happening. So we just went through a bunch of terms here. Make sure that you know these by heart and are very familiar with each of them; they will come up a lot. So let's talk about the types of ports that we have in spanning tree, the few different roles that your ports can play in Rapid Per-VLAN Spanning Tree. First up, we've got a root port. Let's draw our little triangle topology here once more, and to make things a little more interesting, this is the root up here, and let's say this guy here, just to add some cost, is a 100 megabit link, and these guys are 1 gigabit links.
So our root port is the port that is calculated to have the shortest path cost to the root bridge. The root bridge is up here; it's sending out BPDUs that we know are superior to these guys, so it gets elected as the root. Let's say this is switch 3 and this is switch 2, and this up here is switch 1. Switch 3 and switch 2 now need to find the shortest path cost to the root bridge. Switch 2 is directly connected with a 1 gigabit link; that is going to be its shortest path cost, so this port right here becomes a root port. It is the port that is used as the shortest path to the root. For switch 3, because of the cost of traversing the 100 megabit link versus two 1 gigabit links, the cost ends up being lower to traverse the two 1 gigabit links, so this port right here is going to be the root port for switch 3. Now, a designated port. This is a port connecting to a downstream bridge, away from the root. There is a special circumstance for the root bridge specifically: all of its ports are expected to be designated ports. Because it is the root, it does not have any ports that are the shortest cost to the root. So all of its ports are supposed to be designated ports and are supposed to be non-blocking; it is forwarding out all of its ports, because it is the root, and all of its ports should be the shortest cost to the root for whichever switch it's connected to. It may not be, in this circumstance here, where this link is not the shortest cost to the root. However, this side up here is still going to be the designated port, and only this side down here will end up getting blocked, because our root is superior; it has the superior BPDU.
The inferior side is the side that ends up getting blocked; we'll go through that a little more in a bit, or in the next section. Our next port type is our alternate port. Let's label these out here. Let me clean this up a little: we've got our root port there, and, putting this guy back and this guy back, we've got our designated ports here and our root ports here, and this guy here is going to be a designated port as well. And so we also need an alternate port. That's where this guy comes in. This is an alternate port: a discarding port with an alternate path to the root bridge. Switch 3 here had two possible paths to get to the root bridge, going this way and going that way, and it ended up that going this way through switch 2 was the shortest path cost, so that became the root port. Its alternate path, in this circumstance, because of our topology, will end up blocking; this is our alternate path, this is our alternate port. It is in a blocking state, a discarding state, and this is where our loop is stopped. Because the property of the root bridge is that all of its ports are designated, forwarding ports, it is not blocked up here on switch 1; it is blocked down here on switch 3. Now, a backup port. This is a special port type that's used in the event that you have a hub. Let's say we've got a hub here and we have two connections coming down to it. Say this is switch 2 and this is switch 1, and this guy is the root. On switch 2, one of these two ports connected to the hub is going to end up being a root port. The other one? Because it is a hub, this here is one collision domain.
It is on the same segment, so one of those ports will need to be blocked, and the way it is blocked is as a backup port. A backup port is a special port type used when it's connected to the same segment on the same switch, and it actually uses the port ID: the lower port ID wins. So let's say on the right here we've got port 1 and on the left here we've got port 3 (I can't really draw that small here). Port 1 has the lower port ID, so it will win and be our root port, and port 3 will be our backup port, all right? And then an edge port. An edge port is another special kind of port that is supposed to be connecting to an endpoint. Let's say it's connected to a server, or to a workstation, or to a phone over here (I cannot draw a phone, but over to a phone). It is a PortFast-enabled port. We'll talk a little more about PortFast later, but what that does is transition the port directly to a forwarding state such that it does not listen at all; it doesn't block this port when it goes through its synchronization process, which we'll talk about on the next slide. It is an edge port because it is PortFast enabled, and it is assumed that this is connected to an endpoint, a server or a workstation, and not to another bridge. That is our port type: an edge port. Now, this is an edge port until it receives a BPDU. Let's say somebody unplugs their computer from this port and plugs in a switch, so we now have switch 5 down here. This guy is going to send out a BPDU. If this port had PortFast enabled on it, well, now it is no longer an edge port. Rapid Per-VLAN Spanning Tree will recognize that it just received a BPDU on a PortFast-enabled port.
It will transition this port away from that, take it away as an edge port, do a recalculation and send out a topology change notification to the other switches involved. OK, I know that's been a lot. I recommend reviewing the port types as well; this is going to come up a lot. We're going to review the operation a little bit next, and then we'll go into it more in depth in the following video. So, Rapid Per-VLAN Spanning Tree operation. Let's say we've got our topology over here, with our computers on each side and four switches in the middle, and let's say we had a power outage and the power just came back, so all of these guys are coming online at the same time. When a switch comes online, Rapid Per-VLAN Spanning Tree assumes itself as the root: each of these guys will assume that it is the root, and it will send out BPDUs saying "I am the root, the core of the network," until it finds out otherwise. Now, if an adjacent switch has a superior BPDU, so switch 4 receives switch 1's BPDU... let's set some ground rules for which switch is going to end up being the root. Let's say switch 1 is going to be the root; maybe we set the priority here, or maybe it just has a lower MAC address. Switch 1 is going to be the root, and all the other guys here have an inferior BPDU, an inferior BID. So switch 4, as soon as it receives that superior BPDU... actually, switch 1 sends a proposal over to switch 4 to accept the superior BPDU as root. As soon as switch 4 receives that proposal and knows that this is a superior BPDU, it goes through what's called a synchronization operation: all of its other ports that are connected to other switches, all of its non-edge ports, end up being blocked.
It shuts this guy down, except for the port to the root, the port to switch 1 where it received that superior BPDU, and it goes through a synchronization where, once that happens, it sends an agreement back saying "Yes, I agree that you are the root," or "I agree that you are my path to the root, and we should begin forwarding traffic." So this port opens to forward traffic, and this one opens to forward traffic; the port types will be as appropriate, root port or designated port, and it takes care of that as needed. Then these begin forwarding traffic. This guy now is in a discarding state and goes through to where it is learning what is going on, learning the MAC addresses that are on each side, and it will then begin transitioning this into forwarding so that it can send that superior BPDU out. When switch 3 receives it (switch 3 actually received it going this way, right?), it sends the agreement back. Switch 3 cuts off all of its non-edge ports so that it can send that agreement back and go through its synchronization. Switch 2, same thing: it received that superior BPDU, cuts off its non-edge ports, and goes through the agreement and synchronization, with these discarding. Then this superior BPDU gets forwarded out, and we now end up calculating our best paths to the root, or our best paths to each other, since it's all about the best paths to the root. Depending on the speeds, the path costs here, if all is the same, then it'll be the superior BPDU from the individual switch that determines which of these ports ends up in a discarding state, an alternate port, as opposed to a root or designated port. This continues downstream in this manner until the optimal root path is found and the topology is converged.
Now, I know this was a super brief fly-by of the operation of Rapid Per-VLAN Spanning Tree. You're probably still very unclear on how this works, and that is OK. We will continue with this in part two in the next video and go through some labs, calculating and figuring out our port states given a topology and the known bridge IDs, so that you're very familiar with spanning tree operation. Now, just like the other sections, let's run through a couple of practice questions before we end. First up: what is the default priority used in a bridge ID? You should recall that 4096 is our stepping, the increment we're allowed to assign our bridge ID in, and this is also the minimum for your bridge ID. Our default bridge ID is 32768. 65536 is actually the maximum bridge ID you can possibly assign. So our answer is C, 32768. And finally: which port type indicates the port is connected to a downstream bridge and not used as an optimal path to the root? Is it a designated port, alternate port, backup port or edge port? An edge port is connected to an edge device, an endpoint: a server, a workstation or a router, something that is not a switch. Our backup port, remember, is the thing that happens when you have a shared segment with multiple interfaces; if I have a hub here and one port here, this is the port that ends up becoming a backup port because you're on a shared segment. Our alternate port is a port, also in a discarding state, that is an alternate path to the root. Our designated port is connected to a downstream bridge and is not used as an optimal path to the root. I know this may have been a little confusing with the way it was phrased. You can look forward to that kind of thing on the Cisco exams; it really seems like they try and trip you up sometimes.
But you just need to be very familiar with the technology involved and make sure that you understand it, so that you know that the designated port is not used as an optimal path to the root; it is connected to a downstream bridge. An alternate port is connected upstream, but it is an alternate root path. It is not used as our root port because it is not the optimal path, but it is a path to the root, and that's where our alternate port comes into play; that's how it's different from our designated port. So the answer is A, a designated port. I hope this has been informative for you, and I would like to thank you for viewing.

17. 2.5 RPVST+ Part 2

Rapid Per-VLAN Spanning Tree, part two: port states and operation. I know after the last video you're probably still very unsure as to how rapid spanning tree works, and that is definitely okay. That's why I split this up into two parts. The first time around, recall, I wanted to go through what the different port types were and the general operation of rapid spanning tree, and also a little bit of history as to how spanning tree came about and what exactly it's used for. So here I do want to go back through the operation again. We're going to go through a lab with a couple of switches, calculate out what the port states are before we go and check that in the lab, and then also run some debugging and take a look at what exactly Rapid Per-VLAN Spanning Tree is doing. So first up, let's talk about the different port states we can have, which we did not cover in the last video. Rapid Per-VLAN Spanning Tree, unlike regular spanning tree, consolidates down into three port states. A port can be discarding, learning or forwarding. In the discarding state, the port is discarding all frames except for BPDUs; all non-BPDU frames are being discarded, and it is accepting and receiving BPDUs.
It's actually processing any BPDUs so that it knows what it's getting; it's not discarding all traffic, it will pay attention to BPDUs. Or it could be learning. In this case it's accepting the traffic but not forwarding anything; it's just learning what MAC addresses are on this port, looking at the source MAC address in every frame that comes in and noting that it lives off of that port. Or it could be forwarding, in which case it's a fully operational port. This is a little simpler than standard spanning tree, in my opinion: it takes five port states and brings them down to three for us, which is a little less to remember. So I want to jump back through the Rapid Per-VLAN operation a little bit. I put this slide up here just to have continuity with the last video, since this is how we laid it out previously, but I'll explain it a little differently. When a rapid spanning tree enabled switch first comes online, it sets all of its ports into a blocking or discarding state, and during that time it sends proposal frames out all of its non-edge ports. Remember that non-edge ports are any that do not have PortFast enabled and have not received a BPDU; the ports that connect to a router or some other end device, a workstation or server, what have you, are the edge ports. So the switch we're on, the local switch, will send out proposals to all of its neighbor switches, telling them that it's the root bridge, because when a switch first comes online it believes it's the root. If it's correct, and the neighboring switches understand this to be correct and see that this BPDU is superior, then they will send back an agreement and they will synchronize their rapid spanning tree, their RSTP, interfaces accordingly: any non-edge interfaces they will shut down and begin to synchronize. That's the sync operation that starts.
And if the receiving switch doesn't agree with this, though, if it already has a superior BPDU, maybe it's the root, or maybe it already knows of a root that has a better priority, then it will send back that superior BPDU to the remote switch, and the remote switch will adjust its interfaces dynamically. Of course, like I mentioned, it'll go through the alternate, backup and root ports and set those according to the superior BPDU it just received. That's really not so much aiming at locating the root bridge per se, but more just the path to the root bridge, right? So with that, of course, it's the lowest path cost to the root bridge that actually matters here, and I wanted to show what those costs are based on the link speed, for both 802.1D regular spanning tree and rapid spanning tree. Remember, Rapid Per-VLAN Spanning Tree is a Cisco proprietary protocol; the industry standard is just Rapid Spanning Tree Protocol. The rapid spanning tree protocol cost is 20 terabits divided by the speed; that's what this column is. Spanning tree used to be 10 gigabits divided by the speed, but it was adjusted later for higher-speed links, so it no longer follows a linear progression like that. But you can see what the costs are here. I've found that the Cisco switches that support rapid spanning tree and standard spanning tree are using the regular spanning tree costs instead of the rapid spanning tree costs, which we'll see in the lab coming up. So make sure that you're aware of this table for the exam, just in the event that this information comes up, and mostly just for rapid spanning tree; the standard spanning tree column you can probably discard. As far as the lab goes, let's take a look at what our topology is going to be, and then we'll jump in there and start taking a look at our spanning tree operation.
So here we have a three-switch topology. We're going to have switch 1 set as our root switch, by setting the priority to 4096. Remember that that is the lowest, the best priority number that we can have, and it must be in increments of 4096. Down here on switch 2 we're going to have our backup root switch; we're going to set its priority to 8192, the next increment of 4096 up. We only have one VLAN here, and that's all we're going to worry about, and here are our port connections for how these switches are set up. So what's going to happen here, right, is that we've got our root switch, and by definition all of the root switch's ports are designated ports: we don't have any root ports on the root switch because it is the root already, and we don't have any alternate ports because it is the root; it is the place everybody is trying to find the cost to. Now, the backup root switch has two paths. Our paths are equal cost because they're all FastEthernet negotiating at 100 megabits, so using our table from just previously that ends up having a cost of 19. All of these links have a cost of 19. So right here, this is going to be our root port, and over here we're going to end up having a designated port. Now, in a circumstance like this, switch 3 has a root port right here, of course, because that is a cost of 19 to get over there, but a cost of 38 to go back all the way around in that direction. So of course that's going to be the root port. But then this right here: how do we know whether that's the designated port, or whether the designated port is over here? Only one side ends up being blocked, and the side that is blocked is the side on the inferior switch, and switch 3 has the most inferior BPDU. It's having a real inferiority complex here; it's got the most inferior BPDU.
Out of the three switches here, it will block its side, so this will become the alternate port state over here, and our switch 2 port FastEthernet 0/1 is going to be a designated port on that side. This happens so that we have a faster switchover, a faster failover, in the event of this link going down here: if both of these were blocked, we'd have to wait for both switches to process the topology change notification in order for that link to be in a forwarding state. But one of them is a designated port, and the other is an alternate port that is in the discarding state. So with that, let's go into our lab and take a look; we're just going to jump right into the command line first. I've got all three of them open here. I want to let you know that for this particular topology I ended up running into some problems with GNS3: it wasn't handling the links between the switches correctly, showing them all as shared links at half duplex, even though the links were actually being negotiated at full duplex, and I'm not exactly sure why that is. When I was reading the debugs, I wasn't seeing that we were getting the agreements back correctly as we should. Because of that, I went to my physical switches; my physical topology here is two 3750s and a single 3550 switch, linked up in the fashion that you saw, and that's why our port naming is a little different here, since we're not going in through GNS3. I found that this was more reliable. So over on switch 1, remember, this is our root. If you go ahead and enable and do a show spanning-tree, you see this is our root: our bridge ID, our priority, is 4097, which is 4096 with the system ID extension of 1. Remember, this is for VLAN 1; if it were 2, then this would be a priority of 4098, because it's adding that VLAN ID on there. Here is our MAC address, and here are the timers that it's using.
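The root election and port-role reasoning from these two lessons, worked as an added example (my code, not from the course): bridge ID = priority + VLAN ID with the MAC address as tie-breaker, the receiving switch adding the link cost, and the lower (root path cost, bridge ID, port ID) side of each segment winning the designated role. The switch names, MAC addresses and port numbers are constructed, and only point-to-point links are modelled (no hubs, so no backup ports, and no edge ports). It reproduces both the 100 Mb versus two 1 Gb case from part one and the three-FastEthernet lab topology above.

```python
"""Rapid PVST+ root election and port roles (added worked example, not course code).

Bridge ID = configured priority (a multiple of 4096) + VLAN ID, MAC as tie-breaker.
BPDUs compare as (root path cost, sender BID, sender port, receiving port); lower wins,
and the *receiving* switch adds the cost of the link the BPDU arrived on.
Point-to-point links only: no hubs (so no backup ports) and no edge ports.
"""
import heapq
from dataclasses import dataclass

# 802.1D-1998 cost table, which the lab switches used (FastEthernet = 19).
STP_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def rstp_cost(speed_mbps: int) -> int:
    """802.1w cost: 20 Tbit/s divided by the link speed in Mbit/s."""
    return 20_000_000 // speed_mbps


def bridge_id(priority: int, vlan: int) -> int:
    """Priority as 'show spanning-tree' prints it: configured priority + VLAN ID."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return priority + vlan


@dataclass(frozen=True)
class Switch:
    name: str
    priority: int
    mac: str  # constructed sample values such as "0011.2233.0001"

    def bid(self, vlan: int) -> tuple:
        return (bridge_id(self.priority, vlan), int(self.mac.replace(".", ""), 16))


@dataclass(frozen=True)
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    speed_mbps: int


def port_roles(switches, links, vlan=1, cost_of=STP_COST.__getitem__):
    """Return (root bridge name, {(switch, port): 'root' | 'designated' | 'alternate'})."""
    bids = {s.name: s.bid(vlan) for s in switches}
    root = min(bids, key=bids.get)  # lowest bridge ID wins the election
    adj = {n: [] for n in bids}
    for lk in links:
        c = cost_of(lk.speed_mbps)
        adj[lk.a].append((lk.b, c, lk.a_port, lk.b_port))
        adj[lk.b].append((lk.a, c, lk.b_port, lk.a_port))
    # Best BPDU each switch has seen: (root path cost, sender BID, sender port, my port).
    best = {root: (0, bids[root], 0, 0)}
    root_port = {}
    heap = [(best[root], root)]
    while heap:
        key, n = heapq.heappop(heap)
        if key > best[n]:
            continue  # stale heap entry
        for nb, c, my_port, nb_port in adj[n]:
            cand = (key[0] + c, bids[n], my_port, nb_port)  # receiver adds the link cost
            if nb not in best or cand < best[nb]:
                best[nb] = cand
                root_port[nb] = nb_port
                heapq.heappush(heap, (cand, nb))
    roles = {}
    for lk in links:
        # Per segment the end with the better (cost, BID, port ID) is designated; the
        # other end is a root port if this is its best path to the root, else alternate.
        ka = (best[lk.a][0], bids[lk.a], lk.a_port)
        kb = (best[lk.b][0], bids[lk.b], lk.b_port)
        d, dp, o, op = (lk.a, lk.a_port, lk.b, lk.b_port) if ka < kb else (lk.b, lk.b_port, lk.a, lk.a_port)
        roles[(d, dp)] = "designated"
        roles[(o, op)] = "root" if root_port.get(o) == op else "alternate"
    return root, roles


def lab_topology():
    """Three-switch lab: all FastEthernet, SW1 priority 4096, SW2 8192, SW3 default."""
    switches = [Switch("SW1", 4096, "0011.2233.0001"), Switch("SW2", 8192, "0011.2233.0002"),
                Switch("SW3", 32768, "0011.2233.0003")]
    links = [Link("SW1", 2, "SW2", 3, 100), Link("SW1", 3, "SW3", 1, 100), Link("SW2", 1, "SW3", 2, 100)]
    return switches, links


def mixed_speed_topology():
    """Part-one example: SW3 reaches the root over one 100 Mb link or two 1 Gb links."""
    switches = [Switch("SW1", 4096, "0011.2233.0001"), Switch("SW2", 32768, "0011.2233.0002"),
                Switch("SW3", 32768, "0011.2233.0003")]
    links = [Link("SW1", 1, "SW3", 1, 100), Link("SW1", 2, "SW2", 1, 1000), Link("SW2", 2, "SW3", 2, 1000)]
    return switches, links


if __name__ == "__main__":
    for topo in (lab_topology, mixed_speed_topology):
        root, roles = port_roles(*topo())
        print(topo.__name__, "root:", root, {f"{s}:{p}": r for (s, p), r in sorted(roles.items())})
```

Swapping in `cost_of=rstp_cost` uses the 20 Tbit/s table instead; for the all-FastEthernet lab the roles come out the same.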
Up here, for rapid spanning tree, it is letting us know that this is rapid spanning tree protocol; if this were standard spanning tree protocol, this would read ieee up here. I've already gone through, as you can see, and configured the priority here, and also set it to be rapid spanning tree, because it defaulted to 802.1D initially. But I want to go through and show you what this output looks like. Down here we have our interfaces for VLAN 1, what role they're currently in, and their status. The cost here is 19 because these are FastEthernet ports. The type is point-to-point, which is a switch-to-switch link; this is what it should be, because it's full duplex, and it cannot possibly be a shared link because you cannot have full duplex on a shared link. Then the priority number for this interface, the role, which is designated, and the interface name. Now, I want to show you real quick how we set that priority: we just do a show run and include the spanning-tree information. Here we've got spanning-tree mode rapid-pvst. Now, these are global configuration commands. This one here was defaulted already; I did not put that command in. And this one I did, to set the priority to 4096. There are some old configuration items still on the switch, where I had set PortFast on a couple of interfaces to test with; that is not needed here. These two interfaces are the ones that go over toward the other two switches, as we see with a show cdp neighbor. Actually, let's expand this a little into a show cdp neighbors, and that's a little more readable: we've got switch 2 and switch 3 off of FastEthernet 1/0/2 and FastEthernet 1/0/3, and up here these are the other two interfaces that are running spanning tree and are in forwarding state at the moment. So then let's jump on over to our backup real quick, our switch 2. Enable, and let's do a show spanning-tree.
Now, I do have a couple of other links running between areas that we don't really need to pay attention to at the moment; the two that actually have our devices connected are FastEthernet 0/1 and 0/3. This has a configured priority; here we actually have the root information, and the bridge information for the switch we're currently on is down here: 8192 is my priority, the next step up from 4096. The priority of our root is 4097. It gives us that MAC address and the cost to get to the root; we're only traversing a single FastEthernet link to get there, so we have a cost of 19. We have the timers that are included, because the timers being used are in that BPDU we send around. And here's the port that is the shortest path cost being used to access the root, which is our root port: FastEthernet 0/3, right there where it shows the role is root, and we have our cost of 19 all the way down. This guy's hard-coded for 10 megabits to get that cost of 100 there, and I believe it's half duplex for that shared port type. So what I want to do is this: shut these two interfaces on switch 1, FastEthernet 1/0/2 and 1/0/3, enable debugging for our spanning tree events, and take a look at this negotiation as it happens, to see the proposals being sent and the agreements received back, so you can actually tell what is happening. Let's go configure terminal, and here you'll get an introduction to the interface range command, which is definitely really helpful: interface range fastethernet 1/0/2 - 3. Let's do a shut, and we'll do do. I'm not sure if we've seen the do command before; that's how you run enable-level commands, or just exec commands like show commands or debug commands,
when you're in configuration mode, whether interface configuration, global configuration, or any of the configuration modes. So, do debug spanning-tree events. Oops, it helps if I can type debug. There we go. Do no shut. Maybe expand this guy out a little so we can see what's going on. And there we go: there are our rapid spanning tree events, our debugging coming up. We received our agreements on both here already. OK, so let's do u all, undebug all; that is how you disable debugging: u space all, which stands for undebug all. So up here we end up having our two interfaces, FastEthernet 1/0/2 and 1/0/3, change state to up when we did our no shut, and then we are setting our bridge ID. These were the only two interfaces running spanning tree, so spanning tree was not running at all until we enabled these interfaces; so we're setting our bridge ID, and that's excellent: our system ID is 4096, and the priority is 4097 because of the VLAN ID there. Then we're initializing the port, spanning tree is starting up on that interface, and immediately it thinks it's the root, so it's setting all of its ports to designated ports, because it thinks it's the root right now. Then it's transmitting the proposal out because it thinks it's the root: "I'm proposing that I'm the root," and it's sending that out all of its interfaces. So it's initializing the port, setting it as designated, sending out the proposal, and look at the timing on this: it's all happening in the same tenth of a second. Then, as soon as it sends out that proposal, it receives an agreement back from the other switch on 1/0/3, which was switch 2: switch 2 agreed, saying "Yes, I think that you are the root; I will accept that," and then it will sync with its peer, switch 3,
if it has any topology change, which it should not at the moment. And it's still transmitting another proposal; it didn't get a response back on FastEthernet 1/0/2 yet, so it's still sending out another one, and then eventually here, it took a little while; this is actually a little out of line if you look at the timing, which is a little interesting: it sent out the proposal... actually I'm looking at the wrong second, but in the next second it received the agreement on FastEthernet 1/0/2, that agreement there. So you can see this is it sending out the proposals and receiving the agreements, and when they agree on who the root is, they will sync down the line, and this continues until the topology is fully converged and everything is synchronized. Thanks for running through that. Just like the others, let's go back over to the PowerPoint so that we can run through a couple of practice questions before we end. First up: in which port state does a switch port running rapid spanning tree protocol learn MAC addresses but not forward traffic? Is it the listening state, the forwarding state, the learning state or the discarding state? Well, I'm sure the word "learn" gave it away for you: it would be C, the learning state. The port states here are discarding, learning and forwarding, so C, learning, is the state in which it is accepting all non-BPDU traffic and BPDU traffic and looking at it to learn the MAC addresses that live off of that port. So the answer is C, learning. And finally: when a switch running rapid spanning tree protocol receives a new superior BPDU, what process does it start on all of its non-edge ports? Is it A, discarding; B, synchronizing; C, restarting; or D, forwarding? Now, this may seem simple,
but there are a couple of things to note. When we say a new superior BPDU, this is a new superior BPDU that it hasn't received before, so not just an additional one, because of course all of our switches continue to send out BPDUs as kind of keepalives. And what process starts on all of its non-edge ports? So, yes, if it receives a new superior BPDU that it hasn't received before, first it sends out a topology change notification, TCN. We may not have mentioned that explicitly, and you don't really need to know that that much, you just need to know the operation, but it's a topology change notification because there has been a change in topology. And the process that starts is the sync process, the synchronization process, on all of its non-edge ports, where it begins discarding, sends out the proposal and awaits an agreement. So the answer here would be B, synchronizing. I hope this has been informative for you, and I would like to thank you for viewing.

18. 2.6 Etherchannels concepts and configuration

EtherChannels: concepts and configuration. Now that we've gone through spanning tree and we understand the purpose there, to create a loop-free topology, we can talk a little bit about how we create redundancy in our network, and how we do it effectively so that we're not just wasting a bunch of links. Say you have a situation like this, where you've got your switch and another switch, a server up here and a workstation down here, and these guys are connected and these guys are connected. Let's say you want to add a redundant link here between your two switches: that's a switch, that's a switch, and you want to add this redundant link here.
Well, one of those links is going to end up blocked, and as we found out, it will be blocked on the inferior switch side on the highest port number. But let's say you actually want to use that port. You could put it in a different VLAN so that both links forward traffic, one for one VLAN and the other for the other, if you have your priorities set correctly. But what if we want them both on the same VLAN? This is where an EtherChannel comes into play: we can take these two interfaces and bundle them so that the two physical links appear as a single logical link to spanning tree. Spanning tree then counts it as a single link and does not see a loop there, as long as we create that EtherChannel.

So let's talk about what this gives us. Link redundancy: it presents multiple physical interfaces as a single logical port to spanning tree. Here is the situation I was describing, where one of your links is blocked because a loop has formed. When you create an EtherChannel, all of your links can be forwarding. Remember that what creates a loop in the first place is the way switches handle broadcasts: if a broadcast is sent down this link and this switch receives it, the switch forwards it out this link and every other link it has, because a broadcast goes out every interface except the one it came in on. In the second situation down here, though, when a broadcast comes in, it is not sent back out the other physical interface, because both interfaces are bundled into the same logical interface. The frame came in on the EtherChannel as a whole, so the switch will not forward that broadcast back out the EtherChannel.
So it behaves like a single logical interface. This allows our redundant links to be utilized instead of blocked, and it also gives us redundancy that fails over much more quickly. In the event that an interface drops out of an EtherChannel, the line protocol and the physical interface go down, and the EtherChannel simply keeps forwarding traffic without that interface in the bundle. You can have up to 16 links in here: 3, 4, 5, 6, all the way up to 16. You can also specify the minimum number of links: you could say I want four links in my EtherChannel, but I want min-links set to two, so that we can lose two of them and the EtherChannel is still considered up and still forwards traffic.

The way EtherChannels are negotiated is with LACP or PAgP. LACP is the Link Aggregation Control Protocol, which is the industry standard, and PAgP is the Port Aggregation Protocol, which is the Cisco proprietary method. PAgP is not recommended because it is proprietary, and the exam topics only cover LACP, so that is all we will really mention. Honestly, the main difference is the terminology: PAgP uses auto and desirable, whereas LACP uses active and passive as its port modes. We will discuss what those mean in just a moment.

When you bundle your links together, you also get increased throughput: we have increased the bandwidth available, because we can utilize all of these links.
That is actually the main benefit here: you get increased bandwidth between your switch links because you can utilize all of the links, rather than having one of them blocked and being stuck with a single 1 Gigabit or 10 Gigabit link. You can bundle a bunch of your 1 Gig, 10 Gig or 40 Gig links and get, say, 100 Gigabit of throughput between your switches.

That happens in a specific manner, though. EtherChannel does allow for load balancing, but the algorithm used hashes source and destination information to figure out which link to use. What this means is that if I have two switches with two bundled links between them, a workstation over here and a server over there, plus another workstation also connected, then when the first workstation tries to contact the server it sends out a frame, and this switch hashes the source and destination information. By default it uses the source and destination MAC addresses: it hashes them together and gets a number out that determines which link it will use. Which means that if this computer always talks to this server, its traffic will generally always pass through the same link. The other computer, when it talks to the same server, might use the other link instead. So if we have two 1 Gigabit links between our switches and one workstation keeps hitting this server really hard, it is only ever going to get 1 Gigabit of throughput, because the same source and destination MAC addresses are contacting each other over and over, so the traffic always lands on the same link.
But if both of these machines are transmitting and they are spread across our two individual links, with one using one link and the other using the other, we might get a full 1 Gigabit of throughput for each of them at the same time. So it is aggregating the traffic together, but based on source and destination information. Any one machine is never really going to see the benefit of the increased throughput; the benefit comes when you have many machines.

Now, you can use different load-balancing algorithms. As I showed down here, show etherchannel load-balance shows you your current load-balancing configuration, and there are different items you can select. I have seen switches that offer the Layer 4 information, your TCP or UDP port numbers, to be hashed in as well, but generally the source or destination MAC, or the source or destination IP address, will work well.

The problem you can run into is called EtherChannel polarization. Let's say you have your server here, the same configuration of two switches bundled together, and over on the other side you have another server, and these two servers talk to each other a lot, while over here you have a bunch of other workstations and so on, all connected. If these two servers talk to each other a lot, you can end up with just one of the links in your EtherChannel saturated, because you have two endpoints that are always talking to each other, and your load-balancing algorithm only takes the source and destination MAC into account, so they will always use the same link in your EtherChannel.
You end up with poor load balancing, where one of your links is very highly utilized, and that can cause problems. Load balancing works best when the number of links is a power of two. What does that mean? It means that if you use two, four, eight or sixteen links in your EtherChannel, it will balance very well, because the hashing algorithm is designed for a power of two. If you use three, five or seven links, an odd number, you can again end up with EtherChannel polarization, where one link takes over more of the traffic because of the load-balancing algorithm and it just does not balance out very well.

So let's talk about how we configure an EtherChannel and how it is negotiated up. With LACP, our Link Aggregation Control Protocol, we have the port modes active and passive, and then, regardless of protocol, we also have on, which is hard-coded. On is not recommended, because it can cause a loop if you have an EtherChannel configured on one side and not on the other. If the side that is configured is set to on, it will forward traffic, and on the other side the physical interfaces and line protocol will come up and forward traffic too, but it will not participate in spanning tree correctly, so you might end up with a one-sided loop where one of the two switches causes a loop. Now, if both sides are configured as passive, the EtherChannel will not come up. It is like having a wallflower on one side and a wallflower on the other: what do they do?
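As an added illustration of the hashing described above (this is not code from the course, and it is a simplified model rather than Cisco's actual hash), the following Python script shows how a source/destination MAC hash picks a member link, why one busy pair of hosts polarizes onto a single link, and why only a power-of-two link count splits the hash buckets evenly. The XOR-of-low-byte hash, the 8-bucket round-robin mapping and the sample MAC addresses are assumptions constructed for the example.

```python
"""Simplified model of EtherChannel source/destination MAC load balancing.

Constructed for illustration, not Cisco's actual implementation: the hash is
modelled as an XOR of the low byte of the two MAC addresses reduced to 3 bits,
giving one of 8 buckets that are dealt round-robin onto the member links.
"""


def parse_mac(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' (or the dashed form) into six raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC address: %r" % mac)
    return bytes(int(p, 16) for p in parts)


def hash_bucket(src_mac, dst_mac):
    """Return the 3-bit hash bucket (0..7) for a source/destination MAC pair.

    XOR is symmetric, so both directions of a conversation land in the same
    bucket, which is why one busy pair can never use more than one link.
    """
    s, d = parse_mac(src_mac), parse_mac(dst_mac)
    return (s[-1] ^ d[-1]) & 0x7


def bucket_shares(n_links):
    """How many of the 8 buckets each member link gets: even only for 2, 4, 8."""
    if not 1 <= n_links <= 8:
        raise ValueError("this model supports 1..8 member links")
    shares = [0] * n_links
    for bucket in range(8):
        shares[bucket % n_links] += 1
    return shares


def select_link(src_mac, dst_mac, n_links):
    """Member link index (0-based) the frame is forwarded on."""
    return hash_bucket(src_mac, dst_mac) % n_links


def link_load(flows, n_links):
    """Bytes carried per member link for flows of (src_mac, dst_mac, byte_count)."""
    load = [0] * n_links
    for src, dst, nbytes in flows:
        load[select_link(src, dst, n_links)] += nbytes
    return load


def polarization_ratio(flows, n_links):
    """Fraction of all bytes carried by the busiest member link."""
    load = link_load(flows, n_links)
    return max(load) / sum(load)


# Constructed sample traffic: two servers exchanging a lot of data, plus five
# workstations each sending a little to server B (the polarization scenario).
SERVER_A = "00:11:22:33:44:01"
SERVER_B = "00:11:22:33:44:02"
WORKSTATIONS = ["00:aa:bb:cc:dd:1%x" % i for i in range(5)]  # ...:10 to ...:14

SAMPLE_FLOWS = [(SERVER_A, SERVER_B, 9000)] + [
    (ws, SERVER_B, 100) for ws in WORKSTATIONS
]


if __name__ == "__main__":
    for n in (2, 3, 4):
        print("%d links: bucket shares %s, load %s, busiest link carries %.0f%%"
              % (n, bucket_shares(n), link_load(SAMPLE_FLOWS, n),
                 100 * polarization_ratio(SAMPLE_FLOWS, n)))
```

With three links the buckets split 3:3:2, so one link is favoured even before the busy server pair is taken into account; with two or four links the buckets split evenly, but the server-to-server conversation still sits entirely on one member link.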
They stare at each other and wait for the other one to do something, so with both sides passive it will not come up. With both sides active, it will come up, but it takes a little bit longer: it is as if they both run at each other, bump heads, step back for a moment and say, oh, we actually do want to negotiate an EtherChannel, and then bring it up. One side passive and the other active is the quickest and best way to get your EtherChannel to come up; it will come up a little faster and work excellently for you.

As for the requirements for configuring an EtherChannel: first and foremost, all of your ports must be of the same type, all FastEthernet or all GigabitEthernet, and so on, and they need to have the same physical interface configuration, the same speed and duplex settings; your physical interfaces should all be identical. As for the switchport settings, chances are you will configure this with the interface range command: you will do something like interface range FastEthernet 1/0/1 - 4, land in interface-range configuration mode, and do the configuration there on your range, telling it which channel group to be in. When you do that, the switchport settings, the logical port settings, from the first port are copied to the others in the channel group: the allowed VLANs, the PortFast setting, the port priority, the channel-group setting. When you apply it, it is really copied from the first port to the others, so whatever is on the first port is what will be on the others. What I recommend is to set all the ports to be the same to begin with, so you know for sure what it is going to be,
and you can actually visualize and see in your config what those port settings will be before you configure your channel group, so you don't have to guess. As for the actual configuration, it is the channel-group command on the interface that adds the interfaces to an EtherChannel. A Layer 3 EtherChannel is also possible: you configure your interfaces to be in channel-group 1, for port-channel 1, and then you go into your EtherChannel interface with interface Port-channel 1, which you can abbreviate as interface Po1. Once you are in that interface configuration mode, you can do no switchport, and you have just created a Layer 3 EtherChannel, a routed EtherChannel interface: multiple physical interfaces that form together into one logical routed interface. That can be really useful as well and very helpful in a lot of circumstances.

What I want to do from here is configure an EtherChannel on our same topology down here. I have it open in GNS3 right now, so let's slide over there for a moment. I have done zero configuration here; this is all freshly turned on, so we will need to open up our interfaces and assign our configuration items. I'll show you that when these are connected and our interfaces are up, two of these three interfaces will be in blocking state, and that when we configure our EtherChannel they will be in forwarding state with spanning tree. Then we will configure our IP addresses, 10.0.0.1 and 10.0.0.2, and ping between them just to show that we have connectivity. So let's get that going. First, let's move over to L3 Switch 1. We do want to go through our initial configuration.
All right, so here we are back. I went ahead and swapped out the switches that were here for the correct switch image so that we can actually get our EtherChannel configured and run spanning tree as well. So let's get this configured now. I haven't done much of anything to any of these except set their hostnames, just so we can see which device we are actually on. Over on Switch 1, let's check back here. We have Ethernet 0/1, 0/2 and 0/3 on each side as our EtherChannel interfaces that we are going to bundle together, so let's get that going. On our first switch, if I do show interface status, we have Ethernet 0/1, 0/2 and 0/3 negotiating as trunks, and they are up and connected. Now, all interfaces show as connected simply because they are emulated interfaces in GNS3; that's just the nature of GNS3.

Let's do our EtherChannel configuration on our interface range: interface range Ethernet 0/1 - 3. Excellent. If we do a do show run, all of our interfaces should be configured the same. Yep, they all have no configuration: 0/1, 0/2 and 0/3 just have duplex auto. Right now we don't care about any other configuration; we only have one VLAN, VLAN 1, so we are just going to get our EtherChannel configured and up. If I do a do show spanning-tree, we are on the root switch here, so we would actually need to go over to the other switch to show that some of these are blocking. Doing do show spanning-tree on Switch 2, we have Ethernet 0/2 and 0/3 as alternate ports in blocking state; those are our most inferior ports and they are the ones blocking to prevent a switching loop. So let's get those unblocked. On the interface range, we do channel-group 1 mode.
Here is where we select active, passive or on. We are going to do active on this side. Excellent: creating a port-channel interface, Port-channel 1. This does reset your interfaces; they go down and then come back up. Yep, and they are suspended because we don't have LACP configured, we don't have any EtherChannel configured on the other side, so it is not negotiating the port channel. Let's go ahead and negotiate that on the other end: interface range Ethernet 0/1 - 3, same thing, channel-group 1 mode passive. Actually, first I wanted to show you with do show run that this applies the configuration to all three interfaces, because we are in the interface range, and also that this is the same configuration as the other switch: all we have is duplex auto, and up here the port channel is now configured. This is a switchport interface, and this is where I was talking about being able to do no switchport and turn it into a routed interface. That is the same thing you would do on any of your interfaces, even if it is not an EtherChannel: if you want to turn it into a routed interface, you do no switchport and then assign an IP address to it. It is as if that interface exists in its own VLAN and has an IP address; it will not switch traffic out that interface, and any traffic coming into that interface will be routed instead.

So we do have a message here saying LACP is currently not enabled on the remote port. I don't know if that is actually true; it may have just taken a moment. Yep, the port channel came up once it negotiated; that took about one second. So we do end and show etherchannel. You can do show etherchannel summary or just show etherchannel.
We have EtherChannel group 1 with three ports. The maximum number of ports in this EtherChannel is four; that just happens to be the image we are on and the software version, and we could set that. We could also do show etherchannel load-balance, as we saw previously. This one is using source and destination IP address to load balance; it hashes that information together to choose which interface it will forward the traffic through.

Now, if we do our show spanning-tree here, all of our interfaces are in designated state and forwarding, and Po1, our port channel, is now our root port. Spanning tree sees this as a single logical interface, and in fact it dynamically adjusts the cost based on the cost of the interfaces that are members of that port channel. If you use dynamic negotiation, auto or desirable, or active or passive, it will dynamically adjust the cost based on how many ports are active within that EtherChannel at the time. That is pretty cool in itself, but it is also something to be aware of: if you have several port channels, say two port channels connecting your infrastructure together, one of them may be blocked and the other is your root port channel. In the event one of the interfaces falls out of a port channel, you could have a convergence event, because the cost of that port channel went up so that it is no longer the optimal path to the root, and a spanning tree convergence event could happen because of that. So I just wanted to take you through configuring an EtherChannel, configuring a port channel, and show you what happens with that. Now, just like the other sections,
let's run through a couple of practice questions before ending.

First up: what is the interface command used to place an interface into EtherChannel 2? Now, we just saw this, and the full command is not quite listed here: we would also need to select what type of negotiation we want, or statically set the mode for your EtherChannel to on. But this is a physical interface command, not a switchport command: channel-group 2 is the command we would use to place it into EtherChannel 2, so the answer is C.

And finally: what two pieces of information does a switch use by default to determine which link to send traffic over in an EtherChannel? We did see on the particular switch we were connected to, which is an image in GNS3, that it was using the source and destination IP address, but most generally you will see it use the source and destination MAC address, so A and C are our answers. I hope that this has been informative for you, and I would like to thank you for viewing.

19. 2.7 wireless architectures and AP Modes

Wireless architectures. This video is going to be very theory heavy; we will not have any lab sessions here. It is about the architectures and modes of operation that you can have with your lightweight access points in a Cisco Wireless LAN Controller environment, and how that works from a more general perspective. In the following videos we will go through some lab exercises on how to configure these and see the interface of the wireless controller. So first let's talk about the types of access points you will see in the access point architectures. There are two main architectures: centralized and autonomous.
The way you will see this is that you can have either LAPs, lightweight access points, or autonomous access points. A lightweight access point requires a controller; it relies on the wireless LAN controller for a lot of different functions. It will do things like authentication, and it can operate in a split-MAC architecture where your traffic is actually tunneled back to your controller. So right here we have our controller, and here are our wireless access points, our lightweight access points. This here is just some arbitrary wired infrastructure; it could be a whole campus, there could be a WAN link in between, you could have hundreds of switches and routers and all sorts of things in between. What these lightweight access points do is create a CAPWAP tunnel, the Control and Provisioning of Wireless Access Points standard: an encrypted tunnel between the lightweight access point and the controller. There is a lot of different information that flows through that tunnel. One part is control information, your authentication information and things of that sort. Your lightweight access point does handle some things itself: the buffering of frames, the beacon intervals, the actual creation of the beacon frames it sends out, and some items like that are handled by the access point. But a very large number of control items are handled by your wireless controller.

Now, an autonomous access point is probably what you are more used to. This is your standard access point that you go over to Micro Center or Best Buy or wherever and purchase, and it operates on its own, independently. You configure an SSID on that one access point and that access point operates alone. This causes some problems if you have a larger environment, or even a relatively small environment
with a large enough office that you want your SSID to span across the whole office. Sure, you can configure the same password on each of the access points and have them all broadcast the same SSID, and your computer will disassociate from one access point and re-associate to the other. But it has to run through a process to do this: you will actually have a service disruption, as it needs to disconnect from one, reconnect to the other, and go through DHCP again if it is using DHCP for address assignment, to get that connection going again. Whereas with lightweight access points in a controller-based centralized architecture, you can have inter-access point roaming and do not need to go through a lot of that process; it can be much more seamless and a much better experience for the end user. That is the access point architectures, the difference between centralized and autonomous architectures.

Now let's talk about the MAC architecture: split MAC versus local MAC. In split MAC, the wireless controller is the entry point for wireless client data. This diagram shows what we had with our CAPWAP tunnel: we have our arbitrary amount of wired infrastructure, and then we have our wireless controller and the physical interfaces the wireless controller uses to connect into our infrastructure. With the split-MAC architecture, your wireless client transmits data to the wireless access point, the access point receives that data, and it actually sends it out through that CAPWAP tunnel. So it traverses the network across the VLAN that your access point is on; typically
you would have a management VLAN just for your access points, and that is where your data is tunneled on its way to the wireless controller. Then, depending on which SSID you are connected to, the wireless controller dumps that traffic out onto the network on the appropriate VLAN, using what is called a virtual interface; it sends it out through that virtual interface, and that is the physical entry point of your traffic onto the network. So if you have, say, a guest network, your guest SSID, and your wireless client is connected to the guest network, you do not need your guest VLAN to appear at the switch where the wireless access point is connected. You only need the management VLAN that your wireless access point uses to connect to the wireless LAN controller. The only place you need your data VLAN, your guest VLAN, your voice VLAN and so on is where your wireless controller connects into the network. This allows for a single point of entry into the network. It is a much safer and more appropriate design, because you do not want your insecure VLAN appearing out on the network, spread end to end across all of your access points, if it does not need to be there. Those access points are connected to your access layer switches, and you do not really want your guest network showing up on your access layer switches if you don't have to. You don't need somebody plugging in and using VTP, or your trunking protocol, DTP, Dynamic Trunking Protocol, to negotiate a trunk with you and then being able to transmit or receive traffic on the guest network without any security whatsoever. That is where split MAC comes in handy. Now, local MAC, of course.
This is the more traditional fashion. This is where you have your autonomous access point, though it does not necessarily have to be an autonomous access point: you can have a lightweight access point that operates in a local-MAC fashion, and we will talk more about that a little later when we discuss REAP and H-REAP. Local MAC is where your traffic enters the network right at the access point; that is your entry point for your data, and so you need all of the VLANs for your SSIDs to appear on the switch where that access point connects into your network.

Now, we talked a lot about these CAPWAP tunnels. There is also another standard called LWAPP. LWAPP is deprecated and not really used any more; it can be used as a fallback. It is not covered in the exam topics for this exam, but I did want to mention it here, and we will briefly mention the ports used for it. LWAPP is Cisco proprietary, but even Cisco is letting go of it and preferring CAPWAP instead, which is the newer and more preferred protocol and the industry standard. CAPWAP uses DTLS for transport layer encryption, encrypting the traffic between the lightweight access point and the wireless controller. For CAPWAP I would know these port numbers: it uses UDP 5246 for the control information and UDP 5247 for the data. So if we are sending client data across, it is sent using 5247, and the control information for controlling the lightweight access point from the WLC uses 5246. For LWAPP you don't necessarily need to know these, because it is not really mentioned in the exam topics, but I wanted to show it for your information: UDP 12222 for control and 12223 for data, and it uses AES for encryption instead of DTLS.

Now, that is our tunnel. Our lightweight access points actually have several different operating modes. It is not just that you put a lightweight access point out there for clients to connect to and that's it; we can do a lot of other things with a wireless radio out there. We can provide other services, and with the help of a controller that can listen in on many lightweight access points and gather all of that information together, we can get a really interesting picture of what the wireless environment looks like across our campus. That is what some of these AP modes provide. Our standard default operating mode is local mode, of course: this is where the AP handles client traffic, operating as a wireless access point into the network; your clients connect and associate and it just handles wireless traffic. Now, this is where the local-MAC architecture comes into play again, with H-REAP or FlexConnect. H-REAP, Hybrid Remote Edge Access Point, is actually a deprecated name for this; the new name is FlexConnect.
You will still see H-REAP every now and then, though. This is for managing your lightweight access point over a WAN connection. Say you have your HQ over here and your branch office over here, with a WAN connection between the two. Your wireless controller is here at HQ and your wireless access point is over at the branch; if this WAN connection goes down, boom, your wireless goes down. What I am seeing a lot more of is this: it used to be that you had your WAN connection here, all of your Internet traffic from your branch went across that WAN connection and then out to the Internet from HQ, and your return traffic came back the other way. That's not really how people do it that much anymore. Because you don't want to saturate a very expensive WAN connection with all of the Internet traffic from your branch, you have your own Internet connection at the branch and your Internet traffic goes out from there. But with your lightweight access point, a lot of your functions end up happening at your controller. So generally, if you are operating in standard local mode and your WAN connection goes down, remember your CAPWAP tunnel carrying user data back to HQ: that goes down because your WAN connection went down. This is where H-REAP and FlexConnect come in. They allow your lightweight access point to operate a lot like an autonomous access point,
It uses the local MAC architecture to have your client data go out onto the network where the access point connects in, so that your Internet-bound traffic can go out to the Internet directly from our branch office and not have to go across our WAN link to get there. You might have your private WAN link here, and your HQ-destined traffic will just be routed at the router at your branch office and sent across that WAN link from there. That's where FlexConnect comes in handy; that's where you end up using it: when you have a branch office or some other remote access point that you want to operate in a local MAC kind of situation, a situation where it might lose connectivity to the wireless controller but you still want it to be operational. Our other modes: monitor mode. Monitor mode is not one where the AP handles client data. This only provides location-based services; it sits there listening to your clients and provides location-based services. Rogue detector: this is where your access point sits there and listens. It's listening for other SSIDs, for other beacons being broadcast, and it sends all of that information over to your wireless controller. Your wireless controller can listen to multiple access points, see how strong that signal is from each of them, and from that you can know, relative to your access points, where this rogue access point, this rogue SSID, is out there. Because of that, it can also check the broadcast MAC address of the SSID that it's hearing and see if that MAC address is showing up on your wired network.
So then you know if there is some wireless entry point onto your network that is not controlled by your wireless controller. And this happens all the time, of course. Let's say you've got your campus here: building, building, building, and you've got a wireless access point here, another one here, another one over here. Let's just say there's a desk right here, a desk outside, and Bob comes in. Bob's working here on his computer. Bob's all happy; he's working on his computer. But Bob has really crappy wireless signal from these APs that are really far away. So what does he do? He happens to have an Ethernet port right there that we actually ran, a cable out to this desk that's outside, and he doesn't have a wired connection on his computer, so he needs wireless. So what does he do? He brings in a wireless router from his home and plugs it in to create his own wireless network right here. Bob's real happy. He's got strong signal now, he's on the network, he can access the things he needs to access, and he's got a wireless network there. Well, on this wireless network he may have just left the encryption open. He might have it so that you don't need a password to get on, and now you have a wireless entry point onto your wired network that you do not control. So, the MAC address being broadcast here by this wireless access point that Bob brought in: let's say you have a wireless controller right here.
Your wireless controller can listen in to these wireless access points, which are hearing the beacons from that router Bob brought in and sending the MAC address back to our wireless controller. The wireless controller sees that MAC address on your network and can warn you and make you aware of the fact that there is a wireless entry point onto your network that you do not control, and that it is a rogue access point. The other mode they can operate in here is sniffer mode. Sniffer mode is only supported with AiroPeek. It's used as just a wireless capture: it'll capture wireless frames, and it'll capture all traffic on a given channel. AiroPeek is a piece of software that you need in order to operate in sniffer mode and get that information. And then finally you have wireless bridge mode. Let's say you've got a building right here and a building right here, and there's a highway going between them with cars driving around. You just bought this building over here, and it's going to cost you some obscene amount of money to dig up the ground and lay a fiber cable between the two, or lay any cable between the two, to get that connectivity. Well, you can have a wireless bridge between the two, such that now you have this whole LAN out here, with your offices and all your workstations here and your workstations there, and you've just got this wireless bridge between the two. Or, better yet, you've got some remote little shed out here that needs connectivity, and you can have a wireless bridge there.
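The rogue-detector correlation just described, written out as an added example that is not from the course and not Cisco's controller software: a Python function takes constructed beacon reports from several managed APs, flags any BSSID the controller does not own, picks the AP that hears it loudest (the "where is it" part), and checks whether that MAC shows up in a constructed wired MAC table (the "rogue on wire" part). The optional neighbour_span argument is an assumption of mine, not something the lecture states: many consumer routers number their radio MAC a few addresses away from their wired MAC, so a small tolerance catches more of them. All AP names, MAC addresses and switch ports below are made up.

```python
"""Correlate rogue beacons heard by managed APs with the wired MAC table.

Constructed sample data throughout; nothing here is real controller output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BeaconReport:
    ap: str      # managed AP that heard the beacon
    bssid: str   # source MAC of the beacon frame
    ssid: str
    rssi: int    # dBm; a higher (less negative) value is a stronger signal


# Constructed: BSSIDs of the radios our own controller manages
MANAGED_BSSIDS = {"00:11:22:aa:00:01", "00:11:22:aa:00:02", "00:11:22:aa:00:03"}

# Constructed: what three managed APs in rogue-detector mode reported hearing.
# "bobs-wifi" is heard loudest by AP-Bldg1, so that is where to go looking.
REPORTS = [
    BeaconReport("AP-Bldg1", "00:11:22:aa:00:02", "corp", -61),
    BeaconReport("AP-Bldg1", "d8:9e:f3:12:34:56", "bobs-wifi", -45),
    BeaconReport("AP-Bldg2", "d8:9e:f3:12:34:56", "bobs-wifi", -78),
    BeaconReport("AP-Bldg3", "d8:9e:f3:12:34:56", "bobs-wifi", -85),
    BeaconReport("AP-Bldg2", "aa:bb:cc:dd:ee:ff", "neighbour-cafe", -88),
]

# Constructed: MAC address table collected from the wired switches (mac -> port)
WIRED_MAC_TABLE = {
    "d8:9e:f3:12:34:56": "SW-Bldg1 Gi1/0/24",
    "00:11:22:aa:00:01": "SW-Bldg1 Gi1/0/1",
}


def mac_to_int(mac: str) -> int:
    """Turn aa:bb:cc:dd:ee:ff into an integer so nearby MACs can be compared."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def find_rogues(reports, managed, wired, neighbour_span=0):
    """Return {bssid: info} for every BSSID the controller does not manage.

    info holds the SSID, the RSSI per reporting AP, the AP that hears it
    loudest, and the wired port the MAC was seen on (None if not on the wire).
    neighbour_span: also count wired MACs within +/- this many addresses of
    the BSSID as a match (assumption: consumer routers often derive the radio
    MAC from the wired MAC by a small offset). 0 means exact match only.
    """
    rogues = {}
    for r in reports:
        if r.bssid in managed:
            continue  # one of ours, not a rogue
        entry = rogues.setdefault(
            r.bssid, {"ssid": r.ssid, "heard_by": {}, "closest_ap": None, "on_wire": None}
        )
        entry["heard_by"][r.ap] = r.rssi

    for bssid, entry in rogues.items():
        # strongest signal approximates the nearest managed AP
        entry["closest_ap"] = max(entry["heard_by"], key=entry["heard_by"].get)
        base = mac_to_int(bssid)
        for mac, port in wired.items():
            if abs(mac_to_int(mac) - base) <= neighbour_span:
                entry["on_wire"] = port
                break
    return rogues


def classify(rogues):
    """A rogue whose MAC is on our wired network is the one to act on first."""
    return {
        bssid: ("rogue-on-wire" if info["on_wire"] else "rogue")
        for bssid, info in rogues.items()
    }


if __name__ == "__main__":
    found = find_rogues(REPORTS, MANAGED_BSSIDS, WIRED_MAC_TABLE)
    for bssid, verdict in classify(found).items():
        info = found[bssid]
        print(f"{bssid} ssid={info['ssid']!r} {verdict} "
              f"closest={info['closest_ap']} wired_port={info['on_wire']}")
```

Run stand-alone it prints one line per non-managed BSSID; Bob's router is reported as rogue-on-wire on the port of the building where it is heard loudest, while the cafe next door stays an informational rogue because its MAC never appears on our switches.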
It acts as a point-to-point or point-to-multipoint wireless bridge: this one and this one could both be connecting to this one. It's not relaying; they're both just connecting to this one, and that would make it point-to-multipoint. You're actually doing a LAN-to-LAN connection, and it's acting as a wireless bridge. Now, that's all I had for this section. I know it's been very theory-based and really heavy in that respect. I would really make sure that you remember the access point modes, the local MAC and split MAC architectures, and that you understand the CAPWAP tunnel and its role in the wireless architecture, and also what ports those operate over. Now, just like the other sections, let's run through a couple of practice questions before we end off here. First up: which MAC architecture, in a centralized AP deployment, would allow wireless clients to still access the Internet using a branch office's Internet connection if communication with the wireless controller is lost? Now, this is a little open to interpretation. This is taking that same kind of situation where we've got our wireless controller here in our HQ, some branch office out here, our WAN connection between the two, our wireless access point here, and an Internet connection out to the Internet from our branch office. In this kind of circumstance, if our WAN connection went down, which MAC architecture would allow wireless clients over here at the branch to still access the Internet using that Internet connection right there? We know that the answer is split MAC. Actually, that is not correct. The answer here is local MAC; that is the architecture that would end up allowing that. Please don't pay attention to this. My apologies. The answer here is local MAC. And then: which access point mode does not handle client data and only provides location-based services?
Now, only three of the four here are actually access point modes. Local mode is our normal, regular mode, where it's handling client data. Beacon is not an access point mode. Sniffer mode requires AiroPeek and acts as a wireless capture device, and monitor mode is the one that provides location-based services. I will correct the previous question in the uploaded PowerPoint before I upload that here. I hope that this has been informative for you, and I would like to thank you for viewing.

20. 2.8 Physical WLAN connections

WLAN infrastructure: physical makeup and management. In this video we're going to be talking about the physical infrastructure requirements of your wireless LAN infrastructure. Where do your access points connect into your network, and what are the requirements there? Where does your wireless LAN controller connect into the network, and what are the requirements there? What kind of traffic will you see, what sort of VLANs do you need going to each of these devices, and how does this all work? So first up, let's talk about our access point network connection. Lightweight access points only require management connectivity to the wireless controller. This is because we use our CAPWAP tunnel to tunnel our client traffic back to the wireless controller. This tunnel is going to be a DTLS tunnel for encryption, and once it forms, you only need this management VLAN going to the lightweight access point; all of your client traffic gets sent back to your wireless controller before it's put out onto the network there. We talked about this a little bit before, where you don't need end-to-end VLANs in a wireless infrastructure: if you have a guest wireless network, you don't need your guest VLAN wherever your access point connects into your network; you only need it at your wireless controller and in the infrastructure from that point on.
That's because of the CAPWAP tunneling and the split MAC architecture. Remember the difference between local MAC and split MAC: whether the access point handles local Ethernet switching to put your client traffic onto the network at the access point, or whether it tunnels it back to the wireless controller and puts it onto the network there. So lightweight access points typically reside in their own VLAN. Generally you'll find there'll be a VLAN, say VLAN 100, and this is going to be your Wi-Fi VLAN where all of your access points reside. They'll be in their own network there, in their own broadcast domain, so that you don't bog down any of your other VLANs with the traffic these are going to be generating. It's also for security, so that nobody can snoop in on all of your wireless traffic as it traverses your wired network; even though it is encrypted, you wouldn't necessarily want to expose that as another attack vector onto your network. So then, moving on. Actually, first I just want to show the bottom of a lightweight wireless access point here. Right here is going to be your Ethernet port, your RJ45, to connect into the network. This is going to be the console port, if you need to console directly into your access point to get command-line access, perhaps because it's not working or you need to do some troubleshooting; that would be how you connect. Generally these are Power over Ethernet, but they do have the ability to take external power here: you could connect a power brick and plug it into the wall to get power to this thing. But generally they're all Power over Ethernet capable.
As long as you have a Power over Ethernet switch or injector, you should be able to supply power in that fashion. Moving over to our wireless controller: on the wireless controller, our physical connections are called ports. Now, this is something important to get used to as far as the terminology for a wireless controller: interfaces are not ports. On a switch or on a router, a lot of times we'll reference an interface, and we just need to get away from that here and understand that we have many virtual interfaces that are used through our physical ports. Down here we've got a 5508 wireless controller. This actually has all SFP ports for its physical connections, and then over here, that one is going to be our out-of-band management port; that is our service port. These physical ports are used for all the other traffic, for our wireless traffic and our authentication traffic, and they can all be aggregated into a LAG using LACP or PAgP, depending on your software version, to make sure you get more throughput out of them. This is going to be where all of your client traffic comes in and out, and your access point management traffic: here your dynamic interfaces carry your client traffic, and you have the AP-manager interface for your access point management. Now, you can do your management interface through your service port, your out-of-band management, or it can go through your standard port here, your physical port, for your management interface. That's how that connects into the network. All of your VLANs for your wireless networks, for your SSIDs, will need to appear at the location where your wireless controller plugs into the network. All these VLANs, VLAN A, B and M, are for your wireless traffic, for your client traffic, and for your management interface; that management VLAN needs to appear here, and so does your AP VLAN.
We just talked about that: you generally have a separate VLAN just for your access point management, and that VLAN needs to appear here as well. This is why your wireless controller typically has a very central location in your network. It's usually going to appear close to your core, because all of your traffic is going onto the network at this location, so this typically resides very close to your core or in that area. So then, also, you don't need to spread your client VLANs out across the network as end-to-end VLANs; they can just reside either in your core or in the distribution block that this wireless controller appears in. Now, of course, the physical ports are all trunks by default, so your connections, of course, will need to be trunks, as implied by the different VLANs that need to appear here. And like I said, they can be aggregated to get higher throughput. So let's talk a little bit about our management access and how we actually get into our wireless controller for management. The exam is only going to talk about some management access and tasks that need to be performed in the web GUI. This is a screenshot of the Monitor tab of the web GUI for this 5508 controller, just to show you. You've got a little picture of the front of your controller showing which ports are actually active, and we've got our management address and our service port IP address here for out-of-band management, if we want it. So the management IP address goes out one of these physical ports, whereas the service port IP address is our service port, our out-of-band management IP address.
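The VLAN placement rules from this section (the AP port only needs the AP VLAN; the WLC port must be a trunk carrying the management, AP-manager, client and AP VLANs), as an added example that is not from the course or from Cisco: a small Python audit that parses two constructed IOS switchport stanzas and reports what is missing. The interface-to-VLAN mapping, VLAN numbers, port names and descriptions are all assumed for illustration.

```python
"""Check that the right VLANs appear on the AP-facing and WLC-facing switch ports.

Constructed configs and VLAN numbers; not output from any real switch or WLC.
"""
import re

# Constructed: the controller's interfaces and the VLAN each one is tagged with
WLC_INTERFACES = {"management": 10, "ap-manager": 10, "corp": 20, "guest": 30}
AP_VLAN = 100  # constructed: the VLAN the lightweight APs live in

# Constructed IOS stanza for the port a lightweight AP plugs into:
# an access port in the AP VLAN is all it needs, client VLANs are tunnelled.
AP_PORT_CONFIG = """
interface GigabitEthernet1/0/24
 description LAP-Bldg1
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
"""

# Constructed IOS stanza for the port the WLC plugs into: every client VLAN,
# the management VLAN and the AP VLAN must be allowed on this trunk.
WLC_PORT_CONFIG = """
interface TenGigabitEthernet1/1/1
 description WLC-5508 port 1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,100
"""


def expand_vlan_list(spec: str) -> set:
    """'10,20-22,100' -> {10, 20, 21, 22, 100}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_switchport(config: str):
    """Return (mode, access_vlan, allowed_vlans) from one IOS interface stanza."""
    mode, access, allowed = None, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"switchport mode (access|trunk)", line):
            mode = m.group(1)
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            access = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan (\S+)", line):
            allowed = expand_vlan_list(m.group(1))
    if mode == "trunk" and allowed is None:
        allowed = set(range(1, 4095))  # IOS default: a trunk allows all VLANs
    return mode, access, allowed


def audit(ap_cfg: str, wlc_cfg: str, wlc_ifaces: dict, ap_vlan: int) -> list:
    """Return a list of findings; an empty list means the placement is right."""
    findings = []

    mode, access, _ = parse_switchport(ap_cfg)
    if mode != "access" or access != ap_vlan:
        findings.append(
            f"AP port should be an access port in VLAN {ap_vlan}, got mode={mode} vlan={access}"
        )

    mode, _, allowed = parse_switchport(wlc_cfg)
    required = set(wlc_ifaces.values()) | {ap_vlan}
    if mode != "trunk":
        findings.append("WLC port must be a trunk")
    else:
        for vlan in sorted(required - allowed):
            findings.append(f"VLAN {vlan} missing from WLC trunk")
    return findings


if __name__ == "__main__":
    for finding in audit(AP_PORT_CONFIG, WLC_PORT_CONFIG, WLC_INTERFACES, AP_VLAN) or ["ok"]:
        print(finding)
```

The same audit run against a trunk that only allows VLANs 10 and 20 reports the guest VLAN and the AP VLAN as missing, which is exactly the failure you would see as "clients on the guest SSID get no DHCP" or "APs never join the controller" in production.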
Now, where this is important is for external authentication: for your TACACS+ or RADIUS authentication, for your 802.1X wireless authentication, or for authenticating into the device itself, into the controller, using that TACACS+ authentication to allow an administrator into the controller. That is going to use our management IP address. It's not the service port IP; the management IP address will be the source IP address of that authentication query. This is important if you've ever configured RADIUS before, where you need to identify your RADIUS authenticator by its source IP address. It's the client IP address you typically configure in your RADIUS server to identify which device is sending a RADIUS authentication request, and this management IP address is the one you'll need to use to do that. So, like I said, the wireless controller is managed through the web GUI, or you can also SSH or Telnet into it to get command-line access to your wireless controller. It does have some additional features there, where you can run your debugs and get some additional information, but for the most part your management is going to happen through the web GUI for configuring wireless LANs or getting client information; you have a lot more information readily available to you through the web GUI. Now, I do want to talk a little bit about these management protocols: SSH, Telnet, HTTP and HTTPS. Both of those last two are configurable; the wireless controller can be managed through HTTP or HTTPS, so encrypted or not encrypted. And then there are also RADIUS and TACACS+. The exam topics for the CCNA very specifically say to describe these management protocols, so I want to make sure that you're aware of the ports they use, what their purpose is, and whether they use encryption or not. So, encrypted management is always preferred.
You'll always want to encrypt your management access. That is best practice. You'll never want to use HTTP unless you have to; you'll never want to use Telnet unless you have to. HTTPS for encrypted web access and SSH for encrypted command-line access is the way you'll want to go. RADIUS and TACACS+: there is a little bit of debate as to whether TACACS+ is preferred or not. RADIUS is more commonly used and, in my opinion, a little easier to set up, because there are so many RADIUS servers available. These are your AAA servers, your authentication, authorization and accounting servers. These are the servers that host your user accounts, where your controller (or your access point; I'm sorry, your controller) will send the username and password request, along with what it is you're trying to access, and the RADIUS server will reply as to whether that is authorized or allowed or not. Telnet and SSH are your command-line interface protocols, the ones you'll use with PuTTY or another terminal emulator to get command-line access into your devices. Telnet has no encryption whatsoever. If you've ever run Wireshark against a Telnet conversation where someone typed in a password, you'd be able to see the password in plain text in your Wireshark capture, right there in your packets. Telnet offers zero protection whatsoever, whereas SSH does exchange SSL keys; it is a secure shell and does encrypt all of its communication back and forth. Just for a little bit of information as far as the encryption goes: RADIUS will only encrypt the password in its communication and in its queries, whereas TACACS+ encrypts the full conversation; the whole packet is encrypted. Whether that's preferred or not is a little up for debate. It is always better to have more encryption, in my opinion, but RADIUS is just a little easier to set up because of how widely available it is.
I would make sure that you're aware of the port numbers for each of these. For HTTP and HTTPS, you're probably very aware of port 80 and 443 TCP. Telnet uses 21 TCP, SSH 22 TCP. The ones you may not be so familiar with are RADIUS and TACACS+. RADIUS uses UDP; it is not a connection-based protocol. It is 1812 UDP by default. TACACS+, however, does use TCP, as port 49 TCP by default. So then let's move over into our management a little further here and just show how we configure the management access in our wireless LAN controller. Just to let you know, it's going to be over here in the Management tab. Then we've got our options for HTTP/HTTPS and then also Telnet and SSH. All of these are configurable: you can configure whether to allow HTTP or HTTPS, or whether to allow Telnet or SSH. In this particular controller, we only allow HTTPS and SSH; Telnet and HTTP are not allowed. You also have your timeout configuration here, HTTPS redirection in case you navigate to the HTTP website, if you want it to automatically redirect to HTTPS for that management access, and then the maximum number of sessions, your maximum number of clients that are able to connect via Telnet or SSH at any given time, the concurrent connections. So that's the wireless controller management access and how you end up gaining access and configuring that access through the web GUI. Let's talk a little bit about how you manage an access point, a lightweight access point. The lightweight access point can be managed through SSH or Telnet, or through the console port via the CLI. You can't do a whole lot of management there; it's really just to get it connected to the wireless controller or to do some debugging. If you need that, we can connect into the access point itself and get that information. I just want to show you here what a show version on the access point looks like.
We've got a lightweight access point 1242; this is the show version output of that. There is some more information up here, but I just had one screenshot here to show you what that would end up looking like. And then down here in our wireless controller: this is really where you're going to manage your access point, mostly, unless you need to do debugging and get into the command line to debug some connections. Then you might go through the command line, but otherwise you're going to go through your wireless controller, and that's over here. This is the Advanced tab, where we configure whether it is allowed to SSH or Telnet into the access point itself. To get here, this is going to be in your Wireless tab and then over in All APs. Now, you can choose whether you want to just list the 802.11a/n/ac radio access points or the 802.11b/g/n access points, or the global configuration to set all of them at once; this Telnet and SSH configuration is available in the global configuration, so you can set all of them at once. But if you just want to set an individual access point, perhaps because you just need to get into it to do some debugging, then you can go into the individual access point: go to All APs, click on the access point that you want to get into (this is the particular MAC address for this access point), and then on the Advanced tab we have our Telnet and SSH configuration. We would want to check these boxes if we want to allow Telnet or SSH access to that particular access point. Like I said here, management access must be enabled per access point or globally. So with that, like the other sections, let's run through a couple of practice questions before we end off here. First up: what interface is used by the wireless controller to communicate with external authentication servers? Is it a) the virtual interface, b) the dynamic interface, c) the management interface, or d) the service interface?
So specifically, this is about which interface is used. Remember, the service port is our physical out-of-band management port; that is not where our authentication requests originate from. The virtual and dynamic interfaces are for our AP management and our wireless client traffic. The answer here will be c: the management interface is what is used to communicate with external authentication servers. And finally: in order to manage a lightweight access point directly, navigate to the access point's IP in a web browser. True or false? The answer here is going to be b, false. You cannot manage an access point directly through a web GUI; it does not have one. You can get to it by command line through SSH or Telnet, but that will have to be enabled; it is disabled by default, and it'll have to be enabled per access point or globally for all of your access points so that you can get in through the command line. Thank you for joining. I hope that this has been informative for you, and I'd like to thank you for viewing.

21. 2.9 Configuring an SSID on a WLC

Configuring a wireless LAN. In this video, we're going to spend all of our time in a wireless controller. This exam topic has us cover configuring a wireless LAN through the wireless controller GUI only, and we should configure items such as the security settings, the QoS profiles and some wireless LAN settings, and go over the general creation of a wireless LAN. It really feels like Cisco is trying to make sure that you, as a CCNA, understand how to administer a wireless network where a Cisco wireless controller is used, and that you actually have the information and the skills necessary to get in there and do administrative tasks. First, I did want to go over what you can do as far as a lab environment for this. Wireless controllers are a little difficult to get your hands on.
I have not found a way to emulate this in GNS3 yet, but they're pretty cheap, though. I do want to go over this real quick so we can take a quick look. I did a brief search over on eBay, and we can pick up a 2106 for 30 bucks. Mind you, that doesn't come with the power cord or anything like that, but still, you can see here's one with free shipping for $37 with the power cable, and you can pick up the lightweight access points pretty cheap as well. So for, like, 50 bucks, you could end up getting yourself a wireless lab to work with. It may or may not be worthwhile; the information we're covering here should be enough to get you to CCNA, but if you're looking to go for any of the wireless specialties, you might want to pick up a controller so that you can work with it. So without further ado, let's jump into our wireless controller here and take a look at things. Here we've got a 5508 wireless controller. This is actually a production controller, so you're going to see some wireless LANs there that I didn't put there, but we're going to create a test wireless LAN so we can go through that process and show you where the configuration items are. First, just to give you a brief overview of the interface here: we're on the Monitor tab right now, and we have our general summary with the management address. It also tells you your software version and what ports are active on your wireless controller, and you can get some information about how many radios you have on your access points, the most recent log entries and the most recent traps that are going on here; we have a few rogue access points detected here. In order to create a wireless LAN, we're going to go over here into our WLANs tab. This lists your existing WLANs. Now, on this page we have the option to go into our AP groups.
I do want to talk about that here for just a moment. Your access points are grouped together into access point groups, and you can assign a WLAN to an access point group, such that your SSID is only broadcast from a specific group of access points. That way you can have different SSIDs based upon where you are in your campus, or a different SSID at a branch office, or a different SSID in a different department, things of that sort. Maybe you have different security requirements over in the accounting area, where you only want to do specific MAC filtering and only allow specific devices to connect to the wireless there, but over in your marketing department it really doesn't matter, and they just have your regular WPA2 Enterprise wireless and are allowed to connect with their personal devices and things of that sort. When you first spin up your wireless controller, you're going to see just this default group here; all of your WLANs are a member of the default group by default, and you cannot remove them. Your access points will all be a member of this group as well by default, but you can remove them, since you do not need your access points to be broadcasting all of your WLANs at once. So let's move back over to our WLAN configuration. If you go to the WLANs section, then here we're going to go over to Create New in the top right and click Go. Here we create our WLAN. We're just going to call this "test", and the ID number can be whatever you want; we're just going to leave it at the default of 8, which increments by one each time. We'll click Apply in the upper right, and now we're in our WLAN configuration screen.
So just as a note: by default, when you create a WLAN, it is going to come up as disabled. There is this Enabled checkbox here, and it's going to be unchecked when you first create it; you'll have to check that in order to actually broadcast and enable your SSID. We're going to leave that unchecked, since this is just a test WLAN we're going through for this information. The interface: now, this is one that is interesting to get used to, the concept of ports versus interfaces. We discussed that in the previous video: your ports are the physical ports on the physical device, but your interfaces are virtual interfaces. These more closely align to VLANs; they're VLAN interfaces, kind of like switched virtual interfaces on a switch, that you can create. And actually, let's do that real fast. Let's click Apply here so that we save our test WLAN, and let's take a quick look at our interfaces. If we go over to our Controller tab and then to Interfaces, we have our interfaces here. You can have them tagged with a VLAN, so if your connections into your network from your wireless controller are trunked, you would have your VLANs split out here, and then you'd have the IP address of that particular interface as well. Like I said, it's kind of like a switched virtual interface. The dynamic interfaces are the ones responsible for handling client traffic; that's what we saw where we could select which interface our SSID is associated with. A dynamic interface is the type of interface that will be used to support client traffic going in and out of the wireless controller. So let's go back over to our WLANs for just a moment, and we'll go through some of the other settings here. Here we have our test WLAN. In order to get into the configuration again, we click the WLAN ID.
That's the number 8 there, and here we see it's still disabled. Now, by default it ended up coming with the security policy of WPA2 with 802.1X authentication; that'd be WPA2 Enterprise with your RADIUS authentication or something similar. Right now we're using our management interface. Let's set this to be our Corp interface, which is actually the one that will handle our client traffic. If we go over to our Security section here, your Layer 2 security: this is where you'll find the security for your SSID that you're used to, to set your WPA2, WPA, WEP, 802.1X, or none, and have it be an open network. Down here is where you would configure your 802.1X for your RADIUS authentication; this is the checkbox that you would need for that. If you just want a pre-shared key, it will be this one here, PSK for your pre-shared key, and you'd have to check that to be able to supply what the pre-shared key is in order to connect to the network. Your Layer 3 security: this is where you have something like a captive portal. If you've ever connected to a wireless network at a hotel or at a coffee shop, when you connect it pops up a web page where you need to accept their terms of service or pay for the network, or what have you. That is a Layer 3 security policy, where you have a web policy, and we can do authentication, where you need to log in with your enterprise credentials, or just passthrough, where it redirects you or sends you through and you might just have to click to accept the terms of use, what have you. Those all fall under your Layer 3 security policy here. And your AAA servers: this is where you have your authentication, authorization and accounting servers. These are your RADIUS and your LDAP
your TACACS+ servers. This is where you end up configuring which servers for it to use, and in which order, for your authentication and your accounting servers. You do need to go ahead and configure the global servers first, so that's going to be back over in our Security tab here; I believe we'll take a look at that in a little bit. You need to configure your servers globally, and then they will show up here as options for you to set for this particular WLAN for your RADIUS or your TACACS or LDAP. As far as QoS for your wireless LAN, that's over on our QoS tab here. Of course, now you do have the medals, right, is what we've got: Bronze, Silver, Gold and Platinum. This is a question that has come up in a couple of Cisco exams that I have taken, where it asks, for voice, which quality of service profile is most appropriate. The answer was Platinum, so I would make a note of what these QoS levels are. There are only four of them, so I would go ahead and make a note of them just to make sure that stays in your mind in case the question comes up. But we can go ahead and configure things here like whether we want to do NetFlow monitoring to export our flow information. We'll end up talking about NetFlow more in a later section of the course here, but what NetFlow does is it tells you information about the source and destination IP address, how much data was transferred, over what port it was, a lot of information about your traffic, so that you can get some things like who's hogging all your bandwidth, or how much time is really being spent over on Netflix and how much bandwidth is that using, and things of that sort. We could also set our per-user bandwidth, so that you could do upstream and downstream rate limiting per user or per SSID, and things of that sort. Over on our policy mapping, we don't have any policies here, but if we went ahead and created policies elsewhere in the wireless controller,
this is where we would apply those. Over in our Advanced tab here there's a lot of options, so here are a couple of ones that I do want to point out. First up, FlexConnect. So FlexConnect is the rebranding of REAP and H-REAP, the remote edge access point. FlexConnect is what allows for local switching, for local MAC operation of your access point, and remember what that is: that's where your client traffic goes out onto the network directly at your access point. If you have a branch office or something of the sort, in the event that branch office loses connectivity with the wireless controller, the staff at that office don't necessarily lose wireless capability, because their traffic will go directly onto their network at their access point and not have to traverse their WAN link back to their wireless controller and go out onto the network from there. I'd make a note of some of these options that are here, that we can go ahead and do client profiling and off-channel scanning defer. Now this is if you want to go ahead and have it defer scanning, so periodically the access point will go ahead and scan the other channels, see how much traffic, how much noise there is there, and go ahead and send that back over to the wireless controller for your radio resource management, your RRM. That's to go ahead and select which channel is least crowded so that you can go ahead and have the least interference possible. You can set things like your idle timeout for your clients, and then also your Wi-Fi Direct clients policy and your Aironet IE. You can override your AAA. You can set DHCP server override for a particular WLAN, because this is something that will be set for a whole interface. And mind you, that's not globally, that's just for an interface. Remember, we selected that interface over here in our General tab, and the DHCP server
information is something that would be set on your interface, and that's what's here in our Advanced tab. And once you get things configured how you would want, honestly, the things that you would want to configure for just a basic SSID: you've got your name; the interface is what you need to configure; go ahead and enable it (I'm not going to enable that right now); set your security, maybe it's just gonna be a PSK. We'll go ahead and check PSK, uncheck our 802.1X, and set our PSK here. Great, it'll be WPA2. Awesome. QoS, we don't really worry about QoS right now, and we don't have any policies. And let's say this is gonna be an SSID that's over in our branch that we want to do FlexConnect on, and then actually we want to do local authentication, just in case we lose connectivity to our controller; we want people to still be able to authenticate with the PSK. So that's awesome. We'll go ahead and set that here, and then that's all good to go. That's all we need to do. We go ahead and click Apply. Disabled mDNS snooping: mDNS is multicast DNS; that's used for things like your Chromecast and other devices, that it goes ahead and broadcasts out multicast DNS. It's not broadcast, it's multicast DNS information; it's its own protocol there, over UDP 5353. But we'll go ahead and click OK; we don't really care about the mDNS snooping right now. Oops, I forgot to uncheck the Layer 3 security policy here. Let's go ahead and click Apply. And there we go, that's all good to go. If we go over to our WLANs, we now have our test WLAN, and it now says that it's still disabled; the admin status is disabled. Remember, I set it to use our Corp interface. So if we go back over to our interfaces here, let's see what's involved with creating a new interface. If I create a new interface, let's call this the test interface. And this is where we set our VLAN ID; let's say it's gonna be over on VLAN 110, our test.
Oh, click Apply. Now, here we have some things like our guest LAN and quarantine. Now, these are things that you can have so it doesn't have access to other networks at all within your organization, such that your traffic will get stopped at the wireless controller if you try and access other networks that are in your organization. But here we set what physical port, the primary physical port, it's going to go out of, and then the backup physical port that it should use. We'll set the IP address, netmask and gateway of our virtual interface, our dynamic interface, for this interface. And then here we also set our DHCP server information. This is for DHCP relay: when a client connects and goes ahead and sends out DHCP, this is going to relay that DHCP Discover over to this DHCP server that you configure here. It can also provide a secondary. You can also add access control lists onto your interface, and you know what that is: it's permit and deny statements for specific source and destination pairs for extended access control lists, and you can also do port numbers as well, your Layer 4 information. And you can also set an mDNS profile, for which mDNS destinations or devices are allowed to be snooped, so that it remembers that information and is able to reply on behalf of your discovery requests there. And honestly, that's about it. Now, just like the other sections here, let's run through a couple of practice questions before we end off on this video. Oops, if we go back over to this guy here. Now, where in the wireless controller GUI is FlexConnect configured? Is it in the Controller tab and then Interface Groups, you select your group and you configure FlexConnect there? Or is it on your WLANs tab, you click your WLAN ID to get into our test WLAN, and we go over to our Security tab and configure FlexConnect there? Or is it in the Advanced tab of our WLAN configuration?
Or was it over in our AP Group, in the Advanced section of our AP group? I hope you remember that this answer is C. It's over in the Advanced tab of our WLAN configuration where we enable FlexConnect and then also FlexConnect local authentication and a couple of other FlexConnect options as well. And then finally: all of your access points are part of the default AP group and you've just created a new WLAN, but it's not being broadcast. What is the likely solution to broadcast the SSID? Now remember that all of your WLANs are part of the default group and cannot be removed. So since all of your access points are part of the default AP group, then it should broadcast as long as the WLAN is enabled and as long as it's checked to broadcast. But that will be checked by default. That was on the General tab of our WLAN configuration, all the way at the bottom; it had our check box for whether we want to broadcast the SSID or not. But that's really just setting out the beacon intervals, the beacons; you don't necessarily need to have it broadcast in order to connect to it, it would still be available there. But here, is it A, enable the WLAN in WLANs, WLAN ID, General, check the box to enable, and then click Apply? Or is it B, add the WLAN to the default group in WLANs, AP Groups, default group, WLANs? Now it's definitely not B, because all of your WLANs are part of the default group. Do you need to activate the WLAN with your check box next to the WLAN, just over on our WLAN ID section in our list of WLANs? Or do you need to reboot the wireless controller and/or the access points involved, that something is just not working right? The answer here is A; that is the most appropriate answer. There is the check box there to enable the WLAN, as long as everything else is at the default here, and you created your WLAN.
If it is not being broadcast, well, it's because it is not enabled. I hope that this has been informative for you, and I would like to thank you for viewing.

22. 3.1 Reading a routing table: interpreting components of routing tables.

The routing table gives you a lot of information, and it's important to be very familiar with a routing table so that you can quickly gather the information that you're looking for and understand what is going on with the routing decisions that the router is making. We'll go over more about how a router makes a decision for each packet that comes through in the next video. But in this one, we're just gonna go over the type of information that a routing table provides and how that's laid out, and then we'll go over an example routing table here so we can read through that. So first up, let's talk about the terms that we're going to use. Now, this is a large table with a lot of text, I know. So let's go through each one by one from the top here, and we'll go ahead and talk about this briefly. First up, we're gonna have the protocol code. Now there is a code next to each item in the routing table, and that one is going to indicate from which source the router has learned about that route. It indicates the method by which the router has learned of this route, meaning RIP or OSPF, BGP, static, etc.; that is, which routing protocol it learned it from. And then also what type of route it is from that particular protocol; that will have some things like an external route from OSPF, for an external type 1 or type 2, or an external from EIGRP, and we'll talk about that a little more as we get into those sections as well, for OSPF. It will give us the prefix. Now the prefix, as a term, the network prefix is the network identifier of the route: if you have a /24 route, right, and we have 192.168.2.0/24, the network, our prefix,
is this guy here; it is the network identifier address of that network, and that's what it will end up displaying there for us. And then it will have the network mask; the network mask, which is also known as the prefix length, our /24 at the end there, that is our network mask. We did talk about that a little previously; that's a term that'll come up very often. Your next hop address, this is going to be the IP address that your router forwards the traffic to in order for the traffic to reach its destination. If you have a router here, right, and then you have a router and a router, and these guys are connected, let's say this is the 10.0.0.0 network right here, and this is the 10.0.1.0 network, and then over here this guy's got the 10.1.1.0 network, and this guy has the 10.1.2.0 network over here. Great. All right, so then you as a computer are connected here, and you send a packet over to your router that's destined for 10.1.2.0. Let's say that the IP address of this router right here is 10.0.1.2. Then the next hop for your packet that's sent this way, that has a destination of the 10.1.2.0 network, it's gonna have a next hop in the routing table, assuming your router knows about that network; it will have a next hop of the 10.0.1.2 address, and that is going to forward that traffic over to this router right here in order for it to get to that network. Now, if it's a directly connected network, it'll end up saying so, that it's a directly connected network, and it won't have a next hop. It'll just say that it is directly connected. The administrative distance of a route, this is something that's really important to remember and understand, and we'll go ahead and talk about administrative distance much more in the next video. But administrative distance is effectively the relative trustworthiness of routing information, and a lower number is better. So, for example, a directly connected route.
Let me go ahead and clean this up here a little bit. There we go. Okay, great. All right. So a directly connected route: you've got your router, boom, and let's say we've also got here a router and a router, and boom. So a directly connected route for this router, that's gonna have an administrative distance of zero. It is directly connected. It doesn't matter if you tell it otherwise in any way, shape or form; that route is directly connected. It's going to know that that's where it is. But a static route: let's say this is the one network and this is the two network, and then this is Router 3 and this is Router 4 and this is Router 5. And let's say that we say that in order to get to the two network, you go to Router 3 as the next hop; that's a static route that we entered, and that has an administrative distance of one. Now say we're running BGP, external BGP, eBGP, between our peers here. eBGP has an administrative distance of 20. Or if we're running EIGRP within our area here, and we have all these guys exchanging routes here and they're all happy EIGRP neighbors, EIGRP has an administrative distance of 90. And you can kind of see how this is going, right, is that OSPF has 110, RIP is 120, so on and so forth. All of our routing protocols here, that information that the router receives, it's going to use that information in a specific order, and that order follows our administrative distance from low to high. It starts at the low as being the most trustworthy information, and then, as that is not available, it goes ahead and gets higher here and higher and uses whatever information is available until it doesn't have any. Then the route is just removed from the routing table entirely. Something else that's in our routing table, that varies quite a lot based on the protocol, is our metric.
The metric is the cost of the route, and this is a relative number that is calculated very differently based upon the routing protocol. For example, RIP just uses hop count: if I have, you know, these four routers here, and this guy wants to get over to the network that's over here, we have 1, 2, 3 hops in order to get there. So this is a cost of three. It is just hop count. Now, OSPF will take into account the bandwidth of each link to go ahead and calculate the cost of that link, and add that up to be able to calculate what the metric is to get to your destination network from your current location. Now remember, OSPF is a link state protocol. It has a full map of your network in its database, so that it knows the cost of each link connecting each of the routers, and it can calculate what the least cost path is to your destination from your current location there. And that's exactly what it does. Now EIGRP has a large, complicated metric calculation that honestly we'll end up going over in the next video. But you don't need to know it, really. We're just gonna touch on it very briefly; I just want to show you what it is. But then there's also things like IS-IS, Intermediate System to Intermediate System, that uses something that's very similar to hop count as its metric. But like I said, this is something that's relative to each routing protocol and is really just used for deciding which direction or which path to use within a particular routing protocol. This doesn't really have any bearing on selecting which routing protocol's information to use or which routing protocol's route to use, just which route within that protocol to use. Our gateway of last resort, this is our default route. This is sometimes written like this, 0.0.0.0/0. It can also be written 0.0.0.0 0.0.0.0, or you don't need the slash there; it's just having your mask be all zeros and your prefix be all zeros. This is the default route.
This is a route that will match everything, and we'll end up talking about this in the next video about the routing decisions, that it will only end up using that if a more specific route does not exist. So it's the gateway of last resort: you know, I've checked my entire routing table, I do not have a more specific route for the destination that you're looking for, so I'm gonna go ahead and use my gateway of last resort and just send the traffic over there, trusting that that router will know what to do with the traffic that I have here. Great. So now that we've run through some of these terms here, let's take a look at a routing table and how this is all laid out. So here we've got show ip route. I went ahead and set up our router with OSPF and EIGRP and RIP and BGP, and also put in a static route in there as well, so we could take a look at what a nice full routing table looks like here. So the first thing I want to bring to your attention is how we got here: show ip route. On IOS, that is going to be your method of getting this information here, show ip route. Of course, you can add your filters on the end to go ahead and include or begin with certain information, but take that out for now. Our codes up here, these are our routing codes. So this tells you the source of the information and a little bit of information about the route. We've got our connected route, our static route, routes learned from RIP, routes learned from BGP, routes learned from EIGRP, D; EIGRP external shows an EX, which we can see right down here, we've got D with an EX, and then right below it we've got OSPF with an E2 for an external type 2 route from OSPF. Now I did not configure IS-IS on here, so we don't end up seeing our lowercase i with our L1 or L2, but it's just not covered in the CCNA here, so we don't really need to. Here we've got a static route. Now the way this is laid out here, you've got your prefix here, right? Boom!
And then your prefix length, boom. All of these are /24s, except for this guy; this guy is a host route, a /32. It is the most specific route that you can have. Now, next to that information, you've got two numbers here separated by a slash. The left number is our administrative distance of the routing protocol, the source of the information. The right number is our metric. So for RIP here, right, we've got an administrative distance of 120, then the metric within the protocol is one; this is one hop away. For EIGRP we have our administrative distance of 170. Now I know I told you EIGRP has an administrative distance of 90, but this is an external route, and we actually have a different administrative distance for external routes from EIGRP, and that is 170. And then next to that we have our metric here for that, which, as you can see, looks much different from the other metrics that are around, except perhaps the other EIGRP metric up here. It's because the metric calculation algorithm that it uses ends up with this long, larger number that's more specific. It takes into account much more information, so that you can have more specific differentiation between route paths within your network. Now here, the C, the directly connected routes. Now this tells you that this is directly connected. It doesn't show you that this has an administrative distance of zero, but it does; it has an administrative distance of zero. And our static route down here, this has our administrative distance of one. Now we could go ahead and provide a metric, but it's not really needed; it's a static route, so our metric is zero. Our OSPF administrative distance of 110 with a metric here of two, and so on. So next to our administrative distance and metric information here, we go ahead and erase some of these lines, next to that we're going to see the via and then an IP address.
Now this IP address here, this is your next hop IP address; that's the router that it's forwarding this traffic to, where it learned that this is the next hop, this is the shortest path to get to that destination. And directly next to that you end up having a timer here, where it's in hours, minutes, seconds. This is how long this router has known about this route; here it's known about this BGP route for eight minutes and 49 seconds, whereas this RIP route down here, it's only known about this for six seconds. Now for RIP, it shows us here what interface this is going out of: it's via 10.1.4.4 and it's out interface FastEthernet 2/1. For BGP, it's not showing us what interface it goes out of, and same with our static route; it does not show us what interface it goes out of. Our directly connected routes, it tells you what interface your route is directly connected on. And then same for EIGRP and OSPF: it shows us here what interface that next hop lives off of on this particular router. So up at the top here, this is where your gateway of last resort would be listed. It will show you the IP address; it will be "Gateway of last resort is" and a given IP address here; say here it's like 10.3.1.2. And that would be the gateway of last resort there; that's where that default route is listed, up at the top here. Awesome. Appreciate you going through this with me. Now, just like the other sections, let's run through a couple of practice questions before we end off here. First up, what attribute denotes the relative trustworthiness of the routing information received? Is it the metric, the administration, the administrative distance, or the prefix? Now here the answer is administrative distance; that is your number, you know, that's zero for connected and one for static and 90 for EIGRP and 110 for your OSPF and 120 for your RIP.
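The layout just walked through, turned into a parser, as an added example that is not part of the course: it reads constructed show ip route output in IOS format into the code, prefix, administrative distance, metric, next hop, age and interface fields, and pulls the gateway of last resort off the top. The sample output, its addresses and its timers are made up for this example.

```python
"""Parse Cisco IOS 'show ip route' output into its components."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in IOS format (addresses and timers are made up for this example).
SAMPLE_SHOW_IP_ROUTE = """\
Codes: C - connected, S - static, R - RIP, B - BGP, D - EIGRP, EX - EIGRP external,
       O - OSPF, E2 - OSPF external type 2, * - candidate default

Gateway of last resort is 10.3.1.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.3.1.2
      10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C        10.1.1.0/24 is directly connected, FastEthernet0/0
R        10.1.4.0/24 [120/1] via 10.1.4.4, 00:00:06, FastEthernet2/1
B        10.2.0.0/24 [20/0] via 10.1.4.4, 00:08:49
D EX     10.5.0.0/24 [170/2816] via 10.1.1.2, 00:10:12, FastEthernet0/0
O E2     10.6.0.0/24 [110/2] via 10.1.1.2, 00:10:12, FastEthernet0/0
S        10.7.0.0/24 [1/0] via 10.1.1.2
O        10.8.8.8/32 [110/3] via 10.1.1.2, 00:10:12, FastEthernet0/0
"""

# Source protocol for the first letter of the code column ("D EX" -> EIGRP).
PROTOCOL_BY_CODE = {"C": "connected", "S": "static", "R": "RIP", "B": "BGP",
                    "D": "EIGRP", "O": "OSPF", "i": "IS-IS"}

# One route line: code column, prefix/length, then either "[AD/metric] via <next hop>"
# with optional age and outgoing interface, or "is directly connected, <interface>".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Zi]\*?(?: [A-Z][A-Z0-9])?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<next_hop>\d+\.\d+\.\d+\.\d+)"
    r"(?:, (?P<age>\d[\w:]*))?(?:, (?P<iface>[A-Za-z]\S*))?"
    r"|is directly connected, (?P<conn_iface>\S+))"
)


@dataclass
class Route:
    code: str                      # as printed: C, S*, R, B, D, D EX, O, O E2 ...
    network: ipaddress.IPv4Network  # prefix plus prefix length
    admin_distance: int            # left number in [AD/metric]; 0 for connected
    metric: int                    # right number in [AD/metric]; 0 for connected
    next_hop: Optional[str]        # the "via" address; None when directly connected
    interface: Optional[str]       # outgoing interface when IOS prints one
    age: Optional[str]             # how long the route has been known (hh:mm:ss, 1d02h ...)

    @property
    def protocol(self) -> str:
        return PROTOCOL_BY_CODE.get(self.code[0], "unknown")


def parse_routes(text: str) -> list[Route]:
    """Return every route line, skipping the legend, header and parent-prefix lines."""
    routes: list[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        net = ipaddress.ip_network(m["prefix"], strict=False)
        if m["conn_iface"]:
            routes.append(Route(m["code"], net, 0, 0, None, m["conn_iface"], None))
        else:
            routes.append(Route(m["code"], net, int(m["ad"]), int(m["metric"]),
                                m["next_hop"], m["iface"], m["age"]))
    return routes


def gateway_of_last_resort(text: str) -> Optional[str]:
    """Default-route next hop announced at the top, or None when IOS says 'not set'."""
    m = re.search(r"^Gateway of last resort is (\d+\.\d+\.\d+\.\d+) to network", text, re.M)
    return m.group(1) if m else None


def most_specific(routes: list[Route]) -> Route:
    """Longest prefix length in the table; a /32 host route is the most specific possible."""
    return max(routes, key=lambda r: r.network.prefixlen)


if __name__ == "__main__":
    for r in parse_routes(SAMPLE_SHOW_IP_ROUTE):
        print(f"{r.code:5} {str(r.network):15} AD={r.admin_distance:<3} metric={r.metric:<5} "
              f"via={r.next_hop or 'connected':10} {r.interface or '':16} {r.protocol}")
    print("gateway of last resort:", gateway_of_last_resort(SAMPLE_SHOW_IP_ROUTE))
```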
And if we have to put up here, 20 for your BGP, or at least eBGP; down here it'll be 200 for your iBGP, and that's something that we'll talk about briefly a little later, that there is external BGP and internal BGP; that's just something that we don't really need to know for the CCNA, the exam topics do not cover it. But the answer here is C, administrative distance; it denotes the relative trustworthiness of the routing information received. And finally, if a route in a routing table has a source code of D, from which routing protocol was the route learned? The answer here is C, EIGRP. I hope that this has been informative for you. I'd like to thank you for viewing.

23. 3.2 Routing decisions and attributes: route attributes and forwarding decisions.

Now that we understand the type of information that is stored in the routing table and how that's displayed to us, we can talk about how the router takes this information into account when deciding how to forward traffic. Each route has its own attributes, and those are used to make the forwarding decision. So let's first talk about the type of information that's included with a route. There are three main items that are used by a router to determine which route to use for forwarding your traffic. Those are the administrative distance, the metric, and the prefix length. Now we had talked about this briefly before, where the administrative distance is a descriptor of the relative trustworthiness of that route: from which source did this router learn about this destination, and how much does the router trust that source? And then the metric is used within that routing source. So if you have your OSPF or your RIP information, if you have the same route for OSPF and RIP, first it's gonna trust OSPF, because it's got an administrative distance of 90, whereas RIP has an administrative distance of 120. So that's fine.
But then let's say you have the same route twice in OSPF, where one has a distance of 100 and the other has a distance of 10. And by distance, I actually mean metric, that this is the metric inside that route source, inside that protocol, that the lower metric generally wins. So here it would end up using the route that has the metric of 10 in OSPF. And then our prefix length: if all is equal, if you have multiple routes to the same destination address in OSPF and both those routes have the same metric, then it will use whichever route has the highest prefix length. So if I have a /24 route and then also a /25 route, let's say it's 192.168.1.0/24 and then also the same 192.168.1.0/25, well, /25 has the longer prefix length. It is 25 bits long in its prefix, in its network mask. So this is a more specific route, and it will choose that over the less specific route. And then, actually, it's not in this order here: first it will trust administrative distance, and then it will trust the prefix length, and then over that the metric. So if I have a route with the source of OSPF, it will first trust the /25 route before it trusts the /24, or it will use, not necessarily trust, it will use the /25 over the /24. But if I have multiple /25s, and they all include the same destination, but one has a better metric, it will use that instead. That was a little confusing; we'll run through that a little more as we go here. So first I want to talk about administrative distance, right? Administrative distance, this is a table that you should know. This is not explicitly mentioned in the exam topics for the CCNA, but this is something that will be very handy for you to know, to know that eBGP wins out over iBGP or that EIGRP wins out over OSPF; to know this table is something basic that a network engineer should know.
So I don't need to run through all these with you. You can go ahead and study this table and just commit this to memory later. It's not that much information; just make sure that you know this. Now, metric. So your metric is used to decide the best path within a routing protocol. As I said, when you have multiple paths to the same destination within the same routing protocol, then it will use your metric to determine which path to actually use. So some protocols, like EIGRP and OSPF, they'll actually do equal cost multipathing, or also unequal cost multipathing in the case of EIGRP. And what this means is that if I have a destination here and a source here, and let's say I've got router, router, router, and these are all connected, right, like this, boom, boom, boom, boom, and this path here has a metric of 10 and this path here also has a metric of 10, then OSPF and EIGRP have the ability to go ahead and do multipathing, to route your traffic in a round robin fashion between both of them and have your traffic sent both ways, and the same thing vice versa would end up coming back both ways. This can be problematic, of course, because you have asymmetric routing going on, that it could come in one of both ways, and that causes problems, mostly with firewalls. Firewalls do not like asymmetric routing; they don't like to see traffic coming back in on an interface that it was not expected on; they expect it to go out and back in on the same interface. Really, you can configure them generally for asymmetric routing, but overall it causes problems, in my opinion, and it's also more difficult to then figure out where you're having trouble, if you are, if you're using equal cost or unequal cost multipathing, because you don't necessarily know for sure which direction your traffic is taking. So that adds a few extra steps into your troubleshooting to
understand where the problem is actually happening, if you're running into an issue. So lower metric, as I said, is generally better. Your metric of 10 is gonna win out over a metric of 100. Kind of makes sense; lower is better. It's good to think of it in a cost kind of sense, still, like for OSPF. I listed down here how our protocols handle metric calculation. RIP is just a straight hop count. If I have router, router, router, router, boom, boom, boom, and I want to get from here over to here, then this is gonna be 1, 2, 3 hops. It's gonna be a cost of three. And that's just how that works; it's just hop count. 10 hops is passing through 10 routers. It does not care what bandwidth each of those links is. It could have one gigabit here and then, big budget cut, a T1 right here, one megabit, 1.4 megabits, and so on, and you could have gigabit here, etc. And then we could have our alternate path where this guy is just all gigabit all the way across. If this one has one extra hop but all of these are gigabit, gigabit, gigabit, just all the way across, it doesn't matter. It's gonna take the lower hop count and go that way, even though we've got a T1 right here that's gonna be bottlenecking the living daylights out of that traffic there. So RIP, not a very sophisticated method of calculating metric. OSPF uses bandwidth, and it does it with a reference bandwidth. Now, this is a configurable item in OSPF. You don't need to know how to do that, but just know that you do have the ability to change the reference bandwidth. This is a local change only. You will need to change this on all of your OSPF routers in your domain if you decide to do that, because only that one router where you're changing it is going to use that new reference bandwidth. But moving on here. So by default OSPF uses 100 megabits as its reference
bandwidth, so that a 100 megabit connection has a cost of 1, 10 megabits a cost of 10, 1 megabit a cost of 100, and so on and so forth. It will go ahead and use that as its cost calculation, and it'll add up all of the costs in your topology to get what the total path cost is, and it will use that as the metric at your location there. Now, IS-IS, this is not a protocol you see often at all. But it also defaults to something very similar to hop count; it's really hop count times 10 is what the default is. IS-IS is really meant to be something that you go in and tweak and configure yourself quite a lot, that you're really supposed to go ahead and configure your cost on a per-hop kind of basis there rather than just leaving it up to the hop count by default. But that's really up to you. You can go ahead and leave it as hop count if you wish, but this is also a configurable item on a per-hop basis; you can configure your cost. BGP uses its own kind of thing; it uses route attributes, but the default that it really comes back to, that it falls back to, is AS path, that it uses the shortest autonomous system path. Now think of an autonomous system, right, is that it's meant to be that you have, like, routers just here, and this cloud is an AS. And then over here, you would say this is Comcast. And then over here you've got routers, and this here is an AS; let's say this is, I don't know, Cox, and these guys are connected. And then let's say you've got another one over here and he's connected. And I would say you've got one more over here, a little tiny provider over there, and he's connected, and these guys are connected. Actually, let's go ahead, and just for the sake of the argument here, let's erase this guy and put this here and go ahead and connect these guys. Now, when Comcast, when we've got, you know, a router over here wanting to get to this destination, by default it's gonna go ahead and go with AS path, the shortest AS path.
The shortest AS path here is to pass through Cox: it just goes to Cox, and then, boom, it will go over to our destination, whereas over here it's got to pass through two different autonomous systems. Now, this is a little weird, of course, because it doesn't take into account anything within these autonomous systems. Your BGP autonomous system generally rides on top of some interior gateway protocol like OSPF or EIGRP or IS-IS, what have you, and the cost within that autonomous system, like you might have 10,000 routers inside this autonomous system that your traffic now needs to pass through in order to get to your Cox autonomous system, you just don't know. BGP is totally oblivious and unaware of this. And generally that's okay; the Internet engineers out there have really optimized things much better, so that you end up getting good flow through the Internet. But that's why BGP is used as the routing protocol of the Internet: it is hyper scalable, in that it takes into account autonomous systems as a whole. It doesn't really care about the individual routers or the per-hop kind of thing; it cares about your whole autonomous system. But anyway, moving on to EIGRP briefly. This is the metric calculation used for EIGRP. This is kind of why you end up with those really long costs or metrics from EIGRP. When these K values are all the same, or all at their defaults, a lot of them go away and this simplifies. This is not something you need to know, not at your CCNA; even at CCNP, really, CCIE might be where you actually need to know this. This is just to be aware of the fact that EIGRP has its own special metric calculation going on, and that's part of the sophistication of what makes EIGRP so special as a distance vector routing protocol that acts a lot like a link state protocol.
And part of that comes from its metric calculation being a very sophisticated one. So let's move on to prefix length here to describe our routing decisions: if a destination address is included in multiple entries in the routing table, then the most specific route is used. So, for example, a packet is received for a destination of 192.168.32.100 with the routing table below, and it will end up using our RIP route. Now the question is, why is that? The reason is that although we've got an EIGRP route here that has a longer prefix length, it does not include the .100 address. Our /26 only goes up to 192.168.32.64, or actually 63; 64 is the start of the next subnet. So this 192.168.32.0/26 is 192.168.32.1 through 63; that is that network, and it does not include our destination. And now, although OSPF has a better administrative distance than RIP, it will use the RIP route because it has a longer prefix length, a /24. Anyway, thank you for going through this video with me. Just like the others, let's run through a couple of practice questions before we end off here. So first up: if a route to the destination network 10.1.1.0/24 is learned from the below sources, which route information will be inserted into the routing table? Now remember, if it has the same route, 10.1.1.0/24, and it learns it from multiple sources, it's only going to put one of them in the routing table, and the one that it's going to use is the one with the lowest administrative distance. So let's remember what these are here, and we can go ahead and do this in order. First, you've got 20 for eBGP; just put a B there. Then we've got 90 for EIGRP; you could put a D there. Then we've got 110 for OSPF, and we've got 120 for RIP. Now here,
if it's learned from all of these sources, it's going to use the one from eBGP, because that is an administrative distance of 20. The answer here is C. And then finally: what will the next hop address be for a packet destined for 10.10.10.130 using the following routing table? Now we have three entries here that look like they could all include this address: we've got 10.10.10.0/26, /25 and /24, from OSPF, EIGRP and BGP respectively. Now 10.10.10.130 actually is not included in 10.10.10.0/25; 10.10.10.0/25 is actually 0 through 127, 127 being the last address, because it's breaking this /24 up into two different networks, so it's 0 through 127 and then 128 through 255. So this one does not include that address, and therefore this one definitely does not include that address, because that is 0 through 63. So the route it'll use here is the one from BGP. Although we have more specific routes here, those do not include the destination address. The answer here will be the BGP route, which has a next hop address of 10.1.5.5, so the answer is C, 10.1.5.5. I hope that this has been informative for you, and I would like to thank you for viewing.

24. 3.3 IPv4 and IPv6 static routing:

IPv4 and IPv6 static routes and route tracking. These two exam topics for the CCNA say that we should know how to configure static routing for IPv4 and IPv6, and then it also talks about floating routes, floating static routes. Now the idea of a floating route is to have a backup route, like a failover route. But specifically, a floating route is one that is not in the routing table until it is needed.
What would cause a route to not be in the routing table? Well, that would be, say, if we had a route to a duplicate destination but with a different administrative distance. So let's say you've got a route to 10.1.2.0/24, and let's say that we had a static route that has an administrative distance of 1. Then let's say we also learned this by OSPF, and that has an administrative distance of 110. So our static route is the one that's going to show up in the routing table. We actually will not see the OSPF route: if it's the same route, 10.1.2.0/24, we're not going to see it in the routing table at all, just because it has a higher administrative distance. Now what we can do is, when we configure the static route, say we wanted to use our OSPF route because it's dynamic and will probably route us around to different locations using a different next hop address depending on how the OSPF topology is looking, and let's say we just wanted to use our static route as a failover, a backup, in the event that OSPF was not available, that our neighborship went down. While we're configuring this static route we can go ahead and set it to have a new administrative distance of 111, so that our OSPF route will be the one showing up in the routing table until it's not: if our neighborship goes down or the route disappears, if OSPF no longer knows how to get to that destination, then our static route with the administrative distance of 111 is the one that's going to show up in the routing table. That's what a floating route is. It's one that's not in the routing table, but one that's configured or there as a backup to take the place of another route in the event that that route is no longer valid or is no longer there at all. And the way that we're going to implement this is with route tracking, and tracking uses IP SLA. Now I know SLA, to a lot of your network engineers, will mean a service level agreement, or you might have known about the feature in IOS called IP SLA. IP SLA allows you to monitor a lot of different attributes or metrics of a route or of a destination, and you can take action on that using tracking objects with the track command. What we're going to end up using, though, is our ICMP echo: with IP SLA we're going to send out pings, and then when those pings are no longer successful we're going to use our tracking object to remove a route from the routing table so that we can use our floating static route as our backup. So first, let's go ahead and talk about static routing and what the syntax is for configuring that. A static route is configured with the ip route command from global configuration mode. You use ip route, you give the network address of your destination network and the mask for that subnet. So this would be, you know, if it were a 25 bit mask, it would be 255.255.255.128, the 128 being the last bit for a 25 bit mask. And let's say that this were the 10.0.0.0 network, or this could be the next network up, 10.0.0.128/25, and that would be valid with 255.255.255.128. Or we can just make things easy and do a /24, go ahead and have a zero at the end here, and just have this be the entire 10.0.0.0 network. But then we also need to give our next hop address here, which is the IP address of our next hop router, the router to which we're forwarding this traffic that we believe knows how to get to our destination. That address will need to be an address that appears on one of the directly connected routes of your router. Now, for IP version 6, the syntax is almost exactly the same.
You're going to use ipv6 route, you're going to give your IPv6 network address, and instead of dotted decimal notation for your mask you're going to give the prefix length with a slash, and then the IPv6 address of the next hop router. As we said before, we're going to use our tracking objects to make a floating static route. Static routes are usually the most trusted next to directly connected routes, which have an AD of zero; static routes have an administrative distance of one. That is a configurable item, though: we can set our distance metric on the end of our static route, which is what we're going to be doing to have one of the routes be preferred over the other. So let's talk about how our route tracking is configured and the syntax for that. Route tracking, just as a little overview, allows us to use tracking objects to add or remove routes from the routing table, and they use IP SLA. So we use a tracking object to take the results of the IP SLA and affect routing tables, but the IP SLA is the one actually doing the operation here, testing the connectivity. This is commonly used for ISP failover; that's how I see this used very often. You've got a router here and two ISPs, one here, one here; let's say you've got Comcast and you've got AT&T over here, and you go ahead and track your connectivity out to Google, 8.8.8.8 over here, using AT&T as your primary. When that fails, then go ahead and use Comcast as your secondary. So you would have a preferred static route going out AT&T and track that route using a tracking object as we did here, and when that tracking object fails, when that is no longer reachable, then our Comcast would take over. And we need to do the source-interface FastEthernet 0/0 because otherwise, if we don't specify our source interface, this interface right here, then as soon as it flips over to Comcast and it just starts sending these echoes out our Comcast line, our tracking object could go positive again. It's going to send back out AT&T, and you're going to get route flapping: your tracking object is going to go up and down because it is misconfigured. So the configuration for IP SLA and your tracking object is that first, from global configuration mode, we do our ip sla command and give it an index number. This is a number for your IP SLA; here we use number one. We're going to use the icmp-echo operation, and this is going to be, in this particular set here, to 8.8.8.8, and we're going to set our source interface so they go out FastEthernet 0/0. It's going to be a little different in our lab configuration up next; here we're just talking about the syntax. The timeout here is going to be in milliseconds. It's saying: after I've sent this ICMP echo, how long do I wait to get a reply before I consider it to be timed out? And this is a little different from, but very similar to, the threshold value. Threshold is saying: after how long do I consider this to be unsuccessful? Now, at timeout, it's no longer waiting for it to get back; if the ICMP echo comes back, it doesn't even care about it. It's not going to consider it to be returned at all; it's going to say it timed out. Whereas with threshold, it will still know that it's there, we have received it and registered that, but it will consider it to be unsuccessful. It's saying: how long can this wait, or how long can this take, before it is considered unsuccessful? And this is also in milliseconds. Two milliseconds is very, very quick; we might want to increase that a little bit more. I'd probably set that to be the same as the timeout, which we'll set to be one second, and the frequency is in seconds. This defaults to 60.
We're going to want to set this to something much lower so we don't have to wait a full minute for our transition to occur. Here we have it set to three seconds; we'll probably do something similar to that. You know, something I do usually forget to do when I'm configuring IP SLA is to actually start the thing. So although here in the first few lines we're configuring IP SLA and setting up the parameters, what operation it should do, the timeout and frequency and all, we haven't actually started the operation yet, and that's what this line does. It's the ip sla schedule command: we're going to schedule IP SLA one and we're going to tell it how long it should run, and it should go on forever. We could set this to only happen for a week or a day or only an hour and so on; this is a very flexible type of tool, but we're going to have this run forever. And we've got to tell it when to start, and it's going to start now. Then, now that we have our IP SLA object and it is started, we can go ahead and move it into a tracking object and use the tracking object to actually track the results of this IP SLA operation and then be able to use those results to influence the routing table. We're going to create a tracking object, tracking object number 10. It's going to be a response time reporter. Now, the response time reporter, rtr, is an older command that you might not find in newer IOS; that's what's going to show up in our lab here. So it's rtr 1, saying IP SLA number one, the same number that was up here, and we're going to track it for reachability. And now that we have our tracking object configured, we can use that in a static route, where we just have the same syntax for our ip route. This is a 32 bit host route, where the mask is all 255s in dotted decimal.
We have our next hop IP address here, and we're going to track this route with tracking object number 10, and that's the syntax for configuring your tracking. Now, let's go ahead and take a look at what our lab topology is going to be like, so that we can jump into the lab, get this configured, and take a look at how that works. So this is the topology we're going to be using for the lab. We've got R1 here on the far left and R4 here on the far right. These actually have loopback interfaces: this one is all fours, 4.4.4.4, and this one is all ones, 1.1.1.1. You'll end up finding, for simplicity's sake, that I really like to number our addresses and our subnets for where they are in our lab, so that you can look at it and immediately tell what this is for or where it is. For example, the network between R1 and R2 here is going to be 10.1.2.0/24, and this is going to be .1 on this side and .2 on this side. Similarly, over here, this is 10.1.3.0/24: .1 on this side and .3 on this side. 10.3.4.0/24, .3 and .4. And then just to finish it up here, 10.2.4.0/24, excuse my writing, .2 here and .4 there. All right, so that's the addressing for our lab. And what we're going to do is set a primary route to be able to ping from 1.1.1.1 over to 4.4.4.4 and get the reply. We're going to set a primary route going through router three, around the bottom here, with a secondary going through router two, and we're going to set up route tracking specifically on R1. We're just going to set up some static routing over on R4; well, actually, we need to do route tracking there as well. We'll go ahead and set up route tracking on R4 and R1, and our tracking is actually going to track the reachability to R3.
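The route selection rules from the lesson 3.2 practice questions and the tracked plus floating static routes from this lesson's lab, modelled as an added Python example that is not part of the course or of IOS. It assumes the IOS default administrative distances and the lab addressing above; the next hops in the 3.2 cases, the OSPF /16, and the per-probe round-trip times are constructed values.

```python
from ipaddress import ip_address, ip_network

ADMIN_DISTANCE = {"connected": 0, "static": 1, "eBGP": 20,
                  "EIGRP": 90, "OSPF": 110, "RIP": 120}  # IOS defaults quoted in the lesson

class IpSlaIcmpEcho:
    """'ip sla N' + 'icmp-echo <dst> source-interface <if>': timeout and
    threshold in milliseconds, frequency in seconds, as the lesson describes."""
    def __init__(self, destination, source_interface,
                 timeout_ms=1000, threshold_ms=1000, frequency_s=3):
        self.destination, self.source_interface = destination, source_interface
        self.timeout_ms, self.threshold_ms = timeout_ms, threshold_ms
        self.frequency_s, self.successes, self.failures = frequency_s, 0, 0
        self.last_return_code = "NoOperation"

    def run_once(self, rtt_ms):
        """One probe; rtt_ms is the round trip in ms, or None if no reply came."""
        if rtt_ms is None or rtt_ms > self.timeout_ms:
            code = "Timeout"        # a reply after the timeout is ignored entirely
        elif rtt_ms > self.threshold_ms:
            code = "OverThreshold"  # reply registered, but counted as unsuccessful
        else:
            code = "OK"
        self.successes += code == "OK"
        self.failures += code != "OK"
        self.last_return_code = code
        return code

class Track:
    """'track N rtr M reachability': up while the target answers (IOS still counts
    OverThreshold as reachable), down on Timeout and before the first probe."""
    def __init__(self, sla):
        self.sla, self.reachability = sla, "down"

    def update(self):
        answered = self.sla.last_return_code in ("OK", "OverThreshold")
        self.reachability = "up" if answered else "down"
        return self.reachability

class Route:
    def __init__(self, prefix, source, next_hop, distance=None, track=None):
        self.prefix, self.source, self.next_hop = ip_network(prefix), source, next_hop
        self.distance = ADMIN_DISTANCE[source] if distance is None else distance
        self.track = track  # a tracked static leaves the table while its track is down

    def usable(self):
        return self.track is None or self.track.reachability == "up"

class RoutingTable:
    """All candidates are kept; installed() is what 'show ip route' would list."""
    def __init__(self):
        self.candidates = []

    def learn(self, *args, **kwargs):
        self.candidates.append(Route(*args, **kwargs))

    def installed(self):
        """Per prefix, only the usable candidate with the lowest distance."""
        best = {}
        for r in self.candidates:
            if r.usable() and (r.prefix not in best or r.distance < best[r.prefix].distance):
                best[r.prefix] = r
        return list(best.values())

    def lookup(self, destination):
        """Longest prefix match; a better distance never beats a longer prefix."""
        dst = ip_address(destination)
        hits = [r for r in self.installed() if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None

def lesson_32_cases():
    """Lesson 3.2's 192.168.32.100 example and its second practice question;
    the OSPF /16 and every next hop here are constructed values."""
    rib = RoutingTable()
    rib.learn("192.168.32.0/26", "EIGRP", "10.0.0.1")  # .0-.63, excludes .100
    rib.learn("192.168.0.0/16", "OSPF", "10.0.0.2")    # shorter than the RIP /24
    rib.learn("192.168.32.0/24", "RIP", "10.0.0.3")
    case1 = rib.lookup("192.168.32.100").source        # RIP despite OSPF's better AD
    rib = RoutingTable()
    rib.learn("10.10.10.0/26", "OSPF", "10.1.5.1")     # .0-.63
    rib.learn("10.10.10.0/25", "EIGRP", "10.1.5.2")    # .0-.127
    rib.learn("10.10.10.0/24", "eBGP", "10.1.5.5")     # .0-.255
    case2 = rib.lookup("10.10.10.130").next_hop
    return case1, case2

def r1_lab(probe_rtts_ms):
    """R1 from the lab: 4.4.4.4/32 via R3 (10.1.3.3, tracked) plus the floating
    static via R2 (10.1.2.2, distance 10). Returns the next hop after each probe."""
    sla = IpSlaIcmpEcho("10.1.3.3", "FastEthernet0/1", 1000, 1000, 3)
    track = Track(sla)
    rib = RoutingTable()
    rib.learn("4.4.4.4/32", "static", "10.1.3.3", track=track)
    rib.learn("4.4.4.4/32", "static", "10.1.2.2", distance=10)
    hops = []
    for rtt in probe_rtts_ms:  # constructed per-probe results, None = no reply
        sla.run_once(rtt)
        track.update()
        hops.append(rib.lookup("4.4.4.4").next_hop)
    return hops
```

Feeding `r1_lab` a couple of `None` probes reproduces the lab: the tracked route vanishes, the distance-10 floating static takes over, and the primary returns on the next successful probe.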
Now, if you work this out for a few moments on your own, you might understand why it just ends up being a lot more complicated to get our setup going if we want to track the reachability to, say, R4's loopback: we end up needing some method to be able to get there. So we'd need a static route that is not tracked, pointing over this interface using R3 as our next hop, and then have a static route pointing over to the loopback here with that being tracked, using the tracking of whether this interface is reachable, and that just makes things a little more complicated. I would rather go ahead and just track our reachability to R3. We're going to track the reachability to the interfaces on each side here that are closest to the routers that are doing the tracking. And then we're going to go ahead and turn off R3, and once that's not reachable anymore and our tracking object fails, that should go ahead and flip over to our floating static route, which is using R2 as our transit router to reach 4.4.4.4. We'll have a continuous ping going so that we can see where that loses some blips and then is successful again. So I have already configured all of these interface IP addresses. I have also already put a static route into R2 and R3, pointing over to 4.4.4.4 and 1.1.1.1, so that when our pings go through these routers, they know how to get them to their destination. So let's go ahead and get our IP SLA, our tracking objects and our static routes configured on R1 and R4. But first, let's take a look at R2 and R3, and I'll just show you that what I have configured here is actually there. So let's just jump to R2 real fast, go enable, show ip interface brief. We've got our 10.1.2 and 10.2.4 networks here, and the .2 on each one. That's Router 2. And if we do show ip route, we've got our IPv4 routes here for 1.1.1.1 and 4.4.4.4 as well. Then we go over to Router 3 real quick, go enable, show ip interface brief. There we go: we've got our interfaces configured here. We do show ip route; we've got our static routes configured here on R3. So let's jump over to R1 and we will get our IP SLA and our static route configured here, and then we'll do that over on R4 as well. So we go enable, conf t, and let's go ahead and create our ip sla 1. We're just going to take a look at the operations available here; there's a lot of different operations available. The one we're going to use is icmp-echo, but you can see you could use this for a lot of different operations. The CCNA is not concerned with that, so we're not really going to touch on that at all here. So let's go ahead and do our icmp-echo. Our destination: we're going to track, or test, our reachability to R3, and specifically to the interface on R3 that is attached to R1. This is going to be 10.1.3.3 as the destination, and we're going to use a source interface of Fast 0/1, because that is the interface of R1 that is connected to R3. Excellent. Then let's go ahead and set our timeout to one second, we'll set our threshold to the same, and then we'll set our frequency; let's have this run every three seconds. Excellent. And then we can go ahead and start our IP SLA using the ip sla schedule command: we're scheduling IP SLA number one, we'll set its life to be forever and the start time to be now. Excellent. And right now, if we just do a do show ip sla statistics, we have three successes already; it is running the operation, time to live is forever, and the last start time is actually correct, in UTC time. That's when it started, when I entered that command for the ip sla schedule for it to start now; that's when that started. And the last round trip time, it tells us what that was, and it is 28 milliseconds. We can see that it is still running here as well, and the latest operation start time is when it continues to run our pings. Awesome. So now that we have our IP SLA going, we haven't created our tracking object, and we also haven't set up our static route yet to be able to ping 4.4.4.4. So let's go ahead and create our tracking object: track 1, using the response time reporter, and that's what the old tracking object calls the IP SLA; the ICMP echo is a response time reporter. So we've got IP SLA one and we're testing it for reachability. Awesome. And then let's go ahead and create our static route. We go ip route, and this is going to have the destination of 4.4.4.4, and that'll be a 32 bit route. Then this is going to use the next hop address of router three, 10.1.3.3, and we're going to track this route: this route is going to be tracked using tracking object number one. And there we go. Now, if I do a do show ip route, that route is here; the 4.4.4.4 is here because our tracking object is live. If I do a do show track, that reachability is up, and it is tracked by the static IP routing here; you can see where this is being used in our show track. Now, I could also do a do show track 1 to only show our tracking object number one. Awesome. So now that we know how to get there from Router 1 using Router 3, let's go ahead and set our backup static route. So let's do ip route 4.4.4.4 with a 32 bit mask, and then we're going to set our forwarding router to be 10.1.2.2, that's our next hop address, and we're going to set a distance metric for this. We're going to set this to just be ten; that is higher than the one that is the default for the static route.
And now that we did that, if we do a do show ip route, our original route here, with 10.1.3.3 as the next hop, is what's showing up as a static in our routing table, and that's what's there, and that's what's still going to be there because it has a lower distance. It has a distance of 1, and the one that we just put on as our floating static has a distance of 10. So now let's go ahead and just configure Router 4 with the same things, and then we'll ping between them. ip sla 1; we're going to do an icmp-echo, we're going to echo the 10.3.4.3 address using a source interface of Fast 0/0, and we're going to go ahead and set our timeout to be 1000, our threshold to be 1000 and our frequency to be three. Then we do ip sla schedule, scheduling one with a lifetime of forever and a start time of now. Go ahead and create our tracking object, tracking object one, using the response time reporter of one; we're going to track reachability. I'll go ahead and create our route that is being tracked: ip route, let's give it 1.1.1.1 using a 32 bit mask, with the next hop address of 10.3.4.3, and tracking using object one. Excellent. And then let's go ahead and just add in our backup route here of 10.1, I'm sorry, 10.2.4.2, and have that have a distance of 10. Let's do a show ip route, and we are using our 10.3.4.3; we're using Router 3 as our next hop here for our static route. If we do a show track, our last operation return code is OK; it is up. So our tracking is good, and right now if we go ping 1.1.1.1 with a source of 4.4.4.4, let's just repeat that 100 times, we are successful; we're getting good communication there. So then now let's go ahead and watch what happens. Let's go ahead and run a ping here; we're just going to repeat it 10,000 times.
So we've got a good ping going, and that's going to go here for a little while. So let's run on over to GNS3 and let's turn off Router 3. Actually, before I do that, I want to go ahead and save the configuration on Router 3 and then go back over here. Let's go over to Router 3, let's stop it, and let's jump back over to Router 4, and boom: our echoes stopped, and then they started again, and that's what we wanted to see here. Let's do Ctrl+Shift+6 twice. And there we go, we had the little blip here, right? This is where our tracking object was not aware of the fact that Router 3 is down: it did not know that that route was no good anymore, and our IP SLA had not run again yet to know that it wasn't succeeding. And then once it did run and it timed out and found it was no longer succeeding, if we do a show ip route, that route is actually removed from the routing table. It is just not here anymore; we're now using 10.2.4.2, and here it shows we have the administrative distance of 10 on that route. The other route is just not there anymore. If we do a show track, our reachability is down. If we do show ip sla statistics, our last operation return code is timeout, and we've had 21 failures now already. That's what's going on now. We could go ahead and run those pings again and turn Router 3 back on, and we probably won't even ever lose one when this ends up being successful again; we might lose one while it gets the ARPs back, but we might not. So actually, let's turn on Router 3 one more time, and we can go back over to Router 3 and watch the terminal in here. It's going to take a few moments for that to happen. Let's go ahead and start our ping here. We did actually lose the first one; that may have been it right there. Let's go ahead and do Ctrl+Shift+6. Let's do a show ip route. And what do you know? We're back here to using our 10.3.4.3 with our administrative distance of 1, because our show track is back up here: our reachability is up, and our IP SLA, show ip sla statistics, is now successful again; return code OK. Awesome. I'm glad you went through that with me. Now, just like the others, before we finish off, let's run through a couple of practice questions. So, first up: what is the global configuration command used to create a static route for the 192.168.10.0/23 network with a next hop of 10.1.12.1? Is it route 192.168.10.0 /23 10.1.12.1? Remember, this is the global configuration command. Now we do know we use the ip route command; it's just which one of these syntaxes is most correct. We do know our network address comes first. Now, is it B or C? The answer here is C, due to our subnet mask here: a /23 is 254 in the third octet and not 255, as for a /24. So our answer here is C. And finally: what attribute is used to influence the routing table in the case of a floating static route? Is it the metric, the cost, the administrative distance or the next hop? Now, with a floating static route, the attribute that we're really taking advantage of is the administrative distance of a route. That's what we're using to hide a route from the routing table and then to put it back in, in the event we need it, so we're using the administrative distance of that route. Now, I hope that this has been informative for you, and I would like to thank you for viewing.

25. 3.4 OSPFv2 part 1:

OSPF theory and neighbor adjacencies. The exam topics for the new CCNA here are really pretty sparse on OSPF: all they want you to know is how to configure a single area OSPF domain and verify its configuration, and also to understand what a DR and BDR are and how they are elected. But I really wanted to go over OSPF in a little more depth than that,
and make sure that you understand the theory of it a little more and actually how it operates. It really helps to know these things when you're troubleshooting OSPF, when you get into an environment that's a little more complicated, perhaps, than just one single OSPF area, one that might also have virtual links or multiple areas, ASBRs and ABRs in there, and perhaps summarization and things like that. So without further ado, let's go ahead and talk about OSPF, its theory, and how a neighbor adjacency is formed. So first, OSPF stands for Open Shortest Path First. The SPF algorithm, the shortest path first algorithm, was developed by a man whose last name is Dijkstra. As you can see right here, he developed the algorithm for SPF, shortest path first. This is what's used in spanning tree, but then also in OSPF. And so OSPF is a routing protocol, right? It is a dynamic routing protocol that routers use to exchange information about the routes that they know about, about the networks they know about. And OSPF uses a cost metric that it goes ahead and advertises out with its link state advertisements to say how much it costs, or what speed of link it has, to be able to get to that destination. So in that way your router can make an intelligent decision: it can decide to take the quickest path, the shortest path, to the destination. And that calculation to figure out the shortest path is one that is done on a per-router basis. So OSPF is a link state protocol. What does this mean? This means that OSPF is actually aware. Now, let's say I have this many routers here, and they're connected like that: that guy, that guy, that guy, that guy. Let's say they're connected, that's connected, this is connected, and this guy. If this is all one OSPF domain here, right, this is just one OSPF area, this is a link state algorithm.
So each of these guys here, if they're all in this area zero, which we'll talk about a little later, area zero being the backbone area of OSPF, where there is a requirement that all areas need to connect to area zero directly, but we'll talk about that a little more in the next slide. If this is area zero, then this router right here knows about this link. He knows the status of that link and the status of this link and the status of this link. He knows that this router here and this router here both believe that this link is present and that it is up, and it knows what the speed of that link is and what the reliability and some other attributes of that link are, so that it can put that into its topology table, into its database. It's actually a database, not a topology table; that's in EIGRP. It goes into its link state database, the LSDB, and it's able to have this database so that it can calculate, from this starting point to this ending point, what the fastest path is. Or from this starting point, this router could calculate over to, also, if we had another router over here, connected and connected, if we wanted to go over to here as our destination, what will be the fastest path to get there. And it can calculate that because it knows what the state of all of these links is. And then that way, when one of these links goes down and this guy sends out a link state update, an LSU, over to its neighbors, and then this one sends out the link state update, it knows that that link is no longer available. It can go ahead and update its link state database and be able to recalculate what the quickest path is to that destination network. Now, OSPF is going to go ahead and run Dijkstra's algorithm, the shortest path first algorithm, on its database every time that there's a change.
So when it first fully populates the database, it's going to run the algorithm, and it's going to find the quickest path to all of the known networks in OSPF. I mean, each of these things is usually a layer 3 link, right? Between this guy and this guy, this link right here is a layer 3 link that is its own subnet. This is its own subnet, and so is this one, because these are all routers; these interfaces are all routed interfaces, they're not layer 2 interfaces. There's no switching happening here, it's all routing. So all of these links are their own networks, and OSPF on each one of these routers is going to figure out the quickest way to get to all of these networks. Likewise, if we had a network over here, and a network over here, and one over here and over here, you might have a department over here, your marketing department, or over here your IT department, and this is your sales department. Sales might want to talk to the IT department; maybe there's a network share over there, or a printer it wants to print to. So OSPF on this router right here has already figured out the shortest path to get to the IT network over here, because this network would have been advertised as part of the link-state advertisements from this router over here, and that would be in the link-state database of this guy. So all he's going to do is forward his traffic to the next hop, and that next hop has already figured out the quickest path to that destination, so it forwards it along, and so on and so forth. That's how a link-state protocol works. And because of that, there's this requirement that all of the OSPF routers in the same area must know about all of the links in the area.
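To make the per-router SPF calculation concrete, here is an added Python example (my own, not code from the course) that builds a small constructed link-state database, runs Dijkstra's shortest path first algorithm from one router to get the cost and next hop for every destination, and then withdraws a link the way an LSU would after a failure and recomputes. Router names, costs and the topology are all constructed for the example.

```python
import heapq
from typing import Dict, List, Optional, Tuple

# Constructed link-state database (not from the course): one entry per
# advertised link, (advertising router, neighbor, interface cost).  Both ends
# of every link advertise it, as OSPF routers do once the adjacency is FULL.
LSDB: List[Tuple[str, str, int]] = [
    ("R1", "R2", 10), ("R2", "R1", 10),
    ("R2", "R3", 10), ("R3", "R2", 10),
    ("R1", "R4", 1),  ("R4", "R1", 1),
    ("R4", "R3", 1),  ("R3", "R4", 1),
]

Graph = Dict[str, Dict[str, int]]


def build_graph(lsdb: List[Tuple[str, str, int]]) -> Graph:
    """Turn the flat LSDB into an adjacency map router -> {neighbor: cost}."""
    graph: Graph = {}
    for router, neighbor, cost in lsdb:
        graph.setdefault(router, {})[neighbor] = cost
        graph.setdefault(neighbor, {})
    return graph


def spf(graph: Graph, root: str) -> Dict[str, Tuple[int, Optional[str]]]:
    """Dijkstra's shortest path first from `root`.

    Returns {destination: (total cost, next-hop router)}, which is what each
    OSPF router computes for itself from the shared LSDB.
    """
    best_cost: Dict[str, int] = {root: 0}
    next_hop: Dict[str, Optional[str]] = {root: None}
    heap: List[Tuple[int, str, Optional[str]]] = [(0, root, None)]
    while heap:
        cost, node, via = heapq.heappop(heap)
        if cost > best_cost[node]:
            continue  # stale entry; a cheaper path was already found
        for neighbor, link_cost in graph[node].items():
            candidate = cost + link_cost
            if candidate < best_cost.get(neighbor, float("inf")):
                best_cost[neighbor] = candidate
                # The next hop is inherited along the path, except that the
                # root's own neighbors are their own next hops.
                hop = neighbor if node == root else via
                next_hop[neighbor] = hop
                heapq.heappush(heap, (candidate, neighbor, hop))
    return {d: (best_cost[d], next_hop[d]) for d in best_cost if d != root}


def withdraw_link(lsdb: List[Tuple[str, str, int]], a: str, b: str):
    """Model the LSU that follows a link failure: both ends drop the link."""
    return [entry for entry in lsdb if {entry[0], entry[1]} != {a, b}]


if __name__ == "__main__":
    before = spf(build_graph(LSDB), "R1")
    after = spf(build_graph(withdraw_link(LSDB, "R4", "R3")), "R1")
    for dest in sorted(before):
        print(dest, "before:", before[dest], "after:", after.get(dest))
```

From R1 the cheap path to R3 goes through R4 (cost 2); once the R4 to R3 link is withdrawn, the recomputation falls back to the cost 20 path through R2, which is the "recalculate the quickest path" step described above.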
I mean, you can do some route filtering with OSPF, or use a route map to filter the routes that it learns about through OSPF, but that's really just not a good idea. That's not how you want to handle that sort of thing in OSPF, because of the fact that it's a link-state protocol and all of the routers want to know where all of the networks are; all of their link-state databases should be identical once the area has stabilized, once it's converged. So, just as a last little note here: OSPF does not use TCP or UDP to communicate, and its adjacencies form at layer 2, so you will only have adjacencies between layer 2 connected routers. For this router right here, he's going to see this guy as a neighbor, this guy as a neighbor, this guy as a neighbor, and that guy as a neighbor, because they're all connected, right? This guy will not show up as a neighbor, and this guy will not show up as a neighbor, because they are not layer 2 adjacent; it just doesn't see them there. It knows they're there as part of the OSPF domain because of its link states, but it does not see them as neighbors because they are not layer 2 adjacent. The protocol that it uses to communicate is IP protocol number 89. Again, that's not TCP or UDP; it is its own Hello protocol, and the hello packets are sent to a destination multicast address of 224.0.0.5. That is the multicast destination address for all OSPF routers. So let's move on to the next slide about OSPF neighbor adjacencies, I'm sorry, about OSPF areas. The domain, as I said, is split up into areas, and all of the routers in the same area need to know about all of the links in that area. If there is another OSPF area, as we have over here with area 10, then these guys over here, Router 6 and Router 8, don't need to know anything about what's going on in area 10.
Now, by default they do, they do see that, but you can summarize area 10, and you summarize it at Router 7, because Router 7 is really part of both area zero and area 10 at the same time: it's got this interface here, Gig1/0, that's in area 10, but it's got these two interfaces here, Fa0/1 and Fa0/0, that are actually in area zero. Because of that, Router 7 has the link-state database for area zero and for area 10, and it needs to maintain both. But what we can do is tell Router 7 to summarize area 10. Let's say that area 10 actually encompasses 10.0.0.0/16, the whole 10.0 network, and that is area 10. So Router 7 will advertise, saying 10.0.0.0/16 is accessible through me, and you can get to 10.0.0.0/16 through me. So you might have your 10.0.1.0, 10.0.2.0, 10.0.3.0, 10.0.4.0, 10.0.5.0 and so on, all splitting off into their own routers that have their own subnets here, maybe little /25s going off here and so forth, and they're all connected. And if this guy, boom, just goes down, goes up in flames, Router 9 now sees that, oh no, that network over there is no longer accessible, so it sends LSUs, these link-state updates, out to all of its neighbors. That floods out through the network, and the LSU saying that network is down gets sent over to Router 7, and Router 7 is like, okay, great, and it's not going to do anything with it, because it is advertising this summary here. It doesn't need to flood that update out into area zero, because area zero doesn't care about the little /25 network in the middle of area 10 that went down. It just cares about, and knows, that it can access everything in 10.0.0.0/16 through Router 7. So it doesn't send that update.
So, as a general rule for OSPF, area zero is the backbone area, and all areas need to directly connect to it. That's to follow the rules, right? If I were to create another area, let's say this guy connects over to Router 10, and Router 10 connects over to this guy here, and over here we now have area 11, then this area breaks the rules, because it is not connected to area zero. This actually won't work; your neighbor adjacencies won't form, because it doesn't have a connection to area zero. What you actually need to do is create a virtual link, where this guy, Router 10, creates a virtual link to Router 7, and it's really acting like Router 10 now has an interface that is connected to area zero, so that Router 10 is kind of part of area zero and also part of area 10 and part of area 11. That's how you'd actually fix the issue here and follow the rules. You don't need to know about that; we're not configuring a virtual link at all during this course. But all the routers in a single area must maintain the entire link-state database for the area; we just talked about that. And routers that connect to two or more areas are called ABRs, area border routers. Router 7 here, that's your ABR, and it is connecting area zero and area 10. There's also something to mention real quick called an ASBR, an autonomous system boundary router, or autonomous system border router. This would be if you have a RIP domain, or some other external system. Let's say we have a router over here and he's connected, and you actually have EIGRP over here, and this router right here, Router 11, is redistributing his EIGRP routes into OSPF. Then Router 11 would end up being our ASBR, our autonomous system boundary router, and that's just what it is.
It's a boundary router that connects to things that are outside of your autonomous system, of your OSPF process. So let's talk a little bit about neighbor adjacencies, how those form, and the process behind that. The way neighbor adjacencies form is that hello messages are sent out. It is a hello protocol, the OSPF protocol: it sends out this special type of message, a hello, and that hello has some attributes, and specifically four of them must match in order for a neighbor adjacency to form. Those are the area ID, the subnet mask, the hello and dead timers, and the authentication password. Area ID: if you've got a router here that thinks it's in area zero, and it's connected to a router here that thinks it's in area seven, you will not get a neighbor adjacency to form. They need to think they are in the same area. Now, if I were to redraw this a little bit, like this, where this is area seven and this is area zero, and this guy right here is actually an area border router, then that works, because this interface here is in area seven and this interface is in area seven. So they're happy; they'll create an adjacency, assuming everything else follows the rules. Subnet mask: if you have a misconfigured subnet mask, you will not get a neighbor adjacency to form. This is something to check, because sometimes you can accidentally put a /25 instead of a /24, and then it won't work. If you have these two routers and they are connected, and this one here is 10.0.0.1 and this one right here is 10.0.0.2, and this one is a /24 and this one is a /25, this will not work. They will not form an adjacency, because the subnet masks are not the same on the link they are trying to form an adjacency on.
And this comes back to these forming over layer 2: they have to be layer 2 adjacent in order for an OSPF adjacency to form. The hello and dead timers: the hello timer is the frequency at which a hello packet will be sent, and the dead timer, which is usually four times the hello, is how long until the neighbor is considered dead. How long, without receiving a hello packet, am I going to wait before I consider that neighbor dead? Those must match in order for an adjacency to form. If they do not match, an adjacency will not form; that's all there is to it. So having mismatched timers is not a problem you'll ever have with neighborships that are active: if the timers are mismatched, the neighborships will not be active anymore. If you have an active neighborship and you change the timers, the neighborship will come down and will not be active anymore. The authentication password: you can set up authentication for OSPF so that you need a password configured in order for it to form a neighborship, and of course that needs to be the same on both sides in order for them to form neighborships as well. So let's take a look at this Wireshark capture real quick. In the very beginning we see the protocol here; it's its own special protocol, OSPF. We have 10.1.2.1 and 10.1.2.2, our two routers, and the hello packets are sent out with the destination of the multicast address for all OSPF routers. Then a little while later (I was in the middle of configuring OSPF before I started the capture, so this is eight seconds or so later) the other guy actually replied and sent out another hello packet. And then this is a direct response: they go to unicast when they're talking to each other directly, once the hello packets have been sent.
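The four hello parameters above can be checked mechanically. The following is an added Python example (mine, not the course's code) that models one OSPF interface per side and returns every reason two sides would fail to form an adjacency: area ID, subnet mask, hello/dead timers and authentication key. The interface values are constructed to mirror the 10.0.0.1 /24 versus 10.0.0.2 /25 mismatch described in the lecture; the default timers of 10 and 40 seconds are the IOS defaults for broadcast links.

```python
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import List


@dataclass
class OspfInterface:
    """Constructed model of one OSPF-enabled interface (not the course's code)."""
    router: str
    address: str            # e.g. "10.0.0.1/24": the interface's own address and mask
    area: int
    hello: int = 10         # seconds; IOS default on broadcast and point-to-point links
    dead: int = 40          # seconds; IOS defaults to four times the hello
    auth_key: str = ""      # empty string means no authentication configured


def adjacency_problems(a: OspfInterface, b: OspfInterface) -> List[str]:
    """Return every reason the two sides would not form an adjacency.

    Checks the four parameters from the lecture: area ID, subnet mask,
    hello/dead timers and authentication.  An empty list means the hellos
    would be accepted on both sides.
    """
    problems: List[str] = []
    if a.area != b.area:
        problems.append(f"area ID mismatch: {a.area} vs {b.area}")
    net_a = ip_interface(a.address).network
    net_b = ip_interface(b.address).network
    if net_a.prefixlen != net_b.prefixlen:
        problems.append(f"subnet mask mismatch: /{net_a.prefixlen} vs /{net_b.prefixlen}")
    elif net_a != net_b:
        # Same mask but a different subnet: the hello source is not on the
        # receiving interface's subnet, which a broadcast interface also rejects.
        problems.append(f"not the same subnet: {net_a} vs {net_b}")
    if (a.hello, a.dead) != (b.hello, b.dead):
        problems.append(f"hello/dead mismatch: {a.hello}/{a.dead} vs {b.hello}/{b.dead}")
    if a.auth_key != b.auth_key:
        problems.append("authentication key mismatch")
    return problems


def will_form_adjacency(a: OspfInterface, b: OspfInterface) -> bool:
    return not adjacency_problems(a, b)


# Constructed pair matching the lecture's example: one side /25, the other /24.
R6 = OspfInterface("R6", "10.0.0.1/25", area=0)
R7 = OspfInterface("R7", "10.0.0.2/24", area=0)

if __name__ == "__main__":
    for problem in adjacency_problems(R6, R7):
        print("no adjacency:", problem)
```

Only the mask differs between R6 and R7, so the function returns a single problem and will_form_adjacency is false; correcting R6 to /24 makes it true. On a real router the equivalent evidence is the adjacency never leaving the INIT or DOWN state, with the mismatched parameter visible in show ip ospf interface on each side.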
Now what they do is send back, at first, database description packets, DBDs, to give a little summary of all of the routes they know about. So let's draw this out. You've got router, router, boom, and you've just configured OSPF on both of them. So they go, hello, hello, and now they're like, all right, great, we can be neighbors, everything matches, awesome. First they're going to select a master and a slave; that just says which one ends up talking first. When they decide who talks first, he's going to send a database description packet. That's this little list here of all of the routes that he knows about. Let's call this one Router 1 and this one Router 2. Router 2 takes a look at this database description and is like, ah, there's this one and this one that I do not know about; the others I'm good, I already know about those. So then he can send back an LSR, a link-state request, as we see here: we've got a link-state request, and this guy will be like, all right, great, I will send you an LSU for that LSR. So he sends the LSUs. They exchange these database descriptions and make sure they are aware of all of the networks each other knows about. They go through this continually: I need to know about this one, all right, here you go; I need to know about that one, all right, here you go; and then, go ahead, I need to know about this one, and he'll send back the information he needs, and so on, until they both have all the information they need to have the full database. And at the end they send each other an acknowledgement saying, great, acknowledged, I received all the information, everything's good to go, and they're all happy.
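The exchange just described, as an added Python example that is not part of the course: two constructed link-state databases, each a map of LSA id to sequence number, are synchronized with the DBD, LSR, LSU and LSAck steps in both directions, and the message sequence is returned so you can see who asked for what. The choice of who talks first by the higher name is an assumption standing in for the master/slave selection by router ID.

```python
from typing import Dict, List

# An LSDB here is just {LSA id: sequence number}; a higher sequence number is
# the newer copy of the same LSA.  Both databases below are constructed samples.
Lsdb = Dict[str, int]


def database_description(lsdb: Lsdb) -> Lsdb:
    """DBD: the headers (id and sequence) of every LSA, no bodies."""
    return dict(lsdb)


def link_state_request(mine: Lsdb, peer_dbd: Lsdb) -> List[str]:
    """LSR: ask for every LSA the peer lists that I lack or hold an older copy of."""
    return sorted(lsa for lsa, seq in peer_dbd.items() if mine.get(lsa, -1) < seq)


def link_state_update(lsdb: Lsdb, requested: List[str]) -> Lsdb:
    """LSU: the full LSAs that were asked for."""
    return {lsa: lsdb[lsa] for lsa in requested}


def install(lsdb: Lsdb, lsu: Lsdb) -> List[str]:
    """Install newer LSAs into my LSDB; the returned list is what the LSAck covers."""
    acked = []
    for lsa, seq in lsu.items():
        if seq > lsdb.get(lsa, -1):
            lsdb[lsa] = seq
        acked.append(lsa)
    return sorted(acked)


def synchronize(name_a: str, db_a: Lsdb, name_b: str, db_b: Lsdb) -> List[str]:
    """Run the exchange in both directions; both LSDBs end up identical.

    The side with the higher name talks first (assumption: stands in for the
    master/slave choice, which real OSPF makes by router ID).
    """
    first, second = sorted([(name_a, db_a), (name_b, db_b)],
                           key=lambda side: side[0], reverse=True)
    messages: List[str] = []
    for (tx, tx_db), (rx, rx_db) in ((first, second), (second, first)):
        dbd = database_description(tx_db)
        messages.append(f"{tx} -> {rx} DBD {sorted(dbd)}")
        wanted = link_state_request(rx_db, dbd)
        if not wanted:
            continue  # nothing missing in this direction
        messages.append(f"{rx} -> {tx} LSR {wanted}")
        lsu = link_state_update(tx_db, wanted)
        messages.append(f"{tx} -> {rx} LSU {lsu}")
        messages.append(f"{rx} -> {tx} LSAck {install(rx_db, lsu)}")
    return messages


if __name__ == "__main__":
    r1 = {"R1": 1, "R2": 3, "10.1.1.0/24": 2}   # constructed
    r2 = {"R2": 5, "R3": 1, "10.1.1.0/24": 2}   # constructed
    for line in synchronize("R1", r1, "R2", r2):
        print(line)
    print("identical:", r1 == r2)
```

Note that R1 requests the R2 LSA even though it already has a copy, because the peer's sequence number 5 is newer than its own 3; that "newer wins" comparison is what keeps the two databases from drifting apart when both sides hold a version of the same LSA.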
Now that they're all synced up and have all the information together, and their neighborship is formed, they just send hellos. Hello, hello, and they do that on their hello timers, at that frequency, forever, until some change happens. Then a link-state update is sent out as a notification that the topology has changed. So let's talk a little bit about how we configure OSPF and some of the pieces that are needed. One of the needed pieces is a router ID: every OSPF router must have a RID, a router ID. This is the thing that goes into your database description; this is the router ID that knows about these networks, or is the advertising router ID for these networks. The router ID is selected in the following order. First, it will take a statically configured router ID: you can go into router ospf 100, to get to your OSPF process 100, and configure the router-id command, and that will statically set a router ID. Next, if you don't have that configured but you do have a loopback interface configured, it will take the highest IP address of a loopback interface. Now, what do we mean by highest? Take your IP address, let's say 192.168.1.1. If you think about this as pure decimal instead of dotted decimal, then this would be a really large number, like 19,216,811 with commas in it. So if we have 172.16.1.1, then 192.168 is the larger number: that's 19 million, whereas this is 17 million, right? So this one up here is the larger number. If this belonged to Loopback0 and this belonged to Loopback1, then the 192 address, the Loopback0, would win, because that is the larger number, and then the same logic applies.
If you do not have a loopback interface configured, then it will take the highest IP address of a regularly configured interface. So if all of your interfaces are 10-dot-something, and then you have one interface, say Fa0/0, that is 192-dot-something, then it will take that 192 address as the router ID. The router ID is in the form of an IPv4 address, and something to note as well: for OSPFv3, which is OSPF for IPv6, the router ID is still an attribute that exists, and it is in the same form, the form of an IPv4 address. It's just the form of the router ID; it looks like an IPv4 address, but it is not necessarily a valid IP address, since you can just configure the router ID to anything. So don't necessarily take it as an address the router is reachable on. Interfaces: when you configure OSPF, the interfaces must be configured to participate in OSPF in one of two ways. You can either use the network command in router configuration mode. To create your OSPF process, in global configuration mode you go router ospf and then a process number. This process number is locally unique only: it does not matter if the process number matches between your routers, but it's a good idea and best practice to keep it matching so that you don't confuse yourself while you're going through your routers and configuring this. So you could do router ospf 100; great, now you're in router configuration mode, and you can use the network command: network, then you give the network, and then you tell it what area that is in. What that actually does is cause the router to look for any interfaces whose IP addresses, whose networks, are part of that network.
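Both pieces of the configuration model above, the router ID selection order and the network statement deciding which interfaces run OSPF, can be shown in one small added Python example (my own, not code from the course). It picks the router ID as static, then highest up loopback, then highest other up interface, comparing addresses as 32-bit numbers, which is the precise form of the "bigger number wins" rule; and it applies network statements written with a wildcard mask, the inverse of the subnet mask, to a constructed interface table. The interface names, addresses and area numbers are constructed; the most-specific-match rule for overlapping network statements is how IOS resolves them.

```python
from ipaddress import IPv4Address, ip_interface
from typing import Dict, List, Optional, Tuple

# Constructed interface table (not from the course): (name, address/prefix, is up?)
Interface = Tuple[str, str, bool]


def select_router_id(static_rid: Optional[str], interfaces: List[Interface]) -> Optional[str]:
    """Pick the OSPF router ID in the lecture's order:
    1. a statically configured router-id,
    2. else the highest IP on an up loopback interface,
    3. else the highest IP on any other up interface.
    IPv4Address objects compare as 32-bit integers, so max() is the exact
    form of the 'largest number wins' comparison."""
    if static_rid:
        return static_rid
    up = [(name, ip_interface(addr).ip) for name, addr, is_up in interfaces if is_up]
    loopbacks = [ip for name, ip in up if name.lower().startswith("loopback")]
    candidates = loopbacks or [ip for _, ip in up]
    return str(max(candidates)) if candidates else None


def wildcard_match(network: str, wildcard: str, address: str) -> bool:
    """A wildcard 1-bit means 'don't care'; the statement matches when every
    0-bit position is identical between the statement's network and the address."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(network)) & care == int(IPv4Address(address)) & care


def interfaces_enabled(statements: List[Tuple[str, str, int]],
                       interfaces: List[Interface]) -> Dict[str, int]:
    """Which interfaces the `network <net> <wildcard> area <n>` statements turn
    OSPF on, and in which area.  When several statements match one interface,
    the one with the fewest wildcard bits (the most specific) wins."""
    enabled: Dict[str, int] = {}
    for name, addr, _ in interfaces:
        ip = str(ip_interface(addr).ip)
        matches = [(bin(int(IPv4Address(wc))).count("1"), area)
                   for net, wc, area in statements if wildcard_match(net, wc, ip)]
        if matches:
            enabled[name] = min(matches)[1]
    return enabled


# Constructed router: three 10.x.0.0 interfaces plus one 192.168 interface.
ROUTER: List[Interface] = [
    ("FastEthernet0/0", "10.1.0.1/24", True),
    ("FastEthernet0/1", "10.2.0.1/24", True),
    ("Serial0/0",       "10.3.0.1/30", True),
    ("FastEthernet1/0", "192.168.99.1/24", True),
]

if __name__ == "__main__":
    print("router-id:", select_router_id(None, ROUTER))
    print("network 10.0.0.0 0.255.255.255 area 0 ->",
          interfaces_enabled([("10.0.0.0", "0.255.255.255", 0)], ROUTER))
```

With no loopback the 192.168.99.1 interface wins the router ID; adding Loopback0 at 7.7.7.7 makes 7.7.7.7 win even though it is numerically smaller, because loopbacks are preferred before the comparison happens. The single network 10.0.0.0 0.255.255.255 area 0 statement enables the three 10.x interfaces and leaves the 192.168 one out, which is the same effect as putting ip ospf 100 area 0 on each of those three interfaces by hand.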
Let's say you have a router with three interfaces here, and this one is in 10.1.0.0, this one in 10.2.0.0, and this one in 10.3.0.0; let's say the router is .1 on each of these networks. In our router configuration mode, when we put in the network command, let's say we put in 10.0.0.0 and make it a /8. It's going to ask for a wildcard mask, I believe, so that'll be 0.255.255.255. Then that network command, 10.0.0.0/8, actually includes all three of these interfaces, so that one network command will cause OSPF to run on all three of them, because all of them are included in the network you provided. Alternatively, you can configure OSPF to run on the interface directly, in interface configuration mode, using the ip ospf command: ip ospf, then the process number, then area and the area number. So it's ip ospf 100 area 0. That would be your command at interface configuration mode to set that interface to run OSPF and be part of this particular area. Excellent. Well, thank you for running through that with me. Just like the others, let's go through a couple of practice questions before we end off, and I do promise that in the next video we're going to go through a lab of setting up OSPF. I just wanted to run through the theory first, as far as how it's configured and what kind of attributes it works with, so that we can go into the lab a little more informed and do it a little quicker. So first up: an OSPF router has the following interface IP addresses configured and no specified router ID. What will the router use as its OSPF router ID?
Now, we did mention two things here. The big one, the takeaway, is that it will use the highest IP address, and the highest IP address is really, if you take away the dots and treat it as plain decimal instead of dotted decimal, the highest number. But what it will use over a regular interface is a loopback interface, and it's the highest loopback that wins. So the answer here is actually Loopback0 at 7.7.7.7; the answer is C. This is because even though FastEthernet0/1 has a higher IP address, 192.168.2.7, we do have a loopback here, so it will use that over any other regular interface, and it will use the highest loopback if there are multiple. And then finally: given the below topology and interface configurations, will the routers form an OSPF neighbor relationship? We've got just two routers, Router 6 and Router 7, connected with Fa0/1 on each side, and they're both supposed to be in area zero. At the interface level we have the configuration ip ospf 100 area 0, so they are in the correct area, and they both have the same process number, though that is not something that needed to match. They both have an IP address configured, so they will have a router ID. But a problem here is that our subnet mask does not match: on Router 6 this is a /25, whereas on Router 7 this is a /24. Because their subnet masks do not match, they will not form an OSPF neighborship. So the answer here is B, no. I hope that this has been informative for you, and I would like to thank you for viewing.

26. 3.5 OSPFv2 Part 2

OSPF part 2: broadcast and point-to-point networks. OSPF handles broadcast networks, like your regular Ethernet network, a little differently than it handles a point-to-point link.
In order to understand that, we need to go over what a DR and a BDR is: the designated router and the backup designated router. You might wonder, is a designated router kind of like a designated driver? In a sense, it sort of is. But we'll talk about what that is, and the situation where it becomes useful, in the upcoming slides. Then we'll go into the lab and take a look at specifically what we're talking about, how OSPF handles this, and where you could end up seeing this in the configuration. So let's first talk about the DR and the BDR. A DR and a BDR come into play when you're on a broadcast network, like your Ethernet network. When a topology change occurs, so a network is no longer accessible, a link state changes, what have you, OSPF floods that change out to all full neighbors within an LSU, a link-state update. If we did not have a designated router, then all updates would be sent to all routers by all other routers. Let's talk about what that means. Let's say we've got router, router, router, router, and this guy over here is another router, and this guy is a network, and there's just a switch here, and these routers are all connected to this switch. So we've got Router 1, Router 2, Router 3, Router 4 and Router 5. Now, Router 5: let's say this network right here goes down, boom, catches fire, it's no good. Router 5 is part of this OSPF domain, and it sends a link-state update to its OSPF neighbor, Router 4, saying that this network down here is no longer accessible and it should remove it from its routing table. Awesome. Router 4 receives that and processes it. So Router 4 sends that notification out to all of its full neighbors, which, without a DR or BDR, would be all of these guys.
So it sends it out to Router 2 and Router 3 and Router 1, saying that this network over here is no longer accessible. Router 2 receives that update and sends it out to all of its full neighbors. Then Router 1 sends it out to all of its full neighbors, and Router 3 sends it out to all of its neighbors. And you can see that we suddenly have this storm of traffic, where these guys are all sending these notifications to each other that are just not necessarily needed. We really need to be able to control this and specify that only certain routers should notify the rest of the network that something is down. This is where a DR and a BDR come into play. Let's say Router 1 is our DR and Router 2 is our BDR. What will happen is that Router 4 will receive this notification that the network is down, and it will let Router 1 and Router 2 know about it, and that's all. Router 1 and Router 2 will let everyone else know; specifically Router 1, the DR, will let everyone else know as long as it's there, and the BDR, the backup designated router, doesn't really do much except sit there, ready to act as a backup in case the DR goes down (that's a D, not a B). Then Router 1 will notify the other guys, and that's it, it's over with. The reason why I specified that it floods to all full neighbors specifically is that you will only see a full neighborship form between a router and its DR or BDR, or, if there is no DR or BDR, such as on a point-to-point link (we'll get to that in a moment), then it will flood to its neighbor there, which is a full neighbor but not a DR or BDR relationship. With your other neighbors that are not DRs or BDRs, you'll end up seeing this type of relationship:
It's called two-way: it has a two-way relationship with them, and it will be of the type DROTHER. That's the type of relationship it has with these other routers that are not a DR or a BDR, while the DR and BDR will have full relationships, full neighborships, with all of their neighbors, with all the guys that are not DRs or BDRs. The way a DR or BDR comes into play is that they are elected. The designated router and backup designated router are elected using the router ID: by default the highest router ID is elected as the DR, or you can manually set the priority of your router, where you go in and set the router priority to specify which router is your DR and which is your BDR. In smaller networks this really doesn't have a whole lot of play; if you've only got 5 or 10 routers, it's not going to be a big deal. But if you have a bunch of routers, 10, 50, 100, in the same network here, where you could really cause yourself a storm of traffic in the event of a topology change, then this is where it comes into play, and you'll probably want to pick your beefier routers as your DR and BDR to make sure they are the ones receiving all that traffic and the ones responsible for sending out the notifications to their neighbors. In the case of a point-to-point network, kind of like a serial network, there are only two routers connected, and the notation we're going to use for this looks like a lightning bolt line, like that; that's your serial link. Since it is serial, OSPF is smart enough to realize that on a serial link there can only exist two devices, that it is a point-to-point link, and because of that it does not elect a DR or BDR. It just says there are only two devices here.
We can only communicate with each other, and so be it; they're just in a full relationship with each other. They'll notify each other of all changes, there is no DR or BDR, and it will automatically set the network type to point-to-point. In the show ip ospf interface output I've listed here, you can see the state; it will let you know it's point-to-point, or it might let you know that it's broadcast. We can also set this statically using the ip ospf network command. This is an interface-level configuration command, and you can tell it specifically what type of network it is. If it's coming up as point-to-point but in reality it's kind of a broadcast, say you just have a serial connection to your multi-access, broadcast or multipoint connection from your ISP, then you can set it as broadcast instead. Where this comes into play a little more is when you deal with NBMA networks, kind of like MPLS or frame relay. Really, MPLS is more of a broadcast, but in frame relay you end up with an NBMA network, or a point-to-multipoint network, and those affect OSPF in different ways that we're just not really concerned with right now. The CCNA is not concerned with this in the exam topics, so I won't go into those in detail, but I would be aware of the fact that it is a configuration item available. So let's move on over to what our lab setup is going to be and what we're going to cover with it. The next slide is a little busy, but we're going to run through it slowly; I want to try and clean it up a little. What we've got is our main broadcast network over here, where we have four total routers in this broadcast domain: R1, R2, R3 and, which I decided to add after everything else, R6. Now, I have gone ahead
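The DR/BDR election and the resulting neighbor states, as an added Python example that is not the course's code: given one segment's routers with their priorities, it elects the DR and BDR (highest priority wins, ties go to the highest router ID, priority 0 is never eligible, and a point-to-point link elects nothing), then renders what show ip ospf neighbor would list on a chosen router: FULL toward the DR and BDR, 2WAY/DROTHER between two non-designated routers. The router IDs and priorities are constructed to resemble the lab's four-router segment. One caveat: a real election is not preemptive, so a router that comes up later with a higher priority does not take the DR role from an existing DR; this function computes the outcome of all routers electing at the same time.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def elect_dr_bdr(routers: Dict[str, int],
                 network_type: str = "broadcast") -> Tuple[Optional[str], Optional[str]]:
    """Elect the DR and BDR on one segment.  `routers` maps router ID -> priority.

    Highest priority wins; ties go to the highest router ID, so with the
    default priority of 1 everywhere the highest router ID becomes DR.
    Priority 0 means never eligible.  Point-to-point links elect nothing.
    """
    if network_type == "point-to-point":
        return None, None
    ranked = sorted(
        ((prio, int(IPv4Address(rid)), rid) for rid, prio in routers.items() if prio > 0),
        reverse=True,
    )
    dr = ranked[0][2] if ranked else None
    bdr = ranked[1][2] if len(ranked) > 1 else None
    return dr, bdr


def role(rid: str, dr: Optional[str], bdr: Optional[str]) -> str:
    if rid == dr:
        return "DR"
    if rid == bdr:
        return "BDR"
    return "DROTHER"


def show_ip_ospf_neighbor(me: str, routers: Dict[str, int],
                          network_type: str = "broadcast") -> List[Tuple[str, int, str]]:
    """Constructed rendering of one segment's rows in `show ip ospf neighbor`
    on router `me` once converged: (neighbor ID, priority, 'STATE/ROLE').

    A neighborship reaches FULL when either side is the DR or BDR, or when the
    link is point-to-point; between two DROTHERs it stays at 2WAY.
    """
    dr, bdr = elect_dr_bdr(routers, network_type)
    rows: List[Tuple[str, int, str]] = []
    for neighbor, prio in routers.items():
        if neighbor == me:
            continue
        if network_type == "point-to-point":
            rows.append((neighbor, prio, "FULL/  -"))
            continue
        full = me in (dr, bdr) or neighbor in (dr, bdr)
        rows.append((neighbor, prio, f"{'FULL' if full else '2WAY'}/{role(neighbor, dr, bdr)}"))
    return sorted(rows)


# Constructed segment resembling the lab: R1 with a very high router ID and
# priority, R2 raised to become BDR, R3 and R6 at the default priority of 1.
SEGMENT = {"100.100.100.100": 255, "10.1.23.2": 100, "10.1.23.3": 1, "10.1.23.6": 1}

if __name__ == "__main__":
    print("DR/BDR:", elect_dr_bdr(SEGMENT))
    for row in show_ip_ospf_neighbor("10.1.23.3", SEGMENT):
        print("R3 sees", row)
    for row in show_ip_ospf_neighbor("100.100.100.100", SEGMENT):
        print("R1 sees", row)
```

From R3's point of view the table shows FULL/DR, FULL/BDR and 2WAY/DROTHER, while from the DR every row is FULL, which is exactly the asymmetry the lab output illustrates and the reason a DROTHER never sends an LSU straight to another DROTHER.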
and listed the networks here: we've got the 10.1.23.0 network down here, the 10.1.5.0 network up here, and the 10.1.4.0 network across this serial link here. Router 4 is across the serial link from Router 1, and Router 5 is across the broadcast link: there are only two devices there, but they are directly connected via their FastEthernet0/1 interfaces, so those are broadcast interfaces. What I wanted to show is that right now I have the IP addresses configured on all these interfaces, and I have all the interfaces brought up. So I've got Fa0/0 on all of our routers down here, Fa0/0 on our router up here, Serial2/0 here, and Fa0/1 up here. What I want to do is configure OSPF for all of these with all their interfaces, and get all of these guys in one big area zero for OSPF process number 100. I already have the IP addresses configured; I have those listed here: Router 2 is .2, Router 6 is .6, Router 3 is .3, and so on, to keep things nice and sane for us. And I want to show what our relationship types, our neighborship types, look like from the perspective of different routers here. So from Router 1, when we do a show ip ospf neighbor, what are we going to see? And from Router 3, if we do a show ip ospf neighbor, what are we going to see? I would also like to set our priorities so that we can specify Router 1 as our DR, and then specify one of our other routers down here as our BDR, since really in this larger broadcast domain here, between routers 1, 2, 6 and 3, that's where it's going to have any effect and where we're actually going to see the changes. So with that, since we have the IP addresses already configured, let's get OSPF configured.
I'm going to do this in a way that's not best practice, but just so we can get this going nice and quickly. So let's jump over to Router 1 first. On Router 1 we do enable, and if we do show ip ospf there's nothing here, because OSPF is not yet configured. So we do conf t, router ospf 100, and then here I want to set our router ID, and set this one really high so that we can make sure this guy is indeed our DR: router-id 100.100.100.100. Awesome. Then let's make it so all of our interfaces participate in OSPF, so I'm going to do the whole 10 network, network 10.0.0.0 0.255.255.255, and remember this is a wildcard mask, so it's the inverse of what your subnet mask would be, and it's going to be in area 0. Awesome. So that should bring up OSPF on all of our interfaces. If we do a show ip ospf interface, we see that Serial2/0, Fa0/1 and Fa0/0 are all appearing here, and as a quick thing, we see that our Fa0/0 is of type broadcast, up here Fa0/1 is also of type broadcast, and up here our Serial2/0 is of type point-to-point. That's our network type, and that's going to end up having no DR or BDR on the serial link here; we'll see that in just a little bit. So let's set up OSPF on the other routers real quick, and then we'll take a look at what the neighbor adjacencies look like. Let me get OSPF set up real quick here. Alright. So now that we've got this all set up between our guys, and we made sure that Router 1 is going to be the DR because we set a very high router ID, let's take a look at what our neighborships look like. So if you do a show ip ospf neighbor, here are some interesting things.
First up, on our serial interface we are in a FULL state and we don't have a DR or BDR listed at all; because it's a point-to-point link, there is no DR or BDR election. Now this output shows what the other device, the other router, is. So on our FastEthernet 0/1, where we had Router 5, let's take a quick look back here: on fa0/1 we have Router 5 up at the top there, and Router 5 is actually the DR for this link right here, and Router 1 is the BDR for that link. Cool. So then, if we jump back over to Router 1, we see that on our FastEthernet 0/0 we have a BDR relationship with Router 2 and a DROTHER with Router 3 and Router 6. Now we do have a FULL relationship, a full neighborship, with them, which means that we are going to be sending them our updates because we are the DR, but those two are not a BDR or DR, so they show up as DROTHER. If we go over to, say, Router 3 or Router 6, let's go to Router 6 and do a show ip ospf neighbor. Here we really see where this comes into play: Router 1 (the all-100s router ID) is our DR and we have a FULL relationship with him, and Router 2 is our BDR for this segment, but Router 3 is not a DR or BDR, so it has a 2-WAY relationship and shows as DROTHER. This is where the rule that link-state updates only go to full neighborships really comes into play: from the DR's perspective, everybody is a full neighbor, but from a non-DR or non-BDR we only get a 2-WAY relationship with our other non-DR/BDR neighbors, so we don't send them updates.
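The DR/BDR election and the FULL versus 2-WAY neighbor states just described, modelled as an added Python example (not part of the course). Router IDs and interface priorities are constructed to reproduce the lesson's segment: Router 1 wins with the all-100s ID, Router 2 is BDR, Routers 3 and 6 are DROTHER.

```python
"""Cold-start DR/BDR election on one OSPF segment and the neighbor state each router
reports, as in 'show ip ospf neighbor'. Router IDs/priorities are constructed."""
from typing import Dict, List, Optional, Tuple


def rid_key(rid: str) -> Tuple[int, ...]:
    """Sort key so that 100.100.100.100 compares above 10.1.23.6 (dotted-decimal order)."""
    return tuple(int(octet) for octet in rid.split("."))


def elect(routers: Dict[str, int], network_type: str = "broadcast") -> Tuple[Optional[str], Optional[str]]:
    """routers: router-id -> interface priority. Returns (DR, BDR), or (None, None) on a
    point-to-point link, where no election happens at all.
    Highest priority wins; ties go to the highest router ID; priority 0 is ineligible.
    This models a simultaneous cold start only: the real election is non-preemptive, so a
    router that is already DR/BDR keeps the role when a 'better' router joins later."""
    if network_type == "point-to-point":
        return None, None
    eligible = sorted((r for r, prio in routers.items() if prio > 0),
                      key=lambda r: (routers[r], rid_key(r)), reverse=True)
    dr = eligible[0] if eligible else None
    bdr = eligible[1] if len(eligible) > 1 else None
    return dr, bdr


def role(rid: str, dr: Optional[str], bdr: Optional[str]) -> str:
    if rid == dr:
        return "DR"
    if rid == bdr:
        return "BDR"
    return "DROTHER" if dr else "-"      # p2p links show '-' in the State column


def neighbor_table(me: str, routers: Dict[str, int],
                   network_type: str = "broadcast") -> List[Tuple[str, str]]:
    """Rows as `me` would see them: (neighbor RID, 'STATE/ROLE').
    A full adjacency forms only when at least one side is DR or BDR (or the link is p2p).
    Two DROTHERs stop at 2-WAY: they see each other's hellos but never exchange LSAs
    directly; their updates flow via the DR/BDR instead."""
    dr, bdr = elect(routers, network_type)
    rows = []
    for neighbor in sorted(routers, key=rid_key):
        if neighbor == me:
            continue
        full = (network_type == "point-to-point"
                or me in (dr, bdr) or neighbor in (dr, bdr))
        state = "FULL" if full else "2WAY"
        rows.append((neighbor, f"{state}/{role(neighbor, dr, bdr)}"))
    return rows


if __name__ == "__main__":
    # Constructed fa0/0 segment: R1 forced to DR, R2 to BDR via priority; R3/R6 default.
    segment = {"100.100.100.100": 255, "10.1.23.2": 100, "10.1.23.3": 1, "10.1.23.6": 1}
    for router in segment:
        print(f"--- show ip ospf neighbor on {router}")
        for rid, state in neighbor_table(router, segment):
            print(f"{rid:<18} {state}")
    # Serial link R1-R4: no DR/BDR, neighbor is simply FULL/-
    print(neighbor_table("100.100.100.100", {"100.100.100.100": 1, "10.1.4.4": 1}, "point-to-point"))
```

Run from Router 6's point of view, the table shows FULL/DR for Router 1, FULL/BDR for Router 2 and 2WAY/DROTHER for Router 3, matching the lesson's output; from Router 1 every neighbor is FULL.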
And just to show the perspective of the BDR, if we jump over to Router 2 real quick and do a show ip ospf neighbor, we also have FULL relationships with everyone, but we also see DROTHER for our non-DR and non-BDR neighbors. Awesome. I appreciate you going through that with me. Now, just like the others, let's run through a few practice questions before we end off. First up: when a topology change occurs, which routers does an OSPF neighbor notify? Is it A, all OSPF neighbors; B, all 2-way and full neighbors; C, full neighbors only; or D, no notifications are sent, the changes are reflected in the next LSA exchange? I've been drilling this into your head quite a bit: the answer is C, full neighbors only, which is why we have the FULL and 2-WAY states. And finally: what is the command used to manually set the OSPF network type to point-to-point? I only touched on this briefly, but it's something that might come up. Is it A, from the interface level, ip ospf network point-to-point; B, from router configuration (so if you go into router ospf 100), interface, your interface name, network point-to-point; C, a global configuration command, router ospf network point-to-point; or D, also from interface configuration, ip ospf network type p2p? You can probably tell the answer is an interface-level configuration command, so it's either ip ospf network point-to-point or ip ospf network type p2p. The answer is A: it's something specified on the individual interface, and ip ospf is for configuring OSPF items on your interface; then it's the network point-to-point command. I hope this has been informative for you, and I'd like to thank you for viewing.

27. 3.6 FHRPs: first hop redundancy protocols
This video is meant to cover exam topic 3.5 specifically, which says to describe the purpose of first hop redundancy protocols. I did want to go a little deeper than that and let you not only describe the overall purpose of an FHRP but also give you a sense of what FHRPs are out there, what protocols are out there, how they're configured, how they differ, and a couple of features of each. There are only three. This video is going to be theory only; we're not going to go into the lab and configure any of these, but I will have some screenshots of the command line so you can see how they're configured. They are all pretty easy to get going, in the basic sense at least. They all have some extra features that can be configured, just like any of the other protocols; with OSPF, as we saw, there are a lot of features available, but the exam at the CCNA level is not really concerned with all those features and getting things configured at a more advanced level. It's concerned that you know the basics, what the general configuration looks like, and that you can set this up in a small or medium-sized business environment, rather than tackle a larger environment that might have the more advanced features configured. Starting off, let's talk about what a first hop redundancy protocol is and why it's there. It provides hardware redundancy for an endpoint's gateway. What does that mean? Let's say you've got your servers down here. Notice I've listed these as PC1, 2 and 3, but I'm treating them as servers. We usually have them dual-homed, connected to two different switches at the same time using two different NICs on the server, to get optimal redundancy, and they would likely be in the same VLAN. They're connected to different switches, so if one of these switches goes down,
you're still connected. If one of these links goes down, you're still connected. If one of these NICs goes down, you're still connected. And in this case, if one of these routers goes down, you are still connected because of our first hop redundancy protocol. It provides redundancy for your gateway: when you configure the default gateway on your Windows server here, you're going to point it to, say, 10.1.1.1, and that will be your gateway IP address. Now, the way these first hop redundancy protocols work is that you generally have this kind of virtual router right here: you've got your two physical routers, but they end up creating this virtual router, and that virtual router is really the one that's forwarding your traffic. When you ARP for this IP address, the reply comes from whichever router is active right now, because these generally work in an active/passive format (except for one, GLBP, but we'll get to that later). Only the one that's active will respond to the ARP, and it responds with a virtual MAC address, a MAC address generated for the purpose of the FHRP. In the event that the active router goes down, catches on fire, these two routers have a keepalive timer running between them, so when your active one goes down, your passive one will come up and start responding on that virtual MAC address. Remember, this is at layer 2: you use your default gateway when you're trying to get outside of your network. So what's going to happen when PC1 sends its packet out? You have a destination address; let's say you're trying to get over here to Google at 8.8.8.8. You've got a cloud, boom, connected, and the cloud is connected to these two routers. This looks like a mess, but okay. When PC1 is sending a packet out to 8.8.8.8, what's it going to do?
In that packet, it's got the source IP, which is its own IP address, and the source MAC (I'll just call that SMAC). Then it's got the destination IP, and that's going to be 8.8.8.8, where our packet is destined. But in order to get to that destination IP, it needs to send this traffic to its default gateway, which is this virtual router up here. So the destination MAC is going to be that virtual MAC address. When R8, our active router, goes down and R9 takes over as active, R9 sends out what's called a gratuitous ARP. It says: hey, by the way, this MAC address now resides over here. That way our switches can update their CAM tables and know that this virtual MAC address, this virtual router, now lives out these ports rather than those ports, because R9 is now active in that group instead of R8. That's how these protocols generally work. GLBP works a little differently, and we'll go over that as the last protocol, but generally they operate on the premise of a keepalive plus virtual IPs and MACs. In the case of HSRP, your virtual IP, 10.1.1.1 here, actually cannot be assigned to either of these routers; it needs to be a purely virtual IP address that the virtual MAC is assigned to. So let's talk a little more about HSRP and show how it's configured. HSRP is the hot spare redundancy protocol. It's a Cisco proprietary protocol, and it came out before VRRP did, which is the industry-standard flavor of HSRP when all is said and done. HSRP requires that we use three IP addresses.
Like I said, the virtual IP cannot be assigned to either of your routers. So in a circumstance like this, in our 10.1.1.0/24 network, let's say R8 has .2 and R9 has .3, and then our virtual router right here has .1. That virtual router will have a virtual MAC address that looks like this or this (on the slide), depending on the version of HSRP you're using: version 1 has the former, version 2 looks like the latter, and the XX on the end is the group number of your HSRP failover group, your standby group, in hexadecimal. So group 1 would be 01 and group 10 would be 0A, because remember hexadecimal goes 0 through 9, then A through F; group 11 would be 0B, and so on. This is configured at the interface level with the standby command. It's really easy to get HSRP running in a simple manner: you use standby, your group number (an arbitrary number that just needs to be the same between the routers that you're running), then the ip keyword, and the virtual IP address. So this would end up being 10.1.2.1; I mean, I have 10.1.2.3 here in this configuration, which is totally valid if you had .1 and .2 for your two routers and .3 as your virtual. But if you want to follow best practice for numbering your default gateway, the best practice is to use either the first or the last IP address in your available subnet; then you would do 10.1.2.1 or 10.1.2.254, what have you. But that's all you need to get HSRP configured. Now, as you can tell, the way this ends up working is that it's standby:
it's an active/passive configuration. What you can do, and this has come up in previous Cisco exams, is get HSRP set up in an active/active configuration. Let me erase some of this. If you've got your two routers and your HSRP group 1, with R8 as your active and R9 as your passive, then you can create a second group, group 2, and have R9 be your active and R8 your passive, with a different virtual IP address for that standby group. Then you can point half of your machines at the group 2 virtual IP, say .4, as their default gateway, and the other half at .3. It's a cumbersome and roundabout way of getting an active/active configuration out of HSRP, but it is a valid and supported topology; I just wanted to bring it up in case that comes up as a question. So let's talk about the industry-standard flavor of FHRP, and that is VRRP, the Virtual Router Redundancy Protocol. This works almost exactly the same way as HSRP, with the keepalive and having your virtual router, virtual MAC address and virtual IP address. The most recent version of VRRP is defined in RFC 5798. Now VRRP has a special feature in that it only requires two IPs, and this might be a defining factor in choosing HSRP versus VRRP: if you don't have a lot of IP addresses available and you only have two, you might have to use VRRP instead of HSRP.
It has a virtual MAC that starts and looks like this (on the slide), and in the very same way the XX here is the group number in hexadecimal. When I say it only requires two IPs, it's because the virtual IP can be the IP address of one of the routers; it doesn't need to be an unused address, it can be the address of one of the routers. So if that router goes down or stops working, the other one just takes over as having that IP address. It's configured with the vrrp command, in very much the same way as the standby command: vrrp, group number, the ip keyword, and the virtual IP address you want to use for that group. VRRP works almost exactly the same, with the keepalive between the two so it knows when to fail over, the gratuitous ARPs, and everything like that. Now let's take a look at the one that acts a little different, and that's GLBP, the Gateway Load Balancing Protocol. This is also a Cisco proprietary protocol, and it's the only FHRP to natively support an active/active topology. What this means is that you have two different types of router in your GLBP configuration: an AVG and an AVF. Your AVG is your active virtual gateway, and the AVG responds to all ARP requests. Let's draw out our topology. Let's say we've got three routers here; to keep things simple, a single switch; boom, boom, a cloud; very good, they're connected that way. Then our workstations, one, two and one more, all connected to the switch. So we've got Router 1, Router 2 and Router 3. Let's say Router 1 gets elected as our AVG, and all of the participating routers in GLBP
will be AVFs, and your AVG can also be an AVF. An active virtual forwarder is a router that's handling client traffic; it's forwarding client traffic for you. So this one's an AVF and this one's an AVF. When PC1 down here (let's say PC1, PC2, PC3) sends out an ARP, the AVG is going to respond, and it responds with its own virtual MAC address. The AVG assigns, gives out, virtual MAC addresses to each of our routers; they don't use their own MAC addresses, they use virtual MAC addresses, and the AVG will answer that first ARP with its own virtual MAC. So now, because of its ARP cache, PC1 begins forwarding all of its traffic to that AVF, Router 1. Now when PC2 sends out an ARP request, the AVG, Router 1, is also going to reply, but it replies with Router 2's virtual MAC address, so PC2 will send all of its traffic through Router 2. And when PC3 ARPs for its default gateway, the AVG again responds, this time with Router 3's virtual MAC address, so PC3 sends all of its traffic through Router 3. It does this in a round-robin fashion, distributing the load across your routers so that each successive ARP request gets a reply with the virtual MAC address of the next router in line, the next AVF in line. These routers all have keepalive timers between each other, so they all know which ones are alive or not. So if one goes down, say Router 2 goes down, then Router 3 or Router 1, whichever one is next in line by the priorities, will take over that virtual MAC address.
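The round-robin ARP replies and the forwarder takeover just described, as an added Python model that is not part of the course. Router names, priorities and the virtual MAC strings are constructed (the MACs just embed the group and forwarder numbers in hex, the way the lesson describes the XX group byte).

```python
"""Model of GLBP behaviour: one AVG answers every ARP for the virtual IP, handing out the
virtual MAC of the next AVF in round-robin order; when an AVF fails, a surviving router
takes over its virtual MAC, so clients keep their ARP cache entries and see no change."""
from typing import Dict, List, Optional


class Glbp:
    def __init__(self, group: int, virtual_ip: str, routers: Dict[str, int]):
        # routers: name -> priority (constructed). The highest priority alive is the AVG.
        self.group, self.virtual_ip = group, virtual_ip
        self.priority = dict(routers)
        self.alive = {r: True for r in routers}
        # One virtual MAC per forwarder (constructed: group byte, forwarder byte in hex).
        self.vmac = {r: f"0007.b400.{group:02x}{i + 1:02x}" for i, r in enumerate(routers)}
        self.owner = {mac: r for r, mac in self.vmac.items()}  # vMAC -> router forwarding it now
        self.rr = 0                                              # round-robin pointer
        self.arp_cache: Dict[str, str] = {}                      # client -> vMAC it learned
        self.events: List[str] = []                              # what went on the wire

    def forwarders(self) -> List[str]:
        return [r for r in self.priority if self.alive[r]]

    def avg(self) -> Optional[str]:
        """Active virtual gateway: highest-priority router that is still sending hellos."""
        up = self.forwarders()
        return max(up, key=lambda r: self.priority[r]) if up else None

    def arp_request(self, client: str) -> str:
        """Only the AVG answers; it replies with the next AVF's virtual MAC (round-robin)."""
        fw = self.forwarders()
        avf = fw[self.rr % len(fw)]
        self.rr += 1
        mac = self.vmac[avf]
        self.arp_cache[client] = mac          # client now sends gateway traffic to this vMAC
        self.events.append(f"{self.avg()} (AVG) answers ARP from {client} with {mac} ({avf})")
        return mac

    def fail(self, router: str) -> None:
        """Hellos from `router` stop. Its virtual MAC(s) move to the highest-priority
        survivor, which announces the move with a gratuitous ARP so the switches relearn
        which port the vMAC lives on. Clients' ARP caches need no update."""
        self.alive[router] = False
        survivors = self.forwarders()
        if not survivors:
            return
        takeover = max(survivors, key=lambda r: self.priority[r])
        for mac, owner in list(self.owner.items()):
            if owner == router:
                self.owner[mac] = takeover
                self.events.append(f"{takeover} sends gratuitous ARP for {mac}")

    def next_hop(self, client: str) -> str:
        """Physical router that is actually forwarding this client's traffic right now."""
        return self.owner[self.arp_cache[client]]


if __name__ == "__main__":
    g = Glbp(1, "10.0.0.1", {"R1": 200, "R2": 150, "R3": 100})
    for pc in ("PC1", "PC2", "PC3", "PC4"):
        print(pc, "->", g.arp_request(pc))       # R1, R2, R3, then R1 again
    g.fail("R2")                                  # PC2 keeps its vMAC; R1 now forwards for it
    print("PC2 forwarded by", g.next_hop("PC2"))
    print("\n".join(g.events))
```

Looking at the per-client ARP caches afterwards shows the effect the lesson mentions: several different MAC addresses for the same gateway IP, one per forwarder, and the failed forwarder's MAC still valid because another router answers for it.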
It'll send out a gratuitous ARP and take over that virtual MAC address, so that PC2 (since PC2 was the one using Router 2) doesn't need to send out another ARP and get another reply from the AVG; the virtual MAC address it was using for its gateway is still the same, and Router 3 is simply replying on it now. The switch now knows that the virtual MAC address lives off that port instead of off Router 2's, and that's how that ends up working. Now GLBP does require three IPs minimum: it needs a virtual IP plus an IP address assigned to each router. It's configured with the glbp command, just like the others; to get the basic configuration going, all you've got to do is glbp, group number, ip, and the virtual IP address you want to use. This does mean that if you were to look at the ARP tables of your individual PCs, you'd see different MAC addresses for the same IP address, and that's valid; that's the way it's supposed to be: you get the virtual MAC address of the virtual forwarder that you're using as your gateway. Thanks so much for running through this with me. I know it's been a lot of theory, but, just like the others, let's run through a couple of practice questions before we end off. First up: in the below VRRP topology, what MAC address will appear in PC1's ARP table for 10.0.0.1? So we have a VRRP topology set up here: Router 1 and Router 2 are our physical routers, and we've got a virtual router here. The virtual router is 10.0.0.1, Router 1 is also 10.0.0.1, and Router 2 is 10.0.0.2, so we're using the same IP address for our virtual router as for one of our physical routers, one of the features of VRRP. Now, when PC1 sends out an ARP request for 10.0.0.1, what
MAC address actually shows up? What does Router 1, if that's the active router in this VRRP topology, reply with? Is it our virtual MAC, or the burned-in, physical MAC? Although we didn't say it explicitly, the answer is going to be our virtual MAC address, so the answer is C. That's just how VRRP works: when Router 1, the active, goes down, Router 2 simply assumes the virtual MAC address and sends out a gratuitous ARP, so you have really minimal downtime and interruption when the failover occurs, because it uses the virtual MAC address. Up next: what is the purpose of an FHRP? Is it A, to provide dynamic LAN routing; B, to increase the default gateway bandwidth; C, to provide hardware redundancy for a LAN gateway; or D, to complicate layer 2 communication? I'm sure you could tell immediately that D is just there to make sure you're paying attention; that is not the answer. I wanted to make sure it really came across what the purpose of an FHRP is: it's there to provide failover, to provide hardware redundancy for our first hop, our LAN gateway. So the answer is C, to provide hardware redundancy for a LAN gateway. I hope this has been informative for you, and I'd like to thank you for viewing.

28. 4.1 Configuring source NAT: translating the source network address

NAT is something that has become extremely relevant because of how we access the Internet: translating our source IP address from some internal address we're using, either RFC 1918 private address space or (I've seen it done) a public address space, into a separate public address space on the way to the outside. This hides your internal network.
But it can also be very helpful when you need to do this for routing reasons: if your destination doesn't know how to get to your internal network, or cannot possibly do so because it's RFC 1918 private address space, then you may need to translate the source. This can also be helpful with VPNs where you have overlapping network space; if you have the same network on both sides, you might have to translate the source and create a pseudo-network so that everything is routable and you can actually get communication between the two. Source NAT is often abbreviated SNAT (S-N-A-T), and then there's also destination NAT, where you translate the destination network address: DNAT. So let's first talk about the differences between these. With source NAT you translate the source IP address, and with destination NAT the destination, of course. The way this works: we've got 10.1.2.0/24 here on this side, and let's say 1.1.1.0/24 on this side; this one is .2 and this one is .1. Say this PC over here wants to access this server; say the server is 1.1.1.2 and this is .1 over here, and we want to access the server. We send our packet over with a destination of 1.1.1.2 and a source of 10.1.2.2, and it reaches the router. Now, if we didn't have NAT, the router would forward that on to our server, but the server would receive it and go: oh, I don't know how to get to 10.1.2.0, so it would just drop it and not do anything. Whereas if we have source NAT here, we translate that 10.1.2.x address into a 1.1.1.x address (in the case of port address translation, using the interface address, 1.1.1.1), and that's what the new source IP looks like.
So then, when the server receives that, it sees a source address of this interface, which it knows how to get to, so it sends its reply back to this router with that interface as the destination. The router, in the case of port address translation, looks it up in its table: it has a NAT table with the source addresses and port numbers alongside what they're translated to on the outside, so when that response traffic comes back it knows what it maps to. It goes: oh, well, that was 10.1.2.2 that sent that, so it knows how to un-translate it; it translates the destination back to this PC so that the PC can receive the response traffic. And that's how source NAT works. Destination NAT is more often used for inbound access to some internal device: we say that the 1.1.1.2 address always translates to 10.1.2.2, so that any inbound traffic with a destination address of 1.1.1.2 is translated to this internal address, to allow inbound access to some internal resource from the outside. So let's talk about the types of source NAT. There are three main flavors, and we have stateless and stateful source NAT. Stateless is your static source NAT. This just says that this inside address translates to this outside address: 10.1.1.2 translates to 203.0.113.2, that's it. That's a static NAT translation: any outbound traffic just uses that rule; there's no need for a state table, it's a static translation. Now with pool NAT, or dynamic NAT, say we have a handful of addresses on the outside that we can use, say 203.0.113.2 through .5; say that we have three available IP addresses there and we don't want to create a static NAT entry for each one of them,
because while we only have three computers on the inside here that could possibly get to the outside, we don't really want to specify that each one has to use a specific IP address. So you let it choose dynamically: you let the router know that it has this pool of three addresses available, and for the machines that are allowed (we need to specify which addresses are allowed to be NATed), when outbound traffic is received, if that address, say 10.1.1.1, is allowed to be NATed, then the router looks at its pool of addresses, chooses one that is not being used right now, and assigns that as the NAT translation for that source address. It's just 1-to-1; there's no port address translation happening: all outbound traffic from that host uses whichever public IP the router selected, and that entry goes into the state table. Looking at our table here, 10.1.1.1 matches up to the .3 address, 203.0.113.3, and that's how it's going to translate as long as that entry remains in the state table. Now for the exam topics we don't need to know about port address translation, also called NAT overload after the command that's used, but I did want to brush on it briefly. That's actually what this diagram on the right shows: port address translation. If you follow the steps here, 10.1.1.1 is sending traffic outbound to the host over here; specifically it's sending it to host B, which we can see in our state table as the second entry. So when our 10.1.1.1 inside host sends it out and it gets to the router, the router creates an entry in its NAT table, the state table.
That's the bottom entry here: it's sending to destination port 23 over TCP, so it's telnet; it's trying to telnet to host B. The router makes a note of this, including the source port our computer chose, which is just a random port number that was available on that computer, 1024. It maps the source port and source IP address together. This is source NAT, so it's translating the source address to be this public IP, and the source port, which was available, stays 1024. It keeps our destination IP and port the same, so that when host B receives it, it can reply. Step 3 is when this has been translated and sent out to host B; step 4 is when host B replies, sending it with a destination IP address of 203.0.113.2, because that was the source address we had translated to. Then when the router receives that response traffic, step 5, it un-NATs it: since it has this state table entry, when it receives the response it sees that the source address is this IP and the destination is this IP and port, so it knows it belongs to this entry in the state table, and it un-NATs it so that the new destination address is 10.1.1.1 along with the destination port number here, so that it's appropriately ingested by this computer. Then when 10.1.1.2 tries to do the same and reach host C, the router receives it and creates a new entry in its state table. It's this top entry here, where we have 10.1.1.2 as our original source with an arbitrary, randomly generated source port number; it's trying to telnet to host C, so it just creates a new entry, and both of these entries exist in the state table simultaneously.
So these both look like they're coming from the same public IP address, just with a different source port number. This is where port address translation comes into play: we're translating the port along with the source address so that we can have multiple entries in our state table and allow multiple machines on our inside network to access the outside network using a single outside address. Then here I've just listed the differences between stateful and stateless NAT: when you create a NAT table like this, a state table, that is stateful, and that table has to be maintained by your router, whereas with static NAT, which is stateless, you create a rule, boom, no table is created; you just have the rule saying this inside address is translated to this outside address, the end. So let's talk a little more about the two types of NAT that are covered in the exam, static NAT and pool NAT. We're going to go through what their configuration looks like, and then we're going to go into the lab, actually configure them, and show what happens. First up, static NAT. Like I said, this assigns a single inside IP to a single outside IP; the terminology we'll want to use is a single inside local IP to a single inside global IP. The outside IP is the one belonging to the server or host on the outside that you're trying to connect to. Outside local is how the outside server's address looks from the reference point of your inside device; if you're doing destination NAT, that IP address may be different from the actual outside IP address. Outside global is how it looks to the outside, the actual outside address of that host. The way static NAT is configured is that we need to define which interfaces are our inside and outside interfaces, and then we need to set our rule.
The way this goes is that you'll want to set your rule first: ip nat inside source static, so it's source NAT and the static flavor, followed by the inside address that is translated to the outside address. After you create your rule, you go to your interfaces and specify ip nat inside and ip nat outside on your inside and outside interfaces, and that's all you've got to do. We have our rule for the static NAT, we specify which interfaces it applies to, and boom, we're done. Now with pool NAT, it gets a little more complicated: we have multiple outside addresses we can use, which means we should have multiple inside hosts able to use those outside addresses, but we need to specify who those hosts are, and we do that with an access list. With a standard access list you're only specifying the source IP address. I created a named standard access list here called inside hosts, and it covers the entire 10.0.0.0/24 network. Then you also need to create your pool of outside addresses that are able to be used, and you do that with the ip nat pool command: you name your pool (I named it outside pool here), then you specify the starting address of the range, the ending address of the range, and the netmask for those addresses, which will be the netmask of the outside interface. These would be public addresses that you have available for your organization, assigned by your ISP, that you are allowed to use. Once you have your pool and your access list defining the inside hosts allowed to use that pool, you create your rule: ip nat inside source list, the inside hosts that are allowed to use your pool, pool, and the pool of outside addresses they're allowed to use. Then you specify your inside and outside interfaces for your NAT.
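The three source-NAT flavors covered above (static, pool and PAT/overload), including how reply traffic is un-NATed from the state table, as an added Python model that is not part of the course. Inside and outside addresses are the lesson's; the outside hosts on 198.51.100.x are constructed, and the rule order (a matching static rule wins over dynamic) follows the configuration described rather than any particular IOS internals.

```python
"""Model of a source-NAT router: static (stateless rule), dynamic pool (1:1, stateful)
and PAT/overload (many:1 on ports, stateful). Addresses are constructed for this example."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    def __init__(self, inside_acl: str, static: Optional[Dict[str, str]] = None,
                 pool: Optional[List[str]] = None, overload_ip: Optional[str] = None):
        self.inside_acl = ip_network(inside_acl)      # 'ip access-list standard INSIDE_HOSTS'
        self.static = dict(static or {})              # inside local -> inside global, no state
        self.static_rev = {g: l for l, g in self.static.items()}
        self.pool = list(pool or [])                  # 'ip nat pool OUTSIDE_POOL ...'
        self.overload_ip = overload_ip                # PAT: one global address, many hosts
        self.pool_state: Dict[str, str] = {}          # inside local -> pool address in use
        # PAT state table: (global ip, global port, proto) -> (inside local ip, inside port)
        self.pat_state: Dict[Tuple[str, int, str], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside. Returns the translated packet, or None if it is dropped."""
        lip = pkt.src_ip
        if lip in self.static:                        # stateless: rule only, no table entry
            return replace(pkt, src_ip=self.static[lip])
        if ip_address(lip) not in self.inside_acl:    # not permitted by the ACL: not translated
            return pkt
        if self.pool:                                 # dynamic 1:1 from the pool
            gip = self.pool_state.get(lip)
            if gip is None:
                free = [a for a in self.pool if a not in self.pool_state.values()]
                if not free:
                    return None                       # pool exhausted: packet dropped
                gip = free[0]
                self.pool_state[lip] = gip            # entry lives until it times out
            return replace(pkt, src_ip=gip)
        if self.overload_ip:                          # PAT: keep the source port if it is free
            port = pkt.src_port
            while (self.overload_ip, port, pkt.proto) in self.pat_state and \
                    self.pat_state[(self.overload_ip, port, pkt.proto)] != (lip, pkt.src_port):
                port += 1                             # port taken by another host: next free one
            self.pat_state[(self.overload_ip, port, pkt.proto)] = (lip, pkt.src_port)
            return replace(pkt, src_ip=self.overload_ip, src_port=port)
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Static rules always un-translate, so a static mapping exposes
        the inside host to unsolicited traffic; dynamic entries only match existing state,
        so anything with no state entry is dropped (None)."""
        dip = pkt.dst_ip
        if dip in self.static_rev:
            return replace(pkt, dst_ip=self.static_rev[dip])
        for lip, gip in self.pool_state.items():
            if gip == dip:
                return replace(pkt, dst_ip=lip)
        hit = self.pat_state.get((dip, pkt.dst_port, pkt.proto))
        if hit:
            return replace(pkt, dst_ip=hit[0], dst_port=hit[1])
        return None


if __name__ == "__main__":
    pat = NatRouter("10.1.1.0/24", overload_ip="203.0.113.2")
    out = pat.outbound(Packet("10.1.1.1", 1024, "198.51.100.10", 23))   # telnet to host B
    print("translated:", out)
    print("reply un-NATed:", pat.inbound(Packet("198.51.100.10", 23, "203.0.113.2", 1024)))
    print("unsolicited inbound:", pat.inbound(Packet("198.51.100.99", 4444, "203.0.113.2", 8080)))
```

The two lesson entries (10.1.1.1 and 10.1.1.2 both telnetting out) land in one state table under the same global address, distinguished only by the translated source port, which is what lets the router route each reply back to the right inside host.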
Now, this does go ahead and create an NVI, a NAT virtual interface. You'll end up seeing that in the log items in the syslog as we're going through the configuration of the lab. So let's jump into our lab and get static and pool NAT configured here and show what that looks like. So here's our lab. This area here is our inside; this is the 10.1.1.0/24 network. The router here has .1, PC1 is .2, and PC2 is .3. And then our outside here: the router has an outside interface IP address of 1.1.2.1, and it is a /29 network. The gateway it is using is 1.1.2.6. This leaves, for our outside static and pool NAT, the usable addresses of 1.1.2.2 through .5; those are our available addresses for our static and pool NAT on the outside. And we'll be trying to access a server here that has the address of 10.2.2.2. Now, in reality, there's a router right here that is 10.2.2.1, and the server has a default gateway pointed to that router, and this router here has no default gateway. But our router 1 here has a gateway of this router, which is 1.1.2.6. So think about it: when PC1 tries to access the server here, our traffic is going to go over to router 1. It's going to have a source address of 10.1.1.2. Now router 1 is going to translate that to have a source address of 1.1.2.2; let's just say it uses that address. And then it's going to forward that over to our router here, to its gateway, because router 1 doesn't really know how to get to the 10.2.2.0 network. So it just forwards it to its gateway, which is the router here. Now, this network is directly connected for that router, so it forwards it to the server, and the server will reply back, sending it to its gateway, which is also this router here.
And then since the source address looked like 1.1.2.2, this router knows how to get there, because that's in its network right here on this connection between that router and router 1. It'll forward it back over to router 1, router 1 will un-NAT that traffic, because it was translated, and forward that response over to PC1. Now, I hope you stayed with me there. Let's go ahead and jump into GNS3 and take a look. I've gone through and configured all the interface IP addresses here, and I've configured the default gateway on PC1 and PC2 to be router 1. I have configured the default gateway on the server here to be this router that I have represented by the Internet cloud here. So the only thing that we need to do is to configure our NAT on router 1. Now, I also want to go through and do some Wireshark captures so you can see that the traffic is being translated, and then we can also do some show commands on router 1 so you can see how to verify that our NAT is indeed working. So let's jump on over to router 1 here and we will get that configured. So if I go to router 1, let's go enable. First, let's do a show run. So we have FastEthernet 0/0 as our inside interface there with 10.1.1.1. I know it's set to half duplex and 10 megabits; that's just because the layer 2 switch in GNS3 is an Ethernet switch that operates at 10 megabits half duplex, so I put that there so we don't get spammed by a bunch of log messages. And that's really about all the configuration we have. There's our default route here, pointed over to 1.1.2.6 for our gateway. And that's about all we've got. So let's go ahead and configure NAT. Do config t. I will first do our static NAT rule. We're going to do ip nat inside static... I'm sorry, inside source static. Excellent. And then we will set our inside local IP address. So we're going to allow PC1 to go ahead and access our server here.
Since we only have one NAT command here, one source static NAT, we're just going to allow PC1, so we'll do 10.1.1.2, that IP address, and we want to translate this; this will translate it to 1.1.2.2. And that's all we've got to do. There's our NAT rule. So now let's go to interface FastEthernet 0/0. Now, this is going to be our inside. We do ip nat inside, and there's the creation of our NVI right there; that takes a few moments. Excellent. Interface FastEthernet 0/1, I'll set this as ip nat outside. Excellent. And now that we've done that, if we go and just do show ip nat statistics, here we have one active static translation, because we have this rule configured, so there is a static translation there. Now, this does say there are a few hits and misses; that's because I was experimenting with this a little bit before. But let's go over to PC1 now and just ping 10.2.2.2, and that is successful. Now let's find out what is happening there. Let's run on over to GNS3 and let's run a capture right here and then also right here. Let's move that out of the way so I can actually get to the link, and go start capture and go OK. And then I'm going to wait for Wireshark to load up, and then let's go ahead and ping one more time. There we go. All right, let me go ahead and move these captures over into view here. First up is the capture between the switch and the router. Here we see we've got our source 10.1.1.2 and our destination 10.2.2.2, and we have an echo request going out. And then we get our response, and it has a source of 10.2.2.2, our server that we tried to ping, and the destination is 10.1.1.2, PC1. Now, if we take a look at what this same traffic looks like on the outside of router 1, then we see that our source address got translated.
Here our source address is 1.1.2.2 now, and our destination is 10.2.2.2, and then the response here is the same: our source is 10.2.2.2 and our destination is 1.1.2.2, so that got un-NATed on the response here, and we see our response ends up having the destination look like 10.1.1.2. And that's what our source NAT does: it translates it going out and un-translates it coming back in. Excellent. So now let's go ahead and remove that configuration and take a look at what happens when we do pool NAT. But first, I want to show you here real quick, if we do a show ip nat translations: this has the translation listed here, because this is a static translation, and our inside global is our 1.1.2.2, our outside interface IP address, that is being translated to our inside local, which is PC1's IP address of 10.1.1.2. If I go config t, let's remove our NAT rule. Oops, let's go no and remove our NAT rule, and let's do a do show ip nat translations: now we don't have any translations, because our rule is no longer there. So let's go on over to our interface FastEthernet 0/0 and do no ip nat inside, and interface FastEthernet 0/1 and do no ip nat outside. Awesome. So now that we're starting back from the beginning here, let's go ahead and set up our dynamic NAT, our pool NAT. So the first thing we need to do here is to create an access list, a standard access list, that defines our inside network addresses that are allowed to be NATed. Let's do ip access-list; it's a standard access list, and we're going to call this inside-hosts. Awesome. And then we're going to have this be a permit statement. Now, just to make sure: the common entry that you usually end up having at the end of an access list is permit any any, to go ahead and make sure that anything is allowed. You will not want to do that here, because we're only permitting the addresses or the networks that are allowed to be NATed.
So we're going to go ahead and permit the 10.1.1.0/24 network. So 10.1.1.0, and then these are wildcard bits, so we've got 0.0.0.255, since it is the inverse of a netmask. And that's all we need. Awesome. Now that we've created our access list called inside-hosts, let's go ahead and create our NAT pool. So do ip nat pool; I called this nat-pool, and the start address here is going to be 1.1.2.2. And remember, the last available IP address we could use on the outside was 1.1.2.5, and the netmask on the outside here is going to be 29 bits, so 255.255.255.248. Whoops, I've got to write the netmask command and then give it as a netmask. I could have specified the prefix-length command and given 29 instead, but I figure writing it in dotted decimal is a little better for practice here. And there we go, we've got our NAT pool configured. So now let's go ahead and create our dynamic NAT rule. It'll be ip nat inside source, and here is where we do list, and this is an access list describing local addresses; this is inside-hosts. Let's just make sure that's correct. Yes, inside-hosts. And then pool, and our pool name here is nat-pool. Excellent. And now we've created our dynamic NAT rule here. So now let's go over to our interface FastEthernet 0/0 and do ip nat inside. There we go. And do interface FastEthernet 0/1 and ip nat outside. Excellent. Now, if you go ahead and do a show ip nat statistics, this looks a little different here, right? What's happening is we've got our outside interface, FastEthernet 0/1, and inside interface FastEthernet 0/0, and we have some of the hits and misses here from when we had our static NAT configured. But really, we've got our dynamic mappings here for inside source NAT: we've got our pool here that is listed as nat-pool, and the netmask for that pool is /29. It begins at 10.1.1.2, I'm sorry,
1.1.2.2, and ends at 1.1.2.5. Its type is generic; we don't really need to know what that means. And this tells us the number of addresses available in our pool, the number of addresses that have been allocated, and then the number of misses. So if it receives a translation request, your outbound traffic, but it misses, then that would be listed here. And then here it lists the number of expired translations; this was from when we had our static NAT, and those translations ended up expiring. And here we'll see, as we go ahead and create our translations by sending outbound traffic, our number of dynamic active translations will increase and our number of allocated IP addresses in our pool will increase. And same thing if we do show ip nat translations, but we don't have any translations right now. So then let's go over to PC1 and ping 10.2.2.2 again, and that is successful. Let's go back over to R1 and show ip nat translations. Boom, we have our translation now. This has created a dynamic translation for our port here, saying ICMP, that there's a connection there that will time out, I'm sorry, will expire eventually. But it also created just a static translation for us. And with that, if we jump on over to PC2 here and check real fast, we do show ip interface brief. Excellent, that's configured. show ip route. Excellent, that's configured. Let's do ping 10.2.2.2. It's going to have to ARP around, and then it is successful. Now let's go ahead and jump back over to R1 here. Let's do a show ip nat translations, and we now have two translations listed here. Mind you, these are both for ICMP, showing the protocol, but we've got these static translations here. They're not static, they're dynamic, but these were dynamically created: we've got 1.1.2.2 as our first available and 1.1.2.3 as our second available, so it used the next address available in our pool.
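To make the stateless-versus-stateful distinction from this lesson concrete, here is a small Python model of the three inside-source NAT flavors we've been looking at: a static rule, a dynamic pool gated by an access list, and overload (PAT). This is an added example written for this page, not Cisco code and not part of the course. The addresses are the lab's (10.1.1.0/24 inside, pool 1.1.2.2 to 1.1.2.5, server 10.2.2.2); the Packet and NatRouter names and the packets themselves are constructed for the example. It goes a little beyond the lab in that it also shows what happens when the pool runs out (IOS drops the packet and counts a miss) and how overload shares one address by handing out source ports.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class NatRouter:
    """Toy model of IOS 'ip nat inside source' (constructed for this page, not Cisco code):
    static = stateless rule, list/pool = one inside global address per inside host,
    overload = one address shared by translating source ports (PAT)."""

    def __init__(self):
        self.static = {}       # inside local -> inside global; no table entry is ever needed
        self.acl = []          # networks permitted by the standard ACL named in 'list'
        self.pool = []         # inside global addresses still free in the pool
        self.overload = None   # the single address used when 'overload' is configured
        self.host_map = {}     # dynamic pool: inside local -> inside global (simple entry)
        self.flows = {}        # extended entries: (local, port, proto) -> (global, port)
        self.reverse = {}      # (global, port, proto) -> (local, port), for replies
        self.misses = 0        # 'show ip nat statistics' misses (no address available)
        self.next_port = 1024  # next source port handed out by overload

    def add_static(self, local, glob):
        """ip nat inside source static LOCAL GLOBAL"""
        self.static[local] = glob

    def add_dynamic(self, networks, first, last, overload=False):
        """ip access-list standard ... / ip nat pool ... / ip nat inside source list ... pool ... [overload]"""
        self.acl = [ipaddress.ip_network(n) for n in networks]
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.overload = self.pool[0] if overload else None

    def outbound(self, pkt):
        """Inside -> outside. Returns the translated packet, the packet untouched when no
        rule matches it, or None when the pool is exhausted (IOS drops it and counts a miss)."""
        if pkt.src in self.static:
            return replace(pkt, src=self.static[pkt.src])       # stateless: rule only
        if not any(ipaddress.ip_address(pkt.src) in n for n in self.acl):
            return pkt
        key = (pkt.src, pkt.sport, pkt.proto)
        if key not in self.flows:
            if self.overload:
                glob, port = self.overload, self.next_port
                self.next_port += 1
            else:
                glob = self.host_map.get(pkt.src)
                if glob is None:
                    if not self.pool:
                        self.misses += 1
                        return None
                    glob = self.pool.pop(0)                     # next free pool address
                    self.host_map[pkt.src] = glob
                port = pkt.sport
            self.flows[key] = (glob, port)                      # stateful: remember it
            self.reverse[(glob, port, pkt.proto)] = (pkt.src, pkt.sport)
        glob, port = self.flows[key]
        return replace(pkt, src=glob, sport=port)

    def inbound(self, pkt):
        """Outside -> inside. Un-translates a reply from the state table, or via a static
        rule; anything else is dropped (None), which is why PAT hides inside hosts."""
        hit = self.reverse.get((pkt.dst, pkt.dport, pkt.proto))
        if hit:
            return replace(pkt, dst=hit[0], dport=hit[1])
        for local, glob in self.static.items():
            if pkt.dst == glob:
                return replace(pkt, dst=local)
        return None

    def translations(self):
        """Rows in the spirit of 'show ip nat translations': (proto, inside global, inside local)."""
        rows = [("---", g, l) for l, g in self.static.items()]
        rows += [("---", g, l) for l, g in self.host_map.items()]
        rows += [(k[2], f"{v[0]}:{v[1]}", f"{k[0]}:{k[1]}") for k, v in self.flows.items()]
        return rows


if __name__ == "__main__":
    r1 = NatRouter()                                            # the lab's pool NAT on R1
    r1.add_dynamic(["10.1.1.0/24"], "1.1.2.2", "1.1.2.5")
    for pc in ("10.1.1.2", "10.1.1.3"):
        out = r1.outbound(Packet(pc, 1, "10.2.2.2", 1, "icmp"))
        r1.inbound(Packet("10.2.2.2", 1, out.src, out.sport, "icmp"))
    for row in r1.translations():
        print(row)
```

Run it and the pool case prints the same shape we saw on R1: a simple entry per inside host plus an extended ICMP entry per flow. The static case never touches the table, which is exactly why a static rule also lets outside hosts reach the inside address unprompted, while pool and overload entries only exist once the inside host has sent something.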
If we do show ip nat statistics, we now have two allocated addresses, and we have three dynamic translations and one extended; this is due to our mix between allocated IP addresses and our port translation here, where it's actually paying attention to the layer 4 information, saying that this protocol is ICMP. Great. Now, I know that this has been a little long here, and thanks for taking the time to go through this with me. Just like the others, let's jump through a few practice questions before we end off here, so let's go back over to our PowerPoint. First up: is a NAT pool configuration stateful or stateless? Now, this should be pretty quickly obvious once you realize that we needed to create our translations in that stateful table, in that NAT table, and because of that our pool configuration is stateful; it does need to create this dynamic table, the state table, for the inside/outside mappings. Our answer is A. And then finally, in the below output of show ip nat statistics, what type of NAT is being used? Now, here we see that we do have some active translations and that we do have two dynamic translations. So this alone would kind of tell you that we're not doing static NAT, and that this could be Port Address Translation or it could be pool NAT. And down here we see that we do have a pool configured, and that we have our access list inside-hosts, pool outside-pool. These are our dynamic mappings here, so it is doing pool NAT rather than Port Address Translation. So the answer here would be... I hope that this has been informative for you, and I would like to thank you for viewing.

29. 4.2 Configuring NTP

Network Time Protocol: configuring servers and clients. Network Time Protocol, or NTP, was created back in the eighties, when networks were just in their infancy and a lot of the different protocols and standards that we use today were being developed, created and revised.
And this allowed network devices to go ahead and synchronize their clocks with relatively good precision. There were additional modifications made to NTP for high-precision time synchronization, but NTP definitely gets the job done for us here. With Cisco IOS, we have the ability to configure our devices as NTP servers, such that they act as a master where other devices can synchronize their clocks against it, or as NTP clients, where we synchronize our clock against some other NTP server, that being an external source, maybe on the Internet, or an internal source, perhaps another router or a server within our environment. Or we can also configure them as an NTP peer, which is basically just a server and client where we're synchronizing our clocks against each other. So just as a quick illustration of that, say we've got two routers here and they're connected. If they are NTP peers with each other, then this guy, router 1, and this guy, router 2, are synchronizing their clocks with each other. The one is a server and client, the other is a server and client; they're synchronizing against each other. Now, we also have the ability to do authentication, and we'll talk about that a little more once we get into it in a few slides here. So first up, let's just talk about NTP, Network Time Protocol. As I just said, it allows devices to synchronize their clocks. The current revision is NTP version 4, and this is defined in RFC 5905. You don't necessarily need to know this, but it's a little tidbit of information that might be helpful later. It generally operates in the client-server model rather than our peering.
As I just explained, the client either polls the server (it can request an update from the server by polling it), or the server can be configured such that it is just broadcasting time updates periodically: after a certain number of seconds or minutes, it goes ahead and broadcasts a time update, and your client can just be configured to listen for that broadcast rather than poll the actual server for a time update. In this lab here, when we get to that, we're going to end up setting this up in the polling method with the client-server model, such that we're actually polling our server. And this operates over UDP port 123 by default. This is connectionless, as you can see, since it does operate over UDP. We can change that port number, but this is how it operates by default. Now, one of the words used in NTP is stratum, and the concept of a stratum level. Now, a stratum level is how many hops you are from a reference clock, or from the most trusted clock. So up here, this stratum 0 reference clock: this is going to be your atomic clock, or your cesium atom fountain, where, you know, this is over in Denver, Colorado, in the United States, or other various areas in the world where they have this highly guarded atomic clock that is defined to be the time source, and that is a stratum 0 clock. You cannot configure a Cisco device to be a stratum 0; you can set it to be a specific stratum level, like 1, but it will not accept a stratum 0 as a configuration item there, because it knows that it is not a stratum 0 clock; that is going to be like our atomic clock and other various reference clocks that are most trusted. Every hop you go down adds a number on there, so the ones that are connected directly to those clocks are going to be stratum 1, devices that are connected to those servers are going to be stratum 2, devices connected to those are going to be stratum 3, and so on and so forth.
And we'll see where that comes up in our configuration and our verification commands in a little while here. So for our NTP server: if you want to go ahead and configure a device as an NTP server in IOS, it must either be defined as an NTP master or it has to sync its clock from another time source in order to be a server. So, in order for clients to be able to poll your device, say we've got our router here and we've got another router here, and these guys are connected, and we want this one to be our client and we want this guy to be our server. We're going to call these 1 and 2, and our client here is polling our server. If our server is not defined as an NTP master and it is not syncing its clock against some outside time source, then this just won't work; it will not allow you to sync that clock, because number 2's clock here is not considered to be trustworthy at all. It's not syncing from some source and it's not defined as being a master. So we do need to go ahead and do that. Our default polling interval for our clients, and we'll end up seeing that in our configuration, ends up being 64 seconds, and three successful polls are needed to synchronize our clock. This is why people say that NTP is not a fast protocol: as you can tell right now, it takes upwards of three minutes to go ahead and sync your clock the first time here, and from there little adjustments are made during each poll. But our default interval is one minute, or just over that, at 64 seconds. There's no configuration needed to be a server if the time is already being synced from another source. As we can tell here, if you're already syncing and you're using the ntp server command that you'll see in the next slide, this command is what allows us, and you'll give an IP address here, this is what tells our device to be an NTP client and to sync from a server.
With this IP address, if you're already syncing from some other server, then great, you are a server now; you can accept NTP client polling messages and you'll respond to them. You are a server now, by default; there's no additional configuration needed. You don't need to specify your device to be an NTP server. And, as I said, use the ntp master command, a global configuration command, to set this device as a server without syncing it from an outside time source, to say that our clock is considered trustworthy even though it's not being synced from another source: I'm considering this to be trustworthy, and I will serve out this time as a trusted source. As far as authentication goes, to configure authentication on the server side you'll need to specify an authentication key with the ntp authentication-key command. And this actually takes the form of ntp authentication-key, you give a key number here, specify that it is an MD5 hash that it will be using to transmit that key (other versions perhaps have other methods, but as you'll see in our configuration, we will only have the option for MD5), and then we're going to specify some string here as our key. So that's actually the format of the whole command: we give ntp authentication-key, give a key number, specify md5 to transmit, and then we specify our actual key. And then by default, NTP authentication is disabled both on the client and on the server, so we need to enable NTP authentication by specifying ntp authenticate. Now, that's how we configure our server, right? It either needs to sync from outside or be an NTP master, and then we can configure our authentication in this manner here. Now, for our client configuration, there's a little more that needs to be done for our authentication, but beyond that there's only one command really that's needed to configure our device as an NTP client.
And that's the ntp server command. If you don't want to use any authentication, great, just specify ntp server and give the IP address of your NTP server, and that's it. You don't need to do anything else in order to synchronize your clock. We can go ahead and verify our NTP configuration and synchronization using the commands down here: show ntp status and show ntp associations. Our first output here is show ntp associations; I'll explain the rest of this output in just a moment. And down here, this is show ntp status. So first, our configuration for our authentication is just a little more involved. We need to specify our NTP authentication key, just like with the server, and then we also need to specify that we want to use this key for authenticating the server that we're trying to synchronize with. We do that with the ntp trusted-key command, to authenticate the server, and then of course we also need to enable NTP authentication with the ntp authenticate command as well. Now, if you're doing the peer configuration, remember that's where we have two devices here, they're connected, and they're actually synchronizing against each other. In order to do that with authentication, we also need to specify our authentication key in our ntp server command. So it's actually ntp server, you give the IP address, and then you specify key and give your key number here that it will be using for your peer authentication. We won't be doing the peer configuration or authentication here, just the client-server, but that may come up in the exams, so I'm going to cover that briefly. So our verification commands; let's go over these real quick. So the show ntp associations, that's our first output here. First up, down here, the first column is the address. This is the IP address of the NTP server that we are using to synchronize ourselves; this is the IP address we are polling to try and synchronize. The reference clock, ref clock:
This is the IP address of the server that our server, the one we're trying to poll, is synchronizing from. This 127.127.1.1 is a loopback address that indicates it is synchronizing from itself, that it is actually configured as the NTP master; we'll see that in the lab in a few minutes when we go into that. But this is just saying that the server here that we're synchronizing with is specified as an NTP master, synchronizing against itself. The st column, this is the stratum, the stratum number of the server we're synchronizing with. It is stratum 16. when is saying how many seconds ago we last polled the server. poll is the frequency in seconds at which we poll that server. And the last four here, reach, delay, offset and dispersion, these are just some specifications about the time difference between our clock and the server's; we don't really need to pay attention to that. The CCNA exam is only going to cover configuration and the verification commands, where you would find certain information; this gets a little deep into the theory here of how NTP works and how it ends up actually synchronizing your clock. So the second verification command here is your show ntp status. This gives you a lot of information as well; not all of it, most of it actually, you just don't need. So first up, in our first line here we see our clock is synchronized. In the event that we were not synchronized, this would say clock is unsynchronized. And since it is synchronized, it's telling us at what stratum level it is and what the reference clock is. So this reference clock is different than this column here. This reference clock is the address we are syncing against; since we are synchronized, this is the one we are syncing against, and it matches the address number up here, the 68.134 address, down here.
Most of the other information is just giving you information about the clock frequency, the hardware clock, and also our dispersion and peer dispersion, the delay and offset, the other information from the ntp associations command that I was saying we don't really need to pay attention to. Our reference time, it gives it here in hexadecimal as well as in a standard time format here, for the United States: day, month, year, day of the week, etc. This is in UTC time, Coordinated Universal Time, and also what the precision is and the frequency. You don't really need to know how this applies; in general, you won't ever use that. The items that you'll want to notice or take note of are: this is where you see whether your clock is synchronized or not and who it's synchronized against, and you see that in your show ntp associations as well. Something as well in our show ntp associations command, if we come back to that for just a minute here, is the legend down here: in the event we have multiple NTP servers configured, which we can, it will go ahead and poll each one and end up determining which is the most accurate, and be able to choose that server as the one to synchronize against. So the server with the asterisk next to it, this is the one that we're synced with. If it has a pound sign next to it, it's a master, but we are not synced against it. It could be selected, with the plus sign, but that's if we have multiples; then it will select whichever one is the most accurate, and the asterisk ends up confirming that we are actually synced with that. The minus, or the hyphen, sign here, this is a candidate; this would also show if we had multiple NTP servers configured. And then also, as well, whether it's configured, with the tilde sign here.
As we can see, we configured this NTP server and it is our master and synced, so it has the asterisk and the tilde next to it there. And then lastly, on this side, the last thing before we jump into the lab: real quick, I want to take a look at the Wireshark capture of an NTP poll here. So the first bit is that we can see our source; this is our NTP client here, and this is our NTP server. The .129 is the server, .131 is the client. We send out our poll and we get it back. And if you notice here, 64 seconds went by between when our first poll happened and our second poll happened; that is our default poll interval here. And the type of information that is included in this: first it's saying that we're using NTP version 3, and that we have a client message and a server message in response, and this gives us a whole bunch of information. Here we are using authentication, and we're using key number 1 with our authentication. When I said we specify the key number, this is actually saying in our NTP packet here which key ID we're using. Here's the information about the time: the reference timestamp, origin, receive, transmit timestamp, the reference ID, the root dispersion, delay, etc., and also the clock stratum number; that's an interesting one to know there as well, going back to that stratum and how far away we are from a master clock, or from the most trusted clock. All right, cool. So let's go ahead and jump into the lab here. Let's take a look at what our topology is going to be, and we will get NTP server and client configuration going and configure the authentication between them as well. And this will be pretty quick here for us. So let's go ahead and take a look at our lab here. We're going to have three total devices: we've got R3, R1 and R4. I know the naming is not awesome; I ended up playing with this lab for a little while here, and this is what I settled on.
So, of course, going with our usual convention is that our network between our three and router one is gonna be 10.3 dot one as a slash 24 and between router one and router for its could be 10.1 dot for its also a slash 24. Also staying with convention is that router one is 10.1 on its interfaces around. Forced out for round three is 30.3 etcetera. On that, what we're gonna do is we're gonna set Router four to be an NTP master. It's gonna be a master router. One is gonna go ahead and sink with router for, and Router three is going to sink with router one. That router one is going to be both a server and a client. And Router three is just going to be a client and router for is just going to be a server. It's gonna be configured as an NTP master, so it does not need to synchronize against an outside time source. So let's go ahead and first jump into router for and get that configured. We are going to dio authentication between all these guys here that will need to go ahead and configure router for to have a authentication key and to enable authentication on. We'll need to configure router one with a trusted key for what to use coming from Router four and then also with an authentication key and to enable authentication and then router three with the trusted key as well. Very similar router one. It's gonna end up being about the same. So it's first jump over the router four and get that configured. I have already configured the I P addresses on our interfaces here and the host names, but that is it will just need to go ahead and configure and teepee and the authentication, so it's going over router for here throughout her four. We're gonna go ahead and enable no convict e First, let's do a show. Do show run include MTP We do not have any NTP configuration commands in our running config . 
Now, if I do a do Show NTP association that we don't have any NTP associations if I do a do show NTP status, our clock is a NSYNC rin ized where at stratum 16 were considered the least trusted possible and that we do not have a reference clock, we'd have no reference clock were a NSYNC Rin ized. So let's go ahead and set ourselves as a master. But actually, before we do that, let's configure our authentication. No, quick, let's do NTP authentication key. And then here, we specify, are key number do key number one. It's gonna nd five hashing that will use to transmit that key, and our key heroes is Call it anti peaky. And that's all we need. Awesome. So and let's go ahead, enable authentication with NTP authenticate. Actually, before we do that, let's take a look here at the options here for NTP is that we've got your access group. We can control access to specify that only certain clients can be able to access this. We can enable NTP authentication and specify the key. Satisfy our clock, period. Whether we want to do message. Logging Act is a master to peer, said a NTP server, etcetera. So it's to NTP authenticate. Awesome, and we'll set. This is an NTP master. Great. So now that we've done that, let's do a show NTP Association. So now we can see that we have an association with our self on that we are instantly sink our address. Here is a look back in our reference clock is the same loop back. If I do a show and tp status, our clock is synchronized with stratum. Eight. That the one that we're synchronizing against is stratum seven. So I know that's a little confusing, but we end up as a stratum eight here, and our reference is the loop back address, and we can see that they're awesome. So let's go on over the router one, and we'll configure our authentication and set up that as an NTP client to synchronize against router for awesome. Let's do NTP authentication. Key Key number one use MD five to transmit and NTPC but and DPP? Excellent, already said. 
Now we need to specify the trusted key, to identify the server that we configured authentication for over on router four. We need to tell this router to only synchronize with servers that supply the NTP trusted key. So ntp trusted-key is key number 1. Excellent. Then we need to enable NTP authentication with ntp authenticate. Great. And then we can specify the NTP server we want to synchronize against: ntp server, and router four's address here is 10.1.4.4. We don't need to specify anything else. Let's go end and do a show ntp associations. This is not going to be synchronized yet, but I want to show you what this looks like when it's not synchronized: the address here that we're synchronizing against is 10.1.4.4, we do not have a reference clock yet, and the "when" column just shows a hyphen, which means that we have not polled this server yet. Remember it polls every 64 seconds, and we need at least three successful polls in order to synchronize our clock. Let's refresh this. We can see that we have sent a poll, it's gotten a fair bit of information, and it has actually already synchronized. That happened a little extra quick here; I usually do not see that happening quite that fast. I did have this configured to synchronize previously, so the fact that our clocks may have been very close already is what may have allowed this to synchronize very quickly for us. But we now see that the reference clock of the other side is its loopback, since it is an NTP master, and that the server we're synchronizing against is a stratum 8 server. We last polled it 8 seconds ago, and we're polling every 64 seconds. Let's do that again: we last polled 54 seconds ago. Let's do a show ntp status, and there our clock is synchronized.
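What the authentication we just configured actually protects, as an added example that is not part of this course and not Cisco's code: a Python model of the RFC 5905 symmetric-key MAC (a key id followed by MD5 over the key string and the 48-byte header), which is the scheme behind ntp authentication-key ... md5, together with the checks a client running ntp authenticate with ntp trusted-key applies before it will use a reply. Key number 1, the key string NTPKEY, the stratum chain (R4 at 8 with its loopback refclock, R1 at 9, R3 at 10) and the addresses are the lab's; the timestamps are zeroed, constructed values.

```python
import hashlib
import struct
from typing import Dict, Optional, Set

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16                               # key id + MD5 digest (RFC 5905)
LOOPBACK_REFID = bytes([127, 127, 1, 1])       # refclock an 'ntp master' reports
UNSYNC_STRATUM = 16                            # what an unsynchronized router shows

# Key ring shared by the lab routers: key number 1, MD5, key string NTPKEY.
LAB_KEYS: Dict[int, bytes] = {1: b"NTPKEY"}


def build_server_reply(stratum: int, refid: bytes, key_id: Optional[int],
                       keys: Dict[int, bytes]) -> bytes:
    """Build a minimal NTPv4 server-mode packet; append a MAC when key_id is given."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4       # leap 0, version 4, mode 4 (server)
    header = struct.pack(
        "!BBbb4s4s4sQQQQ",
        li_vn_mode, stratum,
        6, -20,                                # poll 2^6 = 64 s (the lab's interval), precision
        b"\0" * 4, b"\0" * 4,                  # root delay, root dispersion (constructed zeros)
        refid,
        0, 0, 0, 0,                            # reference/origin/receive/transmit timestamps
    )
    if key_id is None:
        return header
    # Symmetric-key MAC: key id, then MD5(key || 48-byte header)
    return header + struct.pack("!I", key_id) + hashlib.md5(keys[key_id] + header).digest()


def verify_reply(packet: bytes, keys: Dict[int, bytes], trusted: Set[int]) -> dict:
    """The checks 'ntp authenticate' + 'ntp trusted-key' impose on a reply: a MAC is
    present, its key id is trusted, the digest matches, and the server is itself
    synchronized (stratum 1..15)."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return {"ok": False, "reason": "reply carries no MAC"}
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted or key_id not in keys:
        return {"ok": False, "reason": f"key id {key_id} is not a trusted key"}
    if hashlib.md5(keys[key_id] + header).digest() != mac[4:]:
        return {"ok": False, "reason": "MD5 digest mismatch (wrong key string or tampered)"}
    stratum = header[1]
    if stratum == 0 or stratum >= UNSYNC_STRATUM:
        return {"ok": False, "reason": f"server is unsynchronized (stratum {stratum})"}
    return {
        "ok": True,
        "server_stratum": stratum,
        "server_refid": ".".join(str(b) for b in header[12:16]),
        "client_stratum": stratum + 1,         # a client sits one stratum below its source
    }


def lab_chain() -> dict:
    """Replay the lesson's chain: R4 (master, stratum 8, loopback refclock) -> R1 -> R3."""
    r4_reply = build_server_reply(8, LOOPBACK_REFID, 1, LAB_KEYS)
    r1 = verify_reply(r4_reply, LAB_KEYS, {1})                      # R1 syncs to R4
    r1_reply = build_server_reply(r1["client_stratum"], bytes([10, 1, 4, 4]), 1, LAB_KEYS)
    r3 = verify_reply(r1_reply, LAB_KEYS, {1})                      # R3 syncs to R1
    # Failure cases that 'show ntp status' would surface as still unsynchronized:
    untrusted = verify_reply(build_server_reply(8, LOOPBACK_REFID, 2, {2: b"OTHER"}),
                             LAB_KEYS, {1})
    tampered = bytearray(r4_reply)
    tampered[1] = 3                                                 # forge a better stratum
    forged = verify_reply(bytes(tampered), LAB_KEYS, {1})
    return {"r1": r1, "r3": r3, "untrusted": untrusted, "forged": forged}


if __name__ == "__main__":
    for name, result in lab_chain().items():
        print(name, result)
```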
We are stratum 9, and our reference clock is 10.1.4.4. Awesome. Let's head over to router three now and configure that as a client. So enable, configure terminal, and ntp authentication-key 1 md5, and our key is going to be NTPKEY; our ntp trusted-key is going to be key 1; we'll have to enable NTP authentication with ntp authenticate, excellent; and then our ntp server is going to be router one, which is 10.3.1.1. That's all we have to do. Let's go end and do a show ntp associations. There we go: we see that we've got 10.3.1.1 there and that we have not polled it yet. Refresh this, and boom, it polled it. And again, this did synchronize after the first poll. I am thinking that because this was synchronized a little earlier, when I was setting up this lab, the clocks are very close to each other, so we are probably synchronizing very fast for that reason. But here we see that the address we're syncing against is 10.3.1.1, and that router one is syncing against router four, right? So router one's reference clock is 10.1.4.4, and router one is a stratum 9 clock. So if we do a show ntp status, we are now stratum 10. Router four's internal clock is stratum 7; it's syncing against its internal clock, so it is stratum 8; router one is stratum 9 because it's syncing against the stratum 8; and we, router three, are stratum 10 because we're syncing against the stratum 9. And so on. Awesome. So that's NTP, and those are the verification commands that you use to show that you are synchronized and to be able to troubleshoot from there. Thanks for running through that with me. Just like the others, let's jump through a couple of practice questions before we end off here. First up: referencing the below output, from what source is the NTP server referencing its clock?
Is it 68.134.121.129, or the clock is not synchronized, or the NTP server's internal clock, or router one? So this is asking: from what source is the NTP server referencing its clock? We are on a client here, which looks like router one, and we are associated with an outside time source, the 68.134.121.129, and that NTP server is synchronizing its clock with itself: the 127.127.1.1, which is a loopback. So that is the NTP server's internal clock. The answer here is C. And finally: given the client and server configuration below, what configuration is needed for NTP to successfully synchronize? Assume the unencrypted authentication key is identical. So first up, on router one here (let me grab my pen again): router one. We've got our interfaces here configured; this one is .129 in the last octet and this one is .131 in the last octet, and these two are trying to synchronize with each other. Router two is actually a client here trying to synchronize with router one, and router one is the NTP master. We do have an authentication key configured, and we do have NTP authentication enabled. On router two we also have an authentication key configured; we are to assume that our authentication keys are identical even though the strings here look a little different. That's just because of the encryption the router uses to encrypt its keys in the running config; that is a type 7 encrypted string, and it does show up a little differently depending on the router we're on. We also have NTP authentication enabled, and we are also configured to accept trusted key 1, to use that from our server to synchronize. The ntp clock-period here is something we did not cover, but we don't necessarily need to care about it. So given this configuration, this should work. There's nothing that actually needs to happen: we do not need to set the clock period.
Or set ntp trusted-key on router one; that's not needed, because that is defining what key we are expecting from the NTP server that we are syncing with. We could disable ntp authenticate on both routers, and that would allow it to successfully synchronize, but there's just no need to, because they are already syncing successfully, or at least they should be. The answer here is D. I hope that this has been informative for you, and I'd like to thank you for viewing.

30. 4.3 DHCP and DNS: DHCP and DNS. This video is going to be a little shorter than the others, since it is just going to go over the theory of how DHCP and DNS work and the role that they play within the network. The exam topic that this video is meant to address is actually 4.3, which specifically says to explain the role of DHCP and DNS within the network, so we're not going to go through any configuration in this particular video. We are going to go through the configuration of a DHCP server, a DHCP client and DHCP relay in the next video. But let's go over the theory of how DHCP and DNS work. So without further ado, let's jump on it. First up, DHCP. DHCP stands for the Dynamic Host Configuration Protocol. A lot of you probably know DHCP as the method by which your clients automatically obtain an IP address: they'll send out a discover, and that process is down here, they'll end up getting an offer back, and we'll go through this four-step process to get an IP address. Now, DHCP can be used for a lot more than that. It can give PXE boot addresses; that's the pre-execution environment boot address, the address and information used to tell your client where to go get its initial boot disk and boot image from, so that you can actually boot from the network with information given in your DHCP. Or you can give your VoIP configuration information. This is actually a very common method that I've found to set up
your VoIP phones: you end up giving your configuration information through DHCP, be it the server address the phone is trying to connect to, the VLAN the phones should be tagging their traffic with, or the name of the file it should use for its configuration, and so on and so forth. You can include a lot of information and do almost your full configuration through just DHCP. DHCP also doesn't just give you an IP address to use; it also tells you where your DNS servers are, the servers you should use for resolving IP addresses from your host names. That might be an internal DNS server, it could be an external DNS server; maybe you're in a domain and it's pointing over to your Active Directory domain controller for your DNS, to be able to resolve your internal resources. And then of course DHCP is used to give your IP address and gateway assignments; this is the method for dynamically assigning your IP addresses and telling your clients where the routers are that they should use to get outside of the network they are immediately in. Going over that here: DHCP happens before the client is aware of what network it's on. Say you have your client; it's connected over here to some switch, and that's connected over here to some other switch, and that's connected to a router, and then the router is connected over to the cloud here, and the router is also connected to another switch, and over here maybe you've got a server, that kind of topology. The client doesn't know that it's on this network, because it doesn't have an IP address assigned; it doesn't know that this router exists, and it can't find that automatically. Unlike IP version 6, where it can just do a router solicitation and get a router advertisement back, in IP version 4 we can't do that. So we go through this process of either automatic self-assignment of IP addresses, which cannot be used to get outside of your network, that's the APIPA
addresses, the 169 address space that you end up seeing if your machine is not obtaining an IP address correctly; it will usually self-assign this address space to its interface. But that really can't be used here; that means that something's not working. So since the client is unaware of the network at the moment, this DHCP four-step process is done with broadcasts, and it is working at layer 2 here, which would generally mean that your DHCP server needs to be in the same broadcast domain in order to receive this discover and request. This is actually an interesting point, and I would make sure that you are very well aware of and familiar with this process right here, and also which of these are client-to-server communication and which are server-to-client communication: the request is client to server, the acknowledge is server to client, the discover is client to server, and the offer is server to client. You don't really need to know the details of what these packets look like, but just know that there is this four-step process, DORA (discover, offer, request, acknowledge), and which ones are server to client and client to server. Continuing here a little bit: DHCP is actually a little newer; it replaced the bootstrap protocol, BOOTP. It didn't actually fully replace it, BOOTP is still in existence out there a little bit, but in general it replaced BOOTP, and it operates over UDP port 67 for client to server and 68 for server to client. The discover packets, as we just mentioned, are broadcast; they require layer 2 adjacency. Now this can be overcome with the help of a DHCP relay, also called an IP helper. It's called an IP helper due to the configuration command that is used to configure your DHCP relay on Cisco devices. We'll go over that in the next video, but your DHCP relay,
what it does is it listens for these client-to-server broadcasts on an interface, and when it receives one, it forwards that as a unicast to your DHCP server; and when your server responds and sends those unicast responses back, it relays those responses back to the client. So now, say we have this router here, and we've got this workstation here, right? And this router connects to another router, and this router connects to some switch, and then over here we've got our DHCP server. Now, when our workstation down here sends the DHCP broadcast to get an IP address, this router here, if it has ip helper-address configured on that interface (this is usually an interface-level command), will receive that on that interface and forward it as a unicast to this IP address, the IP address of the DHCP server, and it uses the interface address where it received that broadcast as the source address for the unicast packet that's being sent over to our DHCP server. Now here I wanted to show a screenshot of what a PXE boot looks like. Here, at the very beginning, we've got our network boot going on. This looks like a workstation where we've got a monitor here, and this is your pre-boot environment where you end up getting your BIOS information, stuff like that. We've got our network boot process going on here; it's telling us what our client MAC address is, we've got a UUID here, and we've got a client IP: it actually got an IP address by DHCP. The DHCP server IP is here, and our client IP, and it's trying to PXE boot right now; it was given an address for its PXE server to reach out to,
and it was trying, down here, to obtain via TFTP from this address, 172.16.50.23, trying to download this default.ipxe. Now that connection did time out, but this is the kind of thing you would see if you are doing PXE booting. All right, so that's DHCP. Now let's go through DNS, what its purpose is on the network, and how that ends up working. So DNS, the Domain Name System: DNS's primary function is to translate domain names to IP version 4 or IP version 6 addresses, right? So, say here we've got a domain hierarchy. We've got the root of the domain, and then we've got the top-level domains, your .com, .net, .gov, .org, etc. Your second level is just like google.com or example.com or facebook.com, and then your subdomains would be anything past a period on the left-hand side here, so www.google.com is actually a subdomain of google.com, or cluster.google.com, that is a subdomain, and then an individual host down there. Now, you can have another subdomain beyond that; maybe you have "us" down here, so it ends up being like node1.us.cluster.example.com, and you can continue going on for as long as you want, to be able to have as many subdomains as you would like. But the primary function of this is that when you have this host name here, node1.cluster.example.com, and you want to translate that into an IP address, something that we can actually give to our computer or to our router to say "route this over there", because the Internet doesn't work by routing names, it works by routing IP addresses, because the Internet Protocol is what it runs on. So we need to be able to route these IP addresses around, IP version 4 or version 6, so we need to translate this name into that.
So that's what DNS does: we end up sending a query to a DNS server, saying I have this name, please give me the address for it. That would be an A record specifically, or a quad-A record for IP version 6 (quad A meaning AAAA, a quadruple A record); for IP version 4 it's just an A record, which turns a host name into an IP address or an IP version 6 address. DNS was first defined in RFC 1034 and 1035, and there have been many additions and revisions since then. Generally, you'll see it operate over UDP 53, so if you do a capture on your network and you see UDP 53 traffic as the destination, that is going to be DNS. There are specifications for doing DNS over TCP, and also DNS over HTTPS, to try and secure your DNS queries a little more; those have been more recently defined. But generally you're going to see it over UDP 53. So not only does it provide IP version 4 and IP version 6 addresses, but there are also special types of records as well. Some of these are the MX records, mail exchanger records. When you have google.com, or say example.com, and you request the mail exchanger record, the MX record, for that, there's a special record where the system administrator of example.com has said "we have a mail server", and for other organizations out there to be able to find that mail server, they will request the MX record, the mail exchanger record, for our domain. So for the example.com domain, our MX record would contain something like mail.example.com; that would be the content of the MX record, such that when I request it, when I'm doing an nslookup or a dig of the MX record for example.com, I will get mail.example.com in response. And now from there, in order to do anything with that, I'll need the IP address, right?
So I will look up the A record for mail.example.com to be able to translate that into an IP address. The MX record is a special record saying this host name, or this list of host names with a priority so that they're used in order, are the host names for our mail servers; these are what you should use to send us mail. Then we also have text records, TXT records. These store arbitrary text data. You can store keys in there that are used for encryption, in the case of DMARC (D-M-A-R-C) or DKIM (D-K-I-M); these are used for encryption and store public keys for that. Or you can also store SPF records, that's Sender Policy Framework; that's a really primitive way of trying to avoid spoofing of email addresses, such that in your TXT record on your DNS you end up having an SPF there saying I will allow only specific public IP addresses to send emails on behalf of my domain. So if I own the example.com domain, and I know that my email server is only at 1.1.1.1, then I want to say only 1.1.1.1 is allowed to send emails on behalf of example.com, and if any other servers out there with different public addresses are trying to send emails on behalf of example.com, go ahead and deny those. There's an RFC for that, for our SPF configuration and definition and how servers should use it. You can also get your SOA, your start of authority record, your authoritative name servers for a domain; you can have your NS record, your name server record, such that when you query some top-level DNS server for the NS record for your example.com, say example.com has its own DNS servers right there, public DNS servers that they host at their campus, and you need other DNS servers out there to know that they should look towards your DNS servers for the authoritative information for DNS for your domain; that's your NS records.
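The record types covered here, plus the reverse (PTR) name form, in real DNS wire format, as an added example that is not part of this course: a query builder, a response parser that handles name compression, and a constructed zone for example.com that answers the chain a sending mail server walks (the MX record, then the A record of the exchange, its PTR, and the SPF TXT record). The names, 1.1.1.1 and the SPF string are sample values taken from this lesson's discussion; build_response is a stand-in for a real server so the code runs offline.

```python
import ipaddress
import struct
from typing import List, Tuple

DNS_PORT = 53                                     # UDP 53, what you see in a capture
RTYPE = {"A": 1, "NS": 2, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
RNAME = {v: k for k, v in RTYPE.items()}

def encode_name(name: str) -> bytes:
    """'mail.example.com' -> length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"

def reverse_name(ip: str) -> str:
    """Name asked for a PTR record: 1.1.1.1 -> 1.1.1.1.in-addr.arpa (nibbles under ip6.arpa for v6)."""
    return ipaddress.ip_address(ip).reverse_pointer

def build_query(name: str, rtype: str, xid: int = 0x1A2B) -> bytes:
    header = struct.pack("!HHHHHH", xid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", RTYPE[rtype], 1)

def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a name that may use compression pointers; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer to a name earlier in the message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def build_response(query: bytes, records: List[Tuple[str, int, bytes]]) -> bytes:
    """Constructed server answer: echo the question, point each answer name at it (0xC00C)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(records), 0, 0)
    body = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", RTYPE[t], 1, ttl, len(rd)) + rd
                    for t, ttl, rd in records)
    return header + query[12:] + body

def parse_response(msg: bytes) -> dict:
    xid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rd = msg[off:off + rdlen]
        if rtype == RTYPE["A"]:
            data = str(ipaddress.IPv4Address(rd))
        elif rtype == RTYPE["AAAA"]:
            data = str(ipaddress.IPv6Address(rd))
        elif rtype == RTYPE["MX"]:                # 16-bit preference, then the exchange host
            data = (struct.unpack("!H", rd[:2])[0], read_name(msg, off + 2)[0])
        elif rtype in (RTYPE["NS"], RTYPE["PTR"]):
            data = read_name(msg, off)[0]
        elif rtype == RTYPE["TXT"]:               # one or more length-prefixed strings
            parts, i = [], 0
            while i < len(rd):
                parts.append(rd[i + 1:i + 1 + rd[i]].decode("ascii"))
                i += 1 + rd[i]
            data = " ".join(parts)
        else:
            data = rd
        answers.append((name, RNAME.get(rtype, rtype), ttl, data))
        off += rdlen
    return {"id": xid, "rcode": flags & 0xF, "answers": answers}

def mail_delivery_lookups() -> dict:
    """MX -> A of the exchange -> PTR of that address -> SPF TXT, from a constructed zone."""
    spf = b"v=spf1 ip4:1.1.1.1 -all"
    zone = {
        ("example.com", "MX"): ("MX", 3600, struct.pack("!H", 10) + encode_name("mail.example.com")),
        ("mail.example.com", "A"): ("A", 3600, ipaddress.IPv4Address("1.1.1.1").packed),
        (reverse_name("1.1.1.1"), "PTR"): ("PTR", 3600, encode_name("mail.example.com")),
        ("example.com", "TXT"): ("TXT", 3600, bytes([len(spf)]) + spf),
    }
    def ask(name, rtype):
        reply = build_response(build_query(name, rtype), [zone[(name, rtype)]])
        return parse_response(reply)["answers"][0][3]
    pref, exchange = ask("example.com", "MX")
    addr = ask(exchange, "A")
    return {"mx": (pref, exchange), "a": addr,
            "ptr": ask(reverse_name(addr), "PTR"), "spf": ask("example.com", "TXT")}

if __name__ == "__main__":
    print(mail_delivery_lookups())
```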
You can also have PTR records, which are reverse records that map addresses to domain names. Say that I own 1.1.1.1, and I want 1.1.1.1 to translate to mail.example.com: not only can I have a record that says mail.example.com translates to 1.1.1.1, but I can also have a record that says 1.1.1.1 translates to mail.example.com. That's something interesting with DNS: it only really goes one way, you can only translate your host names or domain names into IP addresses, and without the reverse record you can't translate an IP address into a host name; you can't go the other direction. Great. Well, I appreciate you going through this with me. Just like the others, let's run through a couple of practice questions before we end off. First up: what type of packet is a DHCP discover? Is it a unicast, a multicast, or a broadcast? This is not assuming that we're using an IP helper or DHCP relay; the regular DHCP discover is C, a broadcast. And finally, what protocol and port does DNS operate over by default? Is it TCP port 80, UDP port 43, UDP port 53, or TCP port 53? So although there are specifications for DNS operating over TCP, generally you'll find that it operates over UDP, and the port that is well known for DNS to operate over is UDP 53. I hope that this has been informative for you, and I'd like to thank you for viewing.

31. 4.4 Configuring DHCP: configuring DHCP client and relay on IOS. This video is going to be relatively quick. This section on the exam, the exam topic, doesn't actually cover the creation of a DHCP server on a Cisco device, although I will show you how that's configured, because I had to do that in order to get this lab up and running.
I'll show you the commands that we used to get that going and how this ends up working. What we're going to do is talk about what a DHCP relay is and how that functions, and also what it means to be a DHCP client. We covered DORA, the four-step process that's involved with obtaining an IP address by DHCP from a DHCP client to a server, in the previous video. So let's jump right in and talk about DHCP relay, what that is and how that works. DHCP relay is also known in the Cisco world as an IP helper; that's due to the command that's used in order to configure it. This is an interface-level configuration command, which we can see right down here: we use ip helper-address, and then we specify the IP address of our DHCP server. So what DHCP relay does is it relays our client-to-server DHCP messages over to the server. This is useful when you have your DHCP server in a different subnet, or in a different broadcast domain, than your DHCP client, because if we needed a DHCP server in every single subnet, that'd be really kind of expensive, right, and difficult to maintain and manage. Say you have your workstation here, boom, workstation, and let's say we've got another workstation over here, boom, workstation, cool, and it connects over to our switch, and we've got another switch over here, boom, switch, and these guys connect there. And then let's say we've got a router right here; these switches connect over to this router, and these two are on different subnets: say this is the 10.0.1 subnet, and this is the 10.0.2 subnet. Traditionally, if you didn't have an IP helper or a DHCP relay, you would need a DHCP server on each of these subnets in order to serve addresses dynamically. Or, you know, you could just configure a DHCP server on your router here.
A lot of times, people choose not to put DHCP on their router just because it's a little more difficult to manage. Typically that may be a Windows DHCP server, or you might have phones and you're using your phone server's DHCP, something like that; people generally don't put their DHCP server on their router. But you certainly can; there's nothing wrong with that. But still, say we had some other subnet over here, with our workstation over here, and it's connecting over to this router, and this router connects over to another router, which happens to connect over here onto this switch. You can see how this can get a little out of hand and unwieldy really quickly. This is where DHCP relay really comes in handy: we don't need that DHCP server there, or that one there, and we don't need it configured on our router. We could have some centralized DHCP server over here that could be some arbitrary number of subnets away; it could just be across a WAN link, what have you. We can use this DHCP server as our central server and be able to forward and relay all of our DHCP requests and responses to and from that DHCP server. So the way this ends up working is that when the router, or your device here that's acting as a DHCP relay, receives our discover packet (let's just start from the beginning, because remember we've got DORA, our discover, offer, request and acknowledge packets for requesting a DHCP address): say we send our discover packet over. Now, over here on this router, R1 is going to receive that, and if it has DHCP relay configured on that interface, then it's going to relay that over to this DHCP server here, and that relayed packet will now have a source address of this interface right here, .1.
That's kind of important, because that means that this server needs to know how to get back to this subnet; there need to be routes in between, in this path here, so that the packet can both get to that server and get back, because it's going to have a source address of that interface. But that's also how the DHCP server knows what subnet you're requesting an address for, because this workstation here doesn't know what subnet it's in. It doesn't know that it's in the 10.0.2 subnet. It just knows it's connected to some broadcast domain, and it's broadcasting out there: hello, any DHCP server, please offer me an address. And that's what the server will do: it receives that, sees that it has a source address of that interface, and then sends back an appropriate offer for this subnet. That's how it knows what subnet it is. Same thing here: if the relay receives it on this interface, it's going to use this interface address as the source address to forward it over. Awesome. So then the server receives it and replies, and the relay sends that back; our router here keeps track of those relayed, forwarded messages so that it can forward the responses back appropriately. On a switch, often switches are set up with DHCP relay using a switch virtual interface as the interface that you receive that broadcast on and relay it from. We can verify our configuration here with show ip helper-address: once you have this configured at your interface level, we do a show ip helper-address, and that's what the output of that looks like down here. This will show that on this interface, Gig 1/0, we've got a helper address of 1.1.1.1 configured. Now, there is some other information here available that we don't really need to pay attention to right now, but that's how we verify that this is configured without doing a show running-config.
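The relay behaviour described in this lesson and in the earlier DHCP theory section, as an added example that is not part of the course: a Python model of the RFC 2131 message, the rewrite a relay with ip helper-address performs (the receiving interface's address goes into the giaddr field and is also the unicast source, and the hop count is incremented), the server choosing its scope from that address, and the offer coming back to the relay on port 67 before it is broadcast to the client on port 68. Subnets 10.0.1.0/24 and 10.0.2.0/24, the relay interface 10.0.2.1 and the server 10.0.3.3 are constructed stand-ins for the diagram, not real addresses.

```python
import ipaddress
import struct
from typing import Dict

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER = 1, 2                           # option 53 message types used here
SERVER_PORT, CLIENT_PORT = 67, 68                # UDP ports from the lesson
FIXED_LEN, HOPS_OFF, GIADDR_OFF = 236, 3, 24     # RFC 2131 fixed-field layout

# Constructed scopes, keyed by subnet: the next free address the server would offer.
SCOPES: Dict[str, str] = {"10.0.1.0/24": "10.0.1.50", "10.0.2.0/24": "10.0.2.50"}


def build_dhcp(op, msg_type, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0):
    """Assemble an RFC 2131 message carrying only option 53 (message type)."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, hops, xid, 0, 0x8000,          # htype Ethernet, hlen 6, broadcast flag set
        b"\0" * 4,                               # ciaddr: the client has no address yet
        ipaddress.IPv4Address(yiaddr).packed,    # yiaddr: address the server offers
        b"\0" * 4,                               # siaddr
        ipaddress.IPv4Address(giaddr).packed,    # giaddr: zero until a relay fills it in
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    return fixed + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(pkt):
    op, _, _, hops, xid, _, _, _, yi, _, gi, chaddr = struct.unpack(
        "!BBBBIHH4s4s4s4s16s", pkt[:44])
    opts, i, msg_type = pkt[FIXED_LEN + 4:], 0, None
    while i < len(opts) and opts[i] != 255:      # walk TLV options to the end marker
        if opts[i] == 53:
            msg_type = opts[i + 2]
        i += 2 + opts[i + 1]
    return {"op": op, "hops": hops, "xid": xid, "msg_type": msg_type, "chaddr": chaddr[:6],
            "yiaddr": str(ipaddress.IPv4Address(yi)), "giaddr": str(ipaddress.IPv4Address(gi))}


def relay_to_server(pkt, inbound_if_ip, helper_address):
    """What 'ip helper-address' does with a client broadcast heard on an interface: stamp
    giaddr with that interface's address, bump the hop count, unicast it to the server."""
    msg = parse_dhcp(pkt)
    if msg["op"] != BOOTREQUEST:
        raise ValueError("only client-to-server messages are relayed")
    if msg["giaddr"] == "0.0.0.0":               # the first relay on the path sets giaddr
        pkt = pkt[:GIADDR_OFF] + ipaddress.IPv4Address(inbound_if_ip).packed + pkt[GIADDR_OFF + 4:]
    pkt = pkt[:HOPS_OFF] + bytes([pkt[HOPS_OFF] + 1]) + pkt[HOPS_OFF + 1:]
    return {"src": inbound_if_ip, "dst": helper_address,
            "sport": SERVER_PORT, "dport": SERVER_PORT, "packet": pkt}


def server_offer(unicast, scopes=SCOPES):
    """The server picks the scope whose subnet contains giaddr, which is how it knows
    which subnet the client is on, and answers the relay on port 67 (RFC 2131 s4.1)."""
    req = parse_dhcp(unicast["packet"])
    if req["msg_type"] != DISCOVER:
        raise ValueError("expected a DISCOVER")
    giaddr = ipaddress.IPv4Address(req["giaddr"])
    for subnet, free in scopes.items():
        if giaddr in ipaddress.ip_network(subnet):
            offer = build_dhcp(BOOTREPLY, OFFER, req["xid"], req["chaddr"],
                               yiaddr=free, giaddr=req["giaddr"], hops=req["hops"])
            return {"src": unicast["dst"], "dst": req["giaddr"],
                    "sport": SERVER_PORT, "dport": SERVER_PORT, "packet": offer}
    raise LookupError(f"no scope contains relay address {giaddr}")


def relay_to_client(reply, inbound_if_ip):
    """Relay the server's reply out the interface whose address matches giaddr."""
    msg = parse_dhcp(reply["packet"])
    if msg["giaddr"] != inbound_if_ip:
        raise ValueError("reply belongs to a different relay interface")
    return {"src": inbound_if_ip, "dst": "255.255.255.255", "sport": SERVER_PORT,
            "dport": CLIENT_PORT, "offered": msg["yiaddr"], "packet": reply["packet"]}


def discover_via_relay(client_mac, inbound_if_ip="10.0.2.1", helper="10.0.3.3"):
    """The DISCOVER/OFFER leg of DORA across a relay (addresses are constructed)."""
    discover = build_dhcp(BOOTREQUEST, DISCOVER, 0x3903F326, client_mac)
    to_server = relay_to_server(discover, inbound_if_ip, helper)
    return relay_to_client(server_offer(to_server), inbound_if_ip)


if __name__ == "__main__":
    print(discover_via_relay(b"\x00\x11\x22\x33\x44\x55"))
```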
A lot of times in the CCNA exams, they'll tell you to determine what the IP helper address is, or they'll ask you to look up some information, but they will deny you access to the running configuration, for various reasons. That's a security measure in a lot of companies: they don't want to just give anybody access to view the running configuration, but through role-based access control you can allow access to certain commands, and then you can gather the information that you need without having to do a show running-config and just view the configuration. Also, the running config, unless you know what you're looking for, can be a bit unwieldy; it can be a bit large, and you're looking through a forest of commands trying to find one individual one, and that can be a little difficult to do. So that's how DHCP relay works and how to configure it: it's the interface-level configuration command ip helper-address, and then giving the IP address of the DHCP server that it should be forwarded to. You can also do this per VRF, that's Virtual Routing and Forwarding instance, that's when you have virtual routers inside of your router; we're not covering that here in the CCNA. You can also set it as a global IP helper address. All right. So then, as far as configuring a DHCP client, that's actually really simple on IOS. This is an interface-level configuration command, and it's simply just ip address dhcp. Here in the configuration, when we do ip address and a question mark, we can either just manually and statically set our IP address, or we can tell it to obtain it automatically by DHCP, where its IP address is negotiated via DHCP. Awesome. Really simple, really easy. We can verify this in one of two ways: we can do a show ip interface brief, and we'll end up seeing here that our method will say DHCP. This might have an IP address right now.
This one does not have an IP address assigned; it has not received one from a DHCP server, but it is set to receive one by DHCP, or to attempt to. It'll periodically send out these DHCP discover broadcast packets, trying to look for a DHCP server to receive an address from, if it hasn't gotten one yet. And then we can also verify this in a show interfaces: here we have that our Internet address will be negotiated using DHCP. That's another place where you can see that as well. There are additional client configuration options that you can set. We can set the host name that should be transmitted with your DHCP through the ip dhcp client interface configuration commands; when you do ip dhcp client and a question mark (we'll do that in the lab here very shortly), you'll see that there are many options available that you can specify to really drill down into how you want DHCP to behave. Awesome. So those are the only two things we're going to cover in this lab. Let's take a look at our lab configuration here and go through that. Our lab is going to consist of three devices: we've got R1, R2, and the server, where this is really just another router. Here I have listed R1 as 10.1, but in reality this interface is going to be a DHCP client, right? And here on R2, this interface is going to be the IP helper. Awesome. And then here on the server, this is just another router on which I have configured a DHCP server, and I'll show you briefly how that was done. It's a very, very bare-minimum DHCP server. I'll show you how to get that up and running; there are only just a few commands that are needed in order to specify your pool of addresses that it can pull from, and also the additional information, like the default router or the default gateway, that it'll provide. That's all I have there.
We don't have any DNS servers configured, but we can go through and show how that would be done briefly anyway; you don't really need to spend any time on that, that is just not covered in the exam topics, but it's something good to know in case you ever encounter it in the future. I have already configured the IP addresses on this side here: 10.1.2.2 here on router two, 10.2.3.2 on router two, and 10.2.3.3 here on the server, and we'll verify that briefly as well. Fast 0/0 on router one is currently shut down, and there's no IP address configured at all. We will be configuring it as a DHCP client, and at that time we'll also go through the ip dhcp client options and take a brief look at that. So first up, let's start over on the server side here. Oh, and also, I don't think I mentioned this: I have not yet configured the IP helper address here on router two, so we'll do that. Let's start from the right here and move our way to the left. We'll take a look at the DHCP server here on the server, get our IP helper configured on router two, and then I'd also like to do a quick capture here on the line while we do the DHCP negotiation, so we can take a look at what that looks like as well. So let's jump on over to the server, then we'll go to router two, and then router one. So here on the server, enable. I'd like to do a show ip dhcp, and here we can do server statistics. This is all the information we have here. We do have one address pool configured. I did do a test with this, so we have received a discover and a request. We also received a DHCP release, because I did a no ip address on our client, so it released its address, saying I don't need this anymore. We can do a show ip dhcp pool; we have one pool configured, and here it is, for the 10.1.2 subnet. Real quick, I want to show you, remember that the server here is in the 10.2.3 subnet.
but I have a pool configured for the 10.1.2.0 subnet. Let's clean some of this up. Remember that the DHCP relay forwards the request using its interface address as the source address. That does mean the server needed to know how to get back to the 10.1.2.0 subnet, so I put a static route on the server to resolve that. In reality you would probably have dynamic routing in your environment to ensure your server can reach the needed subnet. Going back to the server, let's do show run and take a look at our DHCP configuration items. We have an ip dhcp pool called DHCP-pool. It is using the 10.1.2.0/24 network and is setting the default router, which is the default gateway your client will use, to 10.1.2.2. That is the interface address of Router 2. I did exclude that address from the pool, so that we don't accidentally hand out our default router address as a client address to one of our DHCP clients. That is really all you have to do. Then I set the static route to make sure we know how to get back over to the 10.1.2.0 subnet. Let's go back over to Router 2: enable, show ip interface brief. We have 10.1.2.2 configured and up, and 10.2.3.2, the interface facing the server. If I do show ip helper-address, we do not have one configured yet, so let's configure it: config t, interface Fast 0/0, ip helper-address, and remember this is the address of our DHCP server, 10.2.3.3. That is all we have to do. Now let's jump into GNS3 real fast.
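To make the relay behaviour concrete before we move to the client, here is a small model of what the server and the helper are doing, written for this course as an added example (it is not the course's own code and not IOS). It simulates the relay stamping the gateway address field (giaddr) with its 10.1.2.2 interface address, unicasting the Discover to the helper address 10.2.3.3, and the server choosing the 10.1.2.0/24 pool from that giaddr, with the default router 10.1.2.2 excluded from the pool. The client MAC, the Pool/Server classes and the `run` helper are constructed for the example.

```python
"""Toy model of the DHCP relay behaviour in this lab (added example, not course code).

The relay (R2) takes the client's broadcast Discover, stamps giaddr with the
address of the interface it arrived on, and unicasts it to the helper address.
The server then picks the pool whose network contains giaddr. Addresses mirror
the lab: pool 10.1.2.0/24, default router 10.1.2.2 excluded from the pool,
relay 10.1.2.2, server 10.2.3.3. The client MAC and the classes are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

ZERO = IPv4Address("0.0.0.0")


@dataclass
class Pool:
    network: IPv4Network
    default_router: IPv4Address
    excluded: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)  # client MAC -> leased address

    def lease(self, mac):
        """Hand out the lowest free host address, never an excluded one."""
        if mac in self.bindings:
            return self.bindings[mac]
        for host in self.network.hosts():
            if host not in self.excluded and host not in self.bindings.values():
                self.bindings[mac] = host
                return host
        raise RuntimeError("pool exhausted")


@dataclass
class Discover:
    client_mac: str
    giaddr: IPv4Address = ZERO            # stays 0.0.0.0 until a relay touches it
    src: IPv4Address = ZERO               # the client has no address yet
    dst: IPv4Address = IPv4Address("255.255.255.255")


def relay(packet, ingress_addr, helper_addr):
    """What 'ip helper-address' does on the ingress interface: forward the
    broadcast as a unicast to the server, sourced from the interface address,
    and fill in giaddr if it is still zero (a later relay leaves it alone)."""
    return Discover(
        client_mac=packet.client_mac,
        giaddr=packet.giaddr if packet.giaddr != ZERO else ingress_addr,
        src=ingress_addr,
        dst=helper_addr,
    )


class Server:
    def __init__(self, pools):
        self.pools = pools

    def offer(self, packet, receiving_addr):
        """Choose the pool by giaddr (relayed) or by the receiving interface
        (directly connected client). Return (offered_ip, default_router), or
        None when no pool matches: the server simply does not answer."""
        key = packet.giaddr if packet.giaddr != ZERO else receiving_addr
        for pool in self.pools:
            if key in pool.network:
                return pool.lease(packet.client_mac), pool.default_router
        return None


def run(client_mac, relay_addr, helper_addr="10.2.3.3", receiving_addr="10.2.3.3"):
    """Run one Discover through the relay and the server; return plain strings."""
    pool = Pool(IPv4Network("10.1.2.0/24"), IPv4Address("10.1.2.2"),
                excluded={IPv4Address("10.1.2.2")})
    server = Server([pool])
    relayed = relay(Discover(client_mac), IPv4Address(relay_addr), IPv4Address(helper_addr))
    result = server.offer(relayed, IPv4Address(receiving_addr))
    return {
        "giaddr": str(relayed.giaddr), "src": str(relayed.src), "dst": str(relayed.dst),
        "offer": None if result is None else (str(result[0]), str(result[1])),
    }


if __name__ == "__main__":
    print(run("ca01.0000.0000", "10.1.2.2"))   # constructed MAC, relayed via R2
    print(run("ca01.0000.0000", "192.0.2.1"))  # relay on a subnet with no pool
```

The second call shows the failure mode the static route guards against from the other direction: if giaddr does not fall inside any configured pool, the server has nothing to offer and stays silent, which is exactly what a client sees as "no DHCP server found".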
I want to start a capture on this interface before we configure the DHCP client on Router 1 and enable that interface, so that we can take a look at the exchange there. We could also capture over here as well to see what the relayed packets look like. Wireshark is going to do its thing. Back on Router 2, the interface is already configured and up. Excellent. Over on Router 1: enable, show ip interface brief (I can't type today; there we go). We are administratively down on Fast 0/0 and do not have an IP address assigned. config t, interface Fast 0/0, ip address dhcp. We could also do ip dhcp client ?, and here we have a lot of options for specifying IDs and other items for our client: specify a class-id or client-id, specify the hostname, and so on, or dynamically update information. You do not necessarily need to know these for the CCNA exam, just how to configure a DHCP client, but it is good to know the options are there. So we have ip address dhcp, and now we can do no shut. Let's also do show ip interface brief. Actually, we are going to get a log message that pops up when we receive an IP address, and there it is: %DHCP-6-ADDRESS_ASSIGN, the interface was assigned DHCP address 10.1.2.3 with a 24-bit mask, hostname R1. Excellent. Now let's go over to Wireshark and stop that capture. We sent out a Discover. This one is actually coming from R2: R2 received that Discover broadcast and is forwarding it to 10.2.3.3 with the source address of 10.1.2.2.
That is the source address I was talking about: it is how the server knows which network we are actually requesting an address for. This is a unicast DHCP Discover being sent, and then here is the Offer being sent back, and the Request, and there we go. Back on Router 1, if we do show ip interface brief we see that we do have an IP address and that it is set by DHCP. If we do show interface Fast 0/0 we see our Internet address set there. Real quick on Router 2, show ip helper-address shows Fast 0/0 configured with a helper address of 10.2.3.3. Lastly, before we end, I want to show that if we do show ip dhcp binding (typed correctly) we see a binding for the 10.1.2.3 address, along with the client ID, hardware address or username for that client; there is a unique identifier for that client and that binding. That will do it. Just like the others, let's run through a couple of practice questions before we finish. First: which of the following commands will not verify whether an interface is obtaining an IP address via DHCP? Is it show ip interface brief, show interface, show interface switchport, or show ip interface? show ip interface brief and show ip interface are essentially the same command and show very similar information; brief just cuts out a lot of the extra information. So A and D show this information, and so does show interface. The one that will not verify it is show interface switchport. The answer is C. Finally: a DHCP relay can be in a different subnet than a DHCP client if there is a layer 3 route between them. Now, just think about what this is asking for
a moment. It is essentially saying that if you have your workstation here connected to a router, and that router is connected to another router, and over here is your DHCP server, and that interface has DHCP relay configured but this one does not, then that is not going to work. The question doesn't make sense as stated, so the answer here is false; this does not work. Thanks so much for going through this with me. I hope it has been informative, and I'd like to thank you for viewing.

32. 4.5 SNMP and syslogging

Syslog and SNMP. Monitoring your network devices is a crucial part of network operations. It is one thing to get your devices configured, but without monitoring them and having a sense of their actual performance, you are stuck at the mercy of the end users in your organization telling you whether there is a problem or not. At that point you might not even know where the issue is, and sometimes end users exaggerate a little, which makes troubleshooting harder. This is where monitoring protocols like syslog and SNMP come into play. Syslog is an awesome way for devices to tell you what is going on. A lot of times, if there is an issue, a device will raise red flags with syslog messages saying it is having a problem: if it is overheating, it will tell you; if there is a spanning-tree convergence issue or a lot of events going on, syslog messages are probably going to be generated, and you can reference those to see what is going on, even after the fact. When evaluating a situation after it has already been resolved, you can go back and review your monitoring and log messages to understand more closely what actually happened, so you can help prevent it in the future. Similarly with SNMP,
that is a very flexible and useful protocol where you can not only monitor your devices but actually do configuration remotely. Since it is programmatic, you could set up applications where things are automatically adjusted and changed based on certain conditions. So let's jump in and take a closer look at how SNMP and syslog work, how they are used, and how they apply to the CCNA exam topics. First up, SNMP, the Simple Network Management Protocol. SNMP is a defined protocol, and it typically uses UDP 161 for SNMP and UDP 162 for SNMP traps; we will explain the difference between those in a moment. Generally you will see three versions in use: version 1, version 2c and version 3. Version 1 is hardly used at all anymore, because it offers essentially no security whatsoever. Version 2c is much more commonly used. There is a version 2 and other subsets of version 2, but version 2c ended up being the primary one and is the most widely implemented; generally, if you see "version 2" on your device, it is actually talking about version 2c. A lot of people reference it as version 2, but in reality their devices are probably running version 2c. Then there is version 3, which introduced a lot of security features into SNMP. SNMP used to have the funny nickname "Security is Not My Problem", because there is not really any security built into SNMP version 1 and version 2: it is expected that the management line, the interface or circuit used to exchange SNMP messages, is itself secure, rather than using in-band management and expecting the protocol to provide the security.
That is where version 3 added a lot of excellent features for encryption and authentication on both sides, so that you can actually secure the protocol and not have to worry about having an out-of-band management line that you must secure in order to declare your protocol communications secure. There is some terminology used with SNMP that we should go over, because you will see it often and you want to know what these are. A MIB, which you will see referenced a lot, is a Management Information Base. SNMP works in object identifiers, or OIDs. OIDs are numbers in a dotted-decimal kind of notation, for example 1.1.2.6.7.4.1.1, and they can be of arbitrary length; they can be very long, and they are separated by periods. What these represent is a hierarchical tree structure, and we will look at a visualization of that in the next slide. The management information base translates our OIDs into the actual information being queried from the device. You have a network management server, which is some computer or server hosting monitoring software that is doing SNMP polls, that is, Get operations, and telling your managed device (your router or switch, and specifically the SNMP agent, which is the SNMP software running on the managed device) to gather the value for a particular OID. The MIB tells us that this OID represents the inbound traffic on a particular interface, or the configuration of OSPF, or the neighbors currently present, or the IP address configured on an interface, and so on. It tells us what these numbers and this hierarchical structure actually represent. That is the MIB.
Unfortunately, there is not actually a single standard for the OID structure; it is up to the vendor to develop their own OID structure for their devices and then release a MIB, the management information base, to correlate the two, so that we understand what these OIDs are, how many there are, and their formatting and syntax, and therefore what information we are actually querying. The last two items here, which I have just mentioned: the SNMP manager is your SNMP server, the device that is actually performing your Get and Set operations. It tells your managed device, your router or switch, to set a specific value for an OID or to get the value of an OID, and it runs on your network management server, your NMS. Then there are traps. Traps are messages originated by your managed device and sent to your network management server. These are generally alerts of some kind notifying you of an emergency situation, though they might also carry some arbitrary information. A trap needs a destination: on your managed device, your router or switch, you need to direct those traps somewhere. It has a destination IP address, because it uses UDP 162 by default to send these traps, and that destination will be your network management server, also known as your SNMP manager. That is an important distinction to make, as I mentioned: your managed device is one thing, that is your router or switch, but the SNMP agent is the software running on your managed device that receives these Get or Set messages.
It queries and gathers some information from the operating system of your managed device and then sends it back, or sets it as appropriate, given the message received from your network management server. I mentioned this a couple of times: it is possible to set information with SNMP. I can set the IP address on an interface via SNMP by sending an SNMP Set message to my managed device, which is great because it allows for potential automation in your network, using SNMP to configure your devices, as long as you have SNMP set up on your devices and a connection to do that. Moving on to the next slide, this is a sample hierarchical structure of a MIB, a management information base. We have the root of the tree here, and then we go down the tree. If we want to go to TP-Link specifically down here, that is 1.3.6.1.4.1 and then some number, 11863. We see that here: 1.3.6.1.4.1.11863. You see there is not really any defined structure; it is arbitrary and it is set by the vendor, who creates this structure and defines what the OIDs actually mean. As for the differences between the SNMP versions: SNMP version 1 and 2c support only minimal security. They only validate the source with a community string, so you will see that referenced a lot. In your device, your switch or your router, you set up SNMP with a certain community string, and typically you can also set that only specific source IP addresses are allowed to poll the device for SNMP information.
You can also set whether it is read-only or read-write access, that is, whether they can do Get and Set or only Get operations. All the community string really does is validate the source: it tells our network management server that this device is actually the SNMP agent we are looking to communicate with. It is just a clear-text string that is sent across. Version 1 and version 2c do not even encrypt that community string at all; they just include it in their communication. Version 3 introduced authentication and encryption, so you can use a username and password, and it will also encrypt its communication. This is defined as auth and priv, where priv is for encryption. In your Cisco configuration you will see auth priv, auth nopriv, and noauth nopriv, to say that there is no authentication and no encryption, or that we want to authenticate but not encrypt, or that we want to both authenticate and encrypt. That is how you see it referenced in the Cisco configuration. As I said, SNMP is most commonly used for monitoring: you generally are polling your devices. You can get a whole wealth of information from polling your devices with SNMP; typically just about any bit of information you can get out of a show command on your device, you can poll with SNMP and get back. Almost: there is some you can't, and it depends entirely on the vendor's implementation and whether they have decided to implement the SNMP OIDs to allow polling of that information. But this can give you a lot of visibility into your network and allow you to alarm and alert you, the network admin, of certain conditions when things are outside of norms or outside of expected values. It can also be used for management, since you have the ability to set values via SNMP.
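Two of the ideas above, what a MIB does with an OID and what the version and security-level choices mean for a reviewer, can be seen in a few lines of Python. This is an added example written for this course, not the course's or Cisco's code: the tiny MIB table is constructed from standard prefixes plus the TP-Link enterprise number from the slide, the `snmp-server` lines are a constructed sample of the IOS syntax, and the risk ratings are this example's own reviewer convention, not an IOS concept.

```python
"""Two SNMP helpers, added as an example (not course code).

resolve_oid() does the job a MIB does for a manager: it maps a numeric OID to
the longest known prefix. The tiny MIB below is constructed from standard
prefixes plus the TP-Link enterprise number shown on the slide (11863).

audit_snmp_config() reads IOS-style 'snmp-server' lines (constructed sample
below) and labels each one by version and security level, so a reviewer can
see at a glance where a clear-text community string or an unencrypted v3
group is in use.
"""
import re

MIB = {
    "1.3.6.1.2.1": "mib-2 (standard objects)",
    "1.3.6.1.2.1.2.2.1.10": "ifInOctets (inbound octets on an interface)",
    "1.3.6.1.4.1": "enterprises (vendor-defined subtrees)",
    "1.3.6.1.4.1.11863": "TP-Link enterprise subtree",
}


def resolve_oid(oid):
    """Return (description, remaining suffix) for the longest matching prefix."""
    parts = oid.strip(".").split(".")
    for n in range(len(parts), 0, -1):
        prefix = ".".join(parts[:n])
        if prefix in MIB:
            return MIB[prefix], ".".join(parts[n:])
    return "unknown", oid


COMMUNITY = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?$", re.I)
GROUP_V3 = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b", re.I)


def audit_snmp_config(config_text):
    """Classify each snmp-server line: version, security level and a risk rating.

    Ratings used here (a reviewer's choice, not an IOS concept):
      community RW -> high, community RO without ACL -> medium, RO with ACL -> low
      v3 noauth -> high, v3 auth -> medium (no encryption), v3 priv -> low
    """
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY.match(line)
        if m:
            _name, mode, acl = m.groups()
            if mode.upper() == "RW":
                risk, why = "high", "read-write with a clear-text community string"
            elif acl is None:
                risk, why = "medium", "no ACL limits which sources may poll"
            else:
                risk, why = "low", f"read-only, sources limited by ACL {acl}"
            findings.append({"line": line, "version": "v1/v2c",
                             "level": f"community {mode.upper()}", "risk": risk, "why": why})
            continue
        m = GROUP_V3.match(line)
        if m:
            _name, level = m.groups()
            level = level.lower()
            risk = {"noauth": "high", "auth": "medium", "priv": "low"}[level]
            why = {"noauth": "no authentication or encryption",
                   "auth": "authenticated but not encrypted",
                   "priv": "authenticated and encrypted"}[level]
            findings.append({"line": line, "version": "v3", "level": level,
                             "risk": risk, "why": why})
    return findings


# Constructed sample: the kind of lines 'show run | include snmp-server' would show.
SAMPLE_CONFIG = """
snmp-server community public RO
snmp-server community private RW
snmp-server community monitor RO 10
snmp-server group NETOPS v3 priv
snmp-server group LEGACY v3 noauth
"""

if __name__ == "__main__":
    print(resolve_oid("1.3.6.1.4.1.11863.1.2"))
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f["risk"].upper(), f["version"], f["level"], "-", f["why"])
```

Note how a read-only community with an ACL behind it rates lower than one without: the community string never stops being clear text on the wire, but restricting which sources may use it is the one control v1 and v2c give you, which is why the lecture calls out both the string and the source filter together.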
So you could have automated remediation of certain situations by sending an SNMP Set back. Typically, in my environments, I don't see SNMP used for management. There are other, more robust protocols and methods out there for managing your devices in a centralized fashion; using SNMP is a little cumbersome and varies a lot from vendor to vendor, so it is just not something I see implemented often, but it does happen and it is out there. Specifically for the CCNA exam topics, the way this ties into your studying is that we just need to explain the function of SNMP in network operations, and that is what we should be able to describe here. Moving on to syslog. Syslog is logging, but specifically syslog is a protocol defined in RFC 5424, or at least its most recent revision is defined there. By default, Cisco devices use UDP 514 to transmit syslog messages; it is a connectionless protocol. I have down here a Wireshark capture of a syslog message. Syslog transmits plain-text, unstructured message data, and it also transmits a facility and a level; we will talk about what those are in a few moments, on the next slide. What do I mean by plain-text, unstructured message data? We see down here on the last line the message. It tells us how long the message is, 71, and here is the syslog message that was sent. This is just a text string. It is not structured data; it is not giving variables and their values; it is just a text string in which we have the timestamp and the level, which here is level 5. Mind you, this is from a Cisco device, so syslog messages will look different depending on the vendor that sends them. The actual message content is not defined in the RFC; just the protocol for sending the syslog is defined there, including the timestamp here.
You don't have to include that in your syslog message, but you can, and the same goes for the text. This syslog message is telling us that interface Fast 0/1 changed state to administratively down: I went into that router, into interface FastEthernet 0/1, and did shut. That generated a syslog message of level 5, a notice level, and we will see how that matches up with the other available levels in a moment. It also tells us what kind of message it is, a LINK message, that it is level 5, notice, and specifically that it is a CHANGED message. This can be helpful when monitoring syslog for Cisco devices, to know what kind of message is being received: you can alert based on certain text strings and be aware when important things come through. And then of course you have the actual text of your syslog message. Moving on to facilities and levels: the facility is something that tells you from what source, what software on the device, actually generated this message. Going back to the Wireshark capture real quick, we see this is facility local7, which is reserved for local use. In Cisco devices the facility does not change per message; the facility is a user-configurable item, and all messages originating from that device will use the facility that is configured. By default it uses the local7 facility, and this is something you can configure. local7 is facility number 23 down here. Some devices will use these facility numbers. These facility numbers are actually defined in the RFC, as are the levels here; the descriptions are taken from Cisco, but the facilities are defined in the RFC, though not all devices use them.
Like I said, Cisco devices default to local7, but you can configure that to others. For the levels, a lower level is more urgent. Level 0 is an emergency; this is typically a trap or alert sent out as a last little cry for help, saying something urgent just happened, I am no longer usable, it's an emergency. Alert is level 1, critical is level 2, errors is level 3, warnings is level 4. I would make sure you know this table, at least the keywords and their levels and how they match up. I see these questions on the Cisco exams all the time, asking what level 3 corresponds to, and it ends up being error. So I would know these to make sure you are aware of them. The order also matters, because when you set logging at, say, level 4, then all messages with a level 4 or lower will be logged: when you set that on a Cisco device, it is the configured logging level and lower that will be logged. So if you set the logging level to debugging, great, all of your debugging, informational, notifications, warnings, errors, critical, all of that will be logged and show up in your syslog. That can be very important, because that can be a lot of logs, and you can overload your syslog server. Typically syslogs are sent to a syslog collector. That is what we saw here: our syslog collector is at 10.1.2.2, and the device this is originating from is 10.1.2.1. These both happen to be Cisco devices in GNS3, and I was just generating this log as an example, but these will be sent to a syslog collector. You don't necessarily have to use UDP; it can be TCP, in a connection-oriented sense, and there are other ports you can use as well. This is a configurable item, but it will go to a syslog collector.
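The facility and level travel in the `<PRI>` number at the front of each message, and decoding it is how a collector knows that the capture above is local7 at notice level. The following Python is an added example for this course, not the course's code: it decodes PRI as facility times 8 plus severity, names both using the RFC facility numbers and Cisco's severity keywords, and applies the "configured level and lower" rule the lecture describes. The three sample lines are constructed to resemble what a Cisco device sends to a collector.

```python
"""Decode syslog <PRI> values and apply a Cisco-style logging threshold.

Added example, not course code. PRI = facility * 8 + severity, so the Cisco
default facility local7 (23) with severity 5 (notifications) is <189>. The
sample lines are constructed to resemble the LINK-5-CHANGED message in the capture.
"""
import re

FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  12: "ntp", 13: "audit", 14: "alert", 15: "clock",
                  **{16 + i: f"local{i}" for i in range(8)}}

# Cisco's keywords for the eight severities; a lower number is more urgent.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog(line):
    """Split a raw syslog line into facility, severity and message text."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> header: {line[:40]!r}")
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": facility,
        "facility_name": FACILITY_NAMES[facility],
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "message": m.group(2).strip(),
    }


def messages_at_or_below(lines, level):
    """Mimic 'logging trap <level>': keep messages whose severity number is
    <= level, i.e. the configured level and everything more urgent."""
    parsed = [parse_syslog(line) for line in lines]
    return [p for p in parsed if p["severity"] <= level]


# Constructed sample lines in the shape a Cisco device sends to a collector.
SAMPLE_LINES = [
    "<189>42: *Mar  1 00:12:07.123: %LINK-5-CHANGED: Interface FastEthernet0/1, "
    "changed state to administratively down",
    "<190>43: *Mar  1 00:12:09.001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host "
    "10.1.2.2 port 514 started - CLI initiated",
    "<186>44: *Mar  1 00:15:30.500: %SYS-2-MALLOCFAIL: Memory allocation of 65536 "
    "bytes failed from 0x0, alignment 0",
]

if __name__ == "__main__":
    for entry in messages_at_or_below(SAMPLE_LINES, 5):
        print(entry["facility_name"], entry["severity_name"], entry["message"][:60])
```

Running the filter at level 4 keeps only the MALLOCFAIL line, while level 7 keeps everything, which is the volume problem the lecture warns about: the threshold is the only thing standing between a collector and every debugging message the device can produce.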
If you are logging at the debugging level, that could be thousands of logs a minute; it could be hundreds of logs a second or more, and you could be seriously overloading your syslog collector. You might want to be aware of that before you set your logging level. Generally, the types of items that are logged are also something that is configurable, but we won't be going over that here today. Thanks so much for going through this with me. Just like the others, let's run through a couple of practice questions before we end. First: what is the name for the software running on a network management server that polls SNMP from managed devices? Is it an SNMP agent, the management information base, the SNMP manager, or just SNMP? The SNMP agent is the software running on your managed device that gathers information from the managed device and sends it back to your network management server. The management information base is what correlates your OIDs to the actual information on the managed device. SNMP is just the Simple Network Management Protocol. The software running on your network management server is the SNMP manager software: C. Finally, what syslog level corresponds to an alert-level message? Is it 1, 2, 3 or 4? Let me bring up the table real quick: emergency is level 0 and alert is level 1. So the answer here is A, level 1. I hope this has been informative for you, and I'd like to thank you for viewing.

33. 4.6 QoS

Quality of service.
Quality of service is a feature that most routers support. It allows for the prioritization of certain traffic, so that during times of congestion we can make sure our most important traffic is allowed through first and is guaranteed the amount of bandwidth it needs: things like our mission-critical applications and our voice and video communications. We want to make sure these very sensitive applications and very sensitive traffic are allowed first, or guaranteed a certain amount of bandwidth, so that we maintain our quality of service and ensure that the things most important to us are actually getting through. Specifically, the exam topic for this asks to explain the per-hop forwarding behavior, and that is what we are going to do. Quality of service is configured per hop: it is configured locally on each router, and it does not necessarily act the same from router to router. Although we can mark our traffic so that we can try to treat that traffic flow similarly throughout the entire line or the entire circuit, it doesn't necessarily get handled the same way at every hop down the road. So let's jump right in. Quality of service, as I said, allows for the prioritization of traffic during times of congestion. Note that quality of service generally does not have any effect if there is no congestion on the line: if we never get into the software queue, then our traffic flows are generally handled on a first-in, first-out basis. Quality of service, as I said, is configured per hop, and on Cisco devices it is configured specifically with the Modular QoS CLI.
That is MQC, as you will see it abbreviated in a lot of documentation. This is the name Cisco has given to their method of creating class maps and service policies: identifying and classifying our traffic, and then adding some kind of action to that specific classification of traffic. In general, on Cisco devices QoS involves three processes: identification of the traffic we want to apply some special handling to; classification of that traffic, to say, now that we have identified it, what class does this traffic fall into; and finally, for that class, what do we want to do with it, what kind of action do we want to take? Do we want to schedule that traffic specifically and have it come out first? Do we want to shape it, so that if the traffic is trying to move too quickly, with too much throughput, we queue that traffic and only release it onto the line at a specific rate? Or do we simply want to police it, where policing is just dropping the traffic that goes over the specified rate? We will cover that a little more in the upcoming slides. This figure here (not an animation) shows a little bit of what we are doing. Each of these colors can represent different traffic flows: green might represent a voice traffic flow, red might represent our regular web surfing traffic, or purple might, and so on. At the beginning here we have our policing and markdown, which will drop traffic that is coming through too quickly, like these green flows right here. The purple flows here look like they didn't even match against an ACL
through our admission control, so that is just not even allowed. Then we can schedule our traffic to queue or drop it: we can queue up this traffic if it is moving too quickly, or we can order it so that it flows out onto the line in a specific order, to make sure we get our most important traffic onto the line first. Or we can shape it, which ends up being the same thing as queuing here: we shape it, queue it, such that it is only released at a certain rate. Then link-specific mechanisms really just apply to your hardware queue for the individual interfaces on your router. You have several interfaces, and each of these interfaces has a hardware queue as well. That queue generally works in a first-in, first-out manner, and it is very small; it is really a hardware buffer for your interface where the traffic is placed before it is actually transmitted directly onto the line. So let's start off with our first process, identification, and move into the next slide with that. Identification and classification: traffic can be identified using several different properties. You could use your source and destination addresses. You could use the protocol being used, for example SIP for your voice over IP, or RTP, the Real-time Transport Protocol, for your voice over IP or video traffic. And then we could use our DSCP marking. Maybe our traffic has already flowed through a router or a device which has marked it. Our DSCP marking is something in our IP header: we have the ToS field, an 8-bit field, in which we have our DSCP value. That stands for Differentiated Services Code Point, and this is a table indicating the different levels of DSCP we have available and the binary equivalent for the six bits that are right here. For our voice traffic,
our best practice is going to be to mark it with EF, expedited forwarding. CS0 here is the equivalent of best effort, BE, for all zeros. Then you have a whole lot of different intermediate levels where we can mark our traffic. This is mostly useful for identification and classification by downstream or upstream devices. The identification and marking of your traffic, changing this DSCP value, takes CPU cycles; it is a software-driven process, and if you have a lot of traffic to go through, identify and mark, that can really put a strain on your CPU. You will want to make sure that the device you are doing this on is capable of handling that amount of CPU load. This is also generally why it is best practice to mark your traffic as close to the source as possible. For one, you are going to be dealing with less traffic, because it is not all aggregated together: it is not all of your business traffic aggregated together that you are trying to mark only at your firewall at the edge; instead you mark at the phones or at the individual routers in your departments, so that you have less to deal with and your marking process is more distributed. But it is also so that you can handle that traffic appropriately throughout your organization: you can just use your DSCP marking to choose how you want to handle that traffic. Perhaps your EF, expedited forwarding, traffic is actually your mission-critical application traffic, say for your transactional database, maybe your e-commerce website, and you have this transactional database traffic that really needs to be ensured to get to its destination appropriately.
The things that are higher in your table are generally for routing protocols and routing information, your control information, your control-plane traffic for your routers. That is very, very important traffic, even more so than your voice or video or mission-critical application traffic, because if you don't have routing information going throughout your network, then nothing is going to work. Say somebody hacked into your database and it is flooding your network with an incredible amount of transactions, sucking up all your bandwidth so that you can't even get your OSPF hello messages between your devices; now your neighbor relationships are going down and you can't even route around your network. That is something to consider: your routing protocol information is a very important traffic flow. You can use other things, of course, for identification of your traffic; there is a whole slew of items you could use, basically anything that is in an extended access list, an extended ACL, you can use to identify your traffic in the Modular QoS CLI. Now that we have gone over identification and classification, I would be aware of this table. You don't necessarily need to know all of these, but at least be aware that expedited forwarding is decimal 46 and IP precedence 5. The IP precedence, by the way, is the precedence value here; it is the three bits right here that define the IP precedence. The decimal value is the decimal value of the whole DSCP binary, the six bits here. In the binary you can see we have 101, and that is 5, and 101, that is 5, and then we have 100, and that is 4, and so on.
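The table's columns (DSCP name, binary, decimal, IP precedence) are all views of the same six bits, and the relationship is easy to show in code. The following Python is an added example for this course, not the course's code: it decodes a ToS byte into DSCP, precedence and ECN, names the standard per-hop behaviors (CS0 to CS7, AF11 to AF43, EF), and applies the ordering the lecture argues for, control-plane marks above EF voice above the AF classes above best effort. That ordering is this example's own illustration, not a Cisco default.

```python
"""Decode the IP ToS byte into DSCP, IP precedence and ECN (added example, not course code).

The top six bits of the byte are the DSCP; the top three of those are the old
IP precedence, which is why EF (101110 = 46) has precedence 5. The names follow
the standard PHB groups: CS0..CS7, AF11..AF43 and EF. scheduling_rank() is this
example's own ordering of the classes the lecture discusses (control-plane
CS6/CS7 above EF voice above AF/CS2-5 above best effort); it is not a Cisco default.
"""


def dscp_name(dscp):
    """Return the standard PHB name for a 6-bit DSCP value."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is six bits")
    if dscp == 46:
        return "EF"
    cls, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return "BE" if cls == 0 else f"CS{cls}"
    drop = low >> 1
    if 1 <= cls <= 4 and 1 <= drop <= 3 and low & 1 == 0:
        return f"AF{cls}{drop}"      # AF = 8 * class + 2 * drop precedence
    return "unassigned"


def decode_tos(tos):
    """Split a ToS byte (0..255) into its DSCP, IP precedence and ECN fields."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS is one byte")
    dscp = tos >> 2
    return {
        "tos": tos,
        "dscp": dscp,
        "dscp_binary": format(dscp, "06b"),
        "name": dscp_name(dscp),
        "precedence": dscp >> 3,
        "ecn": tos & 0b11,
    }


def encode_tos(dscp, ecn=0):
    """Inverse of decode_tos: build the ToS byte for a DSCP value."""
    if not (0 <= dscp <= 63 and 0 <= ecn <= 3):
        raise ValueError("bad DSCP or ECN")
    return (dscp << 2) | ecn


def scheduling_rank(dscp):
    """Lower number = served first. Example ordering only (see module docstring)."""
    name = dscp_name(dscp)
    if name in ("CS6", "CS7"):
        return 0            # routing protocols and other control-plane traffic
    if name == "EF":
        return 1            # voice
    if name.startswith("AF") or name in ("CS2", "CS3", "CS4", "CS5"):
        return 2            # assured classes
    return 3                # best effort, scavenger (CS1), anything unassigned


if __name__ == "__main__":
    for tos in (0xB8, 0x88, 0xC0, 0x00):   # EF, AF41, CS6, BE
        print(decode_tos(tos))
```

`decode_tos(0xB8)` gives DSCP 46, binary 101110, precedence 5, which is the EF row of the table; `0xC0` gives CS6 with precedence 6, the mark commonly used for routing protocol traffic, and it ranks ahead of EF in the example scheduler, matching the point about control-plane traffic above.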
Be aware that expedited forwarding is 46 and that best effort is going to be 0, and it's a good thing just to review this table to make sure you're aware of it. But I wouldn't spend the time to memorize it. Moving over to what actions we can take when we have now marked and are taking in our traffic: what can we do with it? Well, we can shape it or police it. Generally, this is the first type of action we can take. With policing, as I said, this is just dropping our traffic that's going above our specified bandwidth. This dotted line here is representing the maximum bandwidth allowed for that traffic flow, and these peaks here are going above that specified amount. So when we police the traffic, we're just dropping anything that's over that specified amount. If it's coming in too fast, the offending traffic is going to be dropped. Whereas when we shape it, as we see here, some parts are going above the specified throughput and others are below it, and when we went above it, these end up equaling out pretty well, such that we are releasing our traffic onto the line only at our maximum throughput. It is queuing up this amount here, and it's queuing up this amount here, and queuing up this amount here, and releasing this here, such that this is now released onto the line at our specified throughput, and this queued bit here is probably being released onto the line here so that we're staying at our specified throughput. And when it comes back down here, you will probably see this here start to come back down because our inbound traffic flow is slowing down. This is, generally, if it's faster than the interface can support. Or it can also be if you are defining the amount of throughput. Say you have your voice traffic, your VoIP traffic, and you want to make sure that it is set with your DSCP EF.
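To make the difference between the two actions concrete, here is an added Python model that is not part of the course. Both functions are given the same offered load and the same rate limit, measured per one-second interval: the policer discards whatever exceeds the limit in that interval, while the shaper queues the excess and drains it later, never sending more than the limit. The offered load series is constructed for the example, and the function names are my own.

```python
# Added example (not from the course): per-interval model of policing versus
# shaping. Units are megabits per one-second interval.


def police(offered, limit):
    """Return (sent, dropped) per interval. Excess over `limit` is discarded."""
    sent, dropped = [], []
    for load in offered:
        sent.append(min(load, limit))
        dropped.append(max(load - limit, 0))
    return sent, dropped


def shape(offered, limit):
    """Return (sent, backlog) per interval. Excess is queued and released later
    at the limit, so the output list can be longer than the input while the
    queue drains."""
    sent, backlog = [], []
    loads = list(offered)
    queue = 0
    i = 0
    while i < len(loads) or queue > 0:
        if i < len(loads):
            queue += loads[i]      # new arrivals join the queue
        i += 1
        out = min(queue, limit)    # release at most `limit` this interval
        queue -= out
        sent.append(out)
        backlog.append(queue)      # what is still waiting (adds delay)
    return sent, backlog


# Constructed offered load with bursts above a 2 Mbit/s limit
OFFERED = [1, 3, 4, 1, 0, 0]
LIMIT = 2

if __name__ == "__main__":
    print("police:", police(OFFERED, LIMIT))
    print("shape: ", shape(OFFERED, LIMIT))
```

With the constructed series the policer drops 3 of the 9 megabits offered, while the shaper delivers all 9 but holds up to 3 megabits in its queue for a while, which is the trade-off the lecture describes: drops versus added latency.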
Your expedited forwarding: make sure your voice traffic can get through, but you only want to give it two megabits, because your voice traffic does not use that much throughput and you only have 10 employees. There's no way you're going to be using more than two megabits, and in fact that is even pretty high just for voice traffic. And you want to make sure, in the event some bad actor comes into your network, say somebody comes in and places their computer on one of the desks, and they are not an employee and they're a hacker, and they start just throttling EF-marked traffic into your network at 100 megabits, they could now just hose your network and make it so that you can't get any Internet traffic out, because you are prioritizing this dummy traffic, this bad traffic, over everything else, and now nothing is working as expected. You want to make sure that voice traffic cannot possibly just hose your network like that, so you limit it to two megabits, so that this guy who came in, who is marking all of his traffic at EF, can only ever end up getting two megabits. All of your voice calls might start failing because he's throttling a bunch of dummy traffic onto the network. However, it's going to be OK: your mission-critical applications and the rest of your network will continue working all right, because you have limited your voice traffic to that amount. Now, as far as scheduling and queuing goes, there are a few different queuing methods out there. Queuing and scheduling allow for bandwidth limiting of specific traffic flows, and several methods do exist for allowing a single queue or multiple queues; we can have many different queues, each even with their own priorities. As I said, you can apply a bandwidth limit to a specific queue or even a specific type of traffic. Generally that's done here with class-based weighted fair queuing (CBWFQ). Also LLQ, this is low latency queuing; WFQ is weighted fair queuing; PQ
is priority queuing, and FIFO is first in, first out. First in, first out, of course, just makes sense: the first traffic that comes in is the first traffic that gets sent out. Priority queuing and weighted fair queuing act very similarly, whereas class-based weighted fair queuing is where it allows you to configure several different queues with your classes. This is really what the Modular QoS CLI is doing: you are taking your classes of traffic, you're creating a class map, you're identifying your traffic and creating a class map to classify that traffic, and then you are applying a service policy to it to allow for weighted fair queuing, so that you can weight certain traffic flows higher than others to give them a higher priority. You can give them bandwidth limits or even percentage limits of the bandwidth available. Say that you want it as a more dynamic kind of thing, such that it depends on which direction the traffic is taking. Say that you have a very dynamic routing protocol in your environment, traffic could be taking different directions, and you have different bandwidths available. Say you have your router here and you've got three different ways that it could potentially go to get to this other section of your network: this one is a 100 megabit line, this one is a one gig line, and this one is a 10 gig line. You could just assign percentages of your bandwidth available to your various priorities, or to your various classes of traffic, so that you don't end up with problems if you end up using a different line, the one gig as opposed to the 10 gig. If I specify that I want to give two gigabits to my transactional database traffic, well, then I'm running into problems with my one gig line, because that transactional database traffic now has the ability to use the entire bandwidth of the line, and you could cause problems in the event
there's a problem there where it is throttling too quickly and you're getting too much of that traffic. Low latency queuing, this is also one I would be aware of. Low latency queuing works a lot like priority queuing, but also creates a separate queue for voice traffic, and that low latency queue is emptied first. It makes sure that your voice traffic is released onto the line first, always, and after that queue is emptied, then your other queues start being emptied as well. This figure here gives kind of a sense of what the queuing is like: you've got your different traffic flows here. These could be your YouTube traffic or your general Internet traffic, your voice traffic or video traffic, your traffic from your backup server, your traffic from your security cameras, and so on. And then you are classifying that traffic and placing it into various queues here, and you're giving these queues different priority, such that the high priority ends up being put out onto the line first or more often, your middle priority is second or a little less often, and your lowest is whatever's left over. Or you could guarantee a certain amount of bandwidth; maybe just one megabit is going to your lowest priority, and you can go ahead and send that out onto the line first, and then, I'm sorry, last, or whatever is available. It's important to keep in mind that all of this is per hop: the queuing and the releasing of the traffic onto the line, and at what bandwidth, this is what's happening at the individual router level. This doesn't necessarily impact how the upstream router or downstream router will be handling your traffic; the QoS and the scheduling and the queuing need to be configured at the per-hop level.
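As an added example that is not part of the course, here is a Python sketch of one scheduling interval at a single hop, along the lines of the LLQ and CBWFQ behaviour just described: the priority (low latency) queue is drained first, each weighted class then receives its configured percentage of whatever capacity remains, and any leftover is shared round-robin among classes that still have packets waiting. The queue contents, class names and weights are constructed for the example; packets are treated as equal-size units so that capacity can be counted in packets.

```python
# Added example (not from the course): strict-priority queue plus weighted
# classes, evaluated for one scheduling interval at one hop.
from collections import Counter, deque


def make_queues(**packets_per_class):
    """Constructed input: one FIFO per class holding that many equal-size packets."""
    return {
        cls: deque(f"{cls}-{n}" for n in range(count))
        for cls, count in packets_per_class.items()
    }


def llq_round(queues, weights, capacity, priority="voice"):
    """Dispatch up to `capacity` packets for one interval and return them in order.

    `weights` maps class name -> percent of the remaining capacity it is
    guaranteed after the priority queue has been emptied.
    """
    dispatched = []
    budget = capacity

    def take(cls, n):
        nonlocal budget
        q = queues[cls]
        while n > 0 and q and budget > 0:
            dispatched.append(q.popleft())
            budget -= 1
            n -= 1

    take(priority, budget)                       # strict priority: emptied first
    remaining = budget
    for cls, pct in weights.items():             # guaranteed share of the rest
        take(cls, remaining * pct // 100)
    while budget > 0 and any(queues[c] for c in weights):
        for cls in weights:                      # leftover capacity, round-robin
            if budget > 0 and queues[cls]:
                take(cls, 1)
    return dispatched


def dispatched_per_class(dispatched):
    """Count how many packets each class got in the interval."""
    return Counter(pid.rsplit("-", 1)[0] for pid in dispatched)


if __name__ == "__main__":
    q = make_queues(voice=3, db=10, web=10)
    first = llq_round(q, {"db": 50, "web": 20}, capacity=10)
    print(dispatched_per_class(first))   # voice served first, then db/web by weight
    second = llq_round(q, {"db": 50, "web": 20}, capacity=10)
    print(dispatched_per_class(second))  # no voice waiting, db/web share the whole interval
```

The point to notice is the one the lecture makes about the attacker marking everything EF: the priority queue here has no cap, so a flood of priority packets would starve the other classes. In a real LLQ configuration the priority class is policed to its configured rate during congestion for exactly that reason.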
You can classify and mark your traffic once and use that marking throughout your network, which is also where the trust boundary comes in, as far as who you're going to trust, what devices you're going to trust for marking your traffic, and whether you may want to discard any marking on your traffic. Say you've got your workstation here and you've got your phone (excuse my poor drawing of a phone). You've got your phone and your computer: your computer is connected to your phone, your phone is connected over to your switch, your switch is connected to your router, the router is connected to your firewall, and that's connected over to the Internet. Let's say your phone is marking its own traffic, and let's say this is a layer 3 switch, and your phone is marking its own traffic as expedited forwarding. Let's say at your switch you don't want to trust that marking. You could just choose to take that EF marking and rip it off of there and apply your own marking onto that traffic. You want to take your trust boundary that was right here, bring it up and put it right here, and make it so that you don't trust this phone to mark its own traffic at all. But maybe you do want to trust it, to take some of that load off of your switch here, and go ahead and allow your phone to mark its own traffic and move your trust boundary here, such that maybe you want to make sure that any traffic on your data VLAN coming from your workstation here has any marking removed, because you don't want to trust that traffic. But perhaps you do, and you want to move your trust boundary out here and just trust everything. I wouldn't recommend it, but, hey, it's possible. Maybe your environment calls for that. Anyway, thanks so much for going through this with me. Just like the others, let's run through a couple of practice questions before we end off. First up:
what DSCP value is recommended for voice? I did go ahead and put the table here just to make sure that you have this available. This is looking at the decimal representation of DSCP, and the recommended value for voice, we did say, is EF, expedited forwarding, which has a DSCP value of 46. The answer here is C, 46. And finally, when there is no congestion, how is traffic released onto the line from the hardware queue? I mentioned this just a couple of times: when there's no congestion, your hardware queue generally works in a first in, first out manner. It will release it out as fast as it is able to, as fast as the line allows, because there's no congestion, and it'll just put it out there first in, first out. The answer here is A. I hope that this has been informative for you. I'd like to thank you for viewing.

34. 4.7 SSH

Secure shell management configuration. A lot of times we are managing our network devices, and generally you will SSH into them. If they are Cisco IOS devices, that's likely how you'll be managing them, and you may telnet, but if you have the option to use SSH, you absolutely should. That encrypts your communication from start to end; even the username and password that you log into your device with will end up being encrypted through your secure shell. With telnet, all of your information is sent in clear text and is not encrypted whatsoever, and that is very susceptible to attack. If somebody has access to the line between your management server, wherever you're connecting to your device from, and your device, and they're listening in on that and taking a capture, then they can see very plainly the credentials you're using to log into your device and any configuration that you're doing through telnet. So secure shell, or SSH, is the preferred method of management for our devices, and a lot of us already know how to do SSH.
You're going to use your terminal emulator like PuTTY or SecureCRT, something like that, to go ahead and connect with SSH, and it just works. But if you pull a new device out of the box, or you're doing a write erase and need to go ahead and set it up for secure shell again, there are a few steps that need to be taken. So we're going to go through that in this video, and we're going to configure our devices for that, both as an SSH server and an SSH client, and show how that's set up. First up, let's talk just a little bit about SSH. It is defined in RFC 4254. There were two versions developed of SSH, version 1 and version 2. Version 1 is generally considered outdated, and now it is deprecated; you should always use version 2 if possible. A lot of our terminal emulator programs will just throw an error saying it's using version 1, do you want to continue? Or you might have to explicitly add an option to allow connecting to version 1 SSH devices. It uses cryptographic keys for encrypted communication. And what does this really mean? Well, using public key infrastructure, not really public key infrastructure, but using public/private key, asymmetrical encryption, you can encrypt communications using a device's public key, and it can only be decrypted using the private key. It is not symmetrical: if you try and obtain the public key, it doesn't matter, you cannot decrypt the communication that was encrypted with it. And that's actually something we end up doing during our configuration here: we are generating our public and private keys on our device for usage. Here I wanted to go ahead and show what setting up an SSH session looks like. There's a little bit of extra TCP traffic in there that is related to the SSH session here.
However, that may just be some extra traffic that's generated by the device; we just have a few extra acknowledgement packets here that may not have been needed necessarily. Sometimes the devices in GNS3 just act a little bit wonky; it's just something to be aware of. It does operate over TCP port 22 by default. So we see here that our client is 10.1.2.2 and our server is 10.1.2.3, and we are sending our SYN over to port 22, getting our TCP connection started. The way this is working is that we are negotiating our version of the protocol that we're able to use; we're saying 1.99, and 2.0 for the server. And then we're exchanging our keys; we're initiating the exchange of our keys. We're using Diffie-Hellman to actually exchange our cryptographic keys. Diffie-Hellman allows for the independent creation of key material to be able to securely exchange information before you actually have a secure tunnel built; it is a little less secure than using your cryptographic keys, which is why we're building that tunnel to allow for the more secure exchange of our keys. Then we're going ahead and actually exchanging our keys, and then we are sending encrypted packets to each other. And there we go, we have our secure link set up, and we are now exchanging encrypted packets, and each side is decrypting that when they receive it. That's what it ends up looking like here: we are negotiating our protocol level, exchanging our keys, and boom, we're agreeing to go ahead and encrypt and decrypt the packets that are received during this session. So just going into that a little more here, our client initiates the connection by connecting to the server, setting up our TCP connection, doing our SYN, SYN-ACK, ACK. And then the server sends over the public key. This is a little simplified from our Wireshark capture.
There we negotiate the parameters and open the secure channel, and then we go ahead and log in, and that's just this number four here. This is an encrypted packet that we can't see; during our capture it just shows as encrypted data. In order to use SSH, you do need an IOS image that supports cryptographic features. These are the k9 images: when you see k9 at the end of your image name, that is an image that supports cryptographic functions. If it does not, then you do not have an image that supports cryptographic functions; you will not be able to generate your RSA keys at all in order to use SSH. If you ever run into a situation where you type in the command crypto and it just says unknown command, then that's likely what's going on: you do not have an image that supports cryptographic features. Just as a note here, this is not needed for the exam: SSH version 1 was supported as of IOS 12.0(5), and SSH version 2 as of 12.1 release 19. That's on most platforms; there are some that were released a little later in 12.1, but that's no issue here. If you have something like 12.0, which is very, very old, or previous versions of IOS, then you won't be able to support SSH and use it here in the configuration. It does require a domain name to be configured: when you go to generate your RSA keys, your cryptographic keys, if you don't have a domain name configured, it's going to throw an error at you saying that no domain name is configured. We'll go through that in our configuration lab briefly here. And it is possible to use certificate-based authentication for mutual authentication with the client and server. Right now we're just doing key exchange for setting up our secure shell, and then we're using username and password to log into the device. But it is possible to set up identity certificates on each side
that are signed by some trusted certificate authority, so that you can mutually authenticate: the server can know that the client is allowed to connect by using the certificate, and the client knows that the server is actually who it says it is because it's signed by some trusted certificate authority. Awesome. So that's the brief overview of SSH. Let's go ahead and take a look at our lab here and the steps that we're going to take with that. So all of the steps are needed for the client configuration: in order to use the SSH client, we need to go ahead and generate our RSA keys, and in order to do that we have to set an IP domain name. Now, we can go ahead and just leave the default hostname of Router, but there does need to be a hostname there, because these are used in your key. That's why we need a domain name: because that's used in your cryptographic key in order to go ahead and generate that. On the server side, we're going to go ahead and configure a local username and password; we're going to use something simple, just cisco / cisco. And then we also need to set the VTY line authentication method; we just tell it login local, so that we can actually log in with the VTY line. And down here, this is what our lab setup is going to be: we've got our SSH client over on R1 and the SSH server over on R2, and, following our convention, 10.1.2.0/24 is the network between them. R1 is .1, R2 is .2. Now, I have gone ahead and set up these IP addresses already, and I've set the hostnames, but that is all. We need to go ahead and set our domain name, generate keys, set up our username and password on the server side, and set the VTY line authentication method. And then we're going to go ahead and log in from R1 to R2; we're going to SSH over there and take a look at what that is like. So let's jump on over to R1 first and set up our keys real fast.
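Before moving to the lab, here is an added Python example, not part of the course, for the version negotiation seen in the capture above. The first thing each side sends after the TCP handshake is an identification string of the form SSH-protoversion-softwareversion; "1.99" is the compatibility value meaning the peer speaks both version 1 and version 2, while "2.0" means version 2 only. The parser below picks the highest common version, and a small audit helper flags a server that would still accept version 1, which is the "always use version 2" advice from the lecture turned into a check. The banner strings in the test are constructed, and the function names are mine.

```python
# Added example (not from the course): parse SSH identification strings and
# decide which protocol version two peers would agree on.
import re

BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_banner(line: str) -> dict:
    """Parse an identification string such as 'SSH-2.0-OpenSSH_9.0 comment'."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto = m.group("proto")
    # '1.99' is the compatibility value: the peer speaks both version 1 and 2.
    if proto == "1.99":
        versions = {1, 2}
    elif proto == "2.0":
        versions = {2}
    else:
        versions = {1}          # 1.3, 1.5 and similar are protocol 1 only
    return {"proto": proto, "software": m.group("software"), "versions": versions}


def negotiate(client_banner: str, server_banner: str):
    """Return the highest protocol version both sides support, or None."""
    common = (
        parse_banner(client_banner)["versions"]
        & parse_banner(server_banner)["versions"]
    )
    return max(common) if common else None


def audit(server_banner: str) -> str:
    """Defender's check: does this server still accept protocol version 1?"""
    v = parse_banner(server_banner)["versions"]
    if v == {2}:
        return "ok: version 2 only"
    if v == {1, 2}:
        return "warn: advertises 1.99, version 1 still accepted"
    return "fail: version 1 only"


if __name__ == "__main__":
    # constructed banners; a version-2-only client against a 1.99 server agrees on 2
    print(negotiate("SSH-2.0-PuTTY_Release_0.78", "SSH-1.99-Cisco-1.25"))
    print(audit("SSH-1.99-Cisco-1.25"))
```

On IOS the server-side setting that moves the audit result from "warn" to "ok" is the ip ssh version 2 command, which restricts the device to version 2 rather than the compatibility mode.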
So we're just going to pull open R1, go enable, and the first thing real fast is your show ip interface brief. My apologies, the IP address was previously set by DHCP from a previous lab and has not been set on our interface here, so let's go ahead and set that. It's going to be 10.1.2.1 and a /24. Let's go config t, interface FastEthernet 0/0, ip address 10.1.2.1 with a 24-bit mask. There we go. Just to make sure, let's ping 10.1.2.2 to make sure that R2 is pingable. Yes, it is; excellent, we have connectivity. So let's go ahead and generate our keys. Let's go exit. Let's set the IP domain name: ip domain-name, and this is going to be benjtrain.lab. Excellent. We already have our hostname configured here, R1, so our full hostname, the fully qualified domain name of our host here, is R1.benjtrain.lab. That doesn't actually apply anywhere because we don't have that set up in DNS at all; it's just going to be used in our key generation. So in order to generate your keys, you do crypto key generate rsa. Actually, let's take a look at that here: we only have the option for rsa on this image. And then we can use general-keys, and that's what we want to end up doing. We do have the option of making it exportable. The key here is a public key and a private key, and anything encrypted with your public key can only be decrypted with your private key. If you do not set it to be exportable, you will never be able to see your private key; it is hidden away in IOS in such a manner that you cannot get to it. So we can go ahead and do general-keys; we don't need to be able to export that at all. So we'll go ahead and just press enter, and it's going to ask us how many bits in the modulus. This is how long your key is.
Choosing a modulus greater than 512 may take a few minutes, but it's going to be fine on this platform. I went ahead and generated this earlier; it only takes a few moments, seconds at most. Generally you want to do 1024 or higher. Most modern terminal emulation software will throw an error if you're using a key length that is too short; 1024 or higher is generally accepted as best practice. We'll go ahead and do 1024. And there we go, it's created as non-exportable, and we actually get a log message here saying that SSH is now enabled. Great, we have our key available and SSH is enabled. Let's go ahead and do exit. Oops, let's go end, and we can do a show crypto key mypubkey rsa, and we can actually take a look at our key here. We've got R1.benjtrain.lab, our general purpose key here, and we also have our server key; it generates two separate keys here. And these keys, as you would expect, if you do a show run, do not appear in our show run at all. Some devices will actually show your cryptographic keys in your running config; on this platform it will not, and on most of them it will not. You actually need to do that show crypto key command in order to see those. Awesome. So we've got the client set up here. Let's run on over to R2 and we'll get the server set up. We'll do the same thing of generating our RSA keys, and then set up our username and password and set the authentication method on the VTY lines. Let's go enable, config t, do ip domain-name, we'll do benjtrain.lab. Awesome. And then we'll do crypto key generate rsa general-keys, do 1024 as our key length. Excellent. So that's generated; let's go ahead and create a username. We'll just call it cisco, password... actually, we shouldn't use password; we should use secret instead. Secret will encrypt with a very weak encryption, but it will encrypt your password in the running config.
So it's much more difficult for somebody to do an over-the-shoulder attack, where they're just standing behind your shoulder looking at the running config, and you end up scrolling by where you're using the password and they see the password right there. It will make it much more difficult for that. We're just going to set the password as cisco here, and there we go. So then let's go to line vty 0 4, login local. Excellent. Let's go end. Great. So now we can run back over to R1 and try to SSH and log in to R2. That command is just ssh, and we specify what the username is with -l, using the cisco username that we just created, and then the IP address here is 10.1.2.2, R2. We're prompted with a password here. This means that we have negotiated our SSH tunnel already: the encrypted communication is now set up, it has accepted that session, and we are now trying to log in with our password. If I just type in cisco here as the password, we're now presented with our prompt for R2, and we are now in R2. Now, I'm trying to enable here, but there is no enable password set, so it's not allowing us to do that. But we have now successfully set up SSH on our device and connected to it from another device as well, one that was set up as an SSH client. Awesome. Just like the other videos here, let's run through a couple of practice questions before we end off. First up: what attribute must be configured by the admin before generating RSA keys used for SSH? Is it the interface name, username, a domain name, or hostname? So the hostname is something that is needed, but that can just be left as the default Router or Switch hostname that's on your device, so that's no problem. The attribute that must be configured by the admin is C, the domain name. In the event you try to create your RSA keys without setting a domain name,
it'll throw an error for you saying there is no domain name set, and you'll need to go back and do that real quick. So finally, is the below IOS image capable of connecting via SSH version 2? You have a show version output here for the 7200 router using the advanced enterprise k9-M image and version 12.4. We did mention that SSH version 2 was released in 12.1, so that's fine for our version here, and we have the k9 on the end of our image name. So, yes, this does have the cryptographic functions built in. The answer here is yes, this is capable. I hope that this has been informative for you. Now I would like to thank you for viewing.

35. 4.8 FTP and TFTP

FTP and TFTP. At some point during your network engineering career, and in working with these devices, you will run into the situation where you need to either transfer files to a device or off of a device, to back up the configuration to some external location, or to go ahead and update the firmware and transfer a new IOS image over to the device. This is going to happen, and Cisco wants to make sure that you understand what's used generally in order to do this. FTP and TFTP are generally the protocols of choice when looking to do these file transfers. Most commonly, you're going to end up doing this for software updates, to go ahead and transfer a new IOS image over to the device, but there are also other uses, and we'll cover a little bit of those in just a few slides. First up, let's talk about File Transfer Protocol, FTP. Specifically, the exam topic on the CCNA here says to go over the function and use of FTP and TFTP in the network, and that we need to describe the capabilities as well. So File Transfer Protocol: it establishes two separate TCP connections, for control and data transfer. What it actually does is it operates over TCP 21 for control messages. So the client sends a start command over to the server over TCP 21 here.
And then the server responds to the client with a port number. So this is in passive mode, though, right? FTP has either active or passive mode, where passive mode is where the client connects to the server for the data, but active mode is where the server actually connects to the client; that server initiates that connection. And think about it, right: that doesn't work well with firewalls or NAT, of course, because the server is trying to initiate a connection inbound, and during active mode the inbound port number for the client ends up being just an ephemeral port number. It's random; it is among a range, but you can't really specify every time what that port number is going to be. So it just doesn't work for having firewalls. This is why passive mode was developed, and mind you, this was made back in RFC 1579, and that's where passive mode was introduced. This is back in the eighties, right, when firewalls were not necessarily so ubiquitous; they were starting to be up and coming and be in most networks. So that's why passive mode was brought into play here, and there was a standard defined for it. So, like I said, the server responds to this port 21 communication, giving a port number back, saying hey, go ahead and open up a connection on this port number for that data transfer. So then, with passive mode, the client starts the connection to the random server data port. That is not necessarily true; it does default to TCP 20 for data, but that is a configurable item and is not necessarily true all the time. That can just be a random server port for the data, and then in response the server will send the data back, or the client will send data to it. That is a full interactive file transfer session; that is two-way file transfer. You can upload, you can download, the server could request files from the client, and the client can request files from the server. FTP does not provide any encryption.
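As an added example that is not part of the course, here is the piece of passive mode that the lecture describes in words: the reply the server sends on the port 21 control connection, carrying the address and port the client should open its data connection to. The port arrives as two octets, so the client computes p1*256 + p2. The second function is the kind of sanity check a firewall or a careful client applies before opening the data connection: the data endpoint should be the server we are already talking to, on an unprivileged port. The replies and addresses below are constructed (192.0.2.0/24 is the documentation range), and the function names are mine.

```python
# Added example (not from the course): parse an FTP "227 Entering Passive Mode"
# reply and check the data endpoint it announces.
import re

PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str):
    """Return (host, port) from a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(n > 255 for n in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_port_policy(reply: str, control_host: str):
    """Decide whether the client should open the announced data connection.

    In passive mode the client connects outbound, so the firewall only has to
    permit this one outbound flow; the checks below refuse a reply that points
    at a different host or at a privileged port.
    """
    host, port = parse_pasv(reply)
    if host != control_host:
        return False, f"data host {host} differs from control host {control_host}"
    if port < 1024:
        return False, f"data port {port} is privileged"
    return True, f"connect to {host}:{port}"


if __name__ == "__main__":
    # constructed reply from a server at 192.0.2.10 announcing port 50069
    reply = "227 Entering Passive Mode (192,0,2,10,195,149)."
    print(parse_pasv(reply))
    print(data_port_policy(reply, "192.0.2.10"))
```

Nothing in the reply is authenticated or encrypted, which is the point the lecture goes on to make: the endpoint announcement, the credentials and the file contents all travel in clear text on the control and data connections.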
So that includes your authentication: generally there is authentication for FTP (there is a defined standard for having anonymous authentication, so that there is no username or password exchanged), but it does not encrypt that communication at all. So that is going to be sent in plain text. You might want to consider that it doesn't actually secure its own communication; the underlying line there, the management line that's happening between the two, should be secured, because the protocol itself does not provide that. So that's how File Transfer Protocol works, and you've probably touched on FTP before, maybe used an FTP server like FileZilla or something like that, to go ahead and upload documents to a web server or something along those lines. It's pretty intuitive, right? But something not everybody has used is the Trivial File Transfer Protocol, that is TFTP. So TFTP is a really, really lightweight file transfer protocol. Its most recent definition was in RFC 1350. It is a connectionless protocol using UDP 69, and it does not care to actually provide reliability in the underlying transport protocol. This is why we have acknowledgements: it is providing some reliability in the actual TFTP protocol itself, rather than in the underlying transport protocol. It's a very simple design; it requires a really small amount of memory, which is why it's ideal for network booting. In your pre-execution environment, right, as your device is booting up, we only have to load this very small software into memory in order to run TFTP. It's very lightweight, and that makes it really great for loading into your pre-execution environment and being able to boot from the network. Now, on Cisco devices you can configure FTP for network booting, where during boot-up it will reach out to some FTP server and grab an IOS image and boot
from that image. It will get that image, it will decompress it, and boom, it will go ahead and boot from it. But TFTP is usually the protocol of choice for that, just because of its simplicity and ease of use. It is only for unidirectional transfers: the client must initiate either a read or a write. It can either obtain data from the server or put data on the server, but the server cannot request data from the client; it's one way here, and for each session it is only one way. You either request a file, and then that session is over, or you put a file, and that session is over. Just like FTP, there's no encryption, but with TFTP there's actually no inherent security whatsoever. It does not authenticate anything; it doesn't provide any mechanism for that. You cannot provide a username or password, because that's just not built into TFTP. But that's no problem, generally, for our uses here. If you just need to quickly take a backup of the configuration on your device, it's really easy to go ahead and just stand up a TFTP server. There are applications out there for Windows, Linux, and Mac; just go ahead and stand it up real quick, point your client, your router or switch or whatever device, over to that TFTP server, and boom, just send your file over. It's quick, it's dirty, it's easy, it's going to be nice and fast. Same for network booting: if you have your management network secured, then this is a nice option for network booting as well, as long as you don't really care about the authentication mechanism not being there. But of course you could use FTP instead if you do wish to go that direction. So as far as the uses here for FTP and TFTP, I did touch on that a little bit: it's used for transferring configurations, your running or your startup config, from or to your device. You can back up your configurations.
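To show what "reliability in the protocol itself" and "one way per session" look like on the wire, here is an added Python example that is not part of the course. It builds and parses the RFC 1350 packet types (RRQ/WRQ, DATA, ACK, ERROR) and then walks a read request in lock step: the server sends one 512-byte DATA block, waits for the client's ACK of that block number, and sends the next; a block shorter than 512 bytes ends the transfer. Note that nowhere in the exchange is there a username or password field, which is the "no inherent security" point. The file contents are constructed, and the function names are mine.

```python
# Added example (not from the course): TFTP (RFC 1350) packet encoding plus a
# lock-step read transfer simulated in memory.
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512  # data block size; a short block marks the end of the transfer


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ: opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def parse(packet):
    """Decode one TFTP packet into a dict."""
    (op,) = struct.unpack("!H", packet[:2])
    if op in (RRQ, WRQ):
        filename, mode, _ = packet[2:].split(b"\0", 2)
        return {"op": op, "filename": filename.decode(), "mode": mode.decode()}
    if op == DATA:
        return {"op": op, "block": struct.unpack("!H", packet[2:4])[0], "data": packet[4:]}
    if op == ACK:
        return {"op": op, "block": struct.unpack("!H", packet[2:4])[0]}
    if op == ERROR:
        code = struct.unpack("!H", packet[2:4])[0]
        return {"op": op, "code": code, "message": packet[4:].split(b"\0", 1)[0].decode()}
    raise ValueError(f"unknown opcode {op}")


def read_transfer(files, filename):
    """Simulate a client RRQ against an in-memory server.

    Every DATA block must be acknowledged before the next is sent; that
    stop-and-wait ACK is the reliability TFTP adds on top of UDP. Returns
    (received_bytes_or_None, log of (direction, packet)).
    """
    log = [("client->server", build_request(RRQ, filename))]
    if filename not in files:
        log.append(("server->client", struct.pack("!HH", ERROR, 1) + b"File not found\0"))
        return None, log
    data, received, block = files[filename], b"", 1
    while True:
        chunk = data[(block - 1) * BLOCK: block * BLOCK]
        log.append(("server->client", build_data(block, chunk)))
        received += chunk
        log.append(("client->server", build_ack(block)))   # ACK carries the block number
        if len(chunk) < BLOCK:                             # short block: transfer complete
            return received, log
        block += 1


# Constructed "server" with one 1200-byte file standing in for a backed-up config
FILES = {"startup-config": b"hostname R2\n" * 100}

if __name__ == "__main__":
    content, exchange = read_transfer(FILES, "startup-config")
    for direction, pkt in exchange:
        print(direction, parse(pkt).get("op"), parse(pkt).get("block", ""))
    print(len(content), "bytes received in", len(exchange), "packets")
```

The 1200-byte file takes three DATA blocks (512, 512, 176) and three ACKs, seven packets including the request; a file that is an exact multiple of 512 bytes still ends with an empty DATA block, which the transfer handles.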
You can restore your configurations to your device, that I can go ahead and transfer a running configuration to my device. I can copy from a TFTP server, and instead of flash here, you can do the option of running-config, and that will go ahead and restore a configuration directly into the running configuration of your device. Or, same deal, I could put here startup-config, and we can go ahead and restore our configuration directly to our startup configuration. Or vice versa: go ahead and do startup-config here and have this, instead of flash, be to an FTP server, and go ahead and back up our configuration. And similarly, that's how you would do it for your IOS image as well, that we use the copy command here. When you're actually in your server, uh, I'm sorry, when you're actually in your device, through ROMMON mode, or ROMmon, you can go ahead and configure network booting to have it reach out to some FTP or TFTP server to boot directly from an image stored on that server. And you can back up or update your system image files. As I said, your IOS images, or on an ASA, your SDM image or your ASA software, you can go ahead and transfer that around. It's just generic file transfer, right? And your log files, or sometimes you configure your device for having crash logs or other various logs that are not necessarily easily moved off of the device, like syslogs. We can just export that to some syslog collector. You can go ahead and just do a copy and do the file copy flash, and the syntax here is gonna be, you know, like flash colon slash and then your file name here, right? So that we can do, you know, backup log, and then copy that over to our TFTP, and that's how you would transfer that device, I'm sorry, that file off of your device and onto your file server or TFTP or FTP server. Now I know that this video here has been pretty quick.
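To make the lesson's point about TFTP concrete, here is an added Python example (it is not part of the course and not Cisco code) that builds and decodes the RFC 1350 packet types and scans a list of packets for configuration files being moved. The request packet carries only an opcode, a filename and a transfer mode, which is exactly why there is no username or password to give: the format has no field for one. A monitor on the management network can at least log which files are requested. The filenames and packets below are constructed samples, and the keyword list is an assumption.

```python
"""TFTP (RFC 1350) packet encoder/decoder with a small transfer monitor.

Added example for this lesson, not part of the course. Filenames and packets are
constructed samples. The RRQ/WRQ layout (opcode, filename, 0, mode, 0) has no
field for credentials, which is why TFTP offers no authentication.
"""
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
ERROR_CODES = {0: "Not defined", 1: "File not found", 2: "Access violation",
               3: "Disk full", 4: "Illegal operation", 5: "Unknown transfer ID",
               6: "File already exists", 7: "No such user"}
BLOCK_SIZE = 512          # a DATA block shorter than this marks the end of the transfer


def build_request(opcode, filename, mode="octet"):
    """RRQ (1) or WRQ (2): 2-byte opcode, filename, NUL, mode, NUL."""
    if opcode not in (1, 2):
        raise ValueError("request opcode must be 1 (RRQ) or 2 (WRQ)")
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def build_data(block, payload):
    return struct.pack("!HH", 3, block) + payload


def build_ack(block):
    return struct.pack("!HH", 4, block)


def build_error(code, message):
    return struct.pack("!HH", 5, code) + message.encode("ascii") + b"\x00"


def parse_packet(pkt):
    """Decode one TFTP packet into a dict keyed by its type."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", pkt[:2])
    kind = OPCODES.get(opcode)
    if kind in ("RRQ", "WRQ"):
        fields = pkt[2:].split(b"\x00")
        if len(fields) < 3 or fields[-1] != b"":   # both strings must be NUL-terminated
            raise ValueError("malformed request")
        return {"type": kind,
                "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    if kind == "DATA":
        (block,) = struct.unpack("!H", pkt[2:4])
        data = pkt[4:]
        return {"type": kind, "block": block, "length": len(data),
                "last": len(data) < BLOCK_SIZE}
    if kind == "ACK":
        (block,) = struct.unpack("!H", pkt[2:4])
        return {"type": kind, "block": block}
    if kind == "ERROR":
        (code,) = struct.unpack("!H", pkt[2:4])
        message = pkt[4:].split(b"\x00")[0].decode("ascii", "replace")
        return {"type": kind, "code": code,
                "reason": ERROR_CODES.get(code, "Unknown"), "message": message}
    raise ValueError(f"unknown opcode {opcode}")


def config_transfer_events(packets, keywords=("config",)):
    """List (request type, filename) for each RRQ/WRQ whose filename mentions a watched keyword.

    A monitor on the management network can use this to log configuration backups
    and restores, since the protocol itself records no user behind the request.
    """
    events = []
    for pkt in packets:
        try:
            parsed = parse_packet(pkt)
        except ValueError:
            continue          # not a TFTP packet we understand; ignore it
        if parsed["type"] in ("RRQ", "WRQ") and any(
                k in parsed["filename"].lower() for k in keywords):
            events.append((parsed["type"], parsed["filename"]))
    return events


if __name__ == "__main__":
    # Constructed session: a router backs up its startup-config with a WRQ.
    session = [build_request(2, "router1-startup-config"), build_ack(0),
               build_data(1, b"hostname router1\n"), build_ack(1)]
    for p in session:
        print(parse_packet(p))
    print(config_transfer_events(session))
```

The `last` flag on a DATA packet is how a TFTP transfer ends: a block shorter than 512 bytes (including an empty one) closes the session, which is the "one way, then the session is over" behaviour the lesson describes.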
It's just a quick and dirty rundown of FTP and TFTP and where you would use that, and their fundamental protocol bits here. The things to really remember: UDP 69 for Trivial File Transfer, that is a connectionless protocol, and that there is no authentication on that. There's no inherent security there, and same thing for FTP. It operates over TCP 21 for the control messages. You don't necessarily need to know that it's 20 for data, because that is not necessarily a set port number there, that the only time this would ever really come up is 21 for control messages, and that it does not provide any encryption, that for that you would need SFTP or FTPS, which we're not covering at the moment here just because that's not gone over in the CCNA exam topics. So just like the others, let's run through a couple of practice questions here before we end off. Over what port are FTP control messages sent? Now, I know I just mentioned this here, but I did wanna just drill it down one more time that this is a connection-based transport protocol, uh, transport protocol, I mean, TCP, and that it is TCP 21 for the control messages. The answer here would be C. And finally, does TFTP use a connection-based or connectionless protocol for its transport? Remember, our transport protocols are our layer three protocols, I'm sorry, our layer four protocols, for TCP, UDP, etcetera. That this is going to be a connectionless protocol because it is operating over UDP. Our answer is A. I hope that this has been informative for you, and I'd like to thank you for viewing.

36. 5.1 Defining key security concepts
Security concepts.
A lot of the basics in cybersecurity honestly revolve around vocabulary and having definitions for things and understanding what exactly they actually mean. This allows you to have a more intelligent conversation with your peers and other people in the field when you understand what they actually mean when they say that this is a threat, or that they've patched certain vulnerabilities, or they found malware utilizing an exploit. What we'll go through in this video is some of these terms and what they actually mean and how they're relevant: these concepts of a threat, a vulnerability, an exploit, a mitigation, and how that applies to cybersecurity. So first up, let's talk about a threat. So a threat is anything that has the potential to cause harm to computer systems. That's a really broad definition. Think about how wide that is. That could be everything from a power surge all the way to natural disasters, to software bugs or vulnerabilities, to legitimate manufacturer defects. These are all threats to your computer systems, as they could cause harm. Now, the thing that we're going to be talking about mostly is malware. So malware is malicious software. Malware, our viruses, trojans, those are threats, and they have the potential for an attack, that hackers out there can use these, and the potential for that attack, that is also a threat. The hackers being out there and having the ability to do this, that's a threat. And threats are what we work to mitigate, or to lessen, that we're trying to reduce or remove these threats entirely. And then over here, this graph shows a little bit about the threat landscape, right, that beware of the social engineer: your threats don't all have to be digital, they can be of your employees, and having a good security program and user awareness in your organization and training can help reduce this threat. And ransomware poses a grave risk to availability, that this is a threat and has a very large risk towards availability.
Specifically of your data. That ransomware, the way ransomware works, is it goes through and encrypts your data, and it holds it ransom, that typically the hackers will be requesting some amount of dollars or Bitcoin or what have you, a currency, in exchange for the encryption keys to decrypt all of your data. And the greatest threat may come from within, that you having a disgruntled employee can be one of the most dangerous things for an organization, just because they have the access, they're usually unsuspected, and they can go ahead and cause great, great damage and even sometimes remove their tracks from causing that damage, really creating a problem for you in trying to figure out how this was done and being able to patch this so it doesn't happen again later. And as we just talked about, that malware, malware is a huge threat, that ransomware is a type of malware, and that malware in general is software. Although we're getting really good at defending against malware, at identifying software that poses a threat and being able to identify that and take it out of the equation here, either block it or remove it, although these still do pose a significant threat, we're getting really good at identifying and mitigating that threat. And denial of service attacks, that fundamentally the way the Internet works can cause denial of service attacks, that it opens up that vulnerability or attack vector for organizations out there, and there are certain steps you could take to mitigate that threat. But this is like sending a SYN flood to your web server, where you're opening up all these half-open connections. You're sending a bunch of SYNs, and your server is sending back all of your SYN-ACKs, right, in your TCP three-way handshake here, and they're sending back all these SYN-ACKs and they're opening up this port, right, because it has to
have that connection open on the server and available to receive your ACK in response to go ahead and complete that three-way handshake. And if you're sending thousands, hundreds of thousands, millions of these SYNs over to your web server, you can tie up all of the available resources of all of the available web servers, make it so that legitimate traffic has a very hard time getting through. And that size really doesn't matter, that oftentimes the way hackers are operating in reality is that they are scanning the Internet and looking for available vulnerabilities that are known, to go ahead and try and apply an exploit and see if they're able to exploit these vulnerabilities. And because of that, it really doesn't matter the size of your organization. If you have vulnerabilities in you, or fundamental to your organization or to the hardware or software that you're using, you are at risk here. Although there are targeted attacks, of course, in general, you're still at risk. Size really just doesn't matter. You can't say, "Well, I'm too small. I'm not at risk." That's not real. That's not a good argument here. And in reality, we are slow to detect and respond to threats, that it's a little difficult, you know, in reality, threats are hard to identify, because if you have a hacker that's compromised your system, it's actually pretty difficult to differentiate that from legitimate traffic that's going on, unless you have malware coming through. But if you just have unauthorized access, somebody is accessing the administrative console of your devices that shouldn't be, identifying that unauthorized access as opposed to authorized access is hard, especially when they have compromised or taken without authorization.
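A defender's view of the half-open connections just described, as an added Python example that is not part of the course: it reads a connection table in the layout that `ss -tan` prints, counts SYN-RECV entries per local socket, and flags sockets whose half-open count passes a threshold. The table below is a constructed sample, not captured data, and the threshold is an assumption to be tuned per host.

```python
"""Count half-open (SYN-RECV) TCP connections per local socket from a connection table.

Added example for this lesson, not course material. SAMPLE_TABLE is constructed
in the column layout of `ss -tan`; the threshold is a placeholder to tune.
"""
from collections import defaultdict

SAMPLE_TABLE = """\
State      Local-Address:Port   Peer-Address:Port
LISTEN     10.0.0.5:443         0.0.0.0:*
ESTAB      10.0.0.5:443         198.51.100.20:40112
ESTAB      10.0.0.5:22          198.51.100.21:50230
SYN-RECV   10.0.0.5:443         203.0.113.11:51001
SYN-RECV   10.0.0.5:443         203.0.113.12:51002
SYN-RECV   10.0.0.5:443         203.0.113.13:51003
SYN-RECV   10.0.0.5:443         203.0.113.14:51004
SYN-RECV   10.0.0.5:443         203.0.113.15:51005
SYN-RECV   10.0.0.5:443         203.0.113.16:51006
SYN-RECV   10.0.0.5:443         203.0.113.17:51007
SYN-RECV   10.0.0.5:443         203.0.113.18:51008
SYN-RECV   10.0.0.5:22          198.51.100.22:50231
"""

HALF_OPEN_STATES = {"SYN-RECV", "SYN_RECV"}          # ss spelling and netstat spelling
ESTABLISHED_STATES = {"ESTAB", "ESTABLISHED"}


def parse_table(text):
    """Yield (state, local, peer) tuples, skipping the header line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "State":
            continue
        rows.append((parts[0].upper(), parts[1], parts[2]))
    return rows


def half_open_report(text):
    """Per local socket: half-open count, established count, distinct half-open peers."""
    acc = defaultdict(lambda: {"half_open": 0, "established": 0, "peers": set()})
    for state, local, peer in parse_table(text):
        entry = acc[local]
        if state in HALF_OPEN_STATES:
            entry["half_open"] += 1
            entry["peers"].add(peer.rsplit(":", 1)[0])   # strip the peer port
        elif state in ESTABLISHED_STATES:
            entry["established"] += 1
    return {local: {"half_open": v["half_open"],
                    "established": v["established"],
                    "distinct_peers": len(v["peers"])}
            for local, v in acc.items()}


def flag_syn_flood(text, threshold=5):
    """Local sockets whose half-open backlog reaches the threshold, busiest first."""
    report = half_open_report(text)
    suspects = [(local, v["half_open"]) for local, v in report.items()
                if v["half_open"] >= threshold]
    suspects.sort(key=lambda item: item[1], reverse=True)
    return [local for local, _ in suspects]


if __name__ == "__main__":
    for local, stats in half_open_report(SAMPLE_TABLE).items():
        print(local, stats)
    print("suspect sockets:", flag_syn_flood(SAMPLE_TABLE))
```

Many half-open entries from many distinct peers against one listener, with few established connections, is the signature to look for; on Linux hosts the usual built-in mitigation once this appears is SYN cookies (`net.ipv4.tcp_syncookies`), which let the server answer SYNs without holding state for each one.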
The credentials for an authorized user, such that it looks like the authorized user is the one who has gained access to this device or software, but it is an unauthorized person that's taking advantage of that or using that. That is extremely difficult to be able to track down and identify. And the biggest threats are generally found in the headlines, that when you're reading about the large ransomware attacks and things of that sort, there are hundreds and thousands more going on that are not reported, either because they are confidential or they are kept secret by the FBI or government organizations, and they're not widely publicized. And so then we need to be aware and stay on top of security best practice in order to make sure that we are limiting our vulnerabilities as best we can, to reduce the potential risk of these threats, to try and mitigate the threats as best we can. So a vulnerability, I've stated this a few times here. The vulnerability is used to cause harm or provide unauthorized access, that typically a vulnerability describes a software or hardware bug which can be exploited. An exploit, we'll get to that in the next slide here, is the actual command or software that causes unanticipated or unintended behavior. And vulnerabilities don't just have to be software and hardware; they don't just have to be software, it doesn't have to be logical. It could be a physical vulnerability, that your locks are vulnerable to a certain type of lock pick, or vulnerabilities, policy-based vulnerabilities, within your organization that allow for social engineering to be able to take place easily, that in the event one individual person, your front desk coordinator, becomes compromised, some social engineer asks them for information that they should not be giving out, that in the event that person proceeds with that, your policies may allow for that person to then gain a lot of access within your organization.
Just because one person made a bit of a mistake, and one that might not even seem that terrible at the time, that might seem pretty trivial. So that's what a vulnerability is: it's anything in your organization that can be used to cause harm or provide unauthorized access. And then exploit. I had mentioned this a handful of times, that people use exploits to take advantage of vulnerabilities, that they exploit the vulnerability and they use this to gain access or cause harm in some way through unintended or unanticipated behavior. And the attackers, they pose a threat by leveraging vulnerabilities with exploits for malicious activity. That's a pretty dense sentence there that uses our vocabulary that we've just learned here and really puts it into context as to what each of these individual items means. And exploits are generally used to deliver malware to a device, that you use an exploit to deliver malware, the ability to run malicious code arbitrarily. That's like what a buffer overflow exploit is, where you are putting too much information into a buffer and it overflows, and then arbitrary code is allowed to run on your device, that you are allowed to run malware or to deliver malware to the device through that buffer overflow. And that's what an exploit actually is. It's the thing that allows unanticipated or unintended behavior to happen, and that's generally used to deliver malware to a device. Now, as far as mitigation, specifically, I wanted to take a look at the dictionary definition of mitigate, because I know a lot of people have used this word, and you might not really know exactly what the definition is. It really means to make less severe, serious, or painful, to lessen the gravity of. It's to make it less severe. That, I'm sure, makes sense here, that when we say we're mitigating threats, we are making these threats less severe or less serious, and it's not saying to eliminate.
But that's not what mitigate means. It means to lessen the severity of it, that the threats may still be there. They may still pose a threat, but you've done your best to mitigate them, to lessen the severity of them, to make them less painful for your organization. And some of the mitigation techniques are threat prevention, to prevent the threats from ever occurring, to have best practices and policies that protect your organization; and threat identification, to know what the threats are that are out there, through the use of security tools and management to identify the active threats that are out there, that the things you don't know are out there will cause some of the greatest problems, that you may not know whether you're secure against them or whether they have occurred or not; and threat remedy, the strategies and tools to reduce the impact of an active attack. So to remedy a threat, something that has already posed a problem, to have an active attack, and the strategies and tools you use to reduce the impact of that, that is also a mitigation, to make it less painful and to make the attack less serious or less severe through threat remedy, which is a mitigation technique. Thanks so much for going through this with me here. I know this is a pretty short one, but just like the others, let's run through a couple of practice questions before we end off. First up, which option best describes malware? Is it an exploit, a vulnerability, a threat, or a mitigation technique? Now malware is usually delivered by an exploit, and an exploit takes advantage of a vulnerability, that malware is something that causes problems. Mitigation techniques are ones that reduce the severity of problems. So the answer here would be C, it is a threat. And finally, mitigation techniques are used to lessen the impact or chance of being impacted by what? By malware, vulnerability, exploit, or threat?
And that, you know, like I just said, is that typically exploits use a vulnerability to deliver malware, and that malware is a threat. So the answer here would be A. Mitigation techniques are used to lessen the impact of, or chance of being impacted by, a threat. I hope that this has been informative for you. I'd like to thank you for viewing.

37. 5.2 Elements of a security program
Elements of a security program. In this video, you're gonna get a little break from the hard technical information, because this information that we're covering is really a high-level overview of an organizational security program, the elements of an organizational security program that you should be aware of, that you can implement in your organization to help enhance the security within your organization. That a lot of your risk comes from your end users, and making them more aware and training them in how to identify potential threats and how to avoid them, how to handle them, can be one of the cheapest actions that you can take, as far as security is concerned, within your organization, and also have the greatest reward. So this video is gonna be a little short. We're going to run through these elements here and take a look at what they actually mean and go from there. So, first up, an overview of a security program. So technical security measures, such as your firewall and your login credentials and, you know, having out-of-band management to your devices, these are really just a single part of your organization's security program. Down here we see, at the base of our security program, we have policies and procedures, and then above that we have user awareness training. These are really the foundation of your security program.
If you don't have proper policies and procedures within your organization, you can really be putting yourself at a high risk, or higher risk, and that lack of user awareness of the potential threats out there and effective policies, they put your business at risk, that your users need to be aware of the fact that they might get spam, or they might get phishing emails, that when they go to websites or their banking website, or if they get a withdrawal request from their boss and it seems a little out of the ordinary, then they should double-check on this and make sure that this is actually correct. Now, I have seen circumstances where this happens, where the CEO's or controller's email gets hacked, and the hacker has control of this and sends a withdrawal request, and then they wait for the response saying, "Are you sure you want to do this? It sounds a little out of the ordinary," and then they go ahead and reply, "Yes, I want to do this." Your users need to be aware that this is a potential problem. This is a potential threat out there, and that they should follow up with a phone call, or email to another person who has the ability to physically walk to that person and verify. Or you can use email encryption methods like S/MIME to go ahead and verify that this is actually the person, that the hacker would have needed to take control of that workstation to have access to that certificate to be able to send the encrypted email. And the three parts of our security program here are awareness, training, and access control, and we're gonna go through each of those momentarily here. And first up is user awareness. So awareness training provides really the greatest benefit at the least cost, that through just a few seminars with your end users, you can show them a lot of the potential risks and potential threats out there and what their risks are to the organization.
That something I wanted to show here is that this has been around for a while, but it used to be understood that when you don't have this little lock icon here, you're not in a good place and you need to go away. And that's not good advice anymore. That as you can see, we are not at PayPal's website here, and we are being prompted to log in to PayPal, and this is definitely a phishing website, and we are secured by HTTPS. All HTTPS does, or all the certificates generally do, is verify that you do indeed own the domain name and that the domain name presented matches what is on the certificate here, and that's all it cares about. There are some certificate providers out there that do much more investigation into the actual business and make sure the business is legitimate and real, and they will check the website, and that exists, but there are not many of them. That generally revolves around the insurance that they provide with their certificates. And security awareness is really about understanding the threats that exist and their risk, to understand that there are things such as phishing and social engineering, that when you receive a phone call and it's asking for some information, asking you to just do them a favor and maybe circumvent some policy or exploit some policy to provide more information than you would usually provide, or provide access that you may not generally provide, that this is something that exists, and your end users should be aware that they need to be very cautious about providing information or access to their network, to their computers, or potentially useful information that they have, which I know that's very broad and generic, potentially useful. But to help them have, looking at things with a cautious eye, and to always raise their hand and check that when something doesn't seem quite right, they should say something.
You know that classic, in the United States we have, with the Department of Homeland Security, they have coined this term of "see something, say something," and that's really what your end users should be doing. If they feel that they're seeing something that's a little out of the ordinary and a little weird, they should say something; that's something worth investigating, at least a bit. And user awareness is increased through training, so user awareness is a part of your organization's security policy and posture here, but it is increased by training your end users. And the types of threats, just to briefly go over this, that this can help mitigate are phishing threats, social engineering, and malware, that you can help prevent malware from coming onto your network by training end users a bit into not going to unknown websites terribly often, unless they know what they're looking at. That in the event they get the certificate warning on their page here, saying this certificate is not valid or that this website's domain doesn't match its certificate, don't continue to that website. And if they start getting pop-ups saying that your computer's infected, click here, don't click there. And if they run into problems, if their computer starts acting strange, turn it off, to make it so that you cannot continue spreading your virus around. That perhaps they suddenly got ransomware on their computer, and the computer's acting very slow and a little strange, they should go ahead and just turn it off, contact IT, let them come over, turn it on while it's disconnected from the network, and see what's going on. There might be nothing, and all you did was waste one employee's time for a little while, and IT ended up confirming that this was OK, rather than potentially there was ransomware and you could have brought down a significant portion of the company because they didn't do anything.
Now, as far as your training program goes, that training not only helps increase user awareness, but it helps enforce proper responses. So with your training, you're training your users into what the proper response is to some of these threats. That training can involve recognizing different types of phishing attempts: the standard phishing through a website or through an email; vishing, voice phishing, that when they're calling over the phone pretending to be some other person or some other organization asking for credentials, or getting you to provide access into their network; smishing, which I know is a really fun-sounding word, but that's phishing through SMS, through text message, of asking for credentials that way, of saying you just received an access code, please provide this, or something along those lines; or spear phishing. This is a common one out there. That spear phishing is when you're going after one particular person, very typically a high-level person in that organization, the CTO, the CFO, the CEO, your high-level executives at an organization, and trying to phish their credentials, that when you do that, you have a lot of power. You can get into their email and you can send emails out to the organization. You can probe a little bit and get more information. You can monitor their emails, their documents, and things of that sort, and see the types of words and phrases they use to go ahead and more effectively mount an attack. This is something to be aware of.
That many executives now are aware that they need to look at everything with a very cautious eye to make sure that they aren't being spear phished. And that you can identify social engineering attempts in person or through email or phone, the idea of providing somebody access when they really shouldn't have it, that somebody might walk in dressed as an engineer for a fire protection company, requesting access to the server room to check out the fire protection systems that are in the server room, and in reality they are a penetration tester, and they just have a USB drive with them that they plug into the server, and they have now deployed malware, which is a rootkit, and allows them backdoor access into that server. This is a very real thing. I've read several articles about that, where this is a real attempt from penetration testing companies and from actual hackers to go in person to an organization dressed as somebody of authority, as an engineer for their fire protection or as a firefighter or a policeman, and they don't actually have their credentials. You don't have anything on your calendar saying this is gonna happen, and because of that, you need to check it out. Your end users need to know, your front desk person, your security needs to know, that unless this is verified, that they should have access to this area and that you have corroborated their story from elsewhere, then they should not have access. To say, "I'm sorry, you're gonna miss your appointment. I do apologize, but we need to verify this before we allow you access." And the training really needs to be followed with reinforcement through engagement, that you can train your end users, but if you don't engage them, then you don't know how well your training really took hold for them.
And you have really little ability to track how your training program is going, that you can run internal security campaigns to test and track the training efficiency, or the training efficacy. I've seen many times, there's a large business now around sending false phishing campaigns, that you can go, and I know one of these companies is called KnowBe4, that you sign up with them and you go ahead and add in their IPs to your SPF records. If you're not aware of what that is, that's the sender protection framework, that is a DNS record that says that certain IP addresses, public IPs, are allowed to send emails which show to be having a source domain, or show to have a from domain, of your domain. So you're allowing this company to send emails on your domain's behalf, and they're sending phishing emails, and they're fake phishing emails. They're not actually stealing your credentials and using them for malicious purposes, but they're sending out these phishing emails with a bunch of tracking information and code in there so you can know, on an aggregate basis, how many of your end users actually did go and log into PayPal or did go and log into Facebook from this email that was not quite right. It was a phishing email. How well did your training actually take effect? So you have engaged them and you have tested them and you track them, and then that's how you end up getting your measurements to see how well that is actually taking effect here. Awesome. So then, finally, let's go ahead and wrap up with access control. So access control, the standard procedure is to operate in a principle of least privilege. You'll see that abbreviated sometimes as PoLP, that the principle of least privilege is that you should only have enough access to perform your specific job duties and no more.
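The SPF step mentioned above (adding a vendor's IPs to the record so their mail passes as your domain) as an added Python example, not part of the course: it evaluates the `ip4:`/`ip6:` mechanisms and the `all` qualifier of an SPF record for a given sending address, and shows what the record looks like after a new sender range is authorized. The domain, ranges and vendor prefix are constructed samples; `include:`, `a` and `mx` mechanisms need DNS lookups and are deliberately left unresolved so the checker runs offline.

```python
"""Offline SPF check for ip4/ip6 mechanisms and the final 'all' qualifier.

Added example for this lesson, not course material. The record and addresses are
constructed samples. Mechanisms that require DNS (include, a, mx, exists) are skipped.
"""
import ipaddress

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "exists", "ptr"}


def parse_spf(record):
    """Split 'v=spf1 ...' into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                       # RFC 7208: missing qualifier means pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def evaluate_spf(record, sender_ip):
    """Return pass/fail/softfail/neutral for sender_ip against the record's address mechanisms."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            return QUALIFIER_RESULT[qualifier]
        elif name in DNS_MECHANISMS:
            continue                          # would need a resolver; not evaluated here
    return "neutral"                          # no mechanism matched and no 'all' term


def authorize_sender(record, cidr):
    """Insert an ip4/ip6 mechanism for cidr in front of the 'all' term (no-op if present)."""
    net = ipaddress.ip_network(cidr, strict=False)
    mechanism = f"ip{net.version}:{net.with_prefixlen}"
    terms = record.split()
    if mechanism in terms:
        return record
    all_index = next((i for i, t in enumerate(terms)
                      if t.lstrip("+-~?").lower() == "all"), len(terms))
    terms.insert(all_index, mechanism)
    return " ".join(terms)


if __name__ == "__main__":
    # Constructed record for an example domain, then the vendor's (constructed) range added.
    record = "v=spf1 ip4:203.0.113.0/24 -all"
    print(evaluate_spf(record, "198.51.100.9"))            # fail: vendor not yet listed
    record = authorize_sender(record, "198.51.100.0/28")
    print(record, evaluate_spf(record, "198.51.100.9"))    # pass after authorization
```

The `-all` at the end is what makes the record useful: anything not listed hard-fails, so every range you add (including a phishing-simulation vendor's) is an explicit grant to send as your domain and should be removed when the engagement ends.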
If you only need access to the help desk area, then you should not be given access to the server room as well. Or if you only need access to the financial documents, you should only be given access to that share drive and not also to the marketing drive or to the technical drive with IT information in it. It prevents low-security-level accounts from accessing more sensitive information, that for any individual, in the event that their credentials are in some way compromised, you can be sure that the only information that could be compromised is what that individual would need access to at that level of staff member. Technologies like 802.1X can secure your internal network using device certificate authentication. The 802.1X that is pictured here, where your device is the supplicant, your switch is the authenticator, and it goes ahead and authenticates your access with the authentication server. This is actually really cool. If you're not familiar with it, I would suggest going and taking a look and perhaps labbing that up. That's not covered in the CCNA, but it allows you to connect through a hardwire into the network, and the only information, the only data that's allowed between you and the switch is authentication information. No data is actually allowed, no traffic is actually allowed, except for that authentication information, until you are authenticated and allowed onto the network. Then it will open up that port and allow general traffic throughput here. I wanted to show some access control devices, that here we have a palm scanner or a hand scanner, that this goes ahead and takes a look at the blood vessels in your palm and treats that as a uniquely identifiable pattern, and that's how it's identifying
a person. Remember that is authenticating, that is matching up your person to your identity, to your digital identity, and saying that yes, you are actually this person, and that you are then authorized to access the areas in which your position, your identity, is allowed. And here this is an example of a mantrap. A mantrap is like a vestibule area, a place where you're generally entering into a highly secured area. You go in, you authenticate yourself, it confirms authorization. In the event you are not authorized, you're trapped there, and in the event you are not authenticated, you're trapped there, and then they can go ahead and check that out and make sure that you're not allowed to just run through into a secure area, or potentially out of one either, in the event you're trying to gain unauthorized access. Awesome. Now I know that that's been a lot of just really non-technical information here, but just like the others, let's run through a couple of practice questions before we end off. So, first up, what are the three parts to an organizational security program? Is it awareness, training, and testing; training, testing, and tracking; awareness, training, and access control; or training, testing, and access control? Here we covered the three items of awareness, training, and access control. The answer is C. And finally, what is the purpose of user awareness training? Is it to have staff understand and comply with corporate security policy? That is a good point, but not necessarily. To ensure staff are aware of consequences for violating security policy? That should be something that is included in your policy training, however. To help staff understand threats that exist and their risk to the company? Or for compliance with government regulations? You may need a training program for compliance, but the overall purpose here is to help staff understand the threats that exist and their risk to the company.
The answer here is C. I hope that this has been informative for you, and I would like to thank you for viewing.

38. 5.3 AAA
Triple A. Now, if you reside in the United States, you might recognize Triple A as being the American Automotive Association, and, of course, that is not what we're talking about here. The Triple A in the context of cybersecurity, and security in general, stands for authentication, authorization, and accounting. It is the three A's around this concept of managing identities, what those identities are allowed access to, and then logging what they have accessed or attempted to access. So in this video, we're going to run through these concepts in a little more depth and take a look at what they actually mean and some examples, and then go through a lab with configuring privilege levels on a router and usernames with privilege levels, and how we perform access control using the local username and password database on the router in order to get some semblance of access control here. So first up, let's talk about authentication. So authentication is the process where you verify who you say you are, that it is matching up a person with their identity, where identity is a little bit more of an abstract concept here, of the identity that is stored in your server or in your database, to match up the person who is accessing the resource here with their identity that was created in the system. Typically, this is done with a username and password. As you can imagine, you go to any website, you go log in with your email address, your username, and then you type in your password and you try to log in, and that authenticates you. That if you provide the correct single factor here, the correct password, then that will allow you to log in, and it matches up that username, that identity, with you, the person who is logging in. Now passwords are highly susceptible to attack.
Of course, as we know, we hear about this all over the place: people get their passwords brute-forced, or they're being subject to phishing campaigns where maybe you are being directed to a lookalike page that looks a lot like Facebook, and you end up typing in your username and password, but in reality it's not actually Facebook, and you just gave your username and password to some third party. And there are other attacks that usernames and passwords are susceptible to. But there are certain policies that you can put into place to help reduce the risk of these attacks, or the risk of these threats: password complexity requirements, requiring, you know, upper case, lower case, numbers, special characters and a certain length; age and history requirements, saying that you must change your password every 30 days, that you cannot use the last five passwords that you have used; and secure password management, using secure password management software. You know, a lot of people go ahead and write down their password on a Post-it note. I have definitely personally seen before where somebody's written down their password and left it on a Post-it note attached to their monitor. And then all it takes is somebody walking by and a glance over at it, and there you go, your password is now compromised, and you don't know who now has access to your account and can really cause some trouble. And to go a little further into this, what's a lot more common now is, rather than just using one factor like a password to verify your identity and to prove you are who you say you are, we're going in the direction of multi-factor authentication: not only do you need to provide a password, you also need to provide something else as well.
And very common is your SMS text message: getting a text to your phone and typing in the code that was texted to you, saying that if you have the ability to receive that text message, if you have the SIM card for that phone number or you have that cell phone, and also your password, then you must be who you say you are. Or a biometric scan; these are getting a lot more common. You see that a lot with cell phones now, as they have fingerprint readers on them, and you go ahead and use biometrics to open up your phone. Or also in corporate environments, retinal scans are really common, or I've seen where they do hand scans. They're very similar to how a retinal scan works, where it scans and looks at the unique blood vessel patterns on your retina; similarly there are unique blood vessel patterns on the palm of your hand, and you put your hand down on the scanner, it can go ahead and take a picture of that and match that up. That is something that you have, or something that you are. Or a certificate stored on a fob or USB. This is a lot like the YubiKey brand, if you've seen those before, where you're essentially providing a very, very long password, a certificate, and then not only that, but the certificate may be signed by some specific CA that the provider gave to you, that gave you that certificate. Perhaps you could do this with Gmail or other email providers as well, and then you must provide this certificate. Generally, you store it on a USB thumb drive, and you plug that in, and it reads in that certificate to allow access. Or, what's also very common in high security environments as well, are time-based one-time passwords. You may have seen these before, where perhaps on your phone, or you have a little physical device, you have this little fob, right? This little thing, it's got a little button here, it's got a little screen on it, and when you press the button down, you end up getting a sequence of numbers show up on your screen.
Maybe it's like six numbers, eight numbers long, and that number is good for 30 seconds or something along those lines, and you have to put that into your application in order to log in. These physical ones are called hard tokens. You can typically do this as well with software, that you have software on your laptop or on your phone, which is much more common, where you open up your authenticator application and generate those numbers from your authenticator application, this time-based one-time password that you type in. It's only good for 30 seconds or a minute, and you have to put it in, and after that period of time it has now expired and you would need to generate a new one. This has been thought to be more secure than text message, as there are some carriers that easily allow your SIM to be transferred so that other people can be able to get access to your text messages and receive your phone calls; this has been a more common attack recently. With the time-based one-time passwords, this physical hard token or device, you need to physically have that; you cannot call up some carrier and have them transfer you to a new time-based one-time password device or a new hard token or soft token. Now, of course, your internal policies at your help desk for reassigning a token would need to be sufficiently secure, and that's where policy management within your organization really comes into play, that you need to be very, very sure that the person who's calling into your help desk saying that my fob doesn't work anymore and that they need a new one assigned to them, you need to be very sure that person is who they say they are, so that you're not just providing some attacker with a new soft token to go ahead and log in to your very secure applications. So that's authentication, right? You are proving that you are who you say you are. You are matching up your person with an identity.
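The time-based one-time password described above (a shared secret, a 30-second step, a six-digit code that expires) as an added Python example; it is not part of the course. It follows RFC 4226 (HOTP) and RFC 6238 (TOTP) with HMAC-SHA1 and uses the RFCs' published ASCII test secret; the replay check via `last_accepted_step` is an assumption about how a verifying server would be written, not something the lecture specifies.

```python
import hashlib
import hmac
import struct
import time

# Constructed example secret: the ASCII test key from RFC 4226 / RFC 6238.
# A real authenticator shares a random secret (usually Base32 in a QR code).
SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # how long one code stays valid
DIGITS = 6          # code length (authenticator apps also use 8)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: float,
                last_accepted_step: int = -1, window: int = 1,
                step: int = STEP_SECONDS, digits: int = DIGITS):
    """Server-side check. Returns the time step that matched, or None.

    window=1 tolerates one step of clock drift either way, which is why a code
    is still accepted briefly after its 30 seconds rather than dying at the
    exact boundary. Steps at or before last_accepted_step are refused so a code
    seen over the shoulder cannot be replayed inside the same window (assumed policy).
    """
    current = int(at_time) // step
    for drift in range(-window, window + 1):
        candidate_step = current + drift
        if candidate_step <= last_accepted_step:
            continue
        expected = hotp(secret, candidate_step, digits)
        if hmac.compare_digest(expected, candidate):   # constant-time compare
            return candidate_step
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(SECRET, now)
    print("current code:", code)
    matched = verify_totp(SECRET, code, now)
    print("accepted at step", matched)
    # presenting the same code again once its step is recorded is a replay
    print("replay accepted?",
          verify_totp(SECRET, code, now, last_accepted_step=matched) is not None)
```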
Now let's move on into authorization. Authorization is the verification that your identity is allowed to access certain resources. Authentication verifies you are who you say you are; authorization asks, are you allowed to do that? And often this is performed using permission levels or role-based access control. And on Cisco devices, TACACS+ allows for per-command authorization, so that when you set up TACACS+ authorization on your device, each time you type in a command, show, show interface, show ip ospf, or configure and configure various commands, each one of those commands, before your device actually processes it, it's sending an authorization request to the TACACS+ server asking, is this identity allowed to run this command? If you are not, then it will not allow you to do so, and it'll say that you don't have authorization for that. Authorization determines what the identity is allowed to do. That's the difference between authentication and authorization: when they say you are not authorized, well, you have apparently authenticated and they know your identity, and they know your identity is not allowed to do this; it is not authorized. But authenticating is proving that you are an identity. And then, lastly, moving on to accounting, the last A in our Triple A. Accounting is just the record keeping of resources accessed by an identity; it is the logging of things that your identity has done, and on a network device, it would be the commands run by an identity. Here we have a conversation with a TACACS+ server and client, to take a quick look at what that looks like. We have our authentication process happening here, where we try to connect, we send our username and password, and it indicates a pass or fail as to whether you are authenticated or not. And then we move into the authorization as to whether you're even allowed to get into the device or not. Great, you've authenticated.
I know who you are. Are you even allowed to connect to this? So we send that our service is shell, and it indicates pass/fail status as to whether we're allowed to get to the shell or not and get into exec mode, and indicates whether you are allowed to do that or not. And down here we have our accounting, that we have the accounting for commands: here's the command I sent, and it is doing accounting for that. And then we get a response saying that it was received, confirming that we have logged this command and that it has been accounted for, and that's the last A in our Triple A. So let's take a quick look here at access control and privilege levels on a Cisco device. I know this slide has a lot of text on it, but let's just run through it a little slow here. Usernames on Cisco IOS can be assigned privilege levels to adjust their level of access. You see that here: we created a username by the name of helpdesk and we assigned it the privilege level of five. Now, you may or may not know that there are 16 privilege levels on a Cisco device; it is zero through 15. Zero is essentially not used. The default privilege level is privilege one. So it is one through 15 that's actually used by default. Privilege level 15 is what enable mode by default sets you at, when you do enable and enter your enable password; you are now at privilege level 15. Before you type in enable and you're just at the exec prompt, you're at privilege level one. So specific commands can be allowed at certain privilege levels by default. Since you're going to privilege level 15, that is the top privilege level, all commands are allowed at privilege level 15. You are administrator; you have the maximum amount of access. You can set the username privilege level, as I said, with username, the name of the user, privilege, and then the privilege level you want to apply to it.
And mind you, the username must be created already, where you have username, the name, and then secret and the password, and give the password there. You can also specify the privilege level inside that command by doing username, privilege, number, and then also doing secret on the end here and setting the password there; you can do that all in one command. And with the privilege command in configuration mode, you can set the privilege level of specific commands. So if we want to allow level five, privilege level five, to access all show commands, we would use this command here: privilege exec level 5 show. We're saying in exec mode, just our regular exec prompt as here, that we want to set level five on all commands that begin with show. So it's going to do show and show anything. We can be more granular and specific in that by adding an additional command onto the end of show here in this privilege command. But we wanted to allow all show commands for level five. Then we might not want them to be able to make changes, but we want to allow them to take a look at everything. Say that's what we want our help desk to be able to do: to be able to do our initial discovery of a problem, that they received the call and they got complaints from users that certain things were happening, so they can do show commands and take a look at the router. But we don't want them to actually go making changes. You want to leave that for the senior network engineers, that the help desk can give them their analysis of what's going on, and the network engineer can hop in, verify and make the appropriate changes. So if we wanted to, say, allow them to configure the IP address on an interface, then we need to do a few things.
So first we need to allow level five, privilege level five, to get to the configure command, because, remember, enable mode is level 15; by default, level one and all levels lower than 15 do not have access to enable mode, so they don't have access to configuration because of that. So we need to go ahead and specify that they are allowed to. So we say that they're allowed to access configure terminal. Now, when you go ahead and do this and you type in the privilege exec level 5 configure terminal command, it will automatically go ahead and add the configure command as well. If you only type in this command and you do a show run, you're going to also see this command in there too, because you have to have the configure parent command allowed before you're allowed to run configure terminal. Similarly, we'll go ahead and say that in configuration mode, so this is in global configuration mode, we're allowing level five, privilege level five, to access the interface configuration mode, and then from interface configuration mode we need to say that privilege level five is allowed to access the ip address configuration command, and when we type that in, it will also allow the ip configuration command. Now, I know it sounds a little complicated, and it gets a little more intuitive as you do it. We're going to end up running through a lab here to set up a help desk account and set our enable password and set the commands here so that we are only allowed to do a shut / no shut on an interface, and then we're going to log in and we're going to verify that. Let's take a quick look at our lab here. So the steps here are six steps. We're going to create a level 15 admin account, and then we're going to create a level five help desk account. And mind you, level five was just arbitrarily chosen. You could be level two, it could be level 11.
It doesn't matter; I'm just saying level five because that's the number that I picked here, and you can have multiple different levels and assign various commands to various levels. So that, say, your routing team specifically has access to just OSPF, EIGRP, BGP, all of your routing protocol commands, but no interface commands or no lawful intercept commands or no capture commands and things of that sort; or that your help desk only has show commands and can do a shut / no shut on an interface, and that's what we want to allow here. So we're going to set our enable password; we're going to allow that help desk to run all show commands except show run. We'll take a look here and see that when we allow level five to run all show commands, just show commands, it excludes show run. I'll show you there that we are not able to do a show run, that that is a level 15 command unless you specify otherwise, that we can allow show run. That might be fun; we can try that on the end here if we still have some time, to go ahead and allow help desk to run this show run command as well. And then we will also set our help desk account to be allowed to shut / no shut any interface, that we want to allow them to be able to do basic troubleshooting of, you know, shut / no shut on an interface. And then we're going to log into the help desk account, and we're going to verify the effects that we created here. So let's go ahead and jump into our router here real quick. Now, this router is fresh; I have not made any changes here, so no interfaces have been set, the hostname has not even been set, we don't have any usernames and passwords, so we're going to need to go ahead and create that here. So first up, let's go ahead and go enable and config t. And we don't have any password here yet because it has not been set. To create our level 15 admin account: username admin privilege 15, and then we're going to set our secret, and I'm going to be fancy here and just do admin. Mind you,
you would not want to do that in production, of course, but we're just at a lab here, so we're going to make it easy to make sure I don't forget this while we're doing the lab. Awesome. So let's create our privilege five helpdesk account: username helpdesk privilege 5 secret, let's just use helpdesk. Awesome. And then we're going to set an enable password, so we'll go enable secret and set one here, or just do enable. Awesome. And then let's go ahead and do a quick show run. I want to show you what that secret command does: it obfuscates our passwords here, that you can see that that's a lot harder to go ahead and read. And remember, mind you, it's very easy to crack; it is just encrypted in such a way that there are password crackers online, there are websites you can go to and just type in this guy here, and it will show you the correct password, how that matches up to the plain text password. But this really just prevents the over-the-shoulder attack, where somebody can't just come by while you're looking at the show run and take a look at this and be like, OK, well, I'm just going to type this in later, and be able to steal your password in that way. This is far more complicated, and it would make it much more difficult for an over-the-shoulder attack. And same thing with our usernames here: we've got our username admin privilege 15 and our username helpdesk privilege 5 and our secrets. Here they are type 5 encrypted. There's also type 7 encryption that you can take a look at sometime; you see that in the Cisco ASAs and such. So now step four: let's go ahead and allow help desk to run all show commands except show run. So here we're going to go ahead and do privilege exec level 5, that's going to be all show commands, and then that's all; it's just privilege exec level 5 show. Now let's go ahead and take a quick look at that and just verify that right now.
Let's go end, and we'll go log out, and then let's go ahead and log in again as our helpdesk user. Great. And now let's go ahead and try and just go into configure terminal. Boom. We cannot. Now let's go ahead and just take a look at show. Well, we've got a whole lot of show commands here, a whole lot; it would even seem all of them. Let's do show ip interface brief. Great. Let's do show ip ospf. Cool. It's not giving us an error; we just don't have OSPF configured. Show snmp: SNMP agent not enabled. No worries; we didn't get an error because we're allowed to run that command. Let's do a show run now. Invalid input detected. We are not allowed to run the show run command because that is a level 15 command by default. But we do like show spanning-tree: no spanning tree instance exists. So on and so forth. Awesome. So let's go ahead and continue on to the next step here of allowing the help desk user to shut / no shut any interface, that we want to make sure this helpdesk user actually has some ability to take some troubleshooting action. So we're going to allow them to shut / no shut an interface, and then that's all. So let's go ahead and log in as our admin account, and now we can get back into our configure terminal. Now we'll go privilege exec; remember, we need to allow level five to get into the configure terminal command, so we'll do privilege exec level 5 configure terminal. Awesome. And now that we're allowing them to get into global configuration mode, we need to allow them to get into interface configuration mode. We'll go privilege... whoops, privilege configure level 5 interface. Awesome. And now that they can get into interface configuration mode, we need to allow them to run some commands here, right? Right now they can get into interface configuration mode but can't do anything. Let's just go ahead and prove that real quick. Let's go back and end. Let's log in as our helpdesk account: helpdesk, helpdesk. Great.
We'll go config t. Great. Now we're in global configuration. Now if I do a question mark here, man, I do not have a whole lot of configuration options here. I do see that I have the interface configuration mode here, so I'll go interface; let's just go into interface fast 0/0. Awesome! If I do a question mark here, man, that's pretty sparse. I don't have any access here at all; I can't do anything. So now that they can get into interface configuration mode for any interface, they can't actually do anything there. So let's go ahead and allow the shut command and the no shut command as well. And so when you allow one command, you do allow the no version of that command by default as well; you can negate any command that you allow. So we don't need to explicitly allow no shut. Let's go and log back in as our admin account. Let's go privilege interface, so for the interface configuration mode, level 5, and then here we're going to allow the shutdown command. Awesome. Let's go end, log in as our helpdesk account. Let's go into config t. Let's do a show ip interface brief... oops. You can see, man, well, they're saying this doesn't work, and it's probably because none of the interfaces are enabled here right now; they're all administratively down. So thinking that that's what we've got to do, let's jump into fast 0/1 and enable that interface. So I'll go config t and go interface fast 0/1. Awesome. And in here we've got the shutdown command, so let's go no shut. Awesome! So now if we do a do show ip interface brief... oops, it's not going to let us. We don't have the do command here. Let's go end and do a show ip interface brief. And we now see that our interface is now up. We don't have an IP address assigned; we don't have the ability to assign an IP address, but that is now up because we had the shutdown command allowed. Now, still, if we do a show run, we don't have access to the show run. Real quick,
let's go into our admin account. Let's allow the show running-config command for our helpdesk user, that we want to have them be able to confirm our config. They can't make many changes to it; they can only do a no shut or shutdown on an interface, but at least we want them to be able to see our running config. So we're going to do privilege, in global configuration mode: privilege exec level 5 show run. Awesome. Let's go end, log in as our helpdesk account and do a show run, and now we can take a look at our running config. But mind you, still, if we go into config t and take a look here, we don't really have a whole lot of access; you can't go router ospf 100, because we don't have access to the router command or the sub-commands of OSPF. So that's how you do access control and privilege levels in Cisco IOS and assign them to a username. You can see that you can get pretty granular with this, and it takes a little while to go ahead and get your access control set up. But as an organization, you may choose to go about access control in this manner and just have a standard set of privilege commands that you save in a document somewhere, so that whenever you're spinning up a new router or new switch, these are the access control commands, the base configuration, that you put into your device, so that you set your different departments and your different user accounts to have the correct access for your organization and how you manage that. Awesome. So, just like the others, let's run through a couple of practice questions here before we end off. First up: when a staff member tries to log into a corporate resource with a username and password, they are then sent an email with a confirmation code that must be entered. What type of authentication method is in place? Is it simple password authentication, authorization, multi-factor authentication, or TOTP, time-based one-time password?
Now this would be an example where putting in the password was a single factor, and then getting an email was a second factor for authentication. This is an example of multi-factor authentication. The answer is C. And finally, a help desk engineer connects to a router in your organization and runs a few show commands, then attempts to make a change but finds they are unable to and need a senior engineer to perform it. What does the engineer's identity not have that's needed to perform the task: permission, authentication, authorization or accounting? Now, remember, the help desk user obviously logged into the device because they are able to get in there, but they are unable to run the commands that are needed, so they are not authorized for running those commands. The answer here would be authorization; their identity does not have the authorization needed to perform the task. Now, I hope that this has been informative for you, and I would like to thank you for viewing.
39. 5.4 S2S and RA VPN:
Virtual private networks. Now the CCNA exam topics specifically say that we need to describe remote access and site-to-site VPNs, so we won't be going over their configuration in IOS, but we will be going over what they are and, generally, how they work. There's a little bit of detail we won't go through here, but this one is going to be one of the longer videos. There's going to be a lot of text here, so just stay with me, re-watch it a couple of times if you need to, and let's jump through it. So first up, let's just talk about a virtual private network. What is that, really? So a private network can generally be your LAN, your local area network, and usually you'll use your RFC 1918 address space in that LAN, your private IP address space, where the private network would be, and this is your corporate network. And a virtual private network is where you are not physically there.
Say you've got your HQ over here and you've got a person's house over here, and then you've got the Internet in the middle, and then you go ahead and have them connected through the Internet over to your HQ. Now, this method of connecting to the HQ, maybe they're using a software client to go ahead and actually get routes to route their traffic over there. That's just generic traffic; that could be anything, that could be using proprietary software, that could be accessing file shares or internal web resources, RDP into servers, what have you. Or they could be using a clientless solution. Or you could have it where their entire... maybe this is a small office here, actually, instead of a house, and you now have, you know, five or six employees here, and you now have a site-to-site or a LAN-to-LAN VPN. That's a virtual private network where you are creating a tunnel that is reasonably secure and considered to be private, and you're connecting these two LANs or these two locations through a virtual network. So first up, site-to-site VPNs; you'll see it abbreviated a lot as S2S VPNs. Let's just do a quick overview here. Sometimes also called LAN-to-LAN VPN, so you'll see them in devices, perhaps some older ASA software, as L2L VPN; that's how you see that abbreviated in the configuration sometimes. As the name implies, it connects two networks using a VPN endpoint. So a LAN-to-LAN is: you're using a router, you've got router one, router two, you're forming a tunnel between them, such that router connects to switch and router connects to switch, and you've got, you know, these workstations over here that are connecting over to the switch, and they are using the router here, where it's sending your traffic through that tunnel to this router to access, you know, some device over here, maybe a server, maybe another workstation, what have you. That is a LAN-to-LAN VPN.
So the VPN endpoints here, those are your routers and firewalls that are creating the tunnel between them. What they do is they create a security association, an SA, between each other. What is a security association? It's really just an agreement on the parameters for encapsulation and decapsulation of traffic. What does that mean? That means that when we go ahead and encapsulate traffic, we're actually adding additional header items onto the traffic, where we are either verifying the confidentiality of the traffic, maybe we're encrypting it to ensure confidentiality, or we are verifying integrity and authenticity of the traffic, that we are authenticating, stating that, yes, this traffic actually originates from router A here, to router B, and the response traffic, we can authenticate router B and verify that that traffic actually originated from router B, and that there's not just some black hat hacker here in the middle injecting traffic into the middle for router A to think that it's talking to router B. And so the VPNs can be built using two different logical methods here, and that's route-based and policy-based. So these are a little different. The way that route-based VPN works is that you create a generic security association between the two routers here, between the two endpoints. You create this tunnel that can have any traffic, that on the router over here, on router A, in that security association, the route-based security association, it's agreeing to encapsulate or decapsulate any traffic that is pointed out a virtual tunnel interface. That's how you'll see route-based referenced in Cisco a lot, as a VTI, a virtual tunnel interface, such that any traffic whose exit interface is the VTI will get encrypted or encapsulated and sent over to router B through that SA that the VTI is associated with, and vice versa. On router
B, any traffic whose ingress interface, the inbound interface, is the VTI will be decapsulated or decrypted. It doesn't care what source or destination IP addresses are in there; it's going to go ahead and decrypt that, because the inbound interface was the VTI. Whereas with policy-based, you are creating ACLs, access control lists, which we'll go over in another video, the next one actually, that identify interesting traffic. You'll see that phrase a lot, interesting traffic, where it is traffic which is interesting to this security association, the traffic which matches it, which could be a specific source or destination IP address or network; that traffic is then encrypted and sent across the line. And when router B receives that traffic, that traffic must also be in its interesting traffic. You actually have two security associations here: this sends outbound, but then this is receiving as well. That's a receiving security association, and there's also a sending security association. So in the traffic that router B receives, it needs to match those ACLs; it needs to be interesting for it to go ahead and decrypt that traffic or decapsulate that traffic, and vice versa. Any traffic going back, any traffic going from router B to router A, needs to match against ACLs in router B, and what that actually is, it's a crypto map that has ACLs that match in the crypto map, so that it gets encrypted and sent over to router A. And then likewise, router A: that traffic needs to be interesting to router A; it needs to be in that crypto map and match against it in order for router A to decrypt it and send it out to its destination. So let's talk a little bit about the protocols used inside
site-to-site VPNs. So site-to-site typically uses the IPsec suite of protocols. IPsec in and of itself is not a protocol, but it is a suite of protocols, and there are three protocols used here: the authentication header, AH, encapsulating security protocol, ESP, and the Internet key exchange, which is more of a process than anything else. We'll talk about that in a little more detail here and how that occurs very shortly. AH and ESP, these are not transport protocols, these don't ride on top of... I'm sorry, these are transport protocols; they don't ride on top of TCP or UDP, they are their own protocols. They are IP protocol numbers 50 and 51: 50 for ESP, 51 for AH. AH does not provide any encryption; it only provides authentication, and it can verify data integrity and authenticity, but it provides no data confidentiality. Our site-to-site VPN is intended to ensure CIA, you'll see that referenced in some places, confidentiality, integrity and authenticity, and ESP provides the encryption here and allows for that to happen. So then you actually get your confidentiality of your data there. Now, over here, take a quick look at the header information and the encryption scope and authentication scope for AH and ESP with IKE version 2. So there's actually two versions of IKE; there's IKEv1, that's just not going to work... there's IKEv1 and IKEv2. In version 2, there's no such thing as using AH with ESP; it's just using ESP for that. So ESP encrypts your full IP header and TCP header and your data, and it actually encapsulates it; it has a header and a tail on there. This is in tunnel mode, right, rather than transport mode. There's two different modes that we can use, but tunnel mode is a site-to-site VPN, whereas transport mode is IPsec for host-to-host VPN, although you could justify that as being a site-to-site with one host on each side.
In reality, that's not what Cisco is talking about here; we're talking about a site-to-site, tunnel mode VPN. I would get familiar with this graphic here, just to understand what's going on with the full packet. When you send a packet, say you've got this guy here at 10.1.1.1 and he's sending a packet over to this guy at 172.16.1.1, and we've got our routers in between with a security association built between them. When this guy sends a packet over to 172.16.1.1, remember that packet is going to have, in the IP header, the source IP address of 10.1.1.1 and the destination IP address of 172.16.1.1. That whole header is actually encrypted: those private IP addresses, the TCP header or UDP header or any other protocol that you're using, and the data inside of it all get encrypted, so you cannot see, or at least not easily without decrypting the packet, the information in that packet. We are adding a new IP header onto the outside here, and it uses the source IP address of this router as the packet travels across the Internet, right, or some other, maybe internal, network. You might want to use a VPN internally because you don't trust those marketing guys, and you really think they're trying to snoop in on your traffic when it has to traverse their network or their router. So the outer header is using the source IP address of this interface on this router and the destination IP address of this interface over here, and when that router receives it, it will go ahead and decrypt it and be able to check it.
Now, ESP does have an authentication scope, where you are authenticating this encrypted traffic along with the ESP header, and that authentication also provides confidentiality, I'm sorry, integrity, where you are doing a checksum: you're hashing and including that hash, so that when it's decrypted and hashed, the other side can confirm that the data is indeed the same and has not been tampered with at some point in the middle, between being transmitted and received. Now, continuing along with the protocols a little bit here, I said we're going to talk about IKE and the phases a little more. IKE is the Internet Key Exchange, and something that's heavily used by IKE is the Diffie-Hellman algorithm. You'll see that referenced quite a lot in the Diffie-Hellman groups. Diffie and Hellman were two different people, and they developed this algorithm, which is used for secure key exchange and generation. It does not provide any security or encryption itself; it's just used for key exchange, for creating a secret key to use during encryption and being able to transmit that, making sure that both sides have it when they're talking over an unsecure channel. Now, when you have a router here and a router here and they're connected over the Internet, this connection over the public Internet, where you're not encrypting any traffic, is called an unsecure channel. It's a public transport that anybody could be looking in on, and you don't know. It could be that all of your traffic is being routed through some router in somebody's home somewhere; you don't know, your traffic just gets to the other side, and they could be snooping in on everything. That's an unsecure channel, and you need a way of creating a secure channel on the fly without walking over there and handing them a secret key to use for the encryption. The way that's done is with Diffie-Hellman. And then you can see the simplification,
or the idea of how Diffie-Hellman works here. You start with some common key. You can exchange that key without any problem, and you create for yourself a secret key, or a secret color here, and you mix these two. Mixing these is kind of like mixing paint, right: as you're mixing the paint you're creating a new color, and it's very expensive to try and unmix it and find out what the secret is, the two colors that are contained within this mixed color. Think of it like mixing yellow and green: you end up getting blue here, apparently, and it's really hard to go ahead and actually get yellow and green back out of that. So you transport these to the other side, and they add their own secret color to it again, and that creates our common secret, which ends up being the same color, the same secret, on each side. It was very difficult to figure out what this common secret is, because you don't know what this secret color is, and yet you end up getting the same color on each side here. So that's a way of exchanging secret keys and creating them without having a secure channel, and then you can create a secure channel using those secret keys. That's what's done during phase one. So IPsec tunnels are built using IKE, the Internet Key Exchange, in two phases. In phase one, there is the unencrypted channel for the Diffie-Hellman exchange, and the keys that are exchanged are used for building the encrypted channel. Your common secret here, now the brown, is used for creating a secure channel, and this channel, the phase one security association, is called an ISAKMP security association. That's the Internet Security Association and Key Management Protocol.
That's a specific protocol used to go ahead and create the security association. Now that you have a secure channel, you can exchange secret keys again, create new ones, and create a new secure channel using that other secure channel. That makes it so that you can be relatively sure that this cannot be compromised: even if one side of this were compromised, since we're using Diffie-Hellman again within our security association, you can be reasonably sure that the phase two secure channel is now actually secure. That is called perfect forward secrecy, or PFS: Diffie-Hellman can be used in the phase one encrypted channel to create the phase two encrypted channel. This phase two is an IPsec SA, your IPsec security association; that's what the phase two security association is called. Now, to go over the algorithms a little bit. The encryption algorithms that are used in site-to-site VPNs are the Data Encryption Standard, or DES; the Triple Data Encryption Standard, which is really just DES run three times, which is why it's called Triple DES; and the Advanced Encryption Standard, AES. AES is the standard right now and is what is recommended to be used. The use of DES, standard DES, is discouraged in one of the RFCs, RFC 4835. If you absolutely have to, to make legacy devices work, all right, so be it, but you really should not. You should just upgrade that device and get something that can support a more advanced encryption standard like AES and go from there. Triple DES is just not recommended; Cisco doesn't recommend using it. It suffers from the same potential problems as DES, although because you're running the same thing three times, it makes it significantly more difficult. It's just not recommended that you use that. Now for your message authentication and integrity check,
we use HMAC, hash-based message authentication, and the algorithms that are used are HMAC-MD5, HMAC-SHA1, and HMAC-SHA256; there are many others as well that you can use. But the one to point out here is MD5. Although it's considered safe, it is legacy, and it is not recommended that you continue using it; you should use SHA at some high bit level, like SHA-256. The way the hash works is that a hash creates a message digest, and a hash is a one-way algorithm. This means that, given the hash value here, I cannot get my message back out of this hash value. This is not encryption, where it's two-way and you can decrypt this. No, it's creating a digest of it, where each message here will generally create a unique hash value. Now, of course, it does not always. Say you have the message, and just say it has "Bob" in it, and that creates a hash that looks like this. Well, this is where a rainbow attack comes in: you can go ahead and find that the message 1612b72, by chance, because of the way that your hashing algorithm works, ends up creating the same hash value. Now your message could contain this, or it could contain "Bob", and both will end up giving you the same hash value, so both of them will end up being equivalent and saying, yep, the integrity is just fine, even though obviously the actual contents are not the same. The way the hashing algorithms work, very small changes in your message will create very large changes in your hash, so that you can be reasonably sure that your message has not changed. It's all about being reasonably sure here, right? So that's the overview of site-to-site VPNs, or LAN-to-LAN VPNs. So let's talk a little bit about remote access VPNs; they're often abbreviated as RA VPN.
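The phase one Diffie-Hellman exchange and the HMAC integrity check described above, as an added example that is not part of the course: both routers derive the same key from values an eavesdropper can see, and a one-bit change in protected data is rejected. The group parameters, the SHA-256 key derivation, the "ISAKMP-SA" label and the function names are constructed for this demo and are not how an IOS device implements IKE.

```python
"""Added example (not from the course): IKE phase 1 in miniature.
Two routers run a Diffie-Hellman exchange over an unsecure channel, each
derives the same key, and that key then protects data with an HMAC tag,
the integrity check the lecture describes for ESP's authentication scope."""
import hashlib
import hmac
import secrets

# Constructed demo group. Real IPsec uses the MODP groups from RFC 3526
# (DH group 14 is 2048-bit); this prime is only here to illustrate.
P = (1 << 255) - 19
G = 2
TAG_LEN = 32  # HMAC-SHA256 output length


def new_private() -> int:
    """Each side's own 'secret colour': a random exponent that is never sent."""
    return secrets.randbelow(P - 2) + 1


def dh_public(private: int) -> int:
    """The 'mixed colour' that crosses the unsecure channel: g^private mod p."""
    return pow(G, private, P)


def dh_shared_secret(private: int, peer_public: int) -> int:
    """Mix our own secret into the peer's public value; both sides get the same result."""
    return pow(peer_public, private, P)


def derive_key(shared: int, label: bytes) -> bytes:
    """Turn the shared secret into a fixed-length symmetric key (SHA-256 as a demo KDF)."""
    return hashlib.sha256(shared.to_bytes(32, "big") + label).digest()


def protect(key: bytes, payload: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so the receiver can detect tampering in transit."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify(key: bytes, packet: bytes):
    """Recompute the tag; return the payload only if it matches, otherwise None."""
    if len(packet) < TAG_LEN:
        return None
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def run_exchange(a_private: int, b_private: int) -> dict:
    """Router A and Router B swap public values; each derives the ISAKMP-SA key."""
    a_pub, b_pub = dh_public(a_private), dh_public(b_private)
    a_key = derive_key(dh_shared_secret(a_private, b_pub), b"ISAKMP-SA")
    b_key = derive_key(dh_shared_secret(b_private, a_pub), b"ISAKMP-SA")
    # "on_the_wire" is everything an eavesdropper on the unsecure channel sees
    return {"on_the_wire": (a_pub, b_pub), "a_key": a_key, "b_key": b_key}


if __name__ == "__main__":
    sa = run_exchange(new_private(), new_private())
    print("same key on both sides:", sa["a_key"] == sa["b_key"])
    packet = protect(sa["a_key"], b"10.1.1.1 -> 172.16.1.1 inner packet")
    print("B accepts:", verify(sa["b_key"], packet))
    flipped = bytes([packet[0] ^ 0x01]) + packet[1:]  # one bit changed in transit
    print("B accepts tampered:", verify(sa["b_key"], flipped))
    # Perfect forward secrecy: a fresh exchange gives an unrelated key
    fresh = run_exchange(new_private(), new_private())
    print("fresh key differs:", fresh["a_key"] != sa["a_key"])
```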
They're also sometimes called point-to-site VPNs, because typically you are using an individual computer to connect into a network, and you can access many devices in that network from your single point. So it's point-to-site rather than site-to-site. It connects a single host to the corporate network or resources securely, and it can be deployed using one or both of two different models: it's either client-based or clientless. We'll talk a little bit about what each of those are, starting first with a clientless remote access VPN solution. The way a clientless VPN solution works is that it's done through a web interface. You're authenticating through a web portal, right, and from there we can access internal addresses or internal devices, or the Internet, through a web interface. You can also deploy web applications through JavaScript and things like that. I've seen where you can actually do remote desktop through a web interface here, or VNC, to be able to get to your Linux boxes or your Windows boxes, what have you. It uses HTTPS to access resources securely. The S in HTTPS, right, is actually SSL, and more recently it's TLS, Transport Layer Security, that's actually used, and it's the Hypertext Transfer Protocol that is the protocol being used to actually give you the data that you're looking to obtain from your remote network, from your corporate resources. You can browse the network or get to files and things of that sort, and do that through your clientless VPN here; it's all through a web interface. Now, that's fine, but it doesn't work for everything, and also it can be a little cumbersome, accessing all of your corporate resources through a web interface like this. That is not just like being at the office.
That's not opening up your Windows Explorer and going into your S drive and getting to your files that way, saving the documents that you need, or printing them to the printer by just clicking the print button. No, you've got to change your method of working a little bit here; this is just not quite the same. And that's where client-based VPNs come into place. They are typically, quote, "just like being at the office", and that's a quote from Cisco; that's how they describe client-based VPN. They utilize a software client installed on the user's machine to enhance the VPN experience, to actually add a virtual interface onto your computer, typically along with injecting routes into the route table on your computer, so that traffic destined for certain IPs ends up getting put through your virtual tunnel interface on your computer, encrypted, and sent over to your office, and the return traffic gets decrypted accordingly, of course. These can operate using either IPsec or SSL. SSL is actually a little bit of a newer feature for remote access VPNs; by a little bit, I mean it's a handful of years, but still, SSL remote access VPNs had not been around for the longest time, at least client-based SSL VPN. For a long time, SSL VPN really meant clientless VPN, and any client-based VPN was all IPsec. But now they've been able to create client-based SSL VPN, which uses the SSL tunnel, as in HTTPS, the SSL from that, to tunnel other traffic than just Hypertext Transfer Protocol, to tunnel all the other protocols like TCP and UDP across using SSL. IPsec, in this case, uses UDP port 500, and ESP over NAT traversal, because most of your workstations, your end users, are going to be at home using their client-based VPN, and they're going to be behind a NAT device, because they don't have a public IP address directly assigned to their workstation at home.
So it has to traverse a NAT device, and it uses UDP 4500. So if you ever have a firewall problem where they're not able to connect, you might want to double check that 500 and 4500 are allowed outbound through their firewall, and it's because remote users are typically behind NAT. Awesome. Now, I know that was a little intense and that there's a lot of information there. If you need to run back through it, of course, go ahead and do so. But just like the others, let's run through a couple of practice questions before we end. First up: what IP protocol is Encapsulating Security Protocol? Is it over TCP, IP protocol 50, over UDP, or IP protocol 51? Now, this was really just meant to drive home the point that ESP and AH are their own IP protocols; they don't operate over TCP or UDP by default. ESP is IP protocol number 50. And finally, what security associations are created during each phase? Phase one ISAKMP and phase two IPsec; phase one IPsec and phase two IKE; phase one ISAKMP and phase two IKE; or phase one IKE and phase two IPsec. The phase one security association is called an ISAKMP security association, the Internet Security Association and Key Management Protocol, and then the phase two security association here is an IPsec SA. This also comes from the fact that when you're in a router and you're checking your security associations to see if they're actually available, if they've actually been built, you would do show crypto isakmp sa and show crypto ipsec sa, and that will show you the information about your phase one and your phase two tunnels, respectively. Now, I hope that this has been informative for you, and I would like to thank you for viewing.

40. 5.5 ACLs: Access control lists. Most people abbreviate access control lists as ACLs, both when saying them verbally and also when writing them down or referencing them in documentation.
You'll see it as ACL, this ACL, that ACL, create an ACL, et cetera. ACLs are one of Cisco's most versatile feature sets; ACLs are used generally just to identify traffic. So we're going to run through what ACLs are used for, how to create standard and extended ACLs and what the differences between them are, and we're going to go through a lab of creating a couple of ACLs and testing, to show what the effect is and make that very visible for us. So first up, let's do a brief overview of what ACLs are and why they're used. Like I said, at the heart, ACLs are used to identify interesting traffic, so they can be used in any circumstance where we need to identify traffic. This could be in access groups, which is blocking and allowing traffic on an interface, inbound or outbound; crypto maps, identifying traffic for our VPNs and what should be encrypted and what should not; class maps, identifying traffic just for traffic classes, to be able to put them into policy maps, to be able to do policy-based routing, or perhaps token buckets for shaping or policing; route maps, to specify policy-based routing or to identify what traffic should be redistributed into a routing protocol; or packet captures, where we use ACLs to identify the traffic that should be captured in a packet capture, to do troubleshooting on our network and view what's going on. There are so many uses for ACLs; you will almost never see all of them, but you certainly can, and there might be a few more interesting topics where you end up finding, oh man, we end up using an ACL for this. So, access control lists: there are two different types, standard and extended. The standard range, as you can see here when you just do, at global configuration, access-list: there are two different standard ranges for numbered ACLs and two different extended ranges for numbered ACLs.
The standard range is 1 to 99, and then also 1300 to 1999 for numbered ACLs as the expanded range. Down here is the 1300 to 1999, and the regular range for standard ACLs is 1 to 99. Then similarly for extended, you've got 100 to 199, and then up here you've got your 2000 to 2699. Now, that's for doing access-list; that's a numbered ACL. You don't have to do numbered ACLs; you can use a named ACL instead. I prefer this personally, just because you can give your ACL a name, which helps you identify what it was used for. You do have the ability to put remarks in your ACLs, and I would highly recommend you do that, so you can understand what the ACL was used for, or what a particular entry is used for. But even if you don't do that, you can create a named ACL by using the ip access-list command. You can also create a numbered ACL in that same fashion, and I'll show you that during our lab briefly. But with this, you end up specifying whether you want to create an extended or standard ACL, and then from there you have the option to specify a name, or you can specify a number, and it will give you the ranges available for your numbered ACL if you so choose. So standard and extended ACLs use what's called a wildcard mask instead of a subnet mask. A wildcard mask is a bit inversion of a subnet mask. What I mean by that, if we take a look down here, is that we've got our subnet mask. Now, this guy is a /26, so we've got 255.255.255.192, and we see here that we've got 24 bits of ones and the rest being zeros. Now, if you do a bit inversion, flip every one to a zero and every zero to a one, then we end up with these six guys down here that are ones instead of zeros. Our wildcard mask is the inversion of our subnet mask: 0.0.0.63. This number here, this dotted decimal notation, is your wildcard mask. This is what you'll end up entering.
It's a good thing to remember: if you end up putting in a subnet mask instead, it's going to either tell you it's an invalid subnet mask, or, if you get unlucky here, you might get really improper results for the mask that you put in, and it's not going to behave the way that you think it will. So both statement numbers, I'm sorry, both ACLs, extended and standard, use statement numbers to order the permit and deny statements within the ACL. That's what an ACL is, right: it's a bunch of permit this, deny this, permit this source address to this destination address but deny this source address to this destination address over this protocol, which we'll talk about in a few moments here. Extended ACLs have the ability to identify the protocol, whereas standard does not. It uses statement numbers to order the access control entries, ACEs. You'll see that abbreviated a lot in some graphical interfaces, where you have the option to add an ACE to an ACL, and that's an access control entry. Down here, this is what happens when you create a two-entry ACL. First I popped into a numbered access list: access-list number 10, so I'm doing a standard access list, not an extended one, and I have a permit statement. I'm permitting 10.1.1.1, and I'm doing all zeros. What does this mean? That translates to a subnet mask of all ones, so this is a host address. It is not a network at all, or a range of addresses. Same thing with the second statement here. Once I pressed enter on that, I was brought back to global configuration mode, and then I just popped in another entry here onto access list number 10. I have a permit statement, and I'm doing 10.1.1.2, so I'm permitting 10.1.1.1 and 10.1.1.2. Now, you'll see in the next slide we'll go over standard access lists in a little more detail.
Standard ACLs only allow you to define a source address or range, or a source subnet, and they do not care about any destination. All it is matching on is the source address: no protocol, no destination. So then, after I added those two entries to access list number 10, because that's how I am numbering it here, it is access list number 10, if I do a show access-list 10, it is going to spit it out here for me, and I see that I've got 10 and 20 here. Now, what is that? Those are the statement numbers; these are the entry numbers. Automatically it will start at 10 and it will bump it up by 10 each time. We go from lowest to highest; that is how it is going to process this. So we would start at the first statement and process that, and work our way up to statement number 20. If there is a statement number 1, it'll just start at the lowest statement number and go up to the highest. That's how it orders the operation for your access list, and it adds this automatically, so that if we come back and say, oh man, we want to add a statement in the middle here, at 15, then we have the ability to do so. It's not just going to order these by one at a time; it's separating them by 10, so you have some flexibility to come back and edit this without having to remove your entire access list and add it all back in again, causing perhaps some downtime for your network, or some effects that you don't want to see in your network. Something really, really important, that trips everybody up when they are dealing with ACLs for the first time, is that all ACLs, both standard and extended, have an implicit deny at the end. This is not shown. So here, the standard access list 10 will permit 10.1.1.1 and 10.1.1.2, and up here there's an implicit deny that denies everything, so it will permit 10.1.1.1 and 10.1.1.2 as source addresses and deny everything else. You need to remember that it's there.
I usually like to put a deny any any, or a deny any statement, at the end, just so that I have a visual cue there: rather than an implicit deny, an explicit deny, so you can actually visually see that there's a deny statement there. And then, as we said, ACLs are evaluated from the lowest entry to the highest, and the first matching access control entry is used and evaluation stops. So let's say I have a packet coming in, right, and this ACL, ACL number 10, is applied to the interface where that packet is coming in, and let's say that packet has a source IP address of 10.1.1.1. When that packet comes in and this access list 10 is evaluated, it will start from the lowest entry number here, entry number 10, and work its way up. It will see that our packet matches entry number 10. Entry number 20 will not be evaluated at all; it will never go there. It hits the first matching entry and stops, and then whatever action is listed there, a permit or deny, is the action that is done to that packet. That's something important to remember: generally you want your most specific entries at the top and your least specific entries towards the bottom. I know that this is ordered backwards here, so your most specific entries go with the lowest statement numbers and your least specific entries with the highest statement numbers. So our standard ACLs, as we said, only match on the source IP address, and it's over any IP protocol. That is something to mention: it is over IP protocol. If you have some other protocol that is not IP, then our access list may not match that; we might need to use an extended ACL or another method of filtering that traffic. But it only matches on the source IP address, and because of that, skipping to this bottom note here, it should be configured as close to the destination as possible for best practice. Why?
Because if you are configuring this, let's say we've got our workstation here, right, and our workstation connects up to our router. Let me make that a lot cleaner: it connects up to our router, the router connects over to another router, let's say we've got a server here, and let's say this connects over to another router, and then this connects off into the Internet. And then this guy connects over to a router, and that connects to a server. Now let's say we want to block this workstation from accessing this server, and we want to use a standard ACL for it. Why you would do that, I'm not really sure, but Cisco might throw something like that at you. Where are you going to put this standard ACL in order to block this workstation from accessing this server? Well, you're going to put it down here, as close to the destination as possible. If we put that ACL here, then we are blocking this workstation from accessing everything, and if we end up putting it here, we're blocking this workstation from accessing this whole side, and so on and so forth. You see where I'm getting at here? If we were to put it here, it's going to block access to the Internet. If we put it here, then it will only block access to that server there. It's just because of the limitation of standard ACLs that you want to put it as close to the destination as possible, so that you're using the physical placement of your ACL as essentially your destination filter. So, like I said, they can be numbered or named, and the numbering has two different ranges. There are a total of 799 numbered ACLs available: 1 through 99 and 1300 through 1999. I would know the ranges for the standard and extended ACLs; Cisco really loves to ask that question as just a little multiple choice. Now, what is the extended range for standard ACLs? And that would be 1300 to 1999.
Maybe it will give you a few options of numbering ranges to choose from. When you have a standard ACL that is numbered or named, here we see we have a numbered ACL using number 10, and we have a named ACL with the name STANDARD-ACL. I actually put the statement number 5 on this guy here, and said that I want statement number 5 to be permit 10.1.1.1, and then statement number 10 to be permit 10.1.1.2. By default it will start at 10 and increment by 10 for each additional entry, but you have the ability to specify what statement number you want your entry to be. Great, so that's standard ACLs. Let's jump into extended ACLs here. As we said, this matches against both source and destination IP, and will do so over a specified protocol, right? So we have many protocols that we can choose from, and we have a lot more flexibility here because this can match over source and destination IPs. Because of that, let's skip down here: it should be configured as close to the source as possible for best practice. And why is that? Because we don't really want to waste our bandwidth. If we go back to this slide for just a moment here, and this little topology, if we've got an extended ACL, you could put your extended ACL over here, and it would give you the same effect of blocking access to the server, but you've now wasted all of this bandwidth sending your traffic across the whole line, across the whole circuit, in order for it to just get blocked at this guy, when you could have achieved the same effect by putting that ACL right here at this router and being able to block access specifically to this server's IP address from this workstation's IP address, over whichever protocol you so wish, over TCP or UDP and a specific port. You can apply that as close to the destination as possible and get the same effect.
And, just like standard ACLs, remember there is an implicit deny, right, and these can also be created as numbered or named ACLs. Here we have numbered extended access list number 100, which is permitting everything; there's just a permit ip any any. With the extended named ACL, we have EXT-ACL as our named ACL, and we've got a few more entries here. First we're permitting 10.1.1.1 to any address over IP, and then statement number 20 here is permitting 10.1.1.2 to any. We're specifically using the host keyword here, where you could do 10.1.1.1 with a wildcard mask of 0.0.0.0, but we can use the host keyword to not have to put the wildcard mask there; it specifies only this one IP address, and it just comes out a little nicer and is a little more readable. And then statement 30, we are denying 10.1.1.1 to any. Now, interestingly, statement number 10 will get hit first for any traffic sourcing from 10.1.1.1 to any destination over IP, and we are permitting that traffic, so statement 30 would never be hit here, because it's going from the top to the bottom. And then at the bottom here, statement 40, we're permitting ip any any. So really, this named extended ACL here has no effect; it's just permitting ip any any. ACL 100 and the named one both have the same effect, even though the named one has this many more entries in it. We're just permitting everything: it's permitting 10.1.1.1, permitting 10.1.1.2, this entry 30 doesn't matter because entry 10 overlaps it, and then 40 is permitting everything else. So it has the same effect as ACL 100 here. Awesome. So now that we see how extended and standard ACLs work, let's go through a lab and see how they're configured and how to apply them to interfaces, so that we can confirm and visually see what the effects are here.
So here is going to be our lab: we've got two routers down here, and we've got two loopback interfaces on each one. I have already configured the hostnames and the IP addresses on the interfaces and the loopbacks here, and that's all that we need; we'll configure everything else. Our steps in this lab are that we're going to set static routes on each router for the loopback subnets, right, so R2 needs to know that we get to these loopbacks by using 10.1.2.1 as the next hop, and same thing, R1 needs to know that we get to these loopbacks by using 10.1.2.2 as its next hop. Then we're going to configure each one for SSH, briefly. Remember how we do that: we need to set a domain name, we need to generate our keys, our RSA keys, for use with SSH, and once we do that, it enables SSH and allows us to connect. We would need to create a user and a password if we actually wanted to log in; I won't really care about that, we just care about actually getting that connection there. Then we're going to create a numbered standard ACL blocking traffic from 10.1.0.0/24 only and apply it ingress on R2. What does that mean? That means inbound on Fa0/0 of R2, so for traffic coming in, we're going to apply this ACL blocking traffic sourcing from 10.1.0.0/24. Then we're going to ping and verify, so we will ping with a source of 10.1.0.1 and try to ping 10.1.2.2, try to ping R2 from loopback 0, and see if we're able to. I'll do that first, once we get our static routes in place, to show that we are able to successfully ping, and then we'll get our ACL in place and make sure that we are not able to ping anymore. Let's do that first here, and then we'll address the second half of the lab.
So first up, let's head on over to R1. Let's get our static routes in place and then set it up for SSH, and then we'll head over to R2. So we go enable, conf t, and we're going to do ip route. For our destination, let's just do 10.2.0.0/16 with a next hop of 10.1.2.2, and there we go. Now let's set it up for SSH. We're going to do ip domain-name and just give it a lab domain name. Awesome. And let's generate our crypto keys. Awesome, that's been generated, and SSH is now enabled. So let's jump over to R2. Actually, I didn't show this here: I want to do a show ip interface brief, and we've got fast 0/0 as 10.1.2.1 and we've got our two loopbacks. And then same thing over here, let's do a show ip interface brief: we've got 10.1.2.2 and our loopbacks there as well. So let's do the same thing. We'll set our ip route 10.1.0.0/16 with a next hop of 10.1.2.1, then set our domain name and generate our crypto keys. Excellent, SSH has been enabled. Great. So now let's go over to R1, do a ping, and ping 10.1.2.2 with a source of our loopback 0, our 10.1.0.1. We can do a source interface or a source address; let's do a source of loopback 0. Now it had to ARP first, so the first one was dropped, and every other one was successful. Let's check one more time. There we go, our pings are successful. We do have routes on both sides, so R2 knows how to get back to the 10.1.0.0 network and we're able to ping here. And just to make sure, let's ping loopback 0 of R2, which is 10.2.0.1, and that is also successful. Awesome. So now let's jump back here.
We need to create a numbered standard ACL blocking traffic from 10.1.0.0/24 only and apply it ingress on R2. So for that, we go over to R2, conf t, and we're going to do access-list. We're going to create a standard list, number 10, and then deny 10.1.0.0 with the wildcard mask for a /24. Remember, this is a wildcard mask, so it is the inverse of our subnet mask. And that's all we have to do. Now we can apply that ingress on an interface, and we do that with the access-group command. So we go to interface fast 0/0... oops. Sorry about that, I ran into a little technical difficulty there. So we're at interface fast 0/0 and need to apply this access list there. We do that with the ip access-group command; we created access list 10, and we apply it inbound on that interface. Awesome. Now we need to ping and verify that only 10.1.0.0/24 is blocked. We go back over to R1, and we're going to ping 10.1.2.2 with a source of loopback 0, and that is not successful. Awesome. Let's try with a source of loopback 1, and that is also not successful. Well, that's not good. Let's take off our source and just ping 10.1.2.2, and that is not successful either. Okay, let's find out why. If we go back over here and do a show ip access-list 10, we've got deny 10.1.0.0 /24, and that's the only entry we have. What could be the issue we're running into? Well, we forgot about our implicit deny at the end. So let's add in an explicit allow: let's allow any, so that only the /24 we matched on is denied and anything else is allowed.
So let's go back to global configuration mode; we go access-list 10 permit any, and awesome. Now we don't need to reapply it; that should be good to go. If we go back over to R1 and we just try to ping now, that is successful. If we try to ping with a source of loopback 1, that is successful. If we try to ping with a source of loopback 0, that is not successful: it is blocking the 10.1.0.0/24 network from being able to ping. Actually, it is blocking it from doing anything. So if we try to ping loopback 0 of R2, 10.2.0.1, that is not successful. However, if we ping that with a source of loopback 1, that is successful. So on that interface, all traffic sourced from 10.1.0.0/24 is denied: the access list is evaluated on all traffic inbound on that interface, whether it's supposed to be routed somewhere else, to its loopbacks, or to that interface's IP address directly. The ACL on the interface is evaluated first. Awesome. So now let's take a look at the second half of our lab: we're going to create a named extended ACL blocking only ICMP traffic from 10.1.0.0/16 to 10.2.0.0/16, apply it egress on R1, and ping and verify. So we're only blocking ICMP traffic. All right, so this is on R1. We're going to create an extended ACL and block ICMP from 10.1.0.0/16 to 10.2.0.0/16. So over on R1, we go conf t and do ip access-list, just to show a different method of setting this up, and this is a named extended ACL. We need the ip access-list command, we make it extended, and then we create our named ACL. We're going to call it just EXT-ACL and hit enter.
Now we're in named extended ACL configuration mode, and we're going to do our first entry. This is going to be a deny statement. Here we have the different protocols to choose from: it doesn't necessarily have to be just IP, you can choose a different protocol here or a specific IP protocol number. If it doesn't match one of these, you can just use the IP protocol number of the traffic. As you might know, ESP is IP protocol 50, GRE is its own IP protocol as well, and ICMP is not TCP or UDP; it's a different IP protocol. So we're going to deny icmp from 10.1.0.0 with a wildcard of 0.0.255.255, remember that's the inverse of our subnet mask, and the destination will be 10.2.0.0 with the same wildcard mask. We could also specify the ICMP message type, but we're not going to do that; we're just going to say any ICMP traffic is denied. Then we need to allow everything else, so now we do a permit ip any any. Awesome. And we're going to apply that egress on the fast 0/0 interface. Let's exit out of our named extended ACL configuration mode, go to interface fast 0/0, ip access-group, and apply the EXT-ACL ACL outbound. Awesome. So now this should deny us from being able to ping anything on R2: if R1 tries to ping R2, it should not be able to. So let's try that. Let's try just pinging 10.1.2.2, and that is successful. Let's try it with a source of 10.1.0.1; that is not successful (that one is still being dropped by standard ACL 10 inbound on R2). How about a source of 10.1.1.1? That is successful. Now, why might this be? This is actually an interesting thing that applies to this kind of circumstance: the interface ACL does not apply to traffic sourced from the router itself.
Now, this is actually showing that I created this lab a little hastily, and we've run into what is actually a good point: outbound access lists do not apply to traffic sourced from the router itself. So we can get the same effect here by doing an inbound extended ACL on R2, or by just doing it inbound on R1 and reversing our ACL, perhaps adding another entry sourced from 10.2.0.0/16 to a destination of 10.1.0.0/16. Then we can do it inbound and show that this does work. It's a good point that traffic sourced from the router itself does not get filtered through interface-level ACLs, and that's something to remember; you could get tripped up by that in the future. Let's switch the direction and add another entry. We go conf t, and first let's do a do show ip access-list. What we want to do is either add another entry, or remove this entry and add a new one that reverses the source and destination. So let's go into ip access-list extended configuration mode, that's the EXT-ACL access list, do a no 10, and then add it back in: 10 deny icmp 10.2.0.0/16 to a destination of 10.1.0.0/16. Awesome. Then let's exit, go over to our interface fast 0/0, do a no ip access-group EXT-ACL out, and then an ip access-group EXT-ACL in instead. Awesome. So now we can go over to R2 and we should no longer be able to ping R1 with a source IP address of either of our loopbacks. So we go ping 10.1.2.1, oops, 10.1.2.1 with a source of our loopback 0. Oh, we've got to go to enable mode.
Here we go: ping 10.1.2.1 with a source of loopback 0, and that is not successful, and with a source of loopback 1, that is also not successful. So we see that with a source address of 10.2.0.1 and a source address of 10.2.1.1, that is not successful. Whoops. And now, if we just do ping 10.1.2.1, that has a source address of 10.1.2.2, so that is successful because it is not matching our access group. Then we can show that we can try to SSH with a source of loopback 0 or 1 and that that does work, even though we are unable to ping. We go conf t, then ip ssh source-interface loopback 0. And now let's go ssh 10.1.2.1, oops, we'll go -l with whatever, cisco; it's just going to tell us that it doesn't exist anyway, or that the username isn't there. But actually, we are able to connect here, and it is asking for our password. So we are unable to ping, but we are able to SSH, and we're SSH-ing with a source interface of loopback 0. Awesome. Now, just like the other sections, let's run through a couple of practice questions before we end off. So first up: you have applied the below ACL ingress on fast 0/0 of R2 and then suddenly lost connection to R2 via SSH from the server. Why did you lose connection? So this is the topology we are considering: you are on the server, you are SSH'd into R2, you have created this extended named ACL, you have applied it ingress (inbound) on fast 0/0, and you have lost access. You are trying to block 172.17.1.0/24, but what you actually blocked is 172.17.0.0/16 inbound on fast 0/0. So why is this? (A) Is it that the wildcard mask does not match the subnet to be blocked, since we've got a /24 here but you're doing a /16 there? (B) Is it that this is expected because the access control entry is denying access from the server subnet? Well, no, the ACE
is not denying access from the server subnet, because the server is in 172.16 here and we're doing 172.17 here, and since this is a /16, this octet is not considered when using the wildcard mask. (C) Or is it that the server's access is being denied by the implicit deny at the end of the ACL? That certainly seems very possible if we're looking at the entire ACL here, which we should assume we are; that definitely seems possible. (D) Or is it that the ACL should have been applied egress instead of ingress on fast 0/0? That doesn't really make sense. So the answer is actually C. Remember that deny any any at the end; it's an implicit deny. That's why I like to put that deny there sometimes, so that we can visually see that it is indeed there. So the answer here is C, that you have the implicit deny at the end. This access list is actually denying all traffic because it is not permitting anything, and you needed to add a permit ip any any at the end if you wanted to permit any other traffic. Awesome. So then, lastly: considering the below ACL, which answer best describes the effect when applied? Take a look at this ACL; we've got four entries: permit ip host 10.1.1.1 to destination any, permit ip host 10.1.1.2 to destination any, deny host 10.1.1.1 to destination any, and then permit ip any any. Is the effect (A) that all traffic from any source is permitted to any destination, or (B) that traffic sourced from 10.1.1.1 is denied and all other traffic is permitted, or (C) that traffic sourced from 10.1.1.1 and 10.1.1.2 is permitted but nothing else, because of our implicit deny at the end, or (D) that all traffic from any source to any destination is denied? Well, I'm sure you instantly see that D doesn't make sense, so D is not the answer. The answer here is A: entry number 30 will never be read, because entry number 10 overlaps with it and is a permit. So that is permitted,
this is permitted, and then everything is permitted. So none of our deny statements take any effect, and all traffic from any source to any destination is allowed. I hope that this has been informative for you, and I'd like to thank you for viewing.

41. 5.6 Layer 2 Security:

Layer 2 security. At Layer 2, we don't have a lot of the security options that we do at Layer 3. We don't have our firewalls or zone-based firewalls, doing ACLs and Layer 4 inspection and things like that. We're in a broadcast domain and we're looking for maximum speed: your switches are ASIC-based, they forward traffic at nearly wire speed, so as soon as a frame comes in it's going out the other interface where it's supposed to. So we do need some security measures at Layer 2 to prevent any unexpected or unwanted devices from coming onto our network and potentially causing problems. In this video, we're going to go over Dynamic ARP Inspection, DHCP snooping, and port security. We'll talk about what each one does, its purpose, and how it's configured. Then we'll go through a lab, configure each of them, and show what it looks like when it's actually working, and also what happens when you have a violation, when they're doing their job and preventing an unwanted device from coming onto the network. So just as a brief overview: Layer 2 security technologies are implemented at your access layer. This is where these technologies live, and fundamentally they prevent unwanted devices from accessing the network at Layer 2. We're going to be going over port security, DHCP snooping, and Dynamic ARP Inspection. So first up, let's talk about port security.
So port security limits the number of MAC addresses allowed on a port. Think about this: if I've got a switch here and I've got a server connected into the switch, and let's say this is a physical machine, we only have one machine there, no virtual machines. When it transmits traffic onto the line, the switch does what its primary job is: it learns which MAC address lives off of which port, so that it can properly forward the responses or any other traffic destined for that MAC address. Now, if you have port security enabled, by default it only allows one MAC address per interface. So when I send this traffic into the switch, it will learn that this MAC address, let's call it 1111.1111.1111 (I know that's not a real MAC address), is on that port, and for any additional MAC addresses that come in on that port, it will shut that port down. It'll say that something is wrong here, someone is putting additional traffic onto the line, and this is not OK. Now think about this: if you have this enabled and you have a hypervisor here instead of a single physical machine, you might have many virtual machines inside that single physical machine. Typically, the way virtual networking works with these hypervisors is that you will have a MAC address for each of the network adapters of the virtual machines. So all of that traffic being forwarded into the switch will have a bunch of different MAC addresses as the sources. All of these machines look like physical machines that live off of this interface of the switch, and it will say that all of these machines, all of these MAC addresses, live off of that interface.
So when you're configuring this, you'll need to take into consideration that you might actually have more than one MAC address living off of an interface, even though you only have a single physical device or machine. The default violation action for port security is that it shuts down the offending port, and actually it doesn't just shut it down: it places it into the error-disabled (err-disabled) state. This is a special kind of state for an interface. When you see that an interface is error-disabled, the only way to take it out of error-disabled, well, there are one of two ways, but the primary method is that you need to do a shut / no shut on the interface. You, the administrator, actually need to go and do a shutdown and then a no shutdown, and that will bring it out of the error-disabled state. However, if you haven't resolved the situation that caused it to go into error-disabled to begin with, then it will likely return to that state almost immediately anyway. With the shutdown violation action here, you see there are three different actions that we can choose from. The shutdown action causes the port to go to the error-disabled state, and it also logs a syslog message and sends an SNMP trap, if you have SNMP configured. There are also protect and restrict. Let's say you don't want to error-disable the interface and cause problems where you, the administrator, need to physically go and correct this; say you wanted to just drop the frame. Well, that's what protect and restrict will do. Protect will just drop the offending frames. So it'll learn what MAC address is on there from the first frame that comes in,
and if additional frames come in with different source MAC addresses, those frames are just dropped, whereas the frames from the originally learned source MAC address are allowed through, because that one matches up in the port security database. As we'll see, it lists the MAC addresses that it has secured and calls them secure MAC addresses, because they are allowed on the interface; any other, non-secure MAC addresses are not allowed on the interface unless more are allowed to be learned dynamically or you manually enter them as a static entry. Now, with protect, it drops the frame, but it doesn't log anything. It just drops it and isn't going to tell you anything is happening. This may not be the best situation for you, in which case you'll go with restrict. Restrict will drop the frame, but it also logs it in the syslog and sends an SNMP trap, very similar to shutdown; but instead of placing the port in the error-disabled state, it drops the frame instead. Now, we configure this with the switchport port-security interface command, and I show a little screenshot down here. We can set the maximum secure addresses; this is where you would adjust the maximum number of learned MAC addresses on that interface. You can also specify a static entry with the mac-address command, and we can also specify what the violation action is. This is done in your interface-level configuration: when you're enabling port security, you would specify your violation action if you don't want it to be the shutdown action. And then you can also set aging, such that after a certain period of inactivity, or a certain period of absolute time (from the time that it was learned, rather than inactivity of not receiving a frame from that address), it will clear that address as a secure address.
It'll say that another MAC address is now allowed to take its place and be learned dynamically, because it is clearing that dynamically learned MAC address from the database for that port. So continuing a little further: like I said, port security defaults to limiting one MAC address per port that it's enabled on, and you would use the switchport port-security maximum command to adjust that. MAC addresses learned on a port are cleared after the port goes down or the switch is rebooted. So there is such a thing as switchport port-security mac-address sticky, and you call it sticky MAC for short; if you Google this, that's usually how you'll see it referenced. That will cause the dynamically learned MAC addresses for port security to be entered in the running configuration. And specifically, it's in the running config: if you reboot, your running config is gone unless you saved it to your startup config. So if you do have sticky MAC enabled, you'll want to get all of the MAC addresses learned, turn on all the machines where it's supposed to learn the MAC addresses for port security, and then save your running config so that it is now persistent through switch reboots. Now, if you unplug an interface and plug it back in, or unplug a cable, then the port will go down and the learned MAC addresses on that interface are cleared. That means that if you learned a MAC address on the interface, you unplug that cable and plug something else in that has a new MAC address, then that will actually be allowed, because it cleared that MAC address from the table when the port went down. Of course, this does not apply if you use sticky MAC, because that goes into the running configuration; it's now essentially a static MAC entry for the port security database.
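Here is a Python model of the behaviour just described: one MAC learned dynamically, a second source MAC causing a violation under each of the three actions, and the difference between dynamic and sticky entries when the cable is unplugged. It is an added illustration for this lesson and not switch code; the MAC addresses are constructed, and the class and function names (PortSecurity, scenario, replug) are mine.

```python
"""Model of port security on one access port: the maximum secure-address count,
the three violation actions, and sticky versus dynamic secure addresses when the
link goes down. Added illustration for this lesson, not switch code."""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    maximum: int = 1                 # switchport port-security maximum (default 1)
    violation: str = "shutdown"      # switchport port-security violation {protect|restrict|shutdown}
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: list = field(default_factory=list)   # the port's secure address table
    config_macs: list = field(default_factory=list)   # static/sticky entries (in running-config)
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)           # syslog messages / SNMP traps

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame; True if forwarded, False if dropped."""
        if self.err_disabled:
            return False                               # port is down, nothing passes
        if src_mac in self.secure_macs:
            return True                                # already a secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)           # learned dynamically
            if self.sticky:
                self.config_macs.append(src_mac)       # sticky: written to running-config
            return True
        # Any further source MAC is a violation; what happens next depends on the action.
        if self.violation == "protect":
            return False                               # silently dropped: no log, no counter
        self.violation_count += 1
        self.log.append(f"PORT_SECURITY violation by {src_mac}")   # syslog + SNMP trap
        if self.violation == "shutdown":
            self.err_disabled = True                   # port goes err-disabled
        return False

    def link_down_up(self) -> None:
        """Cable unplugged and replugged: dynamic entries are cleared, configured ones stay."""
        self.secure_macs = list(self.config_macs)

    def shut_no_shut(self) -> None:
        """Administrator clears err-disabled; dynamic entries must be relearned."""
        self.err_disabled = False
        self.secure_macs = list(self.config_macs)


def scenario(violation: str, sticky: bool = False) -> dict:
    """One host (one MAC) is learned, then a second MAC appears, e.g. a VM on a
    hypervisor. Returns a summary in the spirit of 'show port-security interface'."""
    port = PortSecurity(violation=violation, sticky=sticky)
    first = port.receive("0000.1111.0001")           # constructed sample MACs
    second = port.receive("0000.1111.0002")
    again = port.receive("0000.1111.0001")           # original host after the violation
    return {"first": first, "second": second, "first_again": again,
            "err_disabled": port.err_disabled, "violations": port.violation_count,
            "logged": len(port.log)}


def replug(sticky: bool) -> bool:
    """After the original host is unplugged, is a new device with a new MAC allowed?"""
    port = PortSecurity(sticky=sticky)
    port.receive("0000.1111.0001")
    port.link_down_up()
    return port.receive("0000.2222.0001")


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, scenario(mode))
    print("new device after replug, dynamic:", replug(sticky=False))
    print("new device after replug, sticky:", replug(sticky=True))
```

Note the two things the summary dict makes visible: under shutdown the original host is cut off too, because the whole port is err-disabled until an administrator does shut / no shut, and under protect nothing is logged or counted, which is why restrict is usually the better choice when you don't want the port taken down.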
So bringing the interface down and back up won't do anything for that; it's only for dynamic entries without sticky. By default, aging is disabled: addresses do not age out after any period of time and will stay there indefinitely. And the port must be defined as an access or trunk port, or port security will not allow you to enable it. You'll end up getting this error down here, Command rejected, that it is a dynamic port: you must either specify it as an access port or a trunk port in order to enable port security. And then finally, to verify your port security configuration, use the show port-security or show port-security interface commands. When you do show port-security, you've got your interface here with port security enabled, and it shows what the maximum number of addresses allowed to be secured is, which here is the default of one; how many addresses are currently secured, and right now there is one, it has received one MAC address and secured it because it is allowed one MAC address; and how many violations this interface has encountered, and it has been zero. There have been no violations, so no additional MAC addresses have tried to appear on that interface since this one address was secured. Then looking at the show port-security interface command and specifying the interface, this gives you a little more detail. It will show you the last source MAC address and VLAN; here's the MAC address that appeared on the interface, and it was on VLAN 1. It will show you that port security is enabled, that the port status is secure-up, and that the violation mode is set to shutdown, which we saw here as the security action. The aging time of zero minutes means aging is not enabled, and the aging type defaults to absolute, but zero minutes means it is not aging at all, so that's fine. And secure static address
aging is disabled for aging out static addresses. Then there are the maximum MAC addresses, the total configured; statically entered MAC addresses; sticky MAC addresses, the ones that have been learned by sticky; and the security violation count as well. Awesome. I know that was a lot of information, so let's go ahead and go through DHCP snooping. We are going to cover port security in just a little bit when we go into the lab. So, DHCP snooping. It's one of the more fun technology names you're going to say; I really like that it has snooping in there. At its heart, DHCP snooping is meant to prevent rogue DHCP servers from leasing addresses. The worst thing that can happen on your network is having a rogue DHCP server. At best, it's just somebody who brought in a router from home because they wanted to have more interfaces at their desk. Maybe they brought in their laptop or their Xbox and they want to plug it in. So say you've got John here, who has his workstation, and he's got his one little network drop here that plugs over into his workstation. And John's happy; he's sitting at his desk, typing away and working on his workstation. But he's like, man, I really want to bring in my laptop. So he brings in his laptop, but you don't have wireless set up at your company yet. So what does he do? He brings in his little home Linksys router, takes that connection, plugs it into his home Linksys router, and then plugs in his computer and his laptop. He's happy, he's going along doing his thing. But little did he know, this home Linksys router is actually a DHCP server.
And now his home Linksys router is accidentally handing out addresses to his entire floor, and a lot of people around him now all have addresses that start with 192.168.1, which is what his home network is, and they are using his little Linksys router as their gateway. So all of the computers on that floor are funneling all their traffic through this one little home device sitting on John's desk, and it slows everything down. It can cause problems: your internal DNS might not resolve, because it's handing out itself, probably, as the DNS server, and it can just cause all kinds of havoc. We really don't want that, and that's the best-case scenario. The worst-case scenario is that this is some malicious person, a bad actor, who has put a DHCP server out there that might even be handing out addresses in your same subnet, handing out the same DNS servers and just giving itself as the default gateway, and this can really cause problems. He's taking all of your traffic and having it pass through his device, potentially looking in on all of your traffic and stealing sensitive or confidential information. So what DHCP snooping does is inspect DHCP messages, and specifically it allows or denies DHCP server responses. And while it inspects these DHCP messages, it allows the creation of a DHCP snooping database, which stores IP address and MAC address bindings for all computers that have received a DHCP
lease from a DHCP server that is on a trusted port. You need to specify which interface on your switch has a DHCP server on it, and you need to specify that interface as being a trusted interface: I trust DHCP server messages coming from this interface. The database is created and is referenced by other features, since we now have trusted information for IP address to MAC address bindings, and also what VLAN and what interface they live off of. When DHCP snooping is enabled on a VLAN, the server-side DHCP messages are only allowed ingress from the trusted ports. That's what makes it trusted information. By default, when you configure DHCP snooping, all interfaces are untrusted; you need to go in and specifically configure one as being trusted. But with that, consider this situation: you've got your switch, another switch, and a workstation. These are connected, and this guy over here, we've got a DHCP server. Awesome. And then let's say over here we've got a rogue DHCP server; let's just call it rogue, sitting over here. The DHCP server messages: our workstation sends out these broadcasts, DHCP discovers, saying hello, any DHCP servers, please respond to me. So it will end up getting to both our rogue DHCP server and our trusted DHCP server. Now the rogue DHCP server is going to respond with an offer, but since this interface right here is not a trusted interface and we have DHCP snooping enabled on the switch, that frame will be dropped. It won't do anything like disable the port; it'll just drop that frame. That frame is not allowed because it is a server-side DHCP frame and it is not on a trusted port. Now, when the trusted DHCP server receives this and sends back its frame, and you have this port configured as a trusted DHCP snooping port,
and you have DHCP snooping enabled on this switch here, awesome, that frame is now allowed in and it will be forwarded; it's going to get forwarded back out and go back over this way. Now, the thing is, on this switch here, this interface also needs to be a trusted interface, because the DHCP server frame, the offer response, is still coming ingress on this interface, and if you don't make that a trusted interface, then that frame will end up being dropped and your DHCP just won't work. So DHCP snooping is configured with the ip dhcp snooping vlan command, where you enable it per VLAN. Now, it must also be enabled globally. I've run into this problem a few times: I've wondered why DHCP snooping is not working, and I had enabled it on the VLAN, but I did not enable it globally. So we actually have two commands here: ip dhcp snooping vlan with the VLAN number, and then also just ip dhcp snooping. The interface trust is configured at the interface configuration level with the ip dhcp snooping trust command. The database that is created can be viewed with the show ip dhcp snooping database command, and over here we have the do show ip dhcp snooping, so we can see that as well as the database. And actually, forgive me, that's not database; this is binding (show ip dhcp snooping binding), and we'll go through that during the lab very shortly. So finally, something that relies heavily on DHCP snooping is Dynamic ARP Inspection, or DAI, as you'll see it abbreviated most often. It references the DHCP snooping database to verify ARP requests and responses and make sure that they're valid. Since you now know what IP address and MAC address live off of each port, then when you send an ARP, right, the Address Resolution Protocol,
it translates between MAC addresses and IP addresses, or matches up the two. When you send an ARP request out, sourced from your MAC address and IP address, saying who owns this IP address, tell this IP address, sourced from you as a MAC address, then the switch has the ability to check and make sure that that's actually correct. Now, this protects against ARP poisoning. Let's say I've got a switch here and we've got a router that goes out to the Internet, we've got a workstation here, and we've got some bad actor here (drawing a hat for black hat, whatever, that's not working, but we've got some bad actor here). So when we try to get out to the Internet from our workstation, we're going to ARP for our router's, our gateway's, MAC address, since we know its IP address and need to forward our traffic to it. We're going to have a gateway of, let's say, 10.1.1.1, and we ARP for it, saying who owns this: what MAC address owns this IP address? Now, a bad actor here could respond on its behalf and say, me, I actually own this. Or, even worse, the bad actor can send out what are called gratuitous ARPs: it can say, hey everybody, I own 10.1.1.1, and it will keep on sending that out. That's an ARP poisoning attack, where now all of your traffic is being forwarded over to this guy. In the best-case scenario, that's just somebody who accidentally configured a duplicate IP address on the network. In the worst case, this person is then forwarding the traffic over to the router, and he's getting all of that traffic forwarded through him while you are none the wiser, but he's able to take a look at, and potentially steal, sensitive or confidential information. That is something we definitely don't want to have happen.
So we want to verify that our ARP requests and responses are actually valid and that they are compared against a trusted set of information, which will be our DHCP snooping database that was created during our DHCP snooping process. So ip arp inspection is the command that you would use to configure dynamic ARP inspection, and it is a global configuration command and it is configured per VLAN, much like DHCP snooping. You do also need to configure interface trust, a lot like with DHCP snooping, so that for devices that have static IP addresses assigned you can do ip arp inspection trust, such that the check for whether it's a valid ARP or not will be completely bypassed on a trusted interface. So the interface here where the router connects, you can trust that interface and say, I have a statically configured IP address on that interface where I know and trust that device, and I will bypass my dynamic ARP inspection process. Awesome. So now let's go through the lab here, and I know we've got a lot of words here, but let's step through this one at a time and take a look at what we're going to do. So we're gonna first go ahead and configure port security. We've got two routers here, R1 and R2. We've got a switch in the middle and our DHCP server over here. So R1 is going to be a DHCP client. R2 is going to be a statically assigned IP address. Our network is the 10.1.2.0/24 network and we're gonna assign .5 to R2, and our DHCP server is gonna be .1. We're actually not gonna touch that guy. I've already configured the DHCP server over here; we're just going to be on the switch and on the routers here to go ahead and ping around and see what happens when we configure these Layer 2 security measures on the switch, and see what happens when we have violations and also what it looks like when it's working appropriately. So first up, we're going to do port security.
We'll go and configure port security on Fa1/0/2 of Switch1. So on this interface that R1 is connected to, we're gonna go ahead and configure port security. Now, I know these interface naming conventions are a little different than before. This is because I don't have the IP Base or LAN Base image for GNS3 that I need, so I pulled out my physical devices to go ahead and use my physical switch and routers available to go ahead and set up this lab here. So it's going to end up looking a little different on the console here as well than before, just because we're using different console software. And here, just as a quick note, R2 is not actually a router per se, it is a Layer 3 switch. That's why the naming convention for the interface is also in the same kind of switch naming convention here. But it will effectively work the same, because all we're doing is sourcing some packets from the MAC address there. Awesome. So let's first go ahead and configure port security and take a look at what's gonna happen. Great. So we're all on Switch1 here. Go enable and config t. Let's go to interface Fa1/0/2, and actually let's do a do show run interface Fa1/0/2. Right now we are just an access port. This was a trunk at one point, so the encapsulation is set to dot1Q, but it is just an access port right now in VLAN 1, and there's no additional configuration. So let's go ahead and configure port security. So if we go switchport port-security, and that's actually all we got to do, now port security is enabled. Now, if we do show port-security, then we see that we have interface Fa1/0/2 with port security enabled, it is allowed one maximum MAC address and there is currently one MAC address there. So if I do show port-security interface Fa1/0/2, then our last MAC address here was 000c.8508.d440 and it's on VLAN 1 on that.
We have port security enabled, it is Secure-up, and the violation mode is shutdown. Cool. So let's go over to R1 here. Right. And let's first do a show interface Fa0/0, because that's the interface that's connected to our switch, on the interface that we configured port security, and just take a quick look. We have the same MAC address here, the 000c.8508.d440, and we have this information right here that you may or may not have paid attention to before: it is the burned-in address, so the hardware MAC address that is on that interface. This is there because you can actually change the MAC address that is assigned to this interface and use a different MAC address, and do spoofing in that manner. So just to show right now, we can ping our default gateway. If I do a show ip interface brief, I already have DHCP enabled on Fa0/0 and we have the address of 10.1.2.100, and it is up, and I can ping 10.1.2.1, our DHCP server, and that is successful. Now what I want to do is I'll go config t and go to interface Fa0/0, and let's set our MAC address to something else. We're gonna use the four-digit dotted manner that Cisco usually uses. So do mac-address 1211.1111.1111, right, and that's our MAC address. Let's go ahead and actually just take a look at what happened on our switch already: we have right here a port security level 2 error message, PSECURE_VIOLATION, security violation occurred, caused by MAC address 1211.1111.1111 on interface Fa1/0/2. And then the psecure-violation error detected, and it is putting it into err-disabled state, so that right now if I go to show interface status, Fa1/0/2 is in err-disabled state. If I do show port-security, I now have my violation count incremented to one.
And the current address count actually went down to zero because that interface is disabled. Now, if I do a show port-security interface Fa1/0/2, port security is enabled and it is in Secure-shutdown status, and the last source address was this guy, the one that actually caused the violation, and the security violation count was incremented to one. Now, to show what would happen here, let's go config t and go to interface Fa1/0/2. Whoops. And let's do a shut, no shut. And actually, do I have PortFast enabled on this port? Uh, I might not. So it's probably gonna take us a few moments here for this to actually work. If I go and check real quick, do show port-security, actually now the current address count is one already. So if I do a do show port-security address, this lists the secure addresses, and we've got the configured MAC address here. And let's go ahead and just do a no mac-address to get rid of that configuration here on R1. And then, just like that, we have another port security violation, because it sends out a gratuitous ARP saying my MAC address is now this, that this IP address now resides at my new MAC address, the 000c.8508.d440. Awesome. So now that's port security, and you can see kind of how that works. We could allow more than one MAC address here, and in fact, let's go ahead and do that real quick. Let's do switchport port-security maximum, and let's up this to 2. And then we got to do a shut, oops, shut, no shut, and bring that back up. And now if we do a show port-security, our max secure address count is up to two. And if we take a look at this again, there we go, the current address count is up to one. And then now we can actually go ahead and put our MAC address configuration back here, right, and give it the new MAC address, because it's now going to go ahead and send out a gratuitous ARP. Do a show port-security.
Our current address count is now incremented to two. If I do a show port-security address, now both of these MAC addresses show to live off of this interface Fa1/0/2, and they are of type SecureDynamic, where they are learned, they're secured and they are dynamic, and they were learned dynamically. Awesome. So that's port security. Let's go ahead and disable port security. Let's do a no switchport port-security. Great. And then let's get rid of our MAC address configuration here, no mac-address. Awesome. And now let's go ahead and take another look at our lab here. So that was part one. So we went ahead and configured port security, and then we pinged the DHCP server, and then changed the interface MAC and pinged again, and we reviewed the results. So that's one and two down here. So now let's move on to 3, 4 and 5. First up, let's go ahead and configure DHCP snooping on Switch1, and we'll set only Fa1/0/1 as a trusted interface. Actually, let me go ahead and clear some of this off here. There we go. We're only going to set Fa1/0/1 as our trusted interface for DHCP snooping. And we're going to renew the DHCP address from R1, and then we'll go ahead and take a look at what the DHCP snooping binding looks like on Switch1, and go from there as well. So let's go ahead and move on over to our console here again. We're over on Switch1. We're gonna go to Fa1/0/1 and do an ip dhcp snooping trust. Now we haven't configured DHCP snooping yet, but we went ahead and just set our interface as trusted. And then let's go ahead and go exit, do ip dhcp snooping, which enables that globally, and then do ip dhcp snooping vlan 1 and enable it on the VLAN. Great. So that's enabled. Now if I do end, and if I go ahead and do show ip dhcp snooping, then we have here that there is a trusted interface and that it does not have any rate limit.
It's just showing us the configuration information, and that it is enabled on VLAN 1, and if we do show ip dhcp snooping binding, there are no bindings here. So let's go ahead, and on this interface, let's remove the IP address and have it renew this. So we're gonna go no ip address, and then let's do a do show ip interface brief, and we now have unassigned on Fa0/0, and let's do ip address dhcp. So that might take it a few moments here to go ahead and send out that discover. And there it goes, it was assigned the IP address 10.1.2.100 with a 24-bit mask. If we go and check our switch here, now, if we do a show ip dhcp snooping binding, we now have a binding. We have our MAC address that is matched up to 10.1.2.100, and it took note of the lease time as well, and how it was learned, what VLAN it is, and what interface that device lives off of as well. So that's how our DHCP snooping works. Let's go ahead and do this as well, actually: remove the interface trust. Let's go to config t, interface Fa1/0/1, and do no ip dhcp snooping trust. Awesome! And then let's go ahead and go here and do again no ip address and release that address here, and then do ip address dhcp. We're gonna let's just let that sit for a little while, right? We went ahead and did this. It took it a little bit for that DHCP address to be assigned, so we went ahead and set that for DHCP. If it does obtain an address, it should show us shortly here. Going back a little bit, it still hasn't gotten an address, and the violation here for DHCP snooping is actually not logged. There's no trap sent, and it's just that the frames are dropped, that the response frames here from the DHCP server are just being dropped. So we will never receive an IP address, and we need to go ahead and put our trust back on that interface.
And then now that that's trusted again, let's do a no ip address and do ip address dhcp, and then momentarily we should end up getting an IP address by DHCP. And there it is right there. Excellent. So let's take a look at our lab steps here one more time. We now have DHCP snooping configured and it is working. We confirmed it is with the trusted interface. So now let's go ahead and configure dynamic ARP inspection. We will set only Fa1/0/1 as a trusted interface, because this 10.1.2.1 address that is statically assigned to our DHCP server, I need to set this interface as a trusted interface for dynamic ARP inspection as well. And then we'll go ahead and ping that from R1. And then I'm also going to go over to R2 and try to ping the DHCP server as well, and see what happens there. So let's go ahead and configure dynamic ARP inspection and set our trusted interface. It is going to be ip arp inspection vlan 1, and then let's go over to our interface Fa1/0/1 and do ip arp inspection trust. Awesome. So now that's there. Let's go over to R1, let's ping our DHCP server, and that is successful. We lost one because we had to ARP, but that's no problem; that is successful here. Now let's go on over to R2 here. Let's go enable, do a show ip interface brief. Like I said, this is actually a switch, so that's why we have so many interfaces. But our VLAN 1 interface is 10.1.2.5. If I go ping 10.1.2.1 and enter, that is not working. And if you noticed up here, the icon changed for our switch, showing that there is some message showing there. If we go back here, we've got all of these errors happening, these log messages showing up of invalid ARPs, and invalid ARP requests specifically; this would say Res for a response if that was needed, and it is on Fa1/0/4, where R2 lives, right?
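To make the forwarding decisions from this lab concrete, here is an added Python model of the three features the lab turns on (port security, DHCP snooping, dynamic ARP inspection). It is written for this edit and is not course material or Cisco's implementation; the interface names, R1's MAC address and the addresses come from the lab, while R2's MAC address and the log strings are constructed stand-ins.

```python
# Added example (not from the lecture or from Cisco IOS): a small model of the three
# switch features in the lab, so the drop/forward decisions can be traced in code.
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    vlan: int = 1
    port_security: bool = False
    max_macs: int = 1                    # switchport port-security maximum
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    dhcp_trusted: bool = False           # ip dhcp snooping trust
    arp_trusted: bool = False            # ip arp inspection trust


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.dhcp_snooping = False       # ip dhcp snooping (global)
        self.snoop_vlans = set()         # ip dhcp snooping vlan N
        self.dai_vlans = set()           # ip arp inspection vlan N
        self.client_ports = {}           # client MAC -> (vlan, port), learned from DISCOVER/REQUEST
        self.bindings = {}               # (vlan, ip) -> (mac, port): the snooping binding table
        self.log = []

    # Port security: learn source MACs up to the maximum; one more MAC is a
    # violation and, in the default shutdown mode, err-disables the port.
    def ingress_frame(self, port_name, src_mac):
        p = self.ports[port_name]
        if p.err_disabled:
            return "dropped (err-disabled)"
        if p.port_security and src_mac not in p.secure_macs:
            if len(p.secure_macs) >= p.max_macs:
                p.err_disabled = True
                p.secure_macs.clear()    # current address count falls back to 0
                self.log.append(f"PSECURE_VIOLATION {src_mac} on {port_name}")
                return "dropped (violation)"
            p.secure_macs.add(src_mac)
        return "forwarded"

    def shut_no_shut(self, port_name):
        self.ports[port_name].err_disabled = False
        self.ports[port_name].secure_macs.clear()

    # DHCP snooping: server messages (OFFER/ACK) are accepted only on trusted ports;
    # an accepted ACK creates a binding for the client. Drops are silent, no log.
    def dhcp_message(self, port_name, kind, client_mac, yiaddr=None):
        p = self.ports[port_name]
        if not (self.dhcp_snooping and p.vlan in self.snoop_vlans):
            return "forwarded"
        if kind in ("OFFER", "ACK"):
            if not p.dhcp_trusted:
                return "dropped (server message on untrusted port)"
            if kind == "ACK":
                vlan, client_port = self.client_ports[client_mac]
                self.bindings[(vlan, yiaddr)] = (client_mac, client_port)
        else:                            # DISCOVER / REQUEST from a client
            self.client_ports[client_mac] = (p.vlan, port_name)
        return "forwarded"

    # DAI: trusted ports bypass the check; on untrusted ports the sender MAC/IP must
    # match a snooping binding for that VLAN and port, or the ARP is dropped and logged.
    def arp_packet(self, port_name, sender_mac, sender_ip):
        p = self.ports[port_name]
        if p.vlan not in self.dai_vlans or p.arp_trusted:
            return "forwarded"
        if self.bindings.get((p.vlan, sender_ip)) == (sender_mac, port_name):
            return "forwarded"
        self.log.append(f"SW_DAI-4-DHCP_SNOOPING_DENY {sender_mac}/{sender_ip} on {port_name}")
        return "dropped (no matching binding)"


def run_lab():
    """Steps 1-5 of the lab against the model; returns the observable results."""
    sw = Switch([Port("Fa1/0/1"), Port("Fa1/0/2"), Port("Fa1/0/4")])
    r1 = "000c.8508.d440"                # R1's burned-in MAC, from the lab
    r2 = "aaaa.bbbb.0005"                # constructed: R2, statically 10.1.2.5
    out = {}
    # Steps 1-2: port security on R1's port, then R1 changes its MAC address
    sw.ports["Fa1/0/2"].port_security = True
    out["ps_first_mac"] = sw.ingress_frame("Fa1/0/2", r1)
    out["ps_spoofed_mac"] = sw.ingress_frame("Fa1/0/2", "1211.1111.1111")
    out["ps_err_disabled"] = sw.ports["Fa1/0/2"].err_disabled
    sw.shut_no_shut("Fa1/0/2")
    sw.ports["Fa1/0/2"].port_security = False
    # Steps 3-4: DHCP snooping with only Fa1/0/1 (towards the server) trusted
    sw.dhcp_snooping, sw.snoop_vlans = True, {1}
    sw.ports["Fa1/0/1"].dhcp_trusted = True
    sw.dhcp_message("Fa1/0/2", "DISCOVER", r1)
    out["offer_trusted"] = sw.dhcp_message("Fa1/0/1", "OFFER", r1, "10.1.2.100")
    sw.dhcp_message("Fa1/0/1", "ACK", r1, "10.1.2.100")
    out["binding"] = sw.bindings[(1, "10.1.2.100")]
    sw.ports["Fa1/0/1"].dhcp_trusted = False   # remove the trust, as the lab does
    out["offer_untrusted"] = sw.dhcp_message("Fa1/0/1", "OFFER", r1, "10.1.2.100")
    sw.ports["Fa1/0/1"].dhcp_trusted = True
    # Step 5: DAI with Fa1/0/1 trusted; R2 is static, so its ARP has no binding
    sw.dai_vlans = {1}
    sw.ports["Fa1/0/1"].arp_trusted = True
    out["arp_r1"] = sw.arp_packet("Fa1/0/2", r1, "10.1.2.100")
    out["arp_r2_untrusted"] = sw.arp_packet("Fa1/0/4", r2, "10.1.2.5")
    sw.ports["Fa1/0/4"].arp_trusted = True     # ip arp inspection trust on R2's port
    out["arp_r2_trusted"] = sw.arp_packet("Fa1/0/4", r2, "10.1.2.5")
    out["log"] = sw.log
    return out
```

Running `run_lab()` reproduces the lab's observations: the spoofed MAC err-disables Fa1/0/2, the DHCP offer is forwarded only while Fa1/0/1 is trusted and the drop leaves no log, and R2's ARP is denied until its port is trusted. Because DAI consults only the binding table, the model also shows the caveat mentioned later: with no bindings, every ARP on an untrusted port is denied.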
And it's showing us the MAC address and IP address that the ARP is claiming, and that it is not in the DHCP snooping database, so it is not allowing that ARP and is just dropping it. And this type of log message is SW_DAI, dynamic ARP inspection, a level 4 log message, and it is DHCP_SNOOPING_DENY. Now, interestingly enough, something to note is that if you have dynamic ARP inspection enabled without DHCP snooping enabled, which it does allow you to do, dynamic ARP inspection will deny everything, because there are no entries in the DHCP snooping database, so it claims that all ARPs are invalid. So now that we've done that, let's go ahead and trust Fa1/0/4, and then let's ping around and check the differences there. But actually, we could do a show ip arp... that was a mistake. If we do a show ip arp inspection, this shows us information about our configuration. DHCP drops have been 29. There have been 10 forwarded and 29 dropped as a whole. And then we can also do show ip arp inspection interfaces, and it shows us our rate limiting, our burst interval and what the trust state is for our interfaces. So let's go back to config t, and go interface Fa1/0/4. We're gonna do ip arp inspection trust. Awesome! And now that that's placed there, let's go back over to R2. If we try and ping out, it is successful. It took a little long for the first one, but from there it is successful. Awesome. So now that should show you how DHCP snooping and dynamic ARP inspection work, and also how port security works and how that's configured, and how you'll be able to check and confirm that as well. Awesome, thanks so much for going through this with me.

Just like the others, let's run through a couple of practice questions before we end off. First: if port security is enabled on a port and more than one MAC address appears as the source for frames coming into the interface, what will happen to the interface by default?
So the key here is that we're talking by default, and this is kind of a long-winded way of saying, what if you have more than one MAC and you have a port security violation? What is the default action? Will it be shut down? Well, that is the action. Is it that nothing, the offending frame will be dropped? That's not correct. It will enter err-disabled mode, or it will enter psecure-violate mode. Now, the answer here is C, it will enter err-disabled mode, where you as the admin generally need to go in and clear that by doing a shut, no shut on the interface. And then finally, what will happen when a frame is received on an untrusted interface with dynamic ARP inspection which does not match an entry in the DHCP snooping database? Is the frame dropped? Is the interface shut down? Does the interface enter err-disabled mode, or will nothing happen? By default, as we just saw, the frame is dropped, and it does not go through, so our ARP will never be propagated onto the network. Now, I hope that this has been informative for you, and I'd like to thank you for viewing.

42. 5.7 Wireless Security

Wireless security. In this video, we're going to go over a brief overview of the history of security protocols used in wireless, specifically in Wi-Fi. And then we'll also take a look at WPA, Wi-Fi Protected Access, and WPA2 and the newly released WPA3. And then we'll also go through a brief lab, going through on a Cisco wireless controller how to set up a new SSID and how to configure it for our best wireless security at the moment for WPA. So first up, let's do an overview of some wireless security. So WPA, Wireless Protected Access, was developed as an immediate replacement to WEP when it was found to be insecure. WEP stands for Wired Equivalent Privacy. WEP was found, and even known at the time, to be pretty insecure.
It is vulnerable to many different types of attacks, and particularly, it is vulnerable to offline attacks, decryption attacks. WPA certification implements most of 802.11i; that is, the specification that WPA certification states your implementation has been certified to include all of the mandatory, or most of the mandatory, elements of 802.11i. And particularly for WPA, when that was released, it introduced TKIP, Temporal Key Integrity Protocol, for per-packet keys. And this really combated a lot of the main security concerns for WEP, and changes what key is used to encrypt a packet on a per-packet basis. So Wi-Fi certified devices, and Wi-Fi, mind you, is an alliance, there's the Wi-Fi Alliance, and they certify devices to be compliant with different standardizations, specifically here 802.11i is for WPA and WPA2. WPA2 specifically implements all mandatory elements of 802.11i, and WPA2 particularly mandates support for CCMP. And we're gonna talk about that in the next slide here as to what that is. And it's an AES-based encryption protocol. You may remember AES when we talked about VPNs; AES is the Advanced Encryption Standard. CCMP is an AES-based encryption protocol. And your wireless security, just as a note here, is particularly important because anyone in range can listen in to the transmission. Think about it: rather than using a physical wire as your transmission medium, you're using the air, the space around you, the electromagnetic waves that are broadcast out. If anyone is within listening distance of that transmission, they can collect that data and then save that to go and start decrypting later and find your sensitive information. You can do a capture immediately, whereas we would go ahead and lock our switches behind closed doors and make sure we have good cable management up in the ceiling where it's not easily accessible,
and our switches ensure that the traffic doesn't go to the wrong devices and is only directed to the device that it is intended for. With wireless, any device in range can listen in on that transmission and can potentially gain the information that was being transmitted. So let's compare a couple of these wireless security protocols. So WPA implements TKIP for message integrity checks, and it's stronger than the cyclic redundancy check, the CRC, that's used in WEP. That's where TKIP really improved on, I'm sorry, WPA really improved on WEP: TKIP is much stronger than CRC for integrity checks. And better message integrity protocols existed at the time when WPA was released, but generally they were too computationally expensive for the network interface cards. That's specifically not the access point, the wireless access point, but the interface cards, the NICs that were used on the devices, on our laptops and such; these protocols were generally too computationally expensive to be able to maintain the necessary amount of throughput. And so TKIP was used rather than some other more secure or better integrity protocols. And where CRC was problematic is that it allowed for your transmissions, your frames, to potentially be modified and retransmitted, and the station and the access point were none the wiser. And just as a quick note, STA here is for station, that's your client, and AP, this is your wireless access point, and this diagram down here is illustrating the four-way handshake that WPA and WPA2 use in order to verify that you have the correct pre-shared key, that you are actually allowed to connect to this network, and begin a security association with the access point so you can encrypt data being transmitted. Now WPA2 does improve on TKIP, and, as I said, it uses CCMP. Now CCMP stands for Counter Mode, that's the first C, Cipher Block Chaining, that's the second C, Message Authentication Code,
that's the M, Protocol. And CBC-MAC is the Cipher Block Chaining Message Authentication Code section of CCMP, and specifically, CCMP is the Counter Mode of CBC-MAC, and that is even still stronger than TKIP. And like I said, both WPA and WPA2 use a four-way handshake to confirm the correct pre-shared key is in possession on both sides, and it does this without ever transmitting the actual pre-shared key. I would be familiar with the directions and the steps here in the four-way handshake: the ANonce is transmitted from the access point to the station, which is the client. And then the station constructs the pre-shared, the PTK here, and the SNonce plus MIC is transported back to the access point, and then the access point constructs its PTK and transmits that back. And as long as everything's all in agreement, then there's an acknowledgement sent back, and we now know we have the correct pre-shared key on both sides. And the actual key itself was never transmitted, so it could not be compromised, or has a much lower likelihood of being compromised. Both WPA and WPA2 also support extensions, our Extensible Authentication Protocol, which is also known as 802.1X. This is known as the enterprise mode: when you see WPA or WPA2 Personal, that is for PSK, Pre-Shared Key, and WPA or WPA2 Enterprise is the EAP, extensions, implementation, or the 802.1X implementation, where typically you would use something like RADIUS or LDAP for authentication, potentially using certificate-based authentication with WPA Personal, I'm sorry, WPA Enterprise or WPA2 Enterprise. Now both the personal and enterprise mode use the same 128-bit encryption. This is something that I would take note of: for WPA and WPA2, both enterprise and personal mode, for both of them, use the same 128-bit encryption. Now let's talk a little bit about WPA3 and how that differs from WPA2. First up,
what I had noted, where we had the same 128-bit encryption for personal and enterprise with WPA and WPA2, WPA3 requires 192-bit equivalent encryption for enterprise mode, whereas 128-bit is still OK for personal mode. Now WPA3, the other big change that's here is it replaces the PSK four-way handshake with a new protocol called the Simultaneous Authentication of Equals, typically stated as SAE. And there's a diagram showing the SAE protocol overview here and the steps that are involved. I wouldn't necessarily know the individual steps that are involved here, but you can see that SAE kind of has its own bit here at the top, and then it does a PSK, the four-way handshake, here at the bottom. It sort of adds on to the PSK four-way handshake with its SAE, the Simultaneous Authentication of Equals. And as a quick note, it includes forward secrecy to prevent offline decryption attacks. This was something that WPA2 was vulnerable to, that you could record the transmissions that were there and be able to brute-force them offline and decrypt those. Excellent. So that's the main overview between WPA, WPA2 and WPA3. WPA3, as a quick note, was released in June of 2018. The actual certification for it, the devices are still being created and going through the certification process, so that's gonna take some time before that actually comes out. So now let's jump into our lab here and take a look at what we're going to do with that. It's gonna be a pretty simple lab. We're gonna jump into a wireless controller, and we will add a dynamic interface using VLAN 50, and we will configure an SSID to use the new virtual interface, and we will set the SSID to use WPA2 PSK, or WPA2 Personal, and I'm going to set this actually to not broadcast, and I'll show you where that option is, but I will enable the SSID. This is because this wireless controller is actually in a production environment,
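The four-way handshake described above can be carried through in code. What follows is an added Python example, not part of the course or of any vendor's implementation: it derives the PMK from a passphrase and SSID (PBKDF2), expands it into the PTK with the 802.11i PRF-512 from the two MAC addresses and the two nonces, and checks the message 2 MIC the way the AP does. The passphrase, SSID, AP address, nonces and the EAPOL-Key body are constructed values; the client MAC reuses R1's address from the earlier lab.

```python
# Added example (not part of the lecture): the WPA2-Personal key schedule behind the
# four-way handshake, run for both sides. Passphrase, SSID, MACs and the EAPOL body are
# constructed; the derivation steps are the ones specified in IEEE 802.11i.
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range(4):                   # 4 x 160 bits covers the 512 bits needed
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
    Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    # KCK authenticates the handshake (MIC), KEK wraps the group key, TK is the CCMP data key
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_key_frame: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = first 128 bits of HMAC-SHA1 over the
    EAPOL-Key frame with its MIC field zeroed. The frame passed here is a constructed body."""
    return hmac.new(kck, eapol_key_frame, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_passphrase: str, sta_passphrase: str, ssid: str = "BJ train lab") -> dict:
    """Runs the handshake between an AP and a station; returns what the AP could conclude."""
    ap_mac = bytes.fromhex("001122aabbcc")            # constructed AP address
    sta_mac = bytes.fromhex("000c8508d440")           # R1's MAC from the earlier lab, as the client
    anonce, snonce = os.urandom(32), os.urandom(32)   # fresh random nonces per association
    # Message 1 (AP -> STA) carries ANonce in the clear; the STA now has everything for its PTK.
    sta_ptk = derive_ptk(pmk_from_passphrase(sta_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    # Message 2 (STA -> AP) carries SNonce plus a MIC computed with the STA's KCK.
    msg2 = b"\x02\x03" + snonce + b"constructed EAPOL-Key message 2 body"
    mic2 = eapol_mic(sta_ptk["KCK"], msg2)
    # The AP derives its own PTK from its PMK and verifies the MIC: a match shows the STA
    # holds the same PMK, even though the passphrase itself never crossed the air.
    ap_ptk = derive_ptk(pmk_from_passphrase(ap_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    mic_ok = hmac.compare_digest(eapol_mic(ap_ptk["KCK"], msg2), mic2)
    # Messages 3 and 4 would then install TK on both sides; it only matches when the MIC did.
    return {"mic_ok": mic_ok, "same_tk": ap_ptk["TK"] == sta_ptk["TK"]}
```

Calling `four_way_handshake("correct-passphrase", "correct-passphrase")` gives a verified MIC and identical TKs, while a mismatched passphrase fails both, which is the "agreement" the lecture describes. The same code also shows why the lecture calls WPA2 vulnerable to offline attacks: the addresses, nonces and MIC all travel in the clear, so a recorded handshake leaves only the passphrase unknown, and a weak passphrase is the weak point. SAE's forward secrecy in WPA3 is the fix for exactly that recording-and-guessing problem.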
and I don't want to have a new SSID just randomly pop up for people. The changes that we're making here will not affect the existing SSIDs, in the event that you are managing a production network: if you are adding a new SSID, that should not have any effect on the existing ones, unless you have a large configuration problem of overlapping VLANs or IP addresses or things of that sort. And finally, we're gonna add the SSID to an AP group, and I will show you what that means here shortly when we go into the lab. Alright, so let's go over to our wireless controller here. So here we are on a 5500 Series wireless controller. So first up, let's go ahead and add our new dynamic interface using VLAN 50. So we're going over to the Controller tab, and then we're gonna go over to our Interfaces section, and we're gonna create a new interface here in the upper right. Our interface name, I'm gonna call this BJ train lab, and our VLAN ID is going to be 50. Awesome. And then we're here in our interface configuration section. So the port number, the primary port that we want this to use, which is the physical port on the wireless controller that this interface, this dynamic interface, will use. So for this virtual interface, the VLAN 50 interface, what physical port it is mapped to, let's set that to port 1. And we're not gonna have a backup port; this is gonna be port 0. Our VLAN identifier is 50. Let's do an IP address of 10.50.0.2, and the netmask will be a /24. The gateway, let's do 10.50.0.1. I do not actually have this configured on any router or switch at the moment, so this SSID would not be functional, but this is what we're going to set up here on our wireless controller. You would need to do the appropriate VLAN configuration at Layer 2 and Layer 3 on your router in order to get your new SSID to actually work.
And we're not gonna use DHCP relay here, or DHCP proxy, on this interface. I'm going to leave it at just Layer 2 DHCP, so the discovers will end up hitting a DHCP server that is inside that Layer 2 domain, and everything else here we're gonna go ahead and leave the same for right now. So let's go ahead and apply. And there we go. So now if we go back over to our interfaces, we see we now have this new interface, BJ train lab. So let's go ahead and create our SSID using the new virtual interface. So we're gonna go to Create New and click Go. Profile name, this could be arbitrary here for the moment, BJ train lab, and then I'm gonna do the same thing for the SSID name. And now we're here in the WLAN configuration section. So, like I said, I'm going to uncheck the Broadcast SSID checkbox here, but I am going to enable the SSID. And then here we need to set what interface or interface group this SSID is a member of. This is where we choose our new virtual interface that we created, the BJ train lab interface. And then look over here to our Security tab. We see that at the moment we already have WPA and WPA2 Layer 2 security selected. And then here in this section is where we select specifically that we want WPA2 to be used and not WPA. And then here we have WPA2 Enterprise with 802.1X enabled. At the moment, we're going to disable that and use pre-shared key. And that's where it gives us the PSK down here where we can type that in. I've created my pre-shared key, and that's actually all we need to do here. We could add some other types of security, like Layer 3 security for a splash page or a captive portal that we end up getting where we need to log in to, or, if we had 802.1X selected, we can configure our authentication servers here with LDAP or RADIUS here in our AAA Servers section. We can also set our QoS policies and do policy mapping with ACLs on our wireless controller here.
But we're not gonna get into any of that right now. We're just creating a new SSID that is WPA2 only, using PSK authentication. We'll go ahead and click Apply. Excellent. So now that that's been created, we go back over here to our WLANs. We see we have BJ train lab, our new SSID, created there. And now let's go over to our AP groups. So our AP groups: an AP group is a group of access points, where you have all of these WLANs, right, all of these SSIDs, but you don't want to broadcast all of these SSIDs from all of your access points, so you can group your access points into various groups, typically by location. Here we have Aurora, Detroit, Jacksonville, Montreal, and inside each of these groups we have our access points at that location added to the group, and then what SSIDs we want to broadcast in that group. So we're gonna go ahead and go over to our AP groups, and actually, let's broadcast this one out of the Detroit AP group. If we go Add New to the WLANs, do BJ train lab as the interface and BJ train lab as the SSID and go Add. And there we go. And that's all you got to do. Then in a few moments, once the provisioning takes effect through your CAPWAP to your access points, you'll start seeing that SSID pop up, if you do have it set to broadcast, which we do not. So excellent, that was our lab here. Let's go ahead and jump back over to our presentation and run through a couple of practice questions before we end off. First, what is the name of the authentication protocol used in WPA3? Is it pre-shared key, Asynchronous Authentication of Equals, Simultaneous Authentication of Equals, or Temporal Key Integrity Protocol? Here it was SAE, our Simultaneous Authentication of Equals. And finally, what message integrity check protocol is used by WPA2? Is it a) TKIP, b) CRC, c) CBC-MAC, or d) SAE?
SAE, as we just saw, was the handshake that is used for WPA3. TKIP is for WPA. CRC is for WEP. So the answer here is C, CBC-MAC, or CCMP would also be an acceptable answer. Now, I hope that this has been informative for you, and I'd like to thank you for viewing.

43. 6.1 Automating Network Management

Network automation. In this video, we're going to talk a little bit about how automation will change network management and its impact, how we currently manage the network in the more traditional sense, and what different automation technologies can do for us. And then specifically, we're gonna go through a little bit of Cisco's DNA Center and talk about what that is and how that increases network automation and changes the way that we manage our networks. So first, let's talk about traditional box-by-box management. So generally, we still go to each individual network device, right? You've got, say, like, a switch here and it's connected over to a router, and that might be connected to another switch, and that's connected to another router. And then maybe that's connected to, you know, a firewall. And I can't really draw a firewall here, but anyway, you get the idea, a firewall, and that's connected over to the Internet, right? And in order to make changes here, in order to say that, you know, maybe we've got a handful of computers coming off of here, and we've got a handful of machines coming off of here, and then let's say we've also got, you know, a wireless access point coming off of here, and we've also got a wireless access point coming off of here, and say we've got, you know, door locks or security cameras, or we're now implementing retinal scanners at each desk or something like that, and you need to go ahead and set up a new network for these devices, a new VLAN or a new security context, a new security level for these devices. What do you need to do?
You actually need to go to each of these individual devices and make that change: you need to add a VLAN here on your switches, you need to add a virtual interface or a subinterface to your routers, you need to add a new VLAN or security level to your firewall, and all of these devices need to be touched individually. I mean, in a five-device network like this, that's not really very big. But imagine that you had a 500-device network; this becomes a huge administrative effort problem. This is just not scalable. Sure, you can throw more people at it. You could just make your network team larger and larger to go ahead and handle these larger groups of devices. But you're going to still end up spending a lot of your time doing this, and beyond anything else as well, it's very error-prone. When you're actually there at the CLI and typing in commands, there's a lot of chance that you could make a typo. Say you're putting in an ACL and you accidentally capitalize a letter in one spot and you don't in the other. Well, that ACL doesn't have effect anymore; you now don't actually have the same ACL reference, because one is capitalized and the other is not. And unless you're writing out your configuration in Notepad or something and then pasting that into each of your devices, which a lot of times is not even feasible because of the different configuration that's required on many of your devices, then it's still very error-prone. And I remember seeing something like at least 40%, if not more, that that's the number of network outages that are caused by IT people and by errors made in configuration, that really a lot of our troubles are self-induced. And I'm sure you've encountered this as well: you go to make a change, say you're updating your OSPF here on your device, and it's something that you did not think was going to cause a full neighbor reset, and it does, and all of your neighbor relationships are gone.
All of your routes are gone. So you now have a network outage, at least for a short period of time, while all the neighbor relationships are rebuilt and everything comes back up and you have all your routes back. Or over here, you didn't realize that something that you were doing, or you made a typo, and accidentally blocked all the traffic coming in on the interface. Well, at least that business unit here that comes off of that interface, or perhaps it was this interface, and half of your company is now down, and you need to physically go over there and reset the device because you don't have management access anymore. These things happen. It's natural to make errors, and it's OK. But with that, it's just interesting to know that a lot of our network troubles are caused by ourselves. Even when you have really good, really solid change management processes in place, still a lot of errors are made and cause some problems for us. So this is just where our traditional management kind of has a failure: there's a scalability problem of having to touch every box when you want to make a change, and there's also a planning issue, the fact that you do need to touch every box and that any change you make to the network, deploying a new application, deploying voice over IP, now you need to add quality of service to every one of your hops, every one of your devices, or you need to do OUI filtering for your LLDP-MED for sending your voice VLAN to your individual devices, and things of that sort. This is a large change, a lot of boxes need to be touched, and this is a scalability issue with traditional box-by-box management. So continuing a little further in traditional management: like we said, devices are managed manually, individually, and possibly by the switch port, IP, or VLAN. It's just not scalable, in that once you hit a certain number of devices, too much of your network engineers'
time is spent managing day-to-day tasks on these devices, and you're not adding any real business value to your corporation or to your organization; you are just there doing maintenance. You are there as a body who happens to know how to type in commands. And that's just not the way that your knowledge, your expertise, should be used; you really should be adding more value to the business than that. And typically, inter-device communication is managed at the firewall or router via ACLs with our traditional device management. Now how do we migrate into automation and network automation? Well, Cisco generally breaks this out into three phases. The first phase is the configuration phase, where your syntax, your line-to-line syntax at the command line, is abstracted. Your configuration is still done box by box, but you may have a configuration automation tool that allows you to set a configuration, and it will give you either a configuration to paste into the device, or it will go ahead and push it out for you directly. You're still setting this box by box, individually, but a lot of the problem with it being error-prone is now removed, because that syntax is abstracted and you are no longer having to run the risk of making a typo and causing everything to just not work. And then the next step here would be the provision phase, and at this phase, this is where you start viewing the network as a whole. You're not really looking at individual box-by-box configuration and saying we need to set QoS here and on that interface right there, and that's gonna have to route over here, but under certain circumstances it might come over here, so we need to have the QoS set up here on that interface. You're starting to look at the network as a whole, to have your units of your network and to configure that unit to do certain things.
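As an added illustration of the configuration phase just described (this is example code written for these notes, not anything from the course or from Cisco), the snippet below expresses one change, a new VLAN plus the ACL that guards it, as a single intent, renders it for every device in a constructed inventory, and checks that every ACL applied with `ip access-group` is defined with exactly the same spelling and case. The hostnames, addresses, VLAN number and ACL names are constructed sample values; the hand-typed config at the end reproduces the capitalisation slip the lecture warns about so the check has something to catch.

```python
"""Generate one VLAN/ACL change for many devices and validate ACL references.

Added example, not the course's code. Inventory, VLAN, ACL names and templates
are constructed placeholders; nothing here talks to a real device.
"""
import re
from typing import Dict, List

# Constructed inventory: hostname -> management address (documentation range)
INVENTORY: Dict[str, str] = {
    "sw-detroit-01": "192.0.2.11",
    "sw-detroit-02": "192.0.2.12",
    "rtr-detroit-01": "192.0.2.1",
}

# The intent is stated once; the same values flow into every rendered config,
# so the ACL name cannot be typed differently on two lines.
INTENT = {"vlan_id": 310, "vlan_name": "IOT-CAMERAS", "acl_name": "IOT-CAMERAS-IN"}

SWITCH_TEMPLATE = """\
vlan {vlan_id}
 name {vlan_name}
"""

ROUTER_TEMPLATE = """\
ip access-list extended {acl_name}
 permit udp any eq 5004 any
 deny ip any any log
interface GigabitEthernet0/0.{vlan_id}
 encapsulation dot1Q {vlan_id}
 ip access-group {acl_name} in
"""


def render(hostname: str) -> str:
    """Pick the template by device role (hostname prefix) and fill in the intent."""
    template = ROUTER_TEMPLATE if hostname.startswith("rtr-") else SWITCH_TEMPLATE
    return template.format(**INTENT)


def acl_reference_errors(config: str) -> List[str]:
    """Return ACL names applied with 'ip access-group' that were never defined.

    IOS ACL names are case-sensitive, so 'Iot-Cameras-In' does not match
    'IOT-CAMERAS-IN'; that is the typo the lecture describes, and the interface
    would be left referencing an ACL that does not exist.
    """
    defined = set(re.findall(r"^ip access-list (?:extended|standard) (\S+)", config, re.M))
    applied = re.findall(r"^\s*ip access-group (\S+) (?:in|out)", config, re.M)
    return [name for name in applied if name not in defined]


def build_change(inventory: Dict[str, str]) -> Dict[str, str]:
    """Render the change for every device and refuse to emit any config if one
    of them references an undefined ACL (fail the whole change, not one box)."""
    rendered = {host: render(host) for host in inventory}
    for host, cfg in rendered.items():
        bad = acl_reference_errors(cfg)
        if bad:
            raise ValueError(f"{host}: ACL(s) applied but never defined: {bad}")
    return rendered


# Constructed hand-typed config with the capitalisation slip, for comparison.
HAND_TYPED_ROUTER = """\
ip access-list extended IOT-CAMERAS-IN
 permit udp any eq 5004 any
 deny ip any any log
interface GigabitEthernet0/0.310
 encapsulation dot1Q 310
 ip access-group Iot-Cameras-In in
"""

if __name__ == "__main__":
    for host, cfg in build_change(INVENTORY).items():
        print(f"! ---- {host} ({INVENTORY[host]}) ----")
        print(cfg)
    print("hand-typed config errors:", acl_reference_errors(HAND_TYPED_ROUTER))
```

The generated configs pass the check by construction, while the hand-typed one reports `Iot-Cameras-In` as applied but undefined. The same validation can be run against a running config pulled from a device before and after a change, which is the cheap way to catch this class of self-inflicted outage.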
And this part starts with simple processes: you're going to go ahead and configure your VLANs out across, or your routing out across your OSPF domain will all be provisioned as a whole, and there are certain tools available for this, which we'll talk about in a later video, that you can go ahead and use for configuration management and to be able to start configuring your network and looking at it as one whole unit instead of a bunch of individual little boxes. And as well, this is really between the provision and the program phase; this is really where Cisco DNA Center lives, and we'll talk about that in the coming slides. You can view your network as a whole, and you can also have APIs where applications do directly control the network to achieve the requirements. If you were in a large enough enterprise or in a company that does a lot of developer operations, you can have internal applications that will go on and provision different network services for your developers automatically; it can directly interact with your controller and be able to apply certain policies for new applications that are coming into play. I know it could be a little hard to visualize that, especially if you are used to the traditional device management, where it's box by box and having to go to the command line and understand exactly what's happening at that device. But you'll see soon here, and as you do some more reading, you'll understand how this really takes place. So that's really traditional device management and how we migrate into a fully automated network. Now let's talk about Cisco's newest software-defined network controller, and that's really what DNA Center is: it is an SDN controller. And let's talk about what DNA is. DNA is the Digital Network Architecture. Now,
this is a bit of a marketing term coined by Cisco, and really it's their next generation of software-defined networking. Devices that are DNA-compatible are devices that are compatible with DNA Center. Previous to this, and it's a little bit of a different solution, is the Cisco ACI. You may have seen this before; it's the Application Centric Infrastructure. That's another term coined by Cisco for software-defined networking, and the controller for this was the APIC-EM. And the next generation of this, though, is Cisco DNA Center, and it adds a lot of new features and has a lot of new functionality that APIC-EM and ACI just did not have. So with DNA, devices are identified on your network with ISE, the Identity Services Engine. That's another Cisco product, very powerful identity service software that will allow you to identify devices and be able to control their identity and use it as an authentication server and integrate with your existing identity service, be it a directory of some sort, Active Directory or Novell or things of that sort. ISE integrates and applies this to your network, and devices can be placed into groups using security group tags. Remember this; that's an SGT. We'll reference that a little more later. So this is a lot like a security group in your directory. If you're placing a user or a computer in your directory software like Active Directory with a security group membership, a security group tag is a lot like that, but for ISE. And the physical network is then segregated into virtual networks. We'll abbreviate this as VNs in the future here, and the virtual networks are really akin to VLANs. But this is just a more abstracted construct of a virtual network, in that it exists as an overlay network to your software-defined network, your underlay, your physical architecture, your fabric.
And we'll talk a little bit more about that in future videos here as to what the overlay and underlay network really are and how that applies. And the security group tags are granted certain access to and between virtual networks using contracts and policies. Just as a note here, as far as DNA Center is concerned, a policy is just an application of contracts. You create contracts, which are really like access control entries, and then you apply contracts to policies, which are really like your access control lists but are a little more flexible than just a regular ACL that we would create at the command line. And this figure here I took from Cisco's presentation on DNA Center. Note that before, in our traditional device management, VLAN and IP address-based access control, we create IP-based access control lists for access policy, and we deal with policy violations and errors manually at certain points when devices are accessing things that they shouldn't or are in some way moved and are now violating their access policy. If you have an ACL that is tied to a VLAN that's an access VLAN on a single port, and somebody moves that device to a new port, it may not be on the same VLAN now, and we now might have a policy violation for that device or that type of device, because it's now sitting on a new VLAN. And in the new network architecture, in the Digital Network Architecture, we don't run into that kind of problem, because we are applying our security group tags and our access to virtual networks based on the identity of the device. There is no VLAN or subnet dependency for segmentation; access control is controlled by your security group tags and your virtual networks. Your policies that are applied follow your device; the policy follows the identity, and we define one consistent policy for the devices, and it follows those devices. So next up we're gonna go a little bit through Cisco DNA Center.
I wanted to give you some screenshots to understand what the interface here looks like. So now that we have an understanding a little bit more about how we manage access control in Cisco DNA, let's see how that translates into a more practical sense. So here's a screenshot out of Cisco DNA Center. We are over in our Policy section, and we're in our virtual network, and we're setting which SGTs, which security group tags, or they also call them scalable groups, apply and have access to a virtual network. So we're in our, you know, default virtual network here. We have several different virtual networks to choose from. We have these SGTs; these are our SGTs for Internet of Things for lighting and our Internet of Things for the R M O. And then over here we also have a bunch of different security group tags as well, and we can grant our security group tags access to virtual networks in this fashion. And then up here, I want to make note that we also have access to the group-based access control, to have one group have access to another group regardless of what virtual network it's in, and we can specify exactly what type of access. Now, this isn't to say we don't have access to the IP-based access control; we do, or even the application-based access control, we have access to that as well. And something I want to mention here briefly, and you may not be as caught up with this as I was, but assurance, as far as what this actually means, and Cisco DNA Center is really big on assurance, and the Assurance center, what that is is the amount of auditing and information available to assure you that your policies are actually working in the fashion you expect, where it will give details and reports to show that this is actually what's going on. Now, as far as the group-based access control, over here we are in that section.
This gives a whole matrix, right, and there's a bunch of default defined policies as well, and in this particular example we've got 11,000 policies here in our group-based access control. And what this is saying is from one security group tag to another. So we have the IoT camera SGT and the Auditors SGT, and we're creating a custom policy, and this contract here, we can go ahead and create and assign a contract, and we are applying this policy, where here the name of this contract is Block Malware, and this contract is being applied in this policy. And here's what this contract does: it is permit or deny, and what the application is, the protocol, source and destination, the port, and whether we're logging or not. These are a lot like access control entries you remember from ACLs, and the contract is like an ACL, and we apply an ACL with a policy, or we apply a contract with a policy. We can just do a straight deny policy or a permit policy to permit traffic between two different security group tags. And remember, these security group tags are following our device, because that's how they are identified by ISE: when they plug in the device, it is identified by ISE, and our DNA, our Digital Network Architecture, is then applying policies to that device. Awesome. Now I know that this has been a little abstract, and your head might not be quite wrapped around it yet, and that's okay. We're going to talk more about software-defined networking and automation in the coming videos here. But before we end off, let's just go over a couple of practice questions. First up, what concept in Cisco's DNA Center replaces VLANs: security group tags, policies, virtual networks, contracts? The answer here, we mentioned that it is very akin to VLANs, it is C, virtual networks. And finally, how are identities grouped to provide similar security policies to devices of the same type?
Is it using security group tags, using virtual networks, is it with contracts, or the Digital Network Architecture? And we had talked that the thing that is very similar to security group membership is our security group tags; the answer here would be A. I hope that this has been informative for you. I'd like to thank you for viewing.

44. 6.2 Controller based and SDN architectures

SDN architectures. In this video, we're going to talk about the difference between a controller-based network and how traditional networks operate, and also go over some terminology used with software-defined networks, like the overlay and underlay network, and take a look and understand what that actually means. Now, software-defined networking is a really hot topic now, of course, and it has been for a few years, and it can be a little difficult to weed through a lot of the marketing buzzwords and propaganda, for lack of a better word, that's out there from the various vendors and try and understand really what this actually means and the practical applications it has and where this ends up changing things from an architectural perspective. So with that, let's go ahead and jump in and talk a little bit about how current networks operate and what a controller-based network ends up changing for us. So first, let's talk about the difference between the data plane and control plane on various devices. So on a router or a switch or other network devices, you have three distinct planes: you have the management plane, which we're not really covering here, and you have the data plane and the control plane. Really, these are meant to be software planes where different processing happens, either hardware-level basic processing, your application-specific integrated circuit processing, or your software processing, where your CPU actually spends CPU cycles running through software to process certain things. So your control plane.
This is where your control traffic happens. For a router, this would be where OSPF operates, or where CDP operates. I'm sorry, CDP would actually be in your management plane, but your control plane is things that have to be processed by the CPU. So for routing protocols, or packets originating from the device. For a switch, this might end up being things revolving around your MAC address tables and your VLANs, and setting those VLANs on the interfaces; those are all control plane operations. The way you would do that is through the CLI or SNMP or APIs, and that occurs on the management plane. But the other information of actually setting it, or the processing that the CPU has to do for any packets coming in, if it needs to do CPU processing, then that is happening at the control plane. Your data plane is where your forwarding table is. This is where your ASICs live, your application-specific integrated circuits. This is where traffic being actually forwarded through your device ends up going, through the data plane. And these two, the data plane and control plane, are really the operations that are relevant to our SDN conversation here. As we see in the diagram here, your OSPF hello timers are processed by your control plane; your neighbor tables and link-state database, that's all processed by the control plane, and that will all get put into the routing table that exists in the control plane, which then gets distilled into a forwarding table. And that forwarding table exists in the data plane. And this is where CEF, Cisco Express Forwarding, exists, down in the data plane. But if you need to do software switching, then that packet is forwarded up into the control plane and your software switching happens up there, if it cannot do hardware switching down in the data plane. So that's how regular devices work, right? You've got these three distinct planes in each individual device.
Your management plane, where we manage the device; control plane, where CPU processing happens; and your data plane, where hardware switching and ASIC-based forwarding ends up happening. Now step in controller-based networks. Controller-based networks end up taking your control plane and moving it to a central control plane. Your controller is actually just a centralized control plane, and the devices only act, really, as distributed data planes; they do the forwarding and you are doing the centralized CPU processing on the controller. And the individual devices still utilize their management planes, because you do need to be able to manage them with the controller, or be able to query them with SNMP to the individual devices, which you can also do from the controller. Typically, as you would see in ACI or DNA Center, you can get information about your individual devices from your controller, but your management plane is still active on your individual devices. It's your control plane that is not active on these devices; that function has been offloaded to your SDN controller, right? So let's talk about some of the other terminology that you'll see with SDN. First up, network fabric. So network fabric can be a little confusing; it's used in slightly different ways depending on which documentation you're looking at. Generally, the network fabric consists of the physical connections between networking devices. This usually does not include connections to endpoint devices like your servers or your workstations or your access points, but physical connections between networking devices. It generally comes from the idea that fabrics, right, are these interwoven threads, and you end up having just this thread of interwoven bits that look like a fabric, right. And you can kind of take a look here; this is an image depicting Facebook's newer three-layer fabric topology, also called their network fabric.
These interlacing lines here, which are all the network connections in their data center, look like a fabric, and all interweave like a fabric, and that's where that term ends up coming from. So this is, definitively, say if you have a router here and a router here and the connection there, this would be a fabric connection, or a switch to a switch, this would be a fabric connection. If you have a switch to a workstation, this would not be considered a fabric connection, because it's not part of your networking fabric; this is an endpoint connection. It's only your networking device connections that are considered to be part of the network fabric. And you would see that in your controller-based networks, in the terminology used in those interfaces and in the APIs, that it is looking for fabric connections, and those fabric connections are connections between your network devices. Awesome. So let's talk about what an underlay network and overlay network is. You may have heard this before, but let's go ahead and clarify what this really is. So we have here our underlay and overlay network. Our overlay network is a virtual network topology that is created from our underlay, so these two terms are directly related to each other, right. Your underlay network is similar to your network fabric, and it is the logical or physical connections between your network devices, and it's typically also the management network for the software-defined network. So you have here in the blue all of these physical connections here. But then, after some perhaps VLANing or spanning tree blocking or MPLS, what have you, perhaps, since these are virtual switches here, you have a Layer 2 MPLS going across, a VPLS, and to these virtual switches, as far as they're concerned, they are directly connected here. So that would be the overlay network.
And that leads us right into the next slide here: the overlay network is the virtual network topology that's created for client traffic, and the network is any logical topology that is created from the physical devices. So an overlay network and underlay network really don't have anything to do with software-defined networking in and of itself. We've been using overlay networks for a long time now; VLANs are an overlay network on top of our physical network infrastructure, in that your VLAN may not actually span your entire physical network, and it is a virtual LAN as an overlay network on top of your physical topology. But generally what we're talking about here is more of a software-defined network context for the CCNA exam here, and your overlay network would be the virtual network topology created for your client traffic. Awesome. I know this one is pretty quick. Let's run through just a couple of practice questions before we end off here. First up, which network device plane handles responding to pings? Now this would be traffic that is destined to or originating from the device itself, and that is handled by C, the control plane. And finally, which plane is offloaded to a controller in a controller-based software-defined network? And it's really a dead giveaway from the name that it is the control plane, A, that is offloaded to a controller in a controller-based software-defined network. I hope that this has been informative for you, and I'd like to thank you for viewing.

45. 6.3 REST APIs

REST API characteristics. In this video, we're gonna go over what an API is, and also how REST works and its characteristics, and then also look into how to interpret a very common method of notating the data that is transferred with a REST API, and why this ends up being useful for us as network engineers, since this seems much more like a programming thing.
And honestly, the line between a network engineer and a programmer is being blurred somewhat when we're working with controller-based architectures and software-defined networks: most of the controllers have APIs built into them, and the controllers generally communicate with the network devices via an API, and these methods of REST are what it generally uses to do that communication. So it's important to be aware of what this is and how you might read the information, and to be able to recognize the information when you do see it. So first up, let's talk about APIs. What is an API? It is an application programming interface. As we say here, an API is a control interface created to allow one application to communicate with another. This is an interface that is generally command line; it is text-based, and it is created so that one application can easily access another, to either put information, to write information, or to get information about the system or about a specific device. If I want to poll something for information, like SNMP, where our network management server polls information from the SNMP agent, that could be an API; that is an API for SNMP to gather that information. And software-defined network APIs allow for programmatic access to the controller's functions. Meraki is a very common SDN solution, and it's more of a cloud-controlled centralized controller architecture than it is SDN, but it does have some SDN qualities about it, and the controller for Meraki, the cloud controller, does have an API available, where you could go ahead and write code.
You can write applications in whichever language you would most prefer and be able to access a lot of features of the Meraki controller. You can make changes to your network, you can gather information about your network this way, you can make on-the-fly changes that don't require any kind of human intervention, in that you'll create applications that can go ahead and make changes to your network if a certain circumstance comes to be, or if an end user ends up plugging in a specific device and you find that showing up in your clients list, which your API has now pulled, then you can make some change to the network. This is just a small example, of course; you can use that information to do a wide range of tasks. And the most common API implementation method is through REST, and that is Representational State Transfer. And these APIs, they are called RESTful when they comply with the REST style, the REST architectural style; they are called RESTful APIs. Now what is a REST API? Representational State Transfer is that REST APIs provide functions for CRUD to interact with an application, and more than that, it is the architectural style of APIs that was developed back in the early two thousands and late nineties. This is what the web is really built on, right? One of the major points of the REST API is that it is stateless. And what does that really mean? It means that between client queries, between sending an HTTP query or an HTTP message to the server and getting some response, be it that you're writing something to the server and getting an OK back, or you're sending a GET request to the server and you're getting some application data back, between those queries, nothing is cached on the server side.
It is not keeping anything about the client on the server side; everything that is needed in order to process that request is included with this one request, which would also stand for the client's, I'm sorry, the server's response to the client: everything that is needed in order to process that response from the server is included with that response. So it's a really quick action-reaction; there's nothing else that we need in between. You don't need to store information and then use that in your next request. You could, if you wanted to gather information about a device and then request more information about that device; then you may need to parse the response from the server, gather that information you're looking for, and then send another request to the server asking about that information. So CRUD. What does this mean? That is create, read, update and delete. And this is implemented with the HTTP verbs POST, GET, PUT and DELETE. Now, you might be familiar with this, in that when you do operations on the Internet, when you go and visit a website, you are generally doing one of these operations with HTTP or HTTPS; it falls in the same way, just over TLS instead of unencrypted. So your GET operation, that is your standard "I am requesting a URL," and it is sending back the information. If you are visiting a website, you are putting a GET request to the web server and it is responding with the content of that website. If you're submitting a form or if you are uploading a picture, a lot of times this is implemented with a POST; this is a create request. Or it might be a PUT if you are updating something; a PUT is to update an existing URI, or an existing document on the web server, and POST is to create a new document, a new picture, a new anything on the server; you would do a POST. And if you're submitting a web form, that may also be sent with a POST. So the status code you're gonna end up getting back.
Here's an example of the client-side submission of a GET request to api.github.com. This is in Linux, and they are doing this with curl, and we are sending content type application/json, that is JavaScript Object Notation; we're going to talk more about that in a couple of slides here. And we're sending this to https://api.github.com, and we're doing verbose output here, and we see the initial TLS negotiation here, where we are getting the server certificate and verifying, we're connecting, etc. And then we have the connection open and we are doing our GET request to our host. We're sending our user agent along with our GET request in our HTTP header so that the server knows what kind of user agent is submitting the request. We are accepting anything back, and we're requesting the response to be in JSON-type formatting, or JSON-type encoding. I did not include the server response here, but the server does end up responding here with information about other queries that we can do to api.github.com; it ends up responding with a list of options saying here are potential queries you can do to api.github.com. And this isn't really needed here, but where this would be beneficial is if you are submitting a query to the REST API that is on the Cisco DNA Center, or to Meraki, or to the ACI, or, I'm sorry, APIC-EM as the controller for ACI, that you can write scripts and write programs to interact with these controllers. And the method by which we'll be interacting is through an API, and generally they have a REST API, a RESTful API. All right. So let's talk about what goes into a REST API request. It consists of four parts: the endpoint, the method, the headers, and the data, or body. And we had already looked at a couple of parts of this. The method is the CRUD, right?
The POST, GET, PUT, DELETE, or create, read, update and delete. And the endpoint is the URL that the request is sent to. In the previous slide we're just sending to api.github.com, and this would be the root endpoint to some longer endpoint. If you are doing api.github.com/users/:username/repos (generally having a colon in the beginning there means it is a variable and could be something different, a specific username perhaps), this would be the URL that we would send a GET request to, to list out the repositories on GitHub for a specific username. The root endpoint here would be api.github.com and the path would be users, the username, repos. And the HTTP headers are property-value pairs separated by a colon, and we'll go over that a little bit more in a bit here, but this is used for a lot of purposes; for example, you can include credentials or metadata about the data in our body. And let's just go back one slide so we can see here: these are the HTTP headers. We've got key value, key value, separated by a colon in the middle; these are our HTTP headers here. And we can see the content type we're requesting, content type application/json, and the arrows here, the carets going to the right, indicate that it is information that was sent to the server. If the caret was going the other way, to the left, that is information coming back to the client from the server. And this is just the notation for curl in this distribution of Linux; it could look very different depending on what application you're using to send the API request here. And the common data types are form-urlencoded and application/json; we're going to talk about both of those in just a moment here. And speaking of that, the www-form-urlencoded.
That's really the fuller name here, and it's, I believe, x-www-form-urlencoded, and JSON; these are two really common ways you're going to see the data being encoded. The URL-encoded: this is when you see your keys and values up in your URL. If you have ever submitted a form or gone to a website and you look up in the URL address bar and you see some of these values here, right, we've got something equals something, ampersand, something equals something; that is a form-urlencoded data type being sent to the server. It is actually an API, in that you are sending some data with your state over to the server so that it can send the appropriate response back. And the data in the form-urlencoded is plainly visible in the key=value format in the URL requested. Now JSON, JavaScript Object Notation: that encoding is stored in the body or the data section of the REST request. So in the body of the request that is sent, not in the URL, that will send JavaScript Object Notation information. We're going to go over that in the next slide here, what that notation looks like and how to read it. The JSON structure is very similar to HTTP headers in that it is key-value pairs separated by a colon, and I want you to keep that in mind when we go to the next slide here. The notation opens with a curly bracket; a curly bracket opens an object, and it consists here of key colon value, and then there are commas separating each of those in an object, and our object can have many keys and values. Our object can also include objects, right. So there is this sub-object here; this is JSON notation for describing a squad of superheroes that live in Metro City. So our members here is actually an array, and in the array is an object that has several values within it. So this is an array of objects. We do that with a square bracket, and within the square bracket we open another object here.
And that object is a person. It is Molecule Man. He's aged 29. Secret identity is Dan Jukes. He has an array of powers, which is three different values: radiation resistance, comma, turning tiny, comma, radiation blast. And then we close that array, and that object for Molecule Man is now closed. We do a comma, we have another object here, Madame Uppercut, and she is 39, secret identity Jane Wilson, and also has an array of three powers: million tonne punch, damage resistance, superhuman reflexes. And that array is now closed, the Madame Uppercut object is now closed, and the array of members is now closed. And then our object for the superhero squad is now also closed. That's how you read this. I understand, if you have zero experience with any kind of programming, this might feel really foreign to you. But this is something that you will need to know; it is on the exam topics for CCNA, interpreting JSON, that you'll need to understand that information is written in this format. I would review this slide a couple of times if you need to, although if you have some experience in programming then you probably won't need to; this will feel very similar to other work that you've done before. Alright, thanks for going through this with me. Just like the others, let's run through a couple of practice questions before we end off. First up, which HTTP verb would be used to retrieve information from an API? Is it POST, PUT, GET or DELETE? And remember, to retrieve would be to read information, and from CRUD, create, read, update and delete, the read would translate to the HTTP verb GET. So our answer here would be C, GET. And finally, and this one's a bit longer, here in this excerpt from an ACI API JSON query response, what is the OSPF hello interval used in the default OSPF policy? This is an interesting thing here that we can go over, what an actual response from the Application Centric Infrastructure APIC-EM,
the controller, actually looks like. When we sent this query for OSPF information, or for routing protocol information, we've got things here for the control plane, BGP configuration, and well, our question here was about OSPF, so we don't really need that; we can jump down to the next object here and look at the OSPF policies. Now within the OSPF policies we're looking for the hello interval. My mistake there. Let's continue through this a little bit and we see here we've got the name, network type, priority, interface cost, interface controls, and the hello interval. There's our hello interval there, and our hello interval is 10, and then there's a comma and then there's the dead interval below it, and that is set to 40, four times the hello interval, as is standard for OSPF. And just briefly here we can see that for the interface controls we have an array of: advertise subnet, MTU ignore, BFD, passive participation. This includes the policies used for configuring OSPF; the APIC, the controller, will use that policy to actually implement OSPF on the device. But we see that the hello interval here is 10, so our answer will be B, 10. I hope that this has been informative for you. I'd like to thank you for viewing.

46. 6.4 configuration management systems: Configuration management. Configuration management systems are something that allows centralized management of your configuration for your devices. Now this has been used for servers for a long time by system admins to manage the state or configuration of very large groups of servers.
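Before going on to configuration management, here is an added example (not part of the course, and not any vendor's code) that reads the two JSON structures from the REST API lesson above with Python's standard `json` module. Both documents are constructed for this example: the squad object mirrors the values read out on the slide, and the OSPF policy excerpt is a hypothetical stand-in shaped like the practice question, not the real APIC schema. `find_key` generalises the manual walk through nested objects and arrays that the lecture performs, and `default_ospf_timers` answers the practice question the way a script would.

```python
"""Reading nested JSON: objects, arrays of objects, and a recursive key search.

Added example; the documents below are constructed and the controller response
is hypothetical (shaped like the lesson's question, not a real ACI/APIC schema).
"""
import json

# Constructed: the squad object from the slide. One object, whose "members" key
# holds an array of objects, each holding a "powers" array of strings.
SQUAD_JSON = """
{
  "squadName": "Super hero squad",
  "homeTown": "Metro City",
  "members": [
    {
      "name": "Molecule Man",
      "age": 29,
      "secretIdentity": "Dan Jukes",
      "powers": ["Radiation resistance", "Turning tiny", "Radiation blast"]
    },
    {
      "name": "Madame Uppercut",
      "age": 39,
      "secretIdentity": "Jane Wilson",
      "powers": ["Million tonne punch", "Damage resistance", "Superhuman reflexes"]
    }
  ]
}
"""

# Constructed, hypothetical controller response: a BGP object we do not need,
# then an OSPF object whose "policies" array holds the default policy.
POLICY_JSON = """
{
  "controlPlane": {
    "bgp": {"asn": 65001, "routerId": "10.0.0.1"},
    "ospf": {
      "policies": [
        {
          "name": "default",
          "networkType": "p2p",
          "priority": 1,
          "interfaceCost": 0,
          "interfaceControls": ["advertise-subnet", "mtu-ignore", "bfd", "passive"],
          "helloInterval": 10,
          "deadInterval": 40
        }
      ]
    }
  }
}
"""

_MISSING = object()  # sentinel so a legitimate null/0/False value is not mistaken for "absent"


def find_key(node, key):
    """Depth-first search for the first occurrence of `key` in nested dicts and lists.

    Returns the value, or the _MISSING sentinel if the key is absent everywhere.
    """
    if isinstance(node, dict):
        if key in node:
            return node[key]
        for child in node.values():
            found = find_key(child, key)
            if found is not _MISSING:
                return found
    elif isinstance(node, list):
        for child in node:
            found = find_key(child, key)
            if found is not _MISSING:
                return found
    return _MISSING


def lookup(doc_text, key):
    """Parse a JSON document and return the first value stored under `key`, or None."""
    found = find_key(json.loads(doc_text), key)
    return None if found is _MISSING else found


def squad_power_index(doc_text):
    """Flatten the array of member objects into {name: [powers]}."""
    squad = json.loads(doc_text)
    return {member["name"]: list(member["powers"]) for member in squad["members"]}


def default_ospf_timers(doc_text):
    """Locate the policy named 'default' and return (helloInterval, deadInterval)."""
    policies = find_key(json.loads(doc_text), "policies")
    if policies is _MISSING:
        return None
    for policy in policies:
        if policy.get("name") == "default":
            return policy["helloInterval"], policy["deadInterval"]
    return None


if __name__ == "__main__":
    print(squad_power_index(SQUAD_JSON))
    print(default_ospf_timers(POLICY_JSON))  # (10, 40)
```

The sentinel in `find_key` matters for controller responses: a key whose value is `0`, `false` or `null` (such as `interfaceCost` above) is still a real answer, and a search that used `None` for "not found" would skip it.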
So you have many web servers, and there are several steps that need to occur, from the base operating system installation, in order to get that server ready to participate as a distributed node in your server cluster. Your configuration management system can go ahead and apply these steps after that initial base installation and get that server ready for you, as an automation tool, but also as a method of setting your infrastructure as code, making it very repeatable. So this has been used for servers for a long time, but more recently this has come to apply to network devices, and specifically, as far as the CCNA is concerned, we're going to be covering three different configuration management systems that Cisco wants you to be familiar with, and to understand where their differences are, so you can be familiar with the capabilities of each one. So with that, let's go ahead and jump right on in here. So the three management systems we're going to be covering are Ansible, Puppet and Chef. Now, configuration management systems allow for verifiable configuration states to be scaled. Like I said, this is often referred to as infrastructure as code, and that's the whole goal of automation, right, to do your configuration once, to write it as code, and then have it be applied many times; to take away any repetitive tasks like going through and actually entering commands in at the command line, and just let your configuration management take care of this. You create your configuration, your base configuration, once and then have it apply many times, and this is generally done per device role. So all of your access layer switches will have a very similar configuration, all of your distribution layer switches will have a very similar configuration, your interdepartmental routers will have a very similar configuration, so on and so forth, and you might just change
the IP addresses or the VLANs a little bit here and there, but that's going to be about all; everything else, for setting your SSH server or usernames, passwords, all of your security options and policies, and your QoS and things of that sort, are all very standard. And the standard configuration template not only allows for the automation but really allows for auditing very, very well, in that you can audit your configuration drift. Say that you have an admin structure or organization that has a tendency to go through and just make changes on the fly without going through your change management process. This really allows for auditing your configurations very well, in a centralized manner, in a way that's reportable, so that you can confirm that your configurations actually conform to your policies. And this can be very awesome in an industry where you have a lot of compliance regulations that you need to abide by, and where you need to supply to your auditors from time to time samples of your configuration or samples of your policy and how you have gone through to ensure that this policy is actually being met. So that's what's also awesome about configuration management, right, is that you have centralized configuration for each device, and that it applies and can verify that your configuration is actually the one that is centralized at your central server. Now, the reason why I haven't gone into much detail here is because Ansible, Puppet and Chef go about this in slightly different ways. They pretty much perform the same task, the thing I'm talking about here of configuration management, but they really differ slightly in their capabilities and their architecture and how they achieve this. So I'm going to go ahead and wait until we talk about each one here to really talk about the details as to how this happens.
So with that, let's move on to the next slide here, and the first one we're going to be talking about is Ansible. Where Ansible really stands out is that it's agentless; it only uses SSH to configure the devices. Now what this also means is that this is a system where you need to specify the individual commands that are to be run on your device. Ansible uses the concept of playbooks, and your playbook is written in YAML, and it describes the tasks to be performed on the device. So here we have this sample playbook; this is a playbook applying to the group of hosts called routers, and we can say whether we want to gather facts as well. And for the tasks we have, first, one task here that is called "Configure SNMP string on all devices", and we want to save the configuration on the device when the configuration has changed. Right, so the configuration may not necessarily change; it's going to log into the device and try to apply this task at whatever specified interval you set, and/or on demand as a push, because it is actually connecting and applying these configuration commands, and in the event that these commands cause any change to the config, if these commands were not already present, then it will go ahead and save that configuration. And then you can see, and I'm sure you're familiar with the commands that are being applied here: snmp-server community readonly RO, that our community for SNMP is "readonly" and it only has RO permissions, or "read_write" has read-write permissions. We're setting the domain name, ip domain-name, to roger.com. We are enabling traps, and we are setting our syslog server to 10.0.100.77 here, and that's the end of our playbook. Now you can imagine we can have several tasks here, right, to go ahead and apply the standard usernames and passwords, to apply the standard security policy, to apply the QoS policy.
And that could be on our set of hosts named switches if we wanted. You can see how this could be very scalable; we can have it apply to different sets of hosts. We could have it applied to ASAs and set our standard firewalling options or web filtering options, so on and so forth. And we see here, after we have applied the configuration, that this is actually a different playbook that was run; this was on switches, on access switches 1, 2 and so on, and there was one task that was done. The one task ended up giving us an ok, that it applied successfully, and that one task ended up causing a change in the device. Same thing for ASW2: the one task gave us an ok, and that one task applied a change. None of these four devices here ended up having the commands that we specified in our playbook, and our changed increments with the number of tasks which resulted in a change. Now we don't know which of these lines specifically actually ended up in a change; it could have been any one of them or it could have been all of them. We just know this entire task is something that caused a change, and therefore it would have resulted in a save. And it ended up being ok, that it did not fail and it was not unreachable. Now we could have had multiple tasks here. Let's say we had three tasks, and two of them were successful and resulted in a change, and one failed. Then we would have seen here: this ok would have been a 2, this changed would have been a 2, and this failed would have been a 1. That's how this play recap is written out here, and if all three tasks resulted in a change and all three were successful, then ok and changed would both be a 3 here. This is stating, for each task that was applied on each of these devices, what was the result of that task. Now, YAML is a language that's used for, uh, the explicit definition of properties here. That's something to be familiar with.
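As an added example (not Ansible's own code and not from the course), the following Python models the push run and play recap described above and the configuration-drift audit mentioned earlier in this lesson: a task is a list of config lines, a device's running config is a set of lines, a task counts as "changed" only when at least one line was missing, a changed task triggers the save, an unreachable or failed host gets no further tasks, and ok counts every task that succeeded. Hostnames, config lines, the `rejects` attribute and the playbook contents are constructed for this example; only the single SNMP task mirrors the slide.

```python
"""Toy push-model run with an Ansible-style play recap and a drift report.

Added example. Device names, config lines and the 'rejects' mechanism
(a constructed way to make a task fail on one platform) are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    running: set = field(default_factory=set)   # lines currently in running-config
    rejects: set = field(default_factory=set)   # constructed: lines this platform refuses
    reachable: bool = True
    saved: bool = False


# Constructed: the slide's single task, expressed as the config lines it pushes.
PLAYBOOK = [
    ("Configure SNMP string on all devices", [
        "snmp-server community readonly RO",
        "snmp-server community read_write RW",
        "ip domain-name roger.com",
        "snmp-server enable traps",
        "logging host 10.0.100.77",
    ]),
]


def apply_task(device, lines):
    """Apply one task idempotently. Returns 'ok', 'changed', 'failed' or 'unreachable'."""
    if not device.reachable:
        return "unreachable"
    missing = [line for line in lines if line not in device.running]
    if not missing:
        return "ok"                       # already conforms: nothing pushed, nothing saved
    if any(line in device.rejects for line in missing):
        return "failed"                   # platform refused a line: no change, no save
    device.running.update(missing)
    device.saved = True                   # the "save when changed" behaviour from the playbook
    return "changed"


def run_playbook(devices, playbook):
    """Return a play recap {host: {ok, changed, unreachable, failed}} like the one on the slide."""
    recap = {}
    for device in devices:
        counts = {"ok": 0, "changed": 0, "unreachable": 0, "failed": 0}
        for _task_name, lines in playbook:
            result = apply_task(device, lines)
            if result in ("unreachable", "failed"):
                counts[result] += 1
                break                     # remaining tasks are skipped for that host
            counts["ok"] += 1             # ok counts every task that succeeded...
            if result == "changed":
                counts["changed"] += 1    # ...and changed counts the subset that altered config
        recap[device.name] = counts
    return recap


def drift_report(device, playbook):
    """Audit without touching the device: which desired lines are absent from running-config."""
    desired = [line for _task_name, lines in playbook for line in lines]
    return [line for line in desired if line not in device.running]


if __name__ == "__main__":
    fleet = [Device("ASW1"), Device("ASW2", running=set(PLAYBOOK[0][1])), Device("RTR3", reachable=False)]
    print(run_playbook(fleet, PLAYBOOK))
    print(drift_report(Device("NEW-SW"), PLAYBOOK))
```

Running the same playbook twice against a device gives ok 1, changed 0 the second time, which is the idempotence the lesson describes: the recap tells you whether the device already conformed, and `drift_report` gives the same answer without pushing anything.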
If you were going to go through with using Ansible or trying it out, you might well go ahead and look that up and do an overview of the YAML scripting language. Awesome. So that's an overview of Ansible here. And actually, I forgot to mention that until recently it will take credentials at the command line entered by the user. So when you go ahead and create your playbook here, typically, as you can see, you had your hosts list of routers, and that list was a list of IP addresses and then also the usernames and passwords for each of those devices, and you could specify one set of username and password for the whole group of hosts or for each individual IP address. Now, of course, that means that you're saving your usernames and passwords in plain text in a file on your Ansible server, and that is not really awesome. What you can do as well is that Ansible allows you to run your playbook here and you can specify your password at run time of the playbook. So then you can tell Ansible to run the playbook and it'll ask for the password, and you can type it in then. And as you can imagine, this is not necessarily something that you would have run on a schedule; this is something that perhaps you, as the network administrator, will go ahead and run on demand. If you had configuration changes to apply, you could run that; if you wanted to verify the configuration on everything, you could run that; if you just wanted to see exactly which tasks here ended up resulting in a change, as to what the drift from the configuration was, you can go ahead and run this on demand. And then in your play recap (this is just a small section here of the whole play recap that Ansible gives out) it also specifies the result of each individual task. Awesome. Let's go ahead and move on to the next configuration management system here; that's going to be Puppet. So, unlike Ansible, Puppet requires an agent to be installed on the device to manage it.
Now, really think about what that means here: we need a piece of software installed on our device, on our network device, that is running as a Puppet agent in order to manage that device. Now, as you can imagine, this causes a lot of compatibility problems, right? Especially for older devices. If you have your Catalyst 3550s or your 1941 routers, you probably don't have agent software available that you can run on there. I'm not aware of an agent that you can run on these devices. They are getting better at creating more compatible agent software that can actually apply to these, but really, what you're going to be running this on is Nexus switches and perhaps the Cisco ASA firewalls; these do allow for the agent to be installed, there is an available compatible agent, and you can manage these devices. Now, Puppet uses its own configuration language that was inspired by Nagios, and it's built on Ruby, so it would be good to be familiar with Ruby if you're going to utilize Puppet. Now, Puppet also has a version available called Puppet Enterprise, and that does have a graphical interface available; however, your configuration creation (so here's an example of a manifest, and that's the term that Puppet uses, that you apply a manifest to a device), the manifest creation, is still done manually. You do still need to code up your manifest in a text editor of sorts in order to apply that with Puppet, but then your actual application and reporting and auditing can all be done through a graphical interface with Puppet Enterprise. Now, as you can probably tell, this manifest looks a lot different than the playbook of Ansible, in that it's a declarative manifest where the desired state is configured rather than individual commands. What we have here is that we want the OSPF
VRF configuration to have the auto-cost of 46,000 and the default metric be 5, and we want our Ethernet 1/2 interface to be in area 200 and have a cost of 200. We're not stating the actual commands that we want applied on the device; we're stating the state, the desired state, of the device, and then allowing Puppet to figure out the individual commands that need to be run: the interface Ethernet 1/2, ip ospf area 200, and so on and so forth. Those individual commands are left up to Puppet to figure out, and we're just giving it the end result, the desired state of the device. Now, Puppet's architecture is that the master server manages the nodes with the agent installed. So remember, the agent is installed on each of your managed devices, and you have a master server, which is the one that all of the agents check in with, and it can push the configuration to the agents. Now, managed nodes check in with the master every 30 minutes by default to verify their configuration; every 30 minutes the agent will check in with the master server and it will check the declarative manifest here and see if its configuration matches what is stated here. If it does not, it will conform its configuration to what is stated here. So your configuration management must be done at Puppet; you cannot make changes at the individual device, or else it will be reverted very shortly later to whatever configuration is specified at the Puppet master server. Now Ansible, of course, does not do this, because it does not have an agent, and it is a push-only system. Ansible must connect to each individual device by SSH and apply the commands, and then it is recording the results of those commands so that you can do reporting and auditing on the configuration on each device. Awesome. So that's how Puppet works.
Now let's go on to our last configuration management system here, and that's Chef. So Chef's architecture is very similar to Puppet's in that it requires an agent to be installed on the device. So again, you're going to run into your compatibility problem with your older devices, and that can be OK; if you have a newer infrastructure and you're using a lot of NX-OS switches, then awesome, this is great, and in fact the newer Catalyst, which is I believe the 6509, also supports the agent here as well. And, like Puppet, Chef is also built on Ruby, so that is a benefit here as well; if you're going to go for one of these two, learning Ruby is not a bad idea, so that you can go ahead and be able to work with these a lot easier, or at least learn the basics of Ruby. Just like Puppet, Chef also uses a declarative state. Now these are called recipes and cookbooks; they use the whole chef and cooking theme with Chef, with the recipes and cookbooks and applying a cookbook. Now where Chef has a major difference is that the cookbook processing occurs at each agent. So with Puppet, let me go ahead and clarify this: with Puppet, the agent connects to the master server, and the agent sends its current state to the master server. The master server computes the differences, if there are any, between the configured state and the current state, and it will send back to the agent what the desired state is so that the agent can apply that state, or will send it the commands that need to be run. With Chef, what happens is that the agent connects to the master server, or connects to the server, and it just pulls the cookbook. It pulls the desired state, and then on the agent it is processing the desired state and comparing it to the current state to confirm whether it conforms to the desired state or not, and will make changes as needed to allow it to conform.
Chef does not have a push model; you cannot push the desired state to the device or to the agents. It must pull, because the configuration change is being done at the agent, or the comparison is being done at the agent. This makes quick changes pretty much impossible: when you go ahead and set a new recipe in your cookbook, well, you're just going to be waiting until the agents check in again, and this may happen across your network quickly, it may not happen quickly; it depends on how often your agents are configured to pull from the server. Now, this does allow for a very distributed and extremely scalable system, in that your central server is no longer a bottleneck point and it is very lightly used. It's only used as a repository, really, for the agents to pull the desired state from, and then the agents are actually doing the configuration calculation. Now, this example recipe here is for NX-OS switch ports and configuring them. We see here we have the interface Ethernet 1/1, and we are doing some configuration: we are setting the IP address, the netmask, whether we have proxy ARP enabled or IPv4 redirects enabled, whether it is shut down or not, and whether the switchport mode is enabled or not, switchport or no switchport, a layer 3 or a layer 2 interface. And then for Ethernet 1/2 we're setting it as access VLAN 100, that it is not shut down, that it is an access switch port, not a trunk, and whether we want VTP turned on or not, VLAN Trunking Protocol. And you can see that this is a very similar kind of configuration; it is a declarative state configuration much like Puppet, but the actual syntax for that configuration is much different, and it is something that you would need to be familiar with if you're going to be writing your own configuration.
There are a lot of templates available for all three of these configuration management systems, Ansible, Puppet and Chef. If you're going to try out any one of them, they are all open source and you can try them out for free, and you can go and get templates so you can get up and running very quickly and be able to try them out and see whether these are a good fit for your organization or not. Awesome. Thanks for hanging in there with me, everyone. Now let's go through a couple of practice questions before we end off. First up, of the three configuration management solutions below, which does not require an agent on the managed device? Is it Chef, Puppet or Ansible? Now you should know by now that Ansible is the one that connects via SSH and does not require an agent; the other two here do require an agent. And because of that, Ansible is the most compatible with older devices, and the most compatible with third-party devices as well. Ansible really can be used in almost any environment, whereas Chef and Puppet not quite so much; you need really particular devices in order to use those. But I wouldn't shy away from them anyway; they could have a good use in your organization. Anyway, go ahead and check out their compatibility lists and see if it's a good fit for your network. And finally, which options below employ a declarative state structure, where the device state is defined rather than specific commands to run on the device? Is it Puppet and Chef, Chef and Ansible, Ansible and Puppet, or none of the above or a different combination? Now Ansible, because it connects via SSH, ends up applying individual commands to each device. Puppet and Chef, because they use an agent, are able to do a declarative state structure, and therefore the answer here is A, Puppet and Chef. Now, I hope that this has been informative for you, and I would like to thank you for viewing.