Open Systems Interconnection Model (OSI)
Created by the International Organization for Standardization (ISO)

OSI Model | Name | Protocol Data Unit (PDU) | Device | Protocols | Function
Layer 7 | Application | Data | Host (PC, Server, Mobile) | HTTP, FTP, DNS, SSH, SMTP | User interface, applications, programs
Layer 6 | Presentation | Data | Host (PC, Server, Mobile) | SSL, PDF, MPEG, JPG, HTML | Format, compression, encryption
Layer 5 | Session | Data | Host (PC, Server, Mobile) | L2TP, RTCP, NetBIOS, PPTP | Sync & send, ports, sessions
Layer 4 | Transport | Segment (Data + L4 header) | Host (PC, Server, Mobile) | TCP/UDP ports | Service-to-service connections
Layer 3 | Network | Packet (Data + L4 + L3 header) | Routers | IP address, ICMP, IPsec, IGMP | End-to-end addressing, traffic control
Layer 2 | Data Link | Frame (Data + L4 + L3 + L2 header) | Switches, Bridges | Ethernet, MAC address, PPP | Hop-to-hop link data transfer
Layer 1 | Physical | Bits (1010101110100101010101) | Ethernet, Hubs, WiFi, Repeater | Fiber, UTP, Wireless | Raw bit stream on a physical medium

TCP/IP Suite

The model actually implemented by modern networks; the OSI model survives mostly as the vocabulary used to describe it
TCP/IP Suite | Name
Layer 5 | Application
Layer 4 | Transport
Layer 3 | Network
Layer 2 | Data Link
Layer 1 | Physical
(The original four-layer TCP/IP model merges Data Link and Physical into one "Link" layer and calls the Network layer "Internet".)
MAC Address
Media Access Control Address
6-byte (48-bit) address assigned to a network interface by its manufacturer
Burned-In Address (BIA). It can be changed in software, so a MAC address identifies an interface but does not authenticate it.
IP Address
IPv4 Address Format (Dotted Decimal Notation): 32 bits, 4,294,967,296 (2^32) addresses
Class | First Octet | Range | Purpose | Private Range | Private Block (Mask / CIDR) | Addresses in Private Block
Class A | 0xxxxxxx | 0.0.0.0 - 127.255.255.255 | Host addresses | 10.0.0.0 - 10.255.255.255 | 255.0.0.0 or /8 | 16,777,216 (2^24)
Class B | 10xxxxxx | 128.0.0.0 - 191.255.255.255 | Host addresses | 172.16.0.0 - 172.31.255.255 | 255.240.0.0 or /12 | 1,048,576 (2^20)
Class C | 110xxxxx | 192.0.0.0 - 223.255.255.255 | Host addresses | 192.168.0.0 - 192.168.255.255 | 255.255.0.0 or /16 | 65,536 (2^16)
Class D | 1110xxxx | 224.0.0.0 - 239.255.255.255 | Multicast | - | - | -
Class E | 1111xxxx | 240.0.0.0 - 255.255.255.255 | Experimental | - | - | -
(127.0.0.0/8, inside the Class A range, is reserved for loopback.)
Conventions in a /24 subnet (x.x.x.0/24):
x.x.x.0 Network address
x.x.x.1 Default gateway (usually the router address, by convention rather than by standard)
x.x.x.255 Broadcast address

Subnetting

Group size        | 128 | 64  | 32  | 16  | 8   | 4   | 2   | 1
Subnet mask octet | 128 | 192 | 224 | 240 | 248 | 252 | 254 | 255
CIDR, 1st octet   | /1  | /2  | /3  | /4  | /5  | /6  | /7  | /8
CIDR, 2nd octet   | /9  | /10 | /11 | /12 | /13 | /14 | /15 | /16
CIDR, 3rd octet   | /17 | /18 | /19 | /20 | /21 | /22 | /23 | /24
CIDR, 4th octet   | /25 | /26 | /27 | /28 | /29 | /30 | /31 | /32
ex. 10.1.1.37/29: the 4th octet is the interesting one, group size 8, so networks start at .0, .8, .16, .24, .32, .40, ...
Network ID             10.1.1.32
First host IP          10.1.1.33
Last host IP           10.1.1.38
Broadcast IP           10.1.1.39
Next network           10.1.1.40
Number of IP addresses 8 (6 usable: the network and broadcast addresses are excluded)
Subnet mask            255.255.255.248 (/29)
Fixed-Length Subnet Mask (FLSM)
Variable-Length Subnet Mask (VLSM)
Supernetting - IP Aggregation
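The group-size method above, as an added example (not part of the original notes): a stdlib-only subnet calculator that reproduces the 10.1.1.37/29 walk-through, reads the "interesting octet" and group size off the table, handles the /31 and /32 edge cases (no reserved network/broadcast addresses) and cross-checks itself against Python's ipaddress module. All inputs other than the page's /29 example are constructed.

```python
"""Subnet calculator for the 'group size' method shown above (stdlib only).

The /29 worked example on the page is used as a test input; all other inputs are constructed.
"""
import ipaddress

MASK32 = 0xFFFFFFFF


def interesting_octet(prefix: int) -> tuple:
    """Return (octet number 1-4, group size in that octet) as read off the table.

    /29 -> (4, 8): the fourth octet steps in multiples of 8; /12 -> (2, 16).
    """
    if not 1 <= prefix <= 32:
        raise ValueError("prefix must be /1 .. /32")
    octet = (prefix - 1) // 8 + 1            # octet in which the last mask bit falls
    bits_in_octet = prefix - (octet - 1) * 8
    return octet, 1 << (8 - bits_in_octet)   # 256 / 2**bits


def subnet_info(cidr: str) -> dict:
    """Network, first/last host, broadcast, next network and counts for an IPv4 address/prefix."""
    ip_str, _, prefix_str = cidr.partition("/")
    if not prefix_str:
        raise ValueError("expected address/prefix, e.g. 10.1.1.37/29")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"invalid prefix length /{prefix}")
    ip = int(ipaddress.IPv4Address(ip_str))
    mask = (MASK32 << (32 - prefix)) & MASK32
    block = 1 << (32 - prefix)               # total addresses in the subnet (the group size)
    network = ip & mask
    broadcast = network | (block - 1)
    if prefix >= 31:
        # /31 (RFC 3021 point-to-point links) and /32 have no reserved network/broadcast addresses
        first, last, usable = network, broadcast, block
    else:
        first, last, usable = network + 1, broadcast - 1, block - 2
    next_net = network + block
    fmt = lambda n: str(ipaddress.IPv4Address(n))
    return {
        "network": fmt(network),
        "first_host": fmt(first),
        "last_host": fmt(last),
        "broadcast": fmt(broadcast),
        "next_network": fmt(next_net) if next_net <= MASK32 else None,
        "mask": fmt(mask),
        "prefix": prefix,
        "total": block,
        "usable": usable,
    }


def check_against_stdlib(cidr: str) -> bool:
    """Cross-check the hand calculation with ipaddress (strict=False accepts a host address)."""
    info = subnet_info(cidr)
    net = ipaddress.ip_network(cidr, strict=False)
    return (info["network"] == str(net.network_address)
            and info["broadcast"] == str(net.broadcast_address)
            and info["mask"] == str(net.netmask)
            and info["total"] == net.num_addresses)


if __name__ == "__main__":
    for cidr in ("10.1.1.37/29", "172.20.5.9/12", "192.0.2.1/31"):
        print(cidr, subnet_info(cidr), "ok" if check_against_stdlib(cidr) else "MISMATCH")
```

The bit arithmetic is the same as the table: the mask is the top `prefix` bits set, the group size is 2^(32 - prefix), and the network address is the input ANDed with the mask.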
L1 Physical Mediums

Ethernet Standards (copper)

Speed | Common Name | IEEE Standard | Informal Name | Max Length | Pairs Used
10 Mbps | Ethernet | 802.3i | 10BASE-T | 100 m | 2 pairs (4 wires)
100 Mbps | Fast Ethernet | 802.3u | 100BASE-T | 100 m | 2 pairs (4 wires)
1 Gbps | Gigabit Ethernet | 802.3ab | 1000BASE-T | 100 m | 4 pairs (8 wires)
10 Gbps | 10 Gigabit Ethernet | 802.3an | 10GBASE-T | 100 m | 4 pairs (8 wires)
Defined in the IEEE 802.3 standard (1983)
IEEE = Institute of Electrical and Electronics Engineers
BASE = baseband signaling
T = twisted pair

Fiber-Optic Cable Standards

SFP transceiver (Small Form-factor Pluggable)
Speed | Cable Type | IEEE Standard | Informal Name | Max Length
1 Gbps | Multimode or single-mode | 802.3z | 1000BASE-LX | 550 m (MM), 5 km (SM)
10 Gbps | Multimode | 802.3ae | 10GBASE-SR | 400 m
10 Gbps | Single-mode | 802.3ae | 10GBASE-LR | 10 km
10 Gbps | Single-mode | 802.3ae | 10GBASE-ER | 30 km
L2 Data Link Protocols (Switching)

Dynamic Trunking Protocol (DTP)

Cisco proprietary protocol that lets Cisco switches negotiate the mode of a link (access or trunk) without manual configuration. It is enabled by default on all Cisco switch interfaces.
## Manual configuration
switchport mode access
switchport mode trunk
For security purposes, manual configuration is recommended: set every port explicitly to access or trunk and disable DTP negotiation on all switchports, so that a host plugged into an access port cannot negotiate a trunk for itself.

VLAN Trunking Protocol (VTP)

It allows VLANs to be configured on a central VTP server switch; the other switches (VTP clients) synchronize their VLAN database to the server.
It is designed for large networks with many VLANs, so that each VLAN does not have to be configured on every switch.
Caveat: a switch joining the domain with a higher configuration revision number overwrites the VLAN database of every other switch, so VTP is commonly set to transparent mode or turned off.

Spanning Tree Protocol (STP)

(Industry standard IEEE 802.1D protocol)
Layer 2 protocol used to prevent loops and broadcast storms in networks with redundant links.
Without it, redundant links between switches cause loops, broadcast storms and MAC address flapping (the same MAC address learned on one port, then another, in turn).
Switches from all vendors run STP by default.
STP works by designating a single "root bridge" within the network and then blocking redundant paths.
By selecting which ports are forwarding and which are blocking, STP creates a single path to/from each point in the network.
STP-enabled switches send/receive Hello Bridge Protocol Data Units (BPDUs) out of all interfaces every 2 seconds (the hello timer).
If a switch receives a Hello BPDU on an interface, it knows that interface is connected to another switch.
Types of STP
STP / 802.1D: original STP
PVST+: Cisco improvement of STP adding a per-VLAN instance
RSTP / 802.1w: improved STP with much faster convergence
Rapid PVST+: Cisco improvement of RSTP adding a per-VLAN instance
Speed | STP Cost (802.1D) | RSTP Cost (802.1w)
10 Mbps | 100 | 2,000,000
100 Mbps | 19 | 200,000
1 Gbps | 4 | 20,000
10 Gbps | 2 | 2,000
100 Gbps | - | 200
1 Tbps | - | 20
(- = no value defined in the original 802.1D cost table)
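Root bridge election and root port selection, as an added example using the RSTP cost table above (this is illustrative code, not part of the original notes or any vendor implementation). Switch names, MAC addresses and link speeds are constructed. It shows the two comparisons the text describes: the lowest bridge ID (priority plus extended system ID, then MAC) wins the root election, and a non-root switch picks as root port the interface with the lowest total cost to the root, which is often not the direct link.

```python
"""Root bridge election and root port selection with the RSTP cost table above.

Added example; switch names, MACs and link speeds are constructed, not taken from a real network.
"""
from dataclasses import dataclass

# Mbps -> RSTP (802.1w) port cost, from the table above
RSTP_COST = {10: 2_000_000, 100: 200_000, 1_000: 20_000,
             10_000: 2_000, 100_000: 200, 1_000_000: 20}


def port_cost(speed_mbps: int) -> int:
    try:
        return RSTP_COST[speed_mbps]
    except KeyError:
        raise ValueError(f"no RSTP cost defined for {speed_mbps} Mbps") from None


def bridge_id(priority: int, vlan: int, mac: str) -> tuple:
    """Bridge ID as (priority + extended system ID, MAC). Lower wins.

    With the extended system ID (PVST+/Rapid PVST+) the priority field is only
    4 bits wide, so the configured priority must be a multiple of 4096 and the
    VLAN number is added to it.
    """
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094")
    mac_int = int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)
    return (priority + vlan, mac_int)


def elect_root(bridges: dict, vlan: int) -> str:
    """bridges: name -> (priority, mac). Returns the name holding the lowest bridge ID."""
    return min(bridges, key=lambda n: bridge_id(bridges[n][0], vlan, bridges[n][1]))


@dataclass(frozen=True)
class Bpdu:
    """What a non-root switch learns from a hello BPDU received on local_port."""
    local_port: str
    speed_mbps: int       # speed of the local port the BPDU arrived on
    root_path_cost: int   # cost from the sender to the root, as advertised
    sender_bid: tuple     # sender's bridge ID
    sender_port_id: int   # sender's port ID (last tie-breaker)


def select_root_port(bpdus: list) -> tuple:
    """Root port = lowest (advertised cost + cost of the receiving port); ties go to
    the lowest sender bridge ID, then the lowest sender port ID.
    Returns (local_port, this switch's own root path cost)."""
    if not bpdus:
        raise ValueError("no BPDUs received: this switch believes it is the root")

    def key(b):
        return (b.root_path_cost + port_cost(b.speed_mbps), b.sender_bid, b.sender_port_id)

    best = min(bpdus, key=key)
    return best.local_port, key(best)[0]


if __name__ == "__main__":
    bridges = {"SW1": (32768, "0c2f.b011.9d00"),
               "SW2": (32768, "0c2f.b06a.3900"),
               "SW3": (4096, "0c2f.b0aa.0100")}   # lowered priority: SW3 becomes root
    root = elect_root(bridges, vlan=1)
    # SW1 hears the root directly over a 100 Mbps link and via SW2 over 10 Gbps
    # (SW2 reaches the root over 1 Gbps, so it advertises 20,000)
    bpdus = [Bpdu("Gi0/1", 100, 0, bridge_id(4096, 1, bridges["SW3"][1]), 1),
             Bpdu("Te0/2", 10_000, 20_000, bridge_id(32768, 1, bridges["SW2"][1]), 2)]
    print("root:", root, "root port on SW1:", select_root_port(bpdus))
```

In the constructed topology the direct 100 Mbps link to the root costs 200,000 while the two-hop path over 10 Gbps and 1 Gbps costs 22,000, so the indirect path becomes the root port and the direct link is blocked.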
Classic STP Port State | Send/Receive BPDUs | Frame forwarding | MAC address learning | Stable/Transitional
Blocking | NO/YES | NO | NO | Stable
Listening | YES/YES | NO | NO | Transitional
Learning | YES/YES | NO | YES | Transitional
Forwarding | YES/YES | YES | YES | Stable
Disabled | NO/NO | NO | NO | Stable

Rapid STP Port State | Send/Receive BPDUs | Frame forwarding | MAC address learning | Stable/Transitional
Discarding | NO/YES | NO | NO | Stable
Learning | YES/YES | NO | YES | Transitional
Forwarding | YES/YES | YES | YES | Stable

EtherChannel

a.k.a. Port Channel or Link Aggregation Group
EtherChannel groups multiple physical interfaces together to act as a single logical interface, adding bandwidth without STP blocking the extra links (e.g. Access Switch 1 → Distribution Switch 1).
STP treats the group as a single interface.
EtherChannel methods
PAgP (Port Aggregation Protocol) - Cisco proprietary protocol {desirable/auto}
LACP (Link Aggregation Control Protocol) - industry standard protocol IEEE 802.3ad {active/passive}
Both dynamically negotiate the creation/maintenance of the EtherChannel (like DTP does for trunks)
Static EtherChannel (no protocol) - interfaces are statically configured to form an EtherChannel (not recommended: a misconfigured member link is not detected)

Layer 2 Discovery Protocols

Cisco Discovery Protocol (CDP)
Cisco proprietary protocol
Link Layer Discovery Protocol (LLDP)
Industry standard protocol (IEEE 802.1AB)
Because these protocols share information about the devices in the network, they can be considered a security risk and are often disabled.
L3 Network Layer (Routing)

Static Routing

R1# show ip route
L - local # A route to the actual IP address configured on the interface, with a /32 netmask (the address of the interface)
C - connected # A route to the network the interface is connected to, with the actual netmask (the network connected to the interface)
S - static

Dynamic Routing

Routing Protocols

Interior Gateway Protocol (IGP) - used to share routes within a single autonomous system (AS), i.e. a single organization (e.g. a company)
Exterior Gateway Protocol (EGP) - used to share routes between different autonomous systems (Company A to ISP A to ISP B to Company B, etc.)

Dynamic Routing Protocol Metrics

Interior Gateway Protocol | Metric | Explanation
RIP | Hop count | Each router in the path counts as one "hop". The total metric is the number of hops to the destination. Links of all speeds are equal.
EIGRP | Bandwidth & delay | Complex formula that can take many values into account. By default, the bandwidth of the slowest link in the route and the total delay of all links in the route are used.
OSPF | Cost | The cost of each link is calculated from its bandwidth. The total metric is the sum of the link costs along the route.
IS-IS | Cost | The total metric is the sum of the link costs along the route. Link cost is not calculated automatically by default: all links have a cost of 10.

Administrative Distance

Route Source (Protocol) | Default AD
Connected interface | 0
Static route to a next hop | 1
EIGRP summary route | 5
External BGP | 20
Internal EIGRP | 90
IGRP | 100
OSPF | 110
IS-IS | 115
RIP | 120
EGP | 140
External EIGRP | 170
Internal BGP | 200
Unknown | 255

Route Precedence

Routers compare three items to determine the best path:
1. Route specificity (longest prefix match: more specific is better)
2. Administrative Distance (lower is better)
3. Metric (lower is better)
If all three items are identical, routers load balance across the paths (Equal-Cost Multi-Path, ECMP)
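The three-step comparison above, carried out in code as an added example (not part of the original notes): a constructed routing table holds overlapping prefixes learned from several sources, and `best_routes` applies longest prefix first, then the AD table, then the metric, returning every route that ties so that ECMP is visible. The prefixes, next hops and metrics are made up for the illustration; the AD values are the defaults from the table above.

```python
"""Route selection as described above: longest prefix, then lowest AD, then lowest metric,
with ECMP when all three tie. Added example with a constructed routing table."""
import ipaddress
from dataclasses import dataclass

# Default administrative distances (from the table above)
AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90,
      "ospf": 110, "isis": 115, "rip": 120, "ibgp": 200}


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "10.1.0.0/16"
    source: str      # key into AD
    metric: int      # protocol metric; only comparable within one protocol
    next_hop: str

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)   # strict: prefix must be a network address


def _rank(route: Route) -> tuple:
    """Sort key: longer prefix first, then lower AD, then lower metric."""
    return (-route.network.prefixlen, AD[route.source], route.metric)


def best_routes(table: list, destination: str) -> list:
    """All routes a router would use to reach destination (more than one = ECMP)."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return []
    best = min(_rank(r) for r in candidates)
    return [r for r in candidates if _rank(r) == best]


# Constructed table: overlapping prefixes from several sources
TABLE = [
    Route("0.0.0.0/0", "static", 0, "203.0.113.1"),   # default route
    Route("10.0.0.0/8", "ospf", 30, "10.1.1.2"),
    Route("10.1.0.0/16", "rip", 2, "10.1.1.3"),        # lower metric, but RIP's AD 120 loses to OSPF's 110
    Route("10.1.0.0/16", "ospf", 65, "10.1.1.4"),
    Route("10.1.0.0/16", "ospf", 65, "10.1.1.5"),      # equal-cost second OSPF path -> ECMP
    Route("10.1.1.0/24", "connected", 0, "GigabitEthernet0/0"),
]

if __name__ == "__main__":
    for dst in ("10.1.5.7", "10.1.1.9", "10.2.3.4", "192.0.2.1"):
        print(dst, "->", [(r.prefix, r.source, r.next_hop) for r in best_routes(TABLE, dst)])
```

Note that the metric is only compared after prefix length and AD have tied, which in practice means between routes of the same protocol; a RIP metric of 2 never beats an OSPF cost of 65 for the same prefix.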

Link State Routing Protocols

When using a link state routing protocol, every router creates a “connectivity map” of the network.
Each router advertises information about its interfaces (connected networks) to its neighbours.
Link state protocols tend to be faster in reacting to changes in the network than distance vector protocols.

Open Shortest Path First (OSPF)

(uses Dijkstra's shortest path first algorithm)
Layer 3 protocol, one of the family of IP routing protocols, and an Interior Gateway Protocol (IGP) used to distribute IP routing information throughout a single Autonomous System (AS) in an IP network
Three versions:
OSPFv1 (1989) - Old, not in use anymore
OSPFv2 (1998) - Used for IPv4
OSPFv3 (2008) - Used for IPv6 (can also be used for IPv4, but usually v2 is used)
OSPF areas, LSAs and LSDBs
Routers store information about the network in Link State Advertisements (LSAs), which are organized in a structure called the Link State Database (LSDB).
Routers flood LSAs until all routers in the OSPF area have the same map of the network (the same LSDB).
An area is a set of routers and links that share the same LSDB.
The backbone area (area 0) is the area that all other areas must connect to.
Routers with all interfaces in the same area are called internal routers.
Routers with interfaces in multiple areas are called area border routers (ABRs).
Routers connected to the backbone area (area 0) are called backbone routers.
An intra-area route is a route to a destination inside the same OSPF area.
An inter-area route is a route to a destination in a different OSPF area.
An Autonomous System Boundary Router (ASBR) connects the OSPF domain to an external network or routing protocol (e.g. the Internet).
Example LSA: RID 4.4.4.4, network 192.168.4.0/24, cost 1
Three steps in OSPF
1. Become neighbours with other routers on the same segment
2. Exchange LSAs with neighbour routers
3. Calculate the best route to each destination and insert it into the routing table
Router ID order of priority
1. Manual configuration
2. Highest IP address on a loopback interface
3. Highest IP address on a physical interface
Neighbor Adjacency
For two OSPFv2 routers to form an adjacency, certain parameters must match between them, while others must be unique.
Must match:
1. Area ID: both interfaces must be in the same area.
2. Netmask: the subnet masks on the connecting interfaces must match (except on point-to-point links).
3. Timers: the hello and dead intervals must be the same on both routers.
4. Authentication: the authentication type and key must match (and the interface MTU must match for the database exchange to complete).
Must be unique:
1. Router ID: each OSPF router must have a unique Router ID within the OSPF domain.
2. IP address: each interface must have a unique IP address within the subnet.
Locally significant:
OSPF process ID: it only identifies the process on the local router and does not need to match between neighbours.
OSPF Cost
OSPF's metric is called cost
It is calculated by dividing a reference bandwidth value by the interface's bandwidth (truncated to an integer, minimum 1)
R1(config-router)# auto-cost reference-bandwidth 100000   # in megabits per second
The default reference bandwidth is 100 Mbps, so FastEthernet, Gigabit and 10 Gigabit links all get a cost of 1 and OSPF cannot tell them apart; configure a reference bandwidth much greater than the fastest link in the network (to allow for future upgrades)
The reference bandwidth must be consistent across all routers.
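An added example (illustrative code, not from the original notes or from any router implementation) tying together the LSDB, the three OSPF steps and the cost formula above: a constructed LSDB of four router LSAs is run through Dijkstra from one router, and the resulting routing table is computed twice, once with the default 100 Mbps reference bandwidth and once with the 100000 Mbps value from the `auto-cost` command, to show how the default hides the difference between 100 Mbps and 1 Gbps links. The router IDs, prefixes and link speeds are made up (the 192.168.4.0/24 network behind RID 4.4.4.4 echoes the example LSA above).

```python
"""OSPF cost and SPF: build the LSDB from router LSAs, run Dijkstra from one router and derive
its routing table. Added example; router IDs, prefixes and link speeds are constructed."""
import heapq
import itertools

INF = float("inf")


def ospf_cost(bandwidth_mbps: int, reference_mbps: int = 100) -> int:
    """Cisco-style interface cost: reference bandwidth / interface bandwidth, truncated, minimum 1.
    With the default 100 Mbps reference, FastEthernet and every faster link all cost 1."""
    if bandwidth_mbps <= 0 or reference_mbps <= 0:
        raise ValueError("bandwidths must be positive")
    return max(1, reference_mbps // bandwidth_mbps)


# LSDB: one router LSA per RID. 'links' = neighbour RID -> link bandwidth (Mbps),
# 'networks' = stub prefixes -> bandwidth of the interface they sit on.
LSDB = {
    "1.1.1.1": {"links": {"2.2.2.2": 1_000, "3.3.3.3": 100}, "networks": {"192.168.1.0/24": 1_000}},
    "2.2.2.2": {"links": {"1.1.1.1": 1_000, "4.4.4.4": 1_000}, "networks": {}},
    "3.3.3.3": {"links": {"1.1.1.1": 100, "4.4.4.4": 1_000}, "networks": {}},
    "4.4.4.4": {"links": {"2.2.2.2": 1_000, "3.3.3.3": 1_000}, "networks": {"192.168.4.0/24": 100}},
}


def spf(lsdb: dict, root: str, reference_mbps: int = 100) -> tuple:
    """Dijkstra from root. Returns (cost to each RID, first-hop RID on the best path)."""
    dist = {root: 0}
    first_hop = {root: None}
    tiebreak = itertools.count()               # keeps heap entries comparable
    heap = [(0, next(tiebreak), root)]
    while heap:
        d, _, rid = heapq.heappop(heap)
        if d > dist.get(rid, INF):
            continue                           # stale entry
        for nbr, bw in lsdb[rid]["links"].items():
            if nbr not in lsdb:
                continue                       # one-sided link: neighbour's LSA not (yet) in the LSDB
            nd = d + ospf_cost(bw, reference_mbps)
            if nd < dist.get(nbr, INF):
                dist[nbr] = nd
                first_hop[nbr] = nbr if rid == root else first_hop[rid]
                heapq.heappush(heap, (nd, next(tiebreak), nbr))
    return dist, first_hop


def routing_table(lsdb: dict, root: str, reference_mbps: int = 100) -> dict:
    """prefix -> (total cost, first-hop RID, or None when directly connected)."""
    dist, hop = spf(lsdb, root, reference_mbps)
    table = {}
    for rid, lsa in lsdb.items():
        if rid not in dist:
            continue                           # unreachable router
        for prefix, bw in lsa["networks"].items():
            cost = dist[rid] + ospf_cost(bw, reference_mbps)
            if prefix not in table or cost < table[prefix][0]:
                table[prefix] = (cost, hop[rid])
    return table


if __name__ == "__main__":
    for ref in (100, 100_000):   # default reference vs 'auto-cost reference-bandwidth 100000'
        print(f"reference {ref} Mbps:", routing_table(LSDB, "1.1.1.1", ref))
```

With the default reference every link costs 1 and both paths from 1.1.1.1 to 4.4.4.4 tie at 2; with the 100000 Mbps reference the 100 Mbps link costs 1000, the Gigabit path wins at 200, and even 3.3.3.3 is reached more cheaply through 2.2.2.2 and 4.4.4.4 (300) than over its direct link (1000).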
DR, BDR, DROther
DR = Designated Router, BDR = Backup Designated Router; every other router on a multi-access segment is a DROther and forms a full adjacency only with the DR and BDR.
First Hop Redundancy Protocols (FHRP): HSRP, VRRP, GLBP

Access Control Lists ACLs

Standard ACLs: match on source IP address only
Standard numbered ACLs
Standard named ACLs
Standard ACLs (Standard IP) number range: 1-99 and 1300-1999
Extended ACLs: match on source/destination IP, protocol, source/destination port, etc.
Extended numbered ACLs
Extended named ACLs
Extended ACLs (Extended IP) number range: 100-199 and 2000-2699
Entries are evaluated top-down and the first match decides; every ACL ends with an implicit "deny any", so an ACL with no permit entries blocks all traffic. Matching uses wildcard masks (0 bit = must match, 1 bit = don't care), not subnet masks.
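As an added example (not from the original notes, and not Cisco's own implementation), the numbered ACL syntax above parsed and evaluated in Python: wildcard-mask matching, the standard/extended number ranges, top-down first-match evaluation and the implicit deny at the end. The ACL entries and the test packets are constructed.

```python
"""Wildcard-mask matching and first-match evaluation for the numbered ACL syntax above.
Added example; the ACL entries and test packets are constructed (not from any real device)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

STANDARD_RANGES = (range(1, 100), range(1300, 2000))      # standard IP ACL numbers
EXTENDED_RANGES = (range(100, 200), range(2000, 2700))    # extended IP ACL numbers


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'.
    'host A' is A 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"              # standard ACLs have no destination: match any
    dst_wc: str = "255.255.255.255"
    proto: str = "ip"                 # "ip" matches every protocol
    dport: Optional[int] = None       # 'eq <port>' on the destination, if present


def _address(tokens: list) -> tuple:
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'. Returns (base, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ...' for standard and extended numbered ACLs."""
    t = line.split()
    if t[:1] != ["access-list"]:
        raise ValueError("expected a numbered 'access-list' line")
    number = int(t[1])
    action = t[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if any(number in r for r in STANDARD_RANGES):
        src, src_wc, _rest = _address(t[3:])
        return Ace(action, src, src_wc)
    if any(number in r for r in EXTENDED_RANGES):
        proto = t[3]
        src, src_wc, rest = _address(t[4:])
        dst, dst_wc, rest = _address(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        return Ace(action, src, src_wc, dst, dst_wc, proto, dport)
    raise ValueError(f"ACL number {number} is neither standard nor extended IP")


def evaluate(acl: list, src: str, dst: str = "0.0.0.0", proto: str = "ip",
             dport: Optional[int] = None) -> tuple:
    """Top-down, first match wins. Returns (action, index of the matching entry);
    a packet that matches nothing hits the implicit 'deny any' at the end (index None)."""
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action, i
    return "deny", None


if __name__ == "__main__":
    acl = [parse_ace("access-list 101 deny tcp any host 10.0.0.5 eq 23"),
           parse_ace("access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 22"),
           parse_ace("access-list 101 permit ip 192.168.1.0 0.0.0.255 any")]
    print(evaluate(acl, "192.168.1.7", "10.0.0.5", "tcp", 22))   # ('permit', 1)
    print(evaluate(acl, "192.168.2.7", "10.0.0.5", "tcp", 22))   # ('deny', None): implicit deny
```

The order matters: swapping the first two entries would let SSH through before the Telnet deny is ever consulted, and a source outside 192.168.1.0/24 matches nothing and falls through to the implicit deny.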
L4 Transport Layer

TCP Header

3-Way Handshake

It happens at Layer 4 of the OSI model
1. Client sends a SYN segment, asking for synchronization (a new connection)
2. Server replies with SYN-ACK (synchronize + acknowledge): it acknowledges the client's SYN and asks to open its own direction of the connection
3. Client replies with ACK, which completes the connection
TCP: Sequencing/Acknowledgement

UDP Datagram Header
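The TCP header, the three-way handshake with its sequence/acknowledgement arithmetic, and the UDP header, as one added example (illustrative code, not from the original notes): the headers are built and parsed with `struct`, the three segments of a handshake are generated and validated, and the UDP length field is checked against the buffer it arrived in. Port numbers, initial sequence numbers and payloads are constructed; real stacks randomise the ISN (RFC 6528), and the small fixed values here exist only to keep the arithmetic visible. Checksums are left at zero because computing them needs the IP pseudo-header, which this example does not model.

```python
"""TCP and UDP header encode/parse and a three-way handshake walk-through.
Added example; ports, ISNs and payloads are constructed."""
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
TCP_HDR = "!HHIIHHHH"   # sport, dport, seq, ack, offset+flags, window, checksum, urgent pointer
UDP_HDR = "!HHHH"       # sport, dport, length, checksum
MOD32 = 1 << 32


def build_tcp(sport, dport, seq, ack, flags, payload=b"", window=65535):
    """20-byte TCP header without options. Checksum left 0: it needs the IP pseudo-header."""
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    offset_flags = (5 << 12) | flag_bits          # data offset 5 x 32-bit words = 20 bytes
    return struct.pack(TCP_HDR, sport, dport, seq % MOD32, ack % MOD32,
                       offset_flags, window, 0, 0) + payload


def parse_tcp(segment: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(TCP_HDR, segment[:20])
    hlen = (off_flags >> 12) * 4
    if hlen < 20 or hlen > len(segment):
        raise ValueError(f"bad data offset {hlen}")
    flags = sorted(n for n, bit in TCP_FLAGS.items() if off_flags & bit)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "hlen": hlen, "payload": segment[hlen:]}


def build_udp(sport, dport, payload=b""):
    return struct.pack(UDP_HDR, sport, dport, 8 + len(payload), 0) + payload


def parse_udp(datagram: bytes) -> dict:
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _csum = struct.unpack(UDP_HDR, datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError(f"bad UDP length {length}")   # never trust the length field over the buffer
    return {"sport": sport, "dport": dport, "length": length, "payload": datagram[8:length]}


def three_way_handshake(client_isn, server_isn, cport=51515, sport=22):
    """The three segments as parsed dicts: SYN, SYN-ACK, ACK."""
    syn = build_tcp(cport, sport, client_isn, 0, ["SYN"])
    syn_ack = build_tcp(sport, cport, server_isn, client_isn + 1, ["SYN", "ACK"])
    ack = build_tcp(cport, sport, client_isn + 1, server_isn + 1, ["ACK"])
    return [parse_tcp(s) for s in (syn, syn_ack, ack)]


def handshake_is_valid(segments) -> bool:
    """Flags in order, ports mirrored, and each ACK number equals the peer's ISN + 1 (mod 2^32)."""
    syn, syn_ack, ack = segments
    return (syn["flags"] == ["SYN"] and syn_ack["flags"] == ["ACK", "SYN"]
            and ack["flags"] == ["ACK"]
            and syn_ack["ack"] == (syn["seq"] + 1) % MOD32
            and ack["ack"] == (syn_ack["seq"] + 1) % MOD32
            and ack["seq"] == (syn["seq"] + 1) % MOD32
            and syn_ack["dport"] == syn["sport"] and ack["dport"] == syn["dport"])


if __name__ == "__main__":
    for seg in three_way_handshake(1000, 5000):
        print(seg["sport"], "->", seg["dport"], seg["flags"], "seq", seg["seq"], "ack", seg["ack"])
```

The SYN consumes one sequence number even though it carries no data, which is why the SYN-ACK acknowledges ISN + 1 and the client's final ACK is sent with sequence number ISN + 1; the modulo handles the 32-bit wrap.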

TCP/UDP ports

Well-known port numbers: 0 - 1023
Registered port numbers: 1024 - 49151
Ephemeral/private/dynamic port numbers: 49152 - 65535
TCP
20 FTP File Transfer Protocol (data)
21 FTP File Transfer Protocol (control)
22 SSH Secure Shell
23 TELNET Telecommunication Network
25 SMTP Simple Mail Transfer Protocol
49 TACACS+ Terminal Access Controller Access-Control System
80 HTTP Hypertext Transfer Protocol
110 POP3 Post Office Protocol version 3
143 IMAP Internet Message Access Protocol
179 BGP Border Gateway Protocol
389 LDAP Lightweight Directory Access Protocol
443 HTTPS Hypertext Transfer Protocol Secure
445 SMB Server Message Block
554 RTSP Real-Time Streaming Protocol
3306 MySQL
3389 RDP Remote Desktop Protocol
5432 PostgreSQL
6379 Redis
UDP
67 DHCP Dynamic Host Configuration Protocol (server)
68 DHCP Dynamic Host Configuration Protocol (client)
69 TFTP Trivial File Transfer Protocol
123 NTP Network Time Protocol
161 SNMP Simple Network Management Protocol (agent/queries)
162 SNMP Simple Network Management Protocol (manager/traps)
514 Syslog System Logging Protocol
1812 RADIUS Remote Authentication Dial-In User Service (authentication)
1813 RADIUS Remote Authentication Dial-In User Service (accounting)
5004 RTP Real-time Transport Protocol (VoIP)
TCP & UDP
53 DNS Domain Name System
IPv6

IPv6 Address Types

Unicast: a unique address for a single interface (equivalent to IPv4's static and DHCP-assigned addresses).
Global Unicast Address (GUA) (2000::/3): globally unique addresses that are routable on the Internet (similar to public IPv4).
Link-Local Address (fe80::/10): valid only on the local link, never forwarded by routers; every IPv6 interface has one (similar to IPv4 auto-configuration 169.254.0.0/16).
Loopback Address (::1/128): used by a host to send a packet to itself.
Unspecified Address (::/128): denotes the absence of an address.
Unique Local Address (ULA) (fc00::/7, in practice fd00::/8): private addresses routable inside an organization but not on the global Internet (similar to private 10.0.0.0/8 IPv4).
IPv4-mapped (::ffff:0:0/96): IPv6 addresses that carry an IPv4 address in the low 32 bits (e.g. ::ffff:192.0.2.1), used by dual-stack sockets and transition mechanisms.
Multicast: addresses used to deliver packets to multiple interfaces (covers what IPv4 does with broadcast and multicast).
Assigned (ff00::/8): the multicast range; ff02::1 is all nodes on the link, ff02::2 all routers on the link.
Solicited Node (ff02::1:ff00:0/104): special multicast addresses used for address resolution (Neighbor Discovery) in place of ARP's broadcast.
Anycast: a unicast address shared by multiple interfaces, allowing for load balancing and redundancy (no direct equivalent in IPv4).
IPv6 has no "broadcast" address; the all-nodes multicast address ff02::1 takes its place.

Hexadecimal

Decimal | Binary | Hexadecimal
0 | 0000 | 0
1 | 0001 | 1
2 | 0010 | 2
3 | 0011 | 3
4 | 0100 | 4
5 | 0101 | 5
6 | 0110 | 6
7 | 0111 | 7
8 | 1000 | 8
9 | 1001 | 9
10 | 1010 | a
11 | 1011 | b
12 | 1100 | c
13 | 1101 | d
14 | 1110 | e
15 | 1111 | f
(Every hexadecimal digit is a 4-bit number)
0b1101 = 0xd

Finding the IPv6 prefix

(global unicast addresses)
An IPv6 address is 32 hexadecimal digits = 128 bits
Typically, an enterprise requesting IPv6 addresses from its ISP receives a /48 block
Typically, IPv6 subnets use a /64 prefix length
That leaves the enterprise 16 bits for subnetting (65,536 /64 subnets)
The remaining 64 bits (the interface ID) identify hosts

64-Bit Extended Unique Identifier (EUI-64)

Used to generate the 64-bit interface ID of link-local (fe80::/10) and SLAAC global addresses
Uses the MAC address of an interface: split it in half, insert ff:fe in the middle and flip the seventh bit (the universal/local bit) of the first byte
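An added example (illustrative code, not part of the original notes) covering the two preceding sections: the EUI-64 transformation, the link-local and SLAAC addresses it produces, the solicited-node multicast address derived from them, the reverse mapping from an EUI-64 address back to the MAC (the privacy leak that RFC 4941 temporary addresses were introduced to avoid), and the split of a /64 into the /48 routing prefix, the 16-bit subnet ID and the interface ID. The MAC address reuses one from the ARP example later on this page; the prefixes are constructed from the documentation range 2001:db8::/32.

```python
"""EUI-64 interface IDs, link-local and SLAAC addresses, solicited-node multicast and the
/48 + 16-bit subnet split described above. Added example; the MAC and prefixes are constructed."""
import ipaddress


def _mac_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 48 bits")
    return raw


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the MAC, insert ff:fe in the middle, flip the U/L bit (0x02 of byte 0)."""
    b = bytearray(_mac_bytes(mac))
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the EUI-64 interface ID."""
    return ipaddress.IPv6Address(bytes.fromhex("fe80000000000000") + eui64_interface_id(mac))


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global address a host would autoconfigure from a /64 router advertisement plus its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def solicited_node(address: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, built from the low 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(address).packed[-3:]
    return ipaddress.IPv6Address(bytes.fromhex("ff0200000000000000000001ff") + low24)


def mac_from_address(address: str):
    """Recover the MAC from an EUI-64 interface ID (why privacy extensions, RFC 4941, exist);
    returns None when the interface ID is not EUI-64 derived."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b)


def split_prefix(address_with_len: str) -> dict:
    """For an enterprise /48 cut into /64s: routing prefix, 16-bit subnet ID, 64-bit interface ID."""
    iface = ipaddress.IPv6Interface(address_with_len)
    if iface.network.prefixlen != 64:
        raise ValueError("expected a /64")
    p = iface.ip.packed
    routing = ipaddress.IPv6Network(f"{ipaddress.IPv6Address(p[:6] + bytes(10))}/48")
    return {"routing_prefix": str(routing),
            "subnet_id": int.from_bytes(p[6:8], "big"),
            "interface_id": p[8:].hex()}


if __name__ == "__main__":
    mac = "0c2f.b011.9d00"
    ll = link_local_from_mac(mac)
    gua = slaac_address("2001:db8:1:2::/64", mac)
    print("link-local:", ll, "solicited-node:", solicited_node(str(ll)))
    print("SLAAC:", gua, "MAC recovered:", mac_from_address(str(gua)))
    print(split_prefix(f"{gua}/64"))
```

The U/L bit flip is why 0c:2f:... becomes 0e2f: in the address, and the ff:fe marker in the middle of the interface ID is what makes the MAC recoverable by anyone who sees the address.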
Network Time Protocol (NTP)
Manually configuring the time on devices is not scalable: manually set clocks drift, resulting in inaccurate time (and in logs that cannot be correlated across devices).
NTP gives accuracy within ~1 millisecond when the NTP server is on the same LAN and ~50 milliseconds when the server is reached over a WAN/Internet.
Reference Clocks
They are usually very accurate time sources such as an atomic clock or a GPS clock
Reference clocks are stratum 0 within the NTP hierarchy
NTP servers directly connected to reference clocks are stratum 1
Stratum 15 is the maximum; anything above is considered unsynchronized/unreliable
Devices can also "peer" with devices at the same stratum to provide more accurate time (server mode, client mode, symmetric active mode)
C:\Users\user> nslookup time.google.com
Server:  dns.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    time.google.com
Addresses:  2001:4860:4806::
          2001:4860:4806:c::
          2001:4860:4806:8::
          2001:4860:4806:4::
          216.239.35.12
          216.239.35.8
          216.239.35.4
          216.239.35.0
Application Layer

Address Resolution Protocol (ARP)

Maps an L3 address (IP) to an L2 address (MAC)
Runs on hosts and routers; learned mappings are cached in the ARP table
Consists of two messages:
ARP Request is broadcast = sent to all hosts on the network
ARP REQUEST
Src IP: 192.168.1.1
Dst IP: 192.168.1.3
Src MAC: 0C2F.B011.9D00
Dst MAC: FFFF.FFFF.FFFF
ARP Reply is unicast = sent only to one host (the host that sent the request)
ARP REPLY
Src IP: 192.168.1.3
Dst IP: 192.168.1.1
Src MAC: 0C2F.B06A.3900
Dst MAC: 0C2F.B011.9D00
ARP has no authentication: a host accepts whatever reply it receives, which is why switches offer Dynamic ARP Inspection (DAI) to validate ARP packets against DHCP snooping bindings.
C:\Users\user> arp -a      # Show ARP table in Windows
user@Macbook ~ % arp -a    # Show ARP table in macOS
$ arp -a                   # Show ARP table in Linux
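The request/reply exchange above, encoded and decoded byte for byte, as an added example (illustrative code, not from the original notes or from any switch firmware). It also shows the check a switch's Dynamic ARP Inspection applies on an untrusted port: the sender IP/MAC pair must match the DHCP snooping binding table and the ARP sender MAC must equal the Ethernet source MAC. The binding table and the mismatching reply used to exercise the check are constructed.

```python
"""ARP request/reply encoding and parsing for the exchange above, plus a Dynamic ARP
Inspection-style check of ARP packets against a DHCP-snooping binding table. Added example;
the binding table and the mismatching reply are constructed."""
import ipaddress
import struct

ETHERTYPE_ARP = b"\x08\x06"
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC {mac!r}")
    return raw


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header + 28-byte ARP body (hardware type 1 = Ethernet, protocol 0x0800 = IPv4).
    Requests go to the broadcast MAC; the target MAC inside a request is unknown, hence zeros."""
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + ETHERTYPE_ARP
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
            + mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed)
    return eth + body


def parse_arp(frame: bytes) -> dict:
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    if op not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unexpected ARP opcode {op}")
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]), "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def dai_check(arp: dict, bindings: dict) -> tuple:
    """Validate an ARP packet the way DAI does on an untrusted port: the sender IP/MAC pair must
    exist in the DHCP-snooping binding table (IP -> MAC) and the ARP sender MAC must equal the
    Ethernet source MAC. Returns (accepted, reason)."""
    if arp["sender_mac"] != arp["eth_src"]:
        return False, "ARP sender MAC differs from Ethernet source MAC"
    expected = bindings.get(arp["sender_ip"])
    if expected is None:
        return False, f"no binding for {arp['sender_ip']}"
    if expected != arp["sender_mac"]:
        return False, f"{arp['sender_ip']} is bound to {expected}, not {arp['sender_mac']}"
    return True, "ok"


if __name__ == "__main__":
    # The two messages from the page, checked against a constructed binding table
    request = build_arp(ARP_REQUEST, "0C2F.B011.9D00", "192.168.1.1", ZERO_MAC, "192.168.1.3")
    reply = build_arp(ARP_REPLY, "0C2F.B06A.3900", "192.168.1.3", "0C2F.B011.9D00", "192.168.1.1")
    bindings = {"192.168.1.1": "0c:2f:b0:11:9d:00", "192.168.1.3": "0c:2f:b0:6a:39:00"}
    for frame in (request, reply):
        arp = parse_arp(frame)
        print(arp["op"], arp["sender_ip"], "->", arp["target_ip"], dai_check(arp, bindings))
```

A reply claiming 192.168.1.1 from a MAC other than the one bound to that address fails the second check; without DAI the requesting host would simply overwrite its ARP cache entry.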

ICMP Ping

A network utility used to test reachability
It measures round-trip time
Uses two messages:
ICMP Echo Request
ICMP Echo Reply

Domain Name System (DNS)

DNS is used to resolve human-readable names (google.com) to IP addresses
DNS Records
A record - The most basic type of record, also known as the address record. It points a domain or subdomain name to an IPv4 address.
AAAA record - Maps a hostname to a 128-bit IPv6 address.
CNAME record - Forwards one domain or subdomain to another domain name; it does NOT provide an IP address.
MX record - Directs mail to an email server.
TXT record - Lets an admin store arbitrary text in the record. Often used for email security: SPF, DKIM and DMARC policies are published as TXT records.
NS record - Stores the name servers authoritative for a zone.
SOA record - Stores administrative information about a zone (primary name server, contact, serial number, timers).
SRV record - Specifies the host and port for a specific service.
PTR record - Provides a domain name for reverse lookups (IP address to name).
Public Servers
-1.1.1.1, 1.0.0.1 Cloudflare
-8.8.8.8, 8.8.4.4 Google
-9.9.9.9, 149.112.112.112 Quad9
-208.67.222.222, 208.67.222.220 OpenDNS
NSlookup
% nslookup domain.com
Terminal commands (Windows)
C:\Users\user> ipconfig /all
C:\Users\user> ipconfig /displaydns
C:\Users\user> ipconfig /flushdns
Hosts file
C:\Windows\System32\drivers\etc\hosts (Windows); /etc/hosts (Linux/macOS)

Dynamic Host Configuration Protocol (DHCP)

Layer 7 client/server protocol that automatically provides an IP host with its IP address and related configuration such as the subnet mask, default gateway and DNS servers.
DORA Process
(UDP ports 67 for the server and 68 for the client)
1. Discover: the client broadcasts to the local subnet requesting a response from any available DHCP server
2. Offer: a server responds with an offer and reserves an IP address for the requesting device
3. Request: the client broadcasts a request indicating that it accepts the offered IP address and configuration (subnet mask, default gateway, DNS server address); other servers that made offers withdraw them
4. Acknowledgement: the server confirms the lease; the device can now use this configuration to communicate on the network
C:\Users\user> ipconfig /all
C:\Users\user> ipconfig /release
C:\Users\user> ipconfig /renew
DHCP Relay
Broadcast messages do not leave the local subnet.
A centralized DHCP server therefore requires the router on each subnet to act as a DHCP relay agent, forwarding the client's broadcast to the server as unicast and returning the reply.

Simple Network Management Protocol SNMP

SNMP can be used to monitor the status of devices, make configuration changes, etc.
Two main types of devices:
1. Managed devices (routers, switches, etc.)
2. Network Management Station/System/Server (NMS)
SNMPv1 and v2c authenticate with plaintext community strings; SNMPv3 adds user authentication and encryption and is the only version that should be exposed on a production network.

Syslog

Industry standard protocol for message logging.
Syslog Severity Levels
0 Emergency
1 Alert
2 Critical
3 Error
4 Warning
5 Notification
6 Informational
7 Debugging

Secure Shell SSH

Developed in 1995 to replace cleartext protocols like Telnet. Only SSH version 2 should be enabled; version 1 has known weaknesses.

FTP & TFPT

File Transfer Protocol (TCP 20/21), Trivial File Transfer Protocol (UDP 69). Both transfer credentials and data in cleartext, and TFTP has no authentication at all.
Network Address Translation (NAT)
IPv4 does not have enough addresses for the number of devices on the Internet today.
The long-term solution to the IPv4 address shortage is to switch to IPv6.
There are three main short-term solutions:
1. Classless Inter-Domain Routing (CIDR)
2. Private IPv4 addresses
3. Network Address Translation (NAT)
Network Address Translation (NAT)
1. Static NAT: one private address is mapped permanently to one public address
2. Dynamic NAT: private addresses are mapped to public addresses from a pool, on demand
3. Port Address Translation (PAT, "NAT overload"): many private addresses share one public address, distinguished by port number
Voice VLANs
Traditional phones operate over the Public Switched Telephone Network (PSTN) or Plain Old Telephone Service (POTS)
IP phones use Voice Over IP (VoIP) technologies to enable calls over an IP network or Internet
Power Over Ethernet (PoE)
Quality of Service (QoS)
The purpose of QoS is to prioritize certain kinds of network traffic during congestion
Quality parameters in network traffic:
Bandwidth - Capacity measured in Kbps, Mbps, Gbps (Reserve link’s bandwidth for specific data traffic)
Delay - The amount of time it takes traffic to go from source to destination (one-way delay, two-way delay)
Jitter - The variation in one-way delay between packets (IP phones have a ‘jitter buffer’ to provide a fixed delay to audio packets)
Loss - The % of packets sent that do not reach their destination
Standards for acceptable interactive audio quality:
One-way delay: 150ms or less
Jitter: 30ms or less
Loss: 1% or less
Network Authentication
AAA Server
RADIUS vs TACACS+
Network Architectures
Topologies

LAN Architectures

Layers
Access Layer
The layer that end hosts connect to (PCs, printers, cameras, APs, etc.)
Typically Access Layer Switches have lots of ports for end hosts to connect to
QoS marking and security services like port security, DAI, etc are typically done here
Switchports might be PoE-enabled for wireless AP’s, IP phones, etc
Distribution Layer (Aggregation Layer)
Aggregates connections from the Access Layer Switches
Typically is the border between Layer 2 and Layer 3
Connects to services such as Internet, WAN, etc (in a two-tier design)
Core Layer
Connects Distribution Layers together in large LAN networks
The focus is speed (’fast transport’)
CPU-intensive operations such as security, QoS marking/classification, etc. should be avoided at this layer
Connections are all Layer 3 (No spanning tree)

2-Tier LAN

3-Tier LAN

Spine-Leaf (Data Center)

Small Office/Home Office (SOHO)

WAN Architectures

Network Automation
There are various tools/methods that can be used to automate tasks in the network
Software-Defined Networking (SDN)
Ansible, Puppet, Chef
Python scripts (traditional network architectures)
Scripts to push commands to many devices at once.
Python with Regular Expressions can parse through show commands to gather information about network devices.

Configuration Provisioning

It refers to how configuration changes are applied to devices, including new devices.
Traditionally, configuration provisioning is done by connecting to devices one-by-one via SSH, this is not practical in large networks.
Configuration management tools like Ansible, Puppet, and Chef allow us to make changes to devices on a mass scale with a fraction of the time/effort.
Two essential components:
Template
Template (Jinja2):
hostname {{hostname}}
!
interface GigabitEthernet0/0
 ip address {{address}} {{mask}}
 ip ospf {{process_id}} area {{area}}
Variables (YAML):
---
hostname: R1
address: 192.168.1.1
mask: 255.255.255.0
process_id: 1
area: 0
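The template and variable file above rendered into a configuration, as an added example (illustrative code, not from the original notes and not Ansible's own code). To stay standard-library only it assumes a flat "key: value" variable file and a tiny regex substitution in place of PyYAML and Jinja2; the two behaviours worth copying from the real tools are that an undefined variable aborts the render instead of producing a blank (Jinja2's StrictUndefined), and that values are validated before anything is pushed to a device.

```python
"""Rendering the template above with the variable file above, stdlib only. Added example;
the tiny YAML reader and {{ }} substitution stand in for PyYAML and Jinja2 (assumption: flat
'key: value' variables, no nesting), and undefined variables fail loudly instead of rendering blank."""
import ipaddress
import re

TEMPLATE = """hostname {{hostname}}
!
interface GigabitEthernet0/0
 ip address {{address}} {{mask}}
 ip ospf {{process_id}} area {{area}}
"""

VARIABLES_YAML = """---
hostname: R1
address: 192.168.1.1
mask: 255.255.255.0
process_id: 1
area: 0
"""

VAR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def load_flat_yaml(text: str) -> dict:
    """Parse 'key: value' lines; comments, blank lines and the '---' document marker are skipped."""
    variables = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line == "---":
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'key: value', got {raw!r}")
        variables[key.strip()] = value.strip()
    return variables


def render(template: str, variables: dict) -> str:
    """Substitute every {{ name }}. Missing names raise (like Jinja2's StrictUndefined):
    'ip address  255.255.255.0' pushed to a router is worse than no push at all."""
    missing = sorted(set(VAR_RE.findall(template)) - set(variables))
    if missing:
        raise KeyError("undefined template variables: " + ", ".join(missing))
    return VAR_RE.sub(lambda m: str(variables[m.group(1)]), template)


def validate(variables: dict) -> bool:
    """Checks worth running before a mass push: address/mask form a valid interface address
    (ipaddress rejects a non-contiguous mask), the address is a usable host address, and the
    OSPF process ID and area are integers in range."""
    iface = ipaddress.IPv4Interface(f"{variables['address']}/{variables['mask']}")
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    if not 1 <= int(variables["process_id"]) <= 65535:
        raise ValueError("OSPF process ID must be 1..65535")
    if not 0 <= int(variables["area"]) <= 0xFFFFFFFF:
        raise ValueError("OSPF area must be 0..4294967295")
    return True


if __name__ == "__main__":
    variables = load_flat_yaml(VARIABLES_YAML)
    validate(variables)
    print(render(TEMPLATE, variables))
```

Run as a script it prints the five-line configuration for R1; feeding it a variable file that lacks `mask` raises KeyError before any output is produced.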

Ansible

Ansible is a configuration management tool written in Python and owned by Red Hat.
It is agentless (It doesn’t require any special software to run on the managed devices). It uses SSH to connect to devices, make configuration changes, extract information, etc.
Ansible uses a push model, the Ansible server (Control node) uses SSH to connect to managed devices and push configuration changes to them (Puppet and Chef use a pull model).
Ansible requires several text files:
Playbooks: These ‘blueprints of automation tasks’, outline the logic and actions of the tasks that Ansible should do (written in YAML).
Inventory: These files list the devices, their characteristics and role (access switch, core switch, WAN router, firewall, etc) (written in INI or YAML).
Templates: These files represent a device’s configuration file without specific values for variables (written in Jinja2).
Variables: These variables and their values are substituted into the templates to create complete configuration files (written in YAML).
Ansible vs Puppet vs Chef

Logical Planes

What does a router do?
It forwards messages between networks by examining information in the Layer 3 header.
It uses a routing protocol like OSPF to share route information with other routers and build a routing table.
It uses ARP to build an ARP table, mapping IP addresses to MAC addresses.
It uses Syslog to keep logs of events that occur.
It allows a user to connect to it via SSH and manage it.
What does a switch do?
It forwards messages within a LAN by examining information in the Layer 2 header.
It uses STP to ensure there are no Layer 2 loops in the network.
It builds a MAC address table by examining the source MAC address of frames.
It uses Syslog to keep logs of events that occur.
It allows a user to connect to it via SSH and manage it.
The various functions of network devices can be logically divided up (categorized) into planes:
Data plane
Control plane
Management plane
The operations of the Management and Control plane are usually managed by the CPU of the device (relatively slow).
The data traffic of the Data plane is processed by specialized hardware called Application-Specific Integrated Circuit (ASIC) for maximum speed.

Software-Defined Networking (SDN)

SDN also called Software-Defined Architecture (SDA) or Controller-Based Networking, is an approach to networking to centralize the Control plane into an application called ‘controller’.

Southbound Interface (SBI)

The SBI is used for communication between the controller and the network devices it controls using a communication protocol and the Application Programming Interface (API).
Examples of SBIs:
OpenFlow
Cisco OpFlex
Cisco onePK
NETCONF

Northbound Interface (NBI)

The NBI is what allows us to interact with the controller, access the data it gathers about the network, program it, and make changes in the network via the SBI.
A Representational State Transfer API (REST API) is used on the controller as an interface for apps to interact with it.
Data is sent in a structured (serialized) format such as Javascript Object Notation (JSON) or Extensible Markup Language (XML)

SDN Architecture

Cisco SDN Solutions

SD-Access for automating campus LANs.
Application Centric Infrastructure (ACI) for automating data center networks.
SD-WAN for automating WANs.
Cisco Digital Network Architecture (DNA) Center is the controller at the center of SD-Access.
Console Port Security
By default, no password is needed to access the CLI of a Cisco IOS device via the console port.

Cisco IOS console to Laptop

Common serial settings: Serial line COM1, Speed 9600, Data bits 8, Stop bits 1, Parity None, Flow control None

## macOS through a serial console cable ##
% cd /dev
% ls -l | grep usb                          # find the tty device
% screen tty.usbserial-xxxxxxxx 9600
Switch>
# or:
% ls /dev/*usb*                             # find the tty device
% screen /dev/tty.usbserial-xxxxxxx 9600
Switch>

## Windows PC through a serial console cable ##
# Download PuTTY
# Serial line COMX (check Device Manager), Speed 9600
Switch>

Switch tty1 is now available
Press RETURN to get started

# Option 1: a shared line password
Router> enable
Router# configure terminal
Router(config)# line console 0
Router(config-line)# password Password123!
Router(config-line)# login
Router(config-line)# end
Router# exit

# Option 2 (preferred): per-user accounts
Router> enable
Router# configure terminal
Router(config)# username myuser secret Password123!
Router(config)# line console 0
Router(config-line)# login local                 # Require username and password to log in
Router(config-line)# logging synchronous         # Keep log messages from interrupting typed commands
Router(config-line)# exec-timeout 3 30           # Log the session out after 3 minutes 30 seconds idle
Router(config-line)# end
Router# exit

# Next console login (option 1 prompts for the line password; option 2 prompts for username and password)
Router con0 is now available
Press RETURN to get started.
User Access Verification
Password:
Router>
Appendix 1: Cisco IOS Commands
Switch tty1 is now available
Press RETURN to get started
Switch> enable
Switch# show ?                                   # Available options for the show command
Switch# show clock ?                             # Available options for show clock
Switch# show clock de                            # Press Tab to autocomplete
Switch# show clock detail
Switch# show version                             # Version of the Cisco IOS software
Switch# show flash
Switch# show file systems
Switch# show running-config                      # Show the whole device configuration
Switch# show interface description
Switch# show run interface fastEthernet 0/48
Switch# show run interface gi4/0/39
Switch# show ip interface brief
# Interface              IP-Address      OK? Method Status                Protocol
# GigabitEthernet0/0     unassigned      YES unset  administratively down down
# GigabitEthernet0/1     unassigned      YES unset  administratively down down
# GigabitEthernet0/2     unassigned      YES unset  administratively down down
# GigabitEthernet0/3     unassigned      YES unset  administratively down down
Switch# show interfaces status                   # Works only on switches (not routers)
# Port      Name   Status       Vlan  Duplex  Speed Type
# Fa0/1            connected    1     auto    auto  10/100BaseTX
# Fa0/2            notconnect   1     auto    auto  10/100BaseTX
# Gig0/1           connected    1     auto    auto  10/100/1000BaseTX
Switch# sh interfaces                            # Detailed view of all interfaces
Switch# sh interfaces g0/0                       # Detailed view of interface g0/0
Switch# sh interfaces | include address          # Filter by "address" (MAC addresses)
Switch# sh ip int brief | inc down               # Filter by "down"
Switch# sh port-security                         # Show port-security configuration on interfaces
Switch# sh port-security address                 # Show the MAC addresses secured on each port
Switch# sh mac address-table                     # Show the switch's MAC address table
#           Mac Address Table
# ------------------------------------------------
# Vlan    Mac Address       Type        Ports
# ----    -----------       --------    -----
#    1    0c2f.b011.9d00    DYNAMIC     Gi0/0
#    1    0c2f.b06a.3900    DYNAMIC     Gi0/2
Switch# clear mac address-table dynamic          # Clear the dynamic entries of the MAC address table
Switch# show cdp neighbors
Switch# show interfaces trunk

# Configure a management IP address
Switch# configure terminal
Switch(config)# interface vlan1                            # Switch Virtual Interface (SVI)
Switch(config-if)# ip address 192.168.1.253 255.255.255.0  # IP address of the switch (remote access and management)
Switch(config-if)# no shutdown
Switch(config)# ip default-gateway 192.168.1.254

# Hostname
Switch(config)# hostname SW3750                            # Change the hostname to "SW3750"
SW3750(config)# do show clock                              # "do" runs an exec command from config mode

# Secure Shell (SSH)
CISCO# show ip ssh
CISCO# configure terminal
CISCO(config)# ip domain-name networkdirection.com         # The FQDN of the device is used to name the RSA keys
CISCO(config)# crypto key generate rsa
# The name for the keys will be: CISCO.networkdirection.com
# Choose the size of the key modulus...
# How many bits in the modulus [512]: 2048
# % Generating 2048 bit RSA keys...
# *Feb 21 00:23:40: %SSH-5-ENABLED: SSH 1.99 has been enabled

## Virtual Teletype (VTY) lines: Telnet/SSH access to a switch or router ##
CISCO(config)# enable secret P4$$w0rd                      # Password for privileged EXEC (enable) mode
CISCO(config)# username myusername privilege 15 secret P4$$w0rd   # User "myusername" with full privileges
CISCO(config)# access-list 1 permit host 192.168.2.1       # Optional ACL: only this host may log in
CISCO(config)# ip ssh version 2                            # Disable SSHv1 ("1.99" above means both versions were accepted)
CISCO(config)# line vty 0 15                               # Virtual terminal lines (remote login)
CISCO(config-line)# login local
CISCO(config-line)# exec-timeout 5 0
CISCO(config-line)# transport input ssh                    # Allow only SSH (no Telnet)
CISCO(config-line)# access-class 1 in                      # Apply the ACL to the VTY lines (unlike ip access-group, which applies an ACL to an interface)
CISCO(config-line)# exit

# Virtual Local Area Network (VLAN)
Switch# show vlan
Switch# sh vlan brief
# VLAN Name                             Status    Ports
# ---- -------------------------------- --------- -------------------------------
# 1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
#                                                 Gi2/3
# 10   VLAN0010                         active    Gi1/0, Gi1/1, Gi1/2, Gi1/3
# 20   VLAN0020                         active    Gi2/0, Gi2/1, Gi2/2
# 30   VLAN0030                         active    Gi3/0, Gi3/1, Gi3/2, Gi3/3
SW3750(config)# vlan 123                                   # Create VLAN
SW3750(config-vlan)# name Vlan_Name                        # Name the VLAN
SW3750(config)# interface fastEthernet 0/48                # (interface name examples)
SW3750(config)# interface gi4/0/39
SW3750(config-if)# switchport mode access                  # Access port (vs trunk port)
SW3750(config-if)# switchport access vlan 123              # Assign the port to VLAN 123
SW3750(config)# interface range g1/0 - 3                   # Select a range of interfaces
SW3750(config-if-range)# switchport mode access
SW3750(config-if-range)# switchport access vlan 123

# Trunks
SW3750(config-if)# switchport trunk encapsulation dot1q    # IEEE 802.1Q encapsulation
SW3750(config-if)# switchport mode trunk                   # Trunk port (vs access port)
SW3750(config-if)# switchport trunk allowed vlan 10,30
SW3750(config-if)# switchport trunk allowed vlan add 20
SW3750(config-if)# switchport trunk allowed vlan remove 20
SW3750(config-if)# switchport trunk native vlan 1001       # Move the native VLAN off VLAN 1 (security)
SW3750(config-if)# do show interfaces trunk

# Port security
SW3750(config-if)# switchport port-security                # Enable port security (runs with default settings until tuned below)
SW3750(config-if)# switchport port-security maximum 1      # Allow only one MAC address on the interface
SW3750(config-if)# sw port-security mac-address sticky     # Learn and keep the first MAC address seen on the interface
SW3750(config-if)# sw port-security violation ?            # protect, restrict, or shutdown
SW3750(config-if)# shutdown                                # Shut down the interface
SW3750(config-if)# no shutdown                             # Bring the interface up
# *Feb 20 23:40:40: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
SW3750(config-if)# exit
SW3750(config)# exit                                       # Or Ctrl+Z to return to privileged EXEC mode
# *Feb 20 23:25:40: %SYS-5-CONFIG_I: Configured from console by console   # Timestamped config log message
SW3750# copy running-config startup-config                 # Save the configuration on the switch or router
SW3750# copy run start                                     # Same (short form)
SW3750# write memory                                       # Same (older form)

## Multilayer switch ##
L3SW# show redundancy
L3SW# show environment
L3SW(config)# default interface g0/1                       # Reset the interface to its default configuration
L3SW(config)# ip routing                                   # Enable Layer 3 routing on the switch
L3SW(config)# interface g0/1
L3SW(config-if)# no switchport                             # Routed port (L3 port, not an L2 switchport)
L3SW(config-if)# ip address 192.168.1.193 255.255.255.252
L3SW# show ip interface brief
L3SW(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.194       # Default route to the next hop (the router)
L3SW# show ip route
# Gateway of last resort is 192.168.1.194 to network 0.0.0.0
# S*    0.0.0.0/0 [1/0] via 192.168.1.194
#       192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
# C        192.168.1.192/30 is directly connected, GigabitEthernet0/1
# L        192.168.1.193/32 is directly connected, GigabitEthernet0/1

## Inter-VLAN routing via Switch Virtual Interfaces (SVI) ##
L3SW(config)# interface vlan10
L3SW(config-if)# ip address 192.168.1.62 255.255.255.192
L3SW(config-if)# no shutdown
L3SW(config)# interface vlan20
L3SW(config-if)# ip address 192.168.1.126 255.255.255.192
L3SW(config-if)# no shutdown
L3SW# show interfaces status

## Spanning Tree Protocol (STP) ##
L3SW# show spanning-tree
L3SW(config)# spanning-tree mode ?
# mst Multiple spanning tree mode # pvst Per-Vlan spanning tree mode # rapid-pvst Per-Vlan rapid spanning tree mode ## EthernetChannel ASW1# show ethernetchannel load-balance # Show EthernetChannel load balancing configuration ASW1(config)# port-channel load-balance <method> # Configure EthernetChannel load balancing method ASW1(config)# interface range g0/0 - 3 ASW1(config-if-range)# channel-group 1 mode <mode> # Configure EtherChannel ASW1# show etherchannel summary ASW1# show etherchannel port-channel ## SHOW Router # Router# show running-config # Or show run (Show whole device configuration) Router# show ip interface brief Router# show ip route ## DHCP Router ## Router# conf t Router(config)# ip dhcp pool <name> # Create pool (new network) Router(dhcp-config)# network 10.1.1.0 255.255.255.0 # New network address and subnetmask Router(dhcp-config)# default-router 10.1.1.254 # Specify default gateway (Same of the router) Router(dhcp-config)# dns-server 10.1.1.254 Router(dhcp-config)# lease <days> Router(dhcp-config)# domain-name <domain.com> Router(config)# ip dhcp excluded-address <ip> Router# show ip dhcp pool # Pool (DHCP Scope configuration) #Pool <name>: # Utilization mark (high/low) : 100 / 0 # Subnet size (first/next) : 0 / 0 # Total addresses : 254 # Leased addresses : 0 # Pending event : none # 1 subnet is currently in the pool : # Current index IP address range Leased addresses # 10.1.1.1 10.1.1.1 - 10.1.1.254 0 Router# sh ip dhcp binding # ip addresses allocated #Binding from all pools not associated with VRF: # IP address Client-ID/ Lease expiration Type # Hardware address/ # User name # 10.1.1.101 0100.0c29.bd80.b0 Mar 27 2023 03:49 PM Automatic Router# sh ip dhcp server statistics ## INTERFACE Router ## Router# conf t Router(config)# interface gigabit 0/1 Router(config-if)# description Corporate Network # Description "Corporate Network" Router(config-if)# ip address 192.168.0.1 255.255.255.0 # Set IP Address Router(config-if)# speed 1000 # Interface 
speed 1Gb/s (Default Auto) Router(config-if)# duplex full # Duplex mode (Default Auto) Router(config-if)# shutdown # Shutdown the interface Router(config-if)# no shutdown # Turn on the interface #*Feb 20 23:40:40: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up Router# show ip interface brief #Interface IP-Address OK? Method Status Protocol #GigabitEthernet0/0 10.255.5.91 YES NVRAM administratively down down #GigabitEthernet0/1 unassigned YES unset administratively down down ## INTERFACE LOOPBACK - ## Router(config)# interface loopback0 # Create a loopback interface #*Feb 20 23:51:40: %LINK-3-UPDOWN: Line protocol on Interface Loopback0, changed state to up Router# show ip interface brief #Interface IP-Address OK? Method Status Protocol #GigabitEthernet0/0 10.255.5.91 YES NVRAM administratively down down #GigabitEthernet0/1 192.168.0.1 YES manual up up #Loopback0 172.16.0.1 YES manual up up ## Router on a Stick (ROAS) - Multiple VLANs on a single interface ## R1(config)# interface g0/0 R1(config-if)# no shutdown R1(config-if)# interface g0/0.10 R1(config-subif)# encapsulation dot1q 10 # Attach VLAN 10 to the interface R1(config-subif)# ip address 192.168.1.62 255.255.255.192 R1(config-subif)# encapsulation dot1q 10 native # Make 10 the native VLAN on the Router sub-interface (Method 1 for native VLAN) R1(config)# no interface g0/0.10 # Delete sub-interface R1(config)# interface g0/0 R1(config-if)# ip address 192.168.1.62 255.255.255.192 # Configure IP address on the Router's physical interface (Method 2 for native VLAN) R1(config-subif)# interface g0/0.20 R1(config-subif)# encapsulation dot1q 20 # Attach VLAN 20 to the interface R1(config-subif)# ip address 192.168.1.126 255.255.255.192 R1(config)# no interface g0/0.10 # Delete sub-interface R1(config)# default interface g0/0 # Reset to default the interface ## IP ROUTE Router Static ## R1(config)# ip route <ip-address> <netmask> <next-hop> # Static Route method 1 R1(config)# ip route <ip-address> 
<netmask> <exit-interface> # Static Route method 2 R1(config)# ip route <ip-address> <netmask> <exit-interface> <next-hop> # Static Route method 3 R1(config)# ip route 192.168.4.0 255.255.255.0 192.168.13.3 # Static Route R2(config)# ip route 192.168.1.0 255.255.255.0 g0/0 # Static Route R2(config)# ip route 192.168.4.0 255.255.255.0 g0/1 192.168.24.4 # Static Route R1(config)# ip route 0.0.0.0 0.0.0.0 <next-hop-to-internet> # Default Route R1(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.2 R1# show ip route #Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP # D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area # N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 # E1 - OSPF external type 1, E2 - OSPF external type 2 # * - candidate default #Gateway of last resort is 203.0.113.2 to network 0.0.0.0 # S* 0.0.0.0/0 [1/0] via 203.0.113.2 # 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks # C 192.168.1.0/24 is directly connected, GigabitEthernet0/2 # L 192.168.1.1/32 is directly connected, GigabitEthernet0/2 # S 192.168.4.0/24 [1/0] via 192.168.13.3 ## OSPF Routing ## show ip route show ip protocols show running-config | section ospf show ip ospf neighbor show ip ospf database debug ip ospf adj debug ip ospf events clear ip ospf process clear ip ospf neighbor R1(config)# router ospf 1 # Enable OSPF on a router with the process ID 1 R1(config-router)# network 10.0.12.0 0.0.0.3 area 0 # Configure OSPF in all interfaces within that network R1(config-router)# network 10.0.13.0 0.0.0.3 area 0 R1(config-router)# network 172.16.1.0 0.0.0.15 area 0 R1(config)# interface [interface-id] R1(config-if)# ip ospf [process-id] area [area-id] # Configure OSPF directly on an interface R1(config-router)# passive-interface g2/0 # Stop sending OSPF 'hello' messages out of the interface (if the interface is not connected to another router) R1(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.2 # Connect to internet R1(config-router)# 
default-information originate # The router will become an ASBR router R1(config-router)# router-id ? # A.B.C.D OSPF router-id in IP address format R1(config-router)# router-id 1.1.1.1 R1# clear ip ospf process # Two ways to modify the OSPF cost R1(config-router)# auto-cost reference-bandwith <megabits-per-second> # Change reference bandwidth (much greater than the fastest interface) R1(config-if)# ip ospf cost <cost> # Manual configuation in the interface R1# show ip ospf interface brief R1# show ip ospf interface g0/0 ## Access Controls Lists ACLs ## ## Standard Numbered ACLs ## R1(config)# access-list number {deny | permit} ip wildcard-mask R1(config)# access-list 1 permit 192.168.1.1 # Permit only that host R1(config)# access-list 1 deny 192.168.1.0 0.0.0.255 # Deny network with the wild card /24 R1(config)# access-list 1 permit any # To avoid the default configuration "deny all" in any other network R1(config)# interface g0/2 R1(config-if)# ip access-group 1 out # Outbound (Standard ACLs should be applied as close to the destination as possible) ## Standard Named ACLs ## R1(config)# ip access-list standard acl-name R1(config-std-nacl)# [entry-number] {deny | permit} ip wildcard-mask R1(config)# ip access-list standard BLOCK_BOB R1(config-std-nacl)# 5 deny 1.1.1.1 R1(config-std-nacl)# 10 permit any R1(config-std-nacl)# remark ## CONFIGURED NOV 21 2020 ## R1(config)# interface g0/0 R1(config-if)# ip access-group BLOCK_BOB in ## Extended Numbered ACLs ## R1(config)# access-list number {permit | deny} protocol src-ip dest-ip ## Extended Named ACLs ## R1(config)# ip access-list extended {name | number} R1(config-ext-nacl)# [seq-number] {deny | permit} protocol src-ip dest-ip R1(config-ext-nacl)# deny udp 10.0.0.0 0.0.255.255 host 192.168.1.1 R1(config-ext-nacl)# deny icmp host 172.16.1.1 192.168.0.0 0.0.255.255 R1# show access-list R1# show running-config | section access-list ## Network Time Protocol NTP ## R1(config)# ntp server 216.239.35.0 # Google's address 
R1(config)# ntp server 216.239.35.4 R1(config)# ntp server 216.239.35.8 R1(config)# ntp server 216.239.35.12 R1# show ntp associations R1# show ntp status R1# show clock R1# show clock detail ## DNS in Cisco IOS ## R1(config)# ip name-server 8.8.8.8 R1(config)# ip domain lookup ## Dynamic Host Configuration Protocol DHCP ## # Router as a server R1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10 # Specify a range of addresses that won't be given R1(config)# ip dhcp pool LAB_POOL # Create pool R1(dhcp-config)# network 192.168.1.0 /24 R1(dhcp-config)# dns-server 8.8.8.8 # Specify the DNS server that DHCP clients should use R1(dhcp-config)# domain-name mydomain.com # Specify the domain name of the network (ie. PC1 = pc1.mydomain.com) R1(dhcp-config)# default-router 192.168.1.1 # Specify the default gateway R1(dhcp-config)# lease 0 5 30 # Specify the lease time (days hours minutes) R1# show ip dhcp binding # Show allocated address to clients # Router as a Relay Agent R1(config)# interface g0/1 R1(config-if)# ip helper-address 192.168.10.10 R1# show ip interface g0/1 ## Syslog ## R1# show logging R1(config)# logging 192.168.1.100 # Configure a logging server R1# terminal monitor # Enable Syslog messages when connecting via Telnet or SSH R1(config)# line console 0 R1(config-line)# logging synchronous CISCO(config)# banner login # # Configure Banners CISCO(config)# banner motd # ******************************************************* WARNING - PRIVATE ELECTRONIC DEVICE - ACCESS PROHIBITED Access to this device is not authorized. Any attempt for unauthorized access will be logged and appropriate legal action will be taken. 
*******************************************************# # Write Memory CISCO# copy running-config startup-config # Save configuration in the Switch or Router CISCO# copy run start # Same (Short version) CISCO# write memory # Same (Short version) # Update Firmware FTP or TFTP R1(config)# ip ftp username myusername R1(config)# ip ftp password Password123! R1# copy ftp: flash: # Copy FTP source destination # Address or name of remote host []? 192.168.1.1 # Source filename []? # File_name.bin # Destination filename []? # return to use same name R1# copy tftp: flash: # Copy TFTP source destination # Address or name of remote host []? 192.168.1.1 # Source filename []? # File_name.bin # Destination filename []? # return to use same name R1# show flash R1(config)# boot system flash:File_name.bin R1(config)# exit R1# write memory R1# reload R1# delete flash:OldFile_name.bin # Network Address Tranlation (NAT) PAT: R1(config)# interface g0/1 R1(config-if)# ip nat inside R1(config)# interface g0/0 R1(config-if)# ip nat outside R1(config)# access-list 1 permit 192.168.0.0 0.0.0.255 #PAT 1: R1(config)# ip nat pool POOL1 100.0.0.0 100.0.0.3 prefix-length 24 R1(config)# ip nat inside source list 1 pool POOL1 overload # Configure Port Address Translation (PAT) #PAT 2: (preferred) R1(config)# ip nat inside source list 1 interface g0/0 overload # Configure Port Address Translation (PAT) R1# show ip nat translations # PAT is widely used instead of static or dynamic R1# show ip nat statistics ## Voice VLANs SW1(config)# interface g0/0 SW1(config-if)# switchport mode access SW1(config-if)# switchport access vlan 10 SW1(config-if)# switchport voice vlan 11 SW1# show interfaces g0/0 switchport ## Port Security SW1(config-if)# switchport mode access SW1(config-if)# switchport port-security # Enable Port security with default (shutdown) SW1(config-if)# switchport port-security mac-address A.A.A. 
# Manually attach mac address to port Sw1(config-if)# switchport port-security mac-address sticky. # Port learns mac address automatically SW1(config-if)# switchport port-security violation shutdown # Default SW1(config-if)# switchport port-security violation restrict # Dropp packets without turning off the interface SW1# show port-security int g0/1 SW1# show mac address-table secure
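The ACL sections above list the entries but not how IOS evaluates them: entries are tried in sequence order, a wildcard bit of 0 means "must match" and 1 means "don't care" (the inverse of a subnet mask), and a packet that matches nothing hits the implicit deny at the end of every list. The following Python model is an added example, not code from the original notes; it re-creates standard ACL 1 and the extended named ACL from the cheat sheet and evaluates constructed sample packets against them. Packet and Entry are hypothetical names chosen for this example.

```python
"""Model of Cisco IOS access-list evaluation (added example, not from the notes)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:                  # hypothetical sample packet, constructed for the example
    src: str
    dst: str
    proto: str = "ip"          # "ip", "tcp", "udp" or "icmp"


@dataclass
class Entry:                   # one access-list entry, in IOS syntax
    seq: int
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # "any", "host A.B.C.D", "A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str = "any"           # standard ACLs only look at the source address


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS matching rules: 'any', 'host A', a bare address (host) or 'A WILDCARD'."""
    parts = spec.split()
    if parts == ["any"]:
        return True
    if parts[0] == "host":
        return _ip(addr) == _ip(parts[1])
    wild = _ip(parts[1]) if len(parts) > 1 else 0      # bare address = exact host match
    care = ~wild & 0xFFFFFFFF                           # 0 bits in the wildcard must match
    return (_ip(addr) & care) == (_ip(parts[0]) & care)


def wildcard_to_prefixlen(wild: str) -> int:
    """0.0.0.255 -> 24, 0.0.0.3 -> 30; raises for non-contiguous wildcards."""
    w = _ip(wild)
    if (w + 1) & w:            # contiguous wildcards have the form 2^n - 1
        raise ValueError(f"discontiguous wildcard mask {wild}")
    return 32 - w.bit_length()


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; (action, seq). seq None means the implicit deny."""
    for e in sorted(acl, key=lambda x: x.seq):
        if (e.proto in ("ip", pkt.proto)
                and wildcard_match(pkt.src, e.src)
                and wildcard_match(pkt.dst, e.dst)):
            return e.action, e.seq
    return "deny", None        # implicit "deny any" at the end of every ACL


# Standard ACL 1 from the cheat sheet (sequence numbers as IOS assigns them)
ACL_1 = [
    Entry(10, "permit", "ip", "192.168.1.1"),
    Entry(20, "deny", "ip", "192.168.1.0 0.0.0.255"),
    Entry(30, "permit", "ip", "any"),
]

# Extended named ACL from the cheat sheet: it has no permit, so everything
# that is not explicitly denied is still dropped by the implicit deny.
ACL_EXT = [
    Entry(10, "deny", "udp", "10.0.0.0 0.0.255.255", "host 192.168.1.1"),
    Entry(20, "deny", "icmp", "host 172.16.1.1", "192.168.0.0 0.0.255.255"),
]

if __name__ == "__main__":
    samples = [
        (ACL_1, Packet("192.168.1.1", "8.8.8.8")),
        (ACL_1, Packet("192.168.1.77", "8.8.8.8")),
        (ACL_EXT, Packet("10.3.4.5", "192.168.1.1", "udp")),
        (ACL_EXT, Packet("10.3.4.5", "192.168.1.1", "tcp")),
    ]
    for acl, pkt in samples:
        print(pkt, "->", evaluate(acl, pkt))
    print("0.0.0.255 is /%d" % wildcard_to_prefixlen("0.0.0.255"))
```

The tcp packet in the last sample line is the case people trip over: it matches neither deny entry, yet it is still dropped, because the named ACL never permits anything. Adding "permit ip any any" as the last entry, as the OfficeA_to_OfficeB list in the mega lab does, is what turns an ACL into a blocklist instead of an allowlist.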
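The static-route and "show ip route" material above shows the [AD/metric] bracket and a floating default route without spelling out the two selection steps a router performs: administrative distance decides which source's route is installed for a given prefix, and longest-prefix match decides which installed route forwards a packet. The following Python model is an added example, not code from the original notes; the candidate routes are constructed from the cheat sheet's addresses (the 192.168.13.3 and 203.0.113.x next hops) plus a hypothetical OSPF route for 10.0.0.0/8, and Route, install and lookup are names chosen for this example.

```python
"""Route installation by administrative distance and longest-prefix lookup
(added example, not from the notes)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: str        # "192.168.4.0/24", "0.0.0.0/0"
    source: str        # C connected, L local, S static, O OSPF (codes from show ip route)
    ad: int            # administrative distance: connected 0, static 1 (or as configured), OSPF 110
    next_hop: str      # next-hop address or exit interface
    metric: int = 0


def install(candidates: List[Route]) -> List[Route]:
    """Build the routing table: per prefix keep the route with the lowest AD,
    then the lowest metric. Equal-cost routes are not modelled (first one wins)."""
    best: Dict[str, Route] = {}
    for r in candidates:
        key = str(ipaddress.ip_network(r.prefix))
        cur = best.get(key)
        if cur is None or (r.ad, r.metric) < (cur.ad, cur.metric):
            best[key] = r
    return list(best.values())


def lookup(rib: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific installed route wins, whatever its AD."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in rib:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def show_ip_route(rib: List[Route]) -> List[str]:
    """Render the table in the style of the show ip route output on the page."""
    lines = []
    for r in sorted(rib, key=lambda x: (ipaddress.ip_network(x.prefix).prefixlen,
                                        ipaddress.ip_network(x.prefix).network_address)):
        code = r.source + ("*" if r.prefix == "0.0.0.0/0" else "")
        if r.source in ("C", "L"):
            lines.append(f"{code:<4}{r.prefix} is directly connected, {r.next_hop}")
        else:
            lines.append(f"{code:<4}{r.prefix} [{r.ad}/{r.metric}] via {r.next_hop}")
    return lines


# Constructed candidate routes: the R1 table from the cheat sheet, the floating
# default route from the mega lab (AD 2), and a hypothetical OSPF/static pair.
CANDIDATES = [
    Route("192.168.1.0/24", "C", 0, "GigabitEthernet0/2"),
    Route("192.168.1.1/32", "L", 0, "GigabitEthernet0/2"),
    Route("192.168.4.0/24", "S", 1, "192.168.13.3"),
    Route("0.0.0.0/0", "S", 1, "203.0.113.2"),          # primary default route
    Route("0.0.0.0/0", "S", 2, "203.0.113.5"),          # floating static, only installed when the AD-1 route is gone
    Route("10.0.0.0/8", "O", 110, "192.168.13.3", 20),  # learned by OSPF
    Route("10.0.0.0/8", "S", 1, "192.168.24.4"),        # static for the same prefix: lower AD wins
]

if __name__ == "__main__":
    rib = install(CANDIDATES)
    print("\n".join(show_ip_route(rib)))
    for dst in ("192.168.1.1", "192.168.4.9", "10.5.0.4", "8.8.8.8"):
        print(dst, "->", lookup(rib, dst))
    # Simulate losing the primary next hop: the floating static now gets installed.
    failover = install([r for r in CANDIDATES if r.next_hop != "203.0.113.2"])
    print("after failover 8.8.8.8 ->", lookup(failover, "8.8.8.8"))
```

Note that the /32 local route beats the connected /24 for the router's own address, and that the OSPF route loses to the static one purely on AD (110 vs 1), which is also why a mistyped static route can silently shadow what a routing protocol learned.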
Appendix 2: CCNA Mega Lab
Router> enable
Router# configure terminal

## Hostname
Router(config)# hostname R1
R1(config)# do write memory

## Enable password
R1(config)# enable ?                             # To see the options available
# password  Assign the privileged level password
# secret    Assign the privileged level secret.  # Type 5 (MD5)
R1(config)# enable secret Password123!
R1(config)# do show run | include secret
# enable secret 5 $UQSVhFFvZCpdZnhsECDjG9jn98tR/
CSW1(config)# enable ?                           # To see the options available
# algorithm-type  Algorithm to use for hashing the plaintext 'enable' secret   # Type 9 hashing
# password        Assign the privileged level password
# secret          Assign the privileged level secret.   # Type 5 (MD5)
CSW1(config)# enable algorithm-type scrypt secret Password123!
CSW1(config)# do sh run | i secret
# enable secret 9 $9$CU6vC5NasL2FH$ApaMpir4WhZH.58RqGsGNJn2UVSFo6zwzSLcZFhB5.MTg

## Local user password
R1(config)# username cisco secret ccna
CSW1(config)# username cisco algorithm-type scrypt secret ccna

## Console access
R1(config)# line console 0
R1(config-line)# login local                     # Require a local user to log in
R1(config-line)# logging synchronous
R1(config-line)# exec-timeout 30                 # 30 minutes

## Etherchannel
DSW-A1# show cdp neighbors
DSW-A1(config)# int range g1/0/4-5
DSW-A1(config-if-range)# channel-group 1 mode desirable   # Cisco Port Aggregation Protocol (PAgP)
DSW-B2(config-if-range)# channel-group 1 mode active      # Open standard Link Aggregation Control Protocol (LACP)
DSW-A1# show etherchannel summary

## Trunks
DSW-A1# show cdp neighbors
DSW-A1(config)# int range g1/0/1-3               # Towards the access switches
DSW-A1(config-if-range)# switchport mode trunk
DSW-A1(config-if-range)# switchport nonegotiate  # Disable Dynamic Trunking Protocol (DTP)
DSW-A1(config-if-range)# sw trunk native vlan 1000   # Unused native VLAN (security purposes)
DSW-A1(config-if-range)# sw tr allowed vlan 10,20,40,99
DSW-B2(config-if-range)# sw tr allowed vlan 10,20,30,99
DSW-A1(config)# int port-channel1                # Towards the other distribution switch
DSW-A1(config-if)# sw mode trunk
DSW-A1(config-if)# sw nonegotiate
DSW-A1(config-if)# sw trunk native vlan 1000
DSW-A1(config-if)# sw tr allowed vlan 10,20,40,99
DSW-B2(config-if)# sw tr allowed vlan 10,20,30,99
ASW-A1(config)# interface range g0/1-2
ASW-A1(config-if-range)# switchport mode trunk
ASW-A1(config-if-range)# switchport nonegotiate
ASW-A1(config-if-range)# switchport trunk native vlan 1000
ASW-A1(config-if-range)# switchport trunk allowed vlan 10,20,40,99
ASW-B2(config-if-range)# switchport trunk allowed vlan 10,20,30,99

## VLAN Trunking Protocol VTPv2 Server
DSW-A1# show vtp status
DSW-A1(config)# vtp domain JeremysITLab
DSW-A1(config)# vtp version 2                    # Server
ASW-A3(config)# vtp mode client                  # Client

## VLANs
DSW-A1# show vlan brief
DSW-A1(config)# vlan 10
DSW-A1(config-vlan)# name PCs
DSW-A1(config-vlan)# vlan 20
DSW-A1(config-vlan)# name Phones
DSW-A1(config-vlan)# vlan 40
DSW-A1(config-vlan)# name Wi-Fi
DSW-A1(config-vlan)# vlan 99
DSW-A1(config-vlan)# name Management
DSW-B1(config)# vlan 10
DSW-B1(config-vlan)# name PCs
DSW-B1(config-vlan)# vlan 20
DSW-B1(config-vlan)# name Phones
DSW-B1(config-vlan)# vlan 30
DSW-B1(config-vlan)# name Servers
DSW-B1(config-vlan)# vlan 99
DSW-B1(config-vlan)# name Management

## Access Switches
ASW-A1# sh cdp neig
ASW-A1# sh ip int brief
ASW-A1# sh vlan brief
ASW-A1(config)# int f0/1
ASW-A1(config-if)# sw mode access                # Automatically disables DTP
ASW-A1(config-if)# sw nonegotiate                # Explicitly disables DTP
ASW-A1(config-if)# sw acc vlan 99
ASW-A1(config)# int f0/2
ASW-A1(config-if)# sw mode trunk
ASW-A1(config-if)# sw trunk allowed vlan 40,99
ASW-A1(config-if)# sw trunk native vlan 99
ASW-A1(config-if)# sw nonegotiate
ASW-A2(config)# int f0/1
ASW-A2(config-if)# sw mode access
ASW-A2(config-if)# sw nonegotiate
ASW-A2(config-if)# sw access vlan 10
ASW-A2(config-if)# sw voice vlan 20

## Disable unused ports (security)
DSW-A1(config)# int range g1/0/6-24,g1/1/3-4
DSW-A1(config-if-range)# shutdown
ASW-A2(config)# int range f0/2-24
ASW-A2(config-if-range)# shutdown

## R1 - ISP interfaces (DHCP Client)
R1(config)# int range g0/0/0,g0/1/0
R1(config-if-range)# ip address dhcp
R1(config-if-range)# no shutdown

## R1 - Core Switches
R1(config)# int g0/0
R1(config-if)# ip address 10.0.0.33 255.255.255.252
R1(config-if)# no shutdown
R1(config)# int g0/1
R1(config-if)# ip address 10.0.0.37 255.255.255.252
R1(config-if)# no shutdown

## R1 Interface Loopback0
R1(config)# interface loopback0
R1(config-if)# ip address 10.0.0.76 255.255.255.255

## IPv4 Routing Core and Distribution Switches
CSW1(config)# ip routing
DSW-A1(config)# ip routing

## EtherChannel Core Switches
CSW1# sh cdp neig
CSW1(config)# int range g1/0/2-3
CSW1(config-if-range)# no switchport             # Convert to L3 routed ports
CSW1(config-if-range)# channel-group 1 mode desirable   # Cisco Port Aggregation Protocol (PAgP)
CSW1(config)# do sh ip int brief
CSW1(config)# int p1
CSW1(config-if)# ip address 10.0.0.41 255.255.255.252
CSW1# sh etherchannel summary

## IP addresses Core Switches
CSW1(config)# int g1/0/1
CSW1(config-if)# no switchport
CSW1(config-if)# ip address 10.0.0.34 255.255.255.252
configure terminal
interface g1/1/1
no switchport
ip address 10.0.0.45 255.255.255.252
interface g1/1/2
no switchport
ip address 10.0.0.49 255.255.255.252
interface g1/1/3
no switchport
ip address 10.0.0.53 255.255.255.252
interface g1/1/4
no switchport
ip address 10.0.0.57 255.255.255.252
interface loopback0
ip address 10.0.0.77 255.255.255.255
interface range g1/0/4-24
shutdown
exit

## IP addresses Distribution Switches
DSW-A1(config)# int g1/1/1
DSW-A1(config-if)# no switchport
DSW-A1(config-if)# ip address 10.0.0.46 255.255.255.252
DSW-A1(config)# int g1/1/2
DSW-A1(config-if)# no switchport
DSW-A1(config-if)# ip address 10.0.0.62 255.255.255.252
DSW-A1(config)# int loopback0
DSW-A1(config-if)# ip address 10.0.0.79 255.255.255.255

## IP management Access Switches
ASW-A1(config)# ip default-gateway 10.0.0.1
ASW-A1(config)# interface vlan 99
ASW-A1(config-if)# ip address 10.0.0.4 255.255.255.240
ASW-B1(config)# ip default-gateway 10.0.0.17
ASW-B1(config)# int vlan 99
ASW-B1(config-if)# ip address 10.0.0.20 255.255.255.240

## Hot Standby Router Protocol HSRP (Distribution Redundancy)
DSW-A1(config)# int vlan 99
DSW-A1(config-if)# ip address 10.0.0.2 255.255.255.240
DSW-A1(config-if)# standby version 2             # Activate HSRPv2
DSW-A1(config-if)# standby 1 ip 10.0.0.1         # Virtual IP address
DSW-A1(config-if)# standby 1 priority 105        # Increase the priority to become the active switch
DSW-A1(config-if)# standby 1 preempt             # Take over the active role as long as it is up and running
DSW-A1# show standby
DSW-A1(config)# int vlan 10                      # Repeat on every VLAN
DSW-A1(config-if)# ip address 10.1.0.2 255.255.255.0
DSW-A1(config-if)# standby version 2             # Activate HSRPv2
DSW-A1(config-if)# standby 2 ip 10.1.0.1         # Virtual IP address (must belong to the interface's subnet)
DSW-A1(config-if)# standby 2 priority 105        # Increase the priority to become the active switch
DSW-A1(config-if)# standby 2 preempt             # Take over the active role as long as it is up and running
DSW-A1# show standby

## Rapid Per-VLAN Spanning Tree (Rapid PVST+)
DSW-A1# show spanning-tree
# Spanning tree enabled protocol ieee            # Regular STP running
DSW-A1(config)# spanning-tree mode rapid-pvst    # Activate Rapid PVST+
ASW-A1(config)# spanning-tree mode rapid-pvst
DSW-A1(config)# spanning-tree vlan 10,99 priority 0   # Make it the root bridge (lowest priority)
DSW-A1(config)# spanning-tree vlan 20,40 priority 4096   # Matching the HSRP active/standby roles
DSW-A2(config)# spanning-tree vlan 20,40 priority 0
DSW-A2(config)# spanning-tree vlan 10,99 priority 4096
ASW-A1(config)# int f0/1                         # Connected to LWAP1
ASW-A1(config-if)# spanning-tree portfast        # Skip the 30 s listening/learning delay on ports connected to endpoints
ASW-A1(config-if)# spanning-tree bpduguard enable   # Disable the port if a switch (BPDU) is detected on it

## Dynamic Routing (OSPF)
R1# show ip ospf
R1(config)# router ospf 1                        # Process ID
R1(config-router)# router-id 10.0.0.76           # The IP address of its loopback interface
R1(config-router)# passive-interface l0
R1(config-router)# interface loopback0
R1(config-if)# ip ospf 1 area 0
R1# show ip int brief
R1(config)# int range g0/0-1                     # Select the interfaces towards the core switches
R1(config-if-range)# ip ospf 1 area 0            # Activate OSPF on the core switch interfaces
R1(config-if-range)# ip ospf network point-to-point   # Network type
CSW1(config)# router ospf 1
CSW1(config-router)# router-id 10.0.0.77         # Same IP address as its loopback interface
CSW1(config-router)# passive-interface loopback0
CSW1(config-router)# do sh ip int brief | exclude un   # Hide the unassigned interfaces
CSW1(config-router)# network 10.0.0.41 0.0.0.0 area 0   # Activate area 0 on the port-channel interface
CSW1(config-router)# network 10.0.0.34 0.0.0.0 area 0   # Activate area 0 on the R1 interface
CSW1(config-router)# network 10.0.0.45 0.0.0.0 area 0   # Activate area 0 on the DSW-A1 interface
CSW1(config-router)# network 10.0.0.49 0.0.0.0 area 0   # Activate area 0 on the DSW-A2 interface
CSW1(config-router)# network 10.0.0.53 0.0.0.0 area 0   # Activate area 0 on the DSW-B1 interface
CSW1(config-router)# network 10.0.0.57 0.0.0.0 area 0   # Activate area 0 on the DSW-B2 interface
CSW1(config-router)# network 10.0.0.77 0.0.0.0 area 0   # Activate area 0 on the loopback0 interface
CSW1(config)# int range g1/0/1,g1/1/1-4
CSW1(config-if-range)# ip ospf network point-to-point   # Network type on all physical interfaces
DSW-A1(config)# router ospf 1
DSW-A1(config-router)# router-id 10.0.0.79
DSW-A1(config-router)# passive-interface loopback0
DSW-A1(config-router)# passive-interface vlan 10
DSW-A1(config-router)# passive-interface vlan 20
DSW-A1(config-router)# passive-interface vlan 40
DSW-A1(config-router)# network 10.0.0.46 0.0.0.0 area 0
DSW-A1(config-router)# network 10.0.0.62 0.0.0.0 area 0
DSW-A1(config-router)# network 10.0.0.79 0.0.0.0 area 0
DSW-A1(config-router)# network 10.0.0.2 0.0.0.0 area 0
DSW-A1(config-router)# network 10.1.0.2 0.0.0.0 area 0
DSW-A1(config-router)# network 10.2.0.2 0.0.0.0 area 0
DSW-A1(config-router)# network 10.6.0.2 0.0.0.0 area 0
DSW-A1(config)# interface range g1/1/1-2
DSW-A1(config-if-range)# ip ospf network point-to-point
DSW-A2# show ip ospf neighbor

## Static Routing (Default gateway to Internet)
R1# sh cdp neighbor detail
R1# sh ip ospf neighbor
R1# sh ip int brief
R1(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.1   # Static route to the next hop on the internet (default gateway)
R1(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.5 2   # Floating static route with AD 2 (default AD of static routes is 1) for redundancy
R1(config)# router ospf 1
R1(config-router)# default-information originate   # As Autonomous System Boundary Router (ASBR), advertise the internet connection to the other routers in the OSPF area

## DHCP
R1(config)# ip dhcp excluded-address 10.0.0.1 10.0.0.10   # Range of IPs excluded from the DHCP pool
R1(config)# ip dhcp pool sales                   # Create the "sales" DHCP pool
R1(dhcp-config)# network 10.0.0.0 255.255.255.240   # Network address /28 of the DHCP pool
R1(dhcp-config)# default-router 10.0.0.1
R1(dhcp-config)# domain-name abrstudio.net
R1(dhcp-config)# dns-server 10.5.0.4
R1(dhcp-config)# option 43 ip 10.0.0.7           # Option 43 (WLC address)
DSW1(config)# int vlan 10
DSW1(config-if)# ip helper-address 10.0.0.76     # DHCP relay agent pointing to the R1 Loopback0 address
DSW1(config)# int vlan 99                        # Relay agent on each VLAN
DSW1(config-if)# ip helper-address 10.0.0.76
R1# show ip dhcp binding
R1# show ip dhcp pool

## DNS (Server1)
# A records and CNAME records: add all the DNS translations on Server 1

## Domain Name and DNS server (all devices)
R1(config)# ip domain name abrstudio.net
R1(config)# ip name-server 10.5.0.4
CSW1(config)# ip domain name abrstudio.net
CSW1(config)# ip name-server 10.5.0.4
DSW-A1(config)# ip domain name abrstudio.net
DSW-A1(config)# ip name-server 10.5.0.4
ASW-A1(config)# ip domain name abrstudio.net
ASW-A1(config)# ip name-server 10.5.0.4

## Network Time Protocol NTP
R1(config)# ntp master 5                         # Make R1 a stratum 5 NTP server
R1(config)# ntp server 216.239.35.0              # (not sure about the IP address)
R1(config)# ntp authentication-key 1 md5 ccna    # Create the NTP authentication key (for the switches)
R1(config)# ntp trusted-key 1                    # Trust key 1
CSW1(config)# ntp authentication-key 1 md5 ccna  # Same key on the clients
CSW1(config)# ntp trusted-key 1
CSW1(config)# ntp server 10.0.0.76 key 1         # Use key 1 to authenticate to the R1 NTP server
ASW-A1# show ntp status

## Simple Network Management Protocol SNMP
R1(config)# snmp-server community SNMPSTRING ro  # Join the SNMPSTRING community, read-only (all devices)

## Syslog
R1(config)# logging 10.5.0.4                     # Send logs to Server1
R1(config)# logging trap debugging               # Send messages up to the debugging severity level to the syslog server
R1(config)# logging buffered 8192                # Store syslog messages in a local buffer of 8192 bytes
R1# show logging

## File Transfer Protocol FTP
R1(config)# ip ftp username cisco                # FTP credentials
R1(config)# ip ftp password cisco
R1(config)# do ping 10.5.0.4
R1(config)# do copy ftp flash
# Address or name of remote host []? 10.5.0.4
# Source filename []? c2900-universalk9-mz.SPA.155-3.M4a.bin
# Destination filename [c2900-universalk9-mz.SPA.155-3.M4a.bin]?   # Press enter to keep the same name
# Accessing ftp://10.5.0.4/c2900-universalk9-mz.SPA.155-3.M4a.bin...
# It doesn't show anything, but it is working
R1(config)# do show flash
R1(config)# boot system flash:c2900-universalk9-mz.SPA.155-3.M4a.bin
R1(config)# do wr
R1(config)# do reload
R1# show version
R1# delete flash:c2900-universalk9-mz.SPA.151-4.M4.bin

## Secure Shell SSH
R1# show ip ssh
R1(config)# crypto key generate rsa              # Generate the SSH RSA key pair (4096 bits)
R1(config)# ip ssh version 2
R1(config)# access-list 1 permit 10.1.0.0 0.0.0.255   # ACL to allow management traffic only from the 10.1.0.0 network
R1(config)# line vty 0 15
R1(config-line)# access-class 1 in               # Apply ACL 1 to the VTY lines (SSH)
R1(config-line)# transport input ssh
R1(config-line)# login local
R1(config-line)# logging synchronous
R1(config-line)# exit
C:\>ssh -l cisco 10.0.0.76                       # Older syntax for old devices (instead of "ssh cisco@10.0.0.76")
Password123!

## Static Network Address Translation NAT
R1(config)# ip nat inside source static 10.5.0.4 203.0.113.113   # Static NAT so hosts on the internet can reach 10.5.0.4 (SRV1) via 203.0.113.113
R1(config)# int range g0/0/0,g0/1/0
R1(config-if-range)# ip nat outside              # Define the outside interfaces
R1(config)# int range g0/0-1
R1(config-if-range)# ip nat inside               # Define the inside interfaces

## Dynamic Port Address Translation (PAT)
R1(config)# access-list 2 permit 10.1.0.0 0.0.0.255   # Standard ACL matching the inside local addresses (used by dynamic PAT)
R1(config)# access-list 2 permit 10.2.0.0 0.0.0.255
R1(config)# access-list 2 permit 10.3.0.0 0.0.0.255
R1(config)# access-list 2 permit 10.4.0.0 0.0.0.255
R1(config)# access-list 2 permit 10.6.0.0 0.0.0.255
R1(config)# ip nat pool POOL1 203.0.113.200 203.0.113.207 netmask 255.255.255.248
R1(config)# ip nat inside source list 2 pool POOL1 overload
C:\>ping google.com

## Cisco Discovery Protocol CDP vs Link Layer Discovery Protocol LLDP
R1(config)# no cdp run
R1(config)# lldp run
ASW-A1(config)# no cdp run
ASW-A1(config)# lldp run
ASW-A1(config)# int f0/1
ASW-A1(config-if)# no lldp transmit

## Extended Access Control Lists ACLs
# Extended ACLs should be applied close to the source
# Standard ACLs should be applied close to the destination
DSW-A1(config)# ip access-list extended OfficeA_to_OfficeB
DSW-A1(config-ext-nacl)# permit icmp 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
DSW-A1(config-ext-nacl)# deny ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
DSW-A1(config-ext-nacl)# permit ip any any
DSW-A1(config-ext-nacl)# int vlan 10
DSW-A1(config-if)# ip access-group OfficeA_to_OfficeB in

## Port Security
ASW-A1(config)# int f0/1
ASW-A1(config-if)# switchport port-security
ASW-A1(config-if)# switchport port-security mac-address sticky
ASW-A1(config-if)# switchport port-security violation restrict
ASW-B2(config)# int f0/1
ASW-B2(config-if)# switchport port-security
ASW-B2(config-if)# switchport port-security maximum 2   # When a PC and a phone are connected to the same interface
ASW-B2(config-if)# switchport port-security mac-address sticky
ASW-B2(config-if)# switchport port-security violation restrict

## DHCP Snooping
ASW-A1(config)# ip dhcp snooping
ASW-A1(config)# ip dhcp snooping vlan 10,20,40,99
ASW-A1(config)# no ip dhcp snooping information option
ASW-A1(config)# int range g0/1-2
ASW-A1(config-if-range)# ip dhcp snooping trust   # Trusted ports (towards the DSWs)
ASW-A1(config-if-range)# int f0/1
ASW-A1(config-if)# ip dhcp snooping limit rate 15   # Untrusted port (PCs)
ASW-A1(config-if)# int f0/2
ASW-A1(config-if)# ip dhcp snooping limit rate 100  # Untrusted port (WLC1)

## Dynamic ARP Inspection DAI
ASW-A1(config)# ip arp inspection vlan 10,20,40,99
ASW-A1(config)# ip arp inspection validate src-mac dst-mac ip
ASW-A1(config)# int range g0/1-2
ASW-A1(config-if-range)# ip arp inspection trust

## IPv6
R1(config)# ipv6 unicast-routing                 # Enable IPv6 routing
R1(config)# int g0/0/0
R1(config-if)# ipv6 address 2001:db8:a::2/64     # Assign IPv6 addresses to the outside interfaces
R1(config)# int g0/1/0
R1(config-if)# ipv6 address 2001:db8:b::2/64     # 2001:db8 is a prefix allocated by the Internet Assigned Numbers Authority (IANA) for documentation and example purposes (RFC 3849)
R1(config)# int g0/0
R1(config-if)# ipv6 address 2001:db8:a1::/64 eui-64   # Assign IPv6 addresses to the inside interfaces
R1(config)# int g0/1
R1(config-if)# ipv6 address 2001:db8:a2::/64 eui-64   # EUI-64 is a 64-bit identifier generated from the MAC address of the interface; it is used as the unique IPv6 interface ID
CSW1(config)# ipv6 unicast-routing
CSW1(config)# int g1/0/1
CSW1(config-if)# ipv6 address 2001:db8:a1::/64 eui-64
CSW2(config)# ipv6 unicast-routing
CSW2(config)# int g1/0/1
CSW2(config-if)# ipv6 address 2001:db8:a2::/64 eui-64
CSW1(config)# int port-channel 1
CSW1(config-if)# ipv6 enable
CSW2(config)# int port-channel 1
CSW2(config-if)# ipv6 enable
R1(config)# ipv6 route ::/0 2001:db8:a::1        # Recursive route via the next hop
R1(config)# ipv6 route ::/0 g0/1/0 2001:db8:b::1 2   # Fully specified floating route with AD of 2
R1# show ipv6 int brief

## Wireless LAN Controller WLC
C:\> ping 10.0.0.7
https://10.0.0.7 (admin / adminPW12)
Controller > Interfaces > New
  Interface Name: Wi-Fi
  VLAN Id: 40
  <Apply>
Controller > Interfaces > Edit
  Physical Information
    Port Number: 1
  Interface Address
    VLAN Identifier: 40
    IP Address: 10.6.0.2
    Netmask: 255.255.255.0
    Gateway: 10.6.0.1
  DHCP Information
    Primary DHCP Server: 10.0.0.76
  <Apply>
WLANs > Create new > Go
  Type: WLAN
  Profile Name: Wi-Fi
  SSID: Wi-Fi
  ID: 1
  <Apply>
WLANs > Edit > 'Wi-Fi'
  General
    Enabled: Check
    Interface Group: Wi-Fi
  Security
    Layer 2 Security: WPA+WPA2
    WPA2 Policy: Check
    WPA2 Encryption: AES
    Authentication Key Mgmt: PSK
    PSK Format (ASCII): cisco123
  <Apply>
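The mega lab applies its hardening settings one device at a time, and the parts that matter to a reviewer are spread over several sections: enable secret with scrypt (type 9) rather than "enable password" or the MD5 type 5, SSHv2-only VTY lines with an access-class and exec-timeout, CDP turned off in favour of LLDP, a read-only SNMP community, and trunks with DTP disabled and the native VLAN moved off VLAN 1. The following Python script is an added example, not code from the original notes: it chec ks a saved running-config for those settings so they can be verified after the fact or compared across devices. The two configs it inspects are constructed samples (the hardened one reuses the type-9 hash shown earlier on the page and a labelled placeholder for the username hash), and parse_sections and audit are names chosen for this example. Finding codes such as VTY-TRANSPORT are my own labels.

```python
"""Static hardening audit of a Cisco IOS running-config (added example, not from the notes)."""
import re
from typing import Dict, List


def parse_sections(cfg: str) -> Dict[str, List[str]]:
    """Group lines under their parent command ('' holds global lines).
    IOS indents sub-commands with a single space; '!' lines are separators."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
            sections[""].append(current)
    return sections


def audit(cfg: str) -> List[str]:
    """Return one 'CODE: explanation' string per weakness found."""
    s = parse_sections(cfg)
    g = s[""]
    out: List[str] = []
    if any(l.startswith("enable password") for l in g):
        out.append("ENABLE-PASSWORD: 'enable password' is not a one-way hash; use 'enable algorithm-type scrypt secret'")
    if any(l.startswith("enable secret 5 ") for l in g):
        out.append("ENABLE-MD5: enable secret is type 5 (MD5); re-enter it with 'enable algorithm-type scrypt secret' (type 9)")
    if any(re.match(r"username \S+ password", l) for l in g):
        out.append("USER-PASSWORD: local user configured with 'password'; use 'username ... algorithm-type scrypt secret'")
    if "ip ssh version 2" not in g:
        out.append("SSH-VERSION: 'ip ssh version 2' missing, so SSHv1 may still be negotiated")
    if "no cdp run" not in g:
        out.append("CDP: CDP is still enabled globally; add 'no cdp run' (use LLDP only where needed)")
    for l in g:
        m = re.match(r"snmp-server community \S+ (ro|rw)", l, re.I)
        if m and m.group(1).lower() == "rw":
            out.append(f"SNMP-RW: read-write SNMP community in '{l}'")
    for name, body in s.items():
        if name.startswith("line vty"):
            transports = [b.split()[2:] for b in body if b.startswith("transport input")]
            if not transports or any(t not in (["ssh"], ["none"]) for t in transports):
                out.append(f"VTY-TRANSPORT: {name} accepts non-SSH transports; set 'transport input ssh'")
            if not any(b.startswith("access-class") for b in body):
                out.append(f"VTY-ACL: {name} has no 'access-class' restricting management sources")
            if not any(b.startswith("exec-timeout") for b in body):
                out.append(f"VTY-TIMEOUT: {name} has no 'exec-timeout'")
        elif name.startswith("interface") and "switchport mode trunk" in body:
            if "switchport nonegotiate" not in body:
                out.append(f"TRUNK-DTP: {name} is a trunk with DTP still enabled; add 'switchport nonegotiate'")
            natives = [b for b in body if b.startswith("switchport trunk native vlan")]
            if not natives or natives[0].endswith(" 1"):
                out.append(f"TRUNK-NATIVE: {name} uses native VLAN 1; move it to an unused VLAN")
    return out


# Constructed sample: a device before the hardening steps of the lab.
WEAK_CONFIG = """hostname R1
enable password Password123!
username cisco password 0 ccna
ip domain name abrstudio.net
snmp-server community public RW
!
interface GigabitEthernet0/1
 switchport mode trunk
!
line vty 0 15
 login local
 transport input telnet ssh
!
"""

# Constructed sample: the same device after the lab's hardening steps.
HARDENED_CONFIG = """hostname R1
enable secret 9 $9$CU6vC5NasL2FH$ApaMpir4WhZH.58RqGsGNJn2UVSFo6zwzSLcZFhB5.MTg
username cisco secret 9 $9$PLACEHOLDER-HASH
no cdp run
ip domain name abrstudio.net
ip ssh version 2
snmp-server community SNMPSTRING RO
access-list 1 permit 10.1.0.0 0.0.0.255
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 1000
!
line vty 0 15
 access-class 1 in
 exec-timeout 5 0
 login local
 transport input ssh
!
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  ", f)
```

Feed it the output of "show running-config" saved to a file (copy it with "copy running-config tftp:" or over SSH); the checks are deliberately limited to settings the page itself configures, so a clean result means "matches the lab", not "fully hardened".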
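The IPv6 section says EUI-64 derives the interface ID from the MAC address but not how. The steps are: split the 48-bit MAC into two 24-bit halves, insert FFFE between them, and flip the universal/local bit (bit 7 of the first byte), then append the 64-bit result to the /64 prefix. The following Python functions are an added example, not code from the original notes; they implement that derivation and its reverse, using the MAC 0c2f.b011.9d00 from the MAC table earlier on the page and the 2001:db8:a1::/64 prefix from this section as constructed inputs. The reverse function is included because the same property that makes the address deterministic also means the MAC is readable from any EUI-64 address seen in logs or captures.

```python
"""Modified EUI-64 interface IDs: MAC -> IPv6 address and back (added example, not from the notes)."""
import ipaddress
from typing import Optional


def _mac_bytes(mac: str) -> bytes:
    """Accept 0c2f.b011.9d00, 0c:2f:b0:11:9d:00 or 0c-2f-b0-11-9d-00."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> str:
    """Return the 64-bit interface ID as four hextets, e.g. '0e2f:b0ff:fe11:9d00'."""
    b = bytearray(_mac_bytes(mac))
    b[0] ^= 0x02                                  # flip the universal/local bit
    eui = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])  # insert FFFE in the middle
    h = eui.hex()
    return ":".join(h[i:i + 4] for i in range(0, 16, 4))


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface ID, as 'ipv6 address <prefix> eui-64' does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid = int(eui64_interface_id(mac).replace(":", ""), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC (Cisco dotted format) from an EUI-64 address, or None if the
    interface ID was not built that way (e.g. a privacy or manually assigned address)."""
    low = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF
    b = bytearray(low.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    mac = (bytes(b[:3]) + bytes(b[5:])).hex()
    return ".".join(mac[i:i + 4] for i in range(0, 12, 4))


if __name__ == "__main__":
    # Constructed inputs: MAC from the page's MAC table and the inside prefix from this section.
    addr = eui64_address("2001:db8:a1::/64", "0c2f.b011.9d00")
    print(addr)                                   # 2001:db8:a1:0:e2f:b0ff:fe11:9d00
    print(mac_from_eui64(addr))                   # 0c2f.b011.9d00
    print(mac_from_eui64("2001:db8:a1::1"))       # None (manually assigned)
```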