ccna icnd2

Post on 18-Nov-2014


CCNA ICND2

VTP

VTP With Two Servers

VTP Pruning

VTP Features

Function | Server | Client | Transparent
Only sends VTP messages out ISL or 802.1Q trunks | Yes | Yes | Yes
Supports CLI configuration of VLANs | Yes | No | Yes
Can use normal-range VLANs (1–1005) | Yes | Yes | Yes
Can use extended-range VLANs (1006–4095) | No | No | Yes
Synchronizes (updates) its own config database when receiving VTP messages with a higher revision number | Yes | Yes | No
Creates and sends periodic VTP updates every 5 minutes | Yes | Yes | No
Does not process received VTP updates, but does forward received VTP updates out other trunks | No | No | Yes
Places the VLAN ID, VLAN name, and VTP configuration into the running-config file | No | No | Yes
Places the VLAN ID, VLAN name, and VTP configuration into the vlan.dat file in flash | Yes | Yes | Yes

One Switch Three VLAN

Two Switch Three VLAN

VLAN Trunking Configuration

■ The type of trunking: IEEE 802.1Q, ISL, or negotiate which one to use

■ The administrative mode: Whether to trunk, not trunk, or negotiate

Trunking Administrative Mode

Command Option | Description
access | Prevents the use of trunking, making the port always act as an access (nontrunk) port
trunk | Always uses trunking
dynamic desirable | Initiates negotiation messages and responds to negotiation messages to dynamically choose whether to start using trunking, and defines the trunking encapsulation
dynamic auto | Passively waits to receive trunk negotiation messages, at which point the switch will respond and negotiate whether to use trunking, and if so, the type of trunking

Expected Trunking Mode

Administrative Mode | Access | Dynamic Auto | Trunk | Dynamic Desirable
access | Access | Access | Access | Access
dynamic auto | Access | Access | Trunk | Trunk
trunk | Access | Trunk | Trunk | Trunk
dynamic desirable | Access | Trunk | Trunk | Trunk

Voice VLAN

Spanning Tree Protocol (IEEE 802.1D)

Problem | Description
Broadcast storms | The forwarding of a frame repeatedly on the same links, consuming significant parts of the links’ capacities
MAC table instability | The continual updating of a switch’s MAC address table with incorrect entries, in reaction to looping frames, resulting in frames being sent to the wrong locations
Multiple frame transmission | A side effect of looping frames in which multiple copies of one frame are delivered to the intended host, confusing the host

STP Block

STP Forwarding State Criteria

■ STP elects a root switch. STP puts all working interfaces on the root switch in Forwarding State.

■ Each nonroot switch considers one of its ports to have the least administrative cost between itself and the root switch. STP places this least-root-cost interface, called that switch’s root port (RP), in Forwarding State.

■ Many switches can attach to the same Ethernet segment. The switch with the lowest administrative cost from itself to the root bridge, as compared with the other switches attached to the same segment, is placed in Forwarding State. The lowest-cost switch on each segment is called the designated bridge, and that bridge’s interface, attached to that segment, is called the designated port (DP).

STP Forwarding or Blocking

Characterization of Port | STP State | Description
All the root switch’s ports | Forwarding | The root switch is always the designated switch on all connected segments.
Each nonroot switch’s root port | Forwarding | The port through which the switch has the least cost to reach the root switch.
Each LAN’s designated port | Forwarding | The switch forwarding the lowest-cost BPDU onto the segment is the designated switch for that segment.
All other working ports | Blocking | The port is not used for forwarding frames, nor are any frames received on these interfaces considered for forwarding.

STP Hello BPDU

Field | Description
Root bridge ID | The bridge ID of the bridge/switch that the sender of this Hello currently believes to be the root switch
Sender’s bridge ID | The bridge ID of the bridge/switch sending this Hello BPDU
Cost to reach root | The STP cost between this switch and the current root
Timer values on the root switch | Includes the Hello timer, MaxAge timer, and Forward Delay timer

STP Tie Breaking Decision

1. Lowest root bridge ID
2. Lowest root path cost to root bridge
3. Lowest sender bridge ID
4. Lowest sender port ID

Electing Root Bridge

SW1 Wins Election

Switch Root Port

Spanning Tree States

State | Forwards Data Frames? | Learns MACs Based on Received Frames? | Transitory or Stable State?
Blocking | No | No | Stable
Listening | No | No | Transitory
Learning | No | Yes | Transitory
Forwarding | Yes | Yes | Stable
Disabled | No | No | Stable

Default Port Cost (IEEE)

Ethernet Speed | Original IEEE Cost | Revised IEEE Cost
10 Mbps | 100 | 100
100 Mbps | 10 | 19
1 Gbps | 1 | 4
10 Gbps | 1 | 2

Steady State Condition

1. The root creates and sends a Hello BPDU, with a cost of 0, out all its working interfaces (those in a Forwarding State).
2. The nonroot switches receive the Hello on their root ports. After changing the Hello to list their own bridge ID as the sender’s BID, and listing that switch’s root cost, the switch forwards the Hello out all designated ports.
3. Steps 1 and 2 repeat until something changes.
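Added example, not part of the slides: a small Python simulation of the root election, root-port choice and designated-port choice described above, using the tie-break order and the revised IEEE port costs from the tables. The three-switch topology, priorities, MAC addresses and port numbers are constructed.

```python
import heapq

REVISED_IEEE_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}  # link speed (Mbps) -> port cost

def bid(priority, mac):
    """Bridge ID as a comparable tuple: priority first, then the burned-in MAC."""
    return (priority, mac.lower())

# Constructed topology: name -> (bridge ID, [(port_id, neighbour, link speed in Mbps)]).
# One link per switch pair; both ends of a link run at the same speed.
TOPOLOGY = {
    "SW1": (bid(32769, "0200.0000.1111"), [(1, "SW2", 1000), (2, "SW3", 1000)]),
    "SW2": (bid(32769, "0200.0000.2222"), [(1, "SW1", 1000), (2, "SW3", 100)]),
    "SW3": (bid(32769, "0200.0000.3333"), [(1, "SW1", 1000), (2, "SW2", 100)]),
}

def peer_port(topo, name, nbr):
    """Port number on nbr that faces name (needed for the sender-port-ID tie-break)."""
    return next(p for p, n, _ in topo[nbr][1] if n == name)

def elect_root(topo):
    """Tie-break rule 1: the lowest bridge ID wins the root election."""
    return min(topo, key=lambda n: topo[n][0])

def root_path_costs(topo, root):
    """Root advertises cost 0; each switch adds the cost of the port the Hello arrives on."""
    best, frontier = {root: 0}, [(0, root)]
    while frontier:
        cost, node = heapq.heappop(frontier)
        for _, nbr, speed in topo[node][1]:
            new = cost + REVISED_IEEE_COST[speed]
            if new < best.get(nbr, float("inf")):
                best[nbr] = new
                heapq.heappush(frontier, (new, nbr))
    return best

def root_port(topo, name, root, costs):
    """Rules 2-4: lowest root path cost, then lowest sender BID, then lowest sender port ID."""
    if name == root:
        return None
    return min((costs[nbr] + REVISED_IEEE_COST[spd], topo[nbr][0], peer_port(topo, name, nbr), port)
               for port, nbr, spd in topo[name][1])[3]

def designated(topo, name, port, nbr, costs):
    """This end is designated if its (root cost, BID, port ID) Hello beats the far end's."""
    return (costs[name], topo[name][0], port) < (costs[nbr], topo[nbr][0], peer_port(topo, name, nbr))

def port_states(topo):
    """Forwarding for root ports and designated ports, Blocking for everything else."""
    root = elect_root(topo)
    costs = root_path_costs(topo, root)
    states = {}
    for name, (_, links) in topo.items():
        rp = root_port(topo, name, root, costs)
        for port, nbr, _ in links:
            fwd = port == rp or designated(topo, name, port, nbr, costs)
            states[(name, port)] = "Forwarding" if fwd else "Blocking"
    return states
```

With equal priorities SW1 wins on MAC address, SW2 wins the 100 Mbps segment against SW3 on bridge ID, and SW3's port 2 is the single blocked port that breaks the loop.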

STP Timers

Timer | Description | Default Value
Hello | The time period between Hellos created by the root. | 2 sec.
Max Age | How long any switch should wait, after ceasing to hear Hellos, before trying to change the STP topology. | 10 times Hello
Forward Delay | Delay that affects the process that occurs when an interface changes from Blocking State to Forwarding State. A port stays in an interim Listening State, and then an interim Learning State, for the number of seconds defined by the forward delay timer. | 15 sec.

Reacting To Link Failure

Etherchannel

Rapid STP(IEEE 802.1w)

RSTP (802.1w) works just like STP (802.1d) in several ways:

■ It elects the root switch using the same parameters and tiebreakers.

■ It elects the root port on nonroot switches with the same rules.

■ It elects designated ports on each LAN segment with the same rules.

■ It places each port in either Forwarding or Blocking State, although RSTP calls the Blocking State the Discarding State.

RSTP Link and Edge Type

RSTP and STP Port State

Operational State | STP State (802.1d) | RSTP State (802.1w) | Forwards Data Frames in This State?
Enabled | Blocking | Discarding | No
Enabled | Listening | Discarding | No
Enabled | Learning | Learning | No
Enabled | Forwarding | Forwarding | Yes
Disabled | Disabled | Discarding | No

RSTP Port Roles

RSTP and STP Port Roles

RSTP Role | STP Role | Definition
Root port | Root port | A single port on each nonroot switch in which the switch hears the best BPDU out of all the received BPDUs
Designated port | Designated port | Of all switch ports on all switches attached to the same segment/collision domain, the port that advertises the “best” BPDU
Alternate port | — | A port on a switch that receives a suboptimal BPDU
Backup port | — | A nondesignated port on a switch that is attached to the same segment/collision domain as another port on the same switch
Disabled | — | A port that is administratively disabled or is not capable of working for other reasons

RSTP Convergence

Multiple Instances of STP

Three Options MST

Option | Supports STP | Supports RSTP | Configuration Effort | Only One Instance Required for Each Redundant
PVST+ | Yes | No | small | No
PVRST | No | Yes | small | No
MIST | No | Yes | medium | Yes

Bridge Priority and System ID (figure)

Without system ID extension: Priority (0–65535) | System ID (MAC Address)
With system ID extension: Priority (multiple of 4096) | System ID Extension (typically holds VLAN ID) | System ID (MAC Address)

STP Configuration

Setting / Default / Command(s) to Change Default

Bridge ID
  Default: Priority 32,768 + VLAN ID; System ID: a burned-in MAC on the switch
  Commands: spanning-tree vlan vlan-id root {primary | secondary}
            spanning-tree vlan vlan-id priority priority

Interface cost
  Default: 100 for 10 Mbps, 19 for 100 Mbps, 4 for 1 Gbps, 2 for 10 Gbps
  Command: spanning-tree vlan vlan-id cost cost

PortFast
  Default: Not enabled
  Command: spanning-tree portfast

BPDU Guard
  Default: Not enabled
  Command: spanning-tree bpduguard enable

STP Analysis

IP Forwarding

LAN Switching

MAC Broadcast

Unicast Traffic

IP Address Design

IP Standard and Extended ACL

Cisco Access List

■ Packets can be filtered as they enter an interface, before the routing decision.

■ Packets can be filtered before they exit an interface, after the routing decision.

■ Deny is the term used in Cisco IOS software to imply that the packet will be filtered.

■ Permit is the term used in Cisco IOS software to imply that the packet will not be filtered.

■ The filtering logic is configured in the access list.

■ At the end of every access list is an implied “deny all traffic” statement. Therefore, if a packet does not match any of your access list statements, it is blocked.
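Added example, not from the slides: a Python evaluator for numbered extended ACLs that applies the rules above (first matching statement wins, implied deny all at the end) using Cisco wildcard-mask semantics. The ACL lines and the packets are constructed; the `access-list` statement syntax is the IOS one.

```python
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse one numbered extended ACE:
    access-list <num> permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]"""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = parse_addr(t[4:])
    sport, rest = (int(rest[1]), rest[2:]) if rest[:1] == ["eq"] else (None, rest)
    dst, rest = parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def ace_matches(ace, pkt):
    """pkt: dict with proto, src, dst and optional sport/dport (constructed packets)."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
        return False
    return ace["dport"] is None or ace["dport"] == pkt.get("dport")

def evaluate(acl_lines, pkt):
    """First matching statement decides. Returns (action, line number); a packet that
    matches nothing hits the implied 'deny all traffic' at the end of every list."""
    for n, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], n
    return "deny", None

# Constructed ACL: the 10.1.1.0/24 LAN may reach the web server only on TCP 80,
# everything else from that LAN to the server is denied, all other traffic is permitted.
ACL_101 = [
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 80",
    "access-list 101 deny ip 10.1.1.0 0.0.0.255 host 192.0.2.10",
    "access-list 101 permit ip any any",
]
```

Dropping the final `permit ip any any` shows the implied deny: a packet from another subnet that matched line 3 before now returns ("deny", None).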

VPN

• Confidentiality (Privacy): Preventing anyone in the middle of the Internet (man in the middle) from being able to read the data

• Authentication: Verifying that the sender of the VPN packet is a legitimate device and not a device used by an attacker

• Data integrity: Verifying that the packet was not changed as the packet transited the Internet

• Anti-replay: Preventing a man in the middle from copying and later replaying the packets sent by a legitimate user for the purpose of appearing to be a legitimate user

VPN Tunnel Concept for Site to site VPN

Intranet, Extranet and Access VPN

Basic IPSec Encryption Process

Steps for IPSec Encryption Process

1. The sending VPN device (like the remote office router) feeds the original packet and the session key into the encryption formula, calculating the encrypted data.
2. The sending device encapsulates the encrypted data into a packet, which includes the new IP header and VPN header.
3. The sending device sends this new packet to the destination VPN device.
4. The receiving VPN device runs the corresponding decryption formula, using the encrypted data and session key (the same value as was used on the sending VPN device) to decrypt the data.

Comparing VPN Encryption Algorithm

Encryption Algorithm | Key Length (Bits) | Comments
Data Encryption Standard (DES) | 56 | Older and less secure than the others listed here
Triple DES (3DES) | 56 * 3 | Applies three different 56-bit DES keys in succession, improving encryption strength compared with DES
Advanced Encryption Standard (AES) | 128 and 256 | Considered the current best practice, with strong encryption and less computation compared with 3DES

SSL VPN Options

Routing IP over Serial

Replacing Serial with Tunnel

Tunnel Routers Learning

Encapsulating IP Packet in GRE Packet

Routing Protocol Function

1. Learn routing information about IP subnets from other neighboring routers.
2. Advertise routing information about IP subnets to other neighboring routers.
3. If more than one possible route exists to reach one subnet, pick the best route based on a metric.
4. If the network topology changes (for example, a link fails), react by advertising that some routes have failed, and pick a new currently best route. (This process is called convergence.)

IP IGP Metrics

IGP | Metric | Description
RIP-1, RIP-2 | Hop count | The number of routers (hops) between a router and the destination subnet.
OSPF | Cost | The sum of all interface cost settings for all links in a route, with the cost defaulting to be based on interface bandwidth.
EIGRP | Composite of bandwidth and delay | Calculated based on the route’s slowest link and the cumulative delay associated with each interface in the route.

Distance Vector Protocol

Link State Routing Protocol

■ Router LSA: Includes a number to identify the router (router ID), the router’s interface IP addresses and masks, the state (up or down) of each interface, and the cost (metric) associated with the interface.

■ Link LSA: Identifies each link (subnet) and the routers that are attached to that link. It also identifies the link’s state (up or down).

Dijkstra Algorithm

OSPF Neighbor

Specifically, the following must match before a pair of routers become neighbors:

■ Subnet mask used on the subnet
■ Subnet number (as derived using the subnet mask and each router's interface IP address)
■ Hello interval
■ Dead interval
■ OSPF area ID
■ Must pass authentication checks (if used)
■ Value of the stub area flag

OSPF Early Neighbor States

OSPF Database Exchange

Step 1 Based on the OSPF interface type, the routers may or may not collectively elect a Designated Router (DR) and Backup Designated Router (BDR).
Step 2 For each pair of routers that need to become fully adjacent, mutually exchange the contents of their respective LSDBs.
Step 3 When completed, the neighbors monitor for changes and periodically reflood LSAs while in the Full (fully adjacent) neighbor state.

Choosing DR

OSPF DR Prerequisites

■ The router sending the Hello with the highest OSPF priority setting becomes the DR.

■ If two or more routers tie with the highest priority setting, the router sending the Hello with the highest RID wins.

■ It's not always the case, but typically the router with the second-highest priority becomes the BDR.

■ A priority setting of 0 means that the router does not participate in the election and can never become the DR or BDR.

■ The range of priority values that allow a router to be a candidate are 1 through 255.

■ If a new, better candidate comes along after the DR and BDR have been elected, the new candidate does not preempt the existing DR and BDR.

Two Area OSPF

OSPF Area Design Advantages

■ The smaller per-area LSDB requires less memory.

■ The router requires fewer CPU cycles to process the smaller per-area LSDB.

■ The SPF algorithm has to be run on internal routers only when an LSA inside the area changes, so routers have to run SPF less often.

■ Less information must be advertised between areas, reducing the bandwidth required to send LSAs.

■ Manual summarization can only be configured on ABRs and ASBRs, so areas allow for smaller IP routing tables by allowing for the configuration of manual route summarization.

OSPF Single Area

OSPF Single Area Configuration

interface ethernet 0/0
 ip address 10.1.1.1 255.255.255.0
interface serial0/0
 ip address 10.1.4.1 255.255.255.0
interface serial0/1
 ip address 10.1.6.1 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0

OSPF Multi Area

OSPF Multi Area Configuration

router ospf 1
 network 10.1.1.1 0.0.0.0 area 0
 network 10.1.4.1 0.0.0.0 area 1
 network 10.1.6.1 0.0.0.0 area 0

EIGRP Updates

EIGRP Metric Formula

Metric = (10^7 / least-bandwidth + cumulative-delay) * 256

EIGRP Metric

Feasible and Reported Distance

EIGRP Feasible Successor

A router determines if a route is a feasible successor based on the feasibility condition:

If a nonsuccessor route’s RD is less than the FD, the route is a feasible successor route.
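Added example, not from the slides: the metric formula and the feasibility condition above worked in Python for one destination learned from three neighbours. The neighbours, bandwidths and delays are constructed; the IOS units (bandwidth in kbps, delay in tens of microseconds) and the integer truncation of the bandwidth term are assumptions stated in the comments.

```python
def eigrp_metric(least_bandwidth_kbps, cumulative_delay_tens_us):
    """EIGRP composite metric with the default K-values, as written on the slide:
    Metric = (10^7 / least-bandwidth + cumulative-delay) * 256.
    Assumed IOS conventions: bandwidth in kbps, delay in tens of microseconds,
    and only the integer part of the bandwidth term is kept."""
    return (10**7 // least_bandwidth_kbps + cumulative_delay_tens_us) * 256

def classify_routes(candidates):
    """Pick the successor and the feasible successors for one destination.
    Each candidate carries the neighbour's advertised least bandwidth / cumulative
    delay to the destination (giving its reported distance, RD) plus our own link
    to that neighbour. FD is the successor's metric; a nonsuccessor route is a
    feasible successor when its RD < FD."""
    rows = []
    for c in candidates:
        rd = eigrp_metric(c["adv_bw"], c["adv_delay"])
        via = eigrp_metric(min(c["adv_bw"], c["link_bw"]), c["adv_delay"] + c["link_delay"])
        rows.append((via, rd, c["neighbor"]))
    rows.sort()
    fd, _, successor = rows[0]
    feasible = [n for _, rd, n in rows[1:] if rd < fd]
    return {"successor": successor, "fd": fd, "feasible_successors": feasible,
            "reported_distances": {n: rd for _, rd, n in rows}}

# Constructed input: three neighbours advertise 10.1.3.0/24 to us.
# FastEthernet: 100000 kbps, delay 100 (tens of us); T1 serial: 1544 kbps, delay 2000.
ROUTES_TO_10_1_3_0 = [
    {"neighbor": "R2", "adv_bw": 100000, "adv_delay": 100, "link_bw": 100000, "link_delay": 100},
    {"neighbor": "R3", "adv_bw": 100000, "adv_delay": 100, "link_bw": 1544, "link_delay": 2000},
    {"neighbor": "R4", "adv_bw": 1544, "adv_delay": 2100, "link_bw": 100000, "link_delay": 100},
]
```

R3 reaches the subnet over FastEthernet and merely sits behind a slow link from us, so its RD is below our FD and it qualifies; R4's own path already runs over a T1, so its RD exceeds FD and it is not a feasible successor even though our link to R4 is fast.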

EIGRP Successor and Feasible Successor

EIGRP Compare to OSPF

Feature | EIGRP | OSPF
Converges quickly | Yes | Yes
Built-in loop prevention | Yes | Yes
Sends partial routing updates, advertising only new or changed information | Yes | Yes
Classless; therefore, supports manual summarization and VLSM | Yes | Yes
Allows manual summarization at any router | Yes | No
Sends routing information using IP multicast on LANs | Yes | Yes

EIGRP Neighbor Requirement

Requirement | Best Command(s) to Isolate the Problem
Must be in the same subnet | show interfaces
Must pass any neighbor authentication | debug eigrp packets
Must use the same ASN on the router configuration command | show ip eigrp interfaces, show protocols
K-values must match | show protocols

Frame Relay Components

Frame Relay LMI Types

Name | Document | IOS LMI-Type Parameter
Cisco | Proprietary | cisco
ANSI | T1.617 Annex D | ansi
ITU | Q.933 Annex A | q933a

Frame Relay PVC

LAPF Framing (figure)

LAPF frame: LAPF Header (DLCI, usually 10 bits) | Information | LAPF Trailer (FCS)
Cisco encapsulation: LAPF Header | Cisco header | Packet | LAPF Trailer
RFC 1490 encapsulation: LAPF Header | RFC 1490 header | Packet | LAPF Trailer
(The Cisco and RFC 1490 headers include a Protocol Type field.)

Frame Relay Forwarding

Typical Frame Relay Network

Typical Partial Mesh Frame Relay Network

Inverse ARP Process

Hybrid Full Partial Mesh

Frame Relay Global Addressing

DLCI Swapping

The Frame Sent by Router | With DLCI Field | Is Delivered to Router | With DLCI Field
A | 41 | B | 40
A | 42 | C | 40
B | 40 | A | 41
C | 40 | A | 42

SNMP

Simple Network Management Protocol is an application layer protocol that provides a message format for communication between what are termed managers and agents.

MIB (figure): the OID tree from the root down into the Cisco private subtree

ISO (1)
  ORG (3)
    DOD (6)
      INTERNET (1)
        PRIVATE (4)
          ENTERPRISES (1)
            CISCO (9)
              LOCAL VARIABLES (2)
                INTERFACE GROUP (2)
              CISCO MGMT (9)
                CISCO FLASH GROUP (10)

SNMP Get

SNMP Trap

SNMPv3

• Message integrity: This helps ensure that a packet has not been tampered with in transit.
• Authentication: This helps ensure that the packet came from a known and trusted source.
• Encryption: This helps to ensure that information cannot be read if the data is captured in transit.

System Message Logging ( Syslog)

Popular destinations for syslog messages include the following:
• The logging buffer (RAM inside the router or switch)
• The console line
• The terminal lines
• A syslog server

Syslog Network

System Message Format

*Dec 18 17:10:15.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down

Notice that by default on this particular device we see the following:
• A timestamp: *Dec 18 17:10:15.079
• The facility on the router that generated the message: %LINEPROTO
• The severity level: 5
• A mnemonic for the message: UPDOWN
• The description of the message: Line protocol on Interface FastEthernet0/0, changed state to down
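Added example, not from the slides: a Python parser for the message format above, with two small checks a defender would run over a logging buffer or syslog server feed: pull out every message at or above a given severity, and count line-protocol flaps per interface. The sample log is the slide's own line plus three constructed companions; the severity names are the standard IOS levels 0 to 7.

```python
import re
from collections import Counter

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Optional timestamp (a leading '*' marks a clock that is not authoritative),
# then %FACILITY-SEVERITY-MNEMONIC: description.
SYSLOG_RE = re.compile(
    r"^(?:(?P<unsynced>\*)?(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<description>.*)$")

def parse_message(line):
    """Split one IOS system message into its fields; None if the line does not fit."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    d["severity_name"] = SEVERITY_NAMES[d["severity"]]
    d["unsynced"] = d["unsynced"] == "*"
    return d

def at_or_above(messages, level):
    """Messages whose severity number is <= level (a lower number is more severe)."""
    return [m for m in (parse_message(l) for l in messages) if m and m["severity"] <= level]

def link_flaps(messages):
    """Count LINEPROTO-5-UPDOWN transitions per interface, a simple baseline check."""
    counts = Counter()
    for m in (parse_message(l) for l in messages):
        if m and m["facility"] == "LINEPROTO" and m["mnemonic"] == "UPDOWN":
            iface = re.search(r"Interface (\S+),", m["description"])
            if iface:
                counts[iface.group(1)] += 1
    return counts

SAMPLE_LOG = [  # the slide's line, followed by three constructed messages
    "*Dec 18 17:10:15.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down",
    "*Dec 18 17:10:18.203: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up",
    "*Dec 18 17:11:02.511: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.99)",
    "*Dec 18 17:12:40.004: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/5 with BPDU Guard enabled. Disabling port.",
]
```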

Netflow

Netflow Key Purposes

• General network traffic accounting for baseline analysis
• Usage-based network billing for consumers of network services
• Network design, including redesigns to include new network devices and applications to meet the needs of growing infrastructures
• General network security design
• Denial of service (DoS) and distributed DoS (DDoS) detection and prevention data
• Ongoing network monitoring

Types of Router Memory

RAM (working memory and running configuration)
Flash (Cisco IOS software)
ROM (bootstrap program and ROMMON)
NVRAM (startup configuration)

Copying IOS Image for Upgrade Process

Loading bootstrap, IOS, and Initial Configuration (figure)

Step 2: Bootstrap program loaded from ROM into RAM
Step 3: Cisco IOS loaded from Flash (or from the network) into RAM
Step 4: Running-config file built from NVRAM (startup-config), from the network, or from the console

Choices for choosing OS at boot time (figure)

Bootstrap and ROMMON run from ROM. IOS files live in Flash (1st IOS file, 2nd IOS file, ..., last IOS file) or on a TFTP server in the IP network. The boot system commands live in the startup-config in NVRAM (boot system (1), boot system (2), ..., last boot system command).

BOOT = 0: stay in ROMMON (ROM)
BOOT = 1: load the first IOS file in Flash
BOOT = 2..F: follow the boot system commands in startup-config (NVRAM), which can point at Flash or at a TFTP server in the IP network

Locations for Copying and Results from Copy Operations

TFTP to RAM: copy tftp running-config
RAM to TFTP: copy running-config tftp
RAM to NVRAM: copy running-config startup-config
NVRAM to RAM: copy startup-config running-config
TFTP to NVRAM: copy tftp startup-config
NVRAM to TFTP: copy startup-config tftp

Logic and Decision for Entering Setup Mode after Reload (figure)

User powers on router -> Complete IOS initialization -> Is NVRAM empty?
  No  -> Router copies startup-config to running-config
  Yes -> "Do you want to enter Setup mode?"
           No  -> continue without Setup mode
           Yes -> User answers questions in Setup mode -> Router moves configuration into startup-config and running-config

Old IOS Image Packaging (figure): seven image combinations, each built from IP Base plus some subset of the Security, Data, and Voice feature sets
