Index

Symbols

3DES (Triple DES), 323

10BASE-T, 37

100BASE-TX, 37

802.11i (WPA2), 258

802.11g, 255

802.3. See Ethernet

1000BASE-T, 37

A

access attacks, 272

access control lists. See ACLs

access layer switches, 4

acknowledgment (ACK) packets, EIGRP, 213

ACLs (access control lists), 279

adding comments to named or numbered ACLs, 287-288

complex ACLs, 288

configuring extended numbered ACLs, 284-285

deny FTP from subnets, 285

deny only Telnet from subnets, 285-286

configuring named ACLs, 286-287

configuring standard numbered ACLs, 282

deny a specific host, 283

deny a specific subnet, 283-284

deny Telnet access to routers, 284

permit specific network, 282-283

defining, 279

design guidelines, 281-282

extended ACLs, 280

identification, 281

interface processing, 279-280

standard ACLs, 280

troubleshooting, 291

denied protocols, 292-293

host has no connectivity, 291-292

Telnet is allowed #1, 293

Telnet is allowed #2, 294

Telnet is allowed #3, 294-295

types of, 280-281

verifying, 289-290

AD (administrative distance), 153-154

ad hoc mode, wireless operations, 254

adding comments to named or numbered ACLs, 287-288

Address Resolution Protocol (ARP), 16, 148

addresses

broadcast addresses, 38

Ethernet, 38

IPv4, 109

classes of addresses, 110-111

header formats, 109-110

subnet masks, 111-112

IPv6

conventions for writing, 139

loopback addresses, 141

managing, 142

private addresses, 141

reserved addresses, 141

link-local addresses, 141

multicast addresses, 38

private IP addressing, 119-120

public IP addressing, 119-120

site-local addresses, 141

static addresses, 123

subnet addresses, summarizing, 118-119

addressing devices, 123

addressing schemes, 354

EIGRP, 215

OSPF, 233-234

RIPv1, 198

administrative distance (AD), 153-154

EIGRP, 214

Advanced Encryption Standard (AES), 323

advertisement request message, VTP, 78

AES (Advanced Encryption Standard), 323

AH (Authentication Header), 325

algorithms, OSPF, 231-232

analog dialup, circuit-switched connections (WAN), 314-315

ANDing, 112

antivirus software, 273

application layer (TCP/IP), 21

applications, network-based applications, 17

impact of voice and video, 18

increased network usage, 17

QoS (quality of service), 17

ARP (Address Resolution Protocol), 16, 124-126, 148

Frame Relay, 339

AS (autonomous system), 150

assigning VLANs, 358, 369-370

to interfaces, 89

asymmetric switching, 46

ATM, packet-switched connections (WAN), 317

attacker terminology, 267-268

attackers, thinking like, 268-269

authentication

PPP, LCP, 333

VPNs, 325

wireless security, 257

Authentication Header (AH), 325

auto-cost reference-bandwidth, 236

automatic summarization

EIGRP, 216-217

RIPv1, 204-205

autonomous system (AS), 150

autosummarization, disabling in RIPv2, 208

availability, balancing with security, 269

B

backing up IOS images, 184

backup DR (BDR), 230

backward explicit congestion notification (BECN), Frame Relay, 339

balancing security and availability, 269

bandwidth command, 220, 236

Basic Rate Interface (BRI), 315

basic router configuration, 167-174

BDR (backup designated router), 230

BECN (backward explicit congestion notification), Frame Relay, 339

BID (bridge ID), configuring, 82-84

binary values, subnet masks, 112

black hats, 268

black hole VLAN, 73

boot system command, 186

bootup process, routers, 162-163

BRI (Basic Rate Interface), 315

broadband wireless, Internet connections (WAN), 319

broadcast addresses, 38

subnetting, 114

broadcast domains, 45

broadcast storms, STP, 78

broadcasts, 43

C

cable modems, Internet connections (WAN), 318

cables

crossover cables, 6, 164-165

straight-through cables, 6, 165

calculating Dijkstra algorithm (link-state routing protocols), 157-158

carrier protocols, 323

CDP, troubleshooting tools, 68-69

central office (CO), WAN, 309

channel service unit (CSU), 310

CHAP, configuring PPP, 335, 356, 362

cHDLC (Cisco HDLC), 329

CIR (committed information rate), Frame Relay, 339

circuit-switched connections, WAN, 314

analog dialup, 314-315

ISDN, 315-316

Cisco devices, configuring, 47

Cisco Enterprise Architecture, 10

Cisco HDLC (cHDLC), 329

Cisco Interim Solution, 258

Cisco IOS (Internetwork Operating System), 46. See also IOS

CLI EXEC sessions, 47

CLI navigation and shortcuts, 48

command history, 49-50

connecting to Cisco devices, 46-47

examination commands, 50

file naming conventions, 182-183

help facility, 48

storing and erasing configuration files, 51

subconfiguration modes, 50

Cisco IOS Integrated File System. See IFS

Cisco IOS OSPF cost values, 236

classes of addresses, IPv4 addressing, 110-111

classful routing protocols, 151-152

classifying dynamic routing protocols, 150

classful routing protocols, 151-152

classless routing protocols, 152

distance vector routing protocols, 150-151

EGP, 150

IGP, 150

link-state routing protocols, 151

classless routing protocols, 152

CLI (command-line interface), 162, 261

navigation and shortcuts, 48-49

CLI EXEC sessions, Cisco IOS, 47

clock rate command, 350

CO (central office), WAN, 309

codes, interface status codes, 65, 171

LAN switches, 65-66

collision domains, 45

command history, Cisco IOS, 49-50

command syntax help, 48

command-line interface (CLI), 162, 261

commands

auto-cost reference-bandwidth, 236

bandwidth, 236

EIGRP, 220

boot system, 186

clock rate, 350

command history buffer commands, 49-50

configure terminal, 50

copy, 51

managing configuration files, 182

copy run start, 182

debug eigrp fsm, 224

debug frame-relay lmi, 348

debug ip nat, 305

debug ip rip, 247

debug ppp authentication, 351

default-information originate, 206, 238

dir, 180

dynamic auto, 91

dynamic desirable, 91

enable password, 55

enable password password, 169

enable secret, 55

encapsulation ppp, 334

erase startup-config, 51

examination commands, Cisco IOS, 50

frame-relay interface-dlci, 348

interface range command, 55

ip helper-address, 131

ip ospf cost, 236

ip ospf priority interface, 237

ip route, static routes, 191

ipconfig/release, 131

ipconfig/renew, 131

for managing configuration files, IFS, 182

network, 215-216, 234-235

no auto-summary, 208, 216

no debug ip rip, 248

no keepalives, 351

no service dhcp, 129

no shutdown, 58, 104

passive-interface, disabling updates, 203

ping, 11, 62, 132-133

ppp authentication chap, 335

ppp authentication pap, 335

range, 89

redistribute static, 219

router ospf, 234

show access-lists, 289

show cdp, 68

show cdp interface, 69

show cdp neighbors detail, 69

show controllers, 350

show file systems, 179-181

show flash, 185

show frame-relay map, 348

show frame-relay pvc, 348

show interface status, 67

show interfaces, 66, 172-174, 351

show interfaces serial, 349

show interfaces status, 66

show ip eigrp interfaces, 248

show ip eigrp neighbors, 245, 249

show ip interface, 290

show ip interface brief, 11, 170, 239

show ip nat statistics, 304

show ip nat translations, 304

show ip ospf, 241

show ip ospf interface, 242-243

show ip ospf interface brief, 248

show ip ospf neighbor, 240, 249

show ip ospf neighbor commands, 245

show ip protocols, 153, 239-240, 245, 248

RIPv1, 200

show ip route, 11, 152, 170, 199, 239, 245

RIPv1, 200

show port-security, 57

show port-security interface, 57, 94

show run, 304

show running-config, 170, 290

show spanning-tree, 83

show version, 162-163

show vlan brief, 88-90

show vtp status, 98

spanning-tree mode rapid-pvst, 84

spanning-tree portfast default, 84

switch configuration commands, 53-54

switchport mode access, 103

switchport mode dynamic desirable, 75

switchport mode trunk, 75

switchport mode trunk dynamic auto, 75

switchport nonegotiate, 75, 103

switchport port-security violation, 56

telnet, 11

tftpdnld, 187

traceroute, 133-134, 175, 246

undebug all, 248

username, 335

vtp pruning, 98

vtp version 2, 98

write erase, 51

xmodem, 187

comments, adding to named or numbered ACLs, 287-288

committed information rate (CIR), Frame Relay, 339

complex ACLs, 288

components

of Frame Relay, 338-339

of routers, internal components, 161-162

for teleworker connectivity, 7

of VPNs, 322

of WAN, 309

configuration files

Cisco IOS, 51

commands for managing, 182

configurations, ISP, 355-356

configure terminal command, 50

configuring

ACLs

extended numbered ACLs, 284-286

named ACLs, 286-287

standard numbered ACLs, 282-284

Cisco devices, 47

default routing, 357, 364

DHCP, 359, 371-372

dynamic NAT, 301-302

EIGRP, 214-215

automatic summarization, 216-217

default routes, 219

manual summarization, 217-218

modifying EIGRP metrics, 219-220

modifying hello intervals and hold times, 220-221

network command, 215-216

EIGRP routing, 357, 365-366

firewall ACLs, 359, 372-373

Frame Relay, 343-344

full mesh with one subnet, 344-347

hub-and-spoke topology, 356, 360-362

partial mesh with one subnet per PVC, 347-348

HDLC, 330

inter-VLAN routing, 103-105, 357, 364-365

NAT, 356, 362-363

NAT overload, 303

OSPF, 233

controlling DR/BDR election, 237-238

modifying Hello intervals and hold times, 238-239

modifying metrics, 236-237

network command, 234-235

redistributing default routes, 238

router ID, 235-236

router ospf command, 234

port security, 56-58, 358, 369-370

PPP, 334

CHAP, 335, 356, 362

PAP, 335-336

RIPv1, 198-199

RIPv2, 207-208

disabling autosummarization, 208

routers, as DHCP servers, 128-132

RSTP, 84

SSH access, 55-56

static NAT, 301

static routes, 191-193

default static routes, 194-197

with “Next Hop” parameter, 193

with exit interface parameter, 193-194

STP, 82, 358, 370-371

BID (bridge ID), 82-84

PortFast, 84

trunking, 91-93

VLANs, 88-91, 357, 367-369

VTP, 97-100

Windows PC to use DHCP, 123

connecting Cisco IOS to Cisco devices, 46-47

connection establishment, TCP/IP, 25

connection-oriented systems, WAN, 313

connectionless protocols, 26

connectionless systems, WAN, 313

connections

routers, 164-165

verifying network connectivity, 62-65, 175-176

WAN

circuit-switched connections, 314-316

dedicated connections, 314

Internet connections, 317-319

packet-switched connections, 315-317

WAN link options, 319-320

conventions

for writing IPv6 addresses, 139

for writing IPv6 prefixes, 139-140

converging with link-state protocols, link-state routing protocols, 158

copy command, 51, 182

copy run start command, 182

core layer switches, 4

CPE (Customer Premises Equipment), 309

CPU, 161

crackers, 268

crossover cables, 6, 164-165

CSMA/CA (carrier sense multiple access with collision avoidance), 256-257

CSMA/CD (carrier sense multiple access with collision detection), 34-35

CSU (channel service unit), 310

Customer Premises Equipment (CPE), 309

cut-through switching, 46

D

Data Communications Equipment (DCE), 309, 337

data encapsulation

MAC sublayer, 34

TCP/IP, 28

Data Encryption Standard (DES), 323

data service unit (DSU), 310

Data Terminal Equipment (DTE), 309, 337

data VLAN, 72

data-link connection identifier (DLCI), Frame Relay, 338

data-link protocols, WAN, 312

DBD (database description) packets, OSPF, 228

DCE (Data Communications Equipment), 309, 337

DDoS (distributed denial-of-service) attacks, 272

debug eigrp fsm, 224

debug frame-relay lmi, 348

debug ip nat command, 305

debug ip rip commands, 247

debug ppp authentication, 351

dedicated connections, WAN, 314

default file systems, 180

default routes

EIGRP, 219

redistributing in OSPF, 238

RIPv1, 206-207

default routing, configuring, 357, 364

default static routes, configuring, 194-197

default VLAN, 72

default-information originate command, 206, 238

demarcation point, WAN, 309

denial-of-service (DoS) attacks, 272

deny any statements, 279

DES (Data Encryption Standard), 323

design guidelines, ACLs, 281-282

designated router (DR), 230-231

device hardening, 273

devices, 3

Cisco devices, configuring, 47

connecting Cisco IOS to Cisco devices, 46-47

hubs, 3

switches. See switches

of WAN, 310

DHCP (Dynamic Host Configuration Protocol), 15, 127

configuring, 359, 371-372

configuring Windows PC to use, 123

verifying operations, 130

DHCP servers, configuring routers as, 128-132

DHCPv6, 142

Dijkstra algorithm, calculating, 157-158

dir command, 180

Direct Sequence Spread Spectrum (DSSS), 255

disabling

autosummarization, RIPv2, 208

updates, passive-interface command, 203

discontiguous networks, 246-247

distance vector routing protocols, 150-151

distance vectors, EIGRP versus, 211

distributed DoS attacks, 272

distribution layer switches, 4

DLCI (data-link connection identifier), Frame Relay, 338

DNS (Domain Name System), 15, 126-127

documentation for networks, 11

domains

broadcast domains, 45

collision domains, 45

top-level domains, 126

DoS (denial-of-service) attacks, 272

DR (designated router), 230-231

DR/BDR election, OSPF controlling, 237-238

DSL, Internet connections (WAN), 317-318

DSSS (Direct Sequence Spread Spectrum), 255

DSU (data service unit), 310

DTE (Data Terminal Equipment), 309, 337

DTP (Dynamic Trunking Protocol), 75

DUAL, EIGRP, 214

dual stacking, IPv6, 143

duplexes, switches, 66-67

dynamic 6to4 tunnels, 143

dynamic auto, 91

dynamic desirable, 91

Dynamic Host Configuration Protocol (DHCP), 15

dynamic NAT, 299-302

dynamic routing, 191

static routing versus, 149

dynamic routing metrics, 152-153

dynamic routing protocols, classifying, 150

classful routing protocols, 151-152

classless routing protocols, 152

distance vector routing protocols, 150-151

EGP, 150

IGP, 150

link-state routing protocols, 151

Dynamic Trunking Protocol (DTP), 75

E

E1 (External Type 1), 240

E2 (External Type 2), 240

EAP (Extensible Authentication Protocol), 264

EGP (Exterior Gateway Protocols), 150

EIA (Electronics Industry Alliance), 36

EIA/TIA-232, 311

EIA/TIA-449/530, 311

EIA/TIA-612/613, 311

EIGRP (Enhanced Interior Gateway Routing Protocol), 211

addressing schemes, 215

administrative distance, 214

configuring, 214-215

automatic summarization, 216-217

default routes, 219

manual summarization, 217-218

modifying EIGRP metrics, 219-220

modifying hello intervals and hold times, 220-221

network command, 215-216

distance vectors versus, 211

DUAL, 214

dynamic routing metrics, 153

message formats, 212

neighbor requirements, 249

packet types, 212-213

troubleshooting, 248

verifying

with show ip eigrp neighbors, 222-224

with show ip protocols, 221

EIGRP routing, configuring, 357, 365-366

electrical threats, 271

Electronics Industry Alliance (EIA), 36

eliminating routing loops, 155-156

employees, wireless security risks, 257

enable password command, 55

enable password password command, 169

enable secret command, 55

encapsulating protocols, 323

Encapsulating Security Payload (ESP), 325

encapsulation, 322

HDLC, 329-330

OSI models, 16

encapsulation ppp command, 334

encapsulation process, 16

encoding channels, wireless encoding channels, 255

encryption, 257, 322

encryption algorithms, VPNs, 323

Enhanced Interior Gateway Routing Protocol. See EIGRP

Enterprise Architecture, 10

Enterprise Branch Architecture, 10

Enterprise Campus Architecture, 10

Enterprise Data Center Architecture, 10

Enterprise Edge Architecture, 10

Enterprise Teleworker Architecture, 10

environmental threats, 271

erase startup-config command, 51

erasing configuration files, Cisco IOS, 51

error detection, LCP, 332

error recovery, TCP/IP, 24

ESP (Encapsulating Security Payload), 325

establishing VPN connections, 322

authentication, 325

encryption algorithms, 323

hashes, 324-325

IPsec Security Protocols, 325

tunneling, 323

Ethernet, 16

addresses, 38

current Ethernet technologies, 36

framing, 39

Gigabit Ethernet, 37

legacy Ethernet technologies, 34-36

CSMA/CD, 35

overview, 33-34

physical layer, role of, 40

switches, 37-38

UTP cabling, 36-37

EtherType field, 74

EUI-64 format, IPv6, 141-142

examinations

exam day information, 377

post-exam information

career options, 379-380

receiving your certificate, 379

retesting, 380

examination commands, Cisco IOS, 50

exit interface parameter, configuring static routes, 193-194

extended ACLs, 280

extended numbered ACLs, configuring, 284

deny FTP from subnets, 285

deny only Telnet from subnets, 285-286

Extensible Authentication Protocol (EAP), 264

Exterior Gateway Protocols (EGP), 150

external threats, 271

External Type 1 (E1), 240

External Type 2 (E2), 240

F

FC (Feasibility Condition), 223

FCC (Federal Communications Commission), 253-254

FD (Feasible Distance), 223

Feasible Successor (FS), 223

FECN (forward explicit congestion notification), Frame Relay, 339

FHSS (Frequency Hopping Spread Spectrum), 255

file naming conventions, IOS, 182-183

file systems, default file systems, 180

File Transfer Protocol (FTP), 15

firewall ACLs, configuring, 359, 372-373

firewalls, 273

flash memory, 162

flow control, TCP/IP, 25

forward explicit congestion notification (FECN), Frame Relay, 339

forwarding, frame forwarding, 45

asymmetric switching, 46

Layer 2 switching, 46

Layer 3 switching, 46

memory buffering, 46

switch forwarding methods, 45

symmetric switching, 46

FRAD (Frame Relay Access Devices), 337

frame format, PPP, 331-332

frame forwarding, 45-46

Frame Relay, 16, 337

backward explicit congestion notification (BECN), 339

committed information rate (CIR), 339

components of, 338-339

configuring, 344

full mesh with one subnet, 344-347

hub-and-spoke topology, 356, 360-362

partial mesh with one subnet per PVC, 347-348

configuring and verifying, 343

data-link connection identifier (DLCI), 338

DCE, 337

DTE, 337

forward explicit congestion notification (FECN), 339

Inverse Address Resolution Protocol (ARP), 339

Inverse ARP, 341-343

LMI, 341-343

local access rate, 338

Local Management Interface (LMI), 339

NBMA (nonbroadcast multi-access), 340

packet-switched connections, WAN, 317

permanent virtual circuit (PVC), 338

switched virtual circuit (SVC), 338

topologies, 339

verifying, 348

virtual circuit (VC), 338

Frame Relay Access Devices (FRAD), 337

frame-relay interface-dlci command, 348

framing, Ethernet, 39

Frequency Hopping Spread Spectrum (FHSS), 255

FS (Feasible Successor), 223

FTP (File Transfer Protocol), 15

full-mesh topology, Frame Relay, 339

G

Gigabit Ethernet, 37

global unicast addresses, IPv6, 140-141

GUI (graphical user interface), 162, 261

H

hackers, 257, 267

hardware threats, 271

hashes, VPNs, 324-325

HDLC

configuring, 330

encapsulation, 329-330

verifying, 331

HDLC (High-Level Data Link Control), 329

header formats, IPv4 addressing, 109-110

hello intervals and hold times

modifying (EIGRP), 220-221

modifying (OSPF), 238-239

Hello packets

EIGRP, 213

OSPF, 228

neighbor adjacency, 228-229

help facilities, Cisco IOS, 48

hierarchical network models, 9

High-Level Data Link Control (HDLC), 329

HIPS (host-based intrusion prevention), 273

history of commands, Cisco IOS, 49-50

HMAC (hashed message authentication code), 324-325

hold-down timers, preventing routing loops, 155

host and server security, mitigation techniques, 273

host ranges, subnetting, 114

host-based intrusion prevention (HIPS), 273

HTTP (Hypertext Transfer Protocol), 15

HTTP request, 21

HTTP response, 21

hub-and-spoke configuration, Frame Relay, 340

hub-and-spoke topology, Frame Relay (configuring), 356, 360-362

hubs, 3

Hypertext Transfer Protocol (HTTP), 15

I

ICMP (Internet Control Message Protocol), 16, 147

identification, ACLs, 281

IDS (intrusion detection systems), 273

IEEE, 253

IETF (Internet Engineering Task Force), 137, 227

IFS (Integrated File System)

commands, 179-181

commands for managing configuration files, 182

URL prefixes for specifying file locations, 181

IGP (Interior Gateway Protocols), 150

comparison summary, 154

images, IOS images, 183

backing up, 184

recovering with TFTP servers, 186-187

recovering with Xmodem, 187-188

restoring, 185-186

IMAP (Internet Message Access Protocol), 15

implementing WLAN, 261

checklist for implementing, 262-264

infrastructure mode, wireless operations, 254

inside global address, NAT, 297

inside local address, NAT, 297

Integrated File System. See IFS

Inter-Switch Link (ISL), 103

inter-VLAN routing

configuring, 103-105, 357, 364-365

troubleshooting, 105

verifying, 105

interface ID, IPv6, 141-142

interface processing, ACLs, 279-280

interface range command, 55

interface status codes, 65-66, 171

interfaces

assigning VLANs to, 89

passive interfaces, RIPv1, 203-204

routers, 164

unused interfaces, shutting down and securing, 58

up interfaces, layer 1 problems, 67

Interior Gateway Protocols. See IGP

internal threats, 271

Internet connections, WAN

broadband wireless, 319

cable modems, 318

DSL, 317-318

Metro Ethernet, 319

Internet Control Message Protocol (ICMP), 16, 147

Internet Engineering Task Force (IETF), 137

internet information queries, 271

Internet layer, TCP/IP, 26

Internet Message Access Protocol (IMAP), 15

Internet Protocol (IP), 16

Internetwork Operating System. See Cisco IOS

Intrasite Automatic Tunnel Addressing Protocol (ISATAP), 143

intrusion detection and prevention, mitigation techniques, 273

intrusion detection systems (IDS), 273

intrusion tools, wireless security, 257

Inverse Address Resolution Protocol (ARP), Frame Relay, 339

Inverse ARP, Frame Relay, 341-343

IOS (Internetwork Operating System), 162

file naming conventions, 182-183

IOS images

managing, 183

backing up, 184

restoring, 185-186

recovering with TFTP servers, 186-187

recovering with Xmodem, 187-188

IP (Internet Protocol), 16

IP addressing, 119-120

ip helper-address command, 131

IP multicast, 72

ip ospf cost command, 236

ip ospf priority interface command, 237

ip route command, static routes, 191

IP telephony, 72

ipconfig/release commands, 131

ipconfig/renew command, 131

IPsec Security Protocols, VPNs, 325

IPv4

addresses

classes of addresses, 110-111

header formats, 109-110

subnet masks, 111-112

versus IPv6, 137

IPv6

addresses

conventions for writing, 139

global unicast addresses, 140-141

loopback addresses, 141

managing, 142

private addresses, 141

reserved addresses, 141

interface ID and EUI-64 format, 141-142

versus IPv4, 137

overview of, 137-138

prefixes, conventions for writing, 139-140

transitioning to, 142-143

ISATAP (Intrasite Automatic Tunnel Addressing Protocol), 143

ISDN, circuit-switched connections (WAN), 315-316

ISL (Inter-Switch Link), 103

ISP (Internet service provider), configurations, 355-356

ITU-R, 253

J–K–L

jitter, 18

LAN cabling, standards for, 6

LAN switches, 45

interface status codes, 65-66

LANs (local-area networks), 7

Layer 1 problems, troubleshooting, 350

Layer 1 problems, up interfaces, 67

Layer 2 problems, troubleshooting, 350-351

Layer 2 switching, 46

Layer 3 problems, troubleshooting, 351-352

Layer 3 switching, 46

layers

OSI models, 14-15

TCP/IP models, 15-16

troubleshooting with, 29

LCP (PPP Link Control Protocol), 332-333

legacy Ethernet technologies, 34-36

CSMA/CD, 35

link-local addresses, 141

link-state advertisements (LSA), 228

link-state database (LSDB), building, 156-157

link-state protocols, converging with link-state routing protocols, 158

link-state routing process, OSPF, 232-233

link-state routing protocols, 151, 156

calculating Dijkstra algorithms, 157-158

convergence with link-state protocols, 158

LSDB, building, 156-157

LLC (Logical Link Control) sublayer, 34

LMI (Local Management Interface)

Frame Relay, 339-343

local access rate, Frame Relay, 338

local loop, 309

Local Management Interface (LMI), Frame Relay, 339

Logical Link Control (LLC) sublayer, 34

logical switching, 44-45

logical topologies, 9

loopback addresses, IPv6, 141

loopback configurations, OSPF, 235

looped link detection, LCP, 332

loss, 18

low delay, 18

LSA (link-state advertisements), 156, 228-229

LSack (link-state acknowledgment) packets, OSPF, 228

LSDB (link-state database), building, 156-157

LSR (link-state request) packets, OSPF, 228

LSU (link-state update) packets, OSPF, 228-229

M

MAC (Media Access Control) sublayer, 34

MAC addresses, switch forwarding, 45

MAC database instability, STP, 79

MAC sublayer, 34

maintaining security, 275-276

maintenance threats, 271

malicious code attacks, 272

man-in-the-middle attacks, 272

management VLAN, 73

managing

addresses, IPv6, 142

IOS images, 183

backing up, 184

restoring, 185-186

manual summarization, EIGRP, 217-218

MCT (manually configured tunnels), 143

media, 5-6

networking, 5

standards for LAN cabling, 6

Media Access Control (MAC) sublayer, 34

memory, 162

memory buffering, 46

message-of-the-day (MOTD), 169

messages

EIGRP, 212

OSPF, 227-228

RIPv1, 197

methodologies, troubleshooting, 61-62

metrics, dynamic routing metrics, 152-153

Metro Ethernet, Internet connections (WAN), 319

MIST (Multiple Instances of Spanning Tree), 82

mitigation techniques, 273

host and server security, 273

intrusion detection and prevention, 273

security appliances and applications, 273-274

models

network models, benefits of, 13

OSI models, 13

layers, 14-15

PDUs and encapsulation, 16

TCP/IP models, 13-16

modes of VTP, 77

modifying

EIGRP metrics, 219-220

Hello intervals and hold times

EIGRP, 220-221

OSPF, 238-239

OSPF metrics, 236-237

MOTD (message-of-the-day), 169

multicast addresses, 38

multilink PPP, LCP, 333

multiple frame transmission, STP, 79

Multiple Instances of Spanning Tree (MIST), 82

municipal Wi-Fi, 319

mutual authentication, wireless security, 257

N

named ACLs, configuring, 286-287

naming conventions, IOS, 182-183

NAT (Network Address Translation), 297

benefits of, 300

configuring, 356, 362-363

dynamic NAT, 299-302

example of PC1 sending traffic to Internet, 298-299

inside global address, 297

inside local address, 297

limitations of, 300

outside global address, 297

outside local address, 297

overloading, 300

static NAT, 299-301

troubleshooting, 304-305

verifying, 303-304

NAT overload, 299-300, 303

native VLAN, 73

navigation, CLI, 48-49

NBMA (nonbroadcast multi-access), Frame Relay, 340

NCPs (Network Control Protocols), 332

neighbor adjacency issues, troubleshooting, 248-250

neighbors, OSPF

Hello packets, 228-229

verifying, 240

network access layer, TCP/IP, 27-28

Network Address Translation. See NAT

network admission control, 274

network command, 215-216, 234-235

network connectivity, verifying, 62-65, 175-176

Network Control Protocols (NCPs), 332

network documentation, 11

network interface card (NIC), 261

network layer testing tools

ping, 132-133

traceroute, 133-134

network management, 72

network models, benefits of, 13

network statements, 209, 247

network usage, network-based applications, 17

network-based applications, 17-18

networking, media, 5

networking icons, 7

networks

discontiguous networks, 246-247

OSPF, 230

threats to, 271

network attacks, types of, 271-272

“Next Hop” parameter, configuring static routes, 193

NIC (network interface card), 261

no auto-summary command, 208, 216

no debug ip rip, 248

no keepalives command, 351

no service dhcp command, 129

no shutdown command, 58, 104

nonbroadcast multi-access (NBMA), 340

normal data, 72

NVRAM (nonvolatile random-access memory), 162

O

OFDM (Orthogonal Frequency Division Multiplexing), 255

Open Shortest Path First. See OSPF

operating system patches, 273

organizationally unique identifier (OUI), 38

Orthogonal Frequency Division Multiplexing (OFDM), 255

OSI models, 13

OSI layers, 14-15

PDUs (protocol data units), 16

OSPF (Open Shortest Path First), 227

addressing schemes, 233-234

algorithms, 231-232

configuring, 233

controlling DR/BDR election, 237-238

modifying Hello intervals and hold times, 238-239

modifying metrics, 236-237

network command, 234-235

redistributing default routes, 238

router ID, 235-236

router ospf command, 234

DR/BDR election, 230-231

Hello packets, neighbor adjacency, 228-229

link-state routing process, 232-233

loopback configurations, 235

LSA packets, 229

LSU packets, 229

message format, 227-228

neighbor requirements, 249-250

network types, 230

packet types, 228

troubleshooting, 239-240, 248

verifying, 240-243

OUI (organizationally unique identifier), 38

outside global address, NAT, 297

outside local address, 297

overloading NAT, 299-300

P

packet capturing sniffers, 271

packet forwarding, 147

path determination and switching function example, 148-149

packet-switched connections, WAN, 315

ATM, 317

Frame Relay, 317

X.25, 315

packets

EIGRP, 212-213

OSPF, 228

RTP, 212-213

PAP, configuring PPP, 335-336

parameters

exit interface, configuring static routes, 193-194

“Next Hop”, configuring static routes, 193

partial-mesh topology, Frame Relay, 339

passenger protocols, 323

passive interfaces, RIPv1, 203-204

passive-interface command, disabling updates, 203

password attacks, 272

passwords, recovering, 188

PAT (Port Address Translation), 299

path determination, packet forwarding, 148-149

PDUs (protocol data units), OSI models, 16

Per-VLAN Rapid Spanning Tree (PVRST), 82

permanent virtual circuit (PVC), Frame Relay, 338

personal firewalls, 273

phishers, 268

phreakers, 268

physical (MAC) addresses, ARP, 125

physical infrastructures, threats to, 271

physical layer

Ethernet, 40

WAN, 311

physical topologies, 8

ping, 11, 62, 132-133

verifying network connectivity, 175

ping sweeps, 271

ping-of-death attacks, 272

Point-to-Point Protocol. See PPP

policies, developing security policies, 269-270

POP3 (Post Office Protocol), 15

Port Address Translation (PAT), 299

port mappings, VLAN, 355

port numbers, 23

port redirection, 272

port roles, RSTP and STP, 81

port scans, 271

port security, configuring, 56-58, 358, 370

port states, RSTP and STP, 81

port examination, post-exam information (receiving your certificate), 379

port-based memory, 46

PortFast, 84

ports, routers, 164

Post Office Protocol (POP3), 15

PPP (Point-to-Point Protocol), 329-330

configuring, 334

CHAP, 335

PAP, 335-336

with CHAP, 356, 362

frame format, 331-332

LCP (Link Control Protocol), 332-333

ppp authentication chap command, 335

ppp authentication pap command, 335

PPP Link Control Protocol. See LCP

prefixes

IPv6, conventions for writing, 139-140

URL prefixes for specifying file locations, 181

preshared key (PSK), 325

preventing routing loops, 155-156

PRI (Primary Rate Interface), 315

private addresses, IPv6, 141

private IP addressing, 119-120

privileged EXEC mode, 47

pruning, VTP, 78

PSK (preshared key), 325

PSTN (public switched telephone network), 310

public IP addressing, 119-120

PVC (permanent virtual circuit)

Frame Relay, 338

WAN, 313

PVRST (Per-VLAN Rapid Spanning Tree), 82

Q

QoS (Quality of Service), network-based applications, 17

quad-zero routes, 194

quartets, 139

query packets, EIGRP, 213

R

RAM, 161

range command, 89

Rapid Per-VLAN Spanning Tree (RPVST), 82

Rapid STP. See RSTP

reconnaissance attacks, 271

recovering

IOS images

with TFTP servers, 186-187

with Xmodem, 187-188

passwords, 188

redistribute static command, 219

redistributing default routes, OSPF, 238

reference bandwidth, 236

Reliable Transport Protocol. See RTP

remote-access VPNs, 321

reply packets, EIGRP, 213

reserved addresses, IPv6, 141

restoring IOS images, 185-186

RIP, 197

routes, interpreting, 200

troubleshooting, 247-248

RIPv1, 198

addressing schemes, 198

automatic summarization, 204-205

configuring, 198-199

default routing, 206-207

message format, 197

passive interfaces, 203-204

verifying, 199-202

RIPv2

configuring, 207-208

verifying, 208-209

Rivest, Shamir, and Adleman (RSA), 323

rogue AP, wireless security risks, 257

ROM, 161

router ID, configuring OSPF, 235-236

router ospf command, 234

routers, 5

AD (administrative distance), 153-154

basic router configuration, 167-174

bootup process, 162-163

configuring as DHCP servers, 128-132

connections, 164-165

internal components of, 161-162

ports and interfaces, 164

routes, tracing from Windows PC, 65

routing

EIGRP. See EIGRP

inter-VLAN routing, configuring and verifying, 103-105

OSPF. See OSPF

troubleshooting, 245

routing loop prevention, 155-156

routing methods, 149

dynamic routing protocols, classifying, 150-152

dynamic versus static routing, 149

RPVST (Rapid Per-VLAN Spanning Tree), 82

RSA (Rivest, Shamir, and Adleman), 323

RSTP (Rapid STP), 80-81

configuring, 84

port roles, 81

port states, 81

RTP (Reliable Transport Protocol), 212

packets, 212-213

S

satellite Internet, 319

scavenger class, 72

securing unused interfaces, 58

security, 267

attacker terminology, 267-268

balancing security and availability, 269

common threats

to networks, 271

to physical infrastructures, 271

vulnerabilities, 270

configuring, 369

developing security policies, 269-270

importance of, 267

maintaining, 275-276

mitigation techniques, 273-274

network attacks, 271-272

port security, configuring, 56-58

thinking like attackers, 268-269

wireless security risks, 257

wireless security standards, 258

security appliances and applications, mitigation techniques, 273-274

security communications, 274

security violations, 57

service set identifier (SSID), 261

shared memory, 46

shortcuts, CLI, 48-49

show access-lists command, 289

show cdp commands, 68

show cdp interface command, 69

show cdp neighbor detail, 11, 69

show controllers command, 350

show file systems command, 179-181

show flash command, 185

show frame-relay map command, 348

show frame-relay pvc command, 348

show interface status, 67

show interfaces, 66, 171-174

show interfaces command, 351

show interfaces serial command, 349

show interfaces status, 66

show ip eigrp interfaces, 248

show ip eigrp neighbors, 222-224, 245, 249

show ip interface brief, 11, 170, 239

show ip interface command, 290

show ip interface e0 command, 290

show ip nat statistics command, 304

show ip nat translations command, 304

show ip ospf command, 241

show ip ospf interface brief, 242-243, 248

show ip ospf neighbor, 240, 245, 249

show ip protocols, 153, 239-240, 245, 248

EIGRP, 221

RIPv1, 200

show ip route, 11, 152, 170, 199, 239, 245

RIPv1, 200

show port-security command, 57

show port-security interface command, 57

show port-security interface, 94

show run command, 304

show running-config command, 170, 290

show spanning-tree command, 83

show version command, 162-163

show vlan brief, 88-90

show vtp status command, 98

shutting down unused interfaces, 58

site-local addresses, 141

site-to-site VPNs, 320

SMTP (Simple Mail Transfer Protocol), 15

SNMP (Simple Network Management Protocol), 15

spammers, 268

Spanning Tree Protocol. See STP

spanning-tree mode rapid-pvst, 84

spanning-tree portfast default, 84

speed mismatches, switches, 66-67

split horizons, preventing routing loops, 155

SSH, configuring access, 55-56

SSID (service set identifier), 261

standard ACLs, 280

standard numbered ACLs, configuring, 282

deny a specific host, 283

deny a specific subnet, 283-284

deny Telnet access to routers, 284

permit specific network, 282-283

star topology, Frame Relay, 340

stateless autoconfiguration, IPv6, 142

statements

deny any, 279

network, 247

static addresses, 123

static NAT, 299-301

static routes

configuring, 191-192

default static routes, 194-197

with exit interface parameter, 193-194

with “Next Hop” parameter, 193

static routing, dynamic routing versus, 149

store-and-forward switching, 46

storing configuration files, Cisco IOS, 51

STP (Spanning Tree Protocol), 79-80

broadcast storms, 78

configuring, 82, 358, 370-371

BID (bridge ID), 82-84

PortFast, 84

MAC database instability, 79

multiple frame transmission, 79

port roles, 81

troubleshooting, 84

straight-through cables, 6, 165

structured threats, 271

Structured Wireless-Aware Network (SWAN), 257

subconfiguration modes, Cisco IOS, 50

subnet addresses, summarizing, 118-119

subnet masks, IPv4 addresses, 111-112

subnet multipliers, 114

subnets, subnetting, 114

subnetting, 112-113

determining how many bits to borrow, 113

determining new subnet masks, 114

determining subnet multipliers, 114

examples, 114-116

listing subnets, host ranges and broadcast addresses, 114

VLSM. See VLSM

subset advertisement, VTP, 78

successor, EIGRP, 223

summarization

automatic summarization

EIGRP, 217

RIPv1, 204-205

manual summarization, EIGRP, 217-218

summary advertisement, VTP, 78

SVC (switched virtual circuit)

Frame Relay, 338

WAN, 313

SWAN (Structured Wireless-Aware Network), 257

switch configuration commands, 53-54

switch forwarding methods

based on MAC addresses, 45

frame forwarding, 45

switched virtual circuit (SVC), Frame Relay, 338

switches, 3, 37-38

access layer switches, 4

broadcast domains, 45

collision domains, 45

core layer switches, 4

distribution layer switches, 4

duplex and speed mismatches, 66-67

frame forwarding, 45-46

LAN switches, 45, 65-66

layer 1 problems on up interfaces, 67

VTP, 102

WAN switches, 310

switching

evolution to, 43-44

logical switching, 44-45

WAN, 312-313

switching function, packet forwarding, 148-149

switchport mode access, 103

switchport mode dynamic desirable command, 75

switchport mode trunk, 75

switchport mode trunk dynamic auto command, 75

switchport nonegotiate, 75, 103

switchport port-security violation command, 56

symmetric switching, 46

SYN flood attacks, 272

T

TCP (Transmission Control Protocol), 15

TCP header, 22

TCP/IP

application layer, 21

data encapsulation, 28

Internet layer, 26

layers, troubleshooting with, 29

network access layer, 27-28

transport layer, 21

connection establishment and termination, 25

error recovery, 24

flow control, 25

port numbers, 23

TCP header, 22

UDP, 26

TCP/IP models, 13-16

TCP/IP protocols, 15-16

TCP/IP stacks, testing on Windows PC, 63

Telecommunications Industry Association (TIA), 36

Telnet, 15, 176

telnet command, 11

Temporal Key Integrity Protocol (TKIP), 264

Teredo tunneling, IPv6, 143

termination, TCP/IP, 25

testing

connectivity

to default gateways on Windows PC, 63

to destinations on Windows PC, 64

TCP/IP stacks on Windows PC, 63

TFTP servers, recovering IOS images, 186-187

tftpdnld command, 187

threat control, 274

threats

to networks, 271-272

to physical infrastructures, 271

vulnerabilities, 270

TIA (Telecommunications Industry Association), 36

TKIP (Temporal Key Integrity Protocol), 264

tools for troubleshooting, CDP, 68-69

top-level domains, 126

topologies, 8, 339

traceroute, 133-134, 175, 246

tracert, 132-134

tracing routes from Windows PC, 65

traffic types, VLANs, 72

transitioning to IPv6, 142-143

Transmission Control Protocol (TCP), 15

transport layer (TCP/IP), 21-22

connection establishment and termination, 25

error recovery, 24

flow control, 25

port numbers, 23

TCP header, 22

UDP, 26

Triple DES (3DES), 323

Trojan horses, 272

troubleshooting

ACLs, 291

denied protocols, 292-293

host has no connectivity, 291-292

Telnet is allowed #1, 293

Telnet is allowed #2, 294

Telnet is allowed #3, 294-295

EIGRP, 248

inter-VLAN routing, 105

with layers, 29

methodology, 61-62

NAT, 304-305

neighbor adjacency issues, 248-250

OSPF, 239-240, 248

RIP, 247-248

RIPv2, 208-209

routing, 245

STP, 84

tools, CDP, 68-69

trunking, 93-94

VLAN, 93-94

VLSM, 246

VTP, 102-103

WAN implementations, 349

Layer 1 problems, 350

Layer 2 problems, 350-351

Layer 3 problems, 351-352

WLAN, 264

trunking

configuring, 91-93

troubleshooting, 93-94

verifying, 91-93

trunking VLANs, 74-75

trust exploitation, 272

tunneling, 322. See also encapsulation

IPv6, 143

Teredo tunneling, IPv6, 143

VPNs, 323

U

UDP (User Datagram Protocol), 15

TCP/IP, 26

undebug all, 248

unshielded twisted-pair (UTP), 164

unstructured threats, 271

up interfaces, layer 1 problems, 67

update packets, EIGRP, 213

URL prefixes for specifying file locations, IFS, 181

usage of networks, network-based applications, 17

User Datagram Protocol (UDP), 15

user EXEC mode, 47

username command, 335

UTP (unshielded twisted-pair), 164

UTP cabling, 36-37

V

V.35, 311

variable-length subnet masking. See VLSM

VC (virtual circuit), Frame Relay, 338

verifying

ACLs, 289-290

BID, 82-84

DHCP operations, 130

EIGRP

show ip eigrp neighbors, 222-224

show ip protocols, 221

Frame Relay, 343, 348

HDLC, 331

inter-VLAN routing configurations, 105

NAT, 303-304

network connectivity, 62-65

OSPF, 240-243

RIPv1, 199-202

RIPv2, 208-209

speed and duplex settings, 66-67

trunking, 91-93

VLAN, 88-91

VTP, 99-100

synchronized databases, 101-102

VLAN configurations on VTP servers, 100-101

verifying network connectivity, 175-176

video, impact on network-based applications, 18

virtual circuit (VC), Frame Relay, 338

virtual private networks. See VPNs

viruses, 272

VLAN configurations and port mappings, 355

VLAN tag fields, 74

VLAN Trunking Protocol. See VTP

VLANs (virtual local-area networks)

assigning, 358, 369-370

to interfaces, 89

benefits of, 71-72

black hole VLAN, 73

configuring, 88-91, 357, 367-369

creating, 88

data VLAN, 72

default VLAN, 72

DTP (Dynamic Trunking Protocol), 75

management VLAN, 73

native VLAN, 73

overview, 71

traffic types, 72

troubleshooting, 93-94

trunking VLANs, 74-75

verification commands, 88-91

voice VLAN, 73-74

VLSM (variable-length subnet masking), 116-118, 246

troubleshooting, 246

voice, impact on network-based applications, 18

voice VLAN, 73-74

VoIP (voice over IP), 18

VPNs (virtual private networks), 320

benefits of, 320

components of, 322

establishing connections, 322

authentication, 325

encryption algorithms, 323

hashes, 324-325

IPsec Security Protocols, 325

tunneling, 323

types of access, 320

remote-access VPNs, 321

site-to-site VPNs, 320

VTP (VLAN Trunking Protocol), 76-77, 97

advertisement request message, 78

configuring, 97-100

modes, 77

pruning, 78

subset advertisement, 78

summary advertisement, 78

switches, 102

troubleshooting, 102-103

verifying, 99

synchronized databases, 101-102

VLAN on VTP servers, 100-101

VTP operation, 77-78

vtp pruning, 98

vtp version 2, 98

vulnerabilities, 270

W

WAN

components of, 309

connections, 165

circuit-switched connections, 314-316

dedicated connections, 314

Internet connections, 317-319

packet-switched connections, 315-317

WAN link options, 319-320

data-link protocols, 312

devices, 310

physical layer standards, 311

PVC, 313

SVC, 313

switching, 312-313

WAN implementations, troubleshooting, 349

Layer 1 problems, 350

Layer 2 problems, 350-351

Layer 3 problems, 351-352

WAN link options, 319-320

WAN switches, 310

WANs (wide-area networks), 7

war drivers, wireless security risks, 257

WEP (Wired Equivalent Privacy), 258, 261

white hats, 267

Wi-Fi Alliance, 253

Wi-Fi Protected Access (WPA), 258, 261

WiMAX (Worldwide Interoperability for Microwave Access), 319

windowing, 25

Windows PC

configuring to use DHCP, 123

testing

connectivity to default gateways, 63

connectivity to destinations, 64

TCP/IP stacks, 63

tracing routes, 65

Wired Equivalent Privacy (WEP), 258, 261

wireless access points, 261

wireless coverage areas, 256

wireless encoding channels, 255

wireless frequencies, 254

wireless LAN. See WLAN

wireless modes of operation, 254

wireless security risks, 257

wireless security standards, 258

wireless standards, 253

WLAN

implementing, 261

checklist for, 262-264

modes of operation, 254

speed and frequency reference, 256

standards for, 254

troubleshooting, 264

word help, 48

Worldwide Interoperability for Microwave Access (WiMAX), 319

worms, 272

WPA (Wi-Fi Protected Access), 258, 261

write erase command, 51

X–Y–Z

X.21, 311

X.25, packet-switched connections (WAN), 315

Xmodem, recovering IOS images, 187-188

xmodem command, 187
