Index
SYMBOLS
3DES (Triple DES), 338
10BASE-T, 35
pin pairs, 36
10GBASE-S, 35
10GBASE-T, 35
100BASE-TX, 35
pin pairs, 36
802.1X/EAP, 160
802.3. See Ethernet
1000BASE-LX, 35
1000BASE-T, 35
A
AAA (authentication, authorization, and accounting), 178–179
access attacks, 290
access control, 175
switch port hardening, 178
access layer (hierarchical campus design), 25
access layer switches, 14
ACI (Application Centric Infrastructure), 386
ACLs (access control lists)
defining, 295
design guidelines, 299
extended named IPv4
adding comments, 306
configuring, 306
extended numbered IPv4
adding comments, 306
IPv6 ACLs
operational overview, 295
standard named IPv4
adding comments, 306
standard numbered IPv4
adding comments, 306
types of, 298
ad hoc mode, 154
addressing (IPv4). See IPv4 addressing
addressing (IPv6). See IPv6 addressing
administrative distance, 201–203
advanced certifications, 410
adware, 288
AES (Advanced Encryption Standard), 161, 338
AF (Assured Forwarding), 346–347
AH (Authentication Header), 340
allowing. See permitting
AMP (Advanced Malware Protection), 173
amplification and reflection attacks, 292
Ansible, 403
anycast addresses, 75
APIC (Application Policy Infrastructure Controller), 386
APIC-EM (APIC Enterprise Module), 387–388
Application Centric Infrastructure (ACI), 386
application layer (OSI), 2
application layer (TCP/IP), 3, 5
Application Policy Infrastructure Controller (APIC), 386
APs (wireless access points), 18–20
ARP (Address Resolution Protocol), 4
assets, 285
assigned multicast addresses, 73–74
Assured Forwarding (AF), 346–347
asymmetric switching, 32
attack vectors, 286
attacks. See also threat mitigation
access attacks, 290
DoS and DDoS attacks, 291
reconnaissance attacks, 289
social engineering attacks, 290–291
transport layer attacks, 292
authentication
VPNs, 340
Authentication Header (AH), 340
auto-cost reference-bandwidth command, 269
automation. See network automation
autonomous AP architecture, 155
B
backing up Cisco IOS images, 376
baiting, 291
bandwidth, 343
bandwidth command, 270
banner command, 210
BDR (backup designated router), 259, 279–281
BID (bridge ID)
configuring and verifying, 108–110
binary, converting to/from decimal, 57
botnet, 291
BPDU Guard, configuring, 110–111
BRI (Basic Rate Interface), 328
bridges, 29
broadcast addresses, 38
broadcast domains, 31
BSA (basic service area), 153
BSS (basic service set), 153
BSSID (basic service set identifier), 153
buffer overflow attacks, 290
C
cable modems, 331
cabling
connection guidelines, 22
copper, 21
fiber-optic, 21
standards, 22
wireless, 21
CAPWAP (Control and Provisioning of Wireless Access Points), 157–158
CBWFQ (Class-Based Weighted Fair Queueing), 347
CDP (Cisco Discovery Protocol)
cdp holdtime command, 354
cdp time command, 354
cellular service, 332
certificate, receiving, 409
certifications
advanced, 410
certified score report, 407
Chef, 405
choosing
network media, 21
routers, 15
switches, 14
WAN connections, 332
circuit-switched WAN connections, 328–329
Cisco DNA Center
network management platform, 394–395
Cisco IOS
basic configuration commands, 45–47
command history, 44
console error messages, 43
EXEC sessions, 42
IFS (Integrated File System), 371
configuration file management, 374–375
images, 375
backing up, 376
navigating and editing commands, 43–44
subconfiguration modes, 45
Class-Based Weighted Fair Queueing (CBWFQ), 347
classes (IPv4 addressing), 56–57
classful routing protocols, 200
classless routing protocols, 200
clear ip nat translation command, 323
clear ip ospf process command, 281, 283
clients (DHCPv4), configuring, 133–134
cloud computing
benefits of, 379
virtual network infrastructure, 382–383
cloud-based AP architecture, 155–156
collision domains, 31
commands (Cisco IOS)
basic configuration commands, 45–47
command history, 44
subconfiguration modes, 45
comments, adding to IPv4 ACLs, 306
community clouds, 382
compromised-key attacks, 288
configuration management tools, 402
Ansible, 403
Chef, 405
comparison of, 405
configure terminal command, 45
configuring
ACLs
extended named IPv4, 306
extended numbered IPv4, 303–305
standard numbered IPv4, 301–303
default routing
IPv6, 252
DHCPv4
options, 128
DHCPv6
options, 137
as stateful server, 139
dynamic ARP inspection (DAI), 192–193
Layer 3 routed ports, 240
multilayer switching, 238
Rapid PVST+, 111
routers
EUI-64 configuration, 218
link-local addresses, 219
passive interfaces, 268
router ospf command, 266
SNMP, 364
static routing
IPv6, 251
STP, 108
PortFast and BPDU Guard, 110–111
summary routing
IPv6, 253
switches, 41
basic configuration commands, 45–47
command history, 44
EXEC sessions, 42
half duplex, full duplex, port speed, 47
navigating and editing commands, 43–44
subconfiguration modes, 45
WLANs, 165
RADIUS server, 166
congestion management, 347
connection establishment (TCP), 9
connection termination (TCP), 9
connectionless protocols, 9–10
connections
choosing, 332
connectivity, verifying, 48–51, 220–223
console error messages, 43
convergence
with link-state protocols, 206–207
converting binary/decimal numbers, 57
copy run start command, 212
copy running-config startup-config command, 210, 212
core layer (hierarchical campus design), 25
cut-through switching, 31
D
DAI (dynamic ARP inspection), 191–193
data encapsulation. See encapsulation
Data Encryption Standard (DES), 338
data exfiltration, 286
data formats
data link layer (OSI), 2
data modification attacks, 287
data VLANs, 84
DDoS (distributed denial of service) attacks, 291
dead intervals, modifying, 278
debuggers, 287
decimal, converting to/from binary, 57
dedicated WAN connections, 327–328
default gateways, troubleshooting, 224–225
default IEEE port costs, 101–102
default routing
IPv6, configuring, 252
operational overview, 241
redistribution, 277
default VLANs, 84
default-information originate command, 277
denial of service (DoS) attacks, 287, 291
denying
FTP, 304
SSH, 303
subnets, 303
DES (Data Encryption Standard), 338
description command, 210
designated router (DR), 259, 279–281
device hardening. See security
devices
connection guidelines, 22
firewalls, 16
hubs versus switches, 13
IDS/IPS, 17
next-generation firewalls, 17–18
physical connections, 20
routers. See routers
switches. See switches
wireless access points/LAN controllers, 18–20
DHCP (Dynamic Host Configuration Protocol), 3
attacks
types of, 188
troubleshooting, 140
DHCPv4
configuring
options, 128
DHCPv6
stateful, 136
configuring, 139
stateless, 136
Differentiated Services Code Point (DSCP), 345–346
Digital Subscriber Line (DSL), 330–331
disabling VLANs, 96
distance vector protocols, 198–199
administrative distance, 201–203
IGP comparison summary, 203
distributed denial of service (DDoS) attacks, 291
distribution layer (hierarchical campus design), 25
distribution layer switches, 14
distribution system (DS), 153
DMVPN (Dynamic Multipoint VPN), 335–336
DNS (Domain Name System), 3
DoS (denial of service) attacks, 287, 291
DR (designated router), 259, 279–281
DS (distribution system), 153
DSCP (Differentiated Services Code Point), 345–346
DSL (Digital Subscriber Line), 330–331
DTP (Dynamic Trunking Protocol), 87–88
dual-homed WANs, 325
dumpster diving, 291
duplicate IP addresses, troubleshooting, 225
dynamic ARP inspection (DAI), 191–193
Dynamic Host Configuration Protocol. See DHCP (Dynamic Host Configuration Protocol)
Dynamic Multipoint VPN (DMVPN), 335–336
dynamic NAT, 318
dynamic routing
administrative distance, 201–203
classful protocols, 200
classless protocols, 200
distance vector protocols, 198–199
IGP and EGP, 198
IGP comparison summary, 203
link-state protocols, 199, 204–207
protocol types, 198
routing loop prevention, 203–204
static routing versus, 197
E
eavesdropping attacks, 287
edge ports, RSTP, 107
editing Cisco IOS commands, 43–44
EF (Expedited Forwarding), 346–347
EGP (exterior gateway protocols), 198
EIGRP (Enhanced Interior Gateway Routing Protocol), 203
enable secret command, 210
encryption
tools, 287
VPNs, 338
endpoint security, 173
ESP (Encapsulating Security Payload), 341
ESS (extended service set), 154
EtherChannel
benefits of, 114
restrictions, 114
troubleshooting, 119
Ethernet, 4
current technologies, 35
switches. See switches
EUI-64 configuration, 78–79, 218
exam
after completion, 407
certified score report, 407
failed, 410
receiving certificate, 409
what to bring, 407
EXEC sessions, 42
exit-interface parameter, IPv4 static routing, 244–245
Expedited Forwarding (EF), 346–347
exploits, 285
extended IPv6 ACLs, configuring, 310–311
extended named IPv4 ACLs
adding comments, 306
configuring, 306
extended numbered IPv4 ACLs
adding comments, 306
extended service set (ESS), 154
extended system ID, PVST+, 104–105
exterior gateway protocols (EGP), 198
F
fabric, 390
failed exam, 410
Fast Ethernet, 35
FHRPs (first-hop redundancy protocols), 119–120
firewalls, 16
flow control, 8
forensic tools, 287
fragment-free mode, 32
FTP (File Transfer Protocol), 3
denying, 304
full duplex, 47
full mesh WANs, 325
G
GCMP (Galois/Counter Mode Protocol), 161
Gigabit Ethernet, 35
GLBP (Gateway Load Balancing Protocol), 120
global unicast addresses, 68–70
GRE (Generic Routing Encapsulation), 334
H
hacking operating systems, 287
half duplex, 47
header (TCP), 6
header format (IPv4), 55
hello intervals, modifying, 278
help facilities in Cisco IOS, 42–43
hierarchical campus designs, 25–27
host ID (IPv4), 55
host IP settings, 143
hostname command, 210
hot keys for Cisco IOS commands, 43–44
HSRP (Hot Standby Router Protocol), 120
configuring and verifying, 122–123
operational overview, 121
priority and preemption, 122
troubleshooting, 126
versions, 121
HTTP (Hypertext Transfer Protocol), 3
HTTP methods, RESTful APIs and, 400
hub-and-spoke WANs, 325
hubs
limitations, 29
switches versus, 13
hybrid clouds, 382
I
IaaS (Infrastructure as a Service), 382
IBSS (Independent Basic Service Set), 154
ICMP (Internet Control Message Protocol), 4
ICMP attacks, 292
icons for networking diagrams, 13
IDS (intrusion detection systems), 17
IFS (Integrated File System), 371
configuration file management, 374–375
IGP (interior gateway protocols), 198, 203
IMAP (Internet Message Access Protocol), 3
impersonation, 291
interface command, 210
interface IDs, subnetting, 78
interface rance command, 47
interface status codes, 52, 213–214
Internet layer (TCP/IP), 3, 10
Internet Protocol (IP), 4
Internet WAN connections, 330–332
internetworks, 23
inter-VLAN routing
Layer 3 routed port configuration, 240
legacy inter-VLAN routing, 233–234
multilayer switching, 235
configuring and verifying, 238
router on a stick, 234
configuring and verifying, 235–238
types of, 233
intranets, 23
intrusion detection systems (IDS), 17
intrusion prevention systems (IPS), 17
IP (Internet Protocol), 4
ip address command, 210
IP address spoofing attacks, 287, 292
ip helper-address command, 132–133
IP host settings. See host IP settings
ip ospf cost command, 270
ip ospf priority command, 279
ip route command, 242
IPS (intrusion prevention systems), 17
IPv4 addressing
ACLs
adding comments, 306
extended named configuration, 306
extended numbered configuration, 303–305
standard named configuration, 305–306
standard numbered configuration, 301–303
default routing, configuring, 245–248
header format, 55
IPv6 addressing versus, 66
JSON format, 399
private/public addressing, 58
resolving conflicts, 140
command syntax, 210
verifying connectivity, 220–223
static routing
exit-interface parameter, 244–245
next-hop parameter, 244
subnetting
addressing scheme, listing, 60–61
bits to borrow, determining, 59–60
purpose of subnet masks, 57–58
subnet masks, determining new, 60
subnet multiplier, determining, 60
summary routing, configuring, 248–249
IPv4 embedded addresses, 72–73
ipv6 access-list command, 309
ipv6 address autoconfig command, 138
ipv6 address dhcp command, 139
IPv6 addressing
ACLs
address conventions, 76
anycast addresses, 75
default routing, configuring, 252
IPv4 addressing versus, 66
EUI-64 configuration, 218
link-local addresses, 219
verifying connectivity, 220–223
routing table, 230
static routing
configuring, 251
summary routing, configuring, 253
link-local, 71
loopback, 71
unique local, 72
unspecified, 71
ipv6 route command, 251
J
jitter, 343
L
LACP (Link Aggregation Control Protocol), 115–116
LANs (local-area networks)
components of, 23
threat mitigation
latency (delay), 343
Layer 1 problem indicators, 54
Layer 2 switching, 32
Layer 3 routed ports, configuring, 240
Layer 3 switching, 32
layers (hierarchical campus design), 25–27
layers (OSI)
layers (TCP/IP)
application, 5
encapsulation summary, 12
Internet, 10
list of, 3
legacy Ethernet technologies, 33–35
legacy inter-VLAN routing, 233–234
lightweight AP architecture, 156–157
line console command, 210
line vty 0 15 command, 210
Link Aggregation Control Protocol (LACP), 115–116
link-state advertisements (LSAs), 258–261, 278–279
link-state database (LSDB), 204–205
link-state protocols, 199, 204–207
link-state routing process, OSPF, 260–261
Linux, verifying host IP settings, 146–148
LLC (Logical Link Control) sublayer, 32–33
LLDP (Link Layer Discovery Protocol)
operational overview, 357
lldp holdtime command, 357
lldp reinit command, 357
lldp run command, 357
lldp timer command, 357
LLQ (Low Latency Queueing), 347
local-area networks. See LANs (local-area networks)
login command, 210
login local command, 210
loopback addresses, 71
loss, 343
M
MAC (Media Access Control) sublayer, 32, 33
macOS, verifying host IP settings, 145–146
man-in-the-middle attacks, 288, 290, 292
media issues, troubleshooting, 51–52
memory buffering, 32
mesh topology, 154
metrics
Metro Ethernet, 329
MIB (Management Information Base), 362–363
mitigation. See threat mitigation
modifying OSPFv2
default route redistribution, 277
hello and dead intervals, 278
MPLS (Multiprotocol Label Switching), 330
MST (Multiple Spanning Tree), 102
MSTP (Multiple Spanning Tree Protocol), 102
multiarea OSPF, 262
performance, 264
multicast addresses, 38, 73–75
multilayer switching, 235
configuring and verifying, 238
municipal Wi-Fi, 332
N
named IPv4 ACLs
adding comments, 306
extended configuration, 306
standard configuration, 305–306
NAT (Network Address Translation)
benefits of, 319
dynamic, 318
limitations, 319
process overview, 317
static, 318
navigating Cisco IOS commands, 43–44
Neighbor Solicitation (NS) messages, 134
network access layer (TCP/IP), 3, 10–12
Network Address Translation. See NAT (Network Address Translation)
network attacks, 289
access attacks, 290
DoS and DDoS attacks, 291
reconnaissance attacks, 289
social engineering attacks, 290–291
transport layer attacks, 292
network automation
configuration management tools, 402
Ansible, 403
Chef, 405
comparison of, 405
data formats
network ID (IPv4), 55
network layer (OSI), 2
choosing, 21
copper, 21
fiber-optic, 21
standards, 22
wireless, 21
network scanning/hacking tools, 286
networking icons, 13
networks, permitting, 302
next-hop parameter, IPv4 static routing, 244
NGFWs (next-generation firewalls), 17–18
no cdp enable command, 353–354
no cdp run command, 353
no lldp receive command, 357
no lldp transmit command, 357
no service dhcp command, 130
no shutdown command, 210
NS (Neighbor Solicitation) messages, 134
NTP (Network Time Protocol), 370–371
ntp server command, 370
numbered IPv4 ACLs
adding comments, 306
extended configuration, 303–305
O
Open Shortest Path First. See OSPF (Open Shortest Path First)
open system authentication, 159
OpFlex, 386
OSI (Open Systems Interconnection) model, 1–2
layers
OSPF (Open Shortest Path First), 203
multiarea, 262
performance, 264
OSPFv2, OSPFv3 versus, 261–262
single-area, 255
DR and BDR, 259
link-state advertisements, 258–261
link-state routing process, 260–261
neighbor establishment, 256–258
packet types, 256
OSPFv2
configuration example, 275–277
modifying
default route redistribution, 277
hello and dead intervals, 278
single-area
P
PaaS (Platform as a Service), 382
packet crafting tools, 287
path determination and switching functions, 196–197
packet sniffers, 287
packet-switched WAN connections, 329–330
PAgP (Port Aggregation Protocol), 115
passive interfaces, OSPF, 268
passive-interface command, 268
password command, 210
password crackers, 286
password-based attacks, 287, 290
path determination and switching functions, 196–197
PDUs (protocol data units), 4–5
penetration testing tools, 286–287
permitting
networks, 302
SSH, 310
Per-VLAN Spanning Tree Plus. See PVST+ (Per-VLAN Spanning Tree Plus)
phishing, 290
physical connections, 20
physical layer (OSI), 2, 39–40
unsuccessful, 221
Platform as a Service (PaaS), 382
point-to-point WANs, 325
POP3 (Post Office Protocol), 3
Port Aggregation Protocol (PAgP), 115
port hardening, 178
port numbers, 7
port redirection, 290
port security, 181
port speed, 47
port states
PVST+, 104
port-based memory, 32
PortFast, configuring, 110–111
positive acknowledgment, 7
positive acknowledgment with retransmission, 8
Post Office Protocol (POP3), 3
preemption, HSRP, 122
presentation layer (OSI), 2
pretexting, 290
PRI (Primary Rate Interface), 328
priority, HSRP, 122
private clouds, 382
private IP addressing, 58
protocol data units (PDUs), 4–5
protocols (TCP/IP), list of, 3–4
public clouds, 382
public IP addressing, 58
PVST+ (Per-VLAN Spanning Tree Plus), 102
port states, 104
Q
QoS (quality of service)
classification and marking, 344–347
congestion management, 347
TCP discards, 349
tools, 344
quid pro quo attacks, 291
R
RA (Router Advertisement) messages, 134
radio frequencies. See RF spectrum
RADIUS (Remote Authentication Dial-In User Service), 178–179
RADIUS server, configuring, 166
ransomware, 288
Rapid PVST+, 102
configuring, 111
edge ports, 107
interface behavior, 105
operational overview, 105
Rapid STP. See RSTP (Rapid STP)
receiving certificate, 409
reconnaissance attacks, 289
relaying requests, DHCPv4, 132–133
remote access with SSH, 222–223
remote-access VPNs, 334
restoring
resumé, certifications on, 409–410
RIPv2 (Routing Information Protocol version 2), 203
risk, 285
Rivest, Shamir, and Adleman (RSA), 338
rootkit detectors, 287
rootkits, 289
Router Advertisement (RA) messages, 134
router on a stick, 234
configuring and verifying, 235–238
router ospf command, 266
Router Solicitation (RS) messages, 134
routers, 15
configuring
EUI-64 configuration, 218
link-local addresses, 219
default routing
IPv6 configuration, 252
operational overview, 241
redistribution, 277
dynamic routing
administrative distance, 201–203
classful protocols, 200
classless protocols, 200
distance vector protocols, 198–199
IGP and EGP, 198
IGP comparison summary, 203
link-state protocols, 199, 204–207
protocol types, 198
routing loop prevention, 203–204
static routing versus, 197
path determination and switching functions, 196–197
purpose of, 227
static routing
exit-interface parameter, 244–245
next-hop parameter, 244
operational overview, 241
summary routing
IPv6 configuration, 253
verifying connectivity, 220–223
Routing Information Protocol version 2 (RIPv2), 203
routing loop prevention, 203–204
routing tables
entry structure, 232
principles, 231
RS (Router Solicitation) messages, 134
RSA (Rivest, Shamir, and Adleman), 338
RSTP (Rapid STP), 102
configuring, 111
edge ports, 107
interface behavior, 105
operational overview, 105
S
SaaS (Software as a Service), 382
satellite Internet, 332
SDA (Software-Defined Access)
architecture, 389
fabric, 390
overlay, 391
SDN (software-defined networking), 383
ACI, 386
data, control, management planes, 383–384
spine and leaf design, 387
Secure Shell. See SSH (Secure Shell)
Secure Socket Layer (SSL), IPSec versus, 340
security
access control, 175
switch port hardening, 178
attack vectors, 286
data exfiltration, 286
endpoint security, 173
network attacks, 289
access attacks, 290
DoS and DDoS attacks, 291
reconnaissance attacks, 289
social engineering attacks, 290–291
transport layer attacks, 292
penetration testing tools, 286–287
port security, 181
programs, 293
terminology, 285
WLANs, 158
selecting. See choosing
server virtualization, 379–381
servers (DHCPv4), configuring, 128–132
servers (DHCPv6), configuring stateless, 137–139
service sequence-numbers command, 367
service set identifier (SSID), 153
service timestamps command, 367
service-password encryption command, 211
session hijacking, 292
session layer (OSI), 2
shared key authentication, 159–160
shared memory, 32
shortcut keys for Cisco IOS commands, 43–44
shoulder surfing, 291
show access-lists command, 307, 312
show cdp command, 353
show cdp interface command, 352, 354
show cdp neighbors command, 353
show cdp neighbors detail command, 354–356
show cdp traffic command, 356
show commands (Cisco IOS), 44–45
show etherchannel summary command, 117–118
show file systems command, 371
show flash: command, 372, 376–377
show history command, 44
show interface command output, 215–217
show interface gigabitethernet 0/0 command, 214–215
show interface GigabitEthernet0/0/0 command, 398
show interface status command, 95
show interface switchport command, 118–119
show interfaces command, 210
duplex and speed mismatches, 52–54
interface status codes, 52
interface VLAN assignment, 91–92
show interfaces status command, 52–54
show interfaces switchport command, 95, 98
show interfaces trunk command, 93–94, 97
show ip dhcp binding command, 130
show ip dhcp conflict command, 140
show ip dhcp server statistics command, 130
show ip interface brief command, 210, 213, 237–238, 270–272
show ip interface command, 307
show ip nat statistics command, 323
show ip nat translations command, 322
show ip ospf command, 266, 273–274, 283
show ip ospf interface brief command, 274
show ip ospf interface command, 283
show ip ospf interfaces command, 266
show ip ospf neighbor command, 272, 282
show ip protocols command, 202, 266, 270–272, 282
show ip route command, 200–201, 210, 212–213, 237–238, 270–272
show ip route ospf command, 283
show ipv6 access-list command, 312
show ipv6 interface command, 138, 313
show ipv6 interface gigabitethernet 0/0 command, 220
show ipv6 route command, 251
show lldp interface command, 358–360
show lldp neighbors command, 358–360
show lldp neighbors detail command, 358–360
show lldp traffic command, 358–360
show mac address-table command, 95
show ntp associations command, 370–371
show ntp status command, 370–371
show port-security command, 182–183
show port-security interface command, 184
show run command, 117, 311–312, 323
show running-config command, 210, 212, 307–308
show snmp community command, 365
show spanning-tree active command, 111
show spanning-tree bridge command, 111
show spanning-tree command, 110, 111
show spanning-tree detail command, 111
show spanning-tree interface command, 111
show spanning-tree summary command, 111
show spanning-tree vlan command, 111
show version command, 375
show vlan brief command, 88–89, 90, 91, 95
show vlan id command, 95
Simple Mail Transfer Protocol (SMTP), 3
Simple Network Management Protocol. See SNMP (Simple Network Management Protocol)
single-area OSPF, 255
passive interfaces, 268
router ospf command, 266
DR and BDR, 259
link-state advertisements, 258–261
link-state routing process, 260–261
neighbor establishment, 256–258
packet types, 256
site-to-site VPNs, 333
SLAAC (stateless address autoconfiguration), 79–80, 134–135
SMTP (Simple Mail Transfer Protocol), 3
sniffer attacks, 288
SNMP (Simple Network Management Protocol), 3, 361
components of, 361
configuring, 364
versions, 362
snmp-server community command, 364
social engineering attacks, 290–291
Software as a Service (SaaS), 382
Software-Defined Access. See SDA (Software-Defined Access)
software-defined networking. See SDN (software-defined networking)
SOHO (small office/home office), 23–24, 223–224
solicited-node multicast addresses, 74–75
something for something attacks, 291
spam, 290
Spanning Tree Protocol. See STP (Spanning Tree Protocol)
spanning-tree mode rapid-pvst command, 111
spear phishing, 290
spine and leaf design, 387
split-MAC architecture, 157–158
spoofing attacks (DHCP), 188, 290
spyware, 289
SSH (Secure Shell)
denying, 303
permitting, 310
SSID (service set identifier), 153
SSL (Secure Socket Layer), IPSec versus, 340
standard IPv6 ACLs, configuring, 310
standard named IPv4 ACLs
adding comments, 306
standard numbered IPv4 ACLs
adding comments, 306
starvation attacks (DHCP), 188
stateful DHCPv6, 136
configuring, 139
stateless address autoconfiguration (SLAAC), 79–80, 134–135
stateless DHCPv6, 136
static IP addresses, testing connectivity, 140
static NAT, 318
static routing. See also default routing; summary routing
dynamic routing versus, 197
IPv4
exit-interface parameter, 244–245
next-hop parameter, 244
IPv6
configuring, 251
operational overview, 241
store-and-forward switching, 31
STP (Spanning Tree Protocol)
configuring, 108
PortFast and BPDU Guard, 110–111
verifying, 111
subconfiguration modes (Cisco IOS), 45
subnet addresses, listing, 60–61
subnet IDs, subnetting, 78
subnet masks
determining new, 60
subnets, denying, 303
subnetting
addressing scheme, listing, 60–61
bits to borrow, determining, 59–60
subnet masks, determining new, 60
subnet multiplier, determining, 60
summary routing
IPv6, configuring, 253
SVIs (switch virtual interfaces), creating, 238–240
switches
access layer, 14
benefits of, 37
choosing, 14
collision/broadcast domains, 31
configuring, 41
basic configuration commands, 45–47
command history, 44
EXEC sessions, 42
half duplex, full duplex, port speed, 47
navigating and editing commands, 43–44
subconfiguration modes, 45
distribution layer, 14
evolution to, 29
hubs versus, 13
memory buffering, 32
port hardening, 178
symmetric/asymmetric, 32
duplex and speed mismatches, 52–54
interface status codes, 52
Layer 1 problem indicators, 54
verifying port configuration, 140
switchport port-security aging command, 183
switchport port-security violation command, 181
symmetric switching, 32
syslog
configuring and verifying, 367–369
message format, 367
severity levels, 366
T
TACACS+ (Terminal Access Controller Access Control System Plus), 178–179
tailgating, 291
TCP (Transmission Control Protocol), 3
attacks, 292
connection establishment/termination, 9
flow control, 8
header, 6
port numbers, 7
QoS and, 349
TCP/IP (Transmission Control Protocol/Internet Protocol) model, 1–2
layers
application, 5
encapsulation summary, 12
Internet, 10
list of, 3
Telnet, 3
terminal history command, 44
terminal history size 50 command, 44
terminal no history command, 44
terminal no history size command, 44
threat mitigation, 285
threats, 285
TKIP (Temporal Key Integrity Protocol), 161
WANs, 325
traceroute command
successful, 221
unsuccessful, 222
traffic types, 84
Transmission Control Protocol. See TCP (Transmission Control Protocol)
transport input ssh command, 210
transport layer attacks, 292
transport layer (OSI), 2
transport layer (TCP/IP), 3, 5–10
Triple DES (3DES), 338
Trojan horses, 288
troubleshooting
DHCP, 140
EtherChannel, 119
HSRP, 126
duplex and speed mismatches, 52–54
interface status codes, 52
Layer 1 problem indicators, 54
trunking
trust exploitation, 290
U
UDP (User Datagram Protocol), 4
attacks, 292
port numbers, 7
ULAs (unique local addresses), 72
link-local, 71
loopback, 71
unique local, 72
unspecified, 71
unspecified unicast addresses, 71
URIs (uniform resource identifiers), 400–401
User Datagram Protocol. See UDP (User Datagram Protocol)
username password command, 210
V
variable-length subnet masking (VLSM), 62–64
verifying
host IP settings
multilayer switching, 238
router configuration with IPv4, 212–217
STP, 111
switch port configuration, 140
virtual local-area networks. See VLANs (virtual local-area networks)
virtual machines (VMs), 380–381
virtual network infrastructure, 382–383
virtual private networks. See VPNs (virtual private networks)
Virtual Router Redundancy Protocol (VRRP), 120
viruses, 288
VLANs (virtual local-area networks). See also inter-VLAN routing
attacks
mitigation, 187
types of, 186
disabling, 96
traffic types, 84
VLSM (variable-length subnet masking), 62–64
VMs (virtual machines), 380–381
voice VLANs, 85
VPNs (virtual private networks), 333
benefits of, 333
VRRP (Virtual Router Redundancy Protocol), 120
vulnerability, 285
vulnerability explotation tools, 287
vulnerability scanners, 287
W
WANs (wide-area networks)
choosing, 332
topologies, 325
web traffic, permitting, 310–311
WEP (Wired Equivalent Privacy), 159
Wi-Fi Protected Access (WPA), 159, 160
WiMAX, 332
windowing, 8
Windows, verifying host IP settings, 143–145
wireless access points (APs), 18–20
wireless hacking tools, 286
wireless LAN controller. See WLC (wireless LAN controller)
wireless LANs. See WLANs (wireless LANs)
wireless network media, 20, 21
wireless protocols, 4
wireless standards
wireless topologies
IBSS, 154
mesh, 154
wireless WAN connections, 332
configuring
RADIUS server, 166
security, 158
WLC (wireless LAN controller)
configuring with WLAN, 165
RADIUS server, 166
worms, 288
WPA (Wi-Fi Protected Access), 159, 160
WPA2, 160
Z
zombies, 291