Index

Numbers

2-tier campus design, 291-293

3G wireless, 320

3-tier campus design, 293-295

4G wireless, 320-321

5G wireless, 320

802.1Q headers, 237-238

802.11 headers, 238

A

AAA (Authentication, Authorization, Accounting), 82-83

aaS (as a Service), 339

access

Internet, 317-321

public cloud services, 342-346

security

physical access control, 84

user access, 82-83

user awareness/training, 83

access-class command, 62, 95, 105

access links

MetroE, 306

MPLS, 314

access-list 101 command, 60

access-list command, 33-35, 42, 46-50, 54, 62, 397

any keyword, 34

building ACLs with, 39-40

deny keyword, 34

examples and logic explanations, 50

extended numbered ACL configuration commands, 51

log keyword, 38

permit keyword, 31, 34

reverse engineering from ACL to address range, 40-41

tcp keyword, 48

udp keyword, 48

access switches, 291, 295

accounting (AAA), 82-83

ACE (Access Control Entries), 397-398

ACI (Application Centric Infrastructure), 369, 373

IBN, 371

leaf switches, 370

spine switches, 370

ACK flags, 12

ACLs (Access Control Lists), 397-398

ARP ACL, 159

classification, 235

comparison of ACL types, 28

controlling Telnet and SSH access with, 95

deny all statements, 31

extended numbered ACLs, 46-54

implementation considerations, 59-60

location and direction, 26-27

matching packets, 27

named ACLs, 54-58

numbered ACLs, 58-59

overview, 26

QoS tools, compared, 233

SDA, 399

SNMP security, 267

standard numbered ACLs, 29-41

troubleshooting, 222

active mode (FTP), 276

addresses. See also ACLs

any/all IP addresses, matching, 34

CIDR, 205-206

inside global, 209

inside local, 209

IP addresses

commands, 139-140

destination IP addresses, 95

DNS IP addresses, 128

origin IP addresses, 157-159, 163-164

RELEASE messages, filtering based on IP addresses, 151

IPv4, 204

CIDR, 205-206

dynamic IP address configuration with DHCP, 131

host settings, 133-140

matching addresses, 31-34

NAT, 202, 207-223

private addressing, 206

QoS marking, 237

routing, 26, 223

scalability, 204-205

IPv6, QoS marking, 237

MAC addresses, 109, 113

NAT, 202, 207-222

private addressing, 206

scalability, 204-205

spoofing attacks, 72

amplification attacks, 75

DDoS attacks, 75

DoS attacks, 73-74

Man-in-the-Middle attacks, 76-77

reflection attacks, 75

AF (Assured Forwarding), 240

AF DiffServ RFC (2597), 240

AF DSCP value marking, 240

agents, SNMP, 264-267

allocation, DHCP, 129

Amazon Web Services (AWS), 340

amplification attacks, 75

Ansible, 422, 438-439, 442

answering exam questions, 456-457

anti-replay (Internet VPNs), 321

any/all IP addresses, matching, 34

any keyword, 34

AnyConnect Secure Mobility Client, 325

APIs (Application Programming Interfaces), 364

DNA Center, 415

JSON

arrays, 424-426

beautified JSON, 426

data serialization, 418-423

key:value pairs, 423-426

minified JSON, 426

objects, 424-426

REST APIs, 418, 422-423

REST, 366

REST APIs, 408

cacheable resources, 410

client/server architecture, 409, 419-420

data structures, 411-412

dictionary variables, 411-412

DNA Center calls, 417-418

HTTP, 413-416

JSON, 422-423

key:value pairs, 412

list variables, 411-412

simple variables, 410-411

stateless operation, 410

RESTful, 366

XML, data serialization, 421-423

YAML, data serialization, 422-423

APIC (Application Policy Infrastructure Controller), 372

APIC-EM (Application Policy Infrastructure Controller-Enterprise Module), 373-374

app (application) servers, 371

Application Centric Infrastructure. See ACI

Application Programming Interfaces. See APIs

application signatures, 236

Application-Specific Integrated Circuit (ASIC), 362

architectures, SDN, 367-369, 373-375

arp -a command, 142

ARP ACL (Address Resolution Protocol Access Control Lists), 159

ARP messages

DAI, 156

filtering MAC addresses, 159

logic of, 158

gratuitous ARP as an attack vector, 157-158

origin hardware addresses, 159-160

arrays (JSON), 424-426

as a Service (-aaS), 339

ASA (Adaptive Security Appliance) firewall, 96

ASIC (Application-Specific Integrated Circuit), 362

Assured Forwarding (AF), 240

attacks (security)

amplification attacks, 75

ARP messages (gratuitous), 157-158

brute-force attacks, 80

buffer overflow attacks, 78

DDoS attacks, 75

DHCP-based attacks, 147

dictionary attacks, 80

DoS attacks, 73-74

malware, 78-79

Man-in-the-Middle attacks, 76-77

password guessing, 80

pharming attacks, 79

phishing attacks, 79

reconnaissance attacks, 77-78

reflection attacks, 75

smishing attacks, 79

social engineering attacks, 79

spear phishing attacks, 79

spoofing attacks, 72-77

Trojan horses, 78

viruses, 78

vishing attacks, 79

watering hole attacks, 79

whaling attacks, 79

worms, 78

AUTH command, 279

authentication (AAA), 82-83

Internet VPNs, 321

SNMPv3, 268

authorization (AAA), 82-83

automatic allocation, 129

automation

configuration automation files, 437

network management, 376-378

AVC (Application Visibility and Control)

NGFW, 101

NGIPS, 103

AWS (Amazon Web Services), 340

B

bandwidth, managing, 228

batch traffic, 230

beautified JSON, 426

binary wildcard masks, 33

binding tables (DHCP snooping), 150

biometric credentials (security), 81

blocks (CIDR), 206

boot system command, 281

branch offices public cloud example

email services traffic flow, 347-349

Internet connections, 349

private WAN connections, 349

broadcast flags, 125

browsing web

HTTP, 16-17, 20-21

URIs, 17-18

URLs, 17

brute-force attacks, 80

budgeting time (exams), 450-451

buffer overflow attacks, 78

C

cable Internet, 319-320

CAC (Call Admission Control) tools, 245

cacheable resources (REST API), 410

campus LANs

overview, 290

three-tier campus design, 293-295

topology design terminology, 295

two-tier campus design, 290-293

CBWFQ (Class-Based Weighted Fair Queuing), 243

CDP (Cisco Discovery Protocol)

configuration, 193-194

discovering information about neighbors, 190-193

verification, 193-194

cdp enable command, 200

cdp run command, 200

CE (Customer Edge), 313

centralized configuration files, 432

centralized control planes, 363

certificates (digital), security, 81

chapter reviews (exam preparation), 464

checklists (practice exams), 455, 459

Chef, 438, 441-442

CIDR (Classless Interdomain Routing), 205-206

CIR (Committed Information Rate), 247

Cisco Discovery Protocol. See CDP

Cisco Learning Network, exam preparation, 464

Cisco Prime management products website, 264

Class-Based Weighted Fair Queuing (CBWFQ), 243

Class of Service (CoS) field (802.1Q header), 237

Class Selector (CS), 241

classification, QoS, 233-236

clear ip nat translation command, 211, 219, 225

clear logging command, 179

clear-text passwords, SNMP, 267

CLI (Command-Line Interface), practicing with (exam preparation), 460-461

clients

NTP, 183-186

VPNs, 325

clock set command, 182-183

clock summer-time command, 183, 200

clock timezone command, 183, 200

cloud computing, 328, 336

“as a service” model, 339-342

cloud services catalogs, 338

CSRs, 344

IaaS, 339-340

PaaS, 341-342

private, 337-338

public, 337-339, 342-349

SaaS, 341

services, 336-337

cloud services catalogs, 338

Cloud Services Routers (CSRs), 344

codecs, 231

collapsed core design, 290-293

commands

access-class, 62, 95, 105

access-list, 31-35, 38-51, 54, 62, 397

access-list 101, 60

arp -a, 142

AUTH, 279

boot system, 281

cdp enable, 200

cdp run, 200

clear ip nat translation, 211, 219, 225

clear logging, 179

clock set, 182-183

clock summer-time, 183, 200

clock timezone, 183, 200

configure, 430

copy, 270-271, 274-275, 282

copy ftp flash, 274

copy running-config startup-config, 112, 428

copy tftp flash, 271

crypto key generate rsa, 105

debug, 177, 180-181, 201

debug ip nat, 219, 225

debug ip rip, 180

deny, 55-57, 62

dig, 78

dir, 272, 282

enable password, 90, 105

enable secret, 90-94

ifconfig, 134, 137-142

interface loopback, 200

ip access-group, 36, 43, 51, 60-62

ip access-list, 55, 62

ip access-list extended, 56

ip address, 139-140

ip address dhcp, 132

ip arp inspection validate, 164

ip dhcp snooping information option, 153

ip ftp password, 281

ip ftp username, 281

ip helper-address, 125-127, 141

ip nat, 225

ip nat inside, 213, 215, 220-222

ip nat inside source, 217, 225

ip nat inside source list, 220-222

ip nat inside source list pool, 216

ip nat inside source static, 213-215, 222

ip nat outside, 213-215, 220-222

ip nat pool, 216, 225

ip nat pool netmask, 215

ip route configuration, 133

ipconfig, 134, 142

line console, 105

line vty, 105

lldp holdtime, 198

lldp receive, 201

lldp run, 197, 201

lldp timer, 198

lldp transmit, 201

logging, 200

logging buffered, 175, 179, 200

logging buffered warning, 181

logging console, 174, 200

logging host, 175

logging monitor, 175, 200

logging monitor debug, 181

logging trap, 200

logging trap 4, 181

login, 105

login local, 105

more, 270

netstat -rn, 136-142

no cdp enable, 193

no enable secret, 105

no ip access-group, 60

no ip dhcp snooping information option, 152-153

no logging console, 177

no logging monitor, 177

no service password-encryption, 90

no shutdown, 115, 121, 179

nslookup, 78

ntp master, 183-185, 188, 200

ntp server, 183, 188, 200

ntp source, 200

password, 90, 105

PASV, 278

permit, 55-57, 62

PORT, 277-278

port-security, 111

remark, 55, 62

service password-encryption, 89-90, 105

service sequence-numbers, 200

show access-lists, 35, 43, 56, 62

show arp, 142

show cdp, 193-194, 197-198, 201

show cdp entry, 190, 193

show cdp interface, 193-194

show cdp neighbors, 190-195

show cdp neighbors detail, 190-193

show cdp traffic, 193-194

show clock, 201

show dhcp lease, 131

show flash, 270-272, 282

show interfaces, 115, 121

show interfaces loopback, 201

show interfaces status, 115-116

show interfaces switchport, 377

show interfaces vlan, 131

show ip access-list, 43, 57, 59

show ip access-lists, 35, 59, 62

show ip arp, 142

show ip arp inspection, 161-163

show ip default-gateway, 132

show ip dhcp conflict, 142

show ip dhcp snooping, 153-155

show ip dhcp snooping binding, 162

show ip interface, 36, 43, 130

show ip nat statistics, 215-222, 225

show ip nat translations, 214-225

show lldp, 201

show lldp entry, 196

show lldp interface, 198

show lldp neighbors, 195

show logging, 175-178, 201

show mac address-table dynamic, 113-114, 121, 167

show mac address-table secure, 113-114, 121

show mac address-table static, 113, 121

show ntp associations, 184-186, 201

show ntp status, 184, 201

show port-security, 115-116, 121

show port-security interface, 112-121

show process cpu, 181

show running-config, 35, 56-59, 105, 121, 167, 270

show running-config | interface, 121, 167

show running-config, 35, 89

show startup-config, 270

shutdown, 115, 121, 179, 182

ssh, 95

switchport mode, 120, 167, 377

switchport mode access, 110-111

switchport mode trunk, 110

switchport port-security, 110-111

switchport port-security mac-address, 110-111, 120

switchport port-security mac-address sticky, 110-111, 120, 167

switchport port-security maximum, 110, 120

switchport port-security violation, 110, 114, 120

telnet, 95

terminal monitor, 175, 181, 201

terminal no monitor, 201

transport input, 105

transport input ssh, 89

username, 105

username password, 94

username secret, 94

verify, 273, 282

verify /md5, 273, 282

whois, 78

Committed Information Rate (CIR), 247

communities (SNMP), 267

Community-based SNMP Version 2 (SNMPv2c), 267

community strings (SNMP), 267

confidentiality, Internet VPNs, 321

configuration

ACLs, 34-38

Ansible, 438-439, 442

automation files, 437

CDP, 193-194

centralized configuration files, 432

Chef, 438, 441-442

DAI, 160-165

DHCP, 131

relays, 130

snooping, 152-156

drift, 430-431

extended numbered ACLs, 51-54

IPv4, 131

LLDP, 197-198

management, 428-430

monitoring, 433

named ACLs, 55-56

NAT, 214-222

NTP

client/server, 183-184

redundant configuration, 186-188

numbered ACLs, 58-59

per-device configuration model, 431

provisioning, 434-435

Puppet, 438-442

routers as DHCP clients, 132-133

switches

as DHCP clients, 130-132

interfaces, 108-113

Syslog, 178-180

templates, 435-437

variables, 435-437

VMs, 334

configure command, 430

congestion

avoidance, 250-251

management

LLQ, 243-245

multiple queues, 242

prioritization, 242

round robin scheduling, 243

strategy, 245

connectionless protocols, 13

connections

connection-oriented protocols, 13

establishment and termination (TCP), 12-13

public cloud access, 342-346

public cloud branch offices, 349

contextual awareness, NGIPS, 103

control connection (FTP), 277

control plane (networking devices), 360-363

controllers

centralized control, 363

defined, 362

networks, 375-379

NBIs, 365-366

OpenDaylight SDN controller, 368

OSC, 369

SBIs, 364

copy command, 270-271, 274-275, 282

copy ftp flash command, 274

copy running-config startup-config command, 112, 428

copy tftp flash command, 271

copying IOS images, 271-274

core design, 293-295

CoS (Class of Service) field (802.1Q header), 237-238

CRUD actions (software), 413-414

crypto key generate rsa command, 105

CS (Class Selector), 241

CS DSCP values, marking, 241

CSRs (Cloud Services Routers), 344

customer edge (CE), 313

D

DAI (Dynamic ARP Inspection), 156

configuring, 160-165

layer 2 switches, 160-163

logic of, 158

MAC addresses, filtering, 159

message checks, 164-165

message rate limits, 163-164

data application traffic, 229-230

data centers (virtual)

networking, 333

physical networks, 334-335

vendors, 333

workflow, 335-336

data connection (FTP), 277

data integrity, Internet VPNs, 321

data plane (networking devices), 359-361

data serialization

JSON, 418-422

arrays, 424-426

beautified JSON, 426

key:value pairs, 423-426

minified JSON, 426

objects, 424-426

XML, 421-423

YAML, 422-423

data structures, 411-412

databases

MIB, 264-267

signature databases and IPS, 99

DB (Database) servers, 371

DDoS (Distributed Denial-of-Service) attacks, 75

debug command, 177-181, 201

debug ip nat command, 219, 225

debug ip rip command, 180

decimal wildcard masks, 31-32

default routers, verification, 136-140

delay, managing, 229

deleting single points of failure, 258-259

demilitarized zones (DMZ), 98

denial of service (DoS) attacks, 97

deny all statements, 31

deny command, 55-57, 62

deny keyword, 28, 34

destination IP

addresses, 95

matching, 46-48

destination port numbers, 8-9

devices

hardening

controlling Telnet and SSH access with ACLs, 95

firewalls, 96-97

management protocols

CDP, 190-194

LLDP, 194-198

NTP, 181-189

Syslog, 174-181

networking, 359-363

per-device configuration model, 431

security

device hardening, 95-97

IOS passwords, 88-94

DHCP (Dynamic Host Configuration Protocol), 122

advantages of, 124

automatic allocation, 129

broadcast flags, 125

DHCP Relay, 126-127, 130

dynamic allocation, 129

information stored at DHCP server, 128

overview, 124-126

relays

configuring, 130

supporting, 126-127

troubleshooting, 130

routers, 128, 132-133

rules of, 149

servers, 128

snooping, 146

binding tables, 150

configuring, 152-156

DHCP-based attacks, 147

DHCP message rate limits, 154-156

DISCOVER messages, 150

layer 2 switches, 152-154

logic of, 148-149

RELEASE messages, 151

static allocation, 129

switches, configuring as DHCP clients, 130-132

troubleshooting, 130

dictionary attacks, 80

dictionary variables, REST APIs, 411-412

Differentiated Services Code Point (DSCP), 234

DiffServ DSCP marking values

AF, 240

CS, 241

EF, 240

dig command, 78

digital certificates (security), 81

digital subscriber lines (DSLs), 318

dir command, 272, 282

direction (ACLs), 26-27

DISCOVER messages, filtering based on MAC addresses, 150

disk file systems, 270

distributed control planes, 363

distribution switches, 291, 295

DMZ (Demilitarized Zones), 98

DNA Center, 384, 389, 395

APIs, 415

IP security, 397-398

network management, 400-401

Path Trace feature, 403

PI, 400-401

REST API calls, 417-418

scalable groups, 396

SDA

SGT, 399

user group security, 398-399

SGT, 399

topology map, 401-403

traditional management

differences with, 402-403

similarities to, 401

VXLAN tunnels, 399

DNS (Domain Name System), 11

DNS IP addresses, 128

DNS IP servers, 128

recursive DNS lookups, 19

web servers, finding, 18-20

DoS (Denial-of-Service) attacks, 73-74, 97

DSCP (Differentiated Services Code Point), 234

DSCP fields (QoS marking), 238

marking values, 240-241

DSLs (Digital Subscriber Lines), 318

DSLAMs (DSL access multiplexers), 318

dynamic allocation, 129

dynamic (ephemeral, private) ports, 9

Dynamic Host Configuration Protocol. See DHCP

dynamic IP address configuration, 131

dynamic NAT (Network Address Translation)

configuration, 215-217

overview, 210-211

troubleshooting, 222

verification, 217-219

dynamic windows, 15-16

E

earplugs (exam preparation), 451

Eclipse IDE, 341

editing named ACLs, 56-58

EF (Expedited Forwarding), 238

EF DSCP value marking, 240

EF RFC (RFC 3246), 240

EID (Endpoint Identifiers), 392

E-LAN (Ethernet LAN) service, 308, 311

elasticity, cloud computing, 337

E-Line (Ethernet Line) service, 307-310

email, public cloud branch office traffic flow, 347-349

enable password command, 90, 105

enable secret command, 90-94

encoding IOS passwords with hashes, 90-94

encryption

IOS passwords, 89-90

IPsec, 323-324

keys, 323

SNMPv3, 268

End-to-End QoS Network Design, Second Edition (Cisco Press), 232

endpoints, EPGs, 371

Enterprise QoS Solution Reference Network Design Guide, 232

enterprises, classification matching, 234

EPGs (Endpoint Groups), 371

ephemeral (dynamic, private) ports, 9

eq 21 parameters, 49

err-disabled state, 115

err-disabling recovery, troubleshooting, 117

error detection, 6

error recovery, 6, 13-14

Ethernet

802.1Q headers, 237-238

802.11 headers, 238

access links, 306

IEEE standards, 306

PoE, 297-299

Ethernet LAN (E-LAN) service, 308

Ethernet LANs

campus LANs, 290-295

physical standards, 296-297

port security, 108-113

troubleshooting, 115-119

Ethernet Line (E-Line) service, 307-310

Ethernet Tree (E-Tree) service, 309

Ethernet Virtual Connection (EVC), 307

Ethernet WANs, public cloud connections, 345

E-Tree (Ethernet Tree) service, 309

EVC (Ethernet Virtual Connection), 307

exact IP addresses, matching, 31

exams

chapter reviews, 464

failing, 463

NDAs, 454

post exam process, 453

practice exams, 454

checklists, 455, 459

PTP questions, 455

PTP software, 458-459

preparing for

24 hours before the exam, 452

30 minutes before the exam, 452-453

earplugs, 451

one week away preparation, 451-452

taking notes, 452

travel time, 452

questions

answering, 456-457

multichoice questions, 449-450, 457

Premium Edition questions, 457

PTP questions, 455

simlet questions, 450

simulation questions, 449

testlet questions, 450

reviewing for exams

answering questions, 456-457

chapter reviews, 464

Cisco Learning Network, 464

CLI practice, 460-461

knowledge gaps, 458-459

practice exams, 454-455, 458-459

Premium Edition questions, 457

second attempts at passing, 463

self-assessments, 462-463

VUE testing center, 455

time

budgeting, 450-451

time-check method, 451

video tutorials, 449

excluded (reserved) addresses, DHCP servers, 128

Expedited Forwarding (EF), 238

exploits (security), 72

extended numbered IPv4 ACLs

configuration, 51-54

matching protocol, source IP, and destination IP, 46-48

matching TCP and UDP port numbers, 48-50

overview, 46

F

fabric border node (SDA underlays), 387

fabric control node (SDA underlays), 387

fabric edge node (SDA underlays), 387

fabric SDA, 384

failing exams, 463

failover, HSRP, 261-262

FHRPs (First Hop Redundancy Protocols), 254, 257

features, 260

HSRP, 261-263

need for, 259-260

options, 260

fiber Internet, 321

FIFO (First-In, First-Out), 242

file system, 268-270

File Transfer Protocol. See FTP

files

automation configuration variables, 437

centralized configuration files, 432

managing

IOS file system, 268-270

upgrading IOS images, 270-274

transferring, 20-21

filtering

DISCOVER messages based on MAC addresses, 150

MAC addresses, DAI, 159

RELEASE messages based on IP addresses, 151

reputation-based filtering, NGIPS, 103

FIN bits, 12

finding

web servers with DNS, 18-20

wildcard masks, 33-34

firewalls

locations, 96-97

NGFW, 100-101

security zones, 97

stateful firewalls, 96

flash memory, 269

flow

control, TCP, 15-16

networking, 231

public cloud traffic, 347-349

forward acknowledgment, 14

forwarding plane. See data plane

frames, defined, 233

FTP (File Transfer Protocol), 275

active mode, 276

control connection, 277

copying IOS images with, 273-274

data connection, 277

passive mode, 276

FTPS (File Transfer Protocol Secure), 279

full drops, 251

full mesh topology, 291, 295, 308

G

Get messages

agent information, 264

RO/RW communities, 267

GET requests, 20

GitHub, 433

Google App Engine PaaS, 341

H

hardware

Cisco server, 330-331

origin hardware addresses, 159-160

hashes

coding passwords with, 90

enable secret command, 92-94

MD5 hash algorithm, 93

headers

802.1Q, 237-238

802.11, 238

IP, 237-238

MPLS Label, 238

hiding passwords for local usernames, 94

history, SNMP, 263

home office wireless LANs, 296-297

hosts

IPv4 settings, 133-140

server virtualization, 332

HSRP (Hot Standby Router Protocol)

active/passive model, 261

failover, 261-262

load balancing, 262-263

HTTP (Hypertext Transfer Protocol)

overview, 16-17, 20-21

REST APIs, 413-416

software CRUD actions, 413-414

URIs, 17-18, 414-416

hub and spoke topology (MetroE), 309

human vulnerabilities (security), 79-80

hybrid topology, 291, 295

hypervisors, 332

I

IaaS (Infrastructure as a Service), 339-340

IANA (Internet Assigned Numbers Authority), 205

IBN (Intent-Based Networking), 371, 398

IEEE, Ethernet standards, 306

ifconfig command, 134, 137-142

images (IOS), 270-274

Inform messages, 265-266

Infrastructure as a Service (IaaS), 339-340

inside global addresses, 208-210

inside local addresses, 208-210

instantiating VMs, 340

interactive data application traffic, 230

interactive voice traffic, 232

intercloud exchanges, 346

interface loopback command, 200

interfaces

application programming. See APIs

LAN, 228

NBIs, 365-366

port security, 108-118

SBIs, 364

WANs, 228

internal processing (switches), 361-362

Internet

access, 317-321

cable Internet, 319-320

DSL, 318

fiber Internet, 321

ISPs, 317

public cloud

accessing, 342-344

computing branch office connections, 349

VPNs, 317, 321-326

as WAN service, 317

wireless WANs, 320-321

Internet Assigned Numbers Authority (IANA), 205

IOS (Internetwork Operating System)

file management, 268-274

passwords, 88-94

ip access-group command, 36, 43, 51, 60-62

ip access-list command, 55, 62

ip access-list extended command, 56

IP ACLs (Access Control Lists). See ACLs

ip address dhcp command, 132

IP addresses

commands, 139-140

destination IP addresses, 95

DNS IP addresses, 128

IPv4. See also ACLs

CIDR, 205-206

dynamic IP address configuration with DHCP, 131

host settings, 133-140

matching addresses, 31-34

NAT, 202, 207-223

private addressing, 206

QoS marking, 237

routing, 26, 223

scalability, 204-205

IPv6, QoS marking, 237

origin IP addresses, 157-159, 163-164

RELEASE messages, filtering based on IP addresses, 151

IP ARP (Internet Protocol Address Resolution Protocol), 156-157

ip arp inspection validate command, 164

ip dhcp snooping information option command, 153

ip ftp password command, 281

ip ftp username command, 281

IP headers, QoS marking, 237-238

ip helper-address command, 125-127, 141

ip nat command, 225

ip nat inside command, 213-215, 220-222

ip nat inside source command, 217, 225

ip nat inside source list command, 220-222

ip nat inside source list pool command, 216

ip nat inside source static command, 213-215, 222

ip nat outside command, 213-215, 220-222

ip nat pool command, 216, 225

ip nat pool netmask command, 215

IPP (IP Precedence) fields (QoS marking), 238, 241

ip route configuration command, 133

ipconfig command, 134, 142

IPS (Intrusion Prevention Systems), 99

NGIPS, 100-103

signature databases, 99

IPsec

DNA Center, 397-398

encryption, 323-324

site-to-site VPNs, 322-326

IPv4 (Internet Protocol Version 4) addresses. See also ACLs

CIDR, 205-206

dynamic IP address configuration with DHCP, 131

host settings, 133-140

matching addresses, 31-34

NAT, 202, 207-223

private addressing, 206

QoS marking, 237

routing, 26, 223

scalability, 204-205

IPv6 (Internet Protocol Version 6), QoS marking, 237

ISPs (Internet Service Providers), 317

J

Jenkins continuous integration and automation tool, 341

jitter, 229

JSON (JavaScript Object Notation)

arrays, 424-426

beautified JSON, 426

data serialization, 418-423

key:value pairs, 423-426

minified JSON, 426

objects, 424-426

REST APIs, 418, 422-423

K

key:value pairs

JSON, 423-426

REST APIs, 412

keys (encryption), 323

keywords

any, 34

deny, 28, 34

log, 38

permit, 28, 34

tcp, 48

udp, 48

knowledge gaps (exam preparation), 458-459

KVM (Keyboard, Video display, or Mouse), 330

L

L4PDU (Layer 4 Protocol Data Units), 7

LANs (Local-Area Networks)

Ethernet LANs, 290-295

interfaces, 228

physical standards, 296-297

PoE, 297-299

port security, 108-117

SDA, 387

switching, port security, 108-118

wireless LANs, 296-297

layer 2 switches

DAI, 160-163

DHCP snooping, 152-154

Layer 3 design, MPLS, 313-317

Layer 3 MetroE design

E-LAN service, 311

E-Line service, 309-310

leaf switches, ACI, 370

line console command, 105

line vty command, 105

Link Layer Discovery Protocol (LLDP), 194-198

links, 17, 306, 314

Linux, host IPv4 settings, 138-140

LISP (Locator/ID Separation Protocol), overlays (SDA), 392-393

list logic (IP ACLs), 29-31

list variables, REST APIs, 411-412

LLDP (Link Layer Discovery Protocol), 194-198

lldp holdtime command, 198

lldp receive command, 201

lldp run command, 197, 201

lldp timer command, 198

lldp transmit command, 201

LLQ (Low Latency Queuing), 243-245

load balancing, HSRP, 262-263

local usernames, hiding passwords for, 94

location (ACLs), 26-27

log keyword, 38

logging, Syslog, 174-181

logging buffered command, 175-179, 200

logging buffered warning command, 181

logging command, 200

logging console command, 174, 200

logging host command, 175

logging monitor command, 175, 200

logging monitor debug command, 181

logging trap command, 200

logging trap 4 command, 181

login command, 105

login local command, 105

Long-Term Evolution (LTE), 320

loopback interfaces, NTP, 188-189

loss, managing, 229

Low Latency Queuing (LLQ), 243-245

LTE (Long-Term Evolution), 320

M

MAC addresses

filtering

DAI, 159

DISCOVER messages, 150

port security, 113

sticky secure MAC addresses, 109

macOS, host IPv4 settings, 136-138

malware, 79

NGFW and, 101

Trojan horses, 78

viruses, 78

worms, 78

Man-in-the-Middle attacks, 76-77

Management Information Base. See MIB

management plane (networking devices), 361

managers, SNMP, 264

managing

bandwidth, 228

delay, 229

jitter, 229

loss, 229

marking, 236

with classification, 234

defined, 234

DiffServ DSCP values, 240-241

DSCP marking values, 241

Ethernet 802.1Q headers, 237-238

Ethernet 802.11 headers, 238

IP headers, 237-238

MPLS Label headers, 238

trust boundaries, 238-239

matching packets, 27

matching parameters

extended numbered ACLs, 46-50

standard numbered ACLs, 31-34

MD5 hash algorithm, 93

MD5 verification, 273

measuring cloud computing services, 337

MEF (Metro Ethernet Forum), 306

memory

flash memory, 269

TCAM, 362

messages

checks, DAI, 164-165

Get, 264, 267

Inform, 265-266

integrity, SNMPv3, 268

log messages, 175-177

rate limits

DAI, 163-164

DHCP snooping, 154-156

sending to users, 174-175

Set, 264, 267

SNMP, 265

Trap, 265-266

MetroE, 304

access links, 306

IEEE Ethernet standards, 306

Layer 3 design, 309-311

MEF, 306

physical design, 305-306

services, 306-311

topologies, 307-309

MIB (Management Information Base), 264, 267

OIDs, 266

variables

monitoring, 265

numbering/names, 266

minified JSON, 426

monitoring

configuration, 433

MIB variables, 265

more command, 270

MPBGP (Multiprotocol BGP), 316

MPLS (Multi-Protocol Label Switching), 311-312

access links, 314

Label headers, QoS marking, 238

Layer 3 design, 313

MPLS VPNs, 315-317

public cloud connections, 345

QoS, 314-315

multichoice questions (exams), 449-450, 457

multifactor credentials (security), 81

multiple queues (queuing systems), 242

multiplexing, 7-10

multithreading, 332

N

named ACLs

configuration, 55-56

editing, 56-58

overview, 54-55

names, MIB variables, 266

NAT (Network Address Translation), 202

dynamic NAT, 210-211, 215-219

overview, 207-208

PAT, 211-213, 219-222

source NAT, 208

static NAT, 208-210, 214-215, 222

troubleshooting, 222-223

NAT Overload. See PAT

National Institute of Standards and Technology (NIST), 336

NBAR (Network Based Application Recognition), 235-236

NBIs (Northbound Interfaces), 365-366

NDAs (Nondisclosure Agreements), 454

netstat -rn command, 136-142

Network Management Station (NMS), 264

networks

automation and network management, 376-378

broad access, 337

controllers, 362-366, 375-379

devices

control plane, 360-361

data plane, 359

management plane, 361

switch internal processing, 361-362

DNA Center, 400-401

file systems, 270

flow, 231

management

automation, 376-378

DNA Center, 400-401

physical data center, 334-335

programmability

ACI, 369, 373

comparisons, 375

redundancy needs, 257-259

SNMP, 254

traditional versus controller-based networks, 375-379

traffic

bandwidth, 228

characteristics, 228

delay, 229

jitter, 229

loss, 229

types, 229-232

virtual networks, 333-334

VMs, 334

Network Time Protocol. See NTP

Nexus 1000v vSwitch, 334

NGFW (Next-Generation Firewalls), 100-101

NGIPS (Next-Generation Intrusion Prevention Systems), 100-103

NICs (Network Interface Cards)

ports, 334

vNICs, 333

NIST (National Institute of Standards and Technology), 336

NMS (Network Management Station), SNMP, 264-266

no cdp enable command, 193

no enable password command, 105

no enable secret command, 105

no ip access-group command, 60

no ip dhcp snooping information option command, 152-153

no logging console command, 177

no logging monitor command, 177

no service password-encryption command, 90

no shutdown command, 115, 121, 179

noninteractive data application traffic, 230

Northbound Interfaces (NBIs), 365-366

note taking (exam preparation), 452

notifications, SNMP, 265-266

nslookup command, 78

NTP (Network Time Protocol)

client/server configuration, 183-184

loopback interfaces, 188-189

overview, 181-182

primary servers, 187

redundant configuration, 186-188

reference clocks, 184-186

secondary servers, 187

setting time and timezone, 182-183

stratum, 185-186

ntp master command, 183-185, 188, 200

ntp server command, 183, 188, 200

ntp source command, 200

numbered ACLs, 58-59

numbers

MIB variables, 266

port numbers, 9-10

sequence numbers, 56-58

NVRAM (Non-Volatile Random Access Memory) file systems, 270

O

objects, 20

objects (JSON), 424-426

ODL (OpenDaylight), 368

OIDs (object IDs), 266

on-demand self-service (cloud computing), 337

on-premise. See private cloud computing

one-way delay, 229

ONF (Open Networking Foundation), 367

opaque file systems, 270

Open SDN, 367

OpenFlow, 364, 367

OpFlex, 364

origin hardware addresses, 159-160

origin IP addresses, 157-159, 163-164

OSC (Open SDN Controllers), 369

outside global addresses, 209-210

outside local addresses, 209-210

overlays (SDA), 384

LISP, 392-393

VXLAN tunnels, 390-391, 394

overloading NAT, 211-213, 219-222

P

PaaS (Platform as a Service), 341-342

packets

classification, 233-236

congestion

avoidance, 250-251

management, 242-245

defined, 233

marking, 234-241

matching, 27

policing, 245-248

router queuing, 233

shaping, 245, 248-250

PAR (Positive Acknowledgment and Retransmission), 16

partial mesh topology, 291, 295, 308

passive mode (FTP), 276

password command, 90, 105

passwords

alternatives to, 81

brute-force attacks, 80

clear-text, 267

dictionary attacks, 80

guessing, 80

security, 88-94

vulnerabilities (security), 80

PASV command, 278

PAT (Port Address Translation)

configuration, 219-222

overview, 211-213

troubleshooting, 222

Path Trace feature (DNA Center), 403

PCP (Priority Code Point) field (802.1Q header), 237

PD (Powered Devices), 298-299

PE (Provider Edge), 313

per-device configuration model, 431

permit command, 55-57, 62

permit keyword, 28, 34

pharming attacks, 79

PHB (Per-Hop Behaviors), 226

phishing attacks, 79

physical access control (security), 84

physical data center networks, 334-335

physical design, MetroE, 305-306

physical NICs, ports, 334

physical server model, 331

physical standards, Ethernet LANs, 296-297

PI (Prime Infrastructure), 400-401

planes, networking devices, 359-361

Platform as a Service (PaaS), 341-342

PoE (Power over Ethernet), 297-299

Point-to-Point topology (MetroE), 307-308

policing (QoS), 245

discarding excess traffic, 247

edge between networks, 246-247

features, 248

rates, 246

traffic rate versus configured policing rate, 246

pooling resources, cloud computing, 337

PoP (Post Office Protocol)

MetroE, 305

POP3, 11

Port Address Translation (PAT)

configuration, 219-222

overview, 211-213

PORT command, 277-278

port-security command, 111

ports

NICs, 334

numbers

destination port numbers, 8

dynamic ports, 9

ephemeral ports, 9

matching, 48-50

private ports, 9

registered ports, 9

system ports, 9-11

user ports, 9

well known ports, 9-11

security, 108-111

err-disabled state, 115

MAC addresses, 113

protect mode, 117-119

restrict mode, 117-119

shutdown mode, 115-117

verifying, 112-113

violation modes, 114-119

trusted ports, 147

untrusted ports, 147

VMs, 334

Post Office Protocol. See POP

practice exams, 454

checklists, 455, 459

PTP questions, 455

preparing for exams

24 hours before the exam, 452

30 minutes before the exam, 452-453

earplugs, 451

one week away preparations, 451-452

post exam process, 453

taking notes, 452

travel time, 452

prioritization, congestion management, 242

Priority Code Point (PCP) field (802.1Q header), 237

priority queues, 244

private addressing, 206

private cloud computing, 337-338

private (dynamic, ephemeral) ports, 9

private Internets, 206

private WANs

MetroE, 304-311

MPLS, 311-317

public cloud, accessing, 344-346

public cloud branch office connections, 349

programmability (network)

ACI, 369, 373

comparisons, 375

protect mode (port security), 117-119

protocols

CDP

configuration, 193-194

discovering information about neighbors, 190-193

verification, 193-194

control plane, 360-363

DHCP, 122

advantages of, 124

automatic allocation, 129

broadcast flags, 125

DHCP Relay, 126-127, 130

dynamic allocation, 129

information stored at DHCP server, 128

overview, 124-126

relays, 126-127, 130

routers, 128, 132-133

rules of, 149

servers, 128

snooping, 146-156. See also snooping attacks

static allocation, 129

switches, configuring as DHCP clients, 130-132

troubleshooting, 130

FHRP, 254, 257

features, 260

HSRP, 261-263

need for, 259-260

options, 260

FTP, 275

active mode, 276

control connection, 277

copying IOS images with, 273-274

data connection, 277

passive mode, 276

FTPS, 279

HSRP

active/passive model, 261

failover, 261-262

load balancing, 262-263

HTTP

overview, 16-17, 20-21

REST APIs, 413-416

software CRUD actions, 413-414

URIs, 17-18, 414-416

management plane, 361

matching, 46-48

MPBGP, 316

SFTP, 279

SNMP, 11, 254

agents, 264

clear-text passwords, 267

communities, 267

community strings, 267

Get messages, 264, 267

history, 263

Inform messages, 265-266

managers, 264

MIB, 266-267

MIB variables, monitoring, 265

notifications, 265-266

RO communities, 267

RW communities, 267

security, 267-268

security ACLs, 267

Set messages, 264, 267

Trap messages, 265-266

SNMPv1, security, 267

SNMPv2, security, 267

SNMPv2c, 267

SNMPv3, 268

TCP

compared to UDP, 6

connection establishment and termination, 12-13

error recovery and reliability, 13-14

flow control, 15-16

multiplexing, 7-10

overview, 7

popular applications, 10-11

port numbers, 8-10, 48-50

segments, 7

sockets, 8

supported features, 6-7

windowing, 250-251

TCP/IP

IPv4, 131

networks, RFC 1065, 263

TCP, 6-16

UDP, 6-7, 16

web browsing, 16-22

TFTP, 11, 129, 274, 279-280

UDP

overview, 16

port numbers, 48-50

supported features, 6-7

provider edge (PE), 313

provisioning (configuration), 434-435

PSE (Power Sourcing Equipment), 298-299

PTP questions (exam preparation), 455

PTP software (practice exams), 458-459

public cloud computing, 337-339

accessing with Internet, 342-344

accessing with private WANs, 344-346

accessing with VPNs, 344

branch offices example, 347-349

intercloud exchanges, 346

Puppet, 438-442

Q

QoE (Quality of Experience), 230

QoS (Quality of Service), 232

bandwidth, 228

classification, 233-236

congestion avoidance, 250-251

congestion management, 242-245

defined, 226

delay, 229

jitter, 229

loss, 229

marking, 234-241

MPLS, 314-315

needs based on traffic types, 229-232

PHB, 226

policing, 245-248

shaping, 245-250

switches/routers, 233

tools, 233

VoIP, 231-232

questions (exams)

answering, 456-457

multichoice questions, 449-450, 457

Premium Edition questions, 457

PTP questions, 455

simlet questions, 450

simulation questions, 449

testlet questions, 450

queuing

congestion management, 242-245

priority queues, 244

queue starvation, 244

queuing routers, 233

R

RADIUS, 82

rapid elasticity (cloud computing), 337

read-only (RO) communities (SNMP), 267

read-write (RW) communities (SNMP), 267

reconnaissance attacks, 77-78

recovery (err-disabling), 117

recursive DNS lookups, 19

redistributing routes, MPLS VPNs, 316

redundancy

FHRP, 259-261

network needs for, 257-259

NTP configuration, 186-188

single points of failure, 257-259

reference clocks, 184-186

reflection attacks, 75

registered (user) ports, 9

RELEASE messages, filtering based on IP addresses, 151

reliability, TCP, 13-14

remark command, 55, 62

remote-access VPNs, 324-326

Representational State Transfer (REST), 366

reputation-based filtering, NGIPS, 103

requests (HTTP GET), 20

requirements, cloud computing services, 336

reserved (excluded) addresses, DHCP servers, 128

resource pooling, cloud computing, 337

REST (Representational State Transfer), 366

REST APIs, 408

cacheable resources, 410

client/server architecture, 409, 419-420

data structures, 411-412

DNA Center calls, 417-418

HTTP

software CRUD actions, 413-414

URIs, 414-416

JSON, 422-423

key:value pairs, 412

stateless operation, 410

variables

dictionary variables, 411-412

list variables, 411-412

simple variables, 410-411

RESTful APIs, 366

restrict mode (port security), 117-119

reverse engineering from ACL to address range, 40-41

reviewing for exams

answering questions, 456-457

chapter reviews, 464

Cisco Learning Network, 464

CLI practice, 460-461

knowledge gaps, 458-459

practice exams, 454

checklists, 455, 459

PTP questions, 455

PTP software, 458-459

Premium Edition questions, 457

second attempts at passing, 463

self-assessments, 462-463

VUE testing center, 455

RFC 1065, 263

RFC 4301 Security Architecture for the Internet Protocol, 323

RO (read-only) communities (SNMP), 267

round robin scheduling (queuing), 243

round-trip delay, 229

routed access layer design, SDA, 388

routers

classification, 235-236

CSRs, 344

configuring as DHCP clients, 132-133

data plane processing, 359

default routers, 128, 136-140

HSRP, 261-263

QoS, 233

queuing, 233, 242-245

redundant, 260. See also FHRP

wireless routers, 296

routes

routing. See also ACLs

IPv4 routing, 223

redistribution, 316

RW (read-write) communities (SNMP), 267

S

SaaS (Software as a Service), 341

SBIs (Southbound Interfaces), 364

scalability, IPv4 addresses, 204-205

SDA (Software-Defined Access), 382

DNA Center, 384, 389, 395

IP security, 397-398

network management, 400-401

Path Trace feature, 403

PI, 400-401

scalable groups, 396

SDA user group security, 398-399

SGT, 399

topology map, 401-403

traditional management and, 401-403

fabric, 384

LANs, 387

overlays, 384

LISP, 392-393

VXLAN, 390-391, 394

routed access layer design, 388

underlays, 384-386

fabric border node, 387

fabric control node, 387

fabric edge node, 387

new gear, 388

VXLAN, 385

user group security, 398-399

VXLAN tunnels, 394, 399

SDN (Software Defined Networking), 356-358, 363

ACI, 369, 373

architecture, 367

automation and network management, 376-378

comparisons, 375

control plane, 360-361

controllers, 363-369

data plane, 359-361

management plane, 361

ODL, 368

Open SDN, 367

OpenFlow, 367

OSC, 369

switches, 361

Secure Shell. See SSH

Secure Sockets Layer. See SSL

security, 70

AAA, 82-83

amplification attacks, 75

ARP messages (gratuitous), 157-158

authentication, 268, 321

biometric credentials, 81

brute-force attacks, 80

buffer overflow attacks, 78

DAI, 156

configuring, 160-165

filtering MAC addresses, 159

layer 2 switches, 160-163

logic of, 158

message checks, 164-165

message rate limits, 163-164

DDoS attacks, 75

device hardening, 95-97

DHCP-based attacks, 147

DHCP snooping, 146

binding tables, 150

configuring, 152-156

DHCP-based attacks, 147

DHCP message rate limits, 154-156

filtering DISCOVER messages based on MAC addresses, 150

filtering RELEASE messages based on IP addresses, 151

layer 2 switches, 152-154

logic of, 148-149

rules of, 149

dictionary attacks, 80

digital certificates, 81

DoS attacks, 73-74

encryption, 268

exploits, 72

Internet VPNs, 321

IOS passwords, 88-94

IPsec

DNA Center, 397-398

encryption, 323-324

malware, 78-79

Man-in-the-Middle attacks, 76-77

multifactor credentials, 81

passwords, 80-81

pharming attacks, 79

phishing attacks, 79

physical access control, 84

ports

err-disabled state, 115

protect mode, 117-119

restrict mode, 117-119

security, 108-119

shutdown mode, 115-117

violation modes, 114-119

reconnaissance attacks, 77-78

reflection attacks, 75

smishing attacks, 79

SNMP, 267-268

snooping attack. See DHCP, snooping

social engineering attacks, 79

spear phishing attacks, 79

spoofing attacks, 72-77

threats, 72

Trojan horses, 78

user access, 82-83

user awareness/training, 83-84

viruses, 78

vishing attacks, 79

vulnerabilities, 72

human vulnerabilities, 79-80

password vulnerabilities, 80

watering hole attacks, 79

whaling attacks, 79

worms, 78

security zones (firewalls), 97-98

segments (TCP), 7

self-assessments (exam preparation), 462-463

sending messages to users, 174-175

sequence numbers, editing ACLs, 56-58

serialization (data)

JSON, 418-422

arrays, 424-426

beautified JSON, 426

key:value pairs, 423-426

minified JSON, 426

objects, 424-426

XML, 421-423

YAML, 422-423

servers

app servers, 371

Cisco hardware, 330-331

DB servers, 371

defined, 330

NTP, 183-186

physical server model, 331

UCS servers, 370

virtualization, 332-336

web servers, 16, 371

service password-encryption command, 89-90, 105

Service Providers (SPs), 302

service sequence-numbers command, 200

services

cloud computing, 336-342

GitHub, 433

Internet as WAN, 317

MetroE, 306-311

public cloud, 342-349

session keys, 323

Set messages

RO/RW communities, 267

writing variables on agents, 264

severity levels (log messages), 177

SFTP (SSH File Transfer Protocol), 279

SGT (Scalable Group Tags), 399

shaping (QoS), 245

features, 250

slowing messages, 248

time intervals, 249

shaping rate, 248

shared keys, 323

shared session keys, 323

show access-lists command, 35, 43, 56, 62

show arp command, 142

show cdp command, 193-194, 197-198, 201

show cdp entry command, 190, 193

show cdp interface command, 193-194

show cdp neighbors command, 190-191, 194-195

show cdp neighbors detail command, 190-193

show cdp traffic command, 193-194

show clock command, 201

show dhcp lease command, 131

show flash command, 270-272, 282

show interfaces command, 115, 121

show interfaces loopback command, 201

show interfaces status command, 115-116

show interfaces switchport command, 377

show interfaces vlan command, 131

show ip access-lists command, 35, 43, 57-59, 62

show ip arp command, 142

show ip arp inspection command, 161-163

show ip default-gateway command, 132

show ip dhcp conflict command, 142

show ip dhcp snooping binding command, 162

show ip dhcp snooping command, 153-155

show ip interface command, 36, 43, 130

show ip nat statistics command, 215-222, 225

show ip nat translations command, 214-225

show lldp command, 201

show lldp entry command, 196

show lldp interface command, 198

show lldp neighbors command, 195

show logging command, 175, 178, 201

show mac address-table dynamic command, 113-114, 121, 167

show mac address-table secure command, 113-114, 121

show mac address-table static command, 113, 121

show ntp associations command, 184-186, 201

show ntp status command, 184, 201

show port-security command, 115-116, 121

show port-security interface command, 112-121

show process cpu command, 181

show running-config | interface command, 121, 167

show running-config command, 35, 56-59, 89, 105, 121, 167, 270

show startup-config command, 270

shutdown command, 115, 121, 179, 182

shutdown mode (port security), 115-117

signature databases and IPS, 99

signatures, applications, 236

simlet questions (exams), 450

simple variables, REST APIs, 410-411

simulation questions (exams), 449

single points of failure, 257-259

site-to-site VPNs, 322-326

sliding windows, 15-16

smishing attacks, 79

SMTP (Simple Mail Transfer Protocol), 11

SNMP (Simple Network Management Protocol), 11, 254

agents, 264

clear-text passwords, 267

communities, 267

community strings, 267

Get messages, 264, 267

history, 263

Inform messages, 265-266

managers, 264

MIB, 265-267

notifications, 265-266

RO communities, 267

RW communities, 267

security, 267-268

Set messages, 264, 267

Trap messages, 265-266

SNMPv1, security, 267

SNMPv2, security, 267

SNMPv2c (Community-based SNMP Version 2), 267

SNMPv3, 268

snooping attacks (DHCP)

binding tables, 150

configuring, 152-156

DHCP-based attacks, 147

DHCP message rate limits, 154-156

DISCOVER messages, 150

layer 2 switches, 152-154

logic of, 148-149

RELEASE messages, 151

social engineering attacks, 79

sockets, 8

software

CRUD actions, 413-414

PTP software (practice exams), 458-459

Software as a Service (SaaS), 341

Software Defined Networking (SDN), 356-358

control plane, 360-361

controllers, 363

data plane, 359-361

management plane, 361

switches, 361

SOHO (Small Office/Home Office), LANs, 296-297

source IP matching, 46-48

source NAT (Network Address Translation), 208

Southbound Interfaces (SBIs), 364

SPs (Service Providers), 302

spear phishing attacks, 79

speeds, LAN/WAN interfaces, 228

spine switches, ACI, 370

spinning up VMs, 340

spoofing attacks, 72

amplification attacks, 75

DDoS attacks, 75

DoS attacks, 73-74

Man-in-the-Middle attacks, 76-77

reflection attacks, 75

SSH (Secure Shell)

controlling access with ACLs, 95

management plane, 361

ssh command, 95

SSL (Secure Sockets Layer), 325

standard numbered IPv4 ACLs

access-list command, 39-40

command syntax, 31

configuration examples, 34-38

list logic, 29-31

matching

any/all addresses, 34

exact IP address, 31

subset of address, 31-32

overview, 29

reverse engineering from ACL to address range, 40-41

troubleshooting, 38-39

verification, 38-39

wildcard masks, 31-34

standards, Ethernet LANs, 296-297

star topology, 291, 295

stateful firewalls, 96

stateful inspection, 96

static allocation, 129

static NAT (Network Address Translation)

configuration, 214-215

inside global addresses, 208-210

inside local addresses, 208-210

outside global addresses, 209-210

outside local addresses, 209-210

overview, 208-210

troubleshooting, 222

sticky secure MAC addresses, 109

storing log messages, 175-176

stratum, NTP, 185-186

subnet ID, DHCP servers, 128

subnet masks, DHCP servers, 128

subnets, DHCP Relay, 126-127, 130

subset of IP address, matching, 31-32

switches

access switches, 291, 295

DHCP, 130-132

distribution switches, 291, 295

interface configuration, port security, 108-113

internal processing, 361-362

IPv4, 131

layer 2 switches

DAI, 160-163

DHCP snooping, 152-154

leaf switches, ACI, 370

management, 131

port security, 108-118

QoS, 233

SDN, 361

spine switches, ACI, 370

ToR, 335

vSwitches, 333

switchport mode access command, 110-111

switchport mode command, 120, 167, 377

switchport mode trunk command, 110

switchport port-security command, 110-111

switchport port-security mac-address command, 110-111, 120

switchport port-security mac-address sticky command, 110-111, 120, 167

switchport port-security maximum command, 110, 120

switchport port-security violation command, 110, 114, 120

SYN flags, 12

Syslog

configuration, 178-180

debug command, 180-181

log message format, 176-177

log message severity levels, 177

sending messages to users, 174-175

storing log messages for review, 175-176

verification, 178-180

system (well known) ports, 9-11

T

TACACS+, 82

tail drops, 250

TCAM (Ternary Content-Addressable Memory), 362

tcp keyword, 48

TCP (Transmission Control Protocol)

compared to UDP, 6

connection establishment and termination, 12-13

error recovery and reliability, 13-14

flow control, 15-16

multiplexing, 7-10

overview, 7

popular applications, 10-11

port numbers, 8-10, 48-50

segments, 7

sockets, 8

supported features, 6-7

windowing, 250-251

TCP/IP (Transmission Control Protocol/Internet Protocol)

IPv4, 131

networks, RFC 1065, 263

TCP, 6-16

UDP, 6-7, 16

web browsing, 16-22

telcos (telephone companies), 318

Telnet

controlling access with ACLs, 95

management plane, 361

telnet command, 95

templates (configuration), 435-437

terminal monitor command, 175, 181, 201

terminal no monitor command, 201

Ternary Content-Addressable Memory (TCAM), 362

testlet questions (exams), 450

TFTP (Trivial File Transfer Protocol), 11, 129, 274, 279-280

threads, multithreading, 332

threats (security), 72

three-tier campus design, 293-295

TID fields (QoS marking), 238

time

exams

budgeting, 450-451

time-check method, 451

intervals (QoS shaping), 249

setting, 182-183

timezone, setting, 182-183

tools, QoS, 233-251

Top of Rack (ToR) switches, 335

topologies

campus LANs, 290-295

DNA Center topology map, 401-403

full mesh, 291, 295, 308

hub and spoke, 309

hybrid, 291, 295

MetroE, 306-309

partial mesh, 291, 295, 308

star, 291, 295

ToR (Top of Rack) switches, 335

ToS (Type of Service) field (IPv4), 237

traffic

bandwidth, 228

characteristics, 228

congestion

avoidance, 250-251

management, 242-245

delay, 229

jitter, 229

loss, 229

policing, 245-248

public cloud branch office email services, 347-349

shaping, 245, 248-250

types, 229-232

voice, 315

Traffic Class field (IPv6), 237

transferring files, 20-21

Transmission Control Protocol. See TCP

transport input command, 105

transport input ssh command, 89

transport layer (TCP/IP)

TCP, 6-16

UDP, 6-7, 16

Trap messages, 265-266

travel time (exam preparation), 452

Trivial File Transfer Protocol (TFTP), 11, 129, 274, 279-280

Trojan horses, 78

troubleshooting

ACL, 222

DHCP, 130

dynamic NAT, 222

NAT, 222-223

PAT, 222

port security, 115-119

standard numbered ACLs, 38-39

static NAT, 222

trust boundaries (QoS marking), 238-239

trusted ports, DHCP messages, 147

tunnels (VPN), 321-322

tutorials (exams), 449

two-tier campus design, 290-293

Type of Service (ToS) field (IPv4), 237

U

UCS (Unified Computing System), 331, 370

UDP (User Datagram Protocol)

overview, 16

port numbers, 48-50

supported features, 6-7

underlays (SDA), 384-388

UNI (User Network Interface), 306

Unified Computing System. See UCS

Uniform Resource Identifiers. See URIs

Uniform Resource Locators. See URLs

untrusted ports, DHCP messages, 147

udp keyword, 48

upgrading IOS images, 270-274

UPoE (Universal Power over Ethernet), 299

URIs (Uniform Resource Identifiers), 17-18, 414-416

URLs (Uniform Resource Locators), 17, 102

U.S. National Institute of Standards and Technology. See NIST

usbflash, 269-270

User Datagram Protocol. See UDP

user network interface. See UNI

user (registered) ports, 9

usernames

hiding passwords for, 94

username command, 105

username password command, 94

username secret command, 94

users

access security, 82-83

awareness/training, 83-84

groups, SDA security, 398-399

sending messages to, 174-175

V

variables

configuration variables, 435-437

dictionary variables, 411-412

list variables, 411-412

MIB, 265-266

REST APIs, 410-412

simple variables, 410-411

vCPU (virtual CPU), 332

verification

CDP, 193-194

host IPv4 settings, 134-140

NAT, 215-219

standard numbered ACLs, 38-39

Syslog, 178-180

verify command, 273, 282

verify /md5 command, 273, 282

verifying

IOS code integrity, 273

port security, 112-113

video exam tutorials, 449

video traffic

QoS requirements, 232

shaping time intervals, 249

violation modes (port security), 114-119

virtual CPU (vCPU), 332

virtual NICs. See vNICs

Virtual Private LAN Service. See VPLS

Virtual Private Wire Service. See VPWS

virtual switches. See vSwitches

virtualization

data centers, 333-336

networks, 333-334

servers, 332-334

virtual machines. See VMs

viruses, 78

vishing attacks, 79

VMs (Virtual Machines), 332-333

ACI, 371

configuration (automated), 334

IaaS, 340

networking, 334

PaaS, 341-342

ports, 334

SaaS, 341

spinning up, 340

vNICs (virtual NICs), 333

voice application traffic, 231-232

Voice over IP. See VoIP

voice traffic

shaping time intervals, 249

VoIP, 315

VoIP (Voice over IP), 231-232, 315

VPLS (Virtual Private LAN Service), 307

VPNs (Virtual Private Networks)

AnyConnect Secure Mobility Client, 325

client, 325

Internet, 317, 321-322

public cloud, accessing, 344

remote-access VPNs, 324-326

site-to-site, 322-326

tunnels, 321-322

VPWS (Virtual Private Wire Service), 307

vSwitches, 333

VUE testing center, 455

vulnerabilities (security), 72

human vulnerabilities, 79-80

password vulnerabilities, 80

VXLAN tunnels, 385, 390-391, 394, 399

W

WANs (Wide-Area Networks)

Ethernet, 345

interfaces, 228

Internet access, 317

Internet as WAN service, 317

MetroE, 304-311

MPLS, 311-317

private, 344-346, 349

public cloud connections, 342-346

SPs, 302

wireless, 320-321

watering hole attacks, 79

WC masks, 31-34, 41

web browsers, 16

HTTP, 16-21

identifying receiving application, 21-22

URIs, 17-18

URLs, 17

web clients, 16

web pages, 16

web servers, 16-20, 371

websites

Cisco ACI, 373

Cisco Prime management products, 264

Eclipse IDE, 341

Google App Engine PaaS, 341

Jenkins continuous integration and automation tool, 341

MEF, 306

OpenDaylight SDN controller, 368

OpenFlow, 364

weighting, 243

well known (system) ports, 9-11

whaling attacks, 79

whois command, 78

wildcard masks, 31-34, 41

windowing, 15-16

wireless routers, 296

wireless WANs, 320-321

WLANs (Wireless LANs), 296-297

workflow, virtualized data center, 335-336

worms, 78

WWW (World Wide Web), 11

X

XML (Extensible Markup Language), data serialization, 421-423

Y - Z

YAML (YAML Ain’t Markup Language), data serialization, 422-423
