Chapter 7

Chapter 8

Chapter 13

The IGMP message format fields are defined as follows:

• Type: This field describes five different types of IGMP messages used by routers and receivers:

  • _____________________________ (type value 0x16) is a message type alsocommonly referred to as an IGMP join; it is used by receivers to join a multicast group or to respond to a local router’s membership query message.

  • Version 1 membership report (type value 0x12) is used by receivers for backward compatibility with IGMPv1.

  • Version 2 leave group (type value 0x17) is used by receivers to indicate they want to stop receiving multicast traffic for a group they joined.

  • _____________________________ (type value 0x11) is sent periodically sent to the all-hosts group address 224.0.0.1 to see whether there are any receivers in the attached subnet. It sets the group address field to 0.0.0.0.

  • Group specific query (type value 0x11) is sent in response to a leave groupmessage to the group address the receiver requested to leave. The group addressis the destination IP address of the IP packet and the group address field.

• _____________________________: This field is set only in general and group-specific membership query messages (type value 0x11); it specifies the maximum allowed time before sending a responding report in units of one-tenth of a second. In all othermessages, it is set to 0x00 by the sender and ignored by receivers.

• _____________________________: This field is the 16-bit 1s complement of the 1s complement sum of the IGMP message. This is the standard checksum algorithm used by TCP/IP.

• _____________________________: This field is set to 0.0.0.0 in general query messages and is set to the group address in group-specific messages. Membership reportmessages carry the address of the group being reported in this field; group leavemessages carry the address of the group being left in this field.

The following list defines the common PIM terminology illustrated in Figure 13-14:

• Reverse Path Forwarding (RPF) interface: _____________________________________

  ____________________________________________________________________

  ____________________________________________________________________

  ____________________________________________________________________

• RPF neighbor: ___________________________________________________

  ________________________________________________________________

  ________________________________________________________________

• _____________________________: Toward the source of the tree, which could be the actual source in source-based trees or the RP in shared trees. A PIM join travels upstream toward the source.

• _____________________________: The interface toward the source of the tree. It is also known as the RPF interface or the incoming interface (IIF). An example of an upstream interface is R5’s Te0/1/2 interface, which can send PIM joins upstream to its RPF neighbor.

• _____________________________: Away from the source of the tree and toward the receivers.

• _____________________________: Any interface that is used to forward multicast traffic down the tree, also known as an outgoing interface (OIF). An example of a downstream interface is R1’s Te0/0/0 interface, which forwards multicast traffic to R3’s Te0/0/1 interface.

• _____________________________: The only type of interface that can accept multicast traffic coming from the source, which is the same as the RPF interface. An example of this type of interface is Te0/0/1 on R3 because the shortest path to the source is known through this interface.

• _____________________________: Any interface that is used to forward multicasttraffic down the tree, also known as the downstream interface.

• _____________________________: A group of OIFs that are forwarding multicasttraffic to the same group. An example of this is R1’s Te0/0/0 and Te0/0/1 interfaces sending multicast traffic downstream to R3 and R4 for the same multicast group.

• Last-hop router (LHR): ______________________________________________________

• ____________________________________________________________________

• First-hop router (FHR): _____________________________________________________

• ____________________________________________________________________

• _____________________________: A topology table that is also known as the multicast route table (mroute), which derives from the unicast routing table and PIM. MRIB contains the source S, group G, incoming interfaces (IIF), outgoing interfaces (OIFs), and RPF neighbor information for each multicast route as well as other multicast-related information.

• _____________________________: A forwarding table that uses the MRIB to program multicast forwarding information in hardware for faster forwarding.

• _____________________________: The multicast traffic forwarding state that is used by a router to forward multicast traffic. The multicast state is composed of the entries found in the mroute table (S, G, IIF, OIF, and so on).

There are currently five PIM operating modes:

• _______________________________________________________

• _______________________________________________________

• _______________________________________________________

• _______________________________________________________

• _______________________________________________________

Chapter 14

There are three different QoS implementation models:

• _________________________: QoS is not enabled for this model. It is used for traffic that does not require any special treatment.

• _________________________: Applications signal the network to make a bandwidth reservation and to indicate that they require special QoS treatment.

• _________________________: The network identifies classes that require special QoS treatment.

The following traffic descriptors are typically used for classification:

• Internal: QoS groups (locally significant to a router)

• Layer 1: Physical interface, subinterface, or port

• Layer 2: ___________________________________________________________________

• Layer 2.5: MPLS Experimental (EXP) bits

• Layer 3: ___________________________________________________________________

• Layer 4: ___________________________________________________________________

• Layer 7: ___________________________________________________________________

The following traffic descriptors are used for marking traffic:

• Internal: QoS groups

• _______________: 802.1Q/p Class of Service (CoS) bits

• Layer 2.5: MPLS Experimental (EXP) bits

• _______________: Differentiated Services Code Points (DSCP) and IP Precedence (IPP)

The TCI field is a 16-bit field composed of the following three fields:

• _________________________ (PCP) field (3 bits)

• _________________________ (DEI) field (1 bit)

• _________________________ (VLAN ID) field (12 bits)

Four PHBs have been defined and characterized for general use:

• _________________________: The first 3 bits of the DSCP field are used as CS bits. The CS bits make DSCP backward compatible with IP Precedence because IP Precedence uses the same 3 bits to determine class.

• _________________________: Used for best-effort service.

• _________________________: Used for guaranteed bandwidth service.

• Expedited Forwarding (EF) PHB: _________________________

Cisco IOS policers and shapers are based on token bucket algorithms. The following list includes definitions that are used to explain how token bucket algorithms operate:

• Committed Information Rate (CIR): __________________________________________

• _______________________________________________________________

• _________________________: The time interval, in milliseconds (ms), over which the committed burst (Bc) is sent. Tc can be calculated with the formula Tc = (Bc [bits] / CIR [bps]) × 1000.

• _________________________: The maximum size of the CIR token bucket, measured in bytes, and the maximum amount of traffic that can be sent within a Tc. Bc can be calculated with the formula Bc = CIR × (Tc / 1000).

• Token: ____________________________________________________________________

• Token bucket: A bucket that accumulates tokens until a maximum predefined number of tokens is reached (such as the Bc when using a single token bucket); these tokensare added into the bucket at a fixed rate (the CIR). Each packet is checked forconformance to the defined rate and takes tokens from the bucket equal to its packet size; for example, if the packet size is 1500 bytes, it takes 12,000 bits (1500 × 8) from the bucket. If there are not enough tokens in the token bucket to send the packet, the traffic conditioning mechanism can take one of the following actions:

  • ________________________________________________________

  • ________________________________________________________

  • ________________________________________________________

There are different policing algorithms, including the following:

• _________________________________________________________

• _________________________________________________________

• _________________________________________________________

There are many queuing algorithms available, but most of them are not adequate for modern rich-media networks carrying voice and high-definition video traffic because they were designed before these traffic types came to be. The legacy queuing algorithms that predate the MQC architecture include the following:

• _______________________: _____________involves a single queue where the first packet to be placed on the output interface queue is the first packet to leave the interface (first come, first served). In FIFO queuing, all traffic belongs to the same class.

• _______________________: With ______________, queues are serviced in sequence one after the other, and each queue processes one packet only. No queues starve with round robin because every queue gets an opportunity to send one packet every round. No queue has priority over others, and if the packet sizes from all queues are about the same, the interface bandwidth is shared equally across the round robin queues. A limitation of round robin is it does not include a mechanism to prioritize traffic.

• _______________________: __________________ was developed to provide prioritization capabilities for round robin. It allows a weight to be assigned to each queue, and based on that weight, each queue effectively receives a portion of the interface bandwidth that is not necessarily equal to the other queues’ portions.

• _______________________: _______________ is a Cisco implementation of WRR that involves a set of 16 queues with a round-robin scheduler and FIFO queueing within each queue. Each queue can be customized with a portion of the link bandwidth for each selected traffic type. If a particular type of traffic is not using the bandwidth reserved for it, other traffic types may use the unused bandwidth. CQ causes long delays and also suffers from all the same problems as FIFO within each of the 16 queues that it uses for traffic classification.

• _______________________: _______________, a set of four queues (high, medium, normal, and low) are served in strict-priority order, with FIFO queueing within each queue. The high-priority queue is always serviced first, and lower-priority queues are serviced only when all higher-priority queues are empty. For example, the medium queue is serviced only when the high-priority queue is empty. The normal queue is serviced only when the high and medium queues are empty; finally, the low queue is serviced only when all the other queues are empty. At any point in time, if a packet arrives for a higher queue, the packet from the higher queue is processed before any packets in lower-level queues. For this reason, if the higher-priority queues are continuously being serviced, the lower-priority queues are starved.

• _______________________: The __________________ algorithm automatically divides the interface bandwidth by the number of flows (weighted by IP Precedence) to allocate bandwidth fairly among all flows. This method provides better service for high-priority real-time flows but can’t provide a fixed-bandwidth guarantee for any particular flow.

The current queuing algorithms recommended for rich-media networks (and supported by MQC) combine the best features of the legacy algorithms. These algorithms provide real-time, delay-sensitive traffic bandwidth and delay guarantees while not starving other types of traffic. The recommended queuing algorithms include the following:

• ___________________________: ___________________ enables the creation of up to 256 queues, serving up to 256 traffic classes. Each queue is serviced based on the bandwidth assigned to that class. It extends WFQ functionality to provide support for user-defined traffic classes. With _________________, packet classification is done based on traffic descriptors such as QoS markings, protocols, ACLs, and input interfaces. After a packet is classified as belonging to a specific class, it is possible to assign bandwidth, weight, queue limit, and maximum packet limit to it. The bandwidth assigned to a class is the minimum bandwidth delivered to the class during congestion. The queue limit for that class is the maximum number of packets allowed to be buffered in the class queue. After a queue has reached the configured queue limit, excess packets are dropped. __________________ by itself does not provide a latency guarantee and is only suitable for non-real-time data traffic.

• _______________________: __________ is CBWFQ combined with priority queueing (PQ) and it was developed to meet the requirements of real-time traffic, such as voice. Traffic assigned to the strict-priority queue is serviced up to its assigned bandwidth before other CBWFQ queues are serviced. All real-time traffic should be configured to be serviced by the priority queue. Multiple classes of real-time traffic can be defined, and separate bandwidth guarantees can be given to each, but a single priority queue schedules all the combined traffic. If a traffic class is not using the bandwidth assigned to it, it is shared among the other classes. This algorithm is suitable for combinations of real-time and non-real-time traffic. It provides both latency and bandwidth guarantees to high-priority real-time traffic. In the event of congestion, real-time traffic that goes beyond the assigned bandwidth guarantee is policed by a congestion-aware policer to ensure that the non-priority traffic is not starved.

Chapter 16

IPsec supports the following encryption, hashing, and keying methods to provide security services:

• _______________________: A 56-bit symmetric data encryption algorithm that can encrypt the data sent over a VPN. This algorithm is very weak and should be avoided.

• _______________________: A data encryption algorithm that runs the DES algorithm three times with three different 56-bit keys. Using this algorithm is no longer recommended. The more advanced and more efficient AES should be used instead.

• _______________________: A symmetric encryption algorithm used for dataencryption that was developed to replace DES and 3DES. AES supports key lengthsof 128 bits, 192 bits, or 256 bits and is based on the Rijndael algorithm.

• _______________________: A one-way, 128-bit hash algorithm used for data authentication. Cisco devices use MD5 HMAC, which provides an additional level of protection against MitM attacks. Using this algorithm is no longer recommended, and SHA should be used instead.

• _______________________: A one-way, 160-bit hash algorithm used for data authentication. Cisco devices use the SHA-1 HMAC, which provides additional protection against MitM attacks.

• _______________________: An asymmetric key exchange protocol that enables two peers to establish a shared secret key used by encryption algorithms such as AES over an unsecure communications channel. A DH group refers to the length of the key (modulus size) to use for a DH key exchange. For example, group 1 uses 768 bits, group 2 uses 1024, and group 5 uses 1536, where the larger the modulus, the more secure it is. The purpose of DH is to generate shared secret symmetric keys that are used by the two VPN peers for symmetrical algorithms, such as AES. The DH exchange itself is asymmetrical and CPU intensive, and the resulting shared secret keys that are generated are symmetrical. Cisco recommends avoiding DH groups 1, 2, and 5 and instead use DH groups 14 and higher.

• _______________________: A public-key (digital certificates) cryptographic system used to mutually authenticate the peers.

• _______________________: A security mechanism in which a locally configured key is used as a credential to mutually authenticate the peers.

There are two different ways to encrypt traffic over a GRE tunnel:

• __________________________________________________________

• __________________________________________________________

Following are the definitions for the LISP architecture components illustrated in Figure 16-5.

• ___________________________: An ____ is the IP address of an endpoint within a LISP site. EIDs are the same IP addresses in use today on endpoints (IPv4 or IPv6), and they operate in the same way.

• ___________________________: This is the name of a site where LISP routers and EIDs reside.

• ___________________________: ____ are LISP routers that LISP-encapsulate IP packets coming from EIDs that are destined outside the LISP site.

• ___________________________: ____ are LISP routers that de-encapsulate LISP-encapsulated IP packets coming from sites outside the LISP site and destined to EIDs within the LISP site.

• ___________________________: ____ refers to routers that perform ITR and ETR functions (which is most routers).

• ___________________________: ____ are just like ITRs but for non-LISP sites that send traffic to EID destinations.

• ___________________________: ____ act just like ETRs but for EIDs that send traffic to destinations at non-LISP sites.

• ___________________________: ____ refers to a router that performs PITR and PETR functions.

• ___________________________: A __________________ is a router that performs the functions of any or all of the following: ITR, ETR, PITR, and/or PETR.

• ___________________________: An ____ is an IPv4 or IPv6 address of an ETR that is Internet facing or network core facing.

• ___________________________: This is a network device (typically a router) that learns EID-to-prefix mapping entries from an ETR and stores them in a local EID-to-RLOC mapping database.

• ___________________________: This is a network device (typically a router) that receives LISP-encapsulated map requests from an ITR and finds the appropriate ETR to answer those requests by consulting the map server.

• ___________________________: When MS and the MR functions are implemented on the same device, the device is referred to as an _______.

To facilitate the discovery of VNIs over the underlay Layer 3 network, virtual tunnel endpoints (VTEPs) are used. VTEPs are entities that originate or terminate VXLAN tunnels. They map Layer 2 and Layer 3 packets to the VNI to be used in the overlay network. Each VTEP has two interfaces:

• ___________________________: These interfaces on the local LAN segment provide bridging between local hosts.

• ___________________________: This is a core-facing network interface for VXLAN. The IP interface’s IP address helps identify the VTEP in the network. It is also used for VXLAN traffic encapsulation and de-encapsulation.

The VXLAN standard defines VXLAN as a data plane protocol, but it does not define a VXLAN control plane; it was left open to be used with any control plane. Currently fourdifferent VXLAN control and data planes are supported by Cisco devices:

• _________________________________________________________

• _________________________________________________________

• _________________________________________________________

• _________________________________________________________

Chapter 17

Chapter 22

The hierarchical LAN design divides networks or their modular blocks into the following three layers:

• Access layer: ______________________________________________________________

• Distribution layer: _____________________________________ __________________________________

• Core layer (also referred to as ___________________): ___________________________ _______________________________________________________

Chapter 23

With SD-Access, an evolved campus network can be built that addresses the needs of existing campus networks by leveraging the following capabilities, features, and functionalities:

• _________________________: SD-Access replaces manual network device configurations with network device management through a single point of automation, orchestration, and management of network functions through the use of Cisco DNA Center. This simplifies network design and provisioning and allows for very fast, lower-risk deployment of network devices and services using best-practice configurations.

• _________________________: SD-Access enables proactive prediction of network-related and security-related risks by using telemetry to improve the performance of the network, endpoints, and applications, including encrypted traffic.

• _________________________: SD-Access provides host mobility for both wired and wireless clients.

• _________________________: Cisco Identity Services Engine (ISE) identifies users and devices connecting to the network and provides the contextual information required for users and devices to implement security policies for network access control and network segmentation.

• _________________________: Traditional access control lists (ACLs) can be difficult to deploy, maintain, and scale because they rely on IP addresses and subnets. Creating access and application policies based on group-based policies using Security Group Access Control Lists (SGACLs) provides a much simpler and more scalable form of policy enforcement based on identity instead of an IP address.

• _________________________: With SD-Access it is easier to segment the network to support guest, corporate, facilities, and IoT-enabled infrastructure.

• _________________________: SD-Access makes it possible to leverage a single physical infrastructure to support multiple virtual routing and forwarding (VRF) instances, referred to as virtual networks (VNs), each with a distinct set of access policies.

There are three basic planes of operation in the SD-Access fabric:

• ________________________________________________________

• ________________________________________________________

• ________________________________________________________

There are five basic device roles in the fabric overlay:

• _________________________: This node contains the settings, protocols, and mapping tables to provide the endpoint-to-location (EID-to-RLOC) mapping system for thefabric overlay.

• _________________________: This fabric device (for example, core layer device)connects external Layer 3 networks to the SDA fabric.

• _________________________: This fabric device (for example, access or distribution layer device) connects wired endpoints to the SDA fabric.

• _________________________: This fabric device connects APs and wireless endpoints to the SDA fabric.

• _________________________: These are intermediate routers or extended switches that do not provide any sort of SD-Access fabric role other than underlay services.

There are three types of border nodes:

• _________________________: Connects only to the known areas of the organization (for example, WLC, firewall, data center).

• _________________________: Connects only to unknown areas outside the organization. This border node is configured with a default route to reach external unknown networks such as the Internet or the public cloud that are not known to the control plane nodes.

• _________________________: Connects transit areas as well as known areas of the company. This is basically a border that combines internal and default borderfunctionality into a single node.

The Cisco SD-WAN solution has four main components and an optional analytics service:

• _________________________: This is a single pane of glass (GUI) for managing the SD-WAN solution.

• _________________________: This is the brains of the solution.

• _________________________: SD-WAN involves both vEdge and cEdge routers.

• _________________________: This authenticates and orchestrates connectivity between SD-WAN routers and vSmart controllers.

• _________________________: This is an optional analytics and assurance service.

Chapter 25

In addition to providing standard firewall functionality, a next-generation firewall (NGFW) can block threats such as advanced malware and application-layer attacks. According toGartner, Inc.’s definition, a NGFW firewall must include:

• __________________________________________________________________

• __________________________________________________________________

• __________________________________________________________________

• __________________________________________________________________

There are currently two offerings available for Stealthwatch:

• ___________________________________________________________________

• ___________________________________________________________________

Stealthwatch Enterprise requires the following components:

• _____________________: The _____________________ is required for the collection, management, and analysis of flow telemetry data and aggregates flows at the Stealthwatch Management Console as well as to define the volume of flows that can be collected.

• _____________________: The _____________________ collects and analyzes enterprise telemetry data such as NetFlow, IP Flow Information Export (IPFIX), and other types of flow data from routers, switches, firewalls, endpoints, and other network devices. The Flow Collector can also collect telemetry from proxy data sources, which can be analyzed by Global Threat Analytics (formerly Cognitive Threat Analytics). It can also pinpoint malicious patterns in encrypted traffic using Encrypted Traffic Analytics (ETA) without having to decrypt it to identify threats and accelerate response.Flow Collector is available as a hardware appliance and as a virtual machine.

• _____________________: The SMC is the control center for Stealthwatch. It aggregates, organizes, and presents analysis from up to 25 Flow Collectors, Cisco ISE, and other sources. It offers a powerful yet simple-to-use web console that provides graphical representations of network traffic, identity information, customized summary reports, and integrated security and network intelligence for comprehensive analysis. The SMC is available as a hardware appliance or a virtual machine.

Cisco Stealthwatch Cloud consists of two primary offerings:

• ____________________________

• ____________________________

802.1x comprises the following components:

• _____________________: This message format and framework defined by RFC 4187 provides an encapsulated transport for authentication parameters.

• _____________________: Different authentication methods can be used with EAP.

• _____________________: This Layer 2 encapsulation protocol is defined by 802.1x for the transport of EAP messages over IEEE 802 wired and wireless networks.

• _____________________: This is the AAA protocol used by EAP.

802.1x network devices have the following roles:

• _____________________: Software on the endpoint communicates and providesidentity credentials through EAPoL with the authenticator. Common 802.1x supplicants include Windows and macOS native supplicants as well as Cisco AnyConnect. All these supplicants support 802.1x machine and user authentication.

• _____________________: A network access device (NAD) such as a switch or wireless LAN controller (WLC) controls access to the network based on the authentication status of the user or endpoint. The authenticator acts as the liaison, taking Layer 2 EAP-encapsulated packets from the supplicant and encapsulating them into RADIUS packets for delivery to the authentication server.

• _____________________: A RADIUS server performs authentication of the client. The authentication server validates the identity of the endpoint and provides the authenticator with an authorization result, such as accept or deny.

• _____________________: With _____________________, a switch inserts the SGT tag inside a frame to allow upstream devices to read and apply policy. _____________________ is completely independent of any Layer 3 protocol (IPv4 or IPv6), so the frame or packet can preserve the SGT tag throughout the network infrastructure (routers, switches, firewalls, and so on) until it reaches the egress point. The downside to _____________________ is that it is supported only by Cisco network devices with ASIC support for TrustSec. If a tagged frame is received by a device that does not support _____________________ in hardware, the frame is dropped.Figure 25-10 illustrates a Layer 2 frame with a 16-bit SGT value.

• _____________________: _____________________ is a _____________________ used for network devices that do not support _____________________ in hardware. Using_____________________, IP-to-SGT mappings can be communicated between _____________________switches and other network devices. _____________________ switches also have an SGT mapping database to check packets against and enforce policy. The _____________________ peer that sends IP-to-SGT bindings is called a speaker. The IP-to-SGT binding receiver is called a listener. _____________________ can be single-hop or multi-hop, as shown in Figure 25-11.

Chapter 26

While many different kinds of ACLs can be used for packet filtering, only the following types are covered in this chapter:

• Numbered standard ACLs: These ACLs define packets based solely on the source network, and they use the numbered entries ________________ and _________________.

• Numbered extended ACLs: These ACLs define packets based on source, destination, protocol, port, or a combination of other packet attributes, and they use the numbered entries ________________ and ________________.

• _____________________: These ACLs allow standard and extended ACLs to be given names instead of numbers and are generally preferred because they can provide more relevance to the functionality of the ACL.

• _____________________: These ACLs can use standard, extended, named, and named extended MAC ACLs to filter traffic on Layer 2 switchports.

• _____________________: These ACLs can use standard, extended, named, and named extended MAC ACLs to filter traffic on VLANs.

The Cisco IOS CLI by default includes three privilege levels, each of which defines what commands are available to a user:

• _____________________: Includes the disable, enable, exit, help, and logoutcommands.

• _____________________: Also known as _____________________ mode. The command prompt in this mode includes a greater-than sign (R1>). From this mode it is not possible to make configuration changes; in other words, the command configure terminal is not available.

• _____________________: Also known as _____________________ mode. This is the highest privilege level, where all CLI commands are available. The command prompt in this mode includes a hash sign (R1#).

AAA is an architectural framework for enabling a set of three independent security functions:

• _____________________: Enables a user to be identified and verified prior to being granted access to a network device and/or network services.

• _____________________: Defines the access privileges and restrictions to be enforced for an authenticated user.

• _____________________: Provides the ability to track and log user access, including user identities, start and stop times, executed commands (that is, CLI commands), and so on. In other words, it maintains a security log of events.

Chapter 27

There are two types of hypervisors, as illustrated in Figure 27-2:

• Type 1: ________________________________________________________________

• ________________________________________________________________

• Type 2: ________________________________________________________________

• ________________________________________________________________

Cisco ENFV delivers a virtualized solution for network and application services for branch offices. It consists of four main components that are based on the ETSI NFV architectural framework:

• _____________________: Cisco DNA Center provides the VNF management and NFV orchestration capabilities. It allows for easy automation of the deployment of virtualized network services, consisting of multiple VNFs.

• _____________________: VNFs provide the desired virtual networking functions.

• _____________________: An operating system that provides virtualization capabilities and facilitates the deployment and operation of VNFs and hardware components.

• _____________________: x86-based compute resources that provide the CPU, memory, and storage required to deploy and operate VNFs and run applications.

Chapter 28