Index
Symbols
{ } (braces), 415
: (colon), 91
2.4 GHz band, 110
5 GHz band, 110
10 Gig Ethernet, 35
10BASE-T, 35
10GBASE-T, 35
40 Gig Ethernet, 35
40GBASE-LR4, 35
100BASE-T, 35
802.1D Spanning Tree Protocol, 174–176
802.11 wireless standards, 110
802.3 Ethernet standards, 35, 36–37
1000BASE-LX, 35
1000BASE-T, 35
A
AAA (authentication, authorization, and accounting), 318, 328–330
aaa new-model command, 329
Abort indicator, 43
access control. See device access control
access control lists. See ACLs (access control lists)
access points (APs), 5, 191–192
access-list 1 command, 252
access-list deny command, 359
access-list permit command, 359, 362
ACI (Application Centric Infrastructure), 397
ACLs (access control lists), 318, 353–367
ACEs (access control entries), 358
advantages of, 353
standard, 358
active routers, 239
active virtual forwarders (AVFs), 240
active virtual gateway (AVG), 240
AD (administrative distance), 206–209, 218, 243
Adaptive Security Appliance (ASA), 7
addresses
IP parameter verification, 80–81
online resources for, 87
anycast, 93
link-local unicast, 92
multicast, 92
SLAAC (stateless address autoconfiguration) of, 93, 97–98
unique local, 92
verification of, 96–97, 100–101
MAC (media access control)
aging, 127
learning, 127
MAC address tables, 128
maximum, 372
sticky MAC address learning, 373–374
PAT (Port Address Translation), 253
source addressing, 333
administrative distance (AD), 206–209, 218, 243
administrative trustworthiness, 208–209
Advanced Encryption Standard (AES), 384
adware, 315
AES (Advanced Encryption Standard), 384
aging MAC (media access control) addresses, 127
AI (artificial intelligence), 8
alignment errors, 43
alternate ports, 181
Amazon Web Services (AWS)
Database Migration Service, 2622
DataSync, 2622
anycast addresses, 93
anycast keyword, 93
APIC-EM (APIC Enterprise Module), 397
APIs (application programming interfaces)
horizontal, 398
northbound, 397
RESTful
definition of, 398
southbound, 397
Application Centric Infrastructure (ACI), 397
Application layer (OSI model), 55
application programming interfaces. See APIs (application programming interfaces)
application virtualization, 120
APs (access points), 5, 191–192
architectures
DHCP (dynamic host configuration protocol), 280
NAT (Network Address Translation), 250
OSPFv2 (open shortest path first version 2), 226
point-to-point, 22
on-premises resources, 26
SOHOs (small offices/home offices), 22
Spanning Tree Protocol, 176
three-tier architecture, 18–19
WANs (wide-area networks), 21–22
artificial intelligence (AI), 8
ASA (Adaptive Security Appliance), 7
asymmetric-key algorithms, 347
attacks
KRACK (Key Reinstallation Attack), 385
zero-day, 317
authentication, authorization, and accounting (AAA), 318, 328–330
authNoPriv level, 299
authPriv level, 299
Auto MDI-X, 35
auto setting (EtherChannel), 155
autoconfiguration, IPv6, 93
Automatic medium-dependent interface crossover (Auto MDI-X), 35
Cisco DNA (Digital Network Architecture) Center, 400–401
controller-based networking, 396–398
online resources for, 405
autonomous mode, 191
AVFs (active virtual forwarders), 240
AVG (active virtual gateway), 240
AWS (Amazon Web Services)
Database Migration Service, 2622
DataSync, 2622
B
babbles, 43
Baby Giant frames, 42
backup designated router (BDR), 231
backup ports, 181
bands, 110
banner login # command, 335–336
banner motd command, 336
banners
MOTD (message-of-the-day), 336
BDR (backup designated router), 231
BE (best effort) quality of service, 301
BID (bridge ID), 175
bidirectional NAT (Network Address Translation), 250
binary numbers, converting decimals to, 67
bogons, 77
braces ({ }), 415
bridge ID (BID), 175
bridge mode, 191
bridges
BID (bridge ID), 175
definition of, 175
root, 175
broadband PPPoE (Point-to-Point Protocol over Ethernet), 22
broadcast networks, 231
buffer logging, 298
C
Auto MDI-X, 35
frames, 42
point-to-point links, 36
shared media, 36
standards for, 35
UTP (unshielded twisted pair), 35
online resources for, 49
PoE (Power over Ethernet), 36–37
troubleshooting
potential errors and problems, 40–44
show interface command, 41, 43
CAPWAP (Control and Provisioning of Wireless Access Points), 191
carrier-sense multiple access with collision avoidance (CSMA/CA), 5, 42
Cat 1-Cat 7 cables, 35
CBWFQ (class-based weighted fair queueing), 303
CCMP (Counter Cipher Mode with Block Chaining Message Authentication Code Protocol), 385
CCX (Cisco Compatible Extensions), 190
CDP (Cisco Discovery Protocol), 144, 164–166
cdp enable command, 165
cdp run command, 165
CEF (Cisco Express Forwarding), 201
channel-group 2 mode desirable, 155
channel-group 3 mode active command, 156
channel-group command, 154
channels, 110
Cisco APIC Enterprise Module (APIC-EM), 397
Cisco Catalyst 9800-L wireless controller, 188–189
Cisco Compatible Extensions (CCX), 190
Cisco Discovery Protocol (CDP), 144, 164–166
Cisco DNA (Digital Network Architecture) Center, 10–11, 400–401
Cisco Express Forwarding (CEF), 201
Cisco Firepower NGFW (next-generation firewalls), 8
Cisco Identity Services Engine (ISE), 346
Cisco Mobility AnyConnect, 345
Cisco Open SDN Controller, 397
Cisco wireless architectures, 187–195
AP (access point) modes, 191–192
CAPWAP (Control and Provisioning of Wireless Access Points), 191
LAG (link aggregation), 189
online resources for, 195
quality of service (QoS) settings, 190
WLAN security profiles, 189–191
class-based weighted fair queueing (CBWFQ), 303
clients
DHCP (dynamic host configuration protocol), 282
DNS (Domain Name System), troubleshooting, 275–278
ip domain-lookup command, 278
ip domain-name command, 278
ip name-server command, 278
ipconfig /all command, 275–276
nslookup command, 278
IP (Internet Protocol) parameters for, 80–81
NTP (Network Time Protocol), 263
cloaking, network, 111
cloud services
virtualization and, 119
CloudFormation, 395
CNAME (domain name aliases), 273
collapsed core network designs, 19
colon (:), 91
aaa new-model, 329
access-list 1, 252
access-list deny, 359
banner motd, 336
cdp enable, 165
cdp run, 165
channel-group, 154
channel-group 2 mode desirable, 155
channel-group 3 mode active, 156
crypto key generate rsa, 304, 334–335
default-router, 281
dhcp excluded-address, 281
dns-server, 281
enable, 330
errdisable recovery, 372
exit, 329
ifconfig, 101
interface fa0/0 overload, 253–254
interface range, 154
ip access-group, 360
ip access-list standard, 360
ip address dhcp, 282
ip arp inspection, 375
ip dhcp excluded-address, 281
ip dhcp pool, 281
ip dhcp snooping, 375
ip domain-lookup, 278
ip domain-name lab.ajsnetworking.com, 334–335
ip helper-address, 283
ip name-server, 278
ip nat inside, 251
ip nat inside source list 1 pool MYNATPOOL, 253
ip nat inside source static, 251, 254
ip nat outside, 251
ip nat pool MYNATPOOL, 253
ip ospf hello-interval, 229
ip ssh version 2, 304, 334–335
ipconfig /all, 100–101, 275–276
ipv6 address, 95
ipv6 address autoconfig, 98
ipv6 enable, 97
ipv6 route, 216
lldp receive, 167
lldp run, 167
lldp transmit, 167
login local, 329
no shutdown, 154
nslookup, 278
ntp server, 263
option, 281
router ospf 1, 227
router-id, 230
security passwords min-length 10, 330–331
service password-encryption, 331–332, 333
show access-list, 359, 361, 362
show cdp, 165
show cdp interface, 165
show cdp neighbors detail, 165
show controllers, 38
show etherchannel 1 summary, 154
show etherchannel 3 summary, 157
show etherchannel summary, 155
show interface gi0/2 switchport, 144
show interface gi1/0 switchport, 149
show interface trunk, 150
show ip dhcp binding, 282, 288
show ip dhcp conflict, 282
show ip interface, 361
show ip interface brief, 283, 288
show ip nat translation, 251, 254
show ip ospf neighbor, 227–228, 230
show ip route, 204, 209, 217–218, 228
show ipv6 interface, 96
show ipv6 interface brief, 97
show ipv6 route, 218
show lldp, 168
show lldp interface, 168
show lldp neighbors detail, 168
show ntp associations, 264
show ntp status, 264
show port-security interface, 374
show run | include nat, 252
show spanning-tree, 176–179, 180
show vlan brief, 142, 143, 144
shutdown, 154
snmp-server source-interface traps loopback 1, 333
switchport access vlan 20, 143
switchport mode trunk, 149
switchport port-security, 371–373
switchport voice vlan 50, 144
transport input, 335
transport input none, 304
transport input ssh, 304, 334–335
username JOHNS privilege 15 secret 1L0v3C1sc0Systems, 329
configuration
ACLs (access control lists)
extended, 362
online resources for, 367
device access control, 325–342
AAA (authentication, authorization, and accounting), 328–330
MOTD (message-of-the-day) banners, 336
password security policy, 330–332
physical security, 332
RADIUS (Remote Authentication Dial-In User Service), 330
source addressing, 333
TACACS+, 330
DHCP (dynamic host configuration protocol), 280–282
DNS (Domain Name System) client connectivity, 275–278
ip domain-lookup command, 278
ip domain-name command, 278
ip name-server command, 278
ipconfig /all command, 275–276
nslookup command, 278
EtherChannel
interswitch connectivity, 148–150
IPv4 (Internet Protocol version 4)
IP parameter verification, 80–81
online resources for, 87
IPv6 (Internet Protocol version 6), 89–107
anycast, 93
link-local unicast, 92
multicast, 92
SLAAC (stateless address autoconfiguration) of, 93, 97–98
unique local, 92
verification of, 96–97, 100–101
NAT (Network Address Translation)
NTP (Network Time Protocol), 262–263
OSPFv2 (open shortest path first version 2), 227, 229–230
PAT (Port Address Translation), 253
PortFast, 181
Spanning Tree Protocol
classic Spanning Tree Protocol, 178–179
PortFast, 181
RPVST+ (Rapid Per VLAN Spanning Tree Plus), 179
syslog
default configuration, 296
example of, 299
SNMP security levels, 299
timestamps, 296
VLANs (virtual local-area networks), 140–145
CDP (Cisco Discovery Protocol), 144
interfaces for, 143
VTP (VLAN Trunking Protocol), 141–142
WPA (Wi-Fi Protected Access), 385
configuration management, 411–413
congestion avoidance tools, 303
congestion management tools, 303
connectivity, IP. See IP (Internet Protocol) connectivity
console logging, 296
containers, 120
Control and Provisioning of Wireless Access Points (CAPWAP), 191
controller-based networking, 396–398
controllers
controller-based networking, 396–398
wireless LAN controllers (WLCs), 11–12
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), 385
CRC (cyclic redundancy check), 43
CRUD operations, 409
crypto key generate rsa command, 304, 334–335
CSMA/CA (carrier-sense multiple access with collision avoidance), 5, 42
curly braces ({ }), 415
cut-through switching, 129
cyclic redundancy check (CRC), 43
D
DAI (dynamic ARP inspection)
configuration of, 375
online resources for, 381
Data and Pad field (Ethernet frames), 131–132
data communications equipment (DCE), 37
data exfiltration, 316
Data Link layer (OSI model), 54
data terminal equipment (DTE), 37
data traffic, 302
Database Migration Service, 2622
DataSync, 2622
DCE (data communications equipment), 37
DDoS (distributed denial-of-service) attacks, 315
decimal numbers, converting binary numbers to, 67
default routes, 216
default-router command, 281
deferred frames, 43
DEI (drop eligible indicator), 149
designated ports, 175
designated router (DR), 231
desirable setting (EtherChannel), 155
desktop virtualization, 121
Destination MAC field (Ethernet frames), 132
device access control, 325–342
AAA (authentication, authorization, and accounting), 328–330
MOTD (message-of-the-day) banners, 336
password security policy, 330–332
physical security, 332
RADIUS (Remote Authentication Dial-In User Service), 330
source addressing, 333
TACACS+, 330
device hardening, 332
DHCP (dynamic host configuration protocol)
client configuration for, 282
online resources for, 293
relay agents, 283
server/client topology, 280
servers
verification of, 282
dhcp excluded-address command, 281
DiffServ (Differentiated Services), 301–302
Digital Network Architecture (DNA) Center, 10–11, 400–401
directed broadcasts, 75
CDP (Cisco Discovery Protocol), 164–166
LLDP (Link Layer Discovery Protocol), 167–168
online resources for, 171
distributed denial-of-service (DDoS) attack, 315
DMVPN (Dynamic Multipoint VPN), 22, 347
DNA (Digital Network Architecture) Center, 10–11, 400–401
DNS (Domain Name System), 271–279
online resources for, 293
ip domain-lookup command, 278
ip domain-name command, 278
ip name-server command, 278
ipconfig /all command, 275–276
nslookup command, 278
dns-server command, 281
Docker, 120
domain name aliases (CNAME), 273
Domain Name System. See DNS (Domain Name System)
DR (designated router), 231
dribble conditions, 43
drop eligible indicator (DEI), 149
DTE (data terminal equipment), 37
dual band access points, 5
dual-homed topology, 22
duplex, 42
dynamic ARP inspection (DAI)
configuration of, 375
online resources for, 381
dynamic host configuration protocol. See DHCP (dynamic host configuration protocol)
Dynamic Multipoint VPN (DMVPN), 22, 347
dynamic NAT (Network Address Translation), 252–254
verification of, 254
dynamic port security, 371
E
enable command, 330
enable password command, 331–332
errdisable recovery command, 372
static
cabling
Auto MDI-X, 35
standards for, 35
UTP (unshielded twisted pair), 35
Layer 2
configuration with LACP, 156–157
configuration with PAgP, 155–156
online resources for, 49
PoE (Power over Ethernet), 36–37
point-to-point links, 36
runts, 42
shared media, 36
cut-through, 129
fragment-free, 129
MAC (media access control) addresses in, 127
online resources for, 136
port LEDs for, 129
switch layout, 127
exit command, 329
exit interfaces, 217
exploits, 316
extended ACLs (access control lists)
configuration of, 362
definition of, 358
F
fabric, 398
Fast Ethernet, 35
FCS (Frame Check Sequence) field, 42, 132
FHRPs (first hop redundancy protocols), 237–243
FIFO (first-in, first-out) approach, 301
File Transfer Protocol (FTP), 305
files, zone, 273
first hop redundancy protocols. See FHRPs (first hop redundancy protocols)
first-in, first-out (FIFO) approach, 301
floating static routes, 218
forwarding per-hop behavior (PHB), 301–303
fragment-free switching, 129
Frame Check Sequence (FCS) field, 42, 132
frame rewrite procedure, 201
frames
troubleshooting, 43
FTP (File Transfer Protocol), 305
full mesh topology, 22
full-duplex, 42
function virtualization, 121
G
Gateway Load Balancing Protocol (GLBP), 239–240, 243
gateway of last resort, 206
Giant frames, 42
Gigabit Ethernet, 35
H
half-duplex, 42
headers
Ethernet, 131
IPv6, 91
hexadecimal notation, 90
home offices. See SOHOs (small offices/home offices)
hop counts, 206
horizontal APIs (application programming interfaces), 398
host routes, 216
HSRP (Hot Standby Router Protocol), 238–239, 243
HTTP (Hypertext Transfer Protocol), 408
hub-and-spoke topology, 22
hybrid cloud services, 27
Hypertext Transfer Protocol (HTTP), 408
hypervisors, 119
I
IaaS (Infrastructure as a Service), 26
IANA (Internet Assigned Numbers Authority), 92
Identity Services Engine (ISE), 346
IEEE (Institute of Electrical and Electronics Engineers)
802.11 wireless standards, 110
802.3 Ethernet standards, 35
PoE (Power over Ethernet) standards, 36–37
ifconfig command, 101
ignored frames, 43
Infrastructure as a Service (IaaS), 26
injection, SQL, 316
input drops, 43
input errors, 43
inside source NAT (Network Address Translation), 247–259
motivations for, 250
one-way, 250
topology of, 250
Institute of Electrical and Electronics Engineers. See IEEE (Institute of Electrical and Electronics Engineers)
Integrated Services (IntServ), 301–302
interface fa0/0 overload command, 253–254
interface range command, 154
interfaces
exit, 217
outgoing, 217
resets, 43
for VLANs (virtual local-area networks), 143
internal networks, 344
Internet Assigned Numbers Authority (IANA), 92
Internet Protocol. See IP (Internet Protocol) connectivity; specific services
interswitch connectivity, 148–150
Inter-Switch Link (ISL), 148
intrusion prevention systems (IPSs), 8, 319
IntServ (Integrated Services), 301–302
IP (Internet Protocol) connectivity
FHRPs (first hop redundancy protocols), 237–243
IP parameter verification, 80–81
IPv4/IPv6 static routing, 215–223
floating static routes, 218
troubleshooting, 218
anycast, 93
link-local unicast, 92
multicast, 92
SLAAC (stateless address autoconfiguration) of, 93, 97–98
unique local, 92
verification of, 96–97, 100–101
online resources for, 87
OSPFv2 (open shortest path first version 2), 225–235
BDR (backup designated router), 231
configuration of, 227, 229–230
definition of, 226
DR (designated router), 231
online resources for, 235
topology of, 226
troubleshooting, 231
AD (administrative distance), 206–209
frame rewrite procedure in, 201
online resources for, 213
packet-handling process in, 200–201
Video over IP, 302
Voice over IP, 302
IP (Internet Protocol) services. See specific services
ip access-group command, 360
ip access-list standard command, 360
ip address dhcp command, 282
ip arp inspection command, 375
ip arp inspection trust command, 375
ip dhcp excluded-address command, 281
ip dhcp pool command, 281
ip dhcp snooping command, 375
ip domain-lookup command, 278
ip domain-name command, 278, 304
ip domain-name lab.ajsnetworking.com command, 334–335
ip helper-address command, 283
ip name-server command, 278
ip nat inside command, 251
ip nat inside source command, 253–254
ip nat inside source list 1 pool MYNATPOOL commands, 253
ip nat inside source static command, 251, 254
ip nat outside command, 251
ip nat pool MYNATPOOL command, 253
ip ospf dead-interval command, 229
ip ospf hello-interval command, 229
ip ssh version 2 command, 304, 334–335
ipconfig /all command, 100–101, 275–276
IPsec, 347
IPSs (intrusion prevention systems), 8, 319
IPv4 (Internet Protocol version 4)
addresses
IP parameter verification, 80–81
online resources for, 87
floating static routes, 218
troubleshooting, 218
IPv6 (Internet Protocol version 6)
anycast, 93
link-local unicast, 92
multicast, 92
SLAAC (stateless address autoconfiguration) of, 93, 97–98
unique local, 92
verification of, 96–97, 100–101
floating static routes, 218
troubleshooting, 218
ipv6 address autoconfig command, 98
ipv6 address command, 95
ipv6 enable command, 97
ipv6 route command, 216
ipv6 unicast-routing command, 96, 98
ISE (Identity Services Engine), 346
ISL (Inter-Switch Link), 148
J
JSON (JavaScript Object Notation)
benefits of, 414
definition of, 414
online resources for, 419
Jumbo frames, 42
K
Key Reinstallation Attack (KRACK), 385
keys, 347
keywords, 254
msec, 296
privilege, 330
source-interface, 333
KRACK (Key Reinstallation Attack), 385
L
LACP (Link Aggregation Control Protocol), Layer 2 EtherChannel configuration with, 156–157
LAG (link aggregation), 189
late collisions, 43
Layer 2 discovery protocols, 163–171
CDP (Cisco Discovery Protocol), 164–166
LLDP (Link Layer Discovery Protocol), 167–168
online resources for, 171
Layer 2 EtherChannel configuration
DAI (dynamic ARP inspection)
configuration of, 375
online resources for, 381
port security
dynamic, 371
online resources for, 381
violation actions, 372
sticky MAC address learning, 373–374
layers
OSI (Open Systems Interconnection) model, 53–55
TCP/IP (Transmission Control Protocol/Internet Protocol) model, 53
LDAP (Lightweight Directory Access Protocol), 346
learning MAC (media access control) addresses, 127
Length/Type field (Ethernet frames), 132
LFI (link fragmentation and interleaving), 303
Lightweight Access Point Protocol (LWAPP), 191
Lightweight Directory Access Protocol (LDAP), 346
lightweight mode, 191
Link Aggregation Control Protocol (LACP), Layer 2 EtherChannel configuration with, 156–157
link aggregation (LAG), 189
link fragmentation and interleaving (LFI), 303
Link Layer Discovery Protocol (LLDP), 167–168
link-local unicast addresses, 92
links, point-to-point, 36
Linux
IP (Internet Protocol) parameters on, 80–81
LLDP (Link Layer Discovery Protocol), 167–168
lldp receive command, 167
lldp run command, 167
lldp transmit command, 167
LLQ (low-latency queueing), 303
local mode, 191
buffer, 298
configuration of
default configuration, 296
example of, 299
SNMP security levels, 299
timestamps, 296
console, 296
message fields, 298
monitor, 297
online resources for, 310
severity levels, 298
login local command, 329
lookup operation, DNS (Domain Name System), 272–273
lost carrier errors, 44
low-latency queueing (LLQ), 303
LWAPP (Lightweight Access Point Protocol), 191
M
MAC (media access control) addresses
aging, 127
learning, 127
MAC address tables, 128
maximum, 372
sticky MAC address learning, 373–374
Mac OS systems, IP (Internet Protocol) parameters on, 80–81
malware, 314
man-in-the-middle attacks, 316
Martian packets, 77
maximum MAC (media access control) addresses, 372
message-of-the-day (MOTD) banners, 336
Metro Ethernet, 22
mGRE (Multipoint Generic Routing Encapsulation), 347
mitigation techniques, 318–319
Mobility AnyConnect, 345
models
OSI (Open Systems Interconnection), 52–56
TCP/IP (Transmission Control Protocol/Internet Protocol), 52–56
modified EUI-64 addresses, 92, 96–97
monitor logging, 297
MOTD (message-of-the-day) banners, 336
MPLS (Multiprotocol Label Switching), 22
msec keyword, 296
Multipoint Generic Routing Encapsulation (mGRE), 347
Multiprotocol Label Switching (MPLS), 22
MX (mail exchangers), 273
N
NACLs (network ACLs), 353
name servers (NS), 273
named ACLs (access control lists), 362
NAT (Network Address Translation), 77, 247–259
bidirectional, 250
verification of, 254
motivations for, 250
one-way, 250
online resources for, 259
overloading, 253
PAT (Port Address Translation), 253
pools, 253
topology of, 250
troubleshooting, 254
ND (Neighbor Discovery), 98
neighbor formation. See OSPFv2 (open shortest path first version 2)
network access
Layer 2 discovery protocols, 163–171
CDP (Cisco Discovery Protocol), 164–166
LLDP (Link Layer Discovery Protocol), 167–168
online resources for, 171
wireless. See wireless networks
network ACLs (NACLs), 353
Network Address Translation. See NAT (Network Address Translation)
network cloaking, 111
access points, 5
controllers
wireless LAN controllers (WLCs), 11–12
servers, 6
Network layer (OSI model), 54
network management, automation in, 393–405
Cisco DNA (Digital Network Architecture) Center, 400–401
controller-based networking, 396–398
online resources for, 405
network masks, 204
network models
OSI (Open Systems Interconnection), 52–56
TCP/IP (Transmission Control Protocol/Internet Protocol), 52–56
network routes, 216
DHCP (dynamic host configuration protocol), 280
NAT (Network Address Translation), 250
OSPFv2 (open shortest path first version 2), 226
point-to-point, 22
on-premises resources, 26
SOHOs (small offices/home offices), 22
Spanning Tree Protocol, 176
three-tier architecture, 18–19
WANs (wide-area networks), 21–22
network virtualization, 120
next hop IP addresses, 204–205
Next Hop Resolution Protocol (NHRP), 347
next-generation firewalls (NGFW), 7–8
next-generation SDN (software-defined networking), 397
NGFW (next-generation firewalls), 7–8
NHRP (Next Hop Resolution Protocol), 347
No buffer condition, 43
no carrier errors, 43
no shutdown command, 154
noAuthNoPriv level, 299
non-broadcast networks, 231
northbound APIs (application programming interfaces), 397
NS (name servers), 273
nslookup command, 278
NTP (Network Time Protocol), 261–269
benefits of, 262
online resources for, 269
ports for, 262
stratum value in, 262
verification of, 264
ntp server command, 263
numbered ACLs (access control lists)
O
objects, JSON (JavaScript Object Notation), 415
one-way NAT (Network Address Translation), 250
on-premises resources, 26
Open SDN Controller, 397
open shortest path first. See OSPFv2 (open shortest path first version 2)
Open Systems Interconnection. See OSI (Open Systems Interconnection) model
OpenFlow, 397
option command, 281
OSI (Open Systems Interconnection) model, 52–56
DAI (dynamic ARP inspection), 375
sticky MAC address learning, 373–374
online resources for, 64
PDUs (protocol data units) in, 55
OSPFv2 (open shortest path first version 2), 225–235
BDR (backup designated router), 231
configuration of, 227, 229–230
definition of, 226
DR (designated router), 231
floating static routes for, 218
online resources for, 235
topology of, 226
troubleshooting, 231
outgoing interfaces, 217
output buffer failures, 43
output buffers swapped out, 43
output drops, 43
output hang, 43
overlays, 398
overload keyword, 254
overloading NAT (Network Address Translation), 253
overruns, 43
P
PaaS (Platform as a Service), 26
Packet Tracer, 264
packet-handling process, 200–201
PAgP (Port Aggregation Protocol), 155–156
parameters, IP (Internet Protocol)
password security policy, 330–332
PAT (Port Address Translation), 253
PCP (priority code point), 149
PDH (plesiochronous digital hierarchy), 22
PDUs (protocol data units), 55
Per VLAN Spanning Tree Plus (PVST+), 174–176
PHB (forwarding per-hop behavior), 301–303
phishing, 315
physical interfaces, 33–49. See also cabling
online resources for, 49
troubleshooting
potential errors and problems, 40–44
show interface command, 41, 43
Physical layer (OSI model), 54
ping command, 228, 251, 276–277
Platform as a Service (PaaS), 26
plesiochronous digital hierarchy (PDH), 22
PMF (Protected Management Frames), 385
PoE (Power over Ethernet), 36–37
pointers for reverse DNS lookups (PTR), 273
point-to-multipoint networks, 231
point-to-multipoint non-broadcast networks, 231
point-to-point links, 36
point-to-point networks, 22, 231
Point-to-Point Protocol over Ethernet (PPPoE), 22
policies
security, 319
pools, NAT (Network Address Translation), 253
Port Address Translation (PAT), 253
Port Aggregation Protocol (PAgP), 155–156
PortFast, 181
ports
NTP (Network Time Protocol), 262
port LEDs, 129
port numbers, 59
PortFast, 181
security
dynamic, 371
online resources for, 381
violation actions, 372
Spanning Tree Protocol
classic Spanning Tree Protocol, 175
RPVST+ (Rapid Per VLAN Spanning Tree Plus), 181
Power over Ethernet (PoE), 36–37
PPPoE (Point-to-Point Protocol over Ethernet), 22
Preamble field (Ethernet frames), 131
Presentation layer (OSI model), 55
priority code point (PCP), 149
priority values, Spanning Tree Protocol, 178–179
private cloud services, 26
privilege keyword, 330
configuration control and management, 411–413
online resources for, 419
Protected Management Frames (PMF), 385
protocol data units (PDUs), 55
protocols. See specific protocols
PTR (pointers for reverse), 273
public cloud services, 26
public key cryptography, 347
Puppet, 412
PVST+ (Per VLAN Spanning Tree Plus), 174–176
Python, 412
Q
QoS (quality of service)
BE (best effort), 301
DiffServ (Differentiated Services), 301–302
forwarding per-hop behavior tools, 302
IntServ (Integrated Services), 301–302
marking traffic for, 302
online resources for, 310
PHB (forwarding per-hop behavior), 301–303
settings for, 190
R
radio frequencies (RF), 110
RADIUS (Remote Authentication Dial-In User Service), 319, 330, 346
ransomware, 316
Rapid Per VLAN Spanning Tree Plus (RPVST+), 179–181
Rapid Spanning Tree Protocol (RSTP), 179
REAP (Remote Edge Access Point), 191
redundancy. See FHRPs (first hop redundancy protocols)
relay agents (DHCP), 283
remote access VPNs (virtual private networks), 345
Remote Authentication Dial-In User Service (RADIUS), 319, 330, 346
Remote Edge Access Point (REAP), 191
representational state transfer (REST), 398, 408–409
resets, interface, 43
Resource Reservation Protocol (RSVP), 301–302
REST (representational state transfer), 398, 408–409
RF (radio frequencies), 110
Rogue Detector mode, 192
root bridges, 175
root cost, 175
rootkits, 315
router ospf 1 command, 227
router-id command, 230
frame rewrite procedure in, 201
IPv4/IPv6 static routing, 215–223
floating static routes, 218
troubleshooting, 218
packet-handling process in, 200–201
routing tables
administrative distance (AD) values in, 206–209
online resources for, 213
RPVST+ (Rapid Per VLAN Spanning Tree Plus), 179–181
RSTP (Rapid Spanning Tree Protocol), 179
RSVP (Resource Reservation Protocol), 301–302
Ruby, 412
runts, 42
S
SaaS (Software as a Service), 27
sandboxes, 120
SDH (synchronous digital hierarchy), 22
SDN (software-defined networking), 396–398
SE-Connect mode, 191
Secure Shell (SSH), 304–305, 319, 334–335
Secure Sockets Layer (SSL), 344
secure tunnels, 344
ACLs (access control lists), 353–367
ACEs (access control entries), 358
advantages of, 353
NACLs (network ACLs), 353
CCMP (Counter Cipher Mode with Block Chaining Message Authentication Code Protocol), 385
Cisco DNA Center, 401
DAI (dynamic ARP inspection)
configuration of, 375
online resources for, 381
device access control, 325–342
AAA (authentication, authorization, and accounting), 328–330
MOTD (message-of-the-day) banners, 336
password security policy, 330–332
physical security, 332
RADIUS (Remote Authentication Dial-In User Service), 330
source addressing, 333
TACACS+, 330
exploits, 316
mitigation techniques for, 318–319
online resources for, 323, 380–381
policies for, 319
port
dynamic, 371
online resources for, 381
violation actions, 372
SNMP (Simple Network Management Protocol), 299
SSL (Secure Sockets Layer), 344
sticky MAC address learning, 373–374
TKIP (Temporal Key Integrity Protocol), 384
TLS (Transport Layer Security), 344
vulnerabilities, 316
WLAN security profiles, 189–191
WPA (Wi-Fi Protected Access), 383–390
zero-day attacks, 317
security passwords min-length 10 command, 330–331
servers
definition of, 6
DHCP (dynamic host configuration protocol)
verification of, 282
service password-encryption command, 331–332, 333
service set identifiers (SSIDs), 111
services. See specific services
Session layer (OSI model), 55
severity levels, syslog, 298
SFD (Start Frame Delimiter) field, 131
shared media, 36
show access-list command, 359, 361, 362
show cdp command, 165
show cdp interface command, 165
show cdp neighbors detail command, 165
show controllers command, 38
show etherchannel 1 summary command, 154
show etherchannel 3 summary, 157
show etherchannel summary command, 155
show interface command, 41, 43
show interface gi0/2 switchport commands, 144
show interface gi1/0 switchport command, 149
show interface trunk command, 150
show ip dhcp binding command, 282, 288
show ip dhcp conflict command, 282
show ip interface brief command, 283, 288
show ip interface command, 361
show ip nat translation command, 251, 254
show ip ospf neighbor command, 227–228, 230
show ip route command, 204, 209, 217–218, 228
show ipv6 interface brief command, 97
show ipv6 interface command, 96
show ipv6 route command, 218
show lldp command, 168
show lldp interface command, 168
show lldp neighbors detail command, 168
show ntp associations command, 264
show ntp status command, 264
show port-security interface command, 374
show run | include nat command, 252
show spanning-tree command, 176–179, 180
show vlan brief command, 142, 143, 144
show vtp status command, 141–142
shutdown command, 154
Simple Network Management Protocol (SNMP), 299, 310
single-area OSPFv2 (open shortest path first version 2), 225–235
configuration of, 227, 229–230
definition of, 226
topology of, 226
troubleshooting, 231
single-homed topology, 22
site-to-site VPNs (virtual private networks), 345
SLAAC (stateless address autoconfiguration), 93, 97–98
small offices/home offices (SOHOs), 22
SMTP mail exchangers (MX), 273
Sniffer mode, 192
SNMP (Simple Network Management Protocol), 299, 310
snmp-server source-interface traps loopback 1 command, 333
SNMPv3, 319
online resources for, 381
SOA (start of authority), 273
Software as a Service (SaaS), 27
software-defined networking (SDN), 396–398
SOHOs (small offices/home offices), 22
SONET, 22
source addressing, 333
Source MAC field (Ethernet frames), 132
Sourcefire, 8
source-interface keyword, 333
southbound APIs (application programming interfaces), 397
Spanning Tree Protocol, 173–186
bridges
BID (bridge ID), 175
definition of, 175
root, 175
designated ports, 175
PVST+ (Per VLAN Spanning Tree Plus), 174–176
RPVST+ (Rapid Per VLAN Spanning Tree Plus), 179–181
topology of, 176
speed mismatches, 42
spyware, 315
SQL injection attacks, 316
SSH (Secure Shell), 304–305, 319, 334–335
SSIDs (service set identifiers), 111
SSL (Secure Sockets Layer), 344
standard ACLs (access control lists), 358
standby routers, 239
Start Frame Delimiter (SFD) field, 131
start of authority (SOA), 273
stateless address autoconfiguration (SLAAC), 93, 97–98
states, OSPFv2 (open shortest path first version 2), 230–231
static EtherChannel
static NAT (Network Address Translation), 250–252
floating static routes, 218
troubleshooting, 218
sticky MAC address learning, 373–374
storage virtualization, 120
store-and-forward switching, 128–129
stratum value, 262
subnetting
switching, 125–136. See also bridges
configuration for RPVST+, 180
cut-through, 129
Ethernet frame format, 131–132
fragment-free, 129
frame flooding and switching, 128
interswitch connectivity, 148–150
MAC (media access control) addresses in, 127–128
online resources for, 136
port LEDs for, 129
switch layout, 127
VLAN creation on, 142
switchport access vlan 20 command, 143
switchport mode trunk command, 149
switchport port-security command, 371–373
switchport voice vlan 50 command, 144
symmetric-key algorithms, 347
synchronous digital hierarchy (SONET/SDH), 22
buffer logging, 298
configuration of
default configuration, 296
example of, 299
SNMP security levels, 299
timestamps, 296
console logging, 296
message fields, 298
monitor logging, 297
online resources for, 310
serverity levels, 298
system logging. See syslog
T
tables
MAC address, 128
routing
administrative distance (AD) values in, 206–209
online resources for, 213
tag control information (TCI), 149
tag protocol identifier (TPID), 149
tagged ports. See trunking
targeted broadcasts, 75
TCI (tag control information), 149
TCP (Transmission Control Protocol), 57–59, 64
TCP/IP (Transmission Control Protocol/Internet Protocol) model, 52–56
Temporal Key Integrity Protocol (TKIP), 384
Temporary IPv6 Address value, 101
Terminal Access Controller Access-Control System (TACACS+), 319
TFTP (Trivial File Transfer Protocol), 305
three-tier architecture, 18–19
throttles, 43
time, NTP (Network Time Protocol), 261–269
benefits of, 262
online resources for, 269
stratum value in, 262
verification of, 264
timestamps
configuration of, 296
syslog, 298
TKIP (Temporal Key Integrity Protocol), 384
TLS (Transport Layer Security), 344
topologies. See network topology
TPID (tag protocol identifier), 149
trailers, Ethernet frame, 131
Transmission Control Protocol (TCP), 57–59, 64
Transmission Control Protocol/Internet Protocol (TCP/IP) model, 52–56
transport input command, 335
transport input none command, 304
transport input ssh command, 304, 334–335
Transport layer (OSI model), 54
Transport Layer Security (TLS), 344
Trivial File Transfer Protocol (TFTP), 305
Trojan horses, 315
troubleshooting
DHCP (dynamic host configuration protocol), 285–288
DNS (Domain Name System), 275–278
ip domain-lookup command, 278
ip domain-name command, 278
ip name-server command, 278
ipconfig /all command, 275–276
nslookup command, 278
interface and cabling issues, 43
potential errors and problems, 40–44
show interface command, 41, 43
IPv4/IPv6 static routing, 218
NAT (Network Address Translation), 254
OSPFv2 (open shortest path first version 2), 231
trunking
definition of, 141
two-tier spine-leaf architecture, 18–19
Type 1 hypervisors, 119
Type 2 hypervisors, 119
U
UDP (User Datagram Protocol), 57–59, 64
underlays, 398
underruns, 43
unidirectional NAT (Network Address Translation), 250
unique local addresses, 92
UNIX, Puppet on, 412
unknown unicast flooding, 127–128
unshielded twisted pair (UTP), 35
User Datagram Protocol (UDP), 57–59, 64
username JOHNS privilege 15 secret 1L0v3C1sc0Systems command, 329
UTP (unshielded twisted pair), 35
V
variable-length subnet masking, 71
verification
of ACLs (access control lists), 358–359
of DHCP (dynamic host configuration protocol), 282–283
of interfaces for VLANs, 143
of IPv4/IPv6 static routing, 217–218
of IPv6 configuration, 96–97, 100–101
of NAT (Network Address Translation)
dynamic, 254
of NTP (Network Time Protocol), 264
of OSPFv2 (open shortest path first version 2), 227–228
of Spanning Tree Protocol, 176–179, 180
of VLANs (virtual local-area networks), 142–143
VID (VLAN identifier), 149
Video over IP, 302
violation actions, port security, 372
Violation Mode setting (port security), 372
virtual local-area networks (VLANs), 118
virtual machines (VMs), 119
virtual private networks. See VPNs (virtual private networks)
Virtual Router Redundancy Protocol (VRRP), 238–240
virtualization
application, 120
desktop, 121
function, 121
network, 120
online resources for, 124
storage, 120
VLANs (virtual local-area networks), 118
VMs (virtual machines), 119
VPNs (virtual private networks), 343–351
online resources for, 351
viruses, definition of, 314
VLAN identifier (VID), 149
VLANs (virtual local-area networks), 118
CDP (Cisco Discovery Protocol), 144
interfaces for, 143
VTP (VLAN Trunking Protocol), 141–142
interswitch connectivity, 148–150
online resources for, 162
VTP (VLAN Trunking Protocol), 141–142
VMs (virtual machines), 119
Voice over IP, 302
voice VLANs (virtual local-area networks), 143–145
VPNs (virtual private networks), 343–351
online resources for, 351
VRRP (Virtual Router Redundancy Protocol), 238–240
VTP (VLAN Trunking Protocol), 141–142
vulnerabilities, 316
W
WANs (wide-area networks), 21–22
weighted random early detection (WRED), 303
wide-area networks (WANs), 21–22
Wi-Fi. See wireless networks
Wi-Fi Protected Access. See WPA (Wi-Fi Protected Access)
Windows systems
IP (Internet Protocol) parameters on, 80–81
Puppet on, 412
wireless LAN controllers. See WLCs (wireless LAN controllers)
bands in, 110
channels in, 110
Cisco wireless architectures, 187–195
AP (access point) modes, 191–192
CAPWAP (Control and Provisioning of Wireless Access Points), 191
LAG (link aggregation), 189
online resources for, 195
quality of service (QoS) settings, 190
WLAN security profiles, 189–191
IEEE 802.11 standards for, 111
network cloaking, 111
online resources for, 115
SSIDs (service set identifiers), 111
WPA (Wi-Fi Protected Access), 383–390
wireless security protocols, 383–390
WLCs (wireless LAN controllers), 11–12, 187–195
AP (access point) modes, 191–192
CAPWAP (Control and Provisioning of Wireless Access Points), 191
LAG (link aggregation), 189
online resources for, 195
quality of service (QoS) settings, 190
WLAN security profiles, 189–191
worm attacks, 315
WPA (Wi-Fi Protected Access), 383–390
WPA3, 385
WRED (weighted random early detection), 303
X-Y-Z
Xorg, 121
zero-day attacks, 317
zone files, 273