
CCENT: ICND 100-105 CBT Nuggets
Tuesday, May 29, 2018 22:10
IT Education

Network Topology:
• Bus: Everyone is connected to a single cable. This means all of the computers are connected to each other.
• Ring: Everyone is connected to each other. If one node goes down, the whole network goes down.
• Star: Most common; one central device and everyone is connected to that center.
• Mesh: Multiple points of contact; allows a switch to go down and people are still able to reach the network.

Switch (Layer 2):
• Central connection point for devices plugging into the network. Wall jacks will typically go to a room called an MDF or Main Distribution Facility.
• 3rd generation device
• CAM table: MAC address table
• CSMA/CD - Carrier Sense Multiple Access / Collision Detection

Routers (Layer 3):
• Connects networks and moves data between networks.
• Routes traffic between VLANs
• Unicast messages

WAP & Controller:
• 2.4 GHz and 5 GHz
• Turns a wired network into a wireless network
• IEEE 802.11a/b/n/ac
• Cannot detect collisions
• CSMA/CA - Carrier Sense Multiple Access / Collision Avoidance (each station attached gets a timeslot to transmit.)
• Slower than switches

Firewall / IPS:
• Can operate in transparent or routed mode. Most common is routed mode.
• Inspects traffic
  ○ Allows a higher security zone to speak to lower security zones but not the other way around.
  ○ Allows internet traffic in by request
• Stateful filtering
• Set up security zones. The higher the number, the more secure the zone is.
  ○ Watches for unusual network traffic and shapes traffic based on anomalies or heuristics.
• Most are equipped with IPS modules.

Common Speeds of Devices

TCP/IP
For a new protocol to be made, an RFC (Request for Comments) needs to be performed.

Subnetting
Class A - 255.0.0.0 = 16,777,214 hosts
Class B - 255.255.0.0 = 65,534 hosts
Class C - 255.255.255.0 = 254 hosts

OSI Model
Away - Application
Pizza - Presentation
Sausage - Session
Throw - Transport
Not - Network
Do - Data Link
Please - Physical

Classes of Networks
A - 1 to 126
B - 128 to 191
C - 192 to 223

IOS
Internetwork Operating System
Monolithic operating system
SmartNet - Support contract and firmware updates. Worth the cost in a prod environment.

Firmware Versions
T - Experimental
GD - General Deployment

TCP/IP
Application
Transport
Network
Data Link
Physical


Cabling
• 10Base-T (IEEE 802.3) - 10 Mbps using CAT3
• 100Base-TX (IEEE 802.3u) - Commonly known as Fast Ethernet. 6 UTP two-pair wiring. Up to 100 meters long.
• 100Base-FX (IEEE 802.3u) - Fiber cabling. Point-to-point tech; up to 412 meters long. Uses ST and SC connectors.
• 1000Base-CX (IEEE 802.3z) - Copper twisted pair called twinax. Balanced coaxial pair that can only run up to 25 meters and uses a special 9-pin connector known as the High Speed Serial Data Connector (HSSDC).
• 1000Base-T (IEEE 802.3ab) - CAT5 four-pair UTP wiring up to 100 meters long and up to 1 Gbps.
• 1000Base-SX (IEEE 802.3z) - 1 Gigabit Ethernet running over multimode fiber optic cable instead of copper twisted pair cable.
• 1000Base-LX (IEEE 802.3z) - Single-mode fiber that uses a 9-micron core and a 1300 nm laser. Can go from 3 km to 10 km.
• 1000Base-ZX (Cisco standard) - Single-mode fiber optic links with spans up to 43.5 miles or 70 km.
• 10GBase-T (802.3an) - A standard proposed by the IEEE 802.3an committee to provide 10 Gbps connections over conventional UTP cables (CAT 5/6/7). Supports 100 meters.

Straight-through cable:
• Host to switch or hub
• Router to switch or hub

Crossover cable:
• Switch to switch
• Hub to hub
• Host to host
• Hub to switch
• Router direct to host
• Router to router

Rolled cable or rollover cable:
• Serial to a console.

Enabling a console connection
Light blue color
- Can control routers/switches when the internet is down if on a secondary connection
- Reverse Telnet to them
- Can control multiple routers/switches
Access Server - Octal Cable

Modes
# - Privileged mode; show commands to get configurations
configure t - Global configuration mode
interface - Configure the interface
? - Shows available commands at the current prompt

Commands
Fix timeout: conf t > line console 0 > logging synchronous
Turn off auto telnet: conf t > no ip domain-lookup
Auto reload: reload in # (reboots the switch/router)
Cancel reload: reload cancel
Pipe: shows the command output limited to your search. Works like grep on Linux.
No exec-timeout: no timeout on the con 0 or vty lines
Show users: show users
Clear line vty #: kills the session to the device
Show CPU: shows the CPU info

Navigating
-- More -- : Space bar = 1 page at a time, Enter = 1 line at a time
Ctrl+Z: Exit back to privileged mode
Tab: finish commands
Up/Down arrow: Command history
Ctrl+Shift+6: Abort (sometimes this works)
Ctrl+A: Beginning of the line
Ctrl+E: End of the line

File System
Command: show flash

Types of storage on switches/routers
RAM
NVRAM
Flash (HDD of the device)

Save Running Config Commands
wr
copy running-config startup-config
copy run start

Factory Reset
write erase and then reload
delete flash:vlan.dat

Stacking (Switches)
Allows connection between switches for redundancy between switches


New switch / router setup process
1) Set up a hostname
   a. conf t > hostname "enterhostname"
2) Set a banner
   a. conf t > banner motd c "MOTD" c
      i. Or & MOTD &
3) Lock down the console port / VTY ports
   a. conf t > line con 0 > password "password", login
   b. conf t > line vty 0 4 > password "password", login
4) Set logging synchronous
   a. conf t > line con 0 > logging synchronous
5) Look at the interfaces; see if interfaces are up or down. By default, switches have all of the interfaces up. On a router, all of the interfaces are down.
   a. conf t > do show ip int brief
   b. conf t > do show running-config | section interfaces
6) Turn off domain lookup
   a. conf t > no ip domain-lookup
7) Set the enable password; enable secret hashes the password.
   a. enable secret "password"
   b. enable password "password" (not hashed)
8) Set the enable password to be encrypted (Cracker Jack encryption) to stop shoulder surfing
   a. service password-encryption
9) Save the configuration
   a. copy run start
   b. wr

Turning on SSH
1) ip domain-name "domainname"
2) crypto key generate rsa
3) line vty 0 4
   a. transport input ssh telnet
   b. login local
4) conf t > username "user" secret "password"
5) end
6) wr

Locating network devices
enable > show mac address-table
enable > show cdp (Cisco Discovery Protocol) neighbors

Speed
Ethernet – 10 Mbps
Fast Ethernet – 100 Mbps
Gigabit Ethernet – 1000 Mbps

Half duplex – Works like a walkie-talkie. Basically used for hub-only connections nowadays.
Full duplex – Each port on a switch is a collision domain; send/receive at the same time. No collisions in full duplex mode.

Auto – The device configures itself automatically to negotiate the speed with the other device. Side note: back in the day, this used to not work properly.

How to manually set speed:
conf t > int fastethernet 2/0/1 > speed 100 > duplex full

Port Security
Controls what gets plugged into the network. Stops unwanted devices from being plugged into the network. Limits the number of devices on the network.
1. Limit the number of MAC addresses on each port
2. Limit what MAC addresses can access the port
   a. Uses static assignment of MAC addresses or uses sticky assignment.
   b. Shutdown – Turns the port off so no devices work on that port.
   c. Protect – Ignores the second MAC address that appears on that port but does not shut the port down.
   d. Restrict – Same thing as protect but it logs the event.

How to configure port security
• Cannot have port security on a dynamic port. Has to be access or a trunk.
• conf t > switchport port-security
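To make the difference between the three violation modes concrete, here is an added Python model (not from the CBT Nuggets notes, and not IOS code) of a port configured with a maximum of one MAC address. The MAC addresses and the SecuredPort class are constructed for the example; the behaviour it encodes is the shutdown / protect / restrict distinction described above, including the fact that shutdown takes the legitimate device down with the intruder.

```python
# Added example: a model of port-security behaviour under the three violation
# modes (shutdown / protect / restrict). Not from the notes; the MAC addresses
# are constructed samples and the class is a teaching model, not IOS code.
from dataclasses import dataclass, field


@dataclass
class SecuredPort:
    name: str
    maximum: int = 1              # switchport port-security maximum <n>
    violation: str = "shutdown"   # switchport port-security violation {shutdown|protect|restrict}
    sticky: bool = False          # switchport port-security mac-address sticky
    allowed: set = field(default_factory=set)   # statically configured MACs
    learned: set = field(default_factory=set)   # dynamically / sticky learned MACs
    err_disabled: bool = False
    violations: int = 0           # the SecurityViolation count 'show port-security' reports
    log: list = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        if self.err_disabled:
            return False                       # nothing passes until the port is recovered
        if src_mac in self.allowed or src_mac in self.learned:
            return True
        if len(self.allowed) + len(self.learned) < self.maximum:
            self.learned.add(src_mac)          # still under the limit: learn it
            if self.sticky:
                self.log.append(f"{self.name}: sticky-learned {src_mac}")
            return True
        # A new MAC beyond the maximum is a violation; the mode decides what happens.
        if self.violation == "shutdown":
            self.violations += 1
            self.err_disabled = True           # port goes err-disabled, everyone loses service
            self.log.append(f"{self.name}: err-disabled by {src_mac}")
        elif self.violation == "restrict":
            self.violations += 1
            self.log.append(f"{self.name}: violation by {src_mac} (dropped and logged)")
        elif self.violation != "protect":      # protect: drop silently, no count, no log
            raise ValueError(f"unknown violation mode {self.violation!r}")
        return False

    def sticky_config_lines(self) -> list:
        """What sticky learning would write into the running-config (save with wr)."""
        return [f" switchport port-security mac-address sticky {m}"
                for m in sorted(self.learned)]


def run_scenario(mode: str, sticky: bool = False):
    """One port, max 1 MAC: legit device, then an unknown device, then legit again."""
    port = SecuredPort("Fa0/1", maximum=1, violation=mode, sticky=sticky)
    decisions = [port.receive("00:11:22:33:44:01"),
                 port.receive("00:11:22:33:44:02"),   # second device on the same jack
                 port.receive("00:11:22:33:44:01")]   # the original device again
    return decisions, port


if __name__ == "__main__":
    for mode in ("shutdown", "protect", "restrict"):
        decisions, port = run_scenario(mode)
        print(mode, decisions, "violations:", port.violations, port.log)
```

Running it shows why restrict is usually the operational choice: protect leaves no evidence, and shutdown turns a rogue device into an outage for the legitimate one until someone clears the err-disabled state.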

How to test if the network is slow
1. Run a speed test.
   a. Speedtest.net
   b. Speakeasy.net/speedtest
   c. Speedof.me
2. Download and run iperf. This is a speed testing tool for the LAN.
   a. Start the iperf server: "iperf3 -s"
   b. Go to the client computer and run iperf3 -c "ipaddress"
3. Find the switchport path
4. Use the show interface command to review statistics
   a. The input queue should stay low unless there is a bottleneck on the network somewhere.
   b. Check input errors. If the number keeps climbing, there is an issue.
   c. Broadcasts: this will let you know if there is a broadcast storm happening.
   d. Input errors / CRC: this is a bad cable or bad interface.

VLANs – Virtual Local Area Network
• Layer 2 technology, data link separation
• Segment the network, separate security appliances, apply security parameters
• Segments users. Segmentation is up to the network administrator
• For VLANs to talk to each other, the VLAN needs to talk to the router and an ACL rule needs to be made
• VLAN ports are "access ports" while connections between switches or between switch / router are trunks.
• 4094 total number of usable VLANs
• 802.1Q - IEEE Standard
  ○ Trunk = Tagged
  ○ Access port = Untagged
• The tag is added on every trunk interface and removed on any existing access port.

Ways to implement VLANs
• Router port for each VLAN
• "Router on a stick" - The type of VLAN routing covered on the CCNA
• Using a Layer 3 switch

Sub-interfaces allow you to take one physical interface and split it up into multiple logical interfaces.

Layer 3 switching
• Combines switching and routing together.
• Took the core routing and turned it into an ASIC system. Hardware able to do the routing function.
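The "trunk = tagged, access = untagged" rule is easiest to see on the wire. The following Python is an added example (not from the notes) that parses the 802.1Q tag a trunk port inserts and an access port strips; the frame bytes are constructed samples and the field layout is the IEEE 802.1Q header (TPID 0x8100 followed by a 16-bit TCI holding 3 priority bits, 1 DEI bit and the 12-bit VLAN ID, which is where the 4094 usable IDs come from).

```python
# Added example: 802.1Q tagging as a trunk/access port sees it.
# Not from the notes; the frame bytes below are constructed samples.
import struct

TPID_8021Q = 0x8100   # ethertype value that marks a tagged frame
MAX_VLAN_ID = 4094    # 1..4094 usable; 0 = priority tag only, 4095 reserved


def parse_ethernet(frame: bytes) -> dict:
    """Decode dst/src, an optional 802.1Q tag, and the real ethertype."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": None,
            "pcp": None, "ethertype": ethertype, "payload_offset": 14}
    if ethertype == TPID_8021Q:            # trunk traffic: 4 extra bytes follow
        if len(frame) < 18:
            raise ValueError("tagged frame truncated before the inner ethertype")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF                 # low 12 bits: VLAN ID
        if vid == 4095:
            raise ValueError("VLAN 4095 is reserved")
        info.update({"pcp": tci >> 13,     # top 3 bits: 802.1p priority
                     "vlan": vid or None,  # VID 0 carries priority only
                     "ethertype": inner_type, "payload_offset": 18})
    return info


def add_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Trunk egress: insert a tag after the two MAC addresses."""
    if not 1 <= vlan_id <= MAX_VLAN_ID:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Access-port egress: drop the 4-byte tag if one is present."""
    if parse_ethernet(frame)["payload_offset"] == 14:
        return frame
    return frame[:12] + frame[16:]


# Constructed untagged frame: broadcast dst, sample src, ethertype 0x0806 (ARP), padding
UNTAGGED = bytes.fromhex("ffffffffffff" "0011223344aa" "0806") + b"\x00" * 28
TAGGED = add_tag(UNTAGGED, 51, pcp=5)     # the same frame as it would cross a trunk

if __name__ == "__main__":
    print(parse_ethernet(UNTAGGED))
    print(parse_ethernet(TAGGED))
```

A frame that arrives on an access port already carrying a tag is exactly the case the parser flags with a non-None vlan; that is what a switch normally discards or re-tags, and why access ports should not be left to negotiate trunking.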


Dynamic Trunking Protocol – DTP
• Enabled by default.
• Detects trunk or access port on plug-in of the device
• Great intentions but bad result

Dynamic Auto / Dynamic Desirable
Auto is passive; it doesn't send DTP broadcasts.
Desirable is aggressive; it is constantly looking for a trunk.
"switchport nonegotiate" disables dynamic trunking.

VTP - VLAN Trunking Protocol
• Worst name ever. It's not a trunking protocol.
• Created by Cisco to replicate VLANs between switches
• Runs over trunk links but it is NOT a trunking protocol
• Conforms to the network. It allows you to add a VLAN to a switch and it replicates to the other switches over the trunk port.
• In VTP version 2, it allows VTP advertisements to pass through it. It doesn't block them, but it doesn't get the update.
• VTP Domain (Name)
  ○ Has to match on all of the switches
• "show vtp status"
  ○ Shows the current status of VTP and what VTP version is running on the switch
    ▪ Modes of VTP
    ▪ Client - Does not have the ability to modify the database
    ▪ Server - Default, has the ability to change the database
    ▪ Transparent - Turns VTP off
  ○ Configuration revision - Current revision of the database
  ○ If the switch does not have a domain name, it is vulnerable
    ▪ Otherwise it will accept the first domain name that is given to it
• conf t > vtp mode *
• conf t > vtp version *
• conf t > vtp domain *

Switch troubleshooting
• show interface *interface0/1* switchport
• show interface status
• show int stat
• show log
• clear counters (erase stats on interfaces)

Routing
Routers need to have an IP address/subnet mask on both interfaces for it to build a routing table. The interfaces also need the no shutdown command to make sure that
sh ip route - Most useful command on a router. Shows the IP routing table.

Setting up IP addresses on a Cisco router
All interfaces are down by default; you have to manually bring the interface up with an IP address / subnet mask.

conf t > int g1/1 > ip address 10.0.0.2.0 255.255.255.0
conf t > int g2/1 > ip address 185.13.22.35 255.255.255.240

The above config would bridge the connection between the 10.0.2.x network and the 185.13.22.x network.

Default Route
conf t > ip route 0.0.0.0 0.0.0.0 185.13.25.35.33
This will create a route to the internet.

Static Routes
ip route 0.0.0.0 0.0.0.0 185.13.25.35.33 is an example of static routing. This will set a static route to the default gateway, or one router up, for when the router does not have the address in its routing table (sh ip route).

Layer 3 Switches
** Need to have a default gateway set up **
Set up VLANs
Enable "ip routing" in conf t mode
Set up interface "vlan 51"
ip address 10.0.1.51.1 255.255.255.0
no shutdown
This will create an SVI, a "Switch Virtual Interface". Check this by doing a sh ip route.

DHCP
For L3 switching to work with DHCP, you will need a DHCP relay on the router.
"show ip dhcp binding" lists the DHCP bindings.

Need to set up exclusions first, then the pool:
"ip dhcp excluded-address 10.0.0.x 10.0.0.x"
Then, set up the pool:
ip dhcp pool "poolname"
Then set the network:
network 10.0.0.0 255.255.255.0
DNS:
dns-server 8.8.8.8 8.8.4.4
Default Gateway:
default-router 10.0.0.1

To set up a DHCP relay
Go to the interface (int fa0/0.52 for example)
"ip helper-address <address of the DHCP server>"

Routing Protocols

RIPv2 (Routing Protocol)
90 seconds. Version 1 was a broadcast (one to all) protocol; version 2 is a multicast (one to a group) protocol.

Turn on RIP:
"router rip"; this activates the protocol.
Give it the version:
"version 2"
Then, give it a network. The network command tells RIP what networks to advertise. The network command also tells RIP what interfaces to send advertisements out of.
"network 10.0.0.0"
Remember that RIP is a classless protocol.

1) Make sure that the clock is set correctly on one computer
2) Make sure you can ping the correct interfaces
3) configure t
4) router rip
5) version 2
6) network "network to advertise"
7) Verify with a "do sh ip protocol"

Access-Lists
• ACL stops at the first match
• Implicit deny at the bottom of the ACL

ACL Types
Rule of thumb, if you're applying for security: try to apply the ACL as close to the destination as possible when using standard access lists.

Configuring ACLs
• How to configure an access list and apply a filter
  ○ conf t > ip access-list "kind" "name"
  ○ deny 10.1.1.1
  ○ permit 0.0.0.0 255.255.255.255
  ○ int fa0/0
  ○ ip access-group "name" in/out
  ○ Verify using sh run or sh ip int g0/0 or show access-lists
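Two rules above decide everything about an ACL: first match wins and the list ends in an implicit deny. The Python below is an added example (not from the notes) that evaluates a standard ACL using IOS wildcard-mask semantics; FILTER_ACL repeats the deny/permit pair from this section and NAT_ACL repeats the NAT_ADDRESSES entry used later in the NAT lab, while the test addresses are constructed.

```python
# Added example: how a standard ACL is evaluated (wildcard masks,
# first match wins, implicit deny). Not from the notes; the ACLs below
# repeat the entries the notes use and the test addresses are constructed.
from ipaddress import IPv4Address


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must match (the inverse of a subnet mask)."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_ace(line: str):
    """Turn 'permit 192.168.1.0 0.0.0.255', 'deny host 10.1.1.1', 'permit any'
    or 'deny 10.1.1.1' (bare address = host) into (action, network, wildcard)."""
    parts = line.split()
    action = parts[0].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    target = parts[1].lower()
    if target == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if target == "host":
        return action, parts[2], "0.0.0.0"
    wildcard = parts[2] if len(parts) > 2 else "0.0.0.0"
    return action, parts[1], wildcard


def evaluate(acl_lines, src: str):
    """Walk the list top-down; return (action, matching line). No match = implicit deny."""
    for line in acl_lines:
        action, net, wc = parse_ace(line)
        if wildcard_match(src, net, wc):
            return action, line
    return "deny", None


# The ACL from the notes: block one host, then permit everything else
FILTER_ACL = ["deny 10.1.1.1", "permit 0.0.0.0 255.255.255.255"]
# The NAT_ADDRESSES list from the notes: only this /24 gets translated
NAT_ACL = ["permit 192.168.1.0 0.0.0.255"]

if __name__ == "__main__":
    for src in ("10.1.1.1", "10.1.1.2", "192.168.1.77", "192.168.2.1"):
        print(src, evaluate(FILTER_ACL, src), evaluate(NAT_ACL, src))
```

Reversing FILTER_ACL makes the deny line unreachable, which is the classic ordering mistake the "first match" rule warns about; the evaluator reports that as a permit for 10.1.1.1.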

NAT
Static NAT
1:1 - One external IP address to one internal IP address
PAT (or Overload)
1:Many - One external to many internal IP addresses
Dynamic
Many to Many - Allows you to have a pool of externals available to many internal IP addresses

Configuring NAT
1) Assign IP addresses and connect devices, either DHCP or statically
   a. sh ip int brief to see the current interfaces on the router
   b. Set the DHCP pool up using
      i. conf t > ip dhcp excluded-address *excluded*
      ii. conf t > ip dhcp pool *name*
         1) network
         2) dns-server
         3) default-router
      iii. Verify a successful bind with show ip dhcp binding
2) Configure a default route to the internet - the ISP router is 200.1.1.32. Test connectivity to the internet from the router using ping.
   a. conf t > ip route 0.0.0.0 0.0.0.0 200.1.1.32
   b. Verify with a show ip route
3) Test connectivity from the computers to the internet. Are they working? Why or why not?
   a. No, it's not currently translating IPs.
4) Configure NAT overload to use the F0/1 interface IP address. Verify NAT is functioning using relevant show commands.
   a. Create an ACL to identify the addresses to be translated
      i. ip access-list standard NAT_ADDRESSES
         1) permit 192.168.1.0 0.0.0.255
      ii. Assign the inside/outside
         1) int fa0/0
            a) ip nat inside
         2) int fa0/1
            a) ip nat outside
         3) conf t > ip nat inside source list NAT_ADDRESSES interface fa0/1 overload
   b. Verify NAT
      i. show ip nat translations
5) Configure a NAT pool
   a. conf t > ip nat pool *NAME* *ip starting* *ip ending* prefix-length *#*
   b. Turn off any existing NAT
      i. sh run | i nat
   c. ip nat inside source list *NAT_ADDRESSES* pool *NAME* overload

Device Management
Logging via Syslog
By default, logging to the console is turned on.
You can reorganize the alert logging levels.
Syslog needs to be fine-tuned in order to receive "good" data.

How to turn on syslogging to a host:
conf t > logging host <ip address>
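"Fine-tuning" syslog mostly means picking a severity threshold and knowing which messages matter. The Python below is an added example (not from the notes) that parses the IOS %FACILITY-SEVERITY-MNEMONIC message format, applies a threshold the way a trap level would, and pulls out the port-security events a SOC would alert on. The log lines are constructed samples in that format; the timestamps and addresses in them are made up.

```python
# Added example: parse Cisco IOS-style syslog lines and apply a severity
# threshold the way a trap level does. Not from the notes; the log lines
# are constructed samples in the IOS %FACILITY-SEVERITY-MNEMONIC format.
import re

# IOS severity levels 0..7 and their keyword names
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

IOS_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)

# Constructed sample feed (timestamps, interfaces and addresses are made up)
SAMPLE_LOG = [
    "*May 29 22:10:01.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "*May 29 22:11:42.004: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4402 on port FastEthernet0/1.",
    "*May 29 22:11:42.010: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state",
    "*May 29 22:11:43.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "*May 29 22:11:44.000: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "this line is not an IOS message and is skipped",
]


def parse_ios_syslog(line: str):
    """Return a dict with timestamp, facility, severity, mnemonic, text; None if no match."""
    m = IOS_MSG.search(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    msg["severity_name"] = SEVERITY_NAMES[msg["severity"]]
    msg["timestamp"] = line[:m.start()].strip().lstrip("*").rstrip(":").strip()
    return msg


def trap_filter(lines, level):
    """Keep messages at 'level' or more severe (lower number), like a trap level would."""
    if isinstance(level, str):
        level = SEVERITY_NAMES.index(level)
    return [msg for msg in map(parse_ios_syslog, lines)
            if msg is not None and msg["severity"] <= level]


def port_security_events(lines):
    """The two message types a SOC would alert on after a port-security violation."""
    wanted = {("PORT_SECURITY", "PSECURE_VIOLATION"), ("PM", "ERR_DISABLE")}
    return [msg for msg in map(parse_ios_syslog, lines)
            if msg is not None and (msg["facility"], msg["mnemonic"]) in wanted]


if __name__ == "__main__":
    for msg in trap_filter(SAMPLE_LOG, "warnings"):
        print(msg["timestamp"], msg["severity_name"], msg["facility"], msg["mnemonic"])
```

Note what a threshold of "warnings" keeps and drops in the sample: the violation and the err-disable survive, but the CONFIG_I notification (someone changed the configuration) does not, which is the usual argument for sending at least notifications to the collector and filtering there instead of on the device.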

Backing up / Restoring
Copy using TFTP32
Copy command from enable:
copy flash: *location*
copy startup-config *location*
copy running-config *location*
Just do the reverse for restoring:
copy *location* flash:
copy *location* startup-config
copy *location* running-config

NTP Time
clock set hh:mm:ss
This will, however, lose the time on reboot / time drift.
NTP can be done three ways:
• Poll an NTP server
• Listen to NTP multicasts
• Listen to NTP broadcasts

1) Reconfigure your router so it has an internet connection
2) Determine the IP address of pool.ntp.org
   a. ping pool.ntp.org
3) Configure your device to obtain the time in your LTZ using NTP and pool.ntp.org
   a. Set up the timezone
      i. conf t > clock timezone *zone* *offset*
   b. Set up NTP
      i. conf t > ntp server *server from the pool.ntp.org ping*

Password Recovery
ROMMON is what you need to be in to reset the confreg to 2142. Once in the OS, enable and copy the startup config to the running config, change the password, and change the register back to 2102.

Subnetting

IPv4 Subnetting
3 Classes
A: 1-127
B: 128-191
C: 192-223

The first IP identifies the network and the last IP will be the broadcast.

We use subnetting to custom tailor a network so as not to waste IP addresses.

Binary Conversion
128 64 32 16 8 4 2 1
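The host counts in the class table and the network/broadcast rule above are quick to check in code. The Python below is an added example (not from the notes) that does the 128 64 32 16 8 4 2 1 conversion by hand and computes network, broadcast, usable host range and wildcard mask with the standard library; it covers any prefix length, not only the three classful masks, and treats /31 and /32 as having no usable host pair. The sample addresses are the ones from the notes plus a constructed /28 for the non-classful case.

```python
# Added example: subnet arithmetic for the class table and the
# 128 64 32 16 8 4 2 1 binary conversion. Not from the notes.
from ipaddress import IPv4Network

BIT_WEIGHTS = (128, 64, 32, 16, 8, 4, 2, 1)


def to_binary(octet: int) -> str:
    """Decimal octet -> 8-bit string by subtracting the weights left to right."""
    if not 0 <= octet <= 255:
        raise ValueError("octet must be 0..255")
    bits = []
    for weight in BIT_WEIGHTS:
        if octet >= weight:
            bits.append("1")
            octet -= weight
        else:
            bits.append("0")
    return "".join(bits)


def from_binary(bits: str) -> int:
    """8-bit string -> decimal octet, the reverse direction."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("need exactly eight 0/1 characters")
    return sum(w for w, b in zip(BIT_WEIGHTS, bits) if b == "1")


def address_class(addr: str) -> str:
    """Class by first octet: A 1-126, B 128-191, C 192-223 (127 is loopback)."""
    first = int(addr.split(".")[0])
    if 1 <= first <= 126:
        return "A"
    if first == 127:
        return "loopback"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D (multicast)"
    return "E (reserved)"


def subnet_info(addr_with_mask: str) -> dict:
    """Network, broadcast, usable host range and wildcard for 'a.b.c.d/mask' or '/prefix'."""
    net = IPv4Network(addr_with_mask, strict=False)   # strict=False accepts a host address
    usable = net.num_addresses - 2 if net.prefixlen <= 30 else 0   # /31 and /32: no host pair
    return {
        "network": str(net.network_address),      # first address identifies the network
        "broadcast": str(net.broadcast_address),  # last address is the broadcast
        "mask": str(net.netmask),
        "wildcard": str(net.hostmask),            # the inverse mask that ACLs use
        "prefix": net.prefixlen,
        "usable_hosts": usable,
        "first_host": str(net.network_address + 1) if usable else None,
        "last_host": str(net.broadcast_address - 1) if usable else None,
        "class": address_class(str(net.network_address)),
    }


if __name__ == "__main__":
    print(to_binary(192), from_binary("11000000"))
    for a in ("10.0.0.0/255.0.0.0", "172.16.0.0/255.255.0.0", "192.168.1.0/24",
              "185.13.22.35/255.255.255.240"):
        print(a, subnet_info(a))
```

The wildcard field is the same value the ACL section writes after a network (0.0.0.255 for a /24), so the one function answers both the subnetting question and the "what wildcard do I type" question.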


Interface Configuration and Static Routes
1) Assign IP addresses and connect devices
   a. sh ip int brief
   b. Turn on IPv6 routing - conf t > ipv6 unicast-routing
   c. int s1/0
      i. ipv6 address 2001:210:10:1::1/64
      ii. no shutdown
2) Test by pinging between the two devices
3) Configure a static route allowing the two LAN connections to reach each other
4) Test a ping sourced from the LAN
