ccna icnd2
DESCRIPTION
TRANSCRIPT
CCNA ICND2
VTP
VTP With two Server
VTP Pruning
VTP FeaturesFunction Server Client Transparent
Only sends VTP messages out ISL or 802.1Q trunks
Yes Yes Yes
Supports CLI configuration of VLANs
Yes No Yes
Can use normal-range VLANs (1–1005)
Yes Yes Yes
Can use extended-range VLANs (1006–4095)
No No Yes
Synchronizes (updates) its own config database when receiving VTP messages with a higher revision number
Yes Yes No
Creates and sends periodic VTP updates every 5 minutes
Yes Yes No
Does not process received VTP updates, but does forward received VTP updates out other trunks
No No Yes
Places the VLAN ID, VLAN name, and VTP configuration into the running-config file
No No Yes
Places the VLAN ID, VLAN name, and VTP configuration into the vlan.dat file in flash
Yes Yes Yes
One Switch Three VLAN
Two Switch Three VLAN
VLAN Trunking Configuration
■ The type of trunking: IEEE 802.1Q, ISL, or negotiate which one to use
■ The administrative mode: Whether to trunk, not trunk, or negotiate
Trunking Administrative Mode
Command Option Description
access Prevents the use of trunking, making the port always act as an access (nontrunk) port
trunk Always uses trunking
dynamic desirable
Initiates negotiation messages and responds to negotiation messages to dynamically choose whether to start using trunking, and defines the trunking encapsulation
dynamic auto
Passively waits to receive trunk negotiation messages, at which point the switch will respond and negotiate whether to use trunking, and if so, the type of trunking
Expected Trunking Mode
Administrative Mode Access Dynamic Auto Trunk Dynamic Desirableaccess Access Access Access Accessdynamic auto Access Access Trunk Trunktrunk Access Trunk Trunk Trunkdynamic desirable Access Trunk Trunk Trunk
Voice VLAN
Spanning Tree Protocol(IEEE 802.1D)Problem Description
Broadcast storms
The forwarding of a frame repeatedly on the same links, consuming significant parts of the links’ capacities
MAC table instability
The continual updating of a switch’s MAC address table with incorrect entries, in reaction to looping frames, resulting in frames being sent to the wrong locations
Multiple frame transmission
A side effect of looping frames in which multiple copies of one frame are delivered to the intended host, confusing the host
STP Block
STP Forwarding State Criteria
■ STP elects a root switch. STP puts all working interfaces on the root switch inForwarding State.
■ Each nonroot switch considers one of its ports to have the least administrative costbetween itself and the root switch. STP places this least-root-cost interface, called thatswitch’s root port (RP), in Forwarding State.
■ Many switches can attach to the same Ethernet segment. The switch with the lowestadministrative cost from itself to the root bridge, as compared with the other switchesattached to the same segment, is placed in Forwarding State. The lowest-cost switch oneach segment is called the designated bridge, and that bridge’s interface, attached tothat segment, is called the designated port (DP).
STP Forwarding or BlockingCharacterization of Port STP State Description
All the root switch’s ports Forwarding The root switch is always
the designated switch on
all connected segments.Each nonroot switch’s root port Forwarding The port through which
the switch has the least
cost to reach the root
switch.Each LAN’s designated port Forwarding The switch forwarding
the lowest-cost BPDU
onto the segment is the
designated switch for
that segment.All other working ports Blocking The port is not used for
forwarding frames, norare any frames receivedon these interfacesconsidered forforwarding
STP Hello BPDU
Field Description
Root bridge ID The bridge ID of the bridge/switch that the sender of this Hello currently believes to be the root switch
Sender’s bridge ID The bridge ID of the bridge/switch sending this Hello BPDU
Cost to reach root The STP cost between this switch and the current root
Timer values on the root switch
Includes the Hello timer, MaxAge timer, and Forward Delay timer
STP Tie Breaking Decision
1. Lowest root bridge ID2. Lowest root path cost to root bridge3. Lowest sender bridge ID4. Lowest sender port ID
Electing Root Bridge
SW1 Wins Election
Switch Root Port
Spanning Tree States
State Forwards Data Frames?Learns MACs BasedonReceived Frames?
Transitory or Stable State?
Blocking No No StableListening No No TransitoryLearning No Yes TransitoryForwarding Yes Yes StableDisabled No No Stable
Default Port Cost (IEEE)
Ethernet Speed Original IEEE Cost Revised IEEE Cost10 Mbps 100 100100 Mbps 10 191 Gbps 1 410 Gbps 1 2
Steady State Condition
1. The root creates and sends a Hello BPDU, with a cost of 0, out all its workinginterfaces (those in a Forwarding State).2. The nonroot switches receive the Hello on their root ports. After changing the Hello tolist their own bridge ID as the sender’s BID, and listing that switch’s root cost, theswitch forwards the Hello out all designated ports.3. Steps 1 and 2 repeat until something changes.
STP TimersTimer Description Default Value
Hello The time period between Hellos created by the root.
2 sec.
Max AgeHow long any switch should wait, after ceasing to hear Hellos, before trying to change the STP topology.
10 times Hello
Forward Delay
Delay that affects the process that occurs when an interface changes from Blocking State to Forwarding State. A port stays in an interim Listening State, and then an interim Learning State, for the number of seconds defined by the forward delay timer.
15 sec.
Reacting To Link Failure
Etherchannel
Rapid STP(IEEE 802.1w)
RSTP (802.1w) works just like STP (802.1d) in several ways: ■ It elects the root switch using the same parameters and
tiebreakers. ■ It elects the root port on nonroot switches with the
same rules. ■ It elects designated ports on each LAN segment with
the same rules. ■ It places each port in either Forwarding or Blocking
State, although RSTP calls the Blocking State the Discarding State.
RSTP Link and Edge Type
RSTP and STP Port State
Operational State STP State (802.1d) RSTP State (802.1w) Forwards Data Frames in This State?
Enabled Blocking Discarding NoEnabled Listening Discarding NoEnabled Learning Learning NoEnabled Forwarding Forwarding YesDisabled Disabled Discarding No
RSTP Port Roles
RSTP and STP Port RolesRSTP Role STP Role Definition
Root port Root portA single port on each nonroot switch in which the switch hears the best BPDU out of all the received BPDUs
Designated port Designated port
Of all switch ports on all switches attached to the same segment/collision domain, the port that advertises the “best” BPDU
Alternate port — A port on a switch that receives a suboptimal BPDU
Backup port —
A nondesignated port on a switch that is attached to the same segment/collision domain as another port on the same switch
Disabled —A port that is administratively disabled or is not capable of working for other reasons
RSTP Convergence
Multiple Instances of STP
Three Options MST
Option Supports STP
Supports RSTP
ConfigurationEffort
Only One Instance Required for Each Redundant
PVST+ Yes No small NoPVRST No Yes small NoMIST No Yes medium Yes
Bridge Priority and System ID
Priority(0 – 65535)
System ID(MAC Address)
PriorityMultipleOf 4096
System ID(MAC Address)
System ID Extension(Typically Holds VLAN ID)
STP Configuration
Setting Default Command(s) to Change Default
Bridge ID
Priority: 32,768 + VLAN IDSystem: A burned-in MAC on theswitch
spanning-tree vlan vlan-id root{primary | secondary}spanning-tree vlan vlan-id prioritypriority
Interface cost
100 for 10 Mbps, 19 for 100 Mbps, 4 for 1 Gbps, 2 for 10 Gbps spanning-tree vlan vlan-id cost cost
PortFast Not enabled spanning-tree portfastBPDU Guard Not enabled spanning-tree bpduguard enable
STP Analysis
IP Forwarding
LAN Switching
MAC Broadcast
Unicast Traffic
IP Address Design
IP Standard and Extended ACL
Cisco Access List
■ Packets can be filtered as they enter an interface, before the routing decision.
■ Packets can be filtered before they exit an interface, after the routing decision.
■ Deny is the term used in Cisco IOS software to imply that the packet will be filtered.
■ Permit is the term used in Cisco IOS software to imply that the packet will not be filtered.
■ The filtering logic is configured in the access list. ■ At the end of every access list is an implied “deny all traffic”
statement. Therefore, if a packet does not match any of your access list statements, it is blocked.
VPN• Confidentiality (Privacy): Preventing anyone in the middle of the Internet (man in the middle) from being able to read the data
• Authentication : Verifying that the sender of the VPN packet is a legitimate device and not a device used by an attacker
• Data integrity: Verifying that the packet was not changed as the packet transited the Internet
• Anti-replay: Preventing a man in the middle from copying and later replying the packets sent by a legitimate user for the purpose of appearing to be a legitimate user
VPN Tunnel Concept for Site to site VPN
Intranet, Extranet and Access VPN
Basic IPSec Encryption Process
Steps for IPSec Encryption Process
1. The sending VPN device (like the remote office router) feeds the original packet and the session key into the encryption formula, calculating the encrypted data.2. The sending device encapsulates the encrypted data into a packet , which includes the new IP header and VPN header.3. The sending device sends this new packet to the destination VPN device 4. The receiving VPN device runs the corresponding decryption formula, using the encrypted data and session key —the same value as was used on the sending VPN device—to decrypt the data.
Comparing VPN Encryption Algorithm
Encryption AlgorithmKey Length(Bits) Comments
Data Encryption Standard(DES) 56
Older and less secure than the other list here
Triple DES(3DES) 56 * 3
Applies three different 56-bit DES key in succession, improving encryption strength compare with DES
Advanced Encryption Standard(AES) 128 and 256
Considered the current best practice, with strong encryption and less computation compared with 3DES
SSL VPN Options
Routing IP over Serial
Replacing Serial with Tunnel
Tunnel Routers Learning
Encapsulating IP Packet in GRE Packet
Routing Protocol Function
1. Learn routing information about IP subnets from other neighboring routers.2. Advertise routing information about IP subnets to other neighboring routers.3. If more than one possible route exists to reach one subnet, pick the best route based on a metric.4. If the network topology changes—for example, a link fails—react by advertising that some routes have failed, and pick a new currently best route. (This process is called convergence.)
IP IGP MetricIGP Metric Description
RIP-1, RIP-2 Hop count
The number of routers (hops) between a router and the destination subnet.
OSPF Cost
The sum of all interface cost settings for all links in a route, with the cost defaulting to be based on interface bandwidth.
EIGRP Composite ofbandwidth and delay
Calculated based on the route’s slowest link and the cumulative delay associated with each interface in the route.
Distance Vector Protocol
Link State Routing Protocol
■ Router LSA: Includes a number to identify the router (router ID), the router’s interface IP addresses and masks, the state (up or down) of each interface, and the cost (metric) associated with the interface.
■ Link LSA: Identifies each link (subnet) and the routers that are attached to that link.It also identifies the link’s state (up or down).
Dijkstra Algorithm
OSPF Neighbor
Specifically, the following must match before a pair of routers become neighbors:
■ Subnet mask used on the subnet ■ Subnet number (as derived using the subnet mask and
each router's interface IP address) ■ Hello interval ■ Dead interval ■ OSPF area ID ■ Must pass authentication checks (if used) ■ Value of the stub area flag
OSPF Early Neighbor States
OSPF Database Exchange
Step 1 Based on the OSPF interface type, the routers may or may not collectively elect aDesignated Router (DR) and Backup Designated Router (BDR).Step 2 For each pair of routers that need to become fully adjacent, mutuallyexchange the contents of their respective LSDBs.Step 3 When completed, the neighbors monitor for changes and periodicallyreflood LSAs while in the Full (fully adjacent) neighbor state.
Choosing DR
OSPF DR Prerequisites ■ The router sending the Hello with the highest OSPF priority setting
becomes the DR. ■ If two or more routers tie with the highest priority setting, the router
sending the Hello with the highest RID wins. ■ It's not always the case, but typically the router with the second-
highest priority becomes the BDR. ■ A priority setting of 0 means that the router does not participate in
the election and can never become the DR or BDR. ■ The range of priority values that allow a router to be a candidate are
1 through 255. ■ If a new, better candidate comes along after the DR and BDR have
been elected, the new candidate does not preempt the existing DR and BDR.
Two Area OSPF
OSPF Area Design Advantages
■ The smaller per-area LSDB requires less memory. ■ The router requires fewer CPU cycles to process the smaller
per-area LSDB ■ The SPF algorithm has to be run on internal routers only
when an LSA inside the area changes, so routers have to run SPF less often.
■ Less information must be advertised between areas, reducing the bandwidth required to send LSAs.
■ Manual summarization can only be configured on ABRs and ASBRs, so areas allow for smaller IP routing tables by allowing for the configuration of manual route summarization.
OSPF Single Area
OSPF Single Area Configuration
interface ethernet 0/0 ip address 10.1.1.1 255.255.255.0interface serial0/0 ip address 10.1.4.1 255.255.255.0interface serial0/1 ip address 10.1.6.1 255.255.255.0!router ospf 1 network 10.0.0.0 0.255.255.255 area 0
OSPF Multi Area
OSPF Multi Area Configuration
router ospf 1 network 10.1.1.1 0.0.0.0 area 0 network 10.1.4.1 0.0.0.0 area 1 network 10.1.6.1 0.0.0.0 area 0
EIGRP Updates
EIGRP Metric Formula
107 Metric =
Least-bandwidth+
Cumulative –delay * 256
EIGRP Metric
Feasible and Reported Distance
EIGRP Feasible Successor
A router determines if a route is a feasible successor based on the feasibility condition:
If a nonsuccessor route’s RD is less than the FD, the route is a feasible successor route.
EIGRP Successor and Feasible Successor
EIGRP Compare to OSPF
Feature EIGRP OSPFConverges quickly Yes YesBuilt-in loop prevention Yes YesSends partial routing updates, advertising only new or changed information
Yes Yes
Classless; therefore, supports manual summarization and VLSM
Yes Yes
Allows manual summarization at any router Yes NoSends routing information using IP multicast on LANs Yes Yes
EIGRP Neighbor Requirement
RequirementBest Command(s) toIsolate the Problem
Must be in the same subnet show interfacesMust pass any neighbor authentication debug eigrp packets
Must use the same ASN on the router configuration command
show ip eigrp interfaces,show protocols
K-values must match show protocols
Frame Relay Components
Frame Relay LMI Types
Name Document IOS LMI-Type ParameterCisco Proprietary ciscoAnsi T1.617 Annex D ansiITU Q.933 Annex A q933a
Frame Relay PVC
LAPF Framing
LAPF Header
Information LAPFTrailer
DLCI (Usually 10 bits)
FCS
LAPF Header
Cisco LAPFTrailer
LAPF Header
RFC1490
LAPFTrailer
Packet
Packet
Includes Protocol Type Field
Frame Relay Forwarding
Typical Frame Relay Network
Typical Partial Mesh Frame Relay Network
Inverse ARP Process
Hybrid Full Partial Mesh
Frame Relay Global Addressing
DLCI Swapping
The Frame Sent by Router
With DLCI Field
Is Delivered to Router
With DLCI Field
A 41 B 40A 42 C 40B 40 A 41C 40 A 42
SNMP
Simple Network Management Protocol is an application layer protocol that provides a message format for communication between what are termed managers and agents.
MIBISO (1)
ORG (3)
DOD (6)
INTERNET (1)
PRIVATE (4)
ENTERPRISES (1)
CISCO (9)
LOCAL VARIABLES (2)
INTERFACE GROUP (2)
CISCO MGMT (9)
CISCO FLASH GROUP (10)
SNMP Get
SNMP Trap
SNMPv3
• Message integrity: This helps ensure that a packet has not been tampered with in transit.• Authentication : This helps ensure that the packet came from a known and trusted source.• Encryption : This helps to ensure that information cannot be read if the data is captured in transit .
System Message Logging ( Syslog)
Popular destinations for syslog messages include the following :• The logging buffer (RAM in side the router or switch )• The console line• The terminal lines• A syslog server
Syslog Network
System Message Format
*Dec 18 17:10:15.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to downNotice that by default on this particular device we see the following :• A timestamp : * Dec 18 17:10:15.079• The facility on the router that generated the message : %LINEPROTO• The severity level : 5• A mnemonic for the message : UPDOWN• The description of the message : Line protocol on Interface Fast Ethernet0/0, changed state to down
Netflow
Netflow Key Purposes
• General network traffic accounting for baseline analysis• Usage-based network billing for consumers of network services• Network design , including redesigns to include new network devices and applications to meet the needs of growing infrastructures• General network security design• Denial of service (DoS) and distributed DoS (DDoS) detection and prevention data• Ongoing network monitoring
Types of Router Memory
RAM
(Working Memory and Running Configuration
Flash
(Cisco IOS Software)
ROM
(Bootstrap programAnd ROMMON)
NVRAM
(StartupConfiguration)
Copying IOS Image for Upgrade Process
Loading bootstrap, IOS, and Initial Configuration
ROM
Flash
Network
NVRAM
Network
Console
Bootstrap
CiscoIOS
RunningConfigFile
RAM
Step 2
Step 3
Step 4
Choices for choosing OS at boot time
BootstrapAndRommon
1st IOS files2nd IOS files..Last IOS files
Boot system(1)Boot system(2)..Last boot system command
ROMRAM
Flash
BOOT = 0
BOOT = 1
BOOT = 2..FNVRAM(Startup-config)
IP Network TFTP
Locations for Copying and Results from Copy Operations
TFTP RAM NVRAM
copy tftp running-configcopy running-configstartup-config
copy running-config tftpcopy startup-configrunning-config
copy tftp startup-config
copy startup-config tftp
Logic and Decision for Entering Setup Mode after Reload
User PowersOn Routers
Is NVRAM Empty
Do you want to enter Setup
mode ?
Users answer question in Setup mode
router copies startup-configto running-config
Complete IOS Initialization
Router moves configuration intoStartup-config and Running-config
Yes
Yes
No
No
Old IOS Image Packing
IP Base IP Base IP BaseIP Base IP BaseIP Base IP Base
Security Data Voice Security Security Security
Data
Data Voice Voice