CCNP ENCOR Study Note


Netflow

Traditional
Flexible

Implementation steps:

• Configure flow record
• Configure flow exporter
• Configure flow monitor
• Apply to an interface

Configure flow monitor:

• Specify flow record
o The cache timeout tells the device to export the cache to the collector every 60 seconds
• Specify flow exporter

Apply to an interface:

• Ingress or egress or both
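The four steps above as one complete Flexible NetFlow configuration. This is an added example, not a configuration from the original note; the collector address 192.0.2.50, the interface names and the record/exporter/monitor names are constructed.

```cisco
! Step 1: flow record -- the key fields that identify a flow (match) and the counters kept per flow (collect)
flow record REC-IPV4
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match interface input
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! Step 2: flow exporter -- where the records are sent (collector address is constructed)
flow exporter EXP-COLLECTOR
 destination 192.0.2.50
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
!
! Step 3: flow monitor -- ties record and exporter together and owns the cache;
! "cache timeout active 60" is the 60-second export interval from the note
flow monitor MON-IPV4
 record REC-IPV4
 exporter EXP-COLLECTOR
 cache timeout active 60
 cache timeout inactive 15
!
! Step 4: apply the monitor to an interface, ingress (input), egress (output) or both
interface GigabitEthernet0/1
 ip flow monitor MON-IPV4 input
 ip flow monitor MON-IPV4 output
```

Verify with `show flow monitor MON-IPV4 cache` (local view of the flows) and `show flow exporter EXP-COLLECTOR statistics` (records actually sent to the collector).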

Confidential
COPP (control plane policing)

• Police traffic to & from the router itself
• COPP processes:
o Classifying
o Queue Mapping
o Scheduling
o Queue Shaping
• Configure COPP:
o Enable qos
o Define ACLs
o Define packet classification (class-map command)
o Define service policy map
o Apply QoS policy

RESTCONF
Methods:

• GET
• PUT: create/replace
• POST: create
• PATCH: merge
• HEAD
• DELETE

• OPTIONS

IPSEC
Modes & protocols

• Transport mode
o AH
o ESP
o Routing is based on the original IP header
• Tunnel mode
o AH
o ESP
o New IP header will be added

Operation:

• IKEv1
o IKE phase 1
▪ Negotiate crypto settings (authentication method, encryption method, …)
▪ Perform secret key exchange (via DH algorithm)
▪ [encrypted] prove each other’s identity
▪ Note:
• 2 modes for IKE phase 1:
o Main mode (6 messages)
o Quick mode (3 messages)
• ISAKMP SA is bidirectional
o IKE phase 2
▪ Negotiate IPSec SA (transform set)
▪ Create an IPSec tunnel
▪ Note:
• IPSEC SA is unidirectional, so there will be two unidirectional IPSEC SAs
• IKE phase 2 uses “quick mode” (3 messages)
• IKEv2
o Only 4 messages to bring up the bidirectional IKE SA and the unidirectional IPSEC SAs

Configuration (is this configuration for IKEv1 ??)

• Configure isakmp parameters
• Configure transform set parameters
• Define interesting traffic with acl
• Create and apply crypto map to an interface
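The four steps above as a site-to-site crypto map configuration. This is an added example, not from the original note. The `crypto isakmp` commands are the IKEv1 configuration (IKEv2 uses the separate `crypto ikev2 ...` command tree). Peer and LAN addresses are constructed and `<PRE-SHARED-KEY>` is a placeholder.

```cisco
! Step 1: IKEv1 phase 1 -- ISAKMP policy (what the note calls "negotiate crypto settings")
! and the pre-shared key used to prove the peer's identity
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
!
! Step 2: IKEv1 phase 2 parameters -- the transform set; tunnel mode adds the new outer IP header
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Step 3: interesting traffic -- only packets this ACL permits are encrypted
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 4: the crypto map binds peer, transform set and ACL, and is applied to the outside interface
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
```

The peer mirrors this configuration with the addresses swapped (its ACL permits 10.2.2.0/24 to 10.1.1.0/24). `show crypto isakmp sa` shows the single bidirectional phase 1 SA; `show crypto ipsec sa` shows the pair of unidirectional phase 2 SAs (inbound and outbound) described in the note.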

GRE over IPSEC

Crypto map configuration:

• Configure isakmp parameters
• Configure transform set parameters

• Define interesting traffic with acl
• Create a crypto map
• Apply the crypto map onto an interface

Ipsec profile configuration:

• Configure isakmp parameters
• Configure transform set parameters
• Create an ipsec profile
• Apply the ipsec profile to the tunnel interface

VTI over IPSEC

Configuration:

• Configure isakmp parameters
• Configure transform set parameters
• Enable VTI under the GRE tunnel interface
o # tunnel mode ipsec ipv4
• Create an ipsec profile
• Apply the ipsec profile to the tunnel interface
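One configuration that covers both profile-based procedures above: the GRE over IPsec profile steps and the VTI steps. It is an added example, not from the original note; the two peers (203.0.113.2 for GRE, 203.0.113.6 for VTI), tunnel addresses and interface names are constructed and the `<PSK-...>` values are placeholders.

```cisco
! Shared IKEv1 parameters (same as for a crypto map)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-GRE-PEER> address 203.0.113.2
crypto isakmp key <PSK-VTI-PEER> address 203.0.113.6
!
! Transform sets: GRE over IPsec can use transport mode (the GRE packet already carries
! the outer IP addresses); a VTI requires tunnel mode
crypto ipsec transform-set TS-TRANSPORT esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec transform-set TS-TUNNEL esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! IPsec profiles replace the crypto map: no interesting-traffic ACL, everything routed
! into the tunnel interface is protected
crypto ipsec profile PROF-GRE
 set transform-set TS-TRANSPORT
 set pfs group14
crypto ipsec profile PROF-VTI
 set transform-set TS-TUNNEL
 set pfs group14
!
! GRE over IPsec: the default tunnel mode is GRE/IP, IPsec is added with "tunnel protection"
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile PROF-GRE
!
! VTI: the tunnel itself is IPsec (no GRE header); "tunnel mode ipsec ipv4" switches the mode
interface Tunnel1
 ip address 172.16.0.5 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF-VTI
```

`show crypto session` lists both peers with their tunnel interfaces; `show interface Tunnel0` / `Tunnel1` shows whether the tunnel is up and the encapsulation in use.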

NAT

HSRP

Administrative distance

ERSPAN

• Both ip addresses are configured under “dst”
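An ERSPAN source session showing the point above, as an added example (not from the original note, IOS-XE syntax). The session id, ERSPAN id, addresses and interface are constructed.

```cisco
! ERSPAN source session: mirrored frames are GRE-encapsulated and routed to the destination.
! Both IP addresses live under the "destination" block:
!   ip address        = the ERSPAN destination device
!   origin ip address = this device (source of the GRE packets)
monitor session 1 type erspan-source
 source interface GigabitEthernet0/0/1 rx
 destination
  erspan-id 100
  ip address 192.0.2.20
  origin ip address 192.0.2.1
 no shutdown
```

The destination device configures a `monitor session ... type erspan-destination` with the same `erspan-id` and the same `ip address` (its own). `show monitor session 1` confirms the session is up and which direction (rx/tx/both) is mirrored.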

HTTP response status code

Virtualization

Server virtualization
2 types of hypervisor:

• Type 1
• Type 2
VM migration:


Virtual switching (vSwitch)

• Software-based layer 2 switch
• Enable VMs to communicate
• vSwitches can’t share the same pNIC (this makes sense, as a pNIC has only one interface)
• Traffic can’t flow directly between vSwitches. Therefore, for VM1 to reach the external network, the path is:
o VM1 --- vSwitch 2 --- NGFWv --- vSwitch 1 --- pNIC1 (or pNIC2) --- Switch 1
• Some vSwitches:
o OVS: Open vSwitch (designed to be used within “server virtualization” env)
o VMware virtual switch
o Cisco Nexus 1000V
• OVS:


Containers

• Isolated environment for applications
• Contain applications & their dependencies
• Container engines are used to create, run, and manage containers. For ex:
o Docker (most popular)
o …
• About Docker engine:
o By default it creates a vSwitch called docker0 with the default subnet 172.17.0.0/16
▪ Every container is assigned a veth (virtual ethernet interface) on docker0
▪ eth0 of each container is assigned an IP address in the subnet 172.17.0.0/16

NFV

• NFV architectural framework
o VIM:
▪ Managing & controlling hardware resources
o VNF manager:
▪ Managing life cycle of VNFs
o NFV orchestrator:
▪ creating, maintaining, and tearing down VNF network services
• Data traffic pattern:
o North-south: traffic direction is from pNIC --- VNF --- back to pNIC
o East-west: traffic direction is from pNIC --- VNF --- another VNF … - back to pNIC
• Performance & optimization:
o Standard OVS was never designed with NFV in mind, so it doesn’t meet NFV requirements
o OVS-DPDK
o PCI passthrough
o SR-IOV

ACL

• Standard ACL: 0-99, 1300-1900
• Extended ACL: 100-199, 2000-2699
• Direction:
o Inbound: before the router makes its forwarding decision
o Outbound: after the router makes its forwarding decision
• Cisco allows only 1 inbound & 1 outbound ACL per interface
• Types of ACL:
o RACL: layer 3
o PACL: layer 2
o VACL: filter VLAN
o dACL (downloadable ACL): another form of PACL
• RACL:
o Standard number acl
▪ # access-list 2 permit 10.0.0.0 0.0.0.255
▪ # ip access-group 2 in
o Standard named acl
▪ # ip access-list standard NAMEACL
▪ # 5 permit 10.0.0.0 0.0.0.255
▪ # 10 deny host 192.168.1.1
▪ # ip access-group NAMEACL in
o Extended number acl
▪ # access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.1 eq 80
▪ # ip access-group 100 in
o Extended name acl
▪ # ip access-list extended MYACL
▪ # permit
• PACL
o Used to filter incoming traffic to layer 2 ports (no outgoing)
o Can’t filter layer 2 control packets (CDP, VTP, …)

o Different usages:
▪ Filter layer 3 traffic: syntax is the same as RACL
▪ Filter layer 2 MAC address
• VACL:
• Processing order for PACL, VACL, RACL on the same VLAN
o Bridged traffic processing order (within the same VLAN)
▪ Inbound PACL on the switchport (for example, VLAN 10)
▪ Inbound VACL on the VLAN (for example, VLAN 10)
▪ Outbound VACL on the VLAN (for example, VLAN 10)
o Routed traffic processing order (across VLANs):
▪ Inbound PACL on the switchport (for example, VLAN 10)
▪ Inbound VACL on the VLAN (for example, VLAN 10)
▪ Inbound ACL on the SVI (for example, SVI 10)
▪ Outbound ACL on the SVI (for example, SVI 20)
▪ Outbound VACL on the VLAN (for example, VLAN 20)
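A PACL (both usages: layer 3 and layer 2 MAC filtering) and a VACL on the same VLAN 10, as an added example that is not part of the original note. The 10.10.10.0/24 subnet, the MAC address, the port and the ACL names are constructed.

```cisco
! PACL, usage 1: filter layer 3 traffic on a layer 2 port -- same syntax as a RACL
ip access-list extended PACL-IP
 permit tcp 10.10.10.0 0.0.0.255 any eq 443
 permit udp 10.10.10.0 0.0.0.255 host 10.10.10.53 eq domain
!
! PACL, usage 2: filter by MAC address. Caveat: on some Catalyst platforms a MAC ACL
! matches only non-IP frames, so check the platform guide before relying on it for IP hosts.
mac access-list extended PACL-MAC
 deny   host 0000.1111.2222 any
 permit any any
!
! PACLs are applied inbound only on the switchport
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 ip access-group PACL-IP in
 mac access-group PACL-MAC in
!
! VACL: a vlan access-map evaluated for bridged traffic inside the VLAN and for routed
! traffic entering or leaving it. Here telnet within VLAN 10 is dropped, the rest forwarded.
! In a VACL the ACL "permit" selects the traffic, the access-map "action" decides its fate.
ip access-list extended VLAN10-TELNET
 permit tcp any any eq telnet
vlan access-map VACL-10 10
 match ip address VLAN10-TELNET
 action drop
vlan access-map VACL-10 20
 action forward
vlan filter VACL-10 vlan-list 10
```

For a frame bridged within VLAN 10 the order from the note applies: inbound PACL on Gi1/0/10 first, then the VACL on VLAN 10 (inbound), then the VACL again on the way out. `show vlan access-map` and `show vlan filter` confirm the VACL binding.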

Subnetting
Bits borrowed:

• 1: 128
• 2: 192
• 3: 224
• 4: 240
• 5: 248
• 6: 252
• 7: 254

Secure Administrative Access

Password type

• 0: clear text
• 4: sha-256
• 5: md5 (hash)
• 6: encryption
• 7: encryption
• 8: hash-based
• 9: scrypt - hash-based

Secure terminal lines (glo2,756)

Options to secure them (console, vty, …)

• Password configured on the line
• Username-based authentication
o 3 ways to configure:
▪ # username {user} privilege {level} password {pass}
▪ # username {user} privilege {level} secret {pass}
▪ # username {user} privilege {level} algorithm-type {md5…} secret {password}

o Privilege levels:
▪ 3 privilege levels by default on Cisco IOS (glo2,761):
• Privilege level 0
• Privilege level 1
• Privilege level 15
▪ Additional configurable privilege levels: from 2 to 14

• AAA server
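The three options above (username-based authentication with a strong password type, a custom privilege level, and an AAA server with local fallback) combined into one configuration, as an added example that is not from the original note. Usernames, the 10.10.10.0/24 management subnet, the TACACS+ server address and all `<...>` values are constructed placeholders.

```cisco
! Username-based authentication. Types 0 and 7 are reversible and should not be used:
!   username admin privilege 15 password 7 <string>      <- avoid
! Type 9 (scrypt) is the strongest of the listed password types:
username netadmin privilege 15 algorithm-type scrypt secret <STRONG-PASSWORD>
enable algorithm-type scrypt secret <ENABLE-SECRET>
!
! A configurable privilege level (2-14): level 5 gets the level 1 commands plus one exec command
privilege exec level 5 show running-config
username helpdesk privilege 5 algorithm-type scrypt secret <HELPDESK-PASSWORD>
!
! AAA server: TACACS+ first, the local username database as fallback if the server is unreachable
aaa new-model
tacacs server TACACS-1
 address ipv4 192.0.2.10
 key <TACACS-KEY>
aaa group server tacacs+ TACACS-GRP
 server name TACACS-1
aaa authentication login default group TACACS-GRP local
aaa authorization exec default group TACACS-GRP local
!
! Terminal lines: no line passwords, SSH only, idle timeouts, management subnet only.
! (Without aaa new-model, "login local" on the line gives username-based authentication.)
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
line console 0
 login authentication default
 exec-timeout 5 0
line vty 0 4
 login authentication default
 transport input ssh
 exec-timeout 10 0
 access-class MGMT-HOSTS in
```

`show running-config | include username` shows the stored hash type as the number after `secret` (9 for scrypt). `show privilege` after logging in as helpdesk confirms level 5, and `test aaa group TACACS-GRP <user> <password> legacy` checks the TACACS+ path before the console session is closed.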
