Cours Reseau (Network Course)


Chapter 1: Network Fundamentals

1.1 Network Components


1.2 Next-generation Firewalls and IPS
1.3 Network Topology Architectures
1.3.1 The Cisco Three-Layer Hierarchical Model (3-tier)
1.3.2 Collapsed Core (2-tier)
1.3.3 Spine-Leaf
1.3.4 WAN
1.3.5 Defining WAN Terms
1.3.6 WAN Connection Bandwidth
1.4 Physical Interface and Cables
1.5 Ethernet Cabling
1.5.1 Straight-Through Cable
1.5.2 Crossover Cable
1.5.3 Fiber Optic
1.5.4 Power over Ethernet (802.3af, 802.3at)
Chapter 2: TCP/IP

2.1 Introducing TCP/IP

2.2 TCP/IP and DoD Model

2.2.1 The Process/Application Layer Protocols

2.2.2 The Host-to-Host or Transport Layer Protocols

2.2.3 The Internet Layer Protocols

2.3 Addressing

2.3.1 IP Terminology

2.3.2 The Hierarchical IP Addressing Scheme

2.3.3 Private IP Addresses (RFC 1918)

2.4 IPv4 Address Types

2.4.1 Layer 2 Broadcasts

2.4.2 Layer 3 Broadcasts

2.4.3 Unicast Address

2.4.4 Multicast Address

Chapter 3: Easy Subnetting

I. Subnetting Basic
a) How to create subnets

b) Subnet Mask

c) Classless Inter-Domain Routing (CIDR)

d) IP Subnet-Zero

e) Subnetting Class C Addresses

f) Subnetting Class B Addresses

Chapter 4: Troubleshooting IP Addressing

Chapter 5: IP Routing

Introduction

Routing protocol (RIP, RIPv2, EIGRP, and OSPF): routers use routing protocols to dynamically discover all networks within the greater internetwork and to give every router a consistent view of how to reach them. Routing protocols are also used to determine the best path a packet should take through an internetwork to reach its destination most efficiently.

Routed protocol (IP and IPv6): once all routers know about all networks, a routed protocol can be used to send user data (packets) through the established internetwork. Routed protocols are assigned to an interface and determine the method of packet delivery.

I. Routing Basics

The term routing refers to taking a packet from one device and sending it through the internetwork to another device on a different network.

Here's an important list of the minimum factors a router must know to be able to route packets effectively:

● Destination address
● Neighbor routers from which it can learn about remote networks
● Possible routes to all remote networks
● The best route to each remote network
● How to maintain and verify routing information

II. The IP Routing Process

a) The Cisco Router Internal Process

b) Testing Your IP Routing Understanding

III. Configuring IP Routing

Configuring DHCP on Our Corp Router

Corp#config t

Corp(config)#ip dhcp excluded-address 192.168.10.1

Corp(config)#ip dhcp excluded-address 192.168.20.1

Corp(config)#ip dhcp pool SF_LAN

Corp(dhcp-config)#network 192.168.10.0 255.255.255.0

Corp(dhcp-config)#default-router 192.168.10.1

Corp(dhcp-config)#dns-server 4.4.4.4

Corp(dhcp-config)#exit
Corp(config)#end
Corp#copy run start

Now I'm pretty sure I configured DHCP correctly. The hosts are remote across a router, so what else is needed for them to get an address from the DHCP server? DHCP discovery is a broadcast, and routers do not forward broadcasts, so the SF and LA f0/0 interfaces have to be configured to relay the DHCP client requests to the server as unicast:

LA#config t

LA(config)#int f0/0

LA(config-if)#ip helper-address 172.16.10.5

We do the same thing on SF's f0/0 interface. Note that ip helper-address relays more than DHCP: by default it also forwards several other UDP broadcast services (TFTP, DNS, Time, TACACS, NetBIOS name and datagram services). If only DHCP relay is wanted, restrict the forwarded ports with ip forward-protocol so the router does not become a relay for broadcasts you never intended to cross the segment.

IV. Configuring IP Routing in Our Network

a) Static Routing

Static routing is the process that ensues when you manually add routes to each router's routing table.

Starting at the beginning, here's the command syntax you use to add a static route to a routing table from global config:

ip route [destination_network] [mask] [next-hop_address or exit_interface] [administrative_distance] [permanent]

By default, static routes have an administrative distance of 1, or 0 if you use an exit interface instead of a next-hop address. You can change the default value by adding an administrative distance at the end of the command (a high value turns the entry into a floating static route that is only used when the dynamically learned route disappears).

permanent: by default, if the interface is shut down or the router can't communicate with the next-hop router, the route is automatically removed from the routing table. Adding the permanent keyword keeps the entry in the routing table regardless of the interface state.


b) Default Routing

The SF and LA routers that I've connected to the Corp router are considered stub routers. A stub indicates that the networks in this design have only one way out to reach all other networks, which means that instead of creating multiple static routes, we can just use a single default route. This default route is used by IP to forward any packet with a destination not found in the routing table, which is why it is also called a gateway of last resort.

LA#config t

LA(config)#ip route 0.0.0.0 0.0.0.0 172.16.10.5

c) Dynamic Routing

Dynamic routing is when protocols are used to find networks and update routing tables on routers. The routing protocol I'm going to talk about in this chapter is Routing Information Protocol (RIP) versions 1 and 2.

Two types of routing protocols are used in internetworks: interior gateway protocols (IGPs) and exterior gateway protocols (EGPs). IGPs are used to exchange routing information with routers in the same autonomous system (AS). An AS is either a single network or a collection of networks under a common administrative domain, which basically means that all routers sharing the same routing-table information are in the same AS. EGPs are used to communicate between ASs. An example of an EGP is Border Gateway Protocol (BGP).

Administrative Distances

An administrative distance is an integer from 0 to 255, where 0 is the most trusted and 255 means no traffic will be passed via this route (a route with AD 255 is never installed). If the router receives two updates listing the same remote network, the first thing the router checks is the AD.

If one of the advertised routes has a lower AD than the other, then the route with the lowest AD will be chosen and placed in the routing table.

If both advertised routes to the same network have the same AD, then routing protocol metrics like hop count and/or the bandwidth of the lines will be used to find the best path to the remote network. The advertised route with the lowest metric will be placed in the routing table, but if both advertised routes have the same AD as well as the same metric, then the routing protocol will load-balance to the remote network, meaning the protocol will send data down each link.
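The selection order just described (AD first, then metric, then equal-cost load balancing, with AD 255 never installed) is easy to get wrong when reading a routing table under pressure, so here is an added example that is not part of the course notes: a small Python model of the decision. The static-route AD values are the ones the notes give; the RIP, OSPF and EIGRP values are the standard IOS defaults. The prefixes, next hops and the floating static route in the sample are constructed.

```python
"""Route selection by administrative distance, then metric (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Cisco IOS default administrative distances. The two static values are the ones
# the notes give; the protocol values are the standard IOS defaults.
DEFAULT_AD = {
    "connected": 0,
    "static_interface": 0,  # static route pointing at an exit interface
    "static_nexthop": 1,    # static route pointing at a next-hop address
    "eigrp": 90,
    "ospf": 110,
    "rip": 120,
}
UNREACHABLE_AD = 255  # a route with AD 255 is never installed


@dataclass(frozen=True)
class Candidate:
    prefix: str       # destination network, e.g. "10.1.1.0/24"
    source: str       # key into DEFAULT_AD
    metric: int       # protocol metric: hop count for RIP, cost for OSPF, ...
    next_hop: str     # next-hop address or exit interface
    ad: Optional[int] = None  # explicit AD override, e.g. a floating static route

    @property
    def effective_ad(self) -> int:
        return DEFAULT_AD[self.source] if self.ad is None else self.ad


def select_routes(candidates: list[Candidate]) -> list[Candidate]:
    """Return the route(s) installed for ONE prefix.

    1. Lowest administrative distance wins; AD 255 is never installed.
    2. Ties on AD are broken by the lowest metric.
    3. Ties on AD and metric are all installed (equal-cost load balancing).
    """
    if len({c.prefix for c in candidates}) != 1:
        raise ValueError("select_routes compares candidates for a single prefix")
    usable = [c for c in candidates if c.effective_ad < UNREACHABLE_AD]
    if not usable:
        return []
    best_ad = min(c.effective_ad for c in usable)
    same_ad = [c for c in usable if c.effective_ad == best_ad]
    best_metric = min(c.metric for c in same_ad)
    return [c for c in same_ad if c.metric == best_metric]


def build_routing_table(candidates: list[Candidate]) -> dict[str, list[Candidate]]:
    """Apply select_routes() per prefix, the way the router fills its table."""
    table: dict[str, list[Candidate]] = {}
    for prefix in sorted({c.prefix for c in candidates}):
        chosen = select_routes([c for c in candidates if c.prefix == prefix])
        if chosen:
            table[prefix] = chosen
    return table


if __name__ == "__main__":
    # Constructed sample: one prefix learned four ways, plus a backup static.
    learned = [
        Candidate("10.1.1.0/24", "rip", metric=2, next_hop="172.16.10.5"),
        Candidate("10.1.1.0/24", "ospf", metric=20, next_hop="172.16.10.6"),
        Candidate("10.1.1.0/24", "ospf", metric=20, next_hop="172.16.10.7"),
        Candidate("10.1.1.0/24", "static_nexthop", metric=0,
                  next_hop="172.16.10.9", ad=200),  # floating static: only used if OSPF and RIP vanish
    ]
    for prefix, routes in build_routing_table(learned).items():
        print(prefix, [(r.source, r.next_hop) for r in routes])
```

In the sample the two OSPF routes (AD 110) beat RIP (AD 120) and the floating static (AD 200) even though RIP reports the smaller raw metric, and because the two OSPF routes tie on metric both are installed and load-balanced. Raise the floating static's AD to 255 and it is never installed at all.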

Routing Protocols

There are three classes of routing protocols:

Distance vector: distance-vector protocols find the best path to a remote network by judging distance. In RIP routing, each instance where a packet goes through a router is called a hop, and the route with the least number of hops to the network is chosen as the best one. The vector indicates the direction to the remote network. RIP is a distance-vector routing protocol and periodically sends out the entire routing table to directly connected neighbors.

Link state: in link-state protocols, also called shortest-path-first (SPF) protocols, the routers each create three separate tables. One of these tables keeps track of directly attached neighbors, one holds the topology of the entire internetwork, and one is used as the routing table. Link-state routers know more about the internetwork than any distance-vector routing protocol ever could. OSPF is an IP routing protocol that's completely link-state.

Advanced distance vector: uses aspects of both distance-vector and link-state protocols, and EIGRP is a great example.

V. Routing Information Protocol (RIP)

RIP sends the complete routing table out of all active interfaces every 30 seconds. Its metric is hop count, with a maximum of 15 by default, so a destination at 16 hops is considered unreachable. RIP works okay in very small networks, but it's very inefficient on large networks with WAN links or on networks with a large number of routers installed, and because hop count ignores link speed it chooses badly on networks whose links have different bandwidths.

RIP version 1 uses only classful routing, which means that all devices in the network must use the same subnet mask. This is because RIP version 1 doesn't send subnet mask information in its updates. RIP version 2 provides something called prefix routing and does send subnet mask information with its route updates. This is called classless routing.
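To see what the hop-count limit means in practice, here is an added example that is mine and not part of the course notes: a simulation of RIP-style distance-vector exchange on a constructed chain of routers. It models only the Bellman-Ford update (neighbour's hop count plus one, capped at 16) and the rule that 16 means unreachable; RIP's timers, split horizon and route poisoning are deliberately left out. Router names R0..R17 and network names net0..net17 are invented.

```python
"""RIP-style distance-vector convergence with the 15-hop limit (added example)."""
from __future__ import annotations

from typing import Dict, Optional, Set, Tuple

INFINITY = 16  # in RIP a hop count of 16 means "unreachable"

Table = Dict[str, Tuple[int, Optional[str]]]  # network -> (hops, next-hop router)


def rip_converge(links: Dict[str, Set[str]], networks: Dict[str, Set[str]]) -> Dict[str, Table]:
    """Exchange full tables between neighbours until nothing changes.

    links:    router -> directly connected neighbour routers
    networks: router -> directly connected networks (hop count 0)
    """
    tables: Dict[str, Table] = {r: {n: (0, None) for n in networks[r]} for r in links}
    changed, rounds = True, 0
    while changed and rounds < 64:          # 64 is a safety net; a chain of 18 converges in 18
        changed, rounds = False, rounds + 1
        for sender, neighbours in links.items():
            advert = dict(tables[sender])    # RIP sends the ENTIRE table, not just changes
            for receiver in neighbours:
                for net, (hops, _) in advert.items():
                    new_hops = min(hops + 1, INFINITY)   # Bellman-Ford step, capped at 16
                    current = tables[receiver].get(net)
                    if current is None or new_hops < current[0]:
                        tables[receiver][net] = (new_hops, sender)
                        changed = True
    return tables


def reachable(tables: Dict[str, Table], router: str, network: str) -> bool:
    """A route is usable only while its hop count is below 16."""
    entry = tables[router].get(network)
    return entry is not None and entry[0] < INFINITY


def build_chain(n: int) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Constructed topology: R0 - R1 - ... - R(n-1), each router with one LAN 'netK'."""
    links: Dict[str, Set[str]] = {f"R{i}": set() for i in range(n)}
    for i in range(n - 1):
        links[f"R{i}"].add(f"R{i + 1}")
        links[f"R{i + 1}"].add(f"R{i}")
    networks = {f"R{i}": {f"net{i}"} for i in range(n)}
    return links, networks


if __name__ == "__main__":
    links, networks = build_chain(18)        # 17 router hops end to end: too long for RIP
    tables = rip_converge(links, networks)
    for net in ("net1", "net15", "net16", "net17"):
        hops, via = tables["R0"][net]
        state = "reachable" if reachable(tables, "R0", net) else "UNREACHABLE"
        print(f"R0 -> {net}: {hops} hops via {via} ({state})")
```

On the 18-router chain R0 learns net15 at 15 hops and can use it, while net16 and net17 both arrive as 16 and are unusable even though a physical path exists. The same code also shows why RIP is slow to converge: information moves one router per update round, so the far end of the chain takes 17 rounds (8.5 minutes at the 30-second timer) to appear at R0.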


a) Configuring RIP Routing

b) Holding Down RIP Propagations

You probably don't want your RIP updates advertised out every interface on your LAN and WAN.

Corp#config t

Corp(config)#router rip

Corp(config-router)#passive-interface FastEthernet 0/1

This command will prevent RIP updates from being sent out of FastEthernet interface 0/1, but the interface can still receive RIP updates. That matters for security: a passive interface still accepts routes from whatever speaks RIP on that segment, so on an untrusted segment you also need to control what is accepted, for example with a distribute-list or with RIPv2 update authentication.

c) Advertising a Default Route Using RIP

Now I'm going to guide you through how to advertise a way out of your autonomous system to other routers, and you'll see this is done the same way with OSPF.

Corp(config)#ip route 0.0.0.0 0.0.0.0 fa0/0

Corp(config)#router rip

Corp(config-router)#default-information originate
Chapter 6: Open Shortest Path First (OSPF)

Chapter 7: Layer 2 Switching

Chapter 8: VLANs and Inter-VLAN Routing

Chapter 9: Enhanced Switched Technologies

Chapter 10: Access Lists

I. Perimeter, Firewall, and Internal Routers

You see this a lot in medium to large enterprise networks: the security strategy is based on some mix of internal and perimeter routers plus firewall devices. Internal routers provide additional security by screening traffic to various parts of the protected corporate network; they do this with access lists. In the figure you can see where each of these devices would be found.

I'll use the terms trusted network and untrusted network throughout this chapter, so it's important that you can see where they're found in a typical secured network. The demilitarized zone (DMZ) can use global (real) Internet addresses or private addresses, depending on how you configure your firewall. This is typically where you'll find the HTTP, DNS, email, and other Internet-facing corporate servers. As you know, instead of using routers, we can create VLANs with switches on the inside, trusted network. Multilayer switches containing their own security features can sometimes replace internal (LAN) routers to provide higher performance in VLAN architectures.

II. Introduction to Access Lists

An access list is essentially a list of conditions that categorize packets, and they really come in handy when you need to exercise control over network traffic. An ACL would be your tool of choice for decision making in these situations.

There are three important rules that a packet follows when it's being compared with an access list:

➢ The packet is always compared with each line of the access list in sequential order: it always starts with the first line of the access list, moves on to line 2, then line 3, and so on.

➢ The packet is compared with lines of the access list only until a match is made. Once it matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.

➢ There is an implicit "deny" at the end of each access list. This means that if a packet doesn't match the condition on any of the lines in the access list, the packet will be discarded.

There are two main types of access lists:

➢ Standard access lists: these ACLs use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard access lists basically permit or deny an entire suite of protocols. They don't distinguish between any of the many types of IP traffic such as web, telnet, UDP, and so on.

➢ Extended access lists: can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the protocol field in the network layer header, and the port number in the transport layer header.

➢ Named access lists: standard or extended lists that are referred to by a name rather than a number. They are not a third kind of filter; the name documents the list's purpose, and named lists can be edited one line at a time.

To use an ACL as a packet filter, you need to apply it to an interface on the router where you want the traffic filtered, and you've got to specify which direction of traffic you want the ACL applied to. Because the direction is part of the assignment, you can use different access lists for inbound and outbound traffic on a single interface:

√ Inbound access lists: when an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packets that are denied won't be routed because they're discarded before the routing process is invoked.

√ Outbound access lists: when an access list is applied to outbound packets on an interface, packets are routed to the outbound interface and then processed through the access list before being queued.

There are some general access list guidelines that you should keep in mind when creating and implementing access lists on a router:

√ You can assign only one access list per interface per protocol per direction. This means that when applying IP access lists, you can have only one inbound access list and one outbound access list per interface.

√ Organize your access lists so that the more specific tests are at the top.

√ Anytime a new entry is added to a numbered access list, it will be placed at the bottom of the list, which is why I highly recommend using a text editor for access lists.

√ You can't remove one line from a numbered access list with the no access-list command; doing so removes the entire list. This is why it's best to copy the access list to a text editor before trying to edit it. (Named access lists, and numbered lists edited in named ACL configuration mode, carry sequence numbers, so there individual lines can be inserted or deleted.)

√ Unless your access list ends with a permit any statement, all packets will be discarded if they do not meet any of the list's tests. This means every list should have at least one permit statement or it will deny all traffic.

√ Create the access list permit and deny statements first and then apply them to an interface. An access list applied to an interface without any test statements already created will not filter traffic.

√ Access lists are designed to filter traffic going through the router. They will not filter traffic that has originated from the router.

III. Mitigating security issues with ACLs

The most common attack is a denial of service (DoS) attack. Although ACLs can help with a DoS, you really need an intrusion detection system (IDS) and intrusion prevention system (IPS) to help prevent these common attacks.

Here's a list of the many security threats you can mitigate with ACLs:

● IP address spoofing, inbound
● IP address spoofing, outbound
● Denial of service (DoS) TCP SYN attacks, blocking external attacks
● DoS TCP SYN attacks, using TCP Intercept
● DoS smurf attacks
● Denying/filtering ICMP messages, inbound
● Denying/filtering ICMP messages, outbound
● Denying/filtering traceroute

It's generally a bad idea to allow any external IP packets that contain the source address of any internal hosts or networks into a private network. Just don't permit it.

Here's a list of rules to live by when configuring ACLs from the Internet to your production network to mitigate security problems:

● Deny any source address from your internal networks
● Deny any local host addresses (127.0.0.0/8)
● Deny reserved private addresses (RFC 1918)
● Deny any addresses in the IP multicast address range (224.0.0.0/4)

Standard Access Lists

You create a standard IP access list by using the access-list numbers 1-99 or numbers in the expanded range 1300-1999, because the type of ACL is generally differentiated numerically.

Corp(config)#access-list ?

Corp(config)#access-list 10 ?

Corp(config)#access-list 10 deny ?

Corp(config)#access-list 10 deny host ?

Corp(config)#access-list 10 deny host 172.16.30.2

This tells the list to deny any packets from host 172.16.30.2. If you leave out the wildcard mask, IOS assumes 0.0.0.0, so access-list 10 deny 172.16.30.2 means the same thing as the host form. Remember the implicit deny: as written, list 10 contains only a deny statement, so applying it to an interface would drop every packet, not just those from 172.16.30.2. A permit statement (such as permit any) must follow for the list to be useful.
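The three matching rules from section II, the anti-spoofing rules for Internet-facing interfaces in section III, and the deny-only list 10 just shown can all be exercised with the following added example. It is not from the course notes or from Cisco; it is a small Python model of a standard IP access list that parses IOS-style statements, converts wildcard masks to prefixes, walks the list top to bottom and applies the implicit deny. The internal range 172.16.0.0/16 used in the ingress anti-spoofing list is an assumption, and every source address tested is constructed.

```python
"""Standard IP ACL evaluation: first match wins, implicit deny (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    network: IPv4Network   # source address + wildcard, converted to a prefix


def wildcard_to_prefixlen(wildcard: str) -> int:
    """IOS wildcard -> prefix length: 0.0.0.255 -> 24, 0.0.0.0 -> 32, 255.255.255.255 -> 0.
    Only contiguous wildcards are accepted; odd ones (e.g. 0.255.0.255) are rejected."""
    mask_bits = format(int(IPv4Address(wildcard)) ^ 0xFFFFFFFF, "032b")
    if "01" in mask_bits:
        raise ValueError(f"non-contiguous wildcard not supported: {wildcard}")
    return mask_bits.count("1")


def parse_standard_acl(lines: list[str]) -> list[Ace]:
    """Parse 'access-list N permit|deny (any | host A | A [wildcard])' statements in order."""
    aces: list[Ace] = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL statement: {line!r}")
        action, rest = tok[2], tok[3:]
        if rest[0] == "any":
            net = IPv4Network("0.0.0.0/0")
        elif rest[0] == "host":
            net = IPv4Network(f"{rest[1]}/32")
        else:
            # An omitted wildcard means 0.0.0.0, i.e. the same as 'host'.
            wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
            net = IPv4Network(f"{rest[0]}/{wildcard_to_prefixlen(wildcard)}", strict=False)
        aces.append(Ace(action, net))
    return aces


def evaluate(acl: list[Ace], src: str) -> tuple[str, Optional[int]]:
    """Rules 1-3: top-down, stop at the first match, implicit deny if nothing matched.
    Returns (action, index of the matching line) or ("deny", None) for the implicit deny."""
    addr = IPv4Address(src)
    for i, ace in enumerate(acl):
        if addr in ace.network:
            return ace.action, i
    return "deny", None


# Constructed ingress list for the Internet-facing interface (applied inbound).
# 172.16.0.0/16 as "our internal network" is an assumption for the example.
INGRESS_ANTI_SPOOF = [
    "access-list 20 deny 172.16.0.0 0.0.255.255",    # our own internal source range
    "access-list 20 deny 127.0.0.0 0.255.255.255",   # loopback
    "access-list 20 deny 10.0.0.0 0.255.255.255",    # RFC 1918
    "access-list 20 deny 192.168.0.0 0.0.255.255",   # RFC 1918
    "access-list 20 deny 172.16.0.0 0.15.255.255",   # RFC 1918 (rest of 172.16/12)
    "access-list 20 deny 224.0.0.0 15.255.255.255",  # multicast 224.0.0.0/4
    "access-list 20 permit any",                     # everything else is legitimate
]

# The deny-only list from the text: with no permit, the implicit deny drops everything else.
DENY_ONLY_LIST_10 = ["access-list 10 deny host 172.16.30.2"]


if __name__ == "__main__":
    acl20 = parse_standard_acl(INGRESS_ANTI_SPOOF)
    for src in ("8.8.8.8", "172.16.30.2", "192.168.10.5", "127.0.0.1", "233.1.1.1"):
        print(f"list 20 src={src:<14} -> {evaluate(acl20, src)}")
    acl10 = parse_standard_acl(DENY_ONLY_LIST_10)
    print("list 10 src=172.16.30.2 ->", evaluate(acl10, "172.16.30.2"))
    print("list 10 src=172.16.30.3 ->", evaluate(acl10, "172.16.30.3"))  # implicit deny
```

Two things worth noticing when you run it: a spoofed packet claiming 172.16.30.2 is stopped by line 0 even though line 4 would also match it (first match wins, and the order documents intent), and list 10 drops 172.16.30.3 as well as 172.16.30.2, because nothing in it ever permits anything. On a real router, wildcards such as 0.255.0.255 are legal and match non-contiguous bit patterns; the model rejects them rather than silently misinterpreting them.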

Chapter 11: Network Address Translation (NAT)

Chapter 12: IP Services


Chapter 13: Security

Chapter 14: First Hop Redundancy Protocol (HSRP)

Chapter 15: Virtual Private Networks (VPN)

Chapter 16: Quality of Service (QoS)

Chapter 17: Internet Protocol Version 6 (IPv6)

Chapter 18: Troubleshooting IP, IPv6, and VLANs

Chapter 19: Wireless Technologies

Chapter 20: Configuring Wireless Technologies

Chapter 21: Virtualization, Automation, and Programmability

Chapter 22: SDN Controllers

Chapter 23: Configuring Management
