Advanced Computer Networks

Uploaded by Gilbert Aggrey

Module 1: Single-Area OSPFv2

Concepts
Enterprise Networking, Security, and Automation v7.0
(ENSA)
Module Objectives
Module Title: Single-Area OSPF Concepts

Module Objective: Explain how single-area OSPF operates in both point-to-point and broadcast
multiaccess networks.

Topic Title / Topic Objective
• OSPF Features and Characteristics: Describe basic OSPF features and characteristics.
• OSPF Packets: Describe the OSPF packet types used in single-area OSPF.
• OSPF Operation: Explain how single-area OSPF operates.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
1.1 OSPF Features and
Characteristics

OSPF Features and Characteristics
Introduction to OSPF
• OSPF is a link-state routing protocol that was developed as an alternative to the distance vector Routing Information Protocol (RIP). OSPF has significant advantages over RIP in that it offers faster convergence and scales to much larger network implementations.
• OSPF uses the concept of areas. A network administrator can divide the routing domain into distinct areas that help control routing update traffic.
• A link is an interface on a router, a network segment that connects two routers, or a stub network such as an Ethernet LAN that is connected to a single router.
• Information about the state of a link is known as a link-state. All link-state information includes the network prefix, prefix length, and cost.
• This module covers basic, single-area OSPF implementations and configurations.

OSPF Features and Characteristics
Components of OSPF
• All routing protocols share similar components. They all use routing protocol messages
to exchange route information. The messages help build data structures, which are
then processed using a routing algorithm.
• Routers running OSPF exchange messages to convey routing information using five
types of packets:
• Hello packet
• Database description packet
• Link-state request packet
• Link-state update packet
• Link-state acknowledgment packet
• These packets are used to discover neighboring routers and also to exchange routing
information to maintain accurate information about the network.

OSPF Features and Characteristics
Components of OSPF (Cont.)
OSPF messages are used to create and maintain three OSPF databases, as follows:

Adjacency Database (Neighbor Table)
• List of all neighbor routers with which a router has established bidirectional communication.
• This table is unique for each router.
• Can be viewed using the show ip ospf neighbor command.

Link-State Database (LSDB) (Topology Table)
• Lists information about all other routers in the network.
• The database represents the network topology.
• All routers within an area have an identical LSDB.
• Can be viewed using the show ip ospf database command.

Forwarding Database (Routing Table)
• List of routes generated when the SPF algorithm is run on the link-state database.
• Each router's routing table is unique and contains information on how and where to send packets to other routers.
• Can be viewed using the show ip route command.

OSPF Features and Characteristics
Components of OSPF (Cont.)
• The router builds the topology table (LSDB) from the LSAs it receives, then runs the Dijkstra shortest-path first (SPF) algorithm on that database. The SPF algorithm is based on the cumulative cost to reach a destination.
• The SPF algorithm creates an SPF tree by placing the router itself at the root of the tree and calculating the shortest path to each node. The SPF tree is then used to select the best routes. OSPF places the best routes into the forwarding database, which is used to build the routing table.

OSPF Features and Characteristics
Link-State Operation
To maintain routing information, OSPF routers complete a generic link-state routing
process to reach a state of convergence. The following are the link-state routing steps
that are completed by a router:
1. Establish Neighbor Adjacencies
2. Exchange Link-State Advertisements
3. Build the Link State Database
4. Execute the SPF Algorithm
5. Choose the Best Route
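The five steps above end with SPF being run on the LSDB. The following Python is an added example, not code from the course or from Cisco: it holds a small constructed LSDB (four routers with made-up router IDs, link costs and stub prefixes), runs Dijkstra from one router and turns the resulting tree into a routing table. It also applies OSPF's bidirectional check, so a link that only one end still advertises is ignored, which is how a stale or forged one-way LSA fails to attract traffic.

```python
import heapq
from typing import Dict, List, Optional, Tuple

# Constructed link-state database (example data, not from the course): each
# key is a router ID and the value is that router's "router LSA", i.e. its
# list of (neighbor_router_id, cost) links. Costs are the advertising
# router's outgoing interface costs.
LSDB: Dict[str, List[Tuple[str, int]]] = {
    "1.1.1.1": [("2.2.2.2", 1), ("3.3.3.3", 10)],
    "2.2.2.2": [("1.1.1.1", 1), ("3.3.3.3", 1), ("4.4.4.4", 5)],
    "3.3.3.3": [("1.1.1.1", 10), ("2.2.2.2", 1), ("4.4.4.4", 1)],
    "4.4.4.4": [("2.2.2.2", 5), ("3.3.3.3", 1)],
}
# Stub networks (LAN prefixes) each router advertises, with the interface cost.
STUB_NETWORKS: Dict[str, List[Tuple[str, int]]] = {
    "1.1.1.1": [("10.10.1.0/24", 1)],
    "2.2.2.2": [("10.10.2.0/24", 1)],
    "3.3.3.3": [("10.10.3.0/24", 1)],
    "4.4.4.4": [("10.10.4.0/24", 1)],
}


def spf(lsdb: Dict[str, List[Tuple[str, int]]], root: str) -> Dict[str, Tuple[int, Optional[str]]]:
    """Dijkstra's shortest-path-first algorithm with `root` at the top of the tree.

    Returns {router_id: (cumulative_cost, next_hop_router_id)}; the root maps
    to (0, None). A link is only used if BOTH ends advertise it (OSPF's
    bidirectional check), so a one-way LSA cannot pull traffic onto a link
    that is really down.
    """
    dist: Dict[str, int] = {root: 0}
    tree: Dict[str, Tuple[int, Optional[str]]] = {}
    heap: List[Tuple[int, str, Optional[str]]] = [(0, root, None)]
    while heap:
        cost, node, next_hop = heapq.heappop(heap)
        if node in tree:            # already settled via a cheaper path
            continue
        tree[node] = (cost, next_hop)
        for nbr, link_cost in lsdb.get(node, []):
            if not any(back == node for back, _ in lsdb.get(nbr, [])):
                continue            # neighbor does not advertise the link back
            new_cost = cost + link_cost
            if nbr not in dist or new_cost < dist[nbr]:
                dist[nbr] = new_cost
                # The next hop is the first router after the root on this path.
                heapq.heappush(heap, (new_cost, nbr, nbr if node == root else next_hop))
    return tree


def routing_table(lsdb, stubs, root) -> Dict[str, Tuple[int, Optional[str]]]:
    """Turn the SPF tree into {prefix: (cost, next_hop)}; a next_hop of None
    means the prefix is directly connected to the root."""
    table: Dict[str, Tuple[int, Optional[str]]] = {}
    for router, (cost, next_hop) in spf(lsdb, root).items():
        for prefix, stub_cost in stubs.get(router, []):
            total = cost + stub_cost
            if prefix not in table or total < table[prefix][0]:
                table[prefix] = (total, next_hop)
    return table


if __name__ == "__main__":
    for prefix, (cost, nh) in sorted(routing_table(LSDB, STUB_NETWORKS, "1.1.1.1").items()):
        print(f"O {prefix:<16} cost {cost:<3} via {nh or 'connected'}")
```

Deleting the 2.2.2.2 to 3.3.3.3 link from both LSAs and recomputing shows the localized recalculation the module describes: traffic for 3.3.3.3 moves to the cost-7 path through 4.4.4.4, still cheaper than the direct cost-10 link.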

OSPF Features and Characteristics
Single-Area and Multiarea OSPF
To make OSPF more efficient and scalable, OSPF supports hierarchical routing using
areas. An OSPF area is a group of routers that share the same link-state information in
their LSDBs. OSPF can be implemented in one of two ways, as follows:
• Single-Area OSPF - All routers are in one area. Best practice is to use area 0.
• Multiarea OSPF - OSPF is implemented using multiple areas, in a hierarchical
fashion. All areas must connect to the backbone area (area 0). Routers
interconnecting the areas are referred to as Area Border Routers (ABRs).
The focus of this module is on single-area OSPFv2.

OSPF Features and Characteristics
Multiarea OSPF
• The hierarchical-topology design options with multiarea OSPF can offer the following advantages.
• Smaller routing tables - Tables are smaller because there are fewer routing table entries. This is because network addresses can be summarized between areas. Route summarization is not enabled by default.
• Reduced link-state update overhead - Designing multiarea OSPF with smaller areas minimizes processing and memory requirements.
• Reduced frequency of SPF calculations - Multiarea OSPF localizes the impact of a topology change within an area. For instance, it minimizes routing update impact because LSA flooding stops at the area boundary.

OSPF Features and Characteristics
OSPFv3
• OSPFv3 is the OSPFv2 equivalent for exchanging IPv6 prefixes. OSPFv3 exchanges
routing information to populate the IPv6 routing table with remote prefixes.
• Note: With the OSPFv3 Address Families feature, OSPFv3 includes support for both
IPv4 and IPv6. OSPF Address Families is beyond the scope of this curriculum.
• OSPFv3 has the same functionality as OSPFv2, but uses IPv6 as the network layer
transport, communicating with OSPFv3 peers and advertising IPv6 routes. OSPFv3
also uses the SPF algorithm as the computation engine to determine the best paths
throughout the routing domain.
• OSPFv3 has separate processes from its IPv4 counterpart. The processes and
operations are basically the same as in the IPv4 routing protocol, but run
independently.

1.2 OSPF Packets

OSPF Packets
Video - OSPF Packets
This video will cover the following packet types:
• Hello
• Database Description (DBD)
• Link-State Request (LSR)
• Link-State Update (LSU)
• Link-State Acknowledgment (LSAck)

OSPF Packets
Types of OSPF Packets
The table summarizes the five different types of link-state packets (LSPs) used by OSPFv2. OSPFv3 has similar packet types.

Type 1, Hello: Discovers neighbors and builds adjacencies between them.
Type 2, Database Description (DBD): Checks for database synchronization between routers.
Type 3, Link-State Request (LSR): Requests specific link-state records from another router.
Type 4, Link-State Update (LSU): Sends specifically requested link-state records and floods changed LSAs.
Type 5, Link-State Acknowledgment (LSAck): Acknowledges the LSAs received in LSU packets, so flooding is reliable.

OSPF Packets
Link-State Updates
• LSUs are also used to forward OSPF routing updates. An LSU packet can contain 11 different types of OSPFv2 LSAs. OSPFv3 renamed several of these LSAs and also contains two additional LSAs.
• LSU and LSA are often used interchangeably, but the correct hierarchy is that LSU packets contain LSA messages.

OSPF Packets
Hello Packet
The OSPF Type 1 packet is the Hello packet. Hello packets are used to do the following:
• Discover OSPF neighbors and establish neighbor adjacencies.
• Advertise parameters on which two routers must agree to become neighbors: area ID, hello and dead intervals, the network mask on multiaccess links, the authentication type and key, and the stub-area flag.
• Elect the Designated Router (DR) and Backup Designated Router (BDR) on multiaccess networks like Ethernet. Point-to-point links do not require a DR or BDR.

1.3 OSPF Operation

OSPF Operation
Video - OSPF Operation
• This video will cover the 7 states of OSPF operation:
• Down state
• Init state
• Two-way state
• ExStart state
• Exchange state
• Loading state
• Full state

OSPF Operation
OSPF Operational States
State Description

Down State
• No Hello packets received = Down.
• Router sends Hello packets.
• Transition to Init state.

Init State
• Hello packets are received from the neighbor.
• They contain the Router ID of the sending router.
• Transition to Two-Way state.

Two-Way State
• In this state, communication between the two routers is bidirectional (the router sees its own router ID in the neighbor's Hello).
• On multiaccess links, the routers elect a DR and a BDR.
• Transition to ExStart state.

OSPF Operation
OSPF Operational States (Cont.)
State Description

ExStart State
• The two routers decide which router (the master, the one with the higher router ID) will initiate the DBD packet exchange and agree on the initial DBD packet sequence number. This happens on every network type; on a multiaccess network only the DR and BDR proceed beyond Two-Way with the other routers.

Exchange State
• Routers exchange DBD packets.
• If additional link-state information is required then transition to Loading; otherwise, transition to the Full state.

Loading State
• LSRs and LSUs are used to obtain the missing link-state information.
• Transition to the Full state.

Full State
• The link-state database of the router is fully synchronized with the neighbor. The SPF algorithm is then run on the LSDB to compute the routing table.

OSPF Operation
Establish Neighbor Adjacencies
• To determine if there is an OSPF neighbor on the link, the router sends a Hello packet that contains its router ID out all OSPF-enabled interfaces. The Hello packet is sent to the reserved All OSPF Routers IPv4 multicast address 224.0.0.5 (OSPF rides directly on IP as protocol 89; there is no TCP or UDP port). Only OSPFv2 routers will process these packets.
• The OSPF router ID is used by the OSPF process to uniquely identify each router in the OSPF routing domain, not just within one area. A router ID is a 32-bit number formatted like an IPv4 address; it does not have to be a reachable address, but it must be unique among all OSPF routers in the domain.
• When a neighboring OSPF-enabled router receives a Hello packet with a router ID that is not within its neighbor list, the receiving router attempts to establish an adjacency with the initiating router.

OSPF Operation
Establish Neighbor Adjacencies (Cont.)
The process routers use to establish adjacency on a multiaccess network:

1. Down to Init State - When OSPFv2 is enabled on the interface, R1 transitions from Down to Init and starts sending OSPFv2 Hellos out of the interface in an attempt to discover neighbors.
2. Init State - When R2 receives a Hello from the previously unknown router R1, it adds R1's router ID to its neighbor list and responds with a Hello packet containing its own router ID and listing R1 as a neighbor.
3. Two-Way State - R1 receives R2's Hello and notices that the message contains the R1 router ID in the list of R2's neighbors. R1 adds R2's router ID to its neighbor list and transitions to the Two-Way state. If R1 and R2 are connected with a point-to-point link, they transition to ExStart. If R1 and R2 are connected over a common Ethernet network, the DR/BDR election occurs.
4. Elect the DR and BDR - The router with the highest interface priority is elected DR and the second highest becomes the BDR; the router ID is only the tie-breaker when priorities are equal (so with the default priority of 1 everywhere, the highest router ID wins). A priority of 0 makes a router ineligible.
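The Hello exchange in steps 1 to 3, as an added Python example that is not part of the course material: it builds and parses OSPFv2 Hello packets in the RFC 2328 wire format (24-byte header, then network mask, hello interval, options, priority, dead interval, DR, BDR and the neighbor list), verifies the OSPF checksum, checks the parameters the two routers must agree on, and reports Init versus Two-Way from whether the receiver's own router ID appears in the sender's neighbor list. The router IDs, addresses and timer values are constructed for the example; the local-interface dictionary and the field names are this example's own.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, List

OSPF_VERSION = 2
HELLO_TYPE = 1                   # OSPF packet type 1
HEADER_FMT = "!BBH4s4sHH8s"      # version, type, length, router ID, area ID, checksum, AuType, authentication
HELLO_FMT = "!4sHBBI4s4s"        # network mask, hello interval, options, priority, dead interval, DR, BDR


def ospf_checksum(packet: bytes) -> int:
    """RFC 1071 one's-complement checksum of an OSPFv2 packet. The 8-byte
    authentication field (offsets 16..23) is excluded, as RFC 2328 specifies.
    Over a correctly checksummed packet the result is 0."""
    data = packet[:16] + packet[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, mask, hello, dead, priority, dr, bdr, neighbors, options=0x02) -> bytes:
    """Serialize a Hello with AuType 0 (null authentication), the IOS default."""
    body = struct.pack(HELLO_FMT, IPv4Address(mask).packed, hello, options, priority, dead,
                       IPv4Address(dr).packed, IPv4Address(bdr).packed)
    body += b"".join(IPv4Address(n).packed for n in neighbors)
    header = struct.pack(HEADER_FMT, OSPF_VERSION, HELLO_TYPE, 24 + len(body),
                         IPv4Address(router_id).packed, IPv4Address(area_id).packed, 0, 0, b"\x00" * 8)
    pkt = header + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]   # fill in checksum


def parse_hello(pkt: bytes) -> Dict:
    """Parse and validate a Hello; raises ValueError on anything malformed."""
    if len(pkt) < 44:
        raise ValueError("too short for an OSPFv2 Hello")
    version, ptype, length, rid, area, _csum, autype, _auth = struct.unpack(HEADER_FMT, pkt[:24])
    if version != OSPF_VERSION or ptype != HELLO_TYPE:
        raise ValueError("not an OSPFv2 Hello")
    if length < 44 or length > len(pkt) or (length - 44) % 4:
        raise ValueError("bad length field")
    pkt = pkt[:length]                       # ignore any trailing bytes
    if ospf_checksum(pkt) != 0:
        raise ValueError("checksum mismatch")
    mask, hello, options, prio, dead, dr, bdr = struct.unpack(HELLO_FMT, pkt[24:44])
    return {
        "router_id": str(IPv4Address(rid)), "area_id": str(IPv4Address(area)), "autype": autype,
        "network_mask": str(IPv4Address(mask)), "hello_interval": hello, "options": options,
        "priority": prio, "dead_interval": dead, "dr": str(IPv4Address(dr)), "bdr": str(IPv4Address(bdr)),
        "neighbors": [str(IPv4Address(pkt[i:i + 4])) for i in range(44, length, 4)],
    }


def adjacency_problems(hello: Dict, local: Dict) -> List[str]:
    """Reasons the receiving interface (`local`) must ignore this Hello; an
    empty list means every parameter the two routers must agree on matches."""
    problems = []
    if hello["area_id"] != local["area_id"]:
        problems.append("area ID mismatch")
    if hello["hello_interval"] != local["hello_interval"] or hello["dead_interval"] != local["dead_interval"]:
        problems.append("hello/dead interval mismatch")
    if local["network_type"] != "POINT_TO_POINT" and hello["network_mask"] != local["network_mask"]:
        problems.append("network mask mismatch")     # the mask is not checked on point-to-point links
    if hello["autype"] != local["autype"]:
        problems.append("authentication type mismatch")
    if hello["router_id"] == local["router_id"]:
        problems.append("duplicate router ID")
    return problems


def neighbor_state(hello: Dict, local: Dict) -> str:
    """Init while our router ID is absent from the sender's neighbor list, Two-Way once it appears."""
    return "TWO-WAY" if local["router_id"] in hello["neighbors"] else "INIT"
```

A Hello from a router in another area, with other timers, or with a different authentication type is dropped before any adjacency state is touched, which is why mismatched timers are the classic cause of a neighbor that never leaves Init, and why enabling authentication on only one side silently breaks the adjacency.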

OSPF Operation
Synchronizing OSPF Databases
After the Two-Way state, routers transition to database synchronization states. This is a
three step process, as follows:
• Decide first router: The router with the highest router ID sends its DBD first.
• Exchange DBDs: As many as needed to convey the database. The other router must
acknowledge each DBD with an LSAck packet.
• Send an LSR: Each router compares the DBD information with the local LSDB. If the
DBD has more current link information, the router transitions to the loading state.

After all LSRs have been satisfied, the routers are considered synchronized and in the Full state. Updates (LSUs) are sent:
• When a change is perceived (incremental updates)
• Every 30 minutes, when each LSA is refreshed by its originator (LSRefreshTime); an LSA that is not refreshed within 60 minutes (MaxAge) is flushed from the LSDB

OSPF Operation
The Need for a DR
Multiaccess networks can create two challenges for OSPF regarding the flooding of LSAs, as follows:
• Creation of multiple adjacencies - Ethernet networks could potentially interconnect many OSPF routers over a common link. Creating adjacencies with every router would lead to an excessive number of LSAs exchanged between routers on the same network.
• Extensive flooding of LSAs - Link-state routers flood their LSAs any time OSPF is initialized, or when there is a change in the topology. This flooding can become excessive.
OSPF Operation
LSA Flooding with a DR
• An increase in the number of routers on a multiaccess network also increases the
number of LSAs exchanged between the routers. This flooding of LSAs significantly
impacts the operation of OSPF.
• If every router in a multiaccess network had to flood and acknowledge all received
LSAs to all other routers on that same multiaccess network, the network traffic would
become quite chaotic.
• On multiaccess networks, OSPF elects a DR to be the collection and distribution point
for LSAs sent and received. A BDR is also elected in case the DR fails. All other
routers become DROTHERs. A DROTHER is a router that is neither the DR nor the
BDR.
• Note: The DR is only used for the dissemination of LSAs. The router will still use the best next-
hop router indicated in the routing table for the forwarding of all other packets.

1.4 Module Practice and Quiz

Module Practice and Quiz
What Did I Learn In This Module?
• Open Shortest Path First (OSPF) is a link-state routing protocol that was developed as an
alternative for the distance vector Routing Information Protocol (RIP).
• OSPF is a link-state routing protocol that uses the concept of areas for scalability.
• A link is an interface on a router. A link is also a network segment that connects two routers, or a
stub network such as an Ethernet LAN that is connected to a single router.
• All link-state information includes the network prefix, prefix length, and cost.
• All routing protocols use routing protocol messages to exchange route information. The messages
help build data structures, which are then processed using a routing algorithm.
• Routers running OSPF exchange messages to convey routing information using five types of
packets: the Hello packet, the database description packet, the link-state request packet, the link-
state update packet, and the link-state acknowledgment packet.
• OSPF messages are used to create and maintain three OSPF databases: the adjacency database
creates the neighbor table, the link-state database (LSDB) creates the topology table, and the
forwarding database creates the routing table.
• The router builds the topology table using results of calculations based on the Dijkstra SPF
(shortest-path first) algorithm. The SPF algorithm is based on the cumulative cost to reach a
destination. In OSPF, cost is used to determine the best path to the destination.
Module Practice and Quiz
What Did I Learn In This Module?
• To maintain routing information, OSPF routers complete a generic link-state routing process to
reach a state of convergence: Establish Neighbor Adjacencies, Exchange Link-State
Advertisements, Build the Link State Database, Execute the SPF Algorithm, Choose the Best Route
• With single-area OSPF any number can be used for the area, best practice is to use area 0.
• Single-area OSPF is useful in smaller networks with few routers.
• With multiarea OSPF, one large routing domain can be divided into smaller areas, to support
hierarchical routing. Routing still occurs between the areas (interarea routing), while many of the
processor intensive routing operations, such as recalculating the database, are kept within an area.
• OSPFv3 is the OSPFv2 equivalent for exchanging IPv6 prefixes. Recall that in IPv6, the network
address is referred to as the prefix and the subnet mask is called the prefix-length.
• OSPF uses the following link-state packets (LSPs) to establish and maintain neighbor adjacencies
and exchange routing updates: 1 Hello, 2 DBD, 3 LSR, 4 LSU, and 5 LSAck.
• LSUs are also used to forward OSPF routing updates, such as link changes.
• Hello packets are used to: Discover OSPF neighbors and establish neighbor adjacencies, Advertise
parameters on which two routers must agree to become neighbors, and Elect the Designated
Router (DR) and Backup Designated Router (BDR) on multiaccess networks like Ethernet. Point-to-
point links do not require DR or BDR.
Module Practice and Quiz
What Did I Learn In This Module?
• Some important fields in the Hello packet are type, router ID, area ID, network mask, hello interval,
router priority, dead interval, DR, BDR and list of neighbors.
• The states that OSPF progresses through to do reach convergence are down state, init state, two-
way state, ExStart state, Exchange state, loading state, and full state.
• When OSPF is enabled on an interface, the router must determine if there is another OSPF
neighbor on the link by sending a Hello packet that contains its router ID out all OSPF-enabled
interfaces.
• The Hello packet is sent to the reserved All OSPF Routers IPv4 multicast address 224.0.0.5. Only
OSPFv2 routers will process these packets.
• When a neighboring OSPF-enabled router receives a Hello packet with a router ID that is not within
its neighbor list, the receiving router attempts to establish an adjacency with the initiating router.
• After the Two-Way state, routers transition to the database synchronization states, which is a three step process: decide which router sends its DBD first, exchange DBDs, and send LSRs for any entries that are more recent than the local LSDB.
• Multiaccess networks can create two challenges for OSPF regarding the flooding of LSAs: the
creation of multiple adjacencies and extensive flooding of LSAs.

Module Practice and Quiz
What Did I Learn In This Module?
• A dramatic increase in the number of routers also dramatically increases the number of LSAs
exchanged between the routers.
• This flooding of LSAs significantly impacts the operation of OSPF. If every router in a multiaccess network had to flood and acknowledge all received LSAs to all other routers on that same multiaccess network, the network traffic would become quite chaotic. This is why DR and BDR election is necessary.
• On multiaccess networks, OSPF elects a DR to be the collection and distribution point for LSAs
sent and received. A BDR is also elected in case the DR fails.

Module 2: Single-Area OSPFv2
Configuration
Enterprise Networking, Security, and Automation v7.0
(ENSA)
Module Objectives
Module Title: Single-Area OSPFv2 Configuration

Module Objective: Implement single-area OSPFv2 in both point-to-point and broadcast multiaccess
networks.
Topic Title / Topic Objective
• OSPF Router ID: Configure an OSPFv2 router ID.
• Point-to-Point OSPF Networks: Configure single-area OSPFv2 in a point-to-point network.
• Multiaccess OSPF Networks: Configure the OSPF interface priority to influence the DR/BDR election in a multiaccess network.
• Modify Single-Area OSPFv2: Implement modifications to change the operation of single-area OSPFv2.
• Default Route Propagation: Configure OSPF to propagate a default route.
• Verify Single-Area OSPFv2: Verify a single-area OSPFv2 implementation.

2.1 OSPF Router ID

OSPF Router ID
OSPF Reference Topology
The figure shows the topology used for configuring OSPFv2 in this module. The routers in the topology have a starting configuration, including interface addresses. There is currently no static routing or dynamic routing configured on any of the routers. All interfaces on R1, R2, and R3 (except the loopback 1 on R2) are within the OSPF backbone area. The ISP router is used as the gateway to the internet for the routing domain.

OSPF Router ID
Router Configuration Mode for OSPF
OSPFv2 is enabled using the router ospf process-id global configuration mode
command. The process-id value represents a number between 1 and 65,535 and is
selected by the network administrator. The process-id value is locally significant. It is
considered best practice to use the same process-id on all OSPF routers.
R1(config)# router ospf 10
R1(config-router)# ?
area OSPF area parameters
auto-cost Calculate OSPF interface cost according to bandwidth
default-information Control distribution of default information
distance Define an administrative distance
exit Exit from routing protocol configuration mode
log-adjacency-changes Log changes in adjacency state
neighbor Specify a neighbor router
network Enable routing on an IP network
no Negate a command or set its defaults
passive-interface Suppress routing updates on an interface
redistribute Redistribute information from another routing protocol
router-id router-id for this OSPF process
R1(config-router)#

OSPF Router ID
Router IDs
• An OSPF router ID is a 32-bit value, represented as an IPv4 address. It is used to uniquely identify an OSPF router, and all OSPF packets include the router ID of the originating router.
• Every router requires a router ID to participate in an OSPF domain. It can be defined by an administrator or automatically assigned by the router. The router ID is used by an OSPF-enabled router to do the following:
• Participate in the synchronization of OSPF databases - When two routers enter the ExStart state, the router with the higher router ID becomes the master and sends its database description (DBD) packets first.
• Participate in the election of the designated router (DR) - In a multiaccess LAN environment, the router with the highest interface priority is elected DR, and the second highest becomes the backup designated router (BDR). The router ID decides the election only when priorities are equal, which is the usual case because every interface defaults to priority 1.

OSPF Router ID
Router ID Order of Precedence
Cisco routers derive the router ID based on one of three criteria, in the following preferential order:
1. The router ID is explicitly configured using the OSPF router-id rid router configuration mode command. This is the recommended method to assign a router ID, because the result does not change when interfaces are added, readdressed or shut down.
2. The router chooses the highest IPv4 address of any of its configured loopback interfaces.
3. The router chooses the highest active IPv4 address of any of its physical interfaces.
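The precedence above, together with the two uses of the router ID described under Router IDs and in the Module 1 adjacency steps (DBD master, DR/BDR election), as an added Python example that is not part of the course: select_router_id applies the three-step precedence to a constructed interface table, duplicate_router_ids finds an ID reused across the domain, and elect_dr_bdr runs the priority-first, router-ID-as-tiebreaker election, including priority 0 and the non-preemptive behaviour when a router joins after the election has finished. Interface names, addresses and priorities are made up for the example.

```python
from ipaddress import IPv4Address
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed example data, not from the course:
# (interface name, IPv4 address or None, interface up)
R1_INTERFACES = [
    ("GigabitEthernet0/0/0", "10.1.1.5", True),
    ("GigabitEthernet0/0/1", "10.1.1.14", True),
    ("GigabitEthernet0/0/2", "192.168.10.1", False),   # shut down: never a candidate
    ("Loopback0", "10.10.1.1", True),
]


def _as_int(rid: str) -> int:
    return int(IPv4Address(rid))


def select_router_id(explicit: Optional[str],
                     interfaces: Iterable[Tuple[str, Optional[str], bool]]) -> Optional[str]:
    """Cisco IOS precedence: explicit router-id, else the highest IPv4 address
    on an up loopback, else the highest IPv4 address on an up physical
    interface. Returns None when nothing qualifies (the process cannot start)."""
    if explicit:
        return str(IPv4Address(explicit))      # validates dotted-quad form; need not be reachable
    up = [(name, ip) for name, ip, is_up in interfaces if ip and is_up]
    loopbacks = [ip for name, ip in up if name.lower().startswith("loopback")]
    physical = [ip for name, ip in up if not name.lower().startswith("loopback")]
    for candidates in (loopbacks, physical):
        if candidates:
            return max(candidates, key=_as_int)
    return None


def duplicate_router_ids(domain: Dict[str, str]) -> Dict[str, List[str]]:
    """{hostname: router_id} -> {router_id: [hostnames]} for IDs used more than
    once. Router IDs must be unique across the whole routing domain, not just
    an area: a duplicate makes SPF attribute two routers' LSAs to one node."""
    seen: Dict[str, List[str]] = {}
    for host, rid in domain.items():
        seen.setdefault(rid, []).append(host)
    return {rid: hosts for rid, hosts in seen.items() if len(hosts) > 1}


def elect_dr_bdr(routers: Dict[str, int], current_dr: Optional[str] = None,
                 current_bdr: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Multiaccess DR/BDR election (RFC 2328 section 9.4, simplified).

    `routers` maps router ID -> interface priority. Highest priority wins and
    the router ID is only the tie-breaker; priority 0 makes a router
    ineligible. The election is not preemptive: an existing DR/BDR is kept,
    and a newly attached router with a higher priority waits for the DR to fail.
    """
    eligible = {rid: prio for rid, prio in routers.items() if prio > 0}
    if not eligible:
        return (None, None)

    def best(cands):
        return max(cands, key=lambda r: (eligible[r], _as_int(r)))

    # Step 1: BDR, chosen among eligible routers that are not the DR.
    not_dr = [r for r in eligible if r != current_dr]
    bdr = current_bdr if current_bdr in not_dr else (best(not_dr) if not_dr else None)
    # Step 2: DR. Keep it if still present; otherwise promote the BDR and pick a new BDR.
    if current_dr in eligible:
        dr = current_dr
    else:
        dr = bdr
        rest = [r for r in eligible if r != dr]
        bdr = best(rest) if rest else None
    return (dr, bdr)
```

Because the election is not preemptive, the only reliable way to make a particular router the DR on an existing segment is to set the priority before the adjacencies come up (or to clear the OSPF process on the segment), a point that matters when a core router must not end up as DROTHER behind an access switch's router.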

OSPF Router ID
Configure a Loopback Interface as the Router ID
Instead of relying on a physical interface, the router ID can be taken from a loopback interface. Typically, the IPv4 address for this type of loopback interface is configured with a 32-bit subnet mask (255.255.255.255), which creates a host route. As long as the loopback is not included in an OSPF network statement, that host route is not advertised to other OSPF routers; the address serves only as the router ID. OSPF does not need to be enabled on an interface for that interface's address to be chosen as the router ID.

OSPF Router ID
Explicitly Configure a Router ID
In our reference topology the router ID for each router is assigned as follows:
• R1 uses router ID 1.1.1.1
• R2 uses router ID 2.2.2.2
• R3 uses router ID 3.3.3.3
Use the router-id rid router configuration mode command to manually assign a router ID. In the example, the router ID 1.1.1.1 is assigned to R1. Use the show ip protocols command to verify the router ID.

R1(config)# router ospf 10
R1(config-router)# router-id 1.1.1.1
R1(config-router)# end
*May 23 19:33:42.689: %SYS-5-CONFIG_I: Configured from console by console
R1# show ip protocols | include Router ID
Router ID 1.1.1.1
R1#

OSPF Router ID
Modify a Router ID
• After a router selects a router ID, an active OSPF router does not allow the router ID to be changed until the router is reloaded or the OSPF process is reset.
• Clearing the OSPF process is the preferred method to reset the router ID. Note in the output that this tears down every adjacency (FULL to DOWN) and rebuilds them, so on a production router it belongs in a maintenance window.
R1# show ip protocols | include Router ID
Router ID 10.10.1.1
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# router ospf 10
R1(config-router)# router-id 1.1.1.1
% OSPF: Reload or use "clear ip ospf process" command, for this to take effect
R1(config-router)# end
R1# clear ip ospf process
Reset ALL OSPF processes? [no]: y
*Jun 6 01:09:46.975: %OSPF-5-ADJCHG: Process 10, Nbr 3.3.3.3 on GigabitEthernet0/0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
*Jun 6 01:09:46.981: %OSPF-5-ADJCHG: Process 10, Nbr 3.3.3.3 on GigabitEthernet0/0/1 from LOADING to FULL, Loading Done
R1# show ip protocols | include Router ID
Router ID 1.1.1.1
R1#
2.2 Point-to-Point OSPF
Networks

Point-to-Point OSPF Networks
The network Command Syntax
• You can specify the interfaces that belong to a point-to-point network by configuring the network command. You can also configure OSPF directly on the interface with the ip ospf command.
• The basic syntax for the network command is as follows:

Router(config-router)# network network-address wildcard-mask area area-id

• The network-address wildcard-mask part of the command selects the interfaces on which OSPF is enabled. Any interface whose IPv4 address matches this part of the command is enabled to send and receive OSPF packets, and its network is advertised.
• The area area-id part refers to the OSPF area. When configuring single-area OSPFv2, the network command must be configured with the same area-id value on all routers. Although any area ID can be used, it is good practice to use an area ID of 0 with single-area OSPFv2. This convention makes it easier if the network is later altered to support multiarea OSPFv2.

Point-to-Point OSPF Networks
The Wildcard Mask
• The wildcard mask is typically the inverse of the subnet mask configured on that interface.
• The easiest method for calculating a wildcard mask is to subtract the subnet mask from 255.255.255.255: for a /24 mask (255.255.255.0) this gives 0.0.0.255, and for a /26 mask (255.255.255.192) it gives 0.0.0.63.

Point-to-Point OSPF Networks
Configure OSPF Using the network Command
Within routing configuration mode, there are two ways to identify the interfaces that will participate in the OSPFv2 routing process.
• In the first example, the wildcard mask identifies the interfaces based on their network addresses. Any active interface that is configured with an IPv4 address belonging to that network will participate in the OSPFv2 routing process.
• Note: Some IOS versions allow the subnet mask to be entered instead of the wildcard mask. The IOS then converts the subnet mask to the wildcard mask format.

R1(config)# router ospf 10
R1(config-router)# network 10.10.1.0 0.0.0.255 area 0
R1(config-router)# network 10.1.1.4 0.0.0.3 area 0
R1(config-router)# network 10.1.1.12 0.0.0.3 area 0
R1(config-router)#

Point-to-Point OSPF Networks
Configure OSPF Using the network Command (Cont.)
• As an alternative, OSPFv2 can be enabled by specifying the exact interface IPv4 address using a quad zero wildcard mask. Entering network 10.1.1.5 0.0.0.0 area 0 on R1 tells the router to enable interface GigabitEthernet 0/0/0 for the routing process.
• The advantage of specifying the interface is that the wildcard mask calculation is not necessary, and an interface later addressed in the same subnet is not silently enabled. Notice that in all cases, the area argument specifies area 0.

R1(config)# router ospf 10
R1(config-router)# network 10.10.1.1 0.0.0.0 area 0
R1(config-router)# network 10.1.1.5 0.0.0.0 area 0
R1(config-router)# network 10.1.1.14 0.0.0.0 area 0
R1(config-router)#
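The wildcard arithmetic and the two network-statement forms above (subnet-based and quad-zero exact address), as an added Python example that is not from the course: it computes wildcard masks from subnet masks, applies IOS matching semantics (wildcard 0 bits must match, 1 bits are don't care, non-contiguous wildcards included) to a constructed R1 interface table, and shows which interfaces a set of statements would enable. The interface table and the management LAN address are made up; the rule that the most specific matching statement wins is an assumption of this example.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple

# Constructed R1 interface table (example data, not from the course):
# name -> (IPv4 address, subnet mask, interface up)
R1_INTERFACES: Dict[str, Tuple[str, str, bool]] = {
    "GigabitEthernet0/0/0": ("10.1.1.5", "255.255.255.252", True),
    "GigabitEthernet0/0/1": ("10.1.1.14", "255.255.255.252", True),
    "Loopback0": ("10.10.1.1", "255.255.255.0", True),
    "GigabitEthernet0/0/2": ("192.168.10.1", "255.255.255.0", True),   # management LAN, should not run OSPF
}


def wildcard_from_mask(mask: str) -> str:
    """255.255.255.255 minus the subnet mask, the calculation the course describes."""
    return str(IPv4Address(0xFFFFFFFF - int(IPv4Address(mask))))


def wildcard_from_prefixlen(prefixlen: int) -> str:
    return wildcard_from_mask(str(IPv4Network(f"0.0.0.0/{prefixlen}").netmask))


def matches(network: str, wildcard: str, address: str) -> bool:
    """IOS network-statement semantics: a 0 bit in the wildcard means that bit
    must match, a 1 bit means don't care. 0.0.0.0 therefore selects one exact
    address and 255.255.255.255 matches everything. Wildcards need not be
    contiguous, unlike subnet masks."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(network)) & care) == (int(IPv4Address(address)) & care)


def ospf_enabled_interfaces(statements: List[Tuple[str, str, int]],
                            interfaces: Dict[str, Tuple[str, str, bool]]) -> Dict[str, int]:
    """Which interfaces a list of (network, wildcard, area) statements enable,
    and in which area. Only up interfaces with an address participate. When
    several statements match one interface, the most specific wildcard (fewest
    don't-care bits) wins; this example assumes that ordering."""
    ordered = sorted(statements, key=lambda s: bin(int(IPv4Address(s[1]))).count("1"))
    enabled: Dict[str, int] = {}
    for name, (address, _mask, up) in interfaces.items():
        if not up:
            continue
        for network, wildcard, area in ordered:
            if matches(network, wildcard, address):
                enabled[name] = area
                break
    return enabled
```

Running the module's three network statements against the table enables only the two serial-style links and Loopback0; the management interface stays out. A catch-all such as network 0.0.0.0 255.255.255.255 area 0 enables every interface, including the management LAN, which is the configuration shortcut that most often exposes OSPF Hellos on a segment where untrusted hosts can answer them.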

Point-to-Point OSPF Networks
Configure OSPF Using the ip ospf Command
To configure OSPF directly on the interface, use the ip ospf interface configuration mode
command. The syntax is as follows:
Router(config-if)# ip ospf process-id area area-id

Remove the network commands using the no form of the command. Then go to each interface and configure the ip ospf command.

R1(config)# router ospf 10
R1(config-router)# no network 10.10.1.1 0.0.0.0 area 0
R1(config-router)# no network 10.1.1.5 0.0.0.0 area 0
R1(config-router)# no network 10.1.1.14 0.0.0.0 area 0
R1(config-router)# interface GigabitEthernet 0/0/0
R1(config-if)# ip ospf 10 area 0
R1(config-if)# interface GigabitEthernet 0/0/1
R1(config-if)# ip ospf 10 area 0
R1(config-if)# interface Loopback 0
R1(config-if)# ip ospf 10 area 0
R1(config-if)#
Point-to-Point OSPF Networks
Passive Interface
By default, OSPF messages are forwarded out all OSPF-enabled interfaces. However,
these messages only need to be sent out interfaces that are connecting to other OSPF-
enabled routers.
Sending out unneeded messages on a LAN affects the network in three ways:
• Inefficient Use of Bandwidth - Available bandwidth is consumed transporting
unnecessary messages.
• Inefficient Use of Resources - All devices on the LAN must process and eventually
discard the message.
• Increased Security Risk - Without additional OSPF security configurations, OSPF
messages can be intercepted with packet sniffing software. Routing updates can be
modified and sent back to the router, corrupting the routing table with false metrics that
misdirect traffic.

Point-to-Point OSPF Networks
Configure Passive Interfaces
• Use the passive-interface router configuration mode command to prevent the transmission of
routing messages through a router interface, but still allow that network to be advertised to
other routers.
• The show ip protocols command is then used to verify that the interface is listed as passive.

Point-to-Point OSPF Networks
OSPF Point-to-Point Networks
By default, Cisco routers elect a DR and BDR on Ethernet interfaces, even if there is only
one other device on the link. You can verify this with the show ip ospf
interface command. The DR/ BDR election process is unnecessary as there can only be
two routers on the point-to-point network between R1 and R2. Notice in the output that the
router has designated the network type as BROADCAST.

R1# show ip ospf interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Internet Address 10.1.1.5/30, Area 0, Attached via Interface Enable
Process ID 10, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 1 no no Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 2.2.2.2, Interface address 10.1.1.6
Backup Designated router (ID) 1.1.1.1, Interface address 10.1.1.5
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40

Point-to-Point OSPF Networks
OSPF Point-to-Point Networks (Cont.)
To change this to a point-to-point network, use the interface configuration command ip
ospf network point-to-point on all interfaces where you want to disable the DR/BDR
election process.

R1(config)# interface GigabitEthernet 0/0/0
R1(config-if)# ip ospf network point-to-point
*Jun 6 00:44:05.208: %OSPF-5-ADJCHG: Process 10, Nbr 2.2.2.2 on GigabitEthernet0/0/0 from
FULL to DOWN, Neighbor Down: Interface down or detached
*Jun 6 00:44:05.211: %OSPF-5-ADJCHG: Process 10, Nbr 2.2.2.2 on GigabitEthernet0/0/0 from
LOADING to FULL, Loading Done
R1(config-if)# end
R1# show ip ospf interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Internet Address 10.1.1.5/30, Area 0, Attached via Interface Enable
Process ID 10, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name

Point-to-Point OSPF Networks
Loopbacks and Point-to-Point Networks
• Use loopbacks to provide additional interfaces for a variety of purposes. By default,
loopback interfaces are advertised as /32 host routes.
• To simulate a real LAN, the loopback interface can be configured as a point-to-point
network to advertise the full network.
• What R2 sees when R1 advertises the loopback interface as-is:
R2# show ip route | include 10.10.1
O 10.10.1.1/32 [110/2] via 10.1.1.5, 00:03:05, GigabitEthernet0/0/0

• Configuration change at R1:
R1(config-if)# interface Loopback 0
R1(config-if)# ip ospf network point-to-point

• Result at R2:
R2# show ip route | include 10.10.1
O 10.10.1.0/24 [110/2] via 10.1.1.5, 00:03:05, GigabitEthernet0/0/0

Point-to-Point OSPF Networks
Packet Tracer - Point-to-Point Single-Area OSPFv2 Configuration
In this Packet Tracer activity, you will do the following:
• Explicitly configure router IDs.
• Configure the network command on R1 using a wildcard mask based on the subnet mask.
• Configure the network command on R2 using a quad-zero wildcard mask.
• Configure the ip ospf interface command on R3.
• Configure passive interfaces.
• Verify OSPF operation using the show ip protocols and show ip route commands.

2.3 Multiaccess OSPF Networks

Multiaccess OSPF Networks
OSPF Network Types
Another type of network that uses OSPF is the multiaccess OSPF network. Multiaccess OSPF
networks are unique in that one router controls the distribution of LSAs.
The router that is elected for this role should be determined by the network administrator
through proper configuration.

Multiaccess OSPF Networks
OSPF Designated Router
• In multiaccess networks, OSPF elects a DR and BDR. The DR is responsible for
collecting and distributing LSAs sent and received. The DR uses the multicast IPv4
address 224.0.0.5 which is meant for all OSPF routers.
• A BDR is also elected in case the DR fails. The BDR listens passively and maintains a
relationship with all the routers. If the DR stops producing Hello packets, the BDR
promotes itself and assumes the role of DR.
• All other routers become a DROTHER (a router that is neither the DR nor the BDR).
DROTHERs use the multicast address 224.0.0.6 (all designated routers) to send
OSPF packets to the DR and BDR. Only the DR and BDR listen for 224.0.0.6.

Multiaccess OSPF Networks
OSPF Multiaccess Reference Topology
• In the multiaccess topology shown in the figure, there are three routers interconnected over a
common Ethernet multiaccess network, 192.168.1.0/24.
• Because the routers are connected over a common multiaccess network, OSPF has
automatically elected a DR and BDR. R3 has been elected as the DR because its router ID is
3.3.3.3, which is the highest in this network. R2 is the BDR because it has the second highest
router ID in the network.

Multiaccess OSPF Networks
Verify OSPF Router Roles
To verify the roles of the OSPFv2 router, use the show ip ospf interface command.
The output generated by R1 confirms that the following:
• R1 is not the DR or BDR, but is a DROTHER with a default priority of 1. (Line 7)
• The DR is R3 with router ID 3.3.3.3 at IPv4 address 192.168.1.3, while the BDR is R2 with router ID
2.2.2.2 at IPv4 address 192.168.1.2. (Lines 8 and 9)
• R1 has two adjacencies: one with the BDR and one with the DR. (Lines 20-22)

R1# show ip ospf interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Internet Address 192.168.1.1/24, Area 0, Attached via Interface Enable
Process ID 10, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
(output omitted)
Transmit Delay is 1 sec, State DROTHER, Priority 1
Designated Router (ID) 3.3.3.3, Interface address 192.168.1.3
Backup Designated router (ID) 2.2.2.2, Interface address 192.168.1.2
(output omitted)
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 2.2.2.2 (Backup Designated Router)
Adjacent with neighbor 3.3.3.3 (Designated Router)
Suppress hello for 0 neighbor(s)
R1#
Multiaccess OSPF Networks
Verify OSPF Router Roles (Cont.)
The output generated by R2 confirms that:
• R2 is the BDR with a default priority of 1. (Line 7)
• The DR is R3 with router ID 3.3.3.3 at IPv4 address 192.168.1.3, while the BDR is R2 with router ID
2.2.2.2 at IPv4 address 192.168.1.2. (Lines 8 and 9)
• R2 has two adjacencies; one with a neighbor with router ID 1.1.1.1 (R1) and the other with the DR. (Lines
20-22)
R2# show ip ospf interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Internet Address 192.168.1.2/24, Area 0, Attached via Interface Enable
Process ID 10, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 1
(output omitted)
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 3.3.3.3, Interface address 192.168.1.3
Backup Designated Router (ID) 2.2.2.2, Interface address 192.168.1.2
(output omitted)
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 1.1.1.1
Adjacent with neighbor 3.3.3.3 (Designated Router)
Suppress hello for 0 neighbor(s)
R2#
Multiaccess OSPF Networks
Verify OSPF Router Roles (Cont.)
The output generated by R3 confirms that:
• R3 is the DR with a default priority of 1. (Line 7)
• The DR is R3 with router ID 3.3.3.3 at IPv4 address 192.168.1.3, while the BDR is R2 with router ID 2.2.2.2
at IPv4 address 192.168.1.2. (Lines 8 and 9)
• R3 has two adjacencies: one with a neighbor with router ID 1.1.1.1 (R1) and the other with the BDR. (Lines
20-22)
R3# show ip ospf interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Internet Address 192.168.1.3/24, Area 0, Attached via Interface Enable
Process ID 10, Router ID 3.3.3.3, Network Type BROADCAST, Cost: 1
(output omitted)
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 3.3.3.3, Interface address 192.168.1.3
Backup Designated Router (ID) 2.2.2.2, Interface address 192.168.1.2
(output omitted)
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 1.1.1.1
Adjacent with neighbor 2.2.2.2 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
R3#
Multiaccess OSPF Networks
Verify DR/BDR Adjacencies
To verify the OSPFv2 adjacencies, use the show ip ospf neighbor command. The state
of neighbors in multiaccess networks can be as follows:
• FULL/DROTHER - This is a DR or BDR router that is fully adjacent with a non-DR or BDR router.
These two neighbors can exchange Hello packets, updates, queries, replies, and
acknowledgments.
• FULL/DR - The router is fully adjacent with the indicated DR neighbor. These two neighbors can
exchange Hello packets, updates, queries, replies, and acknowledgments.
• FULL/BDR - The router is fully adjacent with the indicated BDR neighbor. These two neighbors
can exchange Hello packets, updates, queries, replies, and acknowledgments.
• 2-WAY/DROTHER - The non-DR or BDR router has a neighbor relationship with another non-DR
or BDR router. These two neighbors exchange Hello packets.
The normal state for an OSPF router is usually FULL. If a router is stuck in another state,
it is an indication that there are problems in forming adjacencies. The only exception to
this is the 2-WAY state, which is normal in a multiaccess broadcast network.

Multiaccess OSPF Networks
Verify DR/BDR Adjacencies (Cont.)
The output generated by R2 confirms that R2 has adjacencies with the following routers:
• R1 with router ID 1.1.1.1 is in a Full state and R1 is neither the DR nor BDR.
• R3 with router ID 3.3.3.3 is in a Full state and the role of R3 is DR.

R2# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/DROTHER 00:00:31 192.168.1.1 GigabitEthernet0/0/0
3.3.3.3 1 FULL/DR 00:00:34 192.168.1.3 GigabitEthernet0/0/0
R2#

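The neighbor-state rule from the Verify DR/BDR Adjacencies slides, applied to show ip ospf neighbor output, as an added Python example (written for this page, not Cisco course material). It parses the neighbor table into records and then classifies each neighbor: FULL is always fine, 2-WAY (printed as 2WAY by IOS) is fine only between two DROTHERs, and anything else is a stuck adjacency. The sample output is constructed, seen from R1 as a DROTHER on 192.168.1.0/24; the 4.4.4.4 and 5.5.5.5 neighbors are invented to show both the normal 2-WAY case and a stuck one, and the point-to-point line is constructed in the "FULL/ -" format shown later in this module.

```python
import re
from dataclasses import dataclass

# Constructed "show ip ospf neighbor" output as seen from R1 (a DROTHER on
# 192.168.1.0/24). Neighbors 4.4.4.4 and 5.5.5.5 are invented for the example.
SAMPLE_OUTPUT = """\
R1# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:31    192.168.1.2     GigabitEthernet0/0/0
3.3.3.3           1   FULL/DR         00:00:34    192.168.1.3     GigabitEthernet0/0/0
4.4.4.4           1   2WAY/DROTHER    00:00:38    192.168.1.4     GigabitEthernet0/0/0
5.5.5.5           1   EXSTART/DROTHER 00:00:39    192.168.1.5     GigabitEthernet0/0/0
R1#
"""

# Point-to-point links print the role as "-" (no DR/BDR); constructed line in that format.
SAMPLE_P2P_LINE = "2.2.2.2           0   FULL/  -        00:00:31    10.1.1.6        GigabitEthernet0/0/0"

NEIGHBOR_RE = re.compile(
    r"^(?P<rid>\d+(?:\.\d+){3})\s+(?P<pri>\d+)\s+(?P<state>[A-Z0-9-]+)/\s*(?P<role>[A-Z-]+)"
    r"\s+(?P<dead>\d\d:\d\d:\d\d)\s+(?P<addr>\d+(?:\.\d+){3})\s+(?P<intf>\S+)$"
)

@dataclass
class Neighbor:
    router_id: str
    priority: int
    state: str      # FULL, 2WAY, EXSTART, ... (hyphen removed, so "2-WAY" == "2WAY")
    role: str       # DR, BDR, DROTHER, or "-" on point-to-point links
    dead_time: str
    address: str
    interface: str

def parse_neighbors(text):
    """Return one Neighbor per data row; the prompt and header lines are skipped."""
    neighbors = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            neighbors.append(Neighbor(m["rid"], int(m["pri"]), m["state"].replace("-", ""),
                                      m["role"], m["dead"], m["addr"], m["intf"]))
    return neighbors

def check_states(neighbors, local_role):
    """Classify each neighbor's state. local_role is this router's role on the
    segment ('DR', 'BDR' or 'DROTHER'). FULL is always fine; 2WAY is fine only
    between two DROTHERs; any other state means the adjacency is stuck."""
    verdicts = {}
    for n in neighbors:
        if n.state == "FULL":
            verdicts[n.router_id] = "ok"
        elif n.state == "2WAY" and local_role == "DROTHER" and n.role == "DROTHER":
            verdicts[n.router_id] = "ok (2-WAY between DROTHERs is normal)"
        else:
            verdicts[n.router_id] = f"problem: stuck in {n.state}/{n.role}"
    return verdicts

if __name__ == "__main__":
    for rid, verdict in check_states(parse_neighbors(SAMPLE_OUTPUT), "DROTHER").items():
        print(rid, verdict)
```

The local role is passed in rather than inferred because the neighbor table does not show it; it comes from the State field of show ip ospf interface on the same router.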
Multiaccess OSPF Networks
Default DR/BDR Election Process
The OSPF DR and BDR election is based on the following criteria, in sequential order:
1. The routers in the network elect the router with the highest interface priority as the
DR. The router with the second highest interface priority becomes the BDR.
• The priority can be configured to be any number between 0 – 255.
• If the interface priority value is set to 0, that interface cannot be elected as DR nor BDR.
• The default priority of multiaccess broadcast interfaces is 1.
2. If the interface priorities are equal, then the router with the highest router ID is elected
the DR. The router with the second highest router ID is the BDR.
• The election process takes place when the first router with an OSPF-enabled interface
is active on the network. If all of the routers on the network have not finished booting,
it is possible that a router with a lower router ID becomes the DR.
• The addition of a new router does not initiate a new election process.

Multiaccess OSPF Networks
DR Failure and Recovery
After the DR is elected, it remains the DR until one of the following events occurs:
• The DR fails.
• The OSPF process on the DR fails or is stopped.
• The multiaccess interface on the DR fails or is shutdown.

If the DR fails, the BDR is automatically promoted to DR. This is the case even if another
DROTHER with a higher priority or router ID is added to the network after the initial
DR/BDR election. However, after a BDR is promoted to DR, a new BDR election occurs
and the DROTHER with the highest priority or router ID is elected as the new BDR.

Multiaccess OSPF Networks
The ip ospf priority Command
• If the interface priorities are equal on all routers, the router with the highest router ID
is elected the DR.
• Instead of relying on the router ID, it is better to control the election by setting
interface priorities. This also allows a router to be the DR in one network and a
DROTHER in another.
• To set the priority of an interface, use the command ip ospf priority value, where
value is 0 to 255.
• A value of 0 does not become a DR or a BDR.
• A value of 1 to 255 on the interface makes it more likely that the router becomes the DR or the
BDR.
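The election rules on this and the two preceding slides (priority first, router ID as the tie-breaker, priority 0 never eligible, no pre-emption once a DR exists, BDR promoted when the DR fails and only the BDR seat re-elected), as an added Python simulation. This is example code written for this page, not Cisco's, and it is a simplified model of the slides' description rather than the full RFC 2328 election procedure. Router 4.4.4.4 and the priority changes in simulate() are constructed to walk through the scenarios the slides describe.

```python
from dataclasses import dataclass

@dataclass
class Router:
    router_id: str
    priority: int = 1   # default interface priority on multiaccess broadcast interfaces

def rid_key(router_id):
    """Compare router IDs numerically, octet by octet, not as strings."""
    return tuple(int(o) for o in router_id.split("."))

def elect(routers, current_dr=None, current_bdr=None):
    """Return (dr, bdr) router IDs for one multiaccess segment.

    Simplified model of the slides' rules: highest priority wins, highest router ID
    breaks ties, priority 0 is never eligible. An incumbent DR/BDR keeps its role
    (no pre-emption), so a newly added router never triggers a fresh election.
    If the DR has gone, the BDR is promoted and only the BDR seat is re-elected."""
    eligible = [r for r in routers if r.priority > 0]
    ranked = sorted(eligible, key=lambda r: (r.priority, rid_key(r.router_id)), reverse=True)
    present = {r.router_id for r in eligible}
    dr = current_dr if current_dr in present else None
    bdr = current_bdr if current_bdr in present else None
    if dr is None and bdr is not None:
        dr, bdr = bdr, None          # DR failed: BDR is promoted even if a better candidate exists
    if dr is None and ranked:
        dr = ranked[0].router_id     # fresh election (first router up, or clear ip ospf process)
    if bdr is None:
        bdr = next((r.router_id for r in ranked if r.router_id != dr), None)
    return dr, bdr

def simulate():
    """Walk through the scenarios described in the module and return each outcome."""
    r1, r2, r3, r4 = Router("1.1.1.1"), Router("2.2.2.2"), Router("3.3.3.3"), Router("4.4.4.4")
    out = {}
    out["initial"] = elect([r1, r2, r3])                        # highest router ID wins
    out["r4_joins"] = elect([r1, r2, r3, r4], *out["initial"])  # no new election: roles unchanged
    out["dr_fails"] = elect([r1, r2, r4], *out["r4_joins"])     # BDR promoted; new BDR elected
    r1.priority = 255                                           # ip ospf priority 255 on R1
    out["after_clear"] = elect([r1, r2, r3, r4])                # clear ip ospf process: fresh election
    r4.priority = 0                                             # ip ospf priority 0: never DR/BDR
    out["r4_ineligible"] = elect([r1, r2, r3, r4])
    return out

if __name__ == "__main__":
    for scenario, (dr, bdr) in simulate().items():
        print(f"{scenario:14} DR={dr} BDR={bdr}")
```

Note that rid_key() compares octets as integers: a string comparison would rank 9.0.0.1 above 10.0.0.1, which is not how the router ID tie-break works.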

Multiaccess OSPF Networks
Configure OSPF Priority
The example shows the commands being used to change the R1 G0/0/0 interface priority
from 1 to 255 and then reset the OSPF process.

R1(config)# interface GigabitEthernet 0/0/0
R1(config-if)# ip ospf priority 255
R1(config-if)# end
R1# clear ip ospf process
Reset ALL OSPF processes? [no]: y
R1#
*Jun 5 03:47:41.563: %OSPF-5-ADJCHG: Process 10, Nbr 2.2.2.2 on GigabitEthernet0/0/0
from FULL to DOWN, Neighbor Down: Interface down or detached

Multiaccess OSPF Networks
Packet Tracer - Determine the DR and BDR
In this activity, you will complete the following:
• Examine DR and BDR roles and watch the roles change when there is a change in
the network.
• Modify the priority to control the roles and force a new election.
• Verify routers are filling the desired roles

2.4 Modify Single-Area OSPFv2

Modify Single-Area OSPFv2
Cisco OSPF Cost Metric
• Routing protocols use a metric to determine the best path of a packet across a
network. OSPF uses cost as a metric. A lower cost indicates a better path.
• The Cisco cost of an interface is inversely proportional to the bandwidth of the
interface. Therefore, a higher bandwidth indicates a lower cost. The formula used to
calculate the OSPF cost is:
Cost = reference bandwidth / interface bandwidth
• The default reference bandwidth is 10^8 (100,000,000); therefore, the formula is:
Cost = 100,000,000 bps / interface bandwidth in bps
• Because the OSPF cost value must be an integer, FastEthernet, Gigabit Ethernet, and
10 GigE interfaces share the same cost. To correct this situation, you can:
• Adjust the reference bandwidth with the auto-cost reference-bandwidth command on each
OSPF router.
• Manually set the OSPF cost value with the ip ospf cost command on necessary interfaces.

Modify Single-Area OSPFv2
Cisco OSPF Cost Metric (Cont.)
Refer to the table for a breakdown of the cost calculation.

Modify Single-Area OSPFv2
Adjust the Reference Bandwidth
• The cost value must be an integer. If something less than an integer is calculated,
OSPF rounds up to the nearest integer. Therefore, the OSPF cost assigned to a
Gigabit Ethernet interface with the default reference bandwidth of 100,000,000 bps
would equal 1, because the result of 0.1 is rounded up to 1 rather than down to 0.
Cost = 100,000,000 bps / 1,000,000,000 = 1
• For this reason, all interfaces faster than Fast Ethernet will have the same cost value
of 1 as a Fast Ethernet interface.
• To assist OSPF in making the correct path determination, the reference bandwidth
must be changed to a higher value to accommodate networks with links faster than
100 Mbps.

Modify Single-Area OSPFv2
Adjust the Reference Bandwidth (Cont.)
• Changing the reference bandwidth does not actually affect the bandwidth capacity on
the link; rather, it simply affects the calculation used to determine the metric.
• To adjust the reference bandwidth, use the auto-cost reference-bandwidth Mbps
router configuration command.
• This command must be configured on every router in the OSPF domain.
• Notice in the command that the value is expressed in Mbps; therefore, to adjust the costs for
Gigabit Ethernet, use the command auto-cost reference-bandwidth 1000. For 10 Gigabit
Ethernet, use the command auto-cost reference-bandwidth 10000.
• To return to the default reference bandwidth, use the auto-cost reference-bandwidth 100
command.
• Another option is to change the cost on one specific interface using the ip ospf cost
cost command.

Modify Single-Area OSPFv2
Adjust the Reference Bandwidth (Cont.)
• Whichever method is used, it is important to apply the configuration to all routers in the
OSPF routing domain.
• The table shows the OSPF cost if the reference bandwidth is adjusted to
accommodate 10 Gigabit Ethernet links. The reference bandwidth should be adjusted
anytime there are links faster than FastEthernet (100 Mbps).
• Use the show ip ospf interface command to verify the current OSPFv2 cost assigned
to the interface.

Modify Single-Area OSPFv2
OSPF Accumulates Cost
• The cost of an OSPF route is the accumulated value from one router to the destination
network.
• Assuming the auto-cost reference-bandwidth 10000 command has been configured on all three
routers, the cost of the links between each router is now 10. The loopback interfaces have a
default cost of 1.

Modify Single-Area OSPFv2
OSPF Accumulates Cost (Cont.)
• You can calculate the cost for each router to reach each network.
• For example, the total cost for R1 to reach the 10.10.2.0/24 network is 11. This is because
the link to R2 cost = 10 and the loopback default cost = 1. 10 + 1 = 11.
• You can verify this with the show ip route command.

Modify Single-Area OSPFv2
OSPF Accumulates Cost (Cont.)
Verifying the accumulated cost for the path to the 10.10.2.0/24 network:

R1# show ip route | include 10.10.2.0
O 10.10.2.0/24 [110/11] via 10.1.1.6, 01:05:02, GigabitEthernet0/0/0
R1# show ip route 10.10.2.0
Routing entry for 10.10.2.0/24
Known via "ospf 10", distance 110, metric 11, type intra area
Last update from 10.1.1.6 on GigabitEthernet0/0/0, 01:05:13 ago
Routing Descriptor Blocks:
* 10.1.1.6, from 2.2.2.2, 01:05:13 ago, via GigabitEthernet0/0/0
Route metric is 11, traffic share count is 1
R1#

Modify Single-Area OSPFv2
Manually Set OSPF Cost Value
Reasons to manually set the cost value include:
• The administrator may want to influence path selection within OSPF, causing different paths to be
selected than would normally be selected given default costs and cost accumulation.
• Connections to equipment from other vendors who use a different formula to calculate OSPF cost.

To change the cost value reported by the local OSPF router to other OSPF routers, use
the interface configuration command ip ospf cost value.

R1(config)# interface g0/0/1
R1(config-if)# ip ospf cost 30
R1(config-if)# interface lo0
R1(config-if)# ip ospf cost 10
R1(config-if)# end
R1#

Modify Single-Area OSPFv2
Test Failover to Backup Route
What happens if the link between R1 and R2 goes down? You can simulate that by
shutting down the Gigabit Ethernet 0/0/0 interface and verifying the routing table is
updated to use R3 as the next-hop router. Notice that R1 can now reach the 10.1.1.4/30
network through R3 with a cost value of 50.

R1# show ip route ospf | begin 10
10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
O 10.1.1.4/30 [110/50] via 10.1.1.13, 00:00:14, GigabitEthernet0/0/1
O 10.1.1.8/30 [110/40] via 10.1.1.13, 00:00:14, GigabitEthernet0/0/1
O 10.10.2.0/24 [110/50] via 10.1.1.13, 00:00:14, GigabitEthernet0/0/1
O 10.10.3.0/24 [110/40] via 10.1.1.13, 00:00:14, GigabitEthernet0/0/1
R1#

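The cost formula from the Cisco OSPF Cost Metric slides, and the way costs accumulate into the metrics shown in the show ip route output on the OSPF Accumulates Cost and Test Failover to Backup Route slides, as an added Python example written for this page (not Cisco's code). It computes per-interface costs for a given reference bandwidth and then runs a shortest-path (SPF) computation over this module's three-router topology, so the accumulated metric for each prefix can be compared with the router output. Two scenarios are modelled: reference bandwidth 10000 with loopbacks at the default cost of 1, which reproduces the metric 11 for 10.10.2.0/24; and the manually set costs from the Manually Set OSPF Cost Value slide with R1's interface to R2 shut down, which reproduces the four metrics in the failover output. The costs of 10 on R2's and R3's loopbacks and on the R2-R3 link are assumptions consistent with that output; the slides do not state them.

```python
import heapq

def ospf_cost(interface_bps, reference_bw_mbps=100):
    """Cisco OSPF cost = reference bandwidth / interface bandwidth, as an integer.
    IOS truncates the quotient (a T1 at 1.544 Mbps costs 64 with the default), and a
    result below 1 becomes 1, which is why Fast, Gigabit and 10 Gigabit Ethernet all
    cost 1 until the reference bandwidth is raised."""
    return max(1, (reference_bw_mbps * 1_000_000) // interface_bps)

# Topology of this module: three routers, three point-to-point links, one loopback
# network each. Interface costs are keyed "router@link" or "router@lo0".
LINKS = {"R1-R2": "10.1.1.4/30", "R1-R3": "10.1.1.12/30", "R2-R3": "10.1.1.8/30"}
LOOPBACKS = {"R1": "10.10.1.0/24", "R2": "10.10.2.0/24", "R3": "10.10.3.0/24"}

def uniform_costs(link_cost, loopback_cost):
    """Every link interface at link_cost, every loopback at loopback_cost."""
    costs = {f"{r}@lo0": loopback_cost for r in LOOPBACKS}
    for link in LINKS:
        for r in link.split("-"):
            costs[f"{r}@{link}"] = link_cost
    return costs

def manual_costs():
    """Costs after the ip ospf cost commands on the slides: R1 G0/0/1 (to R3) = 30,
    R1 Lo0 = 10. ASSUMED (not on the slides, but consistent with the failover output):
    every other link interface costs 10 and the R2/R3 loopbacks cost 10."""
    costs = uniform_costs(10, 10)
    costs["R1@R1-R3"] = 30
    return costs

def build_graph(costs, shutdown=()):
    """Directed graph {node: {neighbor: cost}}. A router reaches its peer and the link
    prefix at its own interface cost; interfaces listed in shutdown contribute nothing."""
    graph = {r: {} for r in LOOPBACKS}
    for link, prefix in LINKS.items():
        a, b = link.split("-")
        for me, peer in ((a, b), (b, a)):
            key = f"{me}@{link}"
            if key not in shutdown:
                graph[me][peer] = costs[key]
                graph[me][prefix] = costs[key]
    for r, prefix in LOOPBACKS.items():
        graph[r][prefix] = costs[f"{r}@lo0"]
    return graph

def shortest_paths(graph, source):
    """Dijkstra (the SPF algorithm); returns {node: (accumulated cost, next hop)}."""
    dist, next_hop = {source: 0}, {}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nbr, cost in graph.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                next_hop[nbr] = nbr if node == source else next_hop[node]
                heapq.heappush(heap, (nd, nbr))
    return {n: (dist[n], next_hop.get(n)) for n in dist}

def r1_ospf_routes(costs, shutdown=()):
    """Prefixes R1 learns via another router, like 'show ip route ospf' on R1
    (directly attached prefixes are left out, as they would be connected routes)."""
    paths = shortest_paths(build_graph(costs, shutdown), "R1")
    return {dst: v for dst, v in paths.items() if "/" in dst and v[1] in LOOPBACKS}

if __name__ == "__main__":
    for bw in (100_000_000, 1_000_000_000, 10_000_000_000):
        print(f"{bw / 1e6:>8.0f} Mbps: cost {ospf_cost(bw)} (ref 100), "
              f"{ospf_cost(bw, 10000)} (ref 10000)")
    gig = ospf_cost(1_000_000_000, 10000)                          # 10, as on the slides
    print(r1_ospf_routes(uniform_costs(gig, 1)))                  # 10.10.2.0/24 -> (11, 'R2')
    print(r1_ospf_routes(manual_costs(), shutdown={"R1@R1-R2"}))  # failover via R3
```

Shutting only R1's side of the R1-R2 link, rather than both ends, matches the slide: R2 keeps advertising 10.1.1.4/30, which is why R1 still learns that prefix (via R3, at cost 50).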
Modify Single-Area OSPFv2
Hello Packet Intervals
• OSPFv2 Hello packets are transmitted to multicast address 224.0.0.5 (all OSPF
routers) every 10 seconds. This is the default timer value on multiaccess and point-to-
point networks.
Note: Hello packets are not sent on interfaces set to passive by the passive-interface command.
• The Dead interval is the period that the router waits to receive a Hello packet before
declaring the neighbor down. If the Dead interval expires before the routers receive a
Hello packet, OSPF removes that neighbor from its link-state database (LSDB). The
router floods the LSDB with information about the down neighbor out all OSPF-
enabled interfaces. Cisco uses a default of 4 times the Hello interval. This is 40
seconds on multiaccess and point-to-point networks.

Modify Single-Area OSPFv2
Verify Hello and Dead Intervals
• The OSPF Hello and Dead intervals are configurable on a per-interface basis.
• The OSPF intervals must match or a neighbor adjacency does not occur.
• To verify the currently configured OSPFv2 interface intervals, use the show ip ospf
interface command. The Gigabit Ethernet 0/0/0 Hello and Dead intervals are set to the
default 10 seconds and 40 seconds respectively.

R1# show ip ospf interface g0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Internet Address 10.1.1.5/30, Area 0, Attached via Interface Enable
Process ID 10, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 10
Topology-MTID Cost Disabled Shutdown Topology Name
0 10 no no Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
(output omitted)

Modify Single-Area OSPFv2
Verify Hello and Dead Intervals (Cont.)
Use the show ip ospf neighbor command to see the Dead Time counting down from 40
seconds. By default, this value is refreshed every 10 seconds when R1 receives a Hello
from the neighbor.

R1# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 0 FULL/ - 00:00:35 10.1.1.13 GigabitEthernet0/0/1
2.2.2.2 0 FULL/ - 00:00:31 10.1.1.6 GigabitEthernet0/0/0
R1#

Modify Single-Area OSPFv2
Modify OSPFv2 Intervals
• It may be desirable to change the OSPF timers so that routers detect network failures
in less time. Doing this increases traffic, but sometimes the need for quick
convergence is more important than the extra traffic it creates.
Note: The default Hello and Dead intervals are based on best practices and should only be altered in
rare situations.
• OSPFv2 Hello and Dead intervals can be modified manually using the following
interface configuration mode commands:

Router(config-if)# ip ospf hello-interval seconds
Router(config-if)# ip ospf dead-interval seconds

• Use the no ip ospf hello-interval and no ip ospf dead-interval commands
to reset the intervals to their default.

Modify Single-Area OSPFv2
Modify OSPFv2 Intervals (Cont.)
• In the example, the Hello interval for the link between R1 and R2 is changed to 5
seconds. The Cisco IOS automatically modifies the Dead interval to four times the
Hello interval. However, you can document the new Dead interval in the configuration
by manually setting it to 20 seconds, as shown.
• When the Dead Timer on R1 expires, R1 and R2 lose adjacency. R1 and R2 must be
configured with the same Hello interval. Use the show ip ospf neighbor command
on R1 to verify the neighbor adjacencies.
R1(config)# interface g0/0/0
R1(config-if)# ip ospf hello-interval 5
R1(config-if)# ip ospf dead-interval 20
R1(config-if)#
*Jun 7 04:56:07.571: %OSPF-5-ADJCHG: Process 10, Nbr 2.2.2.2 on GigabitEthernet0/0/0
from FULL to DOWN, Neighbor Down: Dead timer expired
R1(config-if)# end
R1# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 0 FULL/ - 00:00:37 10.1.1.13 GigabitEthernet0/0/1
R1#
Modify Single-Area OSPFv2
Packet Tracer - Modify Single-Area OSPFv2
In this Packet Tracer activity, you will complete the following:
• Adjust the reference bandwidth to account for gigabit and faster speeds
• Modify the OSPF cost value
• Modify the OSPF Hello timers
• Verify the modifications are accurately reflected in the routers.

2.5 Default Route Propagation

Default Route Propagation
Propagate a Default Static Route in OSPFv2
To propagate a default route, the edge router must be configured with the following:
• A default static route using the ip route 0.0.0.0 0.0.0.0 [next-hop-address | exit-intf] command.
• The default-information originate router configuration command. This instructs R2 to be the
source of the default route information and propagate the default static route in OSPF updates.
In the example, R2 is configured with a loopback to simulate a connection to the internet.
A default route is configured and propagated to all other OSPF routers in the routing
domain.
Note: When configuring static routes, best practice is to use the next-hop IP address. However, when simulating a
connection to the internet, there is no next-hop IP address. Therefore, we use the exit-intf argument.
R2(config)# interface lo1
R2(config-if)# ip address 64.100.0.1 255.255.255.252
R2(config-if)# exit
R2(config)# ip route 0.0.0.0 0.0.0.0 loopback 1
%Default route without gateway, if not a point-to-point interface, may impact performance
R2(config)# router ospf 10
R2(config-router)# default-information originate
R2(config-router)# end
R2#

Default Route Propagation
Verify the Propagated Default Route
• You can verify the default route settings on R2 using the show ip route command.
You can also verify that R1 and R3 received a default route.
• Notice that the route source on R1 is O*E2, signifying that it was learned using
OSPFv2. The asterisk identifies this as a good candidate for the default route. The E2
designation identifies that it is an external route. The meaning of E1 and E2 is beyond
the scope of this module.
R2# show ip route | begin Gateway
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Loopback1
10.0.0.0/8 is variably subnetted, 9 subnets, 3 masks
(output omitted)

R1# show ip route | begin Gateway
Gateway of last resort is 10.1.1.6 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 10.1.1.6, 00:11:08, GigabitEthernet0/0/0
10.0.0.0/8 is variably subnetted, 9 subnets, 3 masks
(output omitted)

Default Route Propagation
Packet Tracer - Propagate a Default Route in OSPFv2
In this Packet Tracer, you will complete the following:
• Part 1: Propagate a Default Route
• Part 2: Verify Connectivity

2.6 Verify Single-Area OSPFv2

Verify Single-Area OSPFv2
Verify OSPF Neighbors
After configuring single-area OSPFv2, you will need to verify your configurations. The
following two commands are particularly useful for verifying routing:
• show ip interface brief - This verifies that the desired interfaces are active with correct IP
addressing.
• show ip route - This verifies that the routing table contains all the expected routes.
Additional commands for determining that OSPF is operating as expected include the
following:
• show ip ospf neighbor
• show ip protocols
• show ip ospf
• show ip ospf interface

Verify Single-Area OSPFv2
Verify OSPF Neighbors (Cont.)
• Use the show ip ospf neighbor command to verify that the router has formed an
adjacency with its neighboring routers. If the router ID of the neighboring router is not
displayed, or if it does not show as being in a state of FULL, the two routers have not
formed an OSPFv2 adjacency.
Note: A non-DR or BDR router that has a neighbor relationship with another non-DR or BDR router
will display a two-way adjacency instead of full.
• The following command output displays the neighbor table of R1.

R1# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 0 FULL/ - 00:00:35 10.1.1.13 GigabitEthernet0/0/1
2.2.2.2 0 FULL/ - 00:00:31 10.1.1.6 GigabitEthernet0/0/0
R1#

Verify Single-Area OSPFv2
Verify OSPF Neighbors (Cont.)
Two routers may not form an OSPFv2 adjacency if the following occurs:
• The subnet masks do not match, causing the routers to be on separate networks.
• The OSPFv2 Hello or Dead Timers do not match.
• The OSPFv2 Network Types do not match.
• There is a missing or incorrect OSPFv2 network command.
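The checklist above, turned into a check that can be run against show ip ospf interface output collected from both ends of a link, as an added Python example written for this page (not Cisco tooling). The two excerpts are constructed, modelled on the R1 output shown earlier in this module; R2's side has been given a different mask, network type and Hello timer so that each check fires. The last reason on the list (a missing or incorrect network command) cannot be seen in this output, because the interface simply does not appear, so the check covers the first three plus the area ID, which must also match for an adjacency to form. The Dead-is-four-times-Hello relationship from the Hello Packet Intervals slide is reported separately as a warning.

```python
import ipaddress
import re

# Constructed excerpts of "show ip ospf interface" from both ends of the R1-R2 link,
# modelled on the R1 output in this module. R2's values are deliberately mismatched.
R1_G000 = """\
GigabitEthernet0/0/0 is up, line protocol is up
  Internet Address 10.1.1.5/30, Area 0, Attached via Interface Enable
  Process ID 10, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 10
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
"""
R2_G000 = """\
GigabitEthernet0/0/0 is up, line protocol is up
  Internet Address 10.1.1.6/29, Area 0, Attached via Interface Enable
  Process ID 10, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 10
  Timer intervals configured, Hello 5, Dead 40, Wait 40, Retransmit 5
"""

# Field name -> (regex that captures it from the output, type to convert it to)
FIELDS = {
    "address": (r"Internet Address (\S+),", str),
    "area": (r"Area (\S+),", str),
    "router_id": (r"Router ID (\S+),", str),
    "network_type": (r"Network Type (\S+),", str),
    "hello": (r"Hello (\d+),", int),
    "dead": (r"Dead (\d+),", int),
}

def parse_ospf_interface(text):
    """Pull the fields the adjacency checks need out of one interface's output."""
    parsed = {}
    for name, (pattern, cast) in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"{name} not found in output")
        parsed[name] = cast(m.group(1))
    return parsed

def adjacency_mismatches(local, remote):
    """Return the reasons (empty list if none) why these two interfaces will not
    form an OSPFv2 adjacency: different subnet, Hello or Dead timer, network type,
    or area. The subnet is compared from the address and prefix length, so a mask
    mismatch is caught even when the host addresses look like neighbors."""
    reasons = []
    l_net = ipaddress.ip_interface(local["address"]).network
    r_net = ipaddress.ip_interface(remote["address"]).network
    if l_net != r_net:
        reasons.append(f"subnet mismatch: {l_net} vs {r_net}")
    for field in ("hello", "dead", "network_type", "area"):
        if local[field] != remote[field]:
            reasons.append(f"{field} mismatch: {local[field]} vs {remote[field]}")
    return reasons

def timer_warnings(iface):
    """Dead should be four times Hello; IOS sets that automatically when Hello is
    changed, so any other ratio usually means a manual dead-interval override."""
    if iface["dead"] != 4 * iface["hello"]:
        return [f"{iface['router_id']}: Dead {iface['dead']} is not 4 x Hello {iface['hello']}"]
    return []

if __name__ == "__main__":
    r1, r2 = parse_ospf_interface(R1_G000), parse_ospf_interface(R2_G000)
    for line in adjacency_mismatches(r1, r2) + timer_warnings(r2):
        print(line)
```

Run against real output, the same parser works on the full show ip ospf interface text for one interface; feed it one interface block at a time, since re.search returns the first match it finds.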

Verify Single-Area OSPFv2
Verify OSPF Protocol Settings
The show ip protocols command is a quick way to verify vital OSPF configuration information, as
shown in the command output. This includes the OSPFv2 process ID, the router ID, interfaces
explicitly configured to advertise OSPF routes, the neighbors the router is receiving updates
from, and the default administrative distance, which is 110 for OSPF.

R1# show ip protocols
*** IP Routing is NSF aware ***
(output omitted)
Routing Protocol is "ospf 10"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 1.1.1.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
Routing on Interfaces Configured Explicitly (Area 0):
Loopback0
GigabitEthernet0/0/1
GigabitEthernet0/0/0
Routing Information Sources:
Gateway Distance Last Update
3.3.3.3 110 00:09:30
2.2.2.2 110 00:09:58
Distance: (default is 110)
R1#

Verify Single-Area OSPFv2
Verify OSPF Process Information
The show ip ospf command can also be used to examine the OSPFv2 process ID and router ID, as
shown in the command output. This command displays the OSPFv2 area information and the last
time the SPF algorithm was executed.

R1# show ip ospf
Routing Process "ospf 10" with ID 1.1.1.1
Start time: 00:01:47.390, Time elapsed: 00:12:32.320
(output omitted)
Cisco NSF helper support enabled
Reference bandwidth unit is 10000 mbps
    Area BACKBONE(0)
        Number of interfaces in this area is 3
        Area has no authentication
        SPF algorithm last executed 00:11:31.231 ago
        SPF algorithm executed 4 times
        Area ranges are
        Number of LSA 3. Checksum Sum 0x00E77E
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
R1#

Verify Single-Area OSPFv2
Verify OSPF Interface Settings
The show ip ospf interface command provides a detailed list for every OSPFv2-enabled
interface. Specify an interface to display the settings of just that interface. This command
shows the process ID, the local router ID, the type of network, OSPF cost, DR and BDR
information on multiaccess links (not shown), and adjacent neighbors.

R1# show ip ospf interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
  Internet Address 10.1.1.5/30, Area 0, Attached via Interface Enable
  Process ID 10, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 10
<output omitted>
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2
  Suppress hello for 0 neighbor(s)
R1#
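The adjacency checklist on the "Verify OSPF Neighbors (Cont.)" slide and the show ip ospf interface output above lend themselves to a small offline check. The following Python is an added example, not Cisco's code or part of the course: it parses show ip ospf neighbor and show ip ospf interface text and reports which of the listed preconditions (matching subnet, Hello/Dead timers, network type, plus the area-id carried by the network command) a pair of interfaces fails. R1's lines follow the slides; R2's output and the "Timer intervals configured" lines are constructed sample data (the slide omits that line under "output omitted"), and a missing network command cannot be caught this way because such an interface produces no show ip ospf interface output at all.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample output in the format of IOS "show ip ospf neighbor" and
# "show ip ospf interface". R1's lines follow the slide; R2's output and the
# "Timer intervals configured" lines are constructed for illustration.
R1_NEIGHBORS = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -        00:00:35    10.1.1.13       GigabitEthernet0/0/1
2.2.2.2           0   FULL/  -        00:00:31    10.1.1.6        GigabitEthernet0/0/0
"""
R1_GI000 = """\
GigabitEthernet0/0/0 is up, line protocol is up
  Internet Address 10.1.1.5/30, Area 0, Attached via Interface Enable
  Process ID 10, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 10
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
"""
# Correctly configured far end of the R1-R2 link (constructed).
R2_GI000 = """\
GigabitEthernet0/0/0 is up, line protocol is up
  Internet Address 10.1.1.6/30, Area 0, Attached via Interface Enable
  Process ID 10, Router ID 2.2.2.2, Network Type POINT_TO_POINT, Cost: 10
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
"""
# Misconfigured far end (constructed): wrong mask, wrong Dead timer, wrong network type.
R2_BAD = """\
GigabitEthernet0/0/0 is up, line protocol is up
  Internet Address 10.1.1.6/29, Area 0, Attached via Interface Enable
  Process ID 10, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 10
  Timer intervals configured, Hello 10, Dead 120, Wait 120, Retransmit 5
"""

@dataclass
class OspfInterface:
    address: str
    prefixlen: int
    area: str
    router_id: str
    network_type: str
    hello: int
    dead: int

    def subnet(self):
        # Both ends must sit in the same subnet; compare networks, not host addresses.
        return ipaddress.ip_interface(f"{self.address}/{self.prefixlen}").network

def parse_ospf_interface(text):
    """Pull the adjacency-relevant fields out of one interface's show ip ospf interface output."""
    addr = re.search(r"Internet Address (\d+\.\d+\.\d+\.\d+)/(\d+), Area ([^,\s]+)", text)
    proc = re.search(r"Router ID (\S+), Network Type (\S+),", text)
    timers = re.search(r"Hello (\d+), Dead (\d+)", text)
    if not (addr and proc and timers):
        raise ValueError("unrecognized show ip ospf interface output")
    return OspfInterface(addr.group(1), int(addr.group(2)), addr.group(3), proc.group(1),
                         proc.group(2), int(timers.group(1)), int(timers.group(2)))

def adjacency_problems(local, remote):
    """Reasons two interfaces cannot reach FULL, per the slide's checklist; [] means all agree."""
    problems = []
    if local.subnet() != remote.subnet():
        problems.append(f"subnet mismatch: {local.subnet()} vs {remote.subnet()}")
    if (local.hello, local.dead) != (remote.hello, remote.dead):
        problems.append(f"timer mismatch: Hello/Dead {local.hello}/{local.dead} "
                        f"vs {remote.hello}/{remote.dead}")
    if local.network_type != remote.network_type:
        problems.append(f"network type mismatch: {local.network_type} vs {remote.network_type}")
    if local.area != remote.area:
        # The area-id comes from the network (or ip ospf) command; a wrong one surfaces here.
        problems.append(f"area mismatch: {local.area} vs {remote.area}")
    return problems

def neighbor_states(text):
    """Map each neighbor router ID in show ip ospf neighbor output to its State column."""
    row = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+\d+\s+(\w+/\s*\S+)\s+\S+\s+\S+\s+\S+")
    states = {}
    for line in text.splitlines():
        m = row.match(line.strip())
        if m:
            states[m.group(1)] = re.sub(r"\s+", "", m.group(2))  # "FULL/  -" -> "FULL/-"
    return states

def not_full(text):
    """Neighbors not in FULL state (2WAY/DROTHER between two DROTHERs is normal on multiaccess)."""
    return {nid: st for nid, st in neighbor_states(text).items() if not st.startswith("FULL")}

if __name__ == "__main__":
    print(neighbor_states(R1_NEIGHBORS))
    print(adjacency_problems(parse_ospf_interface(R1_GI000), parse_ospf_interface(R2_GI000)))
    print(adjacency_problems(parse_ospf_interface(R1_GI000), parse_ospf_interface(R2_BAD)))
```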

Verify Single-Area OSPFv2
Verify OSPF Interface Settings (Cont.)
To get a quick summary of OSPFv2-enabled interfaces, use the show ip ospf interface
brief command, as shown in the command output. This command is useful for seeing
important information including:
• Interfaces that are participating in OSPF
• Networks that are being advertised (IP Address/Mask)
• Cost of each link
• Network state
• Number of neighbors on each link

R1# show ip ospf interface brief

Interface    PID   Area   IP Address/Mask    Cost  State  Nbrs F/C
Lo0          10    0      10.10.1.1/24       10    P2P    0/0
Gi0/0/1      10    0      10.1.1.14/30       30    P2P    1/1
Gi0/0/0      10    0      10.1.1.5/30        10    P2P    1/1
R1#

Verify Single-Area OSPFv2
Packet Tracer - Verify Single-Area OSPFv2
In this Packet Tracer, you will complete the following:
• Identify and verify the status of OSPF neighbors.
• Determine how the routes are being learned in the network.
• Explain how the neighbor state is determined.
• Examine the settings for the OSPF process ID.
• Add a new LAN into an existing OSPF network and verify connectivity.

2.7 Module Practice and Quiz

Module Practice and Quiz
Packet Tracer - Single-Area OSPFv2 Configuration
In this Packet Tracer, you will complete the following:

• Implement single-area OSPFv2 in both point-to-point and broadcast multiaccess networks.

Module Practice and Quiz
Lab - Single-Area OSPFv2 Configuration
In this lab, you will complete the following objectives:
• Build the network and configure basic device settings
• Configure and verify single-area OSPFv2 for basic operation
• Optimize and verify the single-area OSPFv2 configuration

Module Practice and Quiz
What Did I Learn In This Module?
• OSPFv2 is enabled using the router ospf process-id global configuration mode command. The
process-id value represents a number between 1 and 65,535 and is selected by the network
administrator.
• An OSPF router ID is a 32-bit value, represented as an IPv4 address. The router ID is used by an
OSPF-enabled router to synchronize OSPF databases and participate in the election of the DR and
BDR.
• Cisco routers derive the router ID based on one of three criteria, in this order: 1) the router ID is
explicitly configured using the OSPF router-id rid router configuration mode command, 2) the
router chooses the highest IPv4 address of any configured loopback interfaces, or 3) the router
chooses the highest active IPv4 address of any of its physical interfaces.
• The basic syntax for the network command is network network-address wildcard-mask area area-
id. Any interfaces on a router that match the network address in the network command can send
and receive OSPF packets.
• When configuring single-area OSPFv2, the network command must be configured with the same
area-id value on all routers. The wildcard mask is typically the inverse of the subnet mask
configured on that interface, but could also be a quad zero wildcard mask, which would specify the
exact interface.
Module Practice and Quiz
What Did I Learn In This Module? (Cont.)
• To configure OSPF directly on the interface, use the ip ospf interface configuration mode
command. The syntax is ip ospf process-id area area-id.
• Use the passive-interface router configuration mode command to stop transmitting routing
messages through a router interface, but still allow that network to be advertised to other routers.
• The DR/BDR election process is unnecessary because there can only be two routers on the point-to-
point network between R1 and R2. Use the interface configuration command ip ospf network
point-to-point on all interfaces where you want to disable the DR/BDR election process.
• By default, loopback interfaces are advertised as /32 host routes. To simulate a real LAN, the
Loopback 0 interface is configured as a point-to-point network.
• OSPF Network Types
• The DR is responsible for collecting and distributing LSAs. The DR uses the multicast IPv4
address 224.0.0.5, which is meant for all OSPF routers. If the DR stops producing Hello packets, the
BDR promotes itself and assumes the role of DR. All other routers become a DROTHER.
• DROTHERs use the multiaccess address 224.0.0.6 (all designated routers) to send OSPF packets
to the DR and BDR. Only the DR and BDR listen for 224.0.0.6.
• To verify the roles of the OSPFv2 router, use the show ip ospf interface command.

Module Practice and Quiz
What Did I Learn In This Module? (Cont.)
• To verify the OSPFv2 adjacencies, use the show ip ospf neighbor command. The state of
neighbors in multiaccess networks can be: FULL/DROTHER, FULL/DR, FULL/BDR, or 2-
WAY/DROTHER.
• The OSPF DR and BDR election decision is based on the router with the highest interface priority
as the DR. The router with the second highest interface priority is elected as the BDR. If the
interface priorities are equal, then the router with the highest router ID is elected the DR. The router
with the second highest router ID is the BDR.
• The interface priority can be configured to be any number between 0 and 255. If the interface priority
value is set to 0, that interface cannot be elected as DR nor BDR. The default priority of multiaccess
broadcast interfaces is 1.
• OSPF DR and BDR elections are not pre-emptive. If the DR fails, the BDR is automatically
promoted to DR.
• To set the priority of an interface, use the command ip ospf priority value, where value is 0 to 255.
If the value is 0, the router will not become a DR or BDR. If the value is 1 to 255, then the router
with the higher priority value will more likely become the DR or BDR on the interface.
• OSPF uses cost as a metric. A lower cost indicates a better path than a higher cost.
• The formula used to calculate the OSPF cost is: Cost = reference bandwidth / interface bandwidth.
Module Practice and Quiz
What Did I Learn In This Module? (Cont.)
• Because the OSPF cost value must be an integer, FastEthernet, Gigabit Ethernet, and 10 GigE
interfaces share the same cost. To correct this situation, you can adjust the reference bandwidth
with the auto-cost reference-bandwidth command on each OSPF router, or manually set the
OSPF cost value with the ip ospf cost command.
• The cost of an OSPF route is the accumulated value from one router to the destination network.
OSPF cost values can be manipulated to influence the route chosen by OSPF. To change the cost
value reported by the local OSPF router to other OSPF routers, use the interface configuration
command ip ospf cost value.
• If the Dead interval expires before the routers receive a Hello packet, OSPF removes that neighbor
from its link-state database (LSDB). The router floods the LSDB with information about the down
neighbor out all OSPF-enabled interfaces.
• Cisco uses a default of 4 times the Hello interval or 40 seconds on multiaccess and point-to-point
networks. To verify the OSPFv2 interface intervals, use the show ip ospf interface command.
• OSPFv2 Hello and Dead intervals can be modified manually using the following interface
configuration mode commands: ip ospf hello-interval and ip ospf dead-interval.

Module Practice and Quiz
What Did I Learn In This Module? (Cont.)
• In OSPF terminology, the router located between an OSPF routing domain and a non-OSPF
network is called the ASBR. To propagate a default route, the ASBR must be configured with a
default static route using the ip route 0.0.0.0 0.0.0.0 [next-hop-address | exit-intf] command, and
the default-information originate router configuration command.
• Verify the default route settings on the ASBR using the show ip route command.
• Additional commands for determining that OSPF is operating as expected include: show ip ospf
neighbor, show ip protocols, show ip ospf, and show ip ospf interface.
• Use the show ip ospf neighbor command to verify that the router has formed an adjacency with its
neighboring routers.

Module 3: Network Security
Concepts
Enterprise Networking, Security, and Automation v7.0
(ENSA)
Module Objectives
Module Title: Network Security Concepts

Module Objective: Explain how vulnerabilities, threats, and exploits can be mitigated to enhance
network security.
Topic Title Topic Objective
Current State of Cybersecurity: Describe the current state of cybersecurity and vectors of data loss.
Threat Actors: Describe tools used by threat actors to exploit networks.
Malware: Describe malware types.
Common Network Attacks: Describe common network attacks.
IP Vulnerabilities and Threats: Explain how IP vulnerabilities are exploited by threat actors.
TCP and UDP Vulnerabilities: Explain how TCP and UDP vulnerabilities are exploited by threat actors.
IP Services: Explain how IP services are exploited by threat actors.
Network Security Best Practices: Describe best practices for protecting a network.
Cryptography: Describe common cryptographic processes used to protect data in transit.

Ethical Hacking Statement
• In this module, learners may be exposed to tools and techniques in a “sandboxed”, virtual machine
environment to demonstrate various types of cyber attacks. Experimentation with these tools,
techniques, and resources is at the discretion of the instructor and local institution. If the learner is
considering using attack tools for educational purposes, they should contact their instructor prior to
any experimentation.
• Unauthorized access to data, computer, and network systems is a crime in many jurisdictions and
often is accompanied by severe consequences, regardless of the perpetrator’s motivations. It is the
learner’s responsibility, as the user of this material, to be cognizant of and compliant with computer
use laws.

3.1 Current State of
Cybersecurity

Current State of Cybersecurity
Current State of Affairs
• Cyber criminals now have the expertise and tools necessary to take down critical infrastructure and
systems. Their tools and techniques continue to evolve.
• Maintaining a secure network ensures the safety of network users and protects commercial
interests. All users should be aware of security terms in the table.

Security Terms Description
Assets: An asset is anything of value to the organization. It includes people, equipment, resources, and data.
Vulnerability: A vulnerability is a weakness in a system, or its design, that could be exploited by a threat.
Threat: A threat is a potential danger to a company’s assets, data, or network functionality.
Exploit: An exploit is a mechanism that takes advantage of a vulnerability.
Mitigation: Mitigation is the counter-measure that reduces the likelihood or severity of a potential threat or risk. Network security involves multiple mitigation techniques.
Risk: Risk is the likelihood of a threat to exploit the vulnerability of an asset, with the aim of negatively affecting an organization. Risk is measured using the probability of the occurrence of an event and its consequences.

Current State of Cybersecurity
Vectors of Network Attacks
• An attack vector is a path by which a threat actor can gain access to a server, host, or network.
Attack vectors originate from inside or outside the corporate network, as shown in the figure.
• Internal threats have the potential to cause greater damage than external threats because internal
users have direct access to the building and its infrastructure devices.

Current State of Cybersecurity
Data Loss
Data loss or data exfiltration is when data is intentionally or unintentionally lost, stolen, or
leaked to the outside world. The data loss can result in:
• Brand damage and loss of reputation
• Loss of competitive advantage
• Loss of customers
• Loss of revenue
• Litigation/legal action resulting in fines and civil penalties
• Significant cost and effort to notify affected parties and recover from the breach
Network security professionals must protect the organization’s data. Various Data Loss
Prevention (DLP) controls must be implemented which combine strategic, operational and
tactical measures.

Current State of Cybersecurity
Data Loss (Cont.)

Data Loss Vectors Description
Email/Social Networking: Intercepted email or IM messages could be captured and reveal confidential information.
Unencrypted Devices: If the data is not stored using an encryption algorithm, then the thief can retrieve valuable confidential data.
Cloud Storage Devices: Sensitive data can be lost if access to the cloud is compromised due to weak security settings.
Removable Media: One risk is that an employee could perform an unauthorized transfer of data to a USB drive. Another risk is that a USB drive containing valuable corporate data could be lost.
Hard Copy: Confidential data should be shredded when no longer required.
Improper Access Control: Passwords or weak passwords which have been compromised can provide a threat actor with easy access to corporate data.

3.2 Threat Actors

Threat Actors
The Hacker
Hacker is a common term used to describe a threat actor

Hacker Type Description
White Hat Hackers: These are ethical hackers who use their programming skills for good, ethical, and legal purposes. Security vulnerabilities are reported to developers for them to fix before the vulnerabilities can be exploited.
Gray Hat Hackers: These are individuals who commit crimes and do arguably unethical things, but not for personal gain or to cause damage. Gray hat hackers may disclose a vulnerability to the affected organization after having compromised their network.
Black Hat Hackers: These are unethical criminals who compromise computer and network security for personal gain, or for malicious reasons, such as attacking networks.

Threat Actors
The Evolution of Hackers
The table displays modern hacking terms and a brief description of each.

Hacking Term Description
Script Kiddies: These are teenagers or inexperienced hackers running existing scripts, tools, and exploits, to cause harm, but typically not for profit.
Vulnerability Broker: These are usually gray hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards.
Hacktivists: These are gray hat hackers who publicly protest organizations or governments by posting articles, videos, leaking sensitive information, and performing network attacks.
Cyber criminals: These are black hat hackers who are either self-employed or working for large cybercrime organizations.
State-Sponsored: These are either white hat or black hat hackers who steal government secrets, gather intelligence, and sabotage networks. Their targets are foreign governments, terrorist groups, and corporations. Most countries in the world participate to some degree in state-sponsored hacking.

Threat Actors
Cyber Criminals
It is estimated that cyber criminals steal billions of dollars from consumers and
businesses. Cyber criminals operate in an underground economy where they buy, sell,
and trade attack toolkits, zero day exploit code, botnet services, banking Trojans,
keyloggers, and much more. They also buy and sell the private information and
intellectual property they steal. Cyber criminals target small businesses and consumers,
as well as large enterprises and entire industries.

Threat Actors
Hacktivists
Two examples of hacktivist groups are Anonymous and the Syrian Electronic
Army. Although most hacktivist groups are not well organized, they can cause
significant problems for governments and businesses. Hacktivists tend to rely
on fairly basic, freely available tools.

Threat Actors
State-Sponsored Hackers
State-sponsored hackers create advanced, customized attack code, often using
previously undiscovered software vulnerabilities called zero-day vulnerabilities.
An example of a state-sponsored attack involves the Stuxnet malware that was
created to damage Iran’s nuclear enrichment capabilities.

3.3 Threat Actor Tools

Threat Actor Tools
Video – Threat Actor Tools
This video will cover the following:
• Explain the penetration testing tools
• Explain attack types

Threat Actor Tools
Introduction to Attack Tools
To exploit a vulnerability, a threat actor must have a technique or tool.
Over the years, attack tools have become more sophisticated, and
highly automated. These new tools require less technical knowledge to
implement.

Threat Actor Tools
Evolution of Security Tools
The table highlights categories of common penetration testing tools. Notice how some tools are used
by white hats and black hats. Keep in mind that the list is not exhaustive as new tools are always being
developed.
Penetration Testing Tool Description
Password Crackers: Password cracking tools are often referred to as password recovery tools and can be used to crack or recover a password. Password crackers repeatedly make guesses in order to crack the password. Examples of password cracking tools include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, Rainbow Crack, and Medusa.
Wireless Hacking Tools: Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities. Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and ViStumbler.
Network Scanning and Hacking Tools: Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
Packet Crafting Tools: These tools are used to probe and test a firewall’s robustness using specially crafted forged packets. Examples include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.
Packet Sniffers: These tools are used to capture and analyze packets within traditional Ethernet LANs or WLANs. Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.
Threat Actor Tools
Evolution of Security Tools (Cont.)
Penetration Testing Tool Description
Rootkit Detectors: This is a directory and file integrity checker used by white hats to detect installed root kits. Example tools include AIDE, Netfilter, and PF: OpenBSD Packet Filter.
Fuzzers to Search Vulnerabilities: Fuzzers are tools used by threat actors to discover a computer’s security vulnerabilities. Examples of fuzzers include Skipfish, Wapiti, and W3af.
Forensic Tools: These tools are used by white hat hackers to sniff out any trace of evidence existing in a computer. Examples of tools include Sleuth Kit, Helix, Maltego, and Encase.
Debuggers: These tools are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analyzing malware. Debugging tools include GDB, WinDbg, IDA Pro, and Immunity Debugger.
Hacking Operating Systems: These are specially designed operating systems preloaded with tools optimized for hacking. Examples of specially designed hacking operating systems include Kali Linux and BackBox Linux.
Encryption Tools: Encryption tools use algorithm schemes to encode the data to prevent unauthorized access to the encrypted data. Examples of these tools include VeraCrypt, CipherShed, OpenSSH, OpenSSL, Tor, OpenVPN, and Stunnel.
Vulnerability Exploitation Tools: These tools identify whether a remote host is vulnerable to a security attack. Examples of vulnerability exploitation tools include Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.
Vulnerability Scanners: These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and scan VMs, BYOD devices, and client databases. Examples of tools include Nipper, Core Impact, Nessus, SAINT, and OpenVAS.

Threat Actor Tools
Attack Types
Attack Type Description
Eavesdropping Attack: This is when a threat actor captures and “listens” to network traffic. This attack is also referred to as sniffing or snooping.
Data Modification Attack: If threat actors have captured enterprise traffic, they can alter the data in the packet without the knowledge of the sender or receiver.
IP Address Spoofing Attack: A threat actor constructs an IP packet that appears to originate from a valid address inside the corporate intranet.
Password-Based Attacks: If threat actors discover a valid user account, the threat actors have the same rights as the real user. Threat actors could use that valid account to obtain lists of other users, network information, change server and network configurations, and modify, reroute, or delete data.
Denial of Service Attack: A DoS attack prevents normal use of a computer or network by valid users. A DoS attack can flood a computer or the entire network with traffic until a shutdown occurs because of the overload. A DoS attack can also block traffic, which results in a loss of access to network resources by authorized users.
Man-in-the-Middle Attack: This attack occurs when threat actors have positioned themselves between a source and destination. They can now actively monitor, capture, and control the communication transparently.
Compromised-Key Attack: If a threat actor obtains a secret key, that key is referred to as a compromised key. A compromised key can be used to gain access to a secured communication without the sender or receiver being aware of the attack.
Sniffer Attack: A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet.

3.4 Malware

Malware
Overview of Malware
• Now that you know about the tools that hackers use, this topic introduces you to
different types of malware that hackers use to gain access to end devices.
• End devices are particularly prone to malware attacks. It is important to know about
malware because threat actors rely on users to install malware to help exploit the
security gaps.

Malware
Viruses and Trojan Horses
• The first and most common type of computer malware is a virus. Viruses require
human action to propagate and infect other computers.
• The virus hides by attaching itself to computer code, software, or documents on the
computer. When opened, the virus executes and infects the computer.
• Viruses can:
• Alter, corrupt, delete files, or erase entire drives.
• Cause computer booting issues, and corrupt applications.
• Capture and send sensitive information to threat actors.
• Access and use email accounts to spread.
• Lay dormant until summoned by the threat actor.

Malware
Viruses and Trojan Horses (Cont.)
Modern viruses are developed for specific intent such as those listed in the table.

Types of Viruses Description
Boot sector virus: Virus attacks the boot sector, file partition table, or file system.
Firmware viruses: Virus attacks the device firmware.
Macro virus: Virus uses the MS Office macro feature maliciously.
Program viruses: Virus inserts itself in another executable program.
Script viruses: Virus attacks the OS interpreter which is used to execute scripts.

Malware
Viruses and Trojan Horses (Cont.)
Threat actors use Trojan horses to compromise hosts. A Trojan horse is a program that looks useful but
also carries malicious code. Trojan horses are often provided with free online programs such as
computer games. There are several types of Trojan horses as described in the table.

Type of Trojan Horse Description
Remote-access: Trojan horse enables unauthorized remote access.
Data-sending: Trojan horse provides the threat actor with sensitive data, such as passwords.
Destructive: Trojan horse corrupts or deletes files.
Proxy: Trojan horse will use the victim's computer as the source device to launch attacks and perform other illegal activities.
FTP: Trojan horse enables unauthorized file transfer services on end devices.
Security software disabler: Trojan horse stops antivirus programs or firewalls from functioning.
Denial of Service (DoS): Trojan horse slows or halts network activity.
Keylogger: Trojan horse actively attempts to steal confidential information, such as credit card numbers, by recording key strokes entered into a web form.

Malware
Other Types of Malware
Malware Description
Adware
• Adware is usually distributed by downloading online software.
• Adware can display unsolicited advertising using pop-up web browser windows, new toolbars, or unexpectedly redirect a webpage to a different website.
• Pop-up windows may be difficult to control as new windows can pop-up faster than the user can close them.
Ransomware
• Ransomware typically denies a user access to their files by encrypting the files and then displaying a message demanding a ransom for the decryption key.
• Users without up-to-date backups must pay the ransom to decrypt their files.
• Payment is usually made using wire transfer or crypto currencies such as Bitcoin.
Rootkit
• Rootkits are used by threat actors to gain administrator account-level access to a computer.
• They are very difficult to detect because they can alter firewall, antivirus protection, system files, and even OS commands to conceal their presence.
• They can provide a backdoor to threat actors giving them access to the PC, and allowing them to upload files, and install new software to be used in a DDoS attack.
• Special rootkit removal tools must be used to remove them, or a complete OS re-install may be required.
Spyware
• Like adware, but used to gather information about the user and send it to threat actors without the user’s consent.
• Spyware can be a low threat, gathering browsing data, or it can be a high threat capturing personal and financial information.
Worm
• A worm is a self-replicating program that propagates automatically without user actions by exploiting vulnerabilities in legitimate software.
• It uses the network to search for other victims with the same vulnerability.
• The intent of a worm is usually to slow or disrupt network operations.
3.5 Common Network
Attacks

Common Network Attacks
Overview of Common Network Attacks
• When malware is delivered and installed, the payload can be used to cause a variety
of network related attacks.
• To mitigate attacks, it is useful to understand the types of attacks. By categorizing
network attacks, it is possible to address types of attacks rather than individual
attacks.
• Networks are susceptible to the following types of attacks:
• Reconnaissance Attacks
• Access Attacks
• DoS Attacks

Common Network Attacks
Video - Common Network Attacks
This video will explain the following techniques used in a reconnaissance attack:
• Perform an information query on a target
• Initiate a ping sweep of the target network
• Initiate a port scan of active IP addresses
• Run vulnerability scanners
• Run exploitation tools

Common Network Attacks
Reconnaissance Attacks
• Reconnaissance is information gathering.
• Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and
mapping of systems, services, or vulnerabilities. Recon attacks precede access
attacks or DoS attacks.

Common Network Attacks
Reconnaissance Attacks (Cont.)
Some of the techniques used by malicious threat actors to conduct reconnaissance attacks are
described in the table.

Technique Description
Perform an information query of a target: The threat actor is looking for initial information about a target. Various tools can be used, including Google searches, the organization’s website, whois, and more.
Initiate a ping sweep of the target network: The information query usually reveals the target’s network address. The threat actor can now initiate a ping sweep to determine which IP addresses are active.
Initiate a port scan of active IP addresses: This is used to determine which ports or services are available. Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
Run vulnerability scanners: This is to query the identified ports to determine the type and version of the application and operating system that is running on the host. Examples of tools include Nipper, Core Impact, Nessus, SAINT, and OpenVAS.
Run exploitation tools: The threat actor now attempts to discover vulnerable services that can be exploited. A variety of vulnerability exploitation tools exist including Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31
Common Network Attacks
Video – Access and Social Engineering Attacks
This video will cover the following:
• Techniques used in access attacks (password attacks, spoofing attacks, trust
exploitations, port redirections, man-in-the-middle attacks, buffer overflow attacks)
• Techniques used in social engineering attacks (pretexting, phishing, spear phishing,
spam, something for something, baiting, impersonation, tailgating, shoulder surfing,
dumpster diving)
Common Network Attacks
Access Attacks
• Access attacks exploit known vulnerabilities in authentication services, FTP services, and web
services. The purpose of these types of attacks is to gain entry to web accounts, confidential
databases, and other sensitive information.
• Threat actors use access attacks on network devices and computers to retrieve data, gain access,
or to escalate access privileges to administrator status.
• Password Attacks: In a password attack, the threat actor attempts to discover critical system
passwords using various methods. Password attacks are very common and can be launched using
a variety of password cracking tools.
• Spoofing Attacks: In spoofing attacks, the threat actor device attempts to pose as another device
by falsifying data. Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP
spoofing. These spoofing attacks will be discussed in more detail later in this module.
• Other Access attacks include:
• Trust exploitations
• Port redirections
• Man-in-the-middle attacks
• Buffer overflow attacks
Common Network Attacks
Social Engineering Attacks
• Social engineering is an access attack that attempts to manipulate individuals into
performing actions or divulging confidential information. Some social engineering
techniques are performed in-person while others may use the telephone or internet.
• Social engineers often rely on people’s willingness to be helpful. They also prey on
people’s weaknesses.
Common Network Attacks
Social Engineering Attacks (Cont.)
• Pretexting - A threat actor pretends to need personal or financial data to confirm the identity of
the recipient.
• Phishing - A threat actor sends fraudulent email which is disguised as being from a legitimate,
trusted source to trick the recipient into installing malware on their device, or to share personal or
financial information.
• Spear phishing - A threat actor creates a targeted phishing attack tailored for a specific individual
or organization.
• Spam - Also known as junk mail, this is unsolicited email which often contains harmful links,
malware, or deceptive content.
• Something for Something - Sometimes called “quid pro quo”, this is when a threat actor requests
personal information from a party in exchange for something such as a gift.
• Baiting - A threat actor leaves a malware-infected flash drive in a public location. A victim finds
the drive and unsuspectingly inserts it into their laptop, unintentionally installing malware.
• Impersonation - This type of attack is where a threat actor pretends to be someone they are not to
gain the trust of a victim.
• Tailgating - This is where a threat actor quickly follows an authorized person into a secure location
to gain access to a secure area.
• Shoulder surfing - This is where a threat actor inconspicuously looks over someone’s shoulder to
steal their passwords or other information.
• Dumpster diving - This is where a threat actor rummages through trash bins to discover confidential
documents.
Common Network Attacks
Social Engineering Attacks (Cont.)
• The Social Engineering Toolkit (SET) was designed to help white hat hackers and other network
security professionals create social engineering attacks to test their own networks.
• Enterprises must educate their users about the risks of social engineering, and develop strategies
to validate identities over the phone, via email, or in person.
• The figure shows recommended practices that should be followed by all users.
Common Network Attacks
Lab - Social Engineering
In this lab, you will research examples of social engineering and identify
ways to recognize and prevent it.
Common Network Attacks
Video – Denial of Service Attacks
This video will cover the following:
• Techniques used in Denial of Service attacks (overwhelming quantity of traffic,
maliciously formatted packets)
• Techniques used in Distributed Denial of Service attacks (zombies)
Common Network Attacks
DoS and DDoS Attacks
• A Denial of Service (DoS) attack creates some sort of interruption of network services
to users, devices, or applications. There are two major types of DoS attacks:
• Overwhelming Quantity of Traffic - The threat actor sends an enormous quantity of
data at a rate that the network, host, or application cannot handle. This causes
transmission and response times to slow down. It can also crash a device or service.
• Maliciously Formatted Packets - The threat actor sends a maliciously formatted
packet to a host or application and the receiver is unable to handle it. This causes the
receiving device to run very slowly or crash.
• DoS attacks are a major risk because they interrupt communication and cause
significant loss of time and money. These attacks are relatively simple to conduct,
even by an unskilled threat actor.
• A Distributed DoS Attack (DDoS) is similar to a DoS attack, but it originates from
multiple, coordinated sources.
3.6 IP Vulnerabilities and Threats
IP Vulnerabilities and Threats
Video – Common IP and ICMP Attacks
This video will cover the following:
• Techniques used in IP attacks (ICMP attacks, amplification and reflection attacks,
address spoofing attacks, man-in-the-middle attacks, session hijacking)
• Techniques used in ICMP attacks (ICMP echo request and echo reply, ICMP
unreachable, ICMP mask reply, ICMP redirects, ICMP router discovery)
IP Vulnerabilities and Threats
IPv4 and IPv6
• IP does not validate whether the source IP address contained in a packet actually came from that
source. For this reason, threat actors can send packets using a spoofed source IP address.
Security analysts must understand the different fields in both the IPv4 and IPv6 headers.
• Some of the more common IP-related attacks are shown in the table.
• ICMP attacks - Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings) to
discover subnets and hosts on a protected network, to generate DoS flood attacks, and to alter host
routing tables.
• Amplification and reflection attacks - Threat actors attempt to prevent legitimate users from
accessing information or services using DoS and DDoS attacks.
• Address spoofing attacks - Threat actors spoof the source IP address in an IP packet to perform
blind spoofing or non-blind spoofing.
• Man-in-the-middle attack (MITM) - Threat actors position themselves between a source and
destination to transparently monitor, capture, and control the communication. They could eavesdrop
by inspecting captured packets, or alter packets and forward them to their original destination.
• Session hijacking - Threat actors gain access to the physical network, and then use an MITM attack
to hijack a session.
IP Vulnerabilities and Threats
ICMP Attacks
• Threat actors use ICMP for reconnaissance and scanning attacks. They can launch
information-gathering attacks to map out a network topology, discover which hosts are
active (reachable), identify the host operating system (OS fingerprinting), and
determine the state of a firewall. Threat actors also use ICMP for DoS attacks.
• Note: ICMP for IPv4 (ICMPv4) and ICMP for IPv6 (ICMPv6) are susceptible to similar
types of attacks.
• Networks should have strict ICMP access control list (ACL) filtering on the network
edge to avoid ICMP probing from the internet. In the case of large networks, security
devices such as firewalls and intrusion detection systems (IDS) detect such attacks
and generate alerts to the security analysts.
IP Vulnerabilities and Threats
ICMP Attacks (Cont.)
Common ICMP messages of interest to threat actors are listed in the table.
• ICMP echo request and echo reply - This is used to perform host verification and DoS attacks.
• ICMP unreachable - This is used to perform network reconnaissance and scanning attacks.
• ICMP mask reply - This is used to map an internal IP network.
• ICMP redirects - This is used to lure a target host into sending all traffic through a compromised
device and create a MITM attack.
• ICMP router discovery - This is used to inject bogus route entries into the routing table of a target
host.
IP Vulnerabilities and Threats
Video – Amplification, Reflection, and Spoofing Attacks
This video will explain the amplification, reflection, and spoofing attack.
IP Vulnerabilities and Threats
Amplification and Reflection Attacks
• Threat actors often use amplification and reflection techniques to create DoS attacks. The
example in the figure illustrates how a Smurf attack is used to overwhelm a target host.
• Note: Newer forms of amplification and reflection attacks such as DNS-based reflection and
amplification attacks and Network Time Protocol (NTP) amplification attacks are now being used.
• Threat actors also use resource exhaustion attacks to either crash a target host or to consume the
resources of a network.
IP Vulnerabilities and Threats
Address Spoofing Attacks
• IP address spoofing attacks occur when a threat actor creates packets with false source IP
address information to either hide the identity of the sender, or to pose as another legitimate user.
Spoofing is usually incorporated into another attack such as a Smurf attack.
• Spoofing attacks can be non-blind or blind:
• Non-blind spoofing - The threat actor can see the traffic that is being sent between the host and
the target. Non-blind spoofing determines the state of a firewall and sequence-number prediction.
It can also hijack an authorized session.
• Blind spoofing - The threat actor cannot see the traffic that is being sent between the host and
the target. Blind spoofing is used in DoS attacks.
• MAC address spoofing attacks are used when threat actors have access to the internal network.
Threat actors alter the MAC address of their host to match another known MAC address of a target
host.
3.7 TCP and UDP Vulnerabilities
TCP and UDP Vulnerabilities
TCP Segment Header
• TCP segment information appears immediately
after the IP header. The fields of the TCP
segment and the flags for the Control Bits field
are displayed in the figure.
• The following are the six control bits of the
TCP segment:
• URG - Urgent pointer field significant
• ACK - Acknowledgment field significant
• PSH - Push function
• RST - Reset the connection
• SYN - Synchronize sequence numbers
• FIN - No more data from sender
TCP and UDP Vulnerabilities
TCP Services
TCP provides these services:
• Reliable delivery - TCP incorporates acknowledgments to guarantee delivery. If a
timely acknowledgment is not received, the sender retransmits the data. Requiring
acknowledgments of received data can cause substantial delays. Examples of
application layer protocols that make use of TCP reliability include HTTP, SSL/TLS,
FTP, DNS zone transfers, and others.
• Flow control - TCP implements flow control to address the delay that acknowledgments
introduce. Rather than acknowledge one segment at a time, multiple segments can be
acknowledged with a single acknowledgment segment.
• Stateful communication - TCP stateful communication between two parties occurs
during the TCP three-way handshake.
TCP and UDP Vulnerabilities
TCP Services (Cont.)
A TCP connection is established in three steps:
1. The initiating client requests a client-to-server communication session with the server.
2. The server acknowledges the client-to-server communication session and requests a server-to-
client communication session.
3. The initiating client acknowledges the server-to-client communication session.
TCP and UDP Vulnerabilities
TCP Attacks
TCP SYN Flood Attack
1. The threat actor sends
multiple SYN requests to a
web server.
2. The web server replies with
SYN-ACKs for each SYN
request and waits to complete
the three-way handshake.
The threat actor does not
respond to the SYN-ACKs.
3. A valid user cannot access
the web server because the
web server has too many half-
opened TCP connections.
TCP and UDP Vulnerabilities
TCP Attacks (Cont.)
Terminating a TCP session uses the following
four-way exchange process:
1. When the client has no more data to send in
the stream, it sends a segment with the FIN
flag set.
2. The server sends an ACK to acknowledge
the receipt of the FIN to terminate the
session from client to server.
3. The server sends a FIN to the client to
terminate the server-to-client session.
4. The client responds with an ACK to
acknowledge the FIN from the server.
A threat actor could do a TCP reset attack and
send a spoofed packet containing a TCP RST to
one or both endpoints.
TCP and UDP Vulnerabilities
TCP Attacks (Cont.)
TCP session hijacking is another TCP vulnerability. Although difficult to conduct, a threat
actor takes over an already-authenticated host as it communicates with the target. The
threat actor must spoof the IP address of one host, predict the next sequence number,
and send an ACK to the other host. If successful, the threat actor could send, but not
receive, data from the target device.
TCP and UDP Vulnerabilities
UDP Segment Header and Operation
• UDP is commonly used by DNS, TFTP, NFS, and SNMP. It is also used with real-time applications
such as media streaming or VoIP. UDP is a connectionless transport layer protocol. It has much
lower overhead than TCP because it is not connection-oriented and does not offer the
sophisticated retransmission, sequencing, and flow control mechanisms that provide reliability.
• These reliability functions are not provided by the transport layer protocol and must be
implemented elsewhere if required.
• The low overhead of UDP makes it very desirable for protocols that make simple request and reply
transactions.
TCP and UDP Vulnerabilities
UDP Attacks
• UDP is not protected by any encryption. You can add encryption to UDP, but it is not available by
default. The lack of encryption means that anyone can see the traffic, change it, and send it on to
its destination.
• UDP Flood Attacks: The threat actor uses a tool like UDP Unicorn or Low Orbit Ion Cannon.
These tools send a flood of UDP packets, often from a spoofed host, to a server on the subnet.
The program will sweep through all the known ports trying to find closed ports. This will cause the
server to reply with an ICMP port unreachable message. Because there are many closed ports on
the server, this creates a lot of traffic on the segment, which uses up most of the bandwidth. The
result is very similar to a DoS attack.
3.8 IP Services
IP Services
ARP Vulnerabilities
• Hosts broadcast an ARP Request to other hosts on the segment to determine the
MAC address of a host with a particular IP address. The host with the matching IP
address in the ARP Request sends an ARP Reply.
• Any client can send an unsolicited ARP Reply called a “gratuitous ARP.” When a host
sends a gratuitous ARP, other hosts on the subnet store the MAC address and IP
address contained in the gratuitous ARP in their ARP tables.
• This feature of ARP also means that any host can claim to be the owner of any IP or
MAC. A threat actor can poison the ARP cache of devices on the local network,
creating an MITM attack to redirect traffic.
IP Services
ARP Cache Poisoning
ARP cache poisoning can be used to launch various man-in-the-middle attacks.
1. PC-A requires the MAC address of its default gateway (R1); therefore, it sends an
ARP Request for the MAC address of 192.168.10.1.
2. R1 updates its ARP cache with the IP and MAC addresses of PC-A. R1 sends an ARP
Reply to PC-A, which then updates its ARP cache with the IP and MAC addresses of
R1.
3. The threat actor sends two spoofed gratuitous ARP Replies using its own MAC
address for the indicated destination IP addresses. PC-A updates its ARP cache with
its default gateway which is now pointing to the threat actor’s host MAC address. R1
also updates its ARP cache with the IP address of PC-A pointing to the threat actor’s
MAC address.
The ARP poisoning attack can be passive or active. Passive ARP poisoning is where
threat actors steal confidential information. Active ARP poisoning is where threat actors
modify data in transit or inject malicious data.
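As an added example (not part of the course material), the following Python parses ARP frames and replays the three steps above through a passive monitor that learns IP-to-MAC bindings and raises an alert when a binding changes or when one MAC claims several addresses, which is how a network sensor detects the poisoning described. The MAC addresses and PC-A's IP address are constructed; only 192.168.10.1 comes from the slide.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def parse_arp(payload: bytes) -> dict:
    """Decode a 28-byte Ethernet/IPv4 ARP payload (RFC 826 layout)."""
    if len(payload) < 28:
        raise ValueError("ARP payload needs 28 bytes")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return {
        "op": oper,
        "sender_mac": payload[8:14].hex(":"),
        "sender_ip": ".".join(str(b) for b in payload[14:18]),
        "target_mac": payload[18:24].hex(":"),
        "target_ip": ".".join(str(b) for b in payload[24:28]),
    }


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a constructed ARP payload for the sample trace."""
    def mac(s):
        return bytes.fromhex(s.replace(":", ""))

    def ip(s):
        return bytes(int(octet) for octet in s.split("."))

    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))


class ArpMonitor:
    """Passive detector fed every ARP frame seen on the segment. It learns IP-to-MAC
    bindings and reports the two symptoms of cache poisoning: a known IP suddenly
    answering from a different MAC, and one MAC claiming several IP addresses."""

    def __init__(self, trusted=None):
        self.bindings = dict(trusted or {})   # ip -> mac, optionally pre-seeded
        self.alerts = []

    def observe(self, payload: bytes) -> dict:
        arp = parse_arp(payload)
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac            # first sighting: learn it
        elif known != mac:
            kind = "reply" if arp["op"] == ARP_REPLY else "request"
            self.alerts.append(f"{ip} moved from {known} to {mac} via ARP {kind}")
            self.bindings[ip] = mac            # mirror what the victims' caches now hold
        claimed = sorted(i for i, m in self.bindings.items() if m == mac)
        if len(claimed) > 1:
            self.alerts.append(f"{mac} claims {claimed}")
        return arp


# Constructed addresses for the slide's scenario (PC-A's IP and all MACs are assumptions).
PCA_IP, PCA_MAC = "192.168.10.10", "00:0c:29:aa:aa:aa"
R1_IP, R1_MAC = "192.168.10.1", "00:1b:54:11:11:11"
ATTACKER_MAC = "00:50:56:ee:ee:ee"


def sample_trace():
    """Steps 1 to 3 from the slide as wire-format ARP payloads."""
    return [
        # 1. PC-A asks who has 192.168.10.1 (target MAC unknown, so all zeros).
        build_arp(ARP_REQUEST, PCA_MAC, PCA_IP, "00:00:00:00:00:00", R1_IP),
        # 2. R1 replies with its real MAC.
        build_arp(ARP_REPLY, R1_MAC, R1_IP, PCA_MAC, PCA_IP),
        # 3. The threat actor sends two spoofed gratuitous replies with its own MAC.
        build_arp(ARP_REPLY, ATTACKER_MAC, R1_IP, PCA_MAC, PCA_IP),   # to PC-A: "I am R1"
        build_arp(ARP_REPLY, ATTACKER_MAC, PCA_IP, R1_MAC, R1_IP),    # to R1: "I am PC-A"
    ]


def replay(frames) -> list:
    """Feed a list of ARP payloads to a fresh monitor and return its alerts."""
    monitor = ArpMonitor()
    for frame in frames:
        monitor.observe(frame)
    return monitor.alerts


if __name__ == "__main__":
    for alert in replay(sample_trace()):
        print("ALERT:", alert)
```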
IP Services
Video – ARP Spoofing
This video will explain an ARP spoofing attack.
IP Services
DNS Attacks
• The Domain Name Service (DNS) protocol defines an automated service that matches
resource names, such as www.cisco.com, with the required numeric network address,
such as the IPv4 or IPv6 address. It includes the format for queries, responses, and
data and uses resource records (RR) to identify the type of DNS response.
• Securing DNS is often overlooked. However, it is crucial to the operation of a network
and should be secured accordingly.
• DNS attacks include the following:
• DNS open resolver attacks
• DNS stealth attacks
• DNS domain shadowing attacks
• DNS tunneling attacks
IP Services
DNS Attacks (Cont.)
DNS Open Resolver Attacks: A DNS open resolver answers queries from clients outside
of its administrative domain. DNS open resolvers are vulnerable to multiple malicious
activities described in the table.
• DNS cache poisoning attacks - Threat actors send spoofed, falsified resource record (RR)
information to a DNS resolver to redirect users from legitimate sites to malicious sites. DNS cache
poisoning attacks can also be used to inform the DNS resolver to use a malicious name server that
is providing RR information for malicious activities.
• DNS amplification and reflection attacks - Threat actors use DoS or DDoS attacks on DNS open
resolvers to increase the volume of attacks and to hide the true source of an attack. Threat actors
send DNS messages to the open resolvers using the IP address of a target host. These attacks are
possible because the open resolver will respond to queries from anyone asking a question.
• DNS resource utilization attacks - A DoS attack that consumes the resources of the DNS open
resolvers. This DoS attack consumes all the available resources to negatively affect the operations
of the DNS open resolver. The impact of this DoS attack may require the DNS open resolver to be
rebooted or services to be stopped and restarted.
IP Services
DNS Attacks (Cont.)
DNS Stealth Attacks: To hide their identity, threat actors also use the DNS stealth
techniques described in the table to carry out their attacks.
• Fast Flux - Threat actors use this technique to hide their phishing and malware delivery sites
behind a quickly-changing network of compromised DNS hosts. The DNS IP addresses are
continuously changed within minutes. Botnets often employ Fast Flux techniques to effectively hide
malicious servers from being detected.
• Double IP Flux - Threat actors use this technique to rapidly change the hostname to IP address
mappings and to also change the authoritative name server. This increases the difficulty of
identifying the source of the attack.
• Domain Generation Algorithms - Threat actors use this technique in malware to randomly generate
domain names that can then be used as rendezvous points to their command and control (C&C)
servers.
IP Services
DNS Attacks (Cont.)
DNS Domain Shadowing Attacks: Domain shadowing involves the
threat actor gathering domain account credentials in order to silently
create multiple sub-domains to be used during the attacks. These
subdomains typically point to malicious servers without alerting the
actual owner of the parent domain.
IP Services
DNS Tunneling
• Threat actors who use DNS tunneling place non-DNS traffic within DNS traffic. This method often
circumvents security solutions when a threat actor wishes to communicate with bots inside a
protected network, or exfiltrate data from the organization. This is how DNS tunneling works for
CnC commands sent to a botnet:
1. The command data is split into multiple encoded chunks.
2. Each chunk is placed into a lower level domain name label of the DNS query.
3. Because there is no response from the local or networked DNS for the query, the request is sent to the ISP’s
recursive DNS servers.
4. The recursive DNS service will forward the query to the threat actor’s authoritative name server.
5. The process is repeated until all the queries containing the chunks of data are sent.
6. When the threat actor’s authoritative name server receives the DNS queries from the infected devices, it sends
responses for each DNS query, which contain the encapsulated, encoded CnC commands.
7. The malware on the compromised host recombines the chunks and executes the commands hidden within the
DNS record.
• To stop DNS tunneling, the network administrator must use a filter that inspects DNS traffic. Pay
close attention to DNS queries that are longer than average, or those that have a suspicious
domain name.
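As an added example (not from the course material), the following Python parses the question name out of DNS query messages and applies the indicators named above, long queries and suspicious labels, plus a per-domain count of distinct flagged names, since a tunnel needs one query per chunk. The thresholds, the constructed payload and the example.net name are assumptions, and treating the last two labels as the registered domain is a simplification.

```python
import base64
import math
import struct
from collections import defaultdict


def parse_qname(message: bytes, offset: int = 12):
    """Read the QNAME labels of the first question in a DNS message (the question
    section follows the 12-byte header and uses no compression pointers)."""
    labels = []
    while True:
        length = message[offset]
        if length == 0:
            return labels, offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        offset += 1
        labels.append(message[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, txid: int = 0x1234, qtype: int = 16) -> bytes:
    """Build a constructed standard query (RD set) for name; qtype 16 is TXT, 1 is A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QCLASS 1 = IN


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded chunks score far higher than real hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_query(message: bytes, max_len=50, max_label=30, min_entropy=3.5):
    """Apply the slide's indicators, an unusually long name and suspicious labels,
    to one query. Returns (registered_domain, reasons). The registered domain is
    taken as the last two labels (an assumption that ignores suffixes like co.uk);
    the thresholds are assumptions chosen for this demo."""
    labels, _ = parse_qname(message)
    name = ".".join(labels)
    domain = ".".join(labels[-2:])
    subdomain = "".join(labels[:-2])
    reasons = []
    if len(name) > max_len:
        reasons.append("long-name")
    if labels and max(len(l) for l in labels) > max_label:
        reasons.append("long-label")
    if shannon_entropy(subdomain) > min_entropy:
        reasons.append("high-entropy")
    return domain, reasons


def find_tunnels(messages, min_unique=3):
    """Count distinct flagged names per registered domain and report those that
    reach min_unique, the fan-out a chunked payload produces under one domain."""
    flagged = defaultdict(set)
    for msg in messages:
        domain, reasons = score_query(msg)
        if reasons:
            flagged[domain].add(".".join(parse_qname(msg)[0]))
    return {d: len(names) for d, names in flagged.items() if len(names) >= min_unique}


def sample_queries():
    """Constructed traffic: three ordinary lookups plus a chunked payload carried in
    labels under example.net, built the way steps 1 and 2 above describe."""
    benign = [build_query(n, qtype=1) for n in
              ("www.cisco.com", "mail.example.com", "api.example.com")]
    payload = b"constructed sample payload chunked into DNS labels for the detector demo"
    encoded = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    chunks = [encoded[i:i + 40] for i in range(0, len(encoded), 40)]
    tunnel = [build_query(f"{chunk}.{i}.t.example.net") for i, chunk in enumerate(chunks)]
    return benign + tunnel


if __name__ == "__main__":
    for msg in sample_queries():
        print(".".join(parse_qname(msg)[0]), score_query(msg)[1])
    print(find_tunnels(sample_queries()))   # {'example.net': 3}
```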
IP Services
DHCP
• DHCP servers dynamically provide IP
configuration information to clients.
• In the figure, a client broadcasts a DHCP discover message. The DHCP server responds with a
unicast offer that includes addressing information the client can use. The client broadcasts a DHCP
request to tell the server that the client accepts the offer. The server responds with a unicast
acknowledgment accepting the request.
IP Services
DHCP Attacks
• A DHCP spoofing attack occurs when a rogue DHCP server is connected to the
network and provides false IP configuration parameters to legitimate clients. A rogue
server can provide a variety of misleading information:
• Wrong default gateway - Threat actor provides an invalid gateway, or the IP
address of its host to create a MITM attack. This may go entirely undetected as the
intruder intercepts the data flow through the network.
• Wrong DNS server - Threat actor provides an incorrect DNS server address pointing
the user to a malicious website.
• Wrong IP address - Threat actor provides an invalid IP address, invalid default
gateway IP address, or both. The threat actor then creates a DoS attack on the
DHCP client.
IP Services
DHCP Attacks (Cont.)
Assume a threat actor has successfully connected a rogue DHCP server to a switch port
on the same subnet as the target clients. The goal of the rogue server is to provide clients
with false IP configuration information.
1. The client broadcasts a DHCP Discover request looking for a response from a DHCP
server. Both servers receive the message.
2. The legitimate and rogue DHCP servers each respond with valid IP configuration
parameters. The client replies to the first offer received.
3. The client received the rogue offer first. It broadcasts a DHCP request accepting the
parameters from the rogue server. The legitimate and rogue servers each receive the
request.
4. Only the rogue server unicasts a reply to the client to acknowledge its request. The
legitimate server stops communicating with the client because the request has already
been acknowledged.
IP Services
Lab – Explore DNS Traffic
In this lab, you will complete the following objectives:
• Capture DNS Traffic
• Explore DNS Query Traffic
• Explore DNS Response Traffic
3.9 Network Security Best Practices
Network Security Best Practices
Confidentiality, Availability, and Integrity
• Network security consists of protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction.
• Most organizations follow the CIA information security triad:
• Confidentiality - Only authorized individuals, entities, or processes can access
sensitive information. It may require using cryptographic encryption algorithms such
as AES to encrypt and decrypt data.
• Integrity - Refers to protecting data from unauthorized alteration. It requires the use
of cryptographic hashing algorithms such as SHA.
• Availability - Authorized users must have uninterrupted access to important
resources and data. It requires implementing redundant services, gateways, and
links.
Network Security Best Practices
The Defense-in-Depth Approach
• To ensure secure communications across both public and private networks, you must
secure devices including routers, switches, servers, and hosts. Most organizations
employ a defense-in-depth approach to security. It requires a combination of
networking devices and services working together.
• Several security devices and services are implemented:
• VPN
• ASA Firewall
• IPS
• ESA/WSA
• AAA Server
• All network devices including the router and switches are hardened.
• You must also secure data as it travels across various links.
Network Security Best Practices
Firewalls
A firewall is a system, or group of systems, that enforces an access control policy
between networks.
Network Security Best Practices
IPS
• To defend against fast-moving and evolving attacks, you may need cost-effective
detection and prevention systems integrated into the entry and exit points of the
network.
• IDS and IPS technologies share several characteristics. IDS and IPS technologies are
both deployed as sensors. An IDS or IPS sensor can be in the form of several
different devices:
• A router configured with Cisco IOS IPS software
• A device specifically designed to provide dedicated IDS or IPS services
• A network module installed in an adaptive security appliance (ASA), switch, or router
• IDS and IPS technologies detect patterns in network traffic using signatures, which are sets of rules
used to detect malicious activity. IDS and IPS technologies can detect atomic signature patterns
(single-packet) or composite signature patterns (multi-packet).
Network Security Best Practices
IPS (Cont.)
The figure shows how an IPS handles denied traffic.
1. The threat actor sends a packet destined for
the target laptop.
2. The IPS intercepts the traffic and evaluates it
against known threats and the configured
policies.
3. The IPS sends a log message to the
management console.
4. The IPS drops the packet.
Network Security Best Practices
Content Security Devices
• The Cisco Email Security Appliance (ESA) is a special device designed to monitor
Simple Mail Transfer Protocol (SMTP). The Cisco ESA is constantly updated by real-time feeds from
Cisco Talos. This threat intelligence data is pulled by the Cisco ESA every three to five minutes.
• The Cisco Web Security Appliance (WSA) is a mitigation technology for web-based
threats. The Cisco WSA combines advanced malware protection, application visibility
and control, acceptable use policy controls, and reporting.
• Cisco WSA provides complete control over how users access the internet. The WSA
can perform blacklisting of URLs, URL-filtering, malware scanning, URL
categorization, web application filtering, and encryption and decryption of web traffic.
3.10 Cryptography
Cryptography
Video - Cryptography
This video will demonstrate securing data using hashing and encryption.
Cryptography
Securing Communications
• Organizations must provide support to secure the data as it travels across links. This
may include internal traffic, but it is even more important to protect the data that
travels outside of the organization.
• These are the four elements of secure communications:
• Data Integrity - Guarantees that the message was not altered. Integrity is ensured by implementing either
Message Digest version 5 (MD5) or Secure Hash Algorithm (SHA) hash-generating algorithms.
• Origin Authentication - Guarantees that the message is not a forgery and does come from whom it states. Many
modern networks ensure authentication with protocols, such as hash message authentication code (HMAC).
• Data Confidentiality - Guarantees that only authorized users can read the message. Data confidentiality is
implemented using symmetric and asymmetric encryption algorithms.
• Data Non-Repudiation - Guarantees that the sender cannot repudiate, or refute, the validity of a message sent.
Nonrepudiation relies on the fact that only the sender has the unique characteristics or signature for how that
message is treated.
• Cryptography can be used almost anywhere that there is data communication. In fact,
the trend is toward all communication being encrypted.

Cryptography
Data Integrity
• Hash functions are used to ensure the integrity of a message. They guarantee that message data
has not changed accidentally or intentionally.
• In the figure, the sender is sending a $100 money transfer to Alex. The sender wants to ensure
that the message is not altered on its way to the receiver.
1. The sending device inputs the message into a hashing algorithm and computes its fixed-length hash of
4ehiDx67NMop9.
2. This hash is then attached to the message and sent to the receiver. Both the message and the hash are in
plaintext.
3. The receiving device removes the hash from the message and inputs the message into the same hashing
algorithm. If the computed hash is equal to the one that is attached to the message, the message has not been
altered during transit. If the hashes are not equal, then the integrity of the message can no longer be trusted.

Cryptography
Hash Functions
• There are three well-known hash functions.
• MD5 with 128-bit Digest: MD5 is a one-way function that produces a 128-bit hashed message.
MD5 is a legacy algorithm that should only be used when no better alternatives are available. Use
SHA-2 instead.
• SHA Hashing Algorithm: SHA-1 is very similar to the MD5 hash functions. SHA-1 creates a 160-
bit hashed message and is slightly slower than MD5. SHA-1 has known flaws and is a legacy
algorithm. Use SHA-2 when possible.
• SHA-2: This includes SHA-224 (224 bit), SHA-256 (256 bit), SHA-384 (384 bit), and SHA-512
(512 bit). SHA-256, SHA-384, and SHA-512 are next-generation algorithms and should be used
whenever possible.
• While hashing can be used to detect accidental changes, it cannot be used to guard
against deliberate changes, because anyone who has the correct hash function can
compute a valid hash for any data.
• Therefore, hashing on its own is vulnerable to man-in-the-middle attacks and does not
secure transmitted data.

Cryptography
Origin Authentication
• To add authentication to integrity assurance,
use a keyed-hash message authentication
code (HMAC).
• An HMAC is calculated using any
cryptographic algorithm that combines a
cryptographic hash function with a secret key.
• Only parties who have access to that secret
key can compute the digest of an HMAC
function. This defeats man-in-the-middle
attacks and provides authentication of the
data origin.
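The integrity check from the figure beside the HMAC that closes its gap, as an added Python example that is not part of the Cisco material; the $100 message, the shared key and the altered amount are constructed for illustration:

```python
import hashlib
import hmac

# Constructed sample: the $100 transfer from the slide, as bytes on the wire.
MESSAGE = b"Transfer $100 to Alex"
# Constructed shared secret; in practice it is provisioned out of band.
SECRET_KEY = b"example-shared-secret-do-not-reuse"


def plain_digest(message: bytes) -> str:
    """Steps 1-2 of the integrity figure: a fixed-length SHA-256 hash that
    is attached to the message and sent in plaintext."""
    return hashlib.sha256(message).hexdigest()


def verify_plain_digest(message: bytes, digest: str) -> bool:
    """Step 3: the receiver recomputes the hash with the same algorithm and
    compares it with the attached one."""
    return hmac.compare_digest(plain_digest(message), digest)


def hmac_tag(message: bytes, key: bytes) -> str:
    """HMAC-SHA256: the hash function is combined with a secret key, so only
    the key holders can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac_tag(message: bytes, tag: str, key: bytes) -> bool:
    # compare_digest runs in constant time, avoiding a timing side channel.
    return hmac.compare_digest(hmac_tag(message, key), tag)


def alter_in_transit(message: bytes) -> bytes:
    """An intermediary changes the amount. With a plain hash it can also
    recompute the digest; without the HMAC key it cannot fix the tag."""
    return message.replace(b"$100", b"$900")


def integrity_only_check() -> bool:
    """True if the receiver accepts the altered message, i.e. the plain hash
    did not catch the deliberate change."""
    altered = alter_in_transit(MESSAGE)
    recomputed = plain_digest(altered)      # anyone can do this
    return verify_plain_digest(altered, recomputed)


def hmac_check() -> bool:
    """True if the receiver accepts the altered message under HMAC; the
    intermediary can only forward the tag computed over the original."""
    original_tag = hmac_tag(MESSAGE, SECRET_KEY)
    altered = alter_in_transit(MESSAGE)
    return verify_hmac_tag(altered, original_tag, SECRET_KEY)


if __name__ == "__main__":
    print("plain hash accepts altered message:", integrity_only_check())  # True
    print("HMAC accepts altered message:", hmac_check())                  # False
```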

Cryptography
Data Confidentiality
• There are two classes of encryption used to provide data confidentiality. These two
classes differ in how they use keys.
• Symmetric encryption algorithms such as Data Encryption Standard (DES), 3DES, and
Advanced Encryption Standard (AES) are based on the premise that each communicating
party knows the pre-shared key. Data confidentiality can also be ensured using
asymmetric algorithms, including Rivest, Shamir, and Adleman (RSA) and the public key
infrastructure (PKI).
• The figure highlights some differences between each encryption algorithm method.

Cryptography
Symmetric Encryption
• Symmetric algorithms use the same pre-shared key, also called a secret key, to
encrypt and decrypt data. A pre-shared key is known by the sender and receiver
before any encrypted communications can take place.
• Symmetric encryption algorithms are commonly used with VPN traffic because they
use less CPU resources than asymmetric encryption algorithms.
• When using symmetric encryption algorithms, the longer the key, the longer it will take
for someone to discover the key. To ensure that the encryption is safe, use a minimum
key length of 128 bits.

Cryptography
Symmetric Encryption (Cont.)
Symmetric Encryption Algorithms - Description
• Data Encryption Standard (DES) - This is a legacy symmetric encryption algorithm. It can be used in
stream cipher mode but usually operates in block mode by encrypting data in 64-bit block size. A stream
cipher encrypts one byte or one bit at a time.
• 3DES (Triple DES) - This is a newer version of DES, but it repeats the DES algorithm process three
times. It is considered very trustworthy when implemented using very short key lifetimes.
• Advanced Encryption Standard (AES) - AES is a secure and more efficient algorithm than 3DES. It is a
popular and recommended symmetric encryption algorithm. It offers nine combinations of key and block
length by using a variable key length of 128-, 192-, or 256-bit key to encrypt data blocks that are 128,
192, or 256 bits long.
• Software-Optimized Encryption Algorithm (SEAL) - SEAL is a faster alternative symmetric encryption
algorithm to DES, 3DES, and AES. It uses a 160-bit encryption key and has a lower impact on the CPU
compared to other software-based algorithms.
• Rivest ciphers (RC) series algorithms - This algorithm was developed by Ron Rivest. Several variations
have been developed, but RC4 is the most prevalent in use. RC4 is a stream cipher and is used to
secure web traffic in SSL and TLS.

Cryptography
Asymmetric Encryption
• Asymmetric algorithms, also called public-key algorithms, are designed so that the key
that is used for encryption is different from the key that is used for decryption.
• Asymmetric algorithms use a public key and a private key. The complementary paired
key is required for decryption. Data encrypted with the public key requires the private
key to decrypt. Asymmetric algorithms achieve confidentiality, authentication, and
integrity by using this process.
• Because neither party has a shared secret, very long key lengths must be used.
Asymmetric encryption can use key lengths between 512 and 4,096 bits. Key lengths
greater than or equal to 1,024 bits can be trusted, while shorter key lengths are
considered unreliable.

Cryptography
Asymmetric Encryption (Cont.)
• Examples of protocols that use asymmetric key algorithms include:
• Internet Key Exchange (IKE) - This is a fundamental component of IPsec VPNs.
• Secure Socket Layer (SSL) - This is now implemented as IETF standard Transport Layer
Security (TLS).
• Secure Shell (SSH) - This protocol provides a secure remote access connection to network
devices.
• Pretty Good Privacy (PGP) - This computer program provides cryptographic privacy and
authentication. It is often used to increase the security of email communications.
• Asymmetric algorithms are substantially slower than symmetric algorithms. Their
design is based on computational problems, such as factoring extremely large
numbers or computing discrete logarithms of extremely large numbers.
• Because they are slow, asymmetric algorithms are typically used in low-volume
cryptographic mechanisms, such as digital signatures and key exchange.

Cryptography
Asymmetric Encryption (Cont.)
Asymmetric Encryption Algorithm - Key Length - Description
• Diffie-Hellman (DH) - 512, 1024, 2048, 3072, 4096 - The Diffie-Hellman algorithm allows two parties to
agree on a key that they can use to encrypt messages they want to send to each other. The security of this
algorithm depends on the assumption that it is easy to raise a number to a certain power, but difficult to
compute which power was used given the number and the outcome.
• Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA) - 512 - 1024 - DSS specifies DSA
as the algorithm for digital signatures. DSA is a public key algorithm based on the ElGamal signature
scheme. Signature creation speed is similar to RSA but is 10 to 40 times slower for verification.
• Rivest, Shamir, and Adleman encryption algorithms (RSA) - 512 to 2048 - RSA is for public-key
cryptography that is based on the current difficulty of factoring very large numbers. It is the first algorithm
known to be suitable for signing as well as encryption. It is widely used in electronic commerce protocols
and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.
• ElGamal - 512 - 1024 - An asymmetric key encryption algorithm for public-key cryptography which is based
on the Diffie-Hellman key agreement. A disadvantage of the ElGamal system is that the encrypted message
becomes very big, about twice the size of the original message, and for this reason it is only used for small
messages such as secret keys.
• Elliptical curve techniques - 160 - Elliptic curve cryptography can be used to adapt many cryptographic
algorithms, such as Diffie-Hellman or ElGamal. The main advantage of elliptic curve cryptography is that
the keys can be much smaller.

Cryptography
Diffie-Hellman
• Diffie-Hellman (DH) is an asymmetric mathematical algorithm where two computers generate an
identical shared secret key without having communicated before. The new shared key is never
actually exchanged between the sender and receiver.
• Here are three examples of instances when DH is commonly used:
• Data is exchanged using an IPsec VPN.
• Data is encrypted on the internet using either SSL or TLS.
• SSH data is exchanged.
• DH security uses unbelievably large numbers in its calculations.
• Unfortunately, asymmetric key systems are extremely slow for any sort of bulk encryption.
Therefore, it is common to encrypt the bulk of the traffic using a symmetric algorithm, such as
3DES or AES and then use the DH algorithm to create keys that will be used by the encryption
algorithm.

Cryptography
Diffie-Hellman (Cont.)
• The colors in the figure will be used instead of numbers to simplify
the DH key agreement process. The DH key exchange begins with
Alice and Bob agreeing on an arbitrary common color that does not
need to be kept secret. The agreed upon color in our example is
yellow.
• Next, Alice and Bob will each select a secret color. Alice chose red
while Bob chose blue. These secret colors will never be shared
with anyone. The secret color represents the chosen secret private
key of each party.
• Alice and Bob now mix the shared common color (yellow) with their
respective secret color to produce a private color. Therefore, Alice
will mix the yellow with her red color to produce a private color of
orange. Bob will mix the yellow and the blue to produce a private
color of green.
• Alice sends her private color (orange) to Bob and Bob sends his
private color (green) to Alice.
• Alice and Bob each mix the color they received with their own
original secret color (red for Alice and blue for Bob). The result is
a final brown color mixture that is identical to the other’s final color
mixture. The brown color represents the resulting shared secret
key between Bob and Alice.
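The color exchange carried out with numbers, as an added Python example that is not part of the Cisco material; the small prime P, generator G and the key-derivation step are assumptions for illustration, and the block also rejects degenerate public values, a check the slides do not show:

```python
import hashlib
import secrets

# Constructed toy group so the values stay readable. Real deployments use a
# standardized group (e.g. the 2048-bit MODP group from RFC 3526) or an
# elliptic-curve group. 2^31 - 1 is prime; 7 is a generator of the group.
P = 2**31 - 1
G = 7


def new_private_key() -> int:
    """The 'secret color': a random exponent that is never transmitted."""
    return secrets.randbelow(P - 3) + 2          # uniform in [2, P-2]


def public_value(private_key: int) -> int:
    """Mix the common color (P, G) with the secret color: g^a mod p.
    This is the only thing each party sends."""
    return pow(G, private_key, P)


def shared_secret(their_public: int, my_private: int) -> int:
    """Mix the received value with one's own secret: (g^b)^a mod p.
    Degenerate public values (0, 1, p-1) are rejected because they would
    force the shared secret into a trivial subgroup."""
    if not 2 <= their_public <= P - 2:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(their_public, my_private, P)


def derive_symmetric_key(shared: int) -> bytes:
    """The DH result is not used directly; it is hashed into a 256-bit key
    for the bulk symmetric cipher (AES on the slides)."""
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def exchange() -> dict:
    """Run the whole agreement between Alice and Bob and return what each
    side ended up with, plus what an observer on the wire could see."""
    alice_private = new_private_key()            # red
    bob_private = new_private_key()              # blue
    alice_sends = public_value(alice_private)    # orange, sent to Bob
    bob_sends = public_value(bob_private)        # green, sent to Alice
    alice_secret = shared_secret(bob_sends, alice_private)   # brown
    bob_secret = shared_secret(alice_sends, bob_private)     # brown
    return {
        "on_the_wire": (P, G, alice_sends, bob_sends),
        "alice_secret": alice_secret,
        "bob_secret": bob_secret,
        "alice_key": derive_symmetric_key(alice_secret),
        "bob_key": derive_symmetric_key(bob_secret),
    }


if __name__ == "__main__":
    result = exchange()
    print("values visible on the wire:", result["on_the_wire"])
    print("secrets match:", result["alice_secret"] == result["bob_secret"])  # True
```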
3.11 Module Practice and Quiz

Module Practice and Quiz
What Did I Learn In This Module?
• Network security breaches can disrupt e-commerce, cause the loss of business data, threaten people’s
privacy, and compromise the integrity of information.
• Vulnerabilities must be addressed before they become a threat and are exploited. Mitigation techniques are
required before, during, and after an attack.
• An attack vector is a path by which a threat actor can gain access to a server, host, or network. Attack
vectors originate from inside or outside the corporate network.
• The term ‘threat actor’ includes hackers and any device, person, group, or nation state that is, intentionally
or unintentionally, the source of an attack.
• Attack tools have become more sophisticated and highly automated. These new tools require less
technical knowledge to implement.
• Common types of attacks are: eavesdropping, data modification, IP address spoofing, password-based,
denial-of-service, man-in-the-middle, compromised-key, and sniffer.
• The three most common types of malware are worms, viruses, and Trojan horses.
• Networks are susceptible to the following types of attacks: reconnaissance, access, and DoS.
• Types of access attacks are: password, spoofing, trust exploitations, port redirections, man-in-the-middle,
and buffer overflow.
• IP attack techniques include: ICMP, amplification and reflection, address spoofing, MITM, and session
hijacking.
Module Practice and Quiz
What Did I Learn In This Module?
• Threat actors use ICMP for reconnaissance and scanning attacks. They launch information-gathering
attacks to map out a network topology, discover which hosts are active (reachable), identify the host
operating system (OS fingerprinting), and determine the state of a firewall. Threat actors often use
amplification and reflection techniques to create DoS attacks.
• TCP attacks include: TCP SYN Flood attack, TCP reset attack, and TCP Session hijacking. UDP Flood
attacks send a flood of UDP packets, often from a spoofed host, to a server on the subnet. The result is
very similar to a DoS attack.
• Any client can send an unsolicited ARP Reply called a “gratuitous ARP.” This means that any host can claim
to be the owner of any IP or MAC. A threat actor can poison the ARP cache of devices on the local
network, creating an MITM attack to redirect traffic.
• DNS attacks include: open resolver attacks, stealth attacks, domain shadowing attacks, and tunneling
attacks. To stop DNS tunneling, the network administrator must use a filter that inspects DNS traffic.
• A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false
IP configuration parameters to legitimate clients.
• Most organizations follow the CIA information security triad: confidentiality, integrity, and availability.
• To ensure secure communications across both public and private networks, you must secure devices
including routers, switches, servers, and hosts. This is known as defense-in-depth.

Module Practice and Quiz
What Did I Learn In This Module?
• A firewall is a system, or group of systems, that enforces an access control policy between networks.
• To defend against fast-moving and evolving attacks, you may need an intrusion detection system (IDS), or
the more scalable intrusion prevention system (IPS).
• The four elements of secure communications are data integrity, origin authentication, data confidentiality,
and data non-repudiation.
• Hash functions guarantee that message data has not changed accidentally or intentionally.
• Three well-known hash functions are MD5 with 128-bit digest, SHA hashing algorithm, and SHA-2.
• To add authentication to integrity assurance, use a keyed-hash message authentication code (HMAC).
HMAC is calculated using any cryptographic algorithm that combines a cryptographic hash function with a
secret key.
• Symmetric encryption algorithms using DES, 3DES, AES, SEAL, and RC are based on the premise that
each communicating party knows the pre-shared key.
• Data confidentiality can also be ensured using asymmetric algorithms, including Rivest, Shamir, and
Adleman (RSA) and the public key infrastructure (PKI). Diffie-Hellman (DH) is an asymmetric mathematical
algorithm where two computers generate an identical shared secret key without having communicated
before.

Module 4: ACL Concepts
Enterprise Networking, Security, and Automation v7.0
(ENSA)
Module Objectives
Module Title: ACL Concepts

Module Objective: Explain how ACLs are used as part of a network security policy.

Topic Title - Topic Objective
Purpose of ACLs - Explain how ACLs filter traffic.
Wildcard Masks in ACLs - Explain how ACLs use wildcard masks.
Guidelines for ACL Creation - Explain how to create ACLs.
Types of IPv4 ACLs - Compare standard and extended IPv4 ACLs.

4.1 Purpose of ACLs

Purpose of ACLs
What is an ACL?
An ACL is a series of IOS commands that are used to filter packets based on information
found in the packet header. By default, a router does not have any ACLs configured.
When an ACL is applied to an interface, the router performs the additional task of
evaluating all network packets as they pass through the interface to determine if the
packet can be forwarded.
• An ACL uses a sequential list of permit or deny statements, known as access control
entries (ACEs).
Note: ACEs are also commonly called ACL statements.
• When network traffic passes through an interface configured with an ACL, the router
compares the information within the packet against each ACE, in sequential order, to
determine if the packet matches one of the ACEs. This process is called packet
filtering.

Purpose of ACLs
What is an ACL? (Cont.)
Several tasks performed by routers require the use of ACLs to identify
traffic:
• Limit network traffic to increase network performance
• Provide traffic flow control
• Provide a basic level of security for network access
• Filter traffic based on traffic type
• Screen hosts to permit or deny access to network services
• Provide priority to certain classes of network traffic

Purpose of ACLs
Packet Filtering
• Packet filtering controls access to a
network by analyzing the incoming and/or
outgoing packets and forwarding them or
discarding them based on given criteria.
• Packet filtering can occur at Layer 3 or
Layer 4.
• Cisco routers support two types of ACLs:
• Standard ACLs - These filter at Layer 3 only, using
the source IPv4 address.
• Extended ACLs - ACLs filter at Layer 3 using
the source and / or destination IPv4 address.
They can also filter at Layer 4 using TCP, UDP
ports, and optional protocol type information for
finer control.

Purpose of ACLs
ACL Operation
• ACLs define the set of rules that give added control for packets that enter inbound
interfaces, packets that relay through the router, and packets that exit outbound
interfaces of the router.
• ACLs can be configured to apply to inbound traffic and outbound traffic.
Note: ACLs do not act on packets that originate from the router itself.
• An inbound ACL filters packets before they are routed to the outbound interface. An
inbound ACL is efficient because it saves the overhead of routing lookups if the packet
is discarded.
• An outbound ACL filters packets after being routed, regardless of the inbound
interface.

Purpose of ACLs
ACL Operation (Cont.)
When an ACL is applied to an interface, it follows a specific operating procedure. Here are
the operational steps used when traffic has entered a router interface with an inbound
standard IPv4 ACL configured:
1. The router extracts the source IPv4 address from the packet header.
2. The router starts at the top of the ACL and compares the source IPv4 address to each ACE in a
sequential order.
3. When a match is made, the router carries out the instruction, either permitting or denying the
packet, and the remaining ACEs in the ACL, if any, are not analyzed.
4. If the source IPv4 address does not match any ACEs in the ACL, the packet is discarded because
there is an implicit deny ACE automatically applied to all ACLs.
The last ACE statement of an ACL is always an implicit deny that blocks all traffic. It is
hidden and not displayed in the configuration.
Note: An ACL must have at least one permit statement otherwise all traffic will be denied due to the
implicit deny ACE statement.

Purpose of ACLs
Packet Tracer - ACL Demonstration
In this Packet Tracer, you will complete the following objectives:
• Part 1: Verify Local Connectivity and Test Access Control List
• Part 2: Remove Access Control List and Repeat Test

4.2 Wildcard Masks in ACLs

Wildcard Masks in ACLs
Wildcard Mask Overview
A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify
which bits in an IPv4 address to match. Unlike a subnet mask, in which binary 1 is equal
to a match and binary 0 is not a match, in a wildcard mask, the reverse is true.
• An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to
examine for a match.
• Wildcard masks use the following rules to match binary 1s and 0s:
• Wildcard mask bit 0 - Match the corresponding bit value in the address
• Wildcard mask bit 1 - Ignore the corresponding bit value in the address

Wildcard Masks in ACLs
Wildcard Mask Overview (Cont.)
Wildcard Mask (Last Octet in Binary) - Meaning (0 - match, 1 - ignore)
• 0.0.0.0 (00000000) - Match all octets.
• 0.0.0.63 (00111111) - Match the first three octets; match the two leftmost bits of the last octet; ignore
the last 6 bits.
• 0.0.0.15 (00001111) - Match the first three octets; match the four leftmost bits of the last octet; ignore
the last 4 bits of the last octet.
• 0.0.0.248 (11111100) - Match the first three octets; ignore the six leftmost bits of the last octet; match
the last two bits.
• 0.0.0.255 (11111111) - Match the first three octets; ignore the last octet.

Wildcard Masks in ACLs
Wildcard Mask Types
Wildcard to Match a Host:
• Assume ACL 10 needs an ACE that only permits the host with IPv4 address
192.168.1.1. Recall that “0” equals a match and “1” equals ignore. To match a specific
host IPv4 address, a wildcard mask consisting of all zeroes (i.e., 0.0.0.0) is required.
• When the ACE is processed, the wildcard mask will permit only the 192.168.1.1
address. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.1
0.0.0.0.

IPv4 address: 192.168.1.1 (binary 11000000.10101000.00000001.00000001)
Wildcard mask: 0.0.0.0 (binary 00000000.00000000.00000000.00000000)
Permitted IPv4 address: 192.168.1.1 (binary 11000000.10101000.00000001.00000001)

Wildcard Masks in ACLs
Wildcard Mask Types (Cont.)
Wildcard Mask to Match an IPv4 Subnet
• ACL 10 needs an ACE that permits all hosts in the 192.168.1.0/24 network. The
wildcard mask 0.0.0.255 stipulates that the very first three octets must match exactly
but the fourth octet does not.
• When processed, the wildcard mask 0.0.0.255 permits all hosts in the 192.168.1.0/24
network. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.0
0.0.0.255.

IPv4 address: 192.168.1.1 (binary 11000000.10101000.00000001.00000001)
Wildcard mask: 0.0.0.255 (binary 00000000.00000000.00000000.11111111)
Permitted IPv4 addresses: 192.168.1.0/24 (binary 11000000.10101000.00000001.00000000)

Wildcard Masks in ACLs
Wildcard Mask Types (Cont.)
Wildcard Mask to Match an IPv4 Address Range
• ACL 10 needs an ACE that permits all hosts in the 192.168.16.0/24, 192.168.17.0/24,
…, 192.168.31.0/24 networks.
• When processed, the wildcard mask 0.0.15.255 permits all hosts in the
192.168.16.0/24 to 192.168.31.0/24 networks. The resulting ACE in ACL 10 would
be access-list 10 permit 192.168.16.0 0.0.15.255.

IPv4 address: 192.168.16.0 (binary 11000000.10101000.00010000.00000000)
Wildcard mask: 0.0.15.255 (binary 00000000.00000000.00001111.11111111)
Permitted IPv4 addresses: 192.168.16.0/24 (binary 11000000.10101000.00010000.00000000)
to 192.168.31.0/24 (binary 11000000.10101000.00011111.00000000)

Wildcard Masks in ACLs
Wildcard Mask Calculation
Calculating wildcard masks can be challenging. One shortcut method is to
subtract the subnet mask from 255.255.255.255. Some examples:
• Assume you wanted an ACE in ACL 10 to permit access to all users in the
192.168.3.0/24 network. To calculate the wildcard mask, subtract the subnet mask
(255.255.255.0) from 255.255.255.255. This produces the wildcard mask 0.0.0.255.
The ACE would be access-list 10 permit 192.168.3.0 0.0.0.255.
• Assume you wanted an ACE in ACL 10 to permit network access for the 14 users in
the subnet 192.168.3.32/28. Subtract the subnet mask (i.e., 255.255.255.240) from
255.255.255.255. This produces the wildcard mask 0.0.0.15. The ACE would
be access-list 10 permit 192.168.3.32 0.0.0.15.
• Assume you needed an ACE in ACL 10 to permit only networks 192.168.10.0 and
192.168.11.0. These two networks could be summarized as 192.168.10.0/23 which is
a subnet mask of 255.255.254.0. Subtract 255.255.254.0 subnet mask from
255.255.255.255. This produces the wildcard mask 0.0.1.255. The ACE would
be access-list 10 permit 192.168.10.0 0.0.1.255.
Wildcard Masks in ACLs
Wildcard Mask Keywords
The Cisco IOS provides two keywords to identify the most common uses of wildcard
masking. The two keywords are:
• host - This keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4
address bits must match to filter just one host address.
• any - This keyword substitutes for the 255.255.255.255 mask. This mask says to
ignore the entire IPv4 address or to accept any addresses.
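The inbound standard ACL procedure from section 4.1 together with the wildcard mask rules, the subtraction shortcut and the host and any keywords, as an added Python example that is not Cisco code; ACL 10 and the packet sources are constructed, and the parser handles standard numbered ACEs only:

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_prefix(prefix_len: int) -> str:
    """The shortcut from the slides: 255.255.255.255 minus the subnet mask."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(ALL_ONES - subnet_mask))


def wildcard_match(packet_src: str, ace_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 means the address bit must match, bit 1 means ignore,
    so only the bits where the wildcard is 0 are compared."""
    care_bits = ALL_ONES ^ to_int(wildcard)
    return (to_int(packet_src) & care_bits) == (to_int(ace_addr) & care_bits)


def parse_ace(line: str) -> tuple:
    """Parse 'access-list <n> permit|deny <addr> [wildcard]'. Handles the
    host and any keywords; a bare address defaults to wildcard 0.0.0.0."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard IPv4 ACE: {line}")
    action, target = parts[2], parts[3:]
    if target[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if target[0] == "host":
        return action, target[1], "0.0.0.0"
    wildcard = target[1] if len(target) > 1 else "0.0.0.0"
    return action, target[0], wildcard


def evaluate(acl: list, packet_src: str) -> str:
    """Inbound standard ACL procedure: compare the source address against
    each ACE top-down, act on the first match, and if nothing matches fall
    through to the implicit deny that ends every ACL."""
    for line in acl:
        action, addr, wildcard = parse_ace(line)
        if wildcard_match(packet_src, addr, wildcard):
            return action
    return "deny"


# Constructed ACL 10 combining the slides' examples. Order matters: the
# host deny must precede the broader permit covering 192.168.16.0 to .31.0.
ACL_10 = [
    "access-list 10 deny host 192.168.16.7",
    "access-list 10 permit 192.168.16.0 " + wildcard_from_prefix(20),   # 0.0.15.255
    "access-list 10 permit 192.168.3.32 " + wildcard_from_prefix(28),   # 0.0.0.15
]

if __name__ == "__main__":
    for src in ("192.168.16.7", "192.168.31.200", "192.168.32.1", "192.168.3.40"):
        print(src, "->", evaluate(ACL_10, src))
```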

4.3 Guidelines for ACL
Creation

Guidelines for ACL Creation
Limited Number of ACLs per Interface
There is a limit on the number of ACLs that can be applied on a router interface. For
example, a dual-stacked (i.e., IPv4 and IPv6) router interface can have up to four ACLs
applied, as shown in the figure.
Specifically, a router interface can have:
• One outbound IPv4 ACL.
• One inbound IPv4 ACL.
• One inbound IPv6 ACL.
• One outbound IPv6 ACL.

Note: ACLs do not have to be configured in both directions. The number of ACLs and
their direction applied to the interface will depend on the security policy of the
organization.

Guidelines for ACL Creation
ACL Best Practices
Using ACLs requires attention to detail and great care. Mistakes can be costly in terms of
downtime, troubleshooting efforts, and poor network service. Basic planning is required
before configuring an ACL.

Guideline - Benefit
• Base ACLs on the organizational security policies. - This will ensure you implement
organizational security guidelines.
• Write out what you want the ACL to do. - This will help you avoid inadvertently creating
potential access problems.
• Use a text editor to create, edit, and save all of your ACLs. - This will help you create a
library of reusable ACLs.
• Document the ACLs using the remark command. - This will help you (and others)
understand the purpose of an ACE.
• Test the ACLs on a development network before implementing them on a production
network. - This will help you avoid costly errors.
4.4 Types of IPv4 ACLs

Types of IPv4 ACLs
Standard and Extended ACLs
There are two types of IPv4 ACLs:
• Standard ACLs - These permit or deny packets based only on the source IPv4
address.
• Extended ACLs - These permit or deny packets based on the source IPv4 address
and destination IPv4 address, protocol type, source and destination TCP or UDP ports
and more.

Types of IPv4 ACLs
Numbered and Named ACLs
Numbered ACLs
• ACLs numbered 1-99, or 1300-1999 are standard ACLs, while ACLs numbered 100-
199, or 2000-2699 are extended ACLs.

R1(config)# access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
rate-limit Simple rate-limit specific access list
template Enable IP template acls
R1(config)# access-list

Types of IPv4 ACLs
Numbered and Named ACLs (Cont.)
Named ACLs
• Named ACLs are the preferred method to use when configuring ACLs. Specifically,
standard and extended ACLs can be named to provide information about the purpose
of the ACL. For example, naming an extended ACL FTP-FILTER is far better than
having a numbered ACL 100.
• The ip access-list global configuration command is used to create a named ACL, as
shown in the following example.

R1(config)# ip access-list extended FTP-FILTER
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp-data
R1(config-ext-nacl)#

Types of IPv4 ACLs
Where to Place ACLs
• Every ACL should be placed where it
has the greatest impact on efficiency.
• Extended ACLs should be located as
close as possible to the source of the
traffic to be filtered.
• Standard ACLs should be located as
close to the destination as possible.

Types of IPv4 ACLs
Where to Place ACLs (Cont.)

Factors Influencing ACL Placement - Explanation
• The extent of organizational control - Placement of the ACL can depend on whether or
not the organization has control of both the source and destination networks.
• Bandwidth of the networks involved - It may be desirable to filter unwanted traffic at the
source to prevent transmission of bandwidth-consuming traffic.
• Ease of configuration - It may be easier to implement an ACL at the destination, but
traffic will use bandwidth unnecessarily. An extended ACL could be used on each router
where the traffic originated. This would save bandwidth by filtering the traffic at the
source, but it would require creating extended ACLs on multiple routers.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26
Types of IPv4 ACLs
Standard ACL Placement Example
In the figure, the administrator wants to prevent traffic originating in the
192.168.10.0/24 network from reaching the 192.168.30.0/24 network.

Following the basic placement guidelines, the administrator would place a
standard ACL on router R3, the router closest to the destination network.
Types of IPv4 ACLs
Standard ACL Placement Example (Cont.)
There are two possible interfaces on R3 to apply the standard ACL:
• R3 S0/1/1 interface (inbound) - The standard ACL can be applied inbound on the
R3 S0/1/1 interface to deny traffic from the .10 network. However, because a standard
ACL matches only the source address, it would also filter .10 traffic to the
192.168.31.0/24 (.31 in this example) network. Therefore, the standard ACL should not
be applied to this interface.
• R3 G0/0/0 interface (outbound) - The standard ACL can be applied outbound on the
R3 G0/0/0 interface. This will not affect other networks that are reachable by R3.
Packets from the .10 network will still be able to reach the .31 network. This is the best
interface on which to place the standard ACL to meet the traffic requirements.
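The two candidate placements on R3, checked mechanically. This is an added Python illustration, not code from the Cisco module: the flows that cross each interface, the interface roles (S0/1/1 from R2, G0/0/0 facing the .30 LAN, G0/0/1 facing the .31 LAN) and the extra 192.168.20.0/24 flow are constructed assumptions that mirror the figure the text describes. The point it makes is the one above: a standard ACL sees only the source address, so the placement decides what else gets caught.

```python
"""Check candidate placements of a standard ACL for collateral blocking.

Added illustration for the R3 placement example; not Cisco code. Flows,
interface roles and the 192.168.20.0/24 source are constructed assumptions.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str]  # (source host, destination host)

FLOWS: List[Flow] = [
    ("192.168.10.10", "192.168.30.10"),   # the traffic the policy must block
    ("192.168.10.11", "192.168.31.10"),   # same source network, other LAN: must pass
    ("192.168.20.10", "192.168.30.10"),   # unrelated source: must pass
]

# Which flows cross each candidate (interface, direction) on R3 (assumed topology).
TRAVERSES: Dict[Tuple[str, str], List[Flow]] = {
    ("S0/1/1", "in"): FLOWS,                                        # everything enters here
    ("G0/0/0", "out"): [f for f in FLOWS if f[1].startswith("192.168.30.")],
    ("G0/0/1", "out"): [f for f in FLOWS if f[1].startswith("192.168.31.")],
}

POLICY_SRC = ipaddress.ip_network("192.168.10.0/24")
POLICY_DST = ipaddress.ip_network("192.168.30.0/24")

def standard_acl_denies(src: str) -> bool:
    """The ACL 'deny 192.168.10.0 0.0.0.255' / 'permit any' sees only the source."""
    return ipaddress.ip_address(src) in POLICY_SRC

def intended_deny(flow: Flow) -> bool:
    """What the administrator actually wants: .10 sources going to .30 destinations."""
    src, dst = flow
    return (ipaddress.ip_address(src) in POLICY_SRC
            and ipaddress.ip_address(dst) in POLICY_DST)

def evaluate_placement(point: Tuple[str, str]) -> Dict[str, Set[Flow]]:
    """Flows a placement denies beyond the policy ('collateral') or fails to deny ('missed')."""
    denied = {f for f in TRAVERSES[point] if standard_acl_denies(f[0])}
    wanted = {f for f in FLOWS if intended_deny(f)}
    return {"collateral": denied - wanted, "missed": wanted - denied}

def best_placement() -> Tuple[str, str]:
    """First candidate that enforces the policy exactly."""
    for point in TRAVERSES:
        verdict = evaluate_placement(point)
        if not verdict["collateral"] and not verdict["missed"]:
            return point
    raise LookupError("no candidate enforces the policy exactly")

if __name__ == "__main__":
    for point in TRAVERSES:
        print(point, evaluate_placement(point))
    print("best:", best_placement())
```

Running it reports the .10 to .31 flow as collateral damage for the inbound S0/1/1 placement and an empty collateral set for G0/0/0 outbound, which is the conclusion the slide reaches by hand.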
Types of IPv4 ACLs
Extended ACL Placement Example
• Extended ACLs should be located as close to the source as possible.
• However, the organization can only place ACLs on devices that they control.
Therefore, the extended ACL placement must be determined in the context of
where organizational control extends.
• In the figure, for example, Company A wants to deny Telnet and FTP traffic to
Company B's 192.168.30.0/24 network from their 192.168.11.0/24 network, while
permitting all other traffic.
Types of IPv4 ACLs
Extended ACL Placement Example (Cont.)
An extended ACL on R3 would accomplish the task, but the administrator does not
control R3. In addition, this solution allows unwanted traffic to cross the entire
network, only to be blocked at the destination.
The solution is to place an extended ACL on R1 that specifies both source and
destination addresses. There are two possible interfaces on R1 to apply the
extended ACL:
• R1 S0/1/0 interface (outbound) - The extended ACL can be applied outbound on the
S0/1/0 interface. This solution will process all packets leaving R1, including packets from
192.168.10.0/24, which the policy does not concern.
• R1 G0/0/1 interface (inbound) - The extended ACL can be applied inbound on G0/0/1,
so that only packets from the 192.168.11.0/24 network are subject to ACL processing on
R1. Because the filter is to be limited to only those packets leaving the 192.168.11.0/24
network, applying the extended ACL inbound on G0/0/1 is the best solution.
4.5 Module Practice and Quiz

Module Practice and Quiz
What Did I Learn In This Module?
• An ACL is a series of IOS commands that are used to filter packets based on information found in the
packet header.
• A router does not have any ACLs configured by default.
• When an ACL is applied to an interface, the router performs the additional task of evaluating every
packet that passes through the interface in the direction the ACL is applied, to determine whether the
packet can be forwarded.
• An ACL uses a sequential list of permit or deny statements, known as access control entries (ACEs).
The first ACE that matches a packet decides its fate; a packet that matches no ACE is dropped by the
implicit deny at the end of every ACL.
• Cisco routers support two types of IPv4 ACLs: standard ACLs and extended ACLs.
• An inbound ACL filters packets before they are routed to the outbound interface. If the packet is permitted
by the ACL, it is then processed for routing.
• An outbound ACL filters packets after they have been routed, regardless of the inbound interface.
• An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to examine for a match.
• A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which bits in an
IPv4 address to match. However, they differ in the way they match binary 1s and 0s. Wildcard mask bit
0 matches the corresponding bit value in the address. Wildcard mask bit 1 ignores the corresponding bit
value in the address.
Module Practice and Quiz
What Did I Learn In This Module? (Cont.)
• A shortcut to calculating a wildcard mask is to subtract the subnet mask from 255.255.255.255.
• Working with decimal representations of binary wildcard mask bits can be simplified by using the Cisco IOS
keywords host (wildcard 0.0.0.0) and any (wildcard 255.255.255.255) for the most common uses of
wildcard masking.
• There is a limit on the number of ACLs that can be applied on a router interface: one ACL per protocol,
per direction, per interface.
• ACLs do not have to be configured in both directions. The number of ACLs and the direction in which they
are applied to an interface depend on the security policy of the organization.
• Standard ACLs permit or deny packets based only on the source IPv4 address.
• Extended ACLs permit or deny packets based on the source IPv4 address and destination IPv4 address,
protocol type, source and destination TCP or UDP ports, and more.
• ACLs numbered 1-99 or 1300-1999 are standard ACLs. ACLs numbered 100-199 or 2000-2699 are
extended ACLs.
• Named ACLs are the preferred method to use when configuring ACLs. Specifically, standard and extended
ACLs can be named to describe the purpose of the ACL.
• Every ACL should be placed where it has the greatest impact on efficiency.
Module Practice and Quiz
What Did I Learn In This Module? (Cont.)
• Extended ACLs should be located as close as possible to the source of the traffic to be filtered. This way,
undesirable traffic is denied close to the source network without crossing the network infrastructure.
• Standard ACLs should be located as close to the destination as possible. If a standard ACL was placed at
the source of the traffic, the "permit" or "deny" would occur based on the given source address no matter
where the traffic is destined.
• Placement of the ACL may depend on the extent of organizational control, bandwidth of the networks, and
ease of configuration.
Module 5: ACLs for IPv4 Configuration
Enterprise Networking, Security, and Automation v7.0 (ENSA)
Module Objectives
Module Title: ACLs for IPv4 Configuration

Module Objective: Implement IPv4 ACLs to filter traffic and secure administrative access.

Topic Title: Topic Objective
• Configure Standard IPv4 ACLs: Configure standard IPv4 ACLs to filter traffic to meet
networking requirements.
• Modify IPv4 ACLs: Use sequence numbers to edit existing standard IPv4 ACLs.
• Secure VTY Ports with a Standard IPv4 ACL: Configure a standard ACL to secure VTY access.
• Configure Extended IPv4 ACLs: Configure extended IPv4 ACLs to filter traffic according to
networking requirements.
5.1 Configure Standard IPv4
ACLs

Configure Standard IPv4 ACLs
Create an ACL
All access control lists (ACLs) must be planned. When configuring a complex ACL, it is
suggested that you:
• Use a text editor and write out the specifics of the policy to be implemented.
• Add the IOS configuration commands to accomplish those tasks.
• Include remarks to document the ACL.
• Copy and paste the commands onto the device.
• Always thoroughly test an ACL to ensure that it correctly applies the desired policy.

Configure Standard IPv4 ACLs
Numbered Standard IPv4 ACL Syntax
To create a numbered standard ACL, use the access-list command.

Parameter Description
access-list-number Number range is 1 to 99 or 1300 to 1999
deny Denies access if the condition is matched
permit Permits access if the condition is matched
remark text (Optional) text entry for documentation purposes
source Identifies the source network or host address to filter
source-wildcard (Optional) 32-bit wildcard mask that is applied to the source
log (Optional) Generates and sends an informational message when the ACE is matched

Note: Use the no access-list access-list-number global configuration command to remove a numbered standard ACL.

Configure Standard IPv4 ACLs
Named Standard IPv4 ACL Syntax
To create a named standard ACL, use the ip access-list standard command.
• ACL names are alphanumeric, case sensitive, and must be unique.
• Capitalizing ACL names is not required but makes them stand out when viewing the
running-config output.

Configure Standard IPv4 ACLs
Apply a Standard IPv4 ACL
After a standard IPv4 ACL is configured, it must be linked to an interface or feature.
• The ip access-group command is used to bind a numbered or named standard IPv4
ACL to an interface.
• To remove an ACL from an interface, first enter the no ip access-group interface
configuration command.

Configure Standard IPv4 ACLs
Numbered Standard ACL Example
The example ACL permits traffic from host 192.168.10.10 and all hosts on the
192.168.20.0/24 network out interface serial 0/1/0 on router R1. Traffic from any
other source address is dropped by the implicit deny at the end of the ACL.
Configure Standard IPv4 ACLs
Numbered Standard ACL Example (Cont.)
• Use the show running-config command to review the ACL in the configuration.
• Use the show ip interface command to verify the ACL is applied to the interface.

Configure Standard IPv4 ACLs
Named Standard ACL Example
The example ACL permits traffic from host 192.168.10.10 and all hosts on the
192.168.20.0/24 network out interface serial 0/1/0 on router R1.
Configure Standard IPv4 ACLs
Named Standard ACL Example (Cont.)
• Use the show access-lists command to review the ACL in the configuration.
• Use the show ip interface command to verify the ACL is applied to the interface.
Configure Standard IPv4 ACLs
Packet Tracer – Configure Numbered Standard IPv4 ACLs
In this Packet Tracer, you will complete the following objectives:
• Plan an ACL Implementation.
• Configure, Apply, and Verify a Standard ACL.

Configure Standard IPv4 ACLs
Packet Tracer – Configure Named Standard IPv4 ACLs
In this Packet Tracer, you will complete the following objectives:
• Configure and Apply a Named Standard ACL.
• Verify the ACL Implementation.

5.2 Modify IPv4 ACLs

Modify IPv4 ACLs
Two Methods to Modify an ACL
After an ACL is configured, it may need to be modified. ACLs with multiple ACEs can be
complex to configure. Sometimes the configured ACE does not yield the expected
behaviors.
There are two methods to use when modifying an ACL:
• Use a text editor.
• Use sequence numbers.

Modify IPv4 ACLs
Text Editor Method
ACLs with multiple ACEs should be created in a text editor. This allows you to plan the
required ACEs, create the ACL, and then paste it into the router interface. It also simplifies
the tasks to edit and fix an ACL.
To correct an error in an ACL:
• Copy the ACL from the running configuration and paste it into the text editor.
• Make the necessary edits or changes.
• Remove the previously configured ACL on the router.
• Copy and paste the edited ACL back to the router.

Modify IPv4 ACLs
Sequence Number Method
An ACE can be deleted or added using the ACL sequence numbers.
• Use the ip access-list standard command to enter the ACL configuration mode and
edit the ACL.
• Statements cannot be overwritten using an existing sequence number. The current
statement must be deleted first with the no 10 command (where 10 is its sequence
number). Then the corrected ACE can be added using the same sequence number.
Modify IPv4 ACLs
Modify a Named ACL Example
Named ACLs can also use sequence numbers to delete and add ACEs. In the example,
an ACE is added to deny host 192.168.10.11.
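A small model of the sequence number rules the two slides above describe, as an added Python example (not Cisco code). It captures the behaviour that matters when editing: an ACE entered without a sequence number is placed after the highest existing one, an ACE with a sequence number that already exists is refused until the old one is removed with no <seq>, and the list is always kept in sequence order. The resequence method mirrors the IOS ip access-list resequence command, which these slides do not cover.

```python
"""How sequence numbers govern editing an IOS ACL.

Added example (not Cisco code). Models: no sequence number given -> highest
existing number plus 10; an existing sequence number is rejected, so the old
entry must first be removed with "no <seq>"; entries list in sequence order.
"""
from typing import Dict, List, Optional, Tuple

class SequencedAcl:
    def __init__(self, name: str) -> None:
        self.name = name
        self._aces: Dict[int, str] = {}

    def add(self, text: str, seq: Optional[int] = None) -> int:
        """Add an ACE; return the sequence number it received."""
        if seq is None:
            seq = max(self._aces, default=0) + 10
        if seq in self._aces:
            # IOS refuses to overwrite an ACE in place; the two-step edit is required.
            raise ValueError(f"% Duplicate sequence number {seq}: remove it first")
        self._aces[seq] = text
        return seq

    def remove(self, seq: int) -> str:
        """'no <seq>' inside the ACL; KeyError if no such entry exists."""
        return self._aces.pop(seq)

    def replace(self, seq: int, text: str) -> None:
        """The two-step edit the slide describes: 'no <seq>', then re-add with that number."""
        self.remove(seq)
        self.add(text, seq)

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """Equivalent of 'ip access-list resequence <name> <start> <step>' (not on the slides)."""
        ordered = [self._aces[s] for s in sorted(self._aces)]
        self._aces = {start + i * step: t for i, t in enumerate(ordered)}

    def listing(self) -> List[Tuple[int, str]]:
        """What show access-lists prints: entries in sequence order, not entry order."""
        return sorted(self._aces.items())

if __name__ == "__main__":
    acl = SequencedAcl("NO-ACCESS")
    acl.add("deny host 192.168.10.10")
    acl.add("permit 192.168.10.0 0.0.0.255")
    acl.add("deny host 192.168.10.11", seq=15)   # lands between 10 and 20
    for seq, text in acl.listing():
        print(seq, text)
```

Because the listing is ordered by sequence number, an ACE added with seq=15 takes effect before the permit at 20 even though it was typed last; that ordering, not the order of entry, is what the router evaluates.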
Modify IPv4 ACLs
ACL Statistics
The show access-lists command in the example shows statistics for each statement that
has been matched.
• The deny ACE has been matched 20 times and the permit ACE has been matched 64 times.
• Note that the implied deny any statement does not display any statistics. To track how many implicit
denied packets have been matched, you must manually configure the deny any command.
• Use the clear access-list counters command to clear the ACL statistics.

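An ACL evaluator in Python that behaves the way the module describes, serving both the wildcard mask and first-match summary in Module 4 and the match counters on this slide. This is an added example, not Cisco code: it parses the subset of ACE syntax used on these slides (standard ACEs with host, any or an explicit wildcard, and extended ip, tcp or udp ACEs with an optional eq port after the source and the destination), walks the ACEs top-down, stops at the first match, falls through to an implicit deny, and counts matches per ACE. The established, log and remark forms are not modelled here; the port-name table is a constructed subset of the IOS keywords.

```python
"""Evaluate IPv4 ACEs the way IOS does: top-down, first match wins, implicit deny.

Added example for this module; not Cisco code. Handles the ACE forms used on
these slides; established, log and remark are not modelled.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23,   # constructed subset
              "domain": 53, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")

def to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = this address bit must match, bit 1 = ignore it."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def parse_addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any' | 'host A' | 'A W' at t[i]; return ((base, wildcard), next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <name|number>' at t[i]."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        port = PORT_NAMES.get(name)
        return (port if port is not None else int(name)), i + 2   # int() rejects unknown names
    return None, i

@dataclass
class Ace:
    action: str                      # "permit" | "deny"
    proto: str                       # "ip" | "tcp" | "udp"; standard ACEs use "ip"
    src: Tuple[str, str]
    dst: Tuple[str, str]
    sport: Optional[int] = None
    dport: Optional[int] = None
    hits: int = 0

def parse_ace(text: str) -> Ace:
    t = text.split()
    if t[1] in ("ip", "tcp", "udp"):                  # extended ACE
        src, i = parse_addr(t, 2)
        sport, i = parse_port(t, i)
        dst, i = parse_addr(t, i)
        dport, i = parse_port(t, i)
        return Ace(t[0], t[1], src, dst, sport, dport)
    src, _ = parse_addr(t, 1)                         # standard ACE: source only
    return Ace(t[0], "ip", src, ANY)

@dataclass
class Acl:
    name: str
    aces: List[Ace] = field(default_factory=list)
    implicit_deny_hits: int = 0      # IOS shows no counter for this; we keep one

    def check(self, src: str, dst: str, proto: str = "ip",
              sport: Optional[int] = None, dport: Optional[int] = None) -> str:
        for ace in self.aces:                         # sequential, first match wins
            if ace.proto != "ip" and ace.proto != proto:
                continue
            if not (wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)):
                continue
            if ace.sport is not None and ace.sport != sport:
                continue
            if ace.dport is not None and ace.dport != dport:
                continue
            ace.hits += 1
            return ace.action
        self.implicit_deny_hits += 1                  # fell off the end: deny
        return "deny"

    def stats(self) -> List[Tuple[int, str, int]]:
        """(sequence, action, matches), like the counters in show access-lists."""
        return [(10 * n, a.action, a.hits) for n, a in enumerate(self.aces, 1)]

def build(name: str, lines: List[str]) -> Acl:
    return Acl(name, [parse_ace(line) for line in lines])
```

Note how the implicit deny is counted separately: on a real router those packets are invisible in show access-lists unless you add an explicit deny any, which is exactly the advice on this slide.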
Modify IPv4 ACLs
Packet Tracer – Configure and Modify Standard IPv4 ACLs
In this Packet Tracer, you will complete the following objectives:
• Configure Devices and Verify Connectivity.
• Configure and Verify Standard Numbered and Named ACLs.
• Modify a Standard ACL.

5.3 Secure VTY Ports with a
Standard IPv4 ACL

Secure VTY Ports with a Standard IPv4 ACL
The access-class Command
A standard ACL can secure remote administrative access to a device using the vty lines
by implementing the following two steps:
• Create an ACL to identify which administrative hosts should be allowed remote access.
• Apply the ACL to incoming traffic on the vty lines with the access-class line
configuration command.
Because the ACL is bound to the lines rather than to an interface, it filters management
sessions no matter which interface they arrive on.
Secure VTY Ports with a Standard IPv4 ACL
Secure VTY Access Example
This example demonstrates how to configure an ACL to filter vty traffic.
• First, a local database entry for a user ADMIN with the password class is configured.
• The vty lines on R1 are configured to use the local database for authentication, to
accept only SSH as the transport, and to use the ADMIN-HOST ACL to restrict which
hosts may connect.
Secure VTY Ports with a Standard IPv4 ACL
Verify the VTY Port is Secured
After an ACL to restrict access to the vty lines is configured, it is important to verify that it
works as expected. To verify the ACL statistics, issue the show access-lists command.
• The match in the permit line of the output is the result of a successful SSH connection by
the host with IP address 192.168.10.10.
• The match in the deny statement is due to the failed attempt to create an SSH
connection from a device on another network.
5.4 Configure Extended IPv4
ACLs

Configure Extended IPv4 ACLs
Extended ACLs
Extended ACLs provide a greater degree of control. They can filter on source
address, destination address, protocol (i.e., IP, TCP, UDP, ICMP), and port
number.

Extended ACLs can be created as:
• Numbered Extended ACL - Created using the access-list access-list-number global
configuration command, with a number in the range 100-199 or 2000-2699.
• Named Extended ACL - Created using the ip access-list extended access-list-name
global configuration command.
Configure Extended IPv4 ACLs
Protocols and Ports
Extended ACLs can filter on internet protocols and ports. Use the ? to get help when
entering a complex ACE. The four protocols highlighted in the Protocol Options output
(ip, icmp, tcp and udp) are the most popular options.
Configure Extended IPv4 ACLs
Protocols and Ports (Cont.)
Selecting a protocol influences the port options that are offered. Many TCP port options
are available, as shown in the output.
Configure Extended IPv4 ACLs
Protocols and Port Numbers Configuration Examples
Extended ACLs can filter on different port number and port name options.

This example configures an extended ACL 100 to filter HTTP traffic. The first ACE uses
the www port name. The second ACE uses the port number 80. Both ACEs achieve
exactly the same result.

Configuring the port number is required when there is no keyword for the service, as is
the case for SSH (port number 22) and HTTPS (port number 443) in the next example.
Configure Extended IPv4 ACLs
Apply a Numbered Extended IPv4 ACL
In this example, the ACL permits both HTTP and HTTPS traffic from the 192.168.10.0/24
network to any destination.

Extended ACLs can be applied in various locations. However, they are commonly applied
close to the source. Here ACL 110 is applied inbound on the R1 G0/0/0 interface, the
interface facing the 192.168.10.0/24 network.
Configure Extended IPv4 ACLs
TCP Established Extended ACL
An extended ACL can also provide a basic, stateless approximation of a stateful firewall
by using the TCP established keyword.
• The established keyword lets inside hosts initiate sessions out of the inside private
network and permits the returning reply traffic to enter the inside private network.
• TCP traffic generated by an outside host and attempting to open a connection to an
inside host is denied.
Note: The router keeps no connection table for this check. It looks only at the flag bits of
each TCP segment, so it cannot tell a genuine reply from a crafted segment that carries
the same flags.
Configure Extended IPv4 ACLs
TCP Established Extended ACL (Cont.)
• ACL 120 is configured to permit only returning web traffic to the inside hosts. The ACL
is then applied outbound on the R1 G0/0/0 interface.
• The show access-lists command shows that inside hosts are accessing the secure
web resources on the internet.
Note: A match occurs if the returning TCP segment has the ACK or reset (RST) flag bit set,
indicating that the segment belongs to an existing connection.
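What the established keyword actually tests, and the gap it leaves, as an added Python example (not Cisco code). The match rule is the one in the note above: ACK or RST set. The three segments are constructed: the SYN/ACK reply of a web session an inside host opened, an outside host's SYN trying to open a connection inward, and the same outside host sending a bare ACK with no session behind it, which is what an ACK scan sends.

```python
"""What 'established' checks, and why it is not stateful.

Added example, not Cisco code. The ACE 'permit tcp any 192.168.10.0 0.0.0.255
established' matches a segment only if its ACK or RST bit is set. Segments are
constructed; ACL 120 below is the one the slide applies outbound on R1 G0/0/0.
"""
from dataclasses import dataclass
from typing import Dict

ACK, RST, SYN = 0x10, 0x04, 0x02          # TCP flag bits

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int

def established(seg: Segment) -> bool:
    """The whole 'established' test: two flag bits, no connection table."""
    return bool(seg.flags & (ACK | RST))

def acl_120(seg: Segment) -> str:
    """permit tcp any 192.168.10.0 0.0.0.255 established ; implicit deny."""
    to_inside = seg.dst.startswith("192.168.10.")
    return "permit" if to_inside and established(seg) else "deny"

# Return half of an HTTPS session PC1 opened: SYN/ACK from the web server.
REPLY = Segment("209.165.201.1", "192.168.10.10", 443, 51522, SYN | ACK)
# An outside host trying to open an SSH connection to an inside host.
PROBE_SYN = Segment("209.165.201.2", "192.168.10.10", 40000, 22, SYN)
# Same outside host, bare ACK: no session exists, but the ACE has no way to know.
PROBE_ACK = Segment("209.165.201.2", "192.168.10.10", 40000, 22, ACK)

def demo() -> Dict[str, str]:
    """Verdict of ACL 120 for each constructed segment."""
    return {name: acl_120(seg) for name, seg in
            [("reply", REPLY), ("probe_syn", PROBE_SYN), ("probe_ack", PROBE_ACK)]}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} {verdict}")
```

The SYN probe is denied as intended, but the bare ACK is permitted through to the inside host, which will answer it with an RST. That is enough for an attacker to map which inside addresses are alive and which ports are unfiltered, which is the reason the established keyword is described as basic filtering rather than a firewall.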
Configure Extended IPv4 ACLs
Named Extended IPv4 ACL Syntax
Naming an ACL makes it easier to understand its function. To create a named extended
ACL, use the ip access-list extended configuration command.

In the example, a named extended ACL called NO-FTP-ACCESS is created and the
prompt changed to named extended ACL configuration mode. ACE statements are
entered in the named extended ACL sub configuration mode.

Configure Extended IPv4 ACLs
Named Extended IPv4 ACL Example
The topology below is used to demonstrate configuring and applying two named extended
IPv4 ACLs to an interface:
• SURFING - This will permit inside HTTP and HTTPS traffic to exit to the internet.
• BROWSING - This will only permit returning web traffic to the inside hosts while all other traffic
exiting the R1 G0/0/0 interface is implicitly denied.

Configure Extended IPv4 ACLs
Named Extended IPv4 ACL Example (Cont.)
• The SURFING ACL permits HTTP and HTTPS traffic from inside users to exit the
G0/0/1 interface connected to the internet. Web traffic returning from the internet is
permitted back into the inside private network by the BROWSING ACL.
• The SURFING ACL is applied inbound and the BROWSING ACL is applied outbound
on the R1 G0/0/0 interface.
Configure Extended IPv4 ACLs
Named Extended IPv4 ACL Example (Cont.)
The show access-lists command is used to verify the ACL statistics. Notice that the
permit secure HTTPS counters (i.e., eq 443) in the SURFING ACL and the return
established counters in the BROWSING ACL have increased.

Configure Extended IPv4 ACLs
Edit Extended ACLs
An extended ACL can be edited using a text editor when many changes are required. Or,
if the edit applies to one or two ACEs, then sequence numbers can be used.

Example:
• The ACE with sequence number 10 in the SURFING ACL has an incorrect source
network address.
• To correct this error, the original statement is removed with the no sequence_#
command and the corrected statement is added with the same sequence number,
replacing the original.
• The show access-lists command output verifies the configuration change.
Configure Extended IPv4 ACLs
Another Extended IPv4 ACL Example
Two named extended ACLs will be created:
• PERMIT-PC1 - This will permit only PC1 TCP access to the internet and deny all other hosts in the
private network.
• REPLY-PC1 - This will permit only the specified returning TCP traffic to PC1 and implicitly deny all
other traffic.
Configure Extended IPv4 ACLs
Another Extended IPv4 ACL Example (Cont.)
• The PERMIT-PC1 ACL permits PC1 (192.168.10.10) TCP access for FTP, SSH, Telnet,
DNS, HTTP, and HTTPS.
• The REPLY-PC1 ACL permits the return traffic to PC1.
• The PERMIT-PC1 ACL is applied inbound and the REPLY-PC1 ACL is applied outbound
on the R1 G0/0/0 interface.
Configure Extended IPv4 ACLs
Verify Extended ACLs
The show ip interface command is used to verify the ACL on the interface and the
direction in which it was applied.
Configure Extended IPv4 ACLs
Verify Extended ACLs (Cont.)
The show access-lists command can be used to confirm that the ACLs work as
expected. The command displays statistic counters that increase whenever an ACE is
matched.
Note: Traffic must be generated to verify the operation of the ACL.

Configure Extended IPv4 ACLs
Verify Extended ACLs (Cont.)
The show running-config command can be used to validate what was configured. The
command also displays configured remarks.

Configure Extended IPv4 ACLs
Packet Tracer – Configure Extended IPv4 ACLs - Scenario 1
In this Packet Tracer, you will complete the following objectives:
• Configure, Apply, and Verify an Extended Numbered IPv4 ACL.
• Configure, Apply, and Verify an Extended Named IPv4 ACL.

Configure Extended IPv4 ACLs
Packet Tracer – Configure Extended IPv4 ACLs - Scenario 2
In this Packet Tracer, you will complete the following objectives:
• Configure a Named Extended IPv4 ACL.
• Apply and Verify the Extended IPv4 ACL.

5.5 Module Practice and
Quiz

Module Practice and Quiz
Packet Tracer – IPv4 ACL Implementation Challenge
In this Packet Tracer, you will complete the following objectives:
• Configure a router with standard named ACLs
• Configure a router with extended named ACLs
• Configure a router with extended ACLs to meet specific communication requirements
• Configure an ACL to control access to network device terminal lines
• Configure the appropriate router interfaces with ACLs in the appropriate direction
• Verify the operation of the configured ACLs

Module Practice and Quiz
Lab – Configure and Verify Extended IPv4 ACLs
In this lab, you will complete the following objectives:
• Build the Network and Configure Basic Device Settings
• Configure and Verify Extended IPv4 ACLs
Module Practice and Quiz
What did I learn in this module?
• To create a numbered standard ACL, use the access-list access-list-number {deny | permit |
remark text} source [source-wildcard] [log] global configuration command.
• Use the no access-list access-list-number global configuration command to remove a
numbered standard ACL.
• Use the show ip interface command to verify whether an interface has an ACL applied to it.
• To create a named standard ACL, use the ip access-list standard access-list-name global
configuration command.
• Use the no ip access-list standard access-list-name global configuration command to
remove a named standard IPv4 ACL.
• To bind a numbered or named standard IPv4 ACL to an interface, use the ip access-group
{access-list-number | access-list-name} {in | out} interface configuration command.
• To remove an ACL from an interface, enter the no ip access-group interface
configuration command.
• To remove the ACL from the router, use the no access-list global configuration command.
Module Practice and Quiz
What did I learn in this module? (Cont.)
• Extended ACLs can filter on source address, destination address, protocol (i.e., IP, TCP, UDP,
ICMP), and port number.
• To create a numbered extended ACL, use the access-list access-list-number {deny | permit |
remark text} protocol source source-wildcard [operator [port]] destination destination-wildcard
[operator [port]] [established] [log] global configuration command.
• ACLs can also approximate basic stateful firewall behaviour using the TCP established keyword.
• The show ip interface command is used to verify the ACL on the interface and the direction
in which it was applied.
• To modify an ACL, use a text editor or use sequence numbers.
• An ACE can be deleted or added using the ACL sequence numbers.
• Sequence numbers are automatically assigned when an ACE is entered without one.
Module 6: NAT for IPv4
Enterprise Networking, Security, and Automation v7.0 (ENSA)
Module Objectives
Module Title: NAT for IPv4

Module Objective: Configure NAT services on the edge router to provide IPv4 address
scalability.

Topic Title: Topic Objective
• NAT Characteristics: Explain the purpose and function of NAT.
• Types of NAT: Explain the operation of different types of NAT.
• NAT Advantages and Disadvantages: Describe the advantages and disadvantages of NAT.
• Static NAT: Configure static NAT using the CLI.
• Dynamic NAT: Configure dynamic NAT using the CLI.
• PAT: Configure PAT using the CLI.
• NAT64: Describe NAT for IPv6.
6.1 NAT Characteristics

NAT Characteristics
IPv4 Address Space
• Networks are commonly implemented using private IPv4 addresses, as defined in RFC 1918:
  Class A: 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
  Class B: 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
  Class C: 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)
• Private IPv4 addresses cannot be routed over the internet and are used within an
organization or site to allow devices to communicate locally.
• To allow a device with a private IPv4 address to access devices and resources outside
of the local network, the private address must first be translated to a public address.
• NAT provides the translation of private addresses to public addresses.
NAT Characteristics
What is NAT
• The primary use of NAT is to conserve
public IPv4 addresses.
• NAT allows networks to use private IPv4
addresses internally and translates them
to a public address when needed.
• A NAT router typically operates at the
border of a stub network.
• When a device inside the stub network
wants to communicate with a device
outside of its network, the packet is
forwarded to the border router which
performs the NAT process, translating
the internal private address of the device
to a public, outside, routable address.

NAT Characteristics
How NAT Works
PC1 wants to communicate with an outside web server with
public address 209.165.201.1.
1. PC1 sends a packet addressed to the web server.
2. R2 receives the packet and reads the source IPv4 address
to determine if it needs translation.
3. R2 adds mapping of the local to global address to the NAT
table.
4. R2 sends the packet with the translated source address
toward the destination.
5. The web server responds with a packet addressed to the
inside global address of PC1 (209.165.200.226).
6. R2 receives the packet with destination address
209.165.200.226. R2 checks the NAT table and finds an
entry for this mapping. R2 uses this information and
translates the inside global address (209.165.200.226) to
the inside local address (192.168.10.10), and the packet is
forwarded toward PC1.
NAT Characteristics
NAT Terminology
NAT includes four types of addresses:
• Inside local address
• Inside global address
• Outside local address
• Outside global address
NAT terminology is always applied from the perspective of the device with the
translated address:
• Inside address - The address of the device which is being translated by NAT.
• Outside address - The address of the destination device.
• Local address - A local address is any address that appears on the inside portion
of the network.
• Global address - A global address is any address that appears on the outside
portion of the network.
NAT Characteristics
NAT Terminology (Cont.)
Inside local address
The address of the source as seen from inside the network. This is typically a private
IPv4 address. The inside local address of PC1 is 192.168.10.10.
Inside global address
The address of the source as seen from the outside network. The inside global address
of PC1 is 209.165.200.226.
Outside global address
The address of the destination as seen from the outside network. The outside global
address of the web server is 209.165.201.1.
Outside local address
The address of the destination as seen from the inside network. PC1 sends traffic to the
web server at the IPv4 address 209.165.201.1. While uncommon, this address could be
different from the globally routable address of the destination.
6.2 Types of NAT

Types of NAT
Static NAT
Static NAT uses a one-to-one mapping of
local and global addresses configured by
the network administrator that remain
constant.
• Static NAT is useful for web servers or
devices that must have a consistent
address that is accessible from the
internet, such as a company web server.
• It is also useful for devices that must be
accessible by authorized personnel when
offsite, but not by the general public on
the internet.
Note: Static NAT requires that enough public
addresses are available to satisfy the total
number of simultaneous user sessions.
Types of NAT
Dynamic NAT
Dynamic NAT uses a pool of public
addresses and assigns them on a first-
come, first-served basis.
• When an inside device requests access
to an outside network, dynamic NAT
assigns an available public IPv4 address
from the pool.
• The other addresses in the pool are still
available for use.
Note: Dynamic NAT requires that enough
public addresses are available to satisfy the
total number of simultaneous user sessions.
Types of NAT
Port Address Translation
Port Address Translation (PAT), also known
as NAT overload, maps multiple private
IPv4 addresses to a single public IPv4
address or a few addresses.
• With PAT, when the NAT router receives
a packet from the client, it uses the
source port number to uniquely identify
the specific NAT translation.
• PAT ensures that devices use a different
TCP port number for each session with
a server on the internet.
Types of NAT
Next Available Port
PAT attempts to preserve the original
source port. If the original source port is
already used, PAT assigns the first
available port number starting from the
beginning of the appropriate port group 0-
511, 512-1,023, or 1,024-65,535.
• When there are no more ports available
and there is more than one external
address in the address pool, PAT moves
to the next address to try to allocate the
original source port.
• The process continues until there are no
more available ports or external IPv4
addresses in the address pool.
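The port-selection rule above, worked through as an added example that is not part of the Cisco course material: a small Python model of a PAT table. The assumptions are mine, not the course's: the table is keyed only on protocol, inside local address and source port, a pool's addresses are tried in the order listed, and the sample flows reuse the PC1/PC2 addresses from this module. The model preserves the original source port when it is free, otherwise takes the first free port from the beginning of the port group, and moves to the next pool address only when the group is exhausted.

```python
from dataclasses import dataclass, field

# Port groups from which PAT picks a replacement source port when the
# original port is already in use on the chosen inside global address.
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port: int) -> tuple[int, int]:
    """Return the (low, high) bounds of the group that contains port."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"invalid port {port}")


@dataclass
class PatTable:
    """Minimal model of a PAT (NAT overload) translation table.

    inside_globals: the public addresses in the pool, tried in listed order
    (an assumption of this model).
    """
    inside_globals: list[str]
    # (proto, inside_local, local_port) -> (inside_global, global_port)
    forward: dict = field(default_factory=dict)
    # (proto, inside_global, global_port) -> (inside_local, local_port)
    reverse: dict = field(default_factory=dict)

    def _in_use(self, proto: str, inside_global: str, port: int) -> bool:
        return (proto, inside_global, port) in self.reverse

    def translate(self, proto: str, inside_local: str, local_port: int):
        """Allocate (or reuse) the inside global address:port for a flow."""
        key = (proto, inside_local, local_port)
        if key in self.forward:              # an existing session keeps its mapping
            return self.forward[key]
        low, high = port_group(local_port)
        for inside_global in self.inside_globals:
            if not self._in_use(proto, inside_global, local_port):
                chosen = local_port          # preserve the original source port
            else:
                # first free port, searched from the beginning of the port group
                chosen = next((p for p in range(low, high + 1)
                               if not self._in_use(proto, inside_global, p)), None)
                if chosen is None:           # group exhausted: try the next address
                    continue
            self.forward[key] = (inside_global, chosen)
            self.reverse[(proto, inside_global, chosen)] = (inside_local, local_port)
            return self.forward[key]
        raise RuntimeError("no free ports or inside global addresses left")

    def untranslate(self, proto: str, inside_global: str, global_port: int):
        """Return path: map a destination address:port back to the inside host."""
        return self.reverse.get((proto, inside_global, global_port))


if __name__ == "__main__":
    # Constructed scenario: PC1 and PC2 both open a TCP session from port 1444.
    table = PatTable(["209.165.200.225"])
    print(table.translate("tcp", "192.168.10.10", 1444))   # port 1444 preserved
    print(table.translate("tcp", "192.168.11.10", 1444))   # 1444 taken -> 1024
    print(table.untranslate("tcp", "209.165.200.225", 1024))
```

The second host keeps its inside local port 1444 but is seen from the outside on port 1024, because 1444 is already in use and the 1,024-65,535 group is searched from its start; the reverse map is what the router consults for the returning packet.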
Types of NAT
NAT and PAT Comparison
Summary of the differences between NAT and PAT.

NAT - Only modifies the IPv4 addresses.
  Inside Global Address: 209.165.200.226    Inside Local Address: 192.168.10.10
PAT - Modifies both the IPv4 address and the port number.
  Inside Global Address: 209.165.200.226:2031    Inside Local Address: 192.168.10.10:2031

NAT:
• One-to-one mapping between Inside Local and Inside Global addresses.
• Uses only IPv4 addresses in the translation process.
• A unique Inside Global address is required for each inside host accessing the outside network.
PAT:
• One Inside Global address can be mapped to many Inside Local addresses.
• Uses IPv4 addresses and TCP or UDP source port numbers in the translation process.
• A single unique Inside Global address can be shared by many inside hosts accessing the outside network.
Types of NAT
Packets without a Layer 4 Segment
Some packets do not contain a Layer 4 port number, such as ICMPv4
messages. Each of these types of protocols is handled differently by PAT.

For example, ICMPv4 query messages, echo requests, and echo replies
include a Query ID. ICMPv4 uses the Query ID to identify an echo request
with its corresponding echo reply.

Note: Other ICMPv4 messages do not use the Query ID. These messages and other
protocols that do not use TCP or UDP port numbers vary and are beyond the scope
of this curriculum.
Types of NAT
Packet Tracer – Investigate NAT Operations
In this Packet Tracer, you will complete the following objectives:
• Investigate NAT operation across the intranet
• Investigate NAT operation across the internet
• Conduct further investigations
6.3 NAT Advantages and Disadvantages
NAT Advantages and Disadvantages
Advantages of NAT
NAT provides many benefits:
• NAT conserves the legally registered addressing scheme by allowing the
privatization of intranets.
• NAT conserves addresses through application port-level multiplexing.
• NAT increases the flexibility of connections to the public network.
• NAT provides consistency for internal network addressing schemes.
• NAT allows the existing private IPv4 address scheme to remain while allowing for
easy change to a new public addressing scheme.
• NAT hides the IPv4 addresses of users and other devices.
NAT Advantages and Disadvantages
Disadvantages of NAT
NAT does have drawbacks:
• NAT increases forwarding delays.
• End-to-end addressing is lost.
• End-to-end IPv4 traceability is lost.
• NAT complicates the use of tunneling protocols, such as IPsec.
• Services that require the initiation of TCP connections from the outside network, or
stateless protocols, such as those using UDP, can be disrupted.
6.4 Static NAT
Static NAT
Static NAT Scenario
• Static NAT is a one-to-one mapping
between an inside address and an
outside address.
• Static NAT allows external devices
to initiate connections to internal
devices using the statically
assigned public address.
• For instance, an internal web server
may be mapped to a specific inside
global address so that it is
accessible from outside networks.
Static NAT
Configure Static NAT
There are two basic tasks when configuring static NAT translations:
• Step 1 - Create a mapping between the inside local address and the inside global address using the ip nat inside source static command.
• Step 2 - Configure the interfaces participating in the translation as inside or outside relative to NAT with the ip nat inside and ip nat outside commands.

R2(config)# ip nat inside source static 192.168.10.254 209.165.201.5
R2(config)#
R2(config)# interface serial 0/1/0
R2(config-if)# ip address 192.168.1.2 255.255.255.252
R2(config-if)# ip nat inside
R2(config-if)# exit
R2(config)# interface serial 0/1/1
R2(config-if)# ip address 209.165.200.1 255.255.255.252
R2(config-if)# ip nat outside
Static NAT
Analyze Static NAT
The static NAT translation process between the client and the web server:
1. The client sends a packet to the web server.
2. R2 receives the packet from the client on its NAT outside interface and checks its NAT table.
3. R2 translates the inside global address to the inside local address and forwards the packet towards the web server.
4. The web server receives the packet and responds to the client using its inside local address.
5. (a) R2 receives the packet from the web server on its NAT inside interface with a source address of the inside local address of the web server and (b) translates the source address to the inside global address.
Static NAT
Verify Static NAT
To verify NAT operation, issue the show ip nat translations command.
• This command shows active NAT translations.
• Because the example is a static NAT configuration, the translation is always present in
the NAT table regardless of any active communications.
• If the command is issued during an active session, the output also indicates the
address of the outside device.
R2# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 209.165.201.5      192.168.10.254     ---                ---
Total number of translations: 1

R2# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 209.165.201.5      192.168.10.254     209.165.200.254    209.165.200.254
--- 209.165.201.5      192.168.10.254     ---                ---
Total number of translations: 2
Static NAT
Verify Static NAT (Cont.)
Another useful command is show ip nat statistics.
• It displays information about the total number of active translations, NAT
configuration parameters, the number of addresses in the pool, and the number of
addresses that have been allocated.
• To verify that the NAT translation is working, it is best to clear statistics from any
past translations using the clear ip nat statistics command before testing.

R2# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  Serial0/1/1
Inside interfaces:
  Serial0/1/0
Hits: 4  Misses: 1
(output omitted)
Static NAT
Packet Tracer – Configure Static NAT
In this Packet Tracer, you will complete the following objectives:
• Test Access without NAT
• Configure Static NAT
• Test Access with NAT
6.5 Dynamic NAT
Dynamic NAT
Dynamic NAT Scenario
• Dynamic NAT automatically maps
inside local addresses to inside
global addresses.
• Dynamic NAT uses a pool of inside
global addresses.
• The pool of inside global addresses
is available to any device on the
inside network on a first-come first-
served basis.
• If all addresses in the pool are in
use, a device must wait for an
available address before it can
access the outside network.
Dynamic NAT
Configure Dynamic NAT
There are five tasks when configuring dynamic NAT translations:
• Step 1 - Define the pool of addresses that will be used for translation using the ip
nat pool command.
• Step 2 - Configure a standard ACL to identify (permit) only those addresses that
are to be translated.
• Step 3 - Bind the ACL to the pool, using the ip nat inside source list command.

R2(config)# ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)# ip nat inside source list 1 pool NAT-POOL1
Dynamic NAT
Configure Dynamic NAT (Cont.)
There are five tasks when configuring dynamic NAT translations:
• Step 4 - Identify which interfaces are inside.
• Step 5 - Identify which interfaces are outside.

R2(config)# ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)# ip nat inside source list 1 pool NAT-POOL1
R2(config)# interface serial 0/1/0
R2(config-if)# ip nat inside
R2(config-if)# interface serial 0/1/1
R2(config-if)# ip nat outside
Dynamic NAT
Analyze Dynamic NAT – Inside to Outside
Dynamic NAT translation process:
1. PC1 and PC2 send packets requesting a
connection to the server.
2. R2 receives the first packet from PC1,
checks the ACL to determine if the packet
should be translated, selects an available
global address, and creates a translation
entry in the NAT table.
3. R2 replaces the inside local source address
of PC1, 192.168.10.10, with the translated
inside global address of 209.165.200.226
and forwards the packet. (The same process
occurs for the packet from PC2 using the
translated address of 209.165.200.227.)
Dynamic NAT
Analyze Dynamic NAT – Outside to Inside
Dynamic NAT translation process:
4. The server receives the packet from PC1 and responds using the destination address of 209.165.200.226. When the server receives the packet from PC2, it responds using the destination address of 209.165.200.227.
5. (a) When R2 receives the packet with the destination address of 209.165.200.226, it performs a NAT table lookup, translates the address back to the inside local address, and forwards the packet toward PC1.
(b) When R2 receives the packet with the destination address of 209.165.200.227, it performs a NAT table lookup, translates the address back to the inside local address 192.168.11.10, and forwards the packet toward PC2.
Dynamic NAT
Analyze Dynamic NAT – Outside to Inside (Cont.)
Dynamic NAT translation process:
6. PC1 and PC2 receive the packets and
continue the conversation. The router
performs Steps 2 to 5 for each packet.
Dynamic NAT
Verify Dynamic NAT
The output of the show ip nat translations command displays all static
translations that have been configured and any dynamic translations that
have been created by traffic.

R2# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 209.165.200.228    192.168.10.10      ---                ---
--- 209.165.200.229    192.168.11.10      ---                ---
R2#
Dynamic NAT
Verify Dynamic NAT (Cont.)
Adding the verbose keyword displays additional information about each
translation, including how long ago the entry was created and used.

R2# show ip nat translation verbose
Pro Inside global      Inside local       Outside local      Outside global
tcp 209.165.200.228    192.168.10.10      ---                ---
    create 00:02:11, use 00:02:11 timeout:86400000, left 23:57:48, Map-Id(In): 1,
    flags: none, use_count: 0, entry-id: 10, lc_entries: 0
tcp 209.165.200.229    192.168.11.10      ---                ---
    create 00:02:10, use 00:02:10 timeout:86400000, left 23:57:49, Map-Id(In): 1,
    flags: none, use_count: 0, entry-id: 12, lc_entries: 0
R2#
Dynamic NAT
Verify Dynamic NAT (Cont.)
By default, translation entries time out after 24 hours, unless the timers have been
reconfigured with the ip nat translation timeout timeout-seconds command in global
configuration mode. To clear dynamic entries before the timeout has expired, use the
clear ip nat translation privileged EXEC mode command.

R2# clear ip nat translation *
R2# show ip nat translation

Command: clear ip nat translation *
Description: Clears all dynamic address translation entries from the NAT translation table.

Command: clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
Description: Clears a simple dynamic translation entry containing an inside translation or both inside and outside translation.

Command: clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
Description: Clears an extended dynamic translation entry.
Dynamic NAT
Verify Dynamic NAT (Cont.)
The show ip nat statistics command displays information about the total number of
active translations, NAT configuration parameters, the number of addresses in the
pool, and how many of the addresses have been allocated.
R2# show ip nat statistics
Total active translations: 4 (0 static, 4 dynamic; 0 extended)
Peak translations: 4, occurred 00:31:43 ago
Outside interfaces:
Serial0/1/1
Inside interfaces:
Serial0/1/0
Hits: 47 Misses: 0
CEF Translated packets: 47, CEF Punted packets: 0
Expired translations: 5
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool NAT-POOL1 refcount 4
pool NAT-POOL1: netmask 255.255.255.224
start 209.165.200.226 end 209.165.200.240
type generic, total addresses 15, allocated 2 (13%), misses 0
(output omitted)
R2#
Dynamic NAT
Verify Dynamic NAT (Cont.)
The show running-config command shows the NAT, ACL, interface, or pool commands with the required values.

R2# show running-config | include NAT
ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
ip nat inside source list 1 pool NAT-POOL1
Dynamic NAT
Packet Tracer – Configure Dynamic NAT
In this Packet Tracer, you will complete the following objectives:
• Configure Dynamic NAT
• Verify NAT Implementation
6.6 PAT
PAT
Configure PAT to Use a Single IPv4 Address
To configure PAT to use a single IPv4 address, add the keyword overload to the ip nat
inside source command.

In the example, all hosts from network 192.168.0.0/16 (matching ACL 1) that send
traffic through router R2 to the internet will be translated to IPv4 address
209.165.200.225 (IPv4 address of interface S0/1/1). The traffic flows will be identified
by port numbers in the NAT table because the overload keyword is configured.

R2(config)# ip nat inside source list 1 interface serial 0/1/1 overload
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)# interface serial0/1/0
R2(config-if)# ip nat inside
R2(config-if)# exit
R2(config)# interface Serial0/1/1
R2(config-if)# ip nat outside
PAT
Configure PAT to Use an Address Pool
An ISP may allocate more than one public IPv4 address to an organization. In this
scenario the organization can configure PAT to use a pool of IPv4 public addresses for
translation.
To configure PAT for a dynamic NAT address pool, simply add the keyword overload
to the ip nat inside source command.

In the example, NAT-POOL2 is bound to an ACL to permit 192.168.0.0/16 to be translated. These hosts can share an IPv4 address from the pool because PAT is enabled with the keyword overload.

R2(config)# ip nat pool NAT-POOL2 209.165.200.226 209.165.200.240 netmask 255.255.255.224
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)# ip nat inside source list 1 pool NAT-POOL2 overload
R2(config)# interface serial0/1/0
R2(config-if)# ip nat inside
R2(config-if)# interface serial0/1/1
R2(config-if)# ip nat outside
PAT
Analyze PAT – PC to Server
1. PC1 and PC2 send packets to Svr1
and Svr2.
2. The packet from PC1 reaches R2 first.
R2 modifies the source IPv4 address to
209.165.200.225 (inside global
address). The packet is then forwarded
towards Svr1.
3. The packet from PC2 arrives at R2.
PAT changes the source IPv4 address
of PC2 to the inside global address
209.165.200.225. PC2 has the same
source port number as the translation
for PC1. PAT increments the source
port number until it is a unique value in
its table. In this instance, it is 1445.
PAT
Analyze PAT – Server to PC
1. The servers use the source port from the received packet as the destination port, and the source address as the destination address for the return traffic.
2. R2 changes the destination IPv4 address of the packet from Svr1 from 209.165.200.225 to 192.168.10.10, and forwards the packet toward PC1.
3. R2 changes the destination address of the packet from Svr2 from 209.165.200.225 to 192.168.10.11, and modifies the destination port back to its original value of 1444. The packet is then forwarded toward PC2.
PAT
Verify PAT
The same commands used to verify static and dynamic NAT are used to verify PAT.
The show ip nat translations command displays the translations from two different
hosts to different web servers. Notice that two different inside hosts are allocated the
same IPv4 address of 209.165.200.226 (inside global address). The source port
numbers in the NAT table differentiate the two transactions.

R2# show ip nat translations
Pro Inside global          Inside local         Outside local        Outside global
tcp 209.165.200.225:1444   192.168.10.10:1444   209.165.201.1:80     209.165.201.1:80
tcp 209.165.200.225:1445   192.168.11.10:1444   209.165.202.129:80   209.165.202.129:80
R2#
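The show ip nat translations outputs used to verify static NAT, dynamic NAT and PAT in this module, handled by an added example that is not part of the Cisco course material: a Python parser for that output with two checks a practitioner would run on it. The sample text below is constructed from the outputs shown on these slides; the column handling (a `---` placeholder, an optional `:port` suffix, static entries having no protocol) follows those outputs, and the expected-mappings check is my own addition: a static mapping that nobody approved exposes an inside host to the outside and is worth alerting on.

```python
from collections import defaultdict

# Constructed sample assembled from the show ip nat translations outputs in
# this module: an extended static session, the static entry itself, and two
# PAT sessions sharing one inside global address.
SAMPLE_OUTPUT = """\
R2# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 209.165.201.5      192.168.10.254     209.165.200.254    209.165.200.254
--- 209.165.201.5      192.168.10.254     ---                ---
tcp 209.165.200.225:1444 192.168.10.10:1444 209.165.201.1:80 209.165.201.1:80
tcp 209.165.200.225:1445 192.168.11.10:1444 209.165.202.129:80 209.165.202.129:80
Total number of translations: 4
R2#
"""

PROTOCOLS = {"tcp", "udp", "icmp", "---"}


def split_endpoint(field: str):
    """'addr:port' -> (addr, port); 'addr' -> (addr, None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    addr, sep, port = field.partition(":")
    return addr, (int(port) if sep else None)


def parse_translations(text: str) -> list[dict]:
    """Turn the table rows into dicts; prompts, headers and totals are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in PROTOCOLS:
            continue
        proto, ig, il, ol, og = parts
        entries.append({
            "proto": None if proto == "---" else proto,
            "inside_global": split_endpoint(ig),
            "inside_local": split_endpoint(il),
            "outside_local": split_endpoint(ol),
            "outside_global": split_endpoint(og),
        })
    return entries


def static_entries(entries: list[dict]) -> list[dict]:
    """Static mappings are listed with no protocol and no outside addresses."""
    return [e for e in entries if e["proto"] is None]


def hosts_per_inside_global(entries: list[dict]) -> dict[str, int]:
    """Distinct inside local hosts behind each inside global address (PAT sharing)."""
    hosts = defaultdict(set)
    for e in entries:
        hosts[e["inside_global"][0]].add(e["inside_local"][0])
    return {addr: len(h) for addr, h in hosts.items()}


def unexpected_static(entries: list[dict], approved: dict[str, str]) -> list[dict]:
    """Static mappings not in the approved {inside_global: inside_local} set."""
    return [e for e in static_entries(entries)
            if approved.get(e["inside_global"][0]) != e["inside_local"][0]]


if __name__ == "__main__":
    entries = parse_translations(SAMPLE_OUTPUT)
    print(f"{len(entries)} translations, {len(static_entries(entries))} static")
    print("hosts per inside global:", hosts_per_inside_global(entries))
    print("unexpected static:", unexpected_static(entries, {"209.165.201.5": "192.168.10.254"}))
```

On the sample, 209.165.200.225 is reported as shared by two inside hosts, which is the PAT behaviour the slide describes, and the static mapping for the web server is accepted only because it appears in the approved set passed to unexpected_static.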
PAT
Verify PAT (Cont.)
The show ip nat statistics command verifies that NAT-POOL2 has allocated a single
address for both translations. Also shown are the number and type of active translations,
NAT configuration parameters, the number of addresses in the pool, and how many have
been allocated.
R2# show ip nat statistics
Total active translations: 4 (0 static, 2 dynamic; 2 extended)
Peak translations: 2, occurred 00:31:43 ago
Outside interfaces:
Serial0/1/1
Inside interfaces:
Serial0/1/0
Hits: 4 Misses: 0
CEF Translated packets: 47, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 3] access-list 1 pool NAT-POOL2 refcount 2
pool NAT-POOL2: netmask 255.255.255.224
start 209.165.200.225 end 209.165.200.240
type generic, total addresses 15, allocated 1 (6%), misses 0
(output omitted)
R2#
PAT
Packet Tracer – Configure PAT
In this Packet Tracer, you will complete the following objectives:
• Configure Dynamic NAT with Overload
• Verify Dynamic NAT with Overload Implementation
• Configure PAT using an Interface
• Verify PAT Interface Implementation
6.7 NAT64
NAT64
NAT for IPv6?
IPv6 was developed with the intention of making NAT for IPv4 with translation between
public and private IPv4 addresses unnecessary.
• However, IPv6 does include its own IPv6 private address space, unique local
addresses (ULAs).
• IPv6 unique local addresses (ULA) are similar to RFC 1918 private addresses in
IPv4 but have a different purpose.
• ULA addresses are meant for only local communications within a site. ULA
addresses are not meant to provide additional IPv6 address space, nor to provide a
level of security.
• IPv6 does provide for protocol translation between IPv4 and IPv6 known as NAT64.
NAT64
NAT64
• NAT for IPv6 is used in a much different
context than NAT for IPv4.
• The varieties of NAT for IPv6 are used to
transparently provide access between
IPv6-only and IPv4-only networks, as
shown. It is not used as a form of private
IPv6 to global IPv6 translation.
• NAT for IPv6 should not be used as a
long-term strategy, but as a temporary
mechanism to assist in the migration
from IPv4 to IPv6.
6.8 Module Practice and Quiz
Module Practice and Quiz
Packet Tracer – Configure NAT for IPv4
In this Packet Tracer, you will complete the following objectives:
• Configure Dynamic NAT with PAT
• Configure Static NAT
Module Practice and Quiz
Packet Tracer – Configure NAT for IPv4
In this Lab, you will complete the following objectives:
• Build the Network and Configure Basic Device Settings
• Configure and verify NAT for IPv4
• Configure and verify PAT for IPv4
• Configure and verify Static NAT for IPv4
Module Practice and Quiz
What did I learn in this module?
• There are not enough public IPv4 addresses to assign a unique address to each device
connected to the internet.
• The primary use of NAT is to conserve public IPv4 addresses.
• In NAT terminology, the inside network is the set of networks that is subject to translation. The
outside network refers to all other networks.
• NAT terminology is always applied from the perspective of the device with the translated
address.
• Inside addresses are the addresses of the devices which are being translated by NAT.
• Outside addresses are the addresses of the destination devices.
• Local address is any address that appears on the inside portion of the network.
• Global address is any address that appears on the outside portion of the network.
• Static NAT uses a one-to-one mapping of local and global addresses.
• Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served
basis.
Module Practice and Quiz
What did I learn in this module? (Cont.)
• Port Address Translation (PAT), also known as NAT overload, maps multiple private IPv4
addresses to a single public IPv4 address or a few addresses.
• NAT increases forwarding delays because the translation of each IPv4 address within the
packet headers takes time.
• NAT complicates the use of tunneling protocols, such as IPsec, because NAT modifies values
in the headers, causing integrity checks to fail.
• The show ip nat translations command displays all static translations that have been
configured and any dynamic translations that have been created by traffic.
• To clear dynamic entries before the timeout has expired, use the clear ip nat translation
privileged EXEC mode command.
• IPv6 was developed with the intention of making NAT for IPv4 with translation between public
and private IPv4 addresses unnecessary.
• IPv6 unique local addresses (ULA) are similar to RFC 1918 private addresses in IPv4 but
have a different purpose.
• IPv6 does provide for protocol translation between IPv4 and IPv6 known as NAT64.
Module 7: WAN Concepts
Enterprise Networking, Security, and Automation v7.0 (ENSA)
Module Objectives
Module Title: WAN Concepts

Module Objective: Explain how WAN access technologies can be used to satisfy business requirements.

Topic Title                    Topic Objective
Purpose of WANs                Explain the purpose of a WAN.
WAN Operations                 Explain how WANs operate.
Traditional WAN Connectivity   Compare traditional WAN connectivity options.
Modern WAN Connectivity        Compare modern WAN connectivity options.
Internet-Based Connectivity    Compare internet-based connectivity options.
7.1 Purpose of WANs
Purpose of WANs
LANs and WANs
A WAN is a telecommunications network that spans over a relatively large geographical
area and is required to connect beyond the boundary of the LAN.

Local Area Networks (LANs) compared with Wide Area Networks (WANs):
• LANs provide networking services within a small geographic area. WANs provide networking services over large geographical areas.
• LANs are used to interconnect local computers, peripherals, and other devices. WANs are used to interconnect remote users, networks, and sites.
• A LAN is owned and managed by an organization or home user. WANs are owned and managed by internet service, telephone, cable, and satellite providers.
• Other than the network infrastructure costs, there is no fee to use a LAN. WAN services are provided for a fee.
• LANs provide high bandwidth speeds using wired Ethernet and Wi-Fi services. WAN providers offer low to high bandwidth speeds, over long distances.
Purpose of WANs
Private and Public WANs
A private WAN is a connection that is dedicated to a single customer.

Private WANs provide the following:
• Guaranteed service level
• Consistent bandwidth
• Security

A public WAN connection is typically provided by an ISP or telecommunications service provider using the internet. In this case, the service levels and bandwidth may vary, and the shared connections do not guarantee security.
Purpose of WANs
WAN Topologies
WANs are implemented using the following logical topology designs:
• Point-to-Point Topology
• Hub-and-Spoke Topology
• Dual-homed Topology
• Fully Meshed Topology
• Partially Meshed Topology

Note: Large networks usually deploy a combination of these topologies.
Purpose of WANs
WAN Topologies (Cont.)
Point-to-Point Topology
• Employs a point-to-point circuit between two endpoints.
• Involves a Layer 2 transport service through the service provider network.
• The point-to-point connection is transparent to the customer network.

Note: It can become expensive if many point-to-point connections are required.
Purpose of WANs
WAN Topologies (Cont.)
Hub-and-Spoke Topology
• Enables a single interface on the hub router to be shared by all spoke circuits.
• Spoke routers can be interconnected through the hub router using virtual circuits and
routed subinterfaces.
• Spoke routers can only communicate with each other through the hub router.

Note: The hub router represents a single point of failure. If it fails, inter-spoke communication also fails.
Purpose of WANs
WAN Topologies (Cont.)
Dual-homed Topology
• Offers enhanced network redundancy, load balancing, distributed computing and
processing, and the ability to implement backup service provider connections.
• More expensive to implement than single-homed topologies. This is because they
require additional networking hardware, such as additional routers and switches.
• More difficult to implement because they require additional, and more complex,
configurations.
Purpose of WANs
WAN Topologies (Cont.)
Fully Meshed Topology
• Uses multiple virtual circuits to connect all
sites
• The most fault-tolerant topology

Partially Meshed Topology
• Connects many but not all sites
Purpose of WANs
Carrier Connections
Another aspect of WAN design is how an organization connects to the internet. An
organization usually signs a service level agreement (SLA) with a service provider. The
SLA outlines the expected services relating to the reliability and availability of the
connection.

The service provider may or may not be the actual carrier. A carrier owns and maintains
the physical connection and equipment between the provider and the customer. Typically,
an organization will choose either a single-carrier or dual-carrier WAN connection.
Purpose of WANs
Carrier Connections (Cont.)
A single-carrier connection is when an
organization connects to only one
service provider. An SLA is negotiated
between the organization and the
service provider.

A dual-carrier connection provides redundancy and increases network availability. The organization negotiates separate SLAs with two different service providers.
Purpose of WANs
Evolving Networks
Network requirements of a company can change dramatically as the company grows
over time.
• A network must meet the day-to-day operational needs of business, and it must be
able to adapt and grow as a company changes.
• Network designers and administrators meet these challenges by carefully
choosing network technologies, protocols, and service providers.
• Networks can be optimized by using a variety of network design techniques and
architectures.
To illustrate differences between network size, we will use a fictitious company called
SPAN Engineering as it grows from a small, local, business into a global enterprise.

Purpose of WANs
Evolving Networks (Cont.)
Small Network
SPAN, a small fictitious company,
started with a few employees in a
small office.
• Uses a single LAN connected to
a wireless router for sharing
data and peripherals.
• Connection to the internet is
through a common broadband
service called Digital Subscriber
Line (DSL).
• IT support is contracted from the
DSL provider.

Purpose of WANs
Evolving Networks (Cont.)
Campus Network
Within a few years SPAN grew and
required several floors of a building.
The company now required a
Campus Area Network (CAN).
• A firewall secures internet
access to corporate users.
• In-house IT staff to support and
maintain the network.

Purpose of WANs
Evolving Networks (Cont.)
Branch Network
• A few years later, the company
expanded and added a branch site
in the city, and remote and regional
sites in other cities.
• The company now required a
metropolitan area network (MAN)
to interconnect sites within the city.
• To connect to the central office,
branch offices in nearby cities used
private dedicated lines through
their local service provider.

Purpose of WANs
Evolving Networks (Cont.)
Distributed Network
• SPAN Engineering has now
been in business for 20 years
and has grown to thousands of
employees distributed in offices
worldwide.
• Site-to-site and remote access
Virtual Private Networks (VPNs)
enable the company to use the
internet to connect easily and
securely with employees and
facilities around the world.

7.2 WAN Operation

WAN Operations
WAN Standards
Modern WAN standards are defined and managed by a number of
recognized authorities including the following:
• TIA/EIA - Telecommunications Industry Association and Electronic Industries
Alliance
• ISO - International Organization for Standardization
• IEEE - Institute of Electrical and Electronics Engineers

WAN Operations
WANs in the OSI Model
Most WAN standards focus on the physical layer
and the data link layer.
Layer 1 Protocols
• Synchronous Digital Hierarchy (SDH)
• Synchronous Optical Networking (SONET)
• Dense Wavelength Division Multiplexing (DWDM)
Layer 2 Protocols
• Broadband (i.e., DSL and Cable)
• Wireless
• Ethernet WAN (Metro Ethernet)
• Multiprotocol Label Switching (MPLS)
• Point-to-Point Protocol (PPP) (less used)
• High-Level Data Link Control (HDLC) (less used)
• Frame Relay (legacy)
• Asynchronous Transfer Mode (ATM) (legacy)
WAN Operations
Common WAN Terminology
There are specific terms used to describe WAN
connections between the subscriber (i.e., the
company / client) and the WAN service provider.

• Data Terminal Equipment (DTE) - Connects the subscriber LANs to the WAN communication device
• Data Communications Equipment (DCE) - Device used to communicate with the provider
• Customer Premises Equipment (CPE) - The DTE and DCE devices located on the enterprise edge
• Point-of-Presence (POP) - The point where the subscriber connects to the service provider network
• Demarcation Point - The physical location in a building or complex that officially separates the CPE from service provider equipment

WAN Operations
Common WAN Terminology (Cont.)

• Local Loop (last mile) - The copper or fiber cable that connects the CPE to the CO of the service provider
• Central office (CO) - The local service provider facility or building that connects the CPE to the provider network
• Toll network - Includes backhaul, long-haul, all-digital, fiber-optic communications lines, switches, routers, and other equipment inside the WAN provider network
• Backhaul network - Connects multiple access nodes of the service provider network
• Backbone network - Large, high-capacity networks used to interconnect service provider networks and to create a redundant network

WAN Operations
WAN Devices
There are many types of devices that are specific to WAN environments.

• Voiceband Modem - Dial-up modem that uses telephone lines. Legacy device.
• DSL Modem / Cable Modem - Collectively known as broadband modems, these high-speed digital modems connect to the DTE router using Ethernet.
• CSU/DSU - Digital leased lines require a CSU and a DSU. It connects a digital device to a digital line.
• Optical Converter - Connects fiber-optic media to copper media and converts optical signals to electronic pulses.
• Wireless Router / Access Point - Devices used to wirelessly connect to a WAN provider.
• WAN Core devices - The WAN backbone consists of multiple high-speed routers and Layer 3 switches.

WAN Operations
Serial Communication
• Almost all network communications
occur using a serial communication
delivery. Serial communication transmits
bits sequentially over a single channel.
• In contrast, parallel communications
simultaneously transmit several bits
using multiple wires.
• As the cable length increases, the
synchronization timing between multiple
channels becomes more sensitive to
distance. For this reason, parallel
communication is limited to very short
distances.

WAN Operations
Circuit-Switched Communication
A circuit-switched network establishes a
dedicated circuit (or channel) between
endpoints before the users can communicate.
• Establishes a dedicated virtual connection
through the service provider network
before communication can start.
• All communication uses the same path.
• The two most common types of circuit-
switched WAN technologies are the public
switched telephone network (PSTN) and
the legacy Integrated Services Digital
Network (ISDN).

WAN Operations
Packet-Switched Communication
Network communication is most commonly
implemented using packet-switched
communication.
• Segments traffic data into packets that are
routed over a shared network.
• Much less expensive and more flexible
than circuit switching.
• Common types of packet-switched WAN
technologies are:
• Ethernet WAN (Metro Ethernet)
• Multiprotocol Label Switching (MPLS)
• Frame Relay
• Asynchronous Transfer Mode (ATM)

WAN Operations
SDH, SONET, and DWDM
Service provider networks use fiber-optic infrastructures to transport user data between
destinations. Fiber-optic cable is far superior to copper cable for long distance transmissions due
to its much lower attenuation and interference.

There are two optical fiber OSI layer 1 standards available to service providers:
• SDH - Synchronous Digital Hierarchy (SDH) is a global standard for transporting data over
fiber-optic cable.
• SONET - Synchronous Optical Networking (SONET) is the North American standard that
provides the same services as SDH.
SDH/SONET define how to transfer multiple data, voice, and video communications over optical
fiber using lasers or light-emitting diodes (LEDs) over great distances.
Dense Wavelength Division Multiplexing (DWDM) is a newer technology that increases the
data-carrying capacity of SDH and SONET by simultaneously sending multiple streams of data
(multiplexing) using different wavelengths of light.

7.3 Traditional WAN
Connectivity

Traditional WAN Connectivity
Traditional WAN Connectivity Options
To understand the WANs of today, it helps
to know where they started.
• When LANs appeared in the 1980s,
organizations began to see the need to
interconnect with other locations.
• To do so, they needed their networks to
connect to the local loop of a service
provider.
• This was accomplished by using
dedicated lines, or by using switched
services from a service provider.

Traditional WAN Connectivity
Common WAN Terminology
Point-to-point lines could be leased from a service provider and were called “leased
lines”. The term refers to the fact that the organization pays a monthly lease fee to a
service provider to use the line.
• Leased lines are available in different fixed capacities and are generally priced
based on the bandwidth required and the distance between the two connected
points.
• There are two systems used to define the digital capacity of a copper media serial
link:
• T-carrier - Used in North America, T-carrier provides T1 links supporting bandwidth up to 1.544
Mbps and T3 links supporting bandwidth up to 43.7 Mbps.
• E-carrier – Used in Europe, E-carrier provides E1 links supporting bandwidth up to 2.048
Mbps and E3 links supporting bandwidth up to 34.368 Mbps.

Traditional WAN Connectivity
Common WAN Terminology (Cont.)
The table summarizes the advantages and disadvantages of leased lines.

Advantages
• Simplicity - Point-to-point communication links require minimal expertise to install and maintain.
• Quality - Point-to-point communication links usually offer high quality service, if they have adequate bandwidth.
• Availability - Constant availability is essential for some applications, such as e-commerce. Point-to-point communication links provide permanent, dedicated capacity, which is required for VoIP or Video over IP.

Disadvantages
• Cost - Point-to-point links are generally the most expensive type of WAN access. The cost of leased line solutions can become significant when they are used to connect many sites over increasing distances.
• Limited flexibility - WAN traffic is often variable, and leased lines have a fixed capacity, so that the bandwidth of the line seldom matches the need exactly.

Traditional WAN Connectivity
Circuit-Switch Options
Circuit-switched connections are provided by Public Switched Telephone Network
(PSTN) carriers. The local loop connecting the CPE to the CO is copper media.
There are two traditional circuit-switched options:
Public Switched Telephone Network (PSTN)
• Dialup WAN access uses the PSTN as its WAN connection. Traditional local loops can transport
binary computer data through the voice telephone network using a voiceband modem.
• The physical characteristics of the local loop and its connection to the PSTN limit the rate of the
signal to less than 56 kbps.
Integrated Services Digital Network (ISDN)
• ISDN is a circuit-switching technology that enables the PSTN local loop to carry digital signals.
This provided higher capacity switched connections than dialup access. ISDN provides for data
rates from 45 Kbps to 2.048 Mbps.

Traditional WAN Connectivity
Packet-Switch Options
Packet switching segments data into packets that are routed over a shared network. It allows
many pairs of nodes to communicate over the same channel.
There are two traditional (legacy) packet-switched options:
Frame Relay
• Frame Relay is a simple Layer 2 non-broadcast multi-access (NBMA) WAN technology that
is used to interconnect enterprise LANs.
• Frame Relay creates PVCs which are uniquely identified by a data-link connection identifier
(DLCI).
Asynchronous Transfer Mode (ATM)
• Asynchronous Transfer Mode (ATM) technology is capable of transferring voice, video, and
data through private and public networks.
• ATM is built on a cell-based architecture rather than on a frame-based architecture. ATM
cells are always a fixed length of 53 bytes.
Note: Frame relay and ATM networks have been largely replaced by faster Metro Ethernet and internet-based solutions.

7.4 Modern WAN
Connectivity

Modern WAN Connectivity
Modern WANs
Modern WANS have more connectivity
options than traditional WANs.
• Enterprises now require faster and more
flexible WAN connectivity options.
• Traditional WAN connectivity options
have rapidly declined in use because
they are either no longer available, too
expensive, or have limited bandwidth.

The figure displays the local loop connections most likely encountered today.

Modern WAN Connectivity
Modern WAN Connectivity Options
New technologies are continually emerging. The
figure summarizes the modern WAN connectivity
options.
Dedicated broadband
• Fiber can be installed independently by an
organization to connect remote locations directly
together.
• Dark fiber can be leased or purchased from a
supplier.
Packet-switched
• Metro Ethernet – Replacing many traditional WAN
options.
• MPLS – Enables sites to connect to the provider
regardless of its access technologies.
Internet-based broadband
• Organizations are now commonly using the global
internet infrastructure for WAN connectivity.
Modern WAN Connectivity
Ethernet WAN
Service providers now offer Ethernet WAN service
using fiber-optic cabling.
The Ethernet WAN service can go by many
names, including the following:
• Metropolitan Ethernet (Metro E)
• Ethernet over MPLS (EoMPLS)
• Virtual Private LAN Service (VPLS)
There are several benefits to an Ethernet WAN:
• Reduced expenses and administration
• Easy integration with existing networks
• Enhanced business productivity

Note: Ethernet WANs have gained in popularity and are now commonly being used to replace the
traditional serial point-to-point, Frame Relay and ATM WAN links.
Modern WAN Connectivity
MPLS
Multiprotocol Label Switching (MPLS) is a high-performance service provider WAN routing
technology to interconnect clients without regard to access method or payload.
• MPLS supports a variety of client access methods (e.g., Ethernet, DSL, Cable, Frame Relay).
• MPLS can encapsulate all types of protocols including IPv4 and IPv6 traffic.
• An MPLS router can be a customer edge (CE) router, a provider edge (PE) router, or an
internal provider (P) router.
• MPLS routers are label switched routers (LSRs). They attach labels to packets that are then
used by other MPLS routers to forward traffic.
• MPLS also provides services for QoS support, traffic engineering, redundancy, and VPNs.
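The label-switching behaviour described above, as an added example that is not part of the course material: it packs and unpacks the 4-byte MPLS shim header (RFC 3032), walks a label stack to the bottom-of-stack bit, and performs one forwarding step (swap or pop, with TTL decrement) at a hypothetical LSR. The label values, interface names and forwarding table are constructed.

```python
"""One MPLS label-switch forwarding step (added example; the labels,
interfaces and LFIB below are constructed, not taken from the course)."""
import struct

# RFC 3032 label stack entry: Label (20 bits) | TC (3) | S (1, bottom of stack) | TTL (8)
RESERVED_LABEL_MAX = 15  # labels 0-15 are reserved (e.g. 0 = IPv4 explicit null, 3 = implicit null)


def encode_entry(label: int, tc: int, s: int, ttl: int) -> bytes:
    """Pack one 32-bit label stack entry in network byte order."""
    if not (0 <= label < (1 << 20) and 0 <= tc < 8 and s in (0, 1) and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)


def decode_stack(data: bytes):
    """Split a packet into its label stack and payload.

    Returns (entries, payload) where entries is a list of (label, tc, s, ttl).
    Raises ValueError if the stack is truncated or never sets the S bit; a
    receiver must treat such a packet as malformed rather than forward it."""
    entries, off = [], 0
    while True:
        if len(data) - off < 4:
            raise ValueError("truncated label stack (no bottom-of-stack entry)")
        (word,) = struct.unpack_from("!I", data, off)
        entries.append((word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF))
        off += 4
        if entries[-1][2] == 1:          # S bit set: this was the last label
            return entries, data[off:]


# Label forwarding table of one hypothetical LSR:
# incoming label -> (operation, outgoing label, egress interface)
LFIB = {
    16: ("swap", 24, "Gi0/1"),    # transit LSR: replace label 16 with 24
    17: ("pop", None, "Gi0/2"),   # penultimate hop: strip the top label
}


def forward(packet: bytes):
    """Process the top label at this LSR.

    Returns (egress_interface, new_packet) on success, or ("drop", reason)."""
    entries, payload = decode_stack(packet)
    label, tc, s, ttl = entries[0]
    if ttl <= 1:
        return ("drop", "ttl expired")               # loop protection, as in IP
    if label <= RESERVED_LABEL_MAX:
        return ("drop", "reserved label not handled here")
    entry = LFIB.get(label)
    if entry is None:
        return ("drop", "no LFIB entry")             # unknown label: never guess a path
    op, out_label, iface = entry
    rest = entries[1:]
    if op == "swap":
        new_stack = [(out_label, tc, s, ttl - 1)] + rest
    else:  # pop: carry the decremented TTL into the next label, if any
        if rest:
            inner_label, inner_tc, inner_s, _ = rest[0]
            rest[0] = (inner_label, inner_tc, inner_s, ttl - 1)
        new_stack = rest
    return (iface, b"".join(encode_entry(*e) for e in new_stack) + payload)


if __name__ == "__main__":
    pkt = encode_entry(16, 0, 1, 64) + b"<constructed IPv4 packet>"
    iface, out = forward(pkt)
    print(iface, decode_stack(out))
```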

7.5 Internet-Based
Connectivity

Internet-Based Connectivity
Internet-Based Connectivity Options
Internet-based broadband connectivity is an alternative to using
dedicated WAN options.
Internet-based connectivity can be divided into wired and
wireless options.
Wired Options
• Wired options use permanent cabling (e.g., copper or fiber)
to provide consistent bandwidth, and reduce error rates and
latency. Examples: DSL, cable connections, and optical fiber
networks.
Wireless Options
• Wireless options are less expensive to implement compared
to other WAN connectivity options because they use radio
waves instead of wired media to transmit data. Examples:
cellular 3G/4G/5G or satellite internet services.
• Wireless signals can be negatively affected by factors such
as distance from radio towers, interference from other
sources and weather.
Internet-Based Connectivity
DSL Technology
Digital Subscriber Line (DSL) is a high-speed,
always-on, connection technology that uses
existing twisted-pair telephone lines to provide
IP services to users.

DSL is categorized as either Asymmetric
DSL (ADSL) or Symmetric DSL (SDSL).
• ADSL and ADSL2+ provide higher downstream
bandwidth to the user than upload bandwidth.
• SDSL provides the same capacity in both
directions.

DSL transfer rates are dependent on the
actual length of the local loop, and the type
and condition of the cabling.
Internet-Based Connectivity
DSL Connections
Service providers deploy DSL connections in the local loop. The connection is set up
between the DSL modem and the DSL access multiplexer (DSLAM).
• The DSL modem converts the Ethernet signals from the teleworker device to a
DSL signal, which is transmitted to a DSL access multiplexer (DSLAM) at the
provider location.
• A DSLAM is located at the Central Office (CO) of the provider and concentrates
connections from multiple DSL subscribers.
• DSL is not a shared medium. Each user has a separate direct connection to the
DSLAM. Adding users does not impede performance.

Internet-Based Connectivity
DSL and PPP
ISPs use PPP as the Layer 2 protocol for broadband DSL connections.
• PPP can be used to authenticate the subscriber.
• PPP can assign a public IPv4 address to the subscriber.
• PPP provides link-quality management features.
There are two ways PPP over Ethernet (PPPoE) can be deployed:
• Host with PPPoE Client - The PPPoE client software communicates with the DSL modem
using PPPoE and the modem communicates with the ISP using PPP.
• Router PPPoE Client - The router is the PPPoE client and obtains its configuration from
the provider.
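The PPPoE exchange between the client and the provider's access concentrator, as an added example and not part of the course material: it builds and parses PPPoE discovery frames (RFC 2516 PADI and PADO) and shows the check a client should make before acting on an offer. The Host-Uniq value, service name, AC name and AC-Cookie are constructed placeholders.

```python
"""PPPoE discovery stage (RFC 2516): build, parse and validate PADI/PADO.

Added example; the Host-Uniq value, service name, AC name and cookie are
constructed placeholders, not values from the course."""
import struct

# Discovery codes; discovery frames use Ethertype 0x8863, session frames 0x8864
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_EOL, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0103, 0x0104


def build_discovery(code, tags, session_id=0):
    """Return the PPPoE header plus TLV tags (everything after the Ethertype)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    # First byte packs VER=1 and TYPE=1; LENGTH counts only the tag bytes
    return struct.pack("!BBHH", 0x11, code, session_id, len(body)) + body


def parse_discovery(data):
    """Parse a discovery frame, refusing anything whose lengths do not add up."""
    if len(data) < 6:
        raise ValueError("short PPPoE header")
    ver_type, code, session_id, length = struct.unpack_from("!BBHH", data, 0)
    if ver_type != 0x11:
        raise ValueError("unsupported PPPoE version/type")
    if len(data) - 6 < length:
        raise ValueError("LENGTH field exceeds frame")   # truncated or forged
    tags, off, end = [], 6, 6 + length
    while off < end:
        if end - off < 4:
            raise ValueError("truncated tag header")
        tag_type, tag_len = struct.unpack_from("!HH", data, off)
        off += 4
        if off + tag_len > end:
            raise ValueError("tag overruns payload")
        tags.append((tag_type, data[off:off + tag_len]))
        off += tag_len
        if tag_type == TAG_EOL:
            break
    return {"code": code, "session_id": session_id, "tags": tags}


def tag_value(tags, wanted):
    """First value of the given tag type, or None if absent."""
    for tag_type, value in tags:
        if tag_type == wanted:
            return value
    return None


def client_accepts_offer(pado, sent_host_uniq, wanted_service=b""):
    """A client should act only on a PADO that answers its own PADI:
    session ID 0, Host-Uniq echoed unchanged, an AC-Name present and a
    Service-Name matching the request (an empty request accepts any service)."""
    if pado["code"] != PADO or pado["session_id"] != 0:
        return False
    if tag_value(pado["tags"], TAG_HOST_UNIQ) != sent_host_uniq:
        return False                      # unsolicited or mismatched offer
    if tag_value(pado["tags"], TAG_AC_NAME) is None:
        return False
    service = tag_value(pado["tags"], TAG_SERVICE_NAME)
    return service is not None and (wanted_service == b"" or service == wanted_service)


def discovery_exchange():
    """Simulate the first two steps: the host broadcasts a PADI and the access
    concentrator answers with a PADO. Returns (parsed_pado, accepted)."""
    host_uniq = b"\x00\x00\x12\x34"       # constructed; real clients pick a unique value
    padi = build_discovery(PADI, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)])
    request = parse_discovery(padi)
    pado = build_discovery(PADO, [
        (TAG_SERVICE_NAME, b"ISP-DSL"),                              # constructed
        (TAG_AC_NAME, b"dslam-co-01"),                               # constructed
        (TAG_HOST_UNIQ, tag_value(request["tags"], TAG_HOST_UNIQ)),  # echoed back
        (TAG_AC_COOKIE, b"\xde\xad\xbe\xef"),                        # constructed
    ])
    offer = parse_discovery(pado)
    return offer, client_accepts_offer(offer, host_uniq)


if __name__ == "__main__":
    print(discovery_exchange())
```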

Internet-Based Connectivity
Cable Technology
Cable technology is a high-speed always-on connection technology that uses a coaxial cable
from the cable company to provide IP services to users.
The Data over Cable Service Interface Specification (DOCSIS) is the international standard for
adding high-bandwidth data to an existing cable system.
• The optical node converts RF signals to light pulses over fiber-optic cable.
• The fiber media enables the signals to travel over long distances to the provider headend where a Cable
Modem Termination System (CMTS) is located.
• The headend contains the databases needed to provide internet access while the CMTS is responsible
for communicating with the cable modems.

Note: All the local subscribers share the same cable bandwidth. As more users join the service, available bandwidth may drop
below the expected rate.
Internet-Based Connectivity
Optical Fiber
Many municipalities, cities, and providers install fiber-optic cable to the user
location. This is commonly referred to as Fiber to the x (FTTx) and includes
the following:
• Fiber to the Home (FTTH) - Fiber reaches the boundary of the residence.
• Fiber to the Building (FTTB) - Fiber reaches the boundary of the building with the
final connection to the individual living space being made via alternative means.
• Fiber to the Node/Neighborhood (FTTN) – Optical cabling reaches an optical
node that converts optical signals to a format acceptable for twisted pair or coaxial
cable to the premise.

Note: FTTx can deliver the highest bandwidth of all broadband options.

Internet-Based Connectivity
Wireless Internet-Based Broadband
Wireless technology uses the unlicensed radio spectrum to send and receive data.
• Municipal Wi-Fi - Municipal wireless networks are available in many cities providing
high-speed internet access for free, or for substantially less than the price of other
broadband services.
• Cellular – Increasingly used to connect devices to the internet using radio waves to
communicate through a nearby mobile phone tower. 3G/4G/5G and Long-Term
Evolution (LTE) are cellular technologies.
• Satellite Internet - Typically used by rural users or in remote locations where cable and
DSL are not available. A router connects to a satellite dish which is pointed to a service
provider satellite in Geosynchronous orbit. Trees and heavy rains can impact the
satellite signal.
• WiMAX - Worldwide Interoperability for Microwave Access (WiMAX) is described in the
IEEE 802.16 standard. It provides high-speed broadband service with wireless access
and provides broad coverage like a cell phone network rather than through small Wi-Fi
hotspots.
Internet-Based Connectivity
VPN Technology
VPNs can be used to address security concerns incurred when a remote office worker uses broadband services
to access the corporate WAN over the internet.
A VPN is an encrypted connection between private networks over a public network. VPN tunnels are routed
through the internet from the private network of the company to the remote site or employee host.
There are several benefits to using VPN:
• Cost savings - Eliminates expensive, dedicated WAN links and modem banks.
• Security - Advanced encryption and authentication protocols protect data from unauthorized access.
• Scalability - Corporations can add large amounts of capacity without adding significant infrastructure.
• Compatibility with broadband technology - Supported by broadband service providers such as DSL and
cable.
VPNs are commonly implemented as the following:
• Site-to-site VPN - VPN settings are configured on routers. Clients are unaware that their data is being
encrypted.
• Remote Access - The user is aware and initiates remote access connection. For example, using HTTPS in
a browser to connect to your bank. Alternatively, the user can run VPN client software on their host to
connect to and authenticate with the destination device.
Internet-Based Connectivity
ISP Connectivity Options
There are different ways an organization can connect to an ISP. The
choice depends on the needs and budget of the organization.
• Single-homed - Single connection to the ISP using one link.
Provides no redundancy and is the least expensive solution.
• Dual-homed - Connects to the same ISP using two links.
Provides both redundancy and load balancing. However, the
organization loses internet connectivity if the ISP experiences an
outage.
• Multihomed - The client connects to two different ISPs. This
design provides increased redundancy and enables load-
balancing, but it can be expensive.
• Dual-multihomed - Dual-multihomed is the most resilient
topology of the four shown. The client connects with redundant
links to multiple ISPs. This topology provides the most redundancy
possible. It is the most expensive option of the four.
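The redundancy claims above, and the dual-carrier point made earlier in the module, checked exhaustively as an added example rather than course material: each design is a set of uplinks, and a design survives a failure budget only if it keeps internet access under every combination of that many failed links and ISP outages. The link and ISP names are constructed.

```python
"""Which ISP connectivity designs survive which failures (added example).

An uplink is (link_name, isp_name); the names below are constructed."""
from itertools import combinations

DESIGNS = {
    "single-homed": {("L1", "ISP-A")},
    "dual-homed": {("L1", "ISP-A"), ("L2", "ISP-A")},
    "multihomed": {("L1", "ISP-A"), ("L2", "ISP-B")},
    "dual-multihomed": {("L1", "ISP-A"), ("L2", "ISP-A"),
                        ("L3", "ISP-B"), ("L4", "ISP-B")},
}


def has_internet(uplinks, failed_links=frozenset(), failed_isps=frozenset()):
    """True if at least one uplink is up and its ISP is not in outage."""
    return any(link not in failed_links and isp not in failed_isps
               for link, isp in uplinks)


def survives(uplinks, max_link_failures, max_isp_outages):
    """True only if EVERY combination of up to max_link_failures failed links
    and up to max_isp_outages ISP outages still leaves internet access."""
    links = sorted({link for link, _ in uplinks})
    isps = sorted({isp for _, isp in uplinks})
    for k in range(max_link_failures + 1):
        for down_links in combinations(links, k):
            for j in range(max_isp_outages + 1):
                for down_isps in combinations(isps, j):
                    if not has_internet(uplinks, frozenset(down_links), frozenset(down_isps)):
                        return False
    return True


def resilience_report():
    """Per design: survives one link failure / one ISP outage / both at once."""
    return {
        name: {
            "one_link": survives(uplinks, 1, 0),
            "one_isp": survives(uplinks, 0, 1),
            "link_and_isp": survives(uplinks, 1, 1),
        }
        for name, uplinks in DESIGNS.items()
    }


if __name__ == "__main__":
    for name, result in resilience_report().items():
        print(f"{name:16s} {result}")
```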

Internet-Based Connectivity
Broadband Solution Comparison
Each broadband solution has advantages and disadvantages. If there are multiple broadband
solutions available, a cost-versus-benefit analysis should be performed to determine the best
solution.
Some factors to consider include the following:
• Cable - Bandwidth is shared by many users. Therefore, upstream data rates are often slow
during high-usage hours in areas with over-subscription.
• DSL - Limited bandwidth that is distance sensitive (in relation to the ISP central office).
Upload rate is proportionally lower compared to download rate.
• Fiber-to-the-Home - This option requires fiber installation directly to the home.
• Cellular/Mobile - With this option, coverage is often an issue, even within a small office or
home office where bandwidth is relatively limited.
• Municipal Wi-Fi - Most municipalities do not have a mesh Wi-Fi network deployed. If it is
available and in range, then it is a viable option.
• Satellite - This option is expensive and provides limited capacity per subscriber. Typically
used when no other option is available.
Internet-Based Connectivity
Lab – Configure and Verify Extended IPv4 ACLs
In this lab, you will complete the following objectives:
• Investigate Broadband Distribution
• Research Broadband Access Options for Specific Scenarios

7.6 Module Practice and
Quiz

Module Practice and Quiz
Packet Tracer – WAN Concepts
In this lab, you will do the following:
• Describe different WAN connectivity options

Module Practice and Quiz
What did I learn in this module?
• A Wide Area Network (WAN) is required to connect beyond the boundary of the LAN.
• A private WAN is a connection that is dedicated to a single customer.
• A public WAN connection is typically provided by an ISP or telecommunications service
provider using the internet.
• WANs are implemented using the following logical topologies: Point-to-Point, Hub-and-
Spoke, Dual-homed, Fully Meshed, and Partially Meshed.
• A dual-carrier connection provides redundancy and increases network availability. The
organization negotiates separate SLAs with two different service providers.
• Site-to-site and remote access Virtual Private Networks (VPNs) enable the company to use
the internet to securely connect with employees and facilities around the world.
• Modern WAN standards are defined and managed by a number of recognized authorities:
TIA/EIA, ISO, and IEEE.
• Layer 1 optical fiber protocol standards include SDH, SONET, and DWDM. Layer 2 protocols
define how data will be encapsulated into a frame.
• Layer 2 protocols include broadband, wireless, Ethernet WAN, MPLS, PPP, HDLC.
Module Practice and Quiz
What did I learn in this module?
• Serial communication transmits bits sequentially over a single channel. In contrast, parallel
communications simultaneously transmit several bits using multiple wires.
• The two most common types of circuit-switched WAN technologies are PSTN and ISDN.
• Common types of packet-switched WAN technologies are Ethernet WAN and MPLS. There
are two optical fiber OSI layer 1 standards.
• SDH/SONET define how to transfer multiple data, voice, and video communications over
optical fiber using lasers or LEDs over great distances.
• Circuit-switched connections were provided by PSTN carriers.
• ISDN is a circuit-switching technology that enables the PSTN local loop to carry digital
signals.
• Packet switching segments data into packets that are routed over a shared network.
• Frame Relay is a simple Layer 2 NBMA WAN technology used to interconnect enterprise
LANs.
• ATM technology is capable of transferring voice, video, and data through private and public
networks. It is built on a cell-based architecture rather than on a frame-based architecture.
Module Practice and Quiz
What did I learn in this module?
• Modern WAN connectivity options include dedicated broadband, Ethernet WAN and MPLS
(packet-switched), along with various wired and wireless versions of internet-based
broadband.
• MPLS is a high-performance service provider WAN routing technology to interconnect clients.
MPLS supports a variety of client access methods (e.g., Ethernet, DSL, Cable, Frame Relay).
MPLS can encapsulate all types of protocols including IPv4 or IPv6 traffic.
• Internet-based broadband connectivity is an alternative to using dedicated WAN options.
• Examples of wired broadband connectivity are Digital Subscriber Line (DSL), cable
connections, and optical fiber networks.
• Examples of wireless broadband include cellular 3G/4G/5G or satellite internet services.
• DSL is a high-speed, always-on, connection technology that uses existing twisted-pair
telephone lines to provide IP services to users.
• Cable technology is a high-speed always-on connection technology that uses a cable
company coaxial cable to provide IP services to users.

Module Practice and Quiz
What did I learn in this module?
• Newer developments in wireless technology include Municipal Wi-Fi, Cellular, Satellite
internet, and WiMAX.
• VPN tunnels are routed through the internet from the private network of the company to the
remote site or employee host.
• ISP connectivity options include single-homed, dual-homed, multihomed, and dual-
multihomed.

Module 8: VPN and IPsec
Concepts
Enterprise Networking, Security,
and Automation v7.0 (ENSA)
Module Objectives
Module Title: VPN and IPsec Concepts

Module Objective: Explain how VPNs and IPsec are used to secure site-to-site and remote
access connectivity.

• VPN Technology - Describe the benefits of VPN technology.
• Types of VPNs - Describe different types of VPNs.
• IPsec - Explain how the IPsec framework is used to secure network traffic.

8.1 VPN Technology

VPN Technology
Virtual Private Networks
• Virtual private networks (VPNs) are used to
create end-to-end private network
connections.
• A VPN is virtual in that it carries
information within a private network,
but that information is actually
transported over a public network.
• A VPN is private in that the traffic is
encrypted to keep the data confidential
while it is transported across the public
network.

VPN Technology
VPN Benefits
• Modern VPNs now support encryption features, such as Internet Protocol Security
(IPsec) and Secure Sockets Layer (SSL) VPNs to secure network traffic between sites.
• Major benefits of VPNs are shown in the table:

• Cost Savings - Organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
• Security - Encryption and authentication protocols protect data from unauthorized access.
• Scalability - VPNs allow organizations to use the internet, making it easy to add new users without adding significant infrastructure.
• Compatibility - VPNs can be implemented across a wide variety of WAN link options including broadband technologies. Remote workers can use these high-speed connections to gain secure access to corporate networks.

VPN Technology
Site-to-Site and Remote Access VPNs
A site-to-site VPN is terminated on VPN gateways. VPN traffic is only encrypted
between the gateways. Internal hosts have no knowledge that a VPN is being used.

VPN Technology
Site-to-Site and Remote Access VPNs (Cont.)
A remote-access VPN is dynamically created to establish a secure connection between a
client and a VPN terminating device.

VPN Technology
Enterprise and Service Provider VPNs
VPNs can be managed and
deployed as:
• Enterprise VPNs - common solution
for securing enterprise traffic across
the internet. Site-to-site and remote
access VPNs are created and
managed by the enterprise using
IPsec and SSL VPNs.
• Service Provider VPNs - created
and managed by the provider
network. The provider uses
Multiprotocol Label Switching
(MPLS) at Layer 2 or Layer 3 to
create secure channels between an
enterprise’s sites, effectively
segregating the traffic from other
customer traffic.
8.2 Types of VPNs

Types of VPNs
Remote-Access VPNs
• Remote-access VPNs let remote and
mobile users securely connect to the
enterprise.
• Remote-access VPNs are typically enabled
dynamically by the user when required and
can be created using either IPsec or SSL.
• Clientless VPN connection - The
connection is secured using a web
browser SSL connection.
• Client-based VPN connection - VPN
client software such as Cisco AnyConnect
Secure Mobility Client must be installed on
the remote user’s end device.

Types of VPNs
SSL VPNs
SSL uses the public key infrastructure and digital certificates to authenticate peers.
The type of VPN method implemented is based on the access requirements of the
users and the organization’s IT processes. The table compares IPsec and SSL
remote access deployments.

Feature / IPsec / SSL
Applications supported
• IPsec: Extensive, all IP-based applications
• SSL: Limited, only web-based applications and file sharing
Authentication strength
• IPsec: Strong, two-way authentication with shared keys or digital certificates
• SSL: Moderate, one-way or two-way authentication
Encryption strength
• IPsec: Strong, key lengths 56 to 256 bits
• SSL: Moderate to strong, key lengths 40 to 256 bits
Connection complexity
• IPsec: Medium, requires VPN client installed on a host
• SSL: Low, requires web browser on a host
Connection option
• IPsec: Limited, only specific devices with specific configurations can connect
• SSL: Extensive, any device with a web browser can connect
Types of VPNs
Site-to-Site IPsec VPNs
• Site-to-site VPNs connect networks
across an untrusted network such as the
internet.
• End hosts send and receive normal
unencrypted TCP/IP traffic through a VPN
gateway.
• The VPN gateway encapsulates and
encrypts outbound traffic from a site and
sends the traffic through the VPN tunnel
to the VPN gateway at the target site.
The receiving VPN gateway strips the
headers, decrypts the content, and relays
the packet toward the target host inside
its private network.

Types of VPNs
GRE over IPsec
• Generic Routing Encapsulation (GRE) is a non-secure site-to-site VPN tunneling
protocol.
• A GRE tunnel can encapsulate various network layer protocols as well as multicast
and broadcast traffic.
• GRE does not by default support encryption; and therefore, it does not provide a
secure VPN tunnel.
• A GRE packet can be encapsulated into an IPsec packet to forward it securely to
the destination VPN gateway.
• Standard IPsec VPNs (non-GRE) can only create secure tunnels for unicast
traffic.
• Encapsulating GRE into IPsec allows multicast routing protocol updates to be
secured through a VPN.

Types of VPNs
GRE over IPsec (Cont.)
The terms used to describe the encapsulation of GRE over IPsec tunnel are
passenger protocol, carrier protocol, and transport protocol.
• Passenger protocol – This is the original packet that is to be encapsulated by
GRE. It could be an IPv4 or IPv6 packet, a routing update, and more.
• Carrier protocol – GRE is the carrier protocol that encapsulates the original
passenger packet.
• Transport protocol – This is the protocol that will actually be used to forward the
packet. This could be IPv4 or IPv6.

Types of VPNs
GRE over IPsec (Cont.)
For example, Branch and HQ need to exchange OSPF routing information over an
IPsec VPN. GRE over IPsec is used to support the routing protocol traffic over the
IPsec VPN. Specifically, the OSPF packets (i.e., passenger protocol) would be
encapsulated by GRE (i.e., carrier protocol) and subsequently encapsulated in an
IPsec VPN tunnel.

Types of VPNs
Dynamic Multipoint VPNs
Site-to-site IPsec VPNs and GRE over IPsec are not sufficient when the enterprise
adds many more sites. Dynamic Multipoint VPN (DMVPN) is a Cisco software
solution for building multiple VPNs in an easy, dynamic, and scalable manner.
• DMVPN simplifies the VPN tunnel configuration and provides a flexible option to
connect a central site with branch sites.
• It uses a hub-and-spoke configuration to establish a full mesh topology.
• Spoke sites establish secure VPN tunnels with the hub site.
• Each site is configured using Multipoint Generic Routing Encapsulation (mGRE).
The mGRE tunnel interface allows a single GRE interface to dynamically support
multiple IPsec tunnels.
• Spoke sites can also obtain information about each other, and alternatively build
direct tunnels between themselves (spoke-to-spoke tunnels).

Types of VPNs
IPsec Virtual Tunnel Interface
IPsec Virtual Tunnel Interface (VTI) simplifies the configuration process required to
support multiple sites and remote access.
• IPsec VTI configurations are applied to a virtual interface instead of static mapping
the IPsec sessions to a physical interface.
• IPsec VTI is capable of sending and receiving both IP unicast and multicast
encrypted traffic. Therefore, routing protocols are automatically supported without
having to configure GRE tunnels.
• IPsec VTI can be configured between sites or in a hub-and-spoke topology.

Types of VPNs
Service Provider MPLS VPNs
Today, service providers use MPLS in their core network. Traffic is forwarded through
the MPLS backbone using labels. Traffic is secure because service provider
customers cannot see each other’s traffic.
• MPLS can provide clients with managed VPN solutions; therefore, securing traffic
between client sites is the responsibility of the service provider.
• There are two types of MPLS VPN solutions supported by service providers:
• Layer 3 MPLS VPN - The service provider participates in customer routing by establishing a
peering between the customer’s routers and the provider’s routers.
• Layer 2 MPLS VPN - The service provider is not involved in the customer routing. Instead,
the provider deploys a Virtual Private LAN Service (VPLS) to emulate an Ethernet multiaccess
LAN segment over the MPLS network. No routing is involved. The customer’s routers
effectively belong to the same multiaccess network.

8.3 IPsec

IPsec
Video – IPsec Concepts
This video will cover the following:
• The purpose of IPsec
• IPsec protocols (AH, ESP, SA, IKE)

IPsec
IPsec Technologies
IPsec is an IETF standard that defines how a VPN can be secured across
IP networks. IPsec protects and authenticates IP packets between source
and destination and provides these essential security functions:
• Confidentiality - Uses encryption algorithms to prevent cybercriminals from
reading the packet contents.
• Integrity - Uses hashing algorithms to ensure that packets have not been altered
between source and destination.
• Origin authentication - Uses the Internet Key Exchange (IKE) protocol to
authenticate source and destination.
• Diffie-Hellman – Used to secure key exchange.

IPsec
IPsec Technologies (Cont.)
• IPsec is not bound to any specific rules
for secure communications.
• IPsec can easily integrate new security
technologies without updating existing
IPsec standards.
• The open slots in the IPsec framework
shown in the figure can be filled with any
of the choices that are available for that
IPsec function to create a unique security
association (SA).

IPsec
IPsec Protocol Encapsulation
Choosing the IPsec protocol
encapsulation is the first building block
of the framework.
• IPsec encapsulates packets using
Authentication Header (AH) or
Encapsulation Security Protocol
(ESP).
• The choice of AH or ESP establishes
which other building blocks are
available.
• AH is appropriate only when
confidentiality is not required or permitted.
• ESP provides both confidentiality and
authentication.

IPsec
Confidentiality
The degree of confidentiality
depends on the encryption
algorithm and the length of the
key used in the encryption
algorithm.

The number of possibilities to try to hack the key is a function of the length of the key - the shorter the key, the easier it is to break.

IPsec
Confidentiality (Cont.)
The encryption algorithms highlighted in
the figure are all symmetric key
cryptosystems:
• DES uses a 56-bit key.
• 3DES uses three independent 56-bit
encryption keys per 64-bit block.
• AES offers three different key
lengths: 128 bits, 192 bits, and 256
bits.
• SEAL is a stream cipher, which
means it encrypts data continuously
rather than encrypting blocks of data.
SEAL uses a 160-bit key.

IPsec
Integrity
• Data integrity means that the data
has not changed in transit.
• A method of proving data integrity is
required.
• The Hashed Message Authentication
Code (HMAC) is a data integrity
algorithm that guarantees the integrity
of the message using a hash value.
• Message-Digest 5 (MD5) uses a
128-bit shared-secret key.
• The Secure Hash Algorithm (SHA)
uses a 160-bit secret key.

IPsec
Authentication
There are two IPsec peer authentication
methods:
1. Pre-shared key (PSK) - A PSK value is entered into each peer manually.
• Easy to configure manually
• Does not scale well
• Must be configured on every peer
2. Rivest, Shamir, and Adleman
(RSA) - authentication uses digital
certificates to authenticate the peers.
• Each peer must authenticate its opposite
peer before the tunnel is considered
secure.

IPsec
Secure Key Exchange with Diffie-Hellman
DH allows two peers to establish a shared secret key over an insecure channel.

Variations of the DH key exchange are specified as DH groups:
• DH groups 1, 2, and 5 should no longer be
used.
• DH groups 14, 15, and 16 use larger key sizes with 2048 bits, 3072 bits, and 4096 bits, respectively.
• DH groups 19, 20, 21 and 24 with respective key sizes of 256 bits, 384 bits, 521 bits, and 2048 bits support Elliptic Curve Cryptography (ECC), which reduces the time needed to generate keys.
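The three building blocks from the last slides worked end to end: a DH exchange that gives both peers the same secret without sending it, an integrity key derived from that secret, and an ESP packet (HMAC-SHA1-96 ICV) protecting a GRE carrier packet, which is the "GRE over IPsec" case. This is an added Python example, not code from the slides; the DH parameters, GRE/passenger bytes, SPI and the simplified key derivation are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed toy Diffie-Hellman parameters (NOT a standard DH group and far too
# small to be secure). Real IPsec peers negotiate a group such as DH group 14 or
# higher, as the slide recommends; the modular arithmetic is the same.
TOY_P = 2**61 - 1   # a Mersenne prime
TOY_G = 5

# Constructed GRE carrier header (flags/version 0, protocol type 0x0800 = IPv4
# passenger) followed by a placeholder passenger. In a real tunnel the passenger
# would be the IPv4 packet carrying the OSPF update.
GRE_HEADER = struct.pack("!HH", 0x0000, 0x0800)
PASSENGER = b"<constructed IPv4/OSPF passenger packet>"
GRE_PROTOCOL_NUMBER = 47   # value carried in the ESP Next Header field


def dh_public(private: int) -> int:
    """Public value a peer sends over the insecure channel."""
    return pow(TOY_G, private, TOY_P)


def dh_shared(peer_public: int, private: int) -> int:
    """Shared secret; both peers compute the same value without ever sending it."""
    return pow(peer_public, private, TOY_P)


def derive_integrity_key(shared: int) -> bytes:
    """Turn the DH secret into a 20-byte HMAC-SHA1 key (the slide's 160-bit key).

    Simplified stand-in for IKE's PRF-based derivation, which also mixes in the
    peers' nonces and SPIs."""
    return hashlib.sha1(shared.to_bytes(8, "big")).digest()


def build_esp(spi: int, seq: int, payload: bytes, next_header: int, key: bytes) -> bytes:
    """ESP packet with ESP-NULL encryption and HMAC-SHA1-96 integrity.

    The confidentiality slot of the IPsec framework is left empty (ESP-NULL,
    RFC 2410) so the integrity mechanism stays visible; an AES variant would
    encrypt payload + trailer before the ICV is computed."""
    header = struct.pack("!II", spi, seq)
    # Pad so that payload + padding + the 2 trailer bytes is a multiple of 4.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))      # default pad pattern 1, 2, 3, ...
    trailer = padding + bytes([pad_len, next_header])
    authenticated = header + payload + trailer
    icv = hmac.new(key, authenticated, hashlib.sha1).digest()[:12]   # 96-bit ICV
    return authenticated + icv


def verify_esp(packet: bytes, key: bytes):
    """Return the decoded fields if the ICV checks out, or None if the packet was altered."""
    if len(packet) < 8 + 2 + 12:
        return None
    authenticated, icv = packet[:-12], packet[-12:]
    expected = hmac.new(key, authenticated, hashlib.sha1).digest()[:12]
    if not hmac.compare_digest(icv, expected):   # constant-time comparison
        return None
    spi, seq = struct.unpack("!II", authenticated[:8])
    pad_len, next_header = authenticated[-2], authenticated[-1]
    payload = authenticated[8:len(authenticated) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload}


def demo(a_private: int = None, b_private: int = None):
    """Run the exchange between peers A and B; returns (same_key, accepted, rejected)."""
    a_private = a_private or secrets.randbelow(TOY_P - 2) + 1
    b_private = b_private or secrets.randbelow(TOY_P - 2) + 1
    # 1. Diffie-Hellman: only the public values cross the wire.
    a_pub, b_pub = dh_public(a_private), dh_public(b_private)
    key_a = derive_integrity_key(dh_shared(b_pub, a_private))
    key_b = derive_integrity_key(dh_shared(a_pub, b_private))
    # 2. Peer A protects the GRE-encapsulated passenger with ESP (transport mode,
    #    so Next Header = 47 points straight at the GRE carrier).
    packet = build_esp(0x1000, 1, GRE_HEADER + PASSENGER, GRE_PROTOCOL_NUMBER, key_a)
    # 3. Peer B verifies; a single flipped bit inside the GRE header is rejected.
    good = verify_esp(packet, key_b)
    tampered = bytearray(packet)
    tampered[8] ^= 0x01
    bad = verify_esp(bytes(tampered), key_b)
    return key_a == key_b, good, bad


if __name__ == "__main__":
    same_key, good, bad = demo()
    print("peers derived the same key:", same_key)
    print("untouched packet decoded  :", good)
    print("tampered packet result    :", bad)
```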
IPsec
Video – IPsec Transport and Tunnel Mode
This video will explain the process of the IPv4 packet with ESP in transport
mode and in tunnel mode.

8.4 Module Practice and Quiz

Module Practice and Quiz
What did I learn in this module?
• A VPN is private in that the traffic is encrypted to keep the data confidential while it is
transported across the public network.
• Benefits of VPNs are cost savings, security, scalability, and compatibility.
• Remote-access VPNs let remote and mobile users securely connect to the enterprise by
creating an encrypted tunnel. Remote access VPNs can be created using either IPsec or
SSL.
• Site-to-site VPNs are used to connect networks across an untrusted network such as the
internet.
• In a site-to-site VPN, end hosts send and receive normal unencrypted TCP/IP traffic through
a VPN terminating device. The VPN terminating device is typically called a VPN gateway.
• GRE is a non-secure site-to-site VPN tunneling protocol.
• DMVPN is a Cisco software solution for easily building multiple, dynamic, scalable VPNs.
• Like DMVPNs, IPsec VTI simplifies the configuration process required to support multiple
sites and remote access.

Module Practice and Quiz
What did I learn in this module? (Cont.)
• IPsec protects and authenticates IP packets between source and destination.
• IPsec can protect traffic from Layer 4 through Layer 7.
• Using the IPsec framework, IPsec provides confidentiality, integrity, origin authentication, and
Diffie-Hellman.
• IPsec encapsulates packets using AH or ESP.
• The degree of confidentiality depends on the encryption algorithm and the length of the key
used in the encryption algorithm.
• DH provides a way for two peers to establish a shared secret key that only they know, even
though they are communicating over an insecure channel.

Module 9: QoS Concepts
Enterprise Networking, Security,
and Automation v7.0 (ENSA)
Module Objectives
Module Title: QoS Concepts

Module Objective: Explain how networking devices implement QoS.

Topic Title / Topic Objective
Network Transmission Quality: Explain how network transmission characteristics impact quality.
Traffic Characteristics: Describe minimum network requirements for voice, video, and data traffic.
Queuing Algorithms: Describe the queuing algorithms used by networking devices.
QoS Models: Describe the different QoS models.
QoS Implementation Techniques: Explain how QoS uses mechanisms to ensure transmission quality.

9.1 Network Transmission
Quality

Network Transmission Quality
Video – The Purpose of QoS
This video explains Quality of Service (QoS) and why it is needed.

Network Transmission Quality
Prioritizing Traffic
• When traffic volume is greater than
what can be transported across the
network, devices queue (hold) the
packets in memory until resources
become available to transmit them.
• Queuing packets causes delay
because new packets cannot be
transmitted until previous packets have
been processed.
• If the number of packets to be queued
continues to increase, the memory
within the device fills up and packets
are dropped.
• One QoS technique that can help with this problem is to classify data into multiple queues, as shown in the figure.
Note: A device implements QoS only when it is experiencing some type of congestion.
Network Transmission Quality
Bandwidth, Congestion, Delay, and Jitter
• Network bandwidth is measured in the number of bits that can be transmitted in a single
second, or bits per second (bps).
• Network congestion causes delay. An interface experiences congestion when it is presented
with more traffic than it can handle. Network congestion points are ideal candidates for QoS
mechanisms.
• The typical congestion points are aggregation, speed mismatch, and LAN to WAN.

Network Transmission Quality
Bandwidth, Congestion, Delay, and Jitter (Cont.)
Delay or latency refers to the time it takes for a packet to travel from the source to the
destination.
• Fixed delay is the amount of time a specific process takes, such as how long it takes to place a
bit on the transmission media.
• Variable delay takes an unspecified amount of time and is affected by factors such as how
much traffic is being processed.
• Jitter is the variation of delay of received packets.
Delay Description
Code delay The fixed amount of time it takes to compress data at the source before transmitting to the first
internetworking device, usually a switch.
Packetization delay The fixed time it takes to encapsulate a packet with all the necessary header information.
Queuing delay The variable amount of time a frame or packet waits to be transmitted on the link.
Serialization delay The fixed amount of time it takes to transmit a frame onto the wire.
Propagation delay The variable amount of time it takes for the frame to travel between the source and destination.
De-jitter delay The fixed amount of time it takes to buffer a flow of packets and then send them out in evenly
spaced intervals.
Network Transmission Quality
Packet Loss
Without QoS mechanisms, time-sensitive
packets, such as real-time video and voice,
are dropped with the same frequency as
data that is not time-sensitive.
• When a router receives a Real-Time
Protocol (RTP) digital audio stream for
Voice over IP (VoIP), it compensates for
the jitter that is encountered using a
playout delay buffer.
• The playout delay buffer buffers these
packets and then plays them out in a
steady stream.

Network Transmission Quality
Packet Loss (Cont.)
If the jitter is so large that it causes packets to be received out of the range of the playout buffer, the out-of-range packets are
discarded and dropouts are heard in the
audio.
• For losses as small as one packet, the
digital signal processor (DSP)
interpolates what it thinks the audio
should be and no problem is audible to
the user.
• When jitter exceeds what the DSP can
do to make up for the missing packets,
audio problems are heard.
Note: In a properly designed network, packet loss
should be near zero.

9.2 Traffic Characteristics

Traffic Characteristics
Video – Traffic Characteristics
This video will explain the characteristics of voice, video, and data traffic.

Traffic Characteristics
Network Traffic Trends
In the early 2000s, the predominant types of IP traffic were voice and data.
• Voice traffic has a predictable bandwidth need and known packet arrival times.
• Data traffic is not real-time and has unpredictable bandwidth need.
• Data traffic can temporarily burst, as when a large file is being downloaded. This
bursting can consume the entire bandwidth of a link.
More recently, video traffic has become increasingly important to business communications and operations.
• According to the Cisco Visual Networking Index (VNI), video traffic represented
70% of all traffic in 2017.
• By 2022, video will represent 82% of all traffic.
• Mobile video traffic will reach 60.9 exabytes per month by 2022.
The type of demands that voice, video, and data traffic place on the network are very
different.

Traffic Characteristics
Voice
Voice traffic is predictable and smooth and very sensitive to delays and dropped
packets.
• Voice packets must receive a higher priority than other types of traffic.
• Cisco products use the RTP port range 16384 to 32767 to prioritize voice traffic.
Voice can tolerate a certain amount of latency, jitter, and loss without any noticeable effects.
• Latency should be no more than 150 milliseconds (ms).
• Jitter should be no more than 30 ms, and packet loss no more than 1%.
• Voice traffic requires at least 30 Kbps of bandwidth.
Voice Traffic Characteristics
• Smooth
• Benign
• Drop sensitive
• Delay sensitive
• UDP priority
One-Way Requirements
• Latency < 150 ms
• Jitter < 30 ms
• Loss < 1%
• Bandwidth (30-128 Kbps)
Traffic Characteristics
Video
Video traffic tends to be unpredictable, inconsistent, and bursty. Compared to voice,
video is less resilient to loss and has a higher volume of data per packet.
• The number and size of video packets varies every 33 ms based on the content of
the video.
• UDP ports such as 554 are used for the Real-Time Streaming Protocol (RTSP) and should be given priority over other, less delay-sensitive, network traffic.
• Latency should be no more than 400 milliseconds (ms). Jitter should be no more
than 50 ms, and video packet loss should be no more than 1%. Video traffic
requires at least 384 Kbps of bandwidth.
Video Traffic Characteristics
• Bursty
• Greedy
• Drop sensitive
• Delay sensitive
• UDP priority
One-Way Requirements
• Latency < 200-400 ms
• Jitter < 30-50 ms
• Loss < 0.1-1%
• Bandwidth (384 Kbps - 20 Mbps)
Traffic Characteristics
Data
Data applications that have no tolerance for data loss, such as email and web pages,
use TCP to ensure that if packets are lost in transit, they will be resent.
• Data traffic can be smooth or bursty.
• Network control traffic is usually smooth and predictable.
Some TCP applications can consume a large portion of network capacity. FTP will
consume as much bandwidth as it can get when you download a large file, such as a
movie or game.

Data Traffic Characteristics
• Smooth/bursty
• Benign/greedy
• Drop insensitive
• Delay insensitive
• TCP retransmits

Traffic Characteristics
Data (Cont.)
Data traffic is relatively insensitive to drops and delays compared to voice and video.
Quality of Experience or QoE is important to consider with data traffic.
• Does the data come from an interactive application?
• Is the data mission critical?

Factor / Mission Critical / Not Mission Critical
Interactive
• Mission critical: Prioritize for the lowest delay of all data traffic and strive for a 1 to 2 second response time.
• Not mission critical: Applications could benefit from lower delay.
Not interactive
• Mission critical: Delay can vary greatly as long as the necessary minimum bandwidth is supplied.
• Not mission critical: Gets any leftover bandwidth after all voice, video, and other data application needs are met.

9.3 Queuing Algorithms

Queuing Algorithms
Video – QoS Algorithms
This video will cover the following:
• FIFO Queuing (absence of QoS)
• Weighted Fair Queuing (WFQ)
• Class Based Weighted Fair Queuing (CBWFQ)
• Low Latency Queuing (LLQ)

Queuing Algorithms
Queuing Overview
The QoS policy implemented by the network administrator becomes active when
congestion occurs on the link. Queuing is a congestion management tool that can
buffer, prioritize, and, if required, reorder packets before being transmitted to the
destination.

A number of queuing algorithms are available:
• First-In, First-Out (FIFO)
• Weighted Fair Queuing (WFQ)
• Class-Based Weighted Fair Queuing (CBWFQ)
• Low Latency Queuing (LLQ)

Queuing Algorithms
First in First Out
• First In First Out (FIFO) queuing buffers and forwards packets in the order of their
arrival.
• FIFO has no concept of priority or classes of traffic and consequently, makes no
decision about packet priority.
• There is only one queue, and all packets are treated equally.
• Packets are sent out an interface in the order in which they arrive.

Queuing Algorithms
Weighted Fair Queuing (WFQ)
Weighted Fair Queuing (WFQ) is an automated
scheduling method that provides fair bandwidth
allocation to all network traffic.
• WFQ applies priority, or weights, to identified
traffic, classifies it into conversations or flows,
and then determines how much bandwidth
each flow is allowed relative to other flows.
• WFQ classifies traffic into different flows based
on source and destination IP addresses, MAC
addresses, port numbers, protocol, and Type of
Service (ToS) value.
• WFQ is not supported with tunneling and
encryption because these features modify the
packet content information required by WFQ
for classification.
Queuing Algorithms
Class-Based Weighted Fair Queuing (CBWFQ)
Class-Based Weighted Fair Queuing (CBWFQ) extends the standard WFQ
functionality to provide support for user-defined traffic classes.
• Traffic classes are defined based on match criteria including protocols, access
control lists (ACLs), and input interfaces.
• Packets satisfying the match criteria for a class constitute the traffic for that class.
• A FIFO queue is reserved for each class, and traffic belonging to a class is
directed to the queue for that class.
• A class can be assigned characteristics, such as bandwidth, weight, and maximum
packet limit. The bandwidth assigned to a class is the guaranteed bandwidth
delivered during congestion.
• Packets belonging to a class are subject to the bandwidth and queue limits, which
is the maximum number of packets allowed to accumulate in the queue, that
characterize the class.

Queuing Algorithms
Class-Based Weighted Fair Queuing (CBWFQ) (Cont.)
After a queue has reached its configured queue limit, adding more packets to the
class causes tail drop or packet drop to take effect, depending on how class policy is
configured.
• Tail drop discards any packet that arrives at the tail end of a queue that has
completely used up its packet-holding resources.
• This is the default queuing response to congestion. Tail drop treats all traffic
equally and does not differentiate between classes of service.

Queuing Algorithms
Low Latency Queuing (LLQ)
The Low Latency Queuing (LLQ) feature
brings strict priority queuing (PQ) to
CBWFQ.
• Strict PQ allows delay-sensitive
packets such as voice to be sent
before packets in other queues.
• LLQ allows delay-sensitive packets
such as voice to be sent first (before
packets in other queues), giving
delay-sensitive packets preferential
treatment over other traffic.
• Cisco recommends that only voice
traffic be directed to the priority
queue.
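The FIFO, CBWFQ (a FIFO queue per class with a queue limit and tail drop) and LLQ (strict priority for voice on top of the weighted classes) behaviour from the last slides, as an added Python simulation that is not code from the slides. The packet arrivals, weights and queue limits are constructed, and the weighted share is implemented with deficit round robin, one common way to realise weighted fair queuing.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ident: str   # label used to show the transmission order
    cls: str     # traffic class name: "voice", "video" or "data"
    size: int    # bytes


# Constructed arrival order on a congested interface: voice, video and data interleaved.
ARRIVALS = [
    Packet("d1", "data", 500), Packet("v1", "video", 500), Packet("d2", "data", 500),
    Packet("v2", "video", 500), Packet("voice1", "voice", 200), Packet("d3", "data", 500),
    Packet("v3", "video", 500), Packet("d4", "data", 500), Packet("v4", "video", 500),
    Packet("voice2", "voice", 200), Packet("d5", "data", 500),
]


def fifo_order(packets, queue_limit):
    """FIFO: one queue, arrival order is transmission order, and the queue limit
    tail-drops whatever arrives late, voice included. Returns (sent, dropped)."""
    sent = [p.ident for p in packets[:queue_limit]]
    dropped = [p.ident for p in packets[queue_limit:]]
    return sent, dropped


class LlqScheduler:
    """LLQ-style scheduler: one strict-priority queue plus a weighted fair share
    of the remaining classes (deficit round robin). Every class has its own FIFO
    queue and queue limit, so a full class queue tail-drops only its own traffic."""

    def __init__(self, priority_class, classes, quantum=500):
        # classes: {name: (weight, queue_limit)}; the priority class's weight is ignored.
        self.priority = priority_class
        self.weighted = [n for n in classes if n != priority_class]
        for name in self.weighted:
            if classes[name][0] <= 0:
                raise ValueError(f"class {name} needs a positive weight")
        self.queues = {n: deque() for n in classes}
        self.limits = {n: limit for n, (_, limit) in classes.items()}
        self.quantum = {n: weight * quantum for n, (weight, _) in classes.items()}
        self.deficit = {n: 0 for n in classes}
        self.drops = {n: 0 for n in classes}

    def enqueue(self, pkt):
        """Returns False when the class queue is full (tail drop)."""
        queue = self.queues[pkt.cls]
        if len(queue) >= self.limits[pkt.cls]:
            self.drops[pkt.cls] += 1
            return False
        queue.append(pkt)
        return True

    def drain(self):
        """Transmit everything queued; returns the packets in transmission order."""
        out = []
        while any(self.queues.values()):
            priority_queue = self.queues[self.priority]
            if priority_queue:
                # Strict priority: voice leaves before anything waiting elsewhere.
                # (Cisco LLQ also polices this queue to its configured bandwidth so
                # it cannot starve the other classes; that policer is omitted here.)
                out.append(priority_queue.popleft())
                continue
            for name in self.weighted:   # one deficit round robin pass
                queue = self.queues[name]
                if not queue:
                    self.deficit[name] = 0   # an idle class earns no credit
                    continue
                self.deficit[name] += self.quantum[name]   # credit = weight * quantum bytes
                while queue and queue[0].size <= self.deficit[name]:
                    self.deficit[name] -= queue[0].size
                    out.append(queue.popleft())
        return out


def llq_demo():
    """Returns (transmission order, per-class drop counts) for ARRIVALS with
    video weighted 3:1 over data and a deliberately small data queue."""
    sched = LlqScheduler("voice", {"voice": (0, 8), "video": (3, 8), "data": (1, 3)})
    for pkt in ARRIVALS:
        sched.enqueue(pkt)
    order = [p.ident for p in sched.drain()]
    return order, dict(sched.drops)


if __name__ == "__main__":
    print("FIFO (limit 8):", fifo_order(ARRIVALS, 8))
    print("LLQ           :", llq_demo())
```

With FIFO the second voice packet is dropped like any other late arrival; with LLQ both voice packets leave first, video and data then share the link 3:1, and only the oversubscribed data class loses packets.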

9.4 QoS Models

QoS Models
Video – QoS Models
This video will cover the following:
• Best-effort model
• Integrated services (IntServ)
• Differentiated services (DiffServ)

QoS Models
Selecting an Appropriate QoS Policy Model
There are three models for implementing QoS. QoS is implemented in a network
using either IntServ or DiffServ.
• IntServ provides the highest guarantee of QoS, but it is very resource-intensive and therefore not easily scalable.
• DiffServ is less resource-intensive and more scalable.
• IntServ and DiffServ are sometimes co-deployed in network QoS implementations.

Model / Description
Best-effort model
• Not an implementation as QoS is not explicitly configured.
• Use when QoS is not required.
Integrated services (IntServ)
• Provides very high QoS to IP packets with guaranteed delivery.
• Defines a signaling process for applications to signal to the network that they require special QoS for a period and that bandwidth should be reserved.
• IntServ can severely limit the scalability of a network.
Differentiated services (DiffServ)
• Provides high scalability and flexibility in implementing QoS.
• Network devices recognize traffic classes and provide different levels of QoS to different traffic classes.
QoS Models
Best Effort
The basic design of the internet is best-effort packet delivery and provides no
guarantees.
• The best-effort model treats all network packets in the same way, so an
emergency voice message is treated the same way that a digital photograph
attached to an email is treated.
• Benefits and drawbacks of the best effort model:

Benefits
• The model is the most scalable.
• Scalability is only limited by available bandwidth, in which case all traffic is equally affected.
• No special QoS mechanisms are required.
• It is the easiest and quickest model to deploy.
Drawbacks
• There are no guarantees of delivery.
• Packets will arrive whenever they can and in any order possible, if they arrive at all.
• No packets have preferential treatment.
• Critical data is treated the same as casual email is treated.

QoS Models
Integrated Services
IntServ delivers the end-to-end QoS that real-
time applications require.
• Explicitly manages network resources to
provide QoS to individual flows or streams,
sometimes called microflows.
• Uses resource reservation and admission-
control mechanisms as building blocks to
establish and maintain QoS.
• Uses a connection-oriented approach. Each
individual communication must explicitly
specify its traffic descriptor and requested
resources to the network.
• The edge router performs admission control
to ensure that available resources are
sufficient in the network.
QoS Models
Integrated Services (Cont.)
In the IntServ model, the application requests a specific kind of service from the network before
sending data.
• The application informs the network of its traffic profile and requests a particular kind of service
that can encompass its bandwidth and delay requirements.
• IntServ uses the Resource Reservation Protocol (RSVP) to signal the QoS needs of an
application’s traffic along devices in the end-to-end path through the network.
• If network devices along the path can reserve the necessary bandwidth, the originating
application can begin transmitting. If the requested reservation fails along the path, the
originating application does not send any data.

Benefits
• Explicit end-to-end resource admission control
• Per-request policy admission control
• Signaling of dynamic port numbers
Drawbacks
• Resource intensive due to the stateful architecture requirement for continuous signaling.
• Flow-based approach not scalable to large implementations such as the internet.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30
QoS Models
Differentiated Services
The differentiated services (DiffServ) QoS model specifies a simple and scalable mechanism for classifying and managing network traffic.
• Is not an end-to-end QoS strategy because it cannot enforce end-to-end guarantees.
• Hosts forward traffic to a router which classifies the flows into aggregates (classes) and provides the appropriate QoS policy for the classes.
• Enforces and applies QoS mechanisms on a hop-by-hop basis, uniformly applying global meaning to each traffic class to provide both flexibility and scalability.

QoS Models
Differentiated Services (Cont.)
• DiffServ divides network traffic into classes based on business requirements. Each
of the classes can then be assigned a different level of service.
• As the packets traverse a network, each of the network devices identifies the
packet class and services the packet according to that class.
• It is possible to choose many levels of service with DiffServ.

Benefits:
• Highly scalable
• Provides many different levels of quality
Drawbacks:
• No absolute guarantee of service quality
• Requires a set of complex mechanisms to work in concert throughout the network

9.5 QoS Implementation Techniques

QoS Implementation Techniques
Video – QoS Implementation Techniques
This video will cover the following:
• Implementation tools (classification and marking, congestion avoidance,
and congestion management)
• Traffic marking

QoS Implementation Techniques
Avoiding Packet Loss
Packet loss is usually the result of congestion on an interface. Most applications that
use TCP experience slowdown because TCP automatically adjusts to network
congestion. Dropped TCP segments cause TCP sessions to reduce their window
sizes. Some applications do not use TCP and cannot handle drops (fragile flows).

The following approaches can prevent drops in sensitive applications:


• Increase link capacity to ease or prevent congestion.
• Guarantee enough bandwidth and increase buffer space to accommodate bursts
of traffic from fragile flows. WFQ, CBWFQ, and LLQ can guarantee bandwidth
and provide prioritized forwarding to drop-sensitive applications.
• Drop lower-priority packets before congestion occurs. Cisco IOS QoS provides
queuing mechanisms, such as weighted random early detection (WRED), that
start dropping lower-priority packets before congestion occurs.

QoS Implementation Techniques
QoS Tools
There are three categories of QoS tool, as described below.
Classification and marking tools:
• Sessions, or flows, are analyzed to determine what traffic class they belong to.
• When the traffic class is determined, the packets are marked.
Congestion avoidance tools:
• Traffic classes are allotted portions of network resources, as defined by the QoS policy.
• The QoS policy also identifies how some traffic may be selectively dropped, delayed, or re-marked to avoid congestion.
• The primary congestion avoidance tool is WRED, which is used to regulate TCP data traffic in a bandwidth-efficient manner before tail drops caused by queue overflows occur.
Congestion management tools:
• When traffic exceeds available network resources, traffic is queued to await availability of resources.
• Common Cisco IOS-based congestion management tools include the CBWFQ and LLQ algorithms.
QoS Implementation Techniques
QoS Tools (Cont.)
The figure shows the sequence of QoS tools used when applied to packet flows.
• Ingress packets are classified and their respective IP header is marked.
• To avoid congestion, packets are then allocated resources based on defined
policies.
• Packets are then queued and forwarded out the egress interface based on their
defined QoS shaping and policing policy.

Note: Classification and marking can be done on ingress or egress, whereas other QoS actions such as queuing and shaping are usually done on egress.
QoS Implementation Techniques
Classification and Marking
Before a packet can have a QoS policy applied to it, the packet has to be classified.
Classification determines the class of traffic to which packets or frames belong. Only
after traffic is marked can policies be applied to it.

How a packet is classified depends on the QoS implementation.
• Methods of classifying traffic flows at Layer 2 and 3 include using interfaces, ACLs, and class maps.
• Traffic can also be classified at Layers 4 to 7 using Network Based Application Recognition (NBAR).

QoS Implementation Techniques
Classification and Marking (Cont.)
How traffic is marked usually depends on the technology. The decision of whether to
mark traffic at Layers 2 or 3 (or both) is not trivial and should be made after
consideration of the following points:
• Layer 2 marking of frames can be performed for non-IP traffic.
• Layer 2 marking of frames is the only QoS option available for switches that are
not “IP aware”.
• Layer 3 marking will carry the QoS information end-to-end.
QoS Tool                   Layer  Marking Field                              Width in Bits
Ethernet (802.1q, 802.1p)  2      Class of Service (CoS)                     3
802.11 (Wi-Fi)             2      Wi-Fi Traffic Identifier (TID)             3
MPLS                       2      Experimental (EXP)                         3
IPv4 and IPv6              3      IP Precedence (IPP)                        3
IPv4 and IPv6              3      Differentiated Services Code Point (DSCP)  6

QoS Implementation Techniques
Marking at Layer 2
802.1Q is the IEEE standard that supports VLAN tagging at Layer 2 on Ethernet
networks. When 802.1Q is implemented, two fields are inserted into the Ethernet
frame following the source MAC address field.

QoS Implementation Techniques
Marking at Layer 2 (Cont.)
The 802.1Q standard also includes the QoS prioritization scheme known as IEEE 802.1p. The
802.1p standard uses the first three bits in the Tag Control Information (TCI) field. Known as
the Priority (PRI) field, this 3-bit field identifies the Class of Service (CoS) markings.

Three bits means that a Layer 2 Ethernet frame can be marked with one of eight levels of
priority (values 0-7).
CoS Value  CoS Binary Value  Description
0          000               Best-Effort Data
1          001               Medium-Priority Data
2          010               High-Priority Data
3          011               Call Signaling
4          100               Videoconferencing
5          101               Voice bearer (voice traffic)
6          110               Reserved
7          111               Reserved
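As an added example (not part of the course material), the following Python builds and parses an 802.1Q-tagged Ethernet frame so the PRI/CoS, DEI and VLAN ID bits of the Tag Control Information can be read directly, and shows the re-marking a switch performs on frames from a port whose CoS is not trusted. The MAC addresses, payload bytes and helper names are constructed for this example; the CoS meanings come from the table above.

```python
import struct

# CoS (802.1p PRI) meanings from the course table above.
COS_DESCRIPTIONS = {0: "Best-Effort Data", 1: "Medium-Priority Data", 2: "High-Priority Data",
                    3: "Call Signaling", 4: "Videoconferencing",
                    5: "Voice bearer (voice traffic)", 6: "Reserved", 7: "Reserved"}

TPID_8021Q = 0x8100  # Tag Protocol Identifier; the tag is inserted after the source MAC


def build_tagged_frame(dst_mac, src_mac, cos, vlan_id, ethertype, payload, dei=0):
    """Build an 802.1Q-tagged Ethernet frame (no FCS). TCI = PRI(3) | DEI(1) | VID(12)."""
    if not 0 <= cos <= 7:
        raise ValueError("CoS must fit in 3 bits")
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    tci = (cos << 13) | ((dei & 1) << 12) | vlan_id
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return the header fields; cos/dei/vlan are None when no 802.1Q tag is present."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "tagged": False, "cos": None, "dei": None,
                "vlan": None, "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "tagged": True,
            "cos": tci >> 13,           # PRI: first three bits of the TCI
            "dei": (tci >> 12) & 0x1,   # Drop Eligible Indicator
            "vlan": tci & 0x0FFF,       # 12-bit VLAN ID
            "ethertype": inner_type, "payload": frame[18:]}


def describe_cos(cos):
    return COS_DESCRIPTIONS[cos]


def rewrite_cos(frame, new_cos):
    """Re-mark the CoS of a tagged frame, as a switch does for frames arriving on a port
    whose markings are not trusted; untagged frames are returned unchanged."""
    f = parse_frame(frame)
    if not f["tagged"]:
        return frame
    return build_tagged_frame(f["dst"], f["src"], new_cos, f["vlan"], f["ethertype"],
                              f["payload"], f["dei"])
```

A frame built with cos=5 parses back as CoS 5 ("Voice bearer"), and rewrite_cos(frame, 0) resets only the three PRI bits while the VLAN ID and payload are preserved, which is the behaviour a trust boundary relies on.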
QoS Implementation Techniques
Marking at Layer 3
IPv4 and IPv6 specify an 8-bit field in their packet headers to mark packets.

Both IPv4 and IPv6 support an 8-bit field for marking: the Type of Service (ToS) field for IPv4 and the Traffic Class field for IPv6.

QoS Implementation Techniques
Type of Service and Traffic Class Field
The Type of Service (IPv4) and Traffic Class (IPv6) fields carry the packet marking as assigned by the QoS classification tools.
• RFC 791 specified the 3-bit IP Precedence (IPP) field to be used for QoS markings.
• RFC 2474 supersedes RFC 791 and redefines the ToS field by renaming and extending the IPP field to 6 bits.
• Called the Differentiated Services Code Point (DSCP) field, these six bits offer a maximum of 64 possible classes of service.
• The remaining two bits, the IP Explicit Congestion Notification (ECN) bits, can be used by ECN-aware routers to mark packets instead of dropping them.
QoS Implementation Techniques
DSCP Values
The 64 DSCP values are organized into three categories:
• Best-Effort (BE) - This is the default for all IP packets. The DSCP value is 0. The
per-hop behavior is normal routing. When a router experiences congestion, these
packets will be dropped. No QoS plan is implemented.
• Expedited Forwarding (EF) - RFC 3246 defines EF as the DSCP decimal value
46 (binary 101110). The first 3 bits (101) map directly to the Layer 2 CoS value 5
used for voice traffic. At Layer 3, Cisco recommends that EF only be used to mark
voice packets.
• Assured Forwarding (AF) - RFC 2597 defines AF to use the 5 most significant
DSCP bits to indicate queues and drop preference.

QoS Implementation Techniques
DSCP Values (Cont.)
Assured Forwarding values are shown in the figure.
The AFxy formula is specified as follows:
• The first 3 most significant bits are used to designate the class. Class 4 is the best queue and Class 1 is the worst queue.
• The 4th and 5th most significant bits are used to designate the drop preference.
• The 6th most significant bit is set to zero.
For example: AF32 belongs to class 3 (binary 011) and has a medium drop preference (binary 10). The full DSCP value is 28 because you include the 6th 0 bit (binary 011100).

QoS Implementation Techniques
Class Selector Bits
Class Selector (CS) bits:
• Are the first 3 most significant bits of the DSCP field and indicate the class.
• Map directly to the 3 bits of the CoS field and the IPP field to maintain compatibility with 802.1p and RFC 791.

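The DSCP, AFxy and Class Selector rules from the preceding slides, worked through in Python as an added example that is not part of the course material. It splits the ToS/Traffic Class byte into DSCP and ECN, encodes AFxy into a DSCP value, and decodes any 6-bit DSCP into its name and the CS/IPP/CoS value it maps to; the function names are this example's own.

```python
EF_DSCP = 46  # Expedited Forwarding, binary 101110 (RFC 3246)


def tos_byte_fields(tos):
    """Split the 8-bit ToS (IPv4) / Traffic Class (IPv6) byte into DSCP (6 bits) and ECN (2 bits)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS byte out of range")
    return {"dscp": tos >> 2, "ecn": tos & 0x3}


def af_dscp(af_class, drop_precedence):
    """AFxy -> DSCP: class in the 3 most significant bits, drop precedence in bits 4-5, bit 6 zero."""
    if af_class not in (1, 2, 3, 4) or drop_precedence not in (1, 2, 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (af_class << 3) | (drop_precedence << 1)


def decode_dscp(dscp):
    """Name a 6-bit DSCP value and expose the fields described in the text."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must fit in 6 bits")
    cs = dscp >> 3            # Class Selector bits == IPP value == Layer 2 CoS value
    drop = (dscp >> 1) & 0x3  # 4th and 5th most significant bits
    low = dscp & 0x1          # 6th bit, zero for CS and AF code points
    if dscp == 0:
        name = "BE"                       # default, best effort
    elif dscp == EF_DSCP:
        name = "EF"
    elif low == 0 and drop == 0:
        name = "CS%d" % cs                # only the class selector bits are set
    elif low == 0 and 1 <= cs <= 4 and 1 <= drop <= 3:
        name = "AF%d%d" % (cs, drop)
    else:
        name = "DSCP%d" % dscp            # locally defined / non-standard code point
    return {"name": name, "class_selector": cs, "drop_precedence": drop,
            "ipp": cs, "cos": cs, "binary": format(dscp, "06b")}
```

decode_dscp(28) returns AF32 with binary 011100, matching the worked example on the slide; decode_dscp(46) returns EF with cos 5, which is why EF maps to the voice CoS value at Layer 2; and a ToS byte of 0xB8 splits into DSCP 46 and ECN 0.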
QoS Implementation Techniques
Trust Boundaries
Traffic should be classified and marked as close to its source as technically and
administratively feasible. This defines the trust boundary.
1. Trusted endpoints have the capabilities and intelligence to mark application traffic to the
appropriate Layer 2 CoS and/or Layer 3 DSCP values.
2. Secure endpoints can have traffic marked at the Layer 2 switch.
3. Traffic can also be marked at Layer 3 switches / routers.

QoS Implementation Techniques
Congestion Avoidance
Congestion avoidance tools monitor network traffic loads in an effort to anticipate and
avoid congestion at common network and internetwork bottlenecks before congestion
becomes a problem.
• They monitor the average depth of the queue. When the queue is below the minimum threshold,
there are no drops. As the queue fills up to the maximum threshold, a small percentage of packets
are dropped. When the maximum threshold is passed, all packets are dropped.
Some congestion avoidance techniques provide preferential treatment for which packets
get dropped.
• Weighted random early detection (WRED) allows for congestion avoidance on network interfaces
by providing buffer management and allowing TCP traffic to decrease, or throttle back, before
buffers are exhausted.
• WRED helps avoid tail drops and maximizes network use and TCP-based application
performance.
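The threshold behaviour described above (no drops below the minimum threshold, a rising drop probability up to the maximum threshold, all drops beyond it) as an added Python simulation that is not part of the course material. It tracks the average queue depth with a moving average and applies per-class WRED profiles so that a higher drop precedence (AF13) is dropped before a lower one (AF11). The profiles, thresholds and packet sequence are constructed for this example, and the random drop decision is replaced by deterministic spacing so the result is reproducible.

```python
from collections import defaultdict


def update_average_depth(avg, current_depth, weight=1.0 / 512):
    """Exponentially weighted moving average of queue depth, the quantity WRED compares."""
    return (1.0 - weight) * avg + weight * current_depth


def drop_probability(avg_depth, min_th, max_th, max_p):
    """Piecewise WRED curve: 0 below min_th, linear up to max_p at max_th, 1 above max_th."""
    if avg_depth < min_th:
        return 0.0
    if avg_depth >= max_th:
        return 1.0
    return max_p * (avg_depth - min_th) / float(max_th - min_th)


def wred_filter(packets, avg_depth, profiles):
    """Apply per-class WRED profiles to packets in arrival order.
    packets: class names; profiles: class -> (min_th, max_th, max_p).
    In the linear region every round(1/p)-th packet of a class is dropped (constructed
    simplification of RED's randomized decision, chosen so results are reproducible).
    Returns (forwarded classes, drops per class)."""
    since_drop = defaultdict(int)
    dropped = defaultdict(int)
    forwarded = []
    for cls in packets:
        min_th, max_th, max_p = profiles[cls]
        p = drop_probability(avg_depth, min_th, max_th, max_p)
        if p >= 1.0:
            dropped[cls] += 1            # beyond max threshold: behaves like tail drop
            continue
        if p > 0.0:
            since_drop[cls] += 1
            if since_drop[cls] >= int(round(1.0 / p)):
                dropped[cls] += 1        # early drop signals TCP to throttle back
                since_drop[cls] = 0
                continue
        forwarded.append(cls)
    return forwarded, dict(dropped)


# Constructed profiles: the higher the drop precedence, the earlier WRED starts dropping.
PROFILES = {"AF11": (32, 40, 0.1), "AF12": (28, 40, 0.1), "AF13": (20, 40, 0.1)}
```

At an average depth of 30 packets, AF13 (min 20) sits in its linear region with p = 0.05 and loses one packet in twenty, while AF11 (min 32) is still untouched; at depth 45 both classes are entirely dropped, which is the tail-drop condition WRED is meant to avoid reaching.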

QoS Implementation Techniques
Shaping and Policing
Traffic shaping and traffic policing are two mechanisms provided by Cisco IOS QoS
software to prevent congestion.
• Traffic shaping retains excess packets in a queue and then schedules the excess for
later transmission over increments of time. Traffic shaping results in a smoothed
packet output rate.
• Shaping is an outbound concept; packets going out an interface get queued and can
be shaped. In contrast, policing is applied to inbound traffic on an interface.

QoS Implementation Techniques
Shaping and Policing (Cont.)
Policing is applied to inbound traffic on an interface. Policing is commonly implemented
by service providers to enforce a contracted customer information rate (CIR). However,
the service provider may also allow bursting over the CIR if the service provider’s
network is not currently experiencing congestion.
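Shaping versus policing from the two slides above, as an added Python simulation that is not part of the course material. A single-rate token bucket is refilled at the committed rate (CIR) up to a burst size (Bc); a policer drops packets that find no tokens, while a shaper holds them and releases them in later intervals, producing the smoothed output the text describes. The arrival pattern, rates and the function name are constructed for this example, and the shaper queue is left unbounded for simplicity.

```python
def token_bucket_run(arrivals, cir, bc, mode):
    """Run a single-rate token bucket over per-interval packet lists.
    arrivals: list of intervals, each a list of packet sizes in bytes (constructed input)
    cir: committed rate in bytes per interval; bc: bucket depth (burst allowance) in bytes
    mode: "police" drops exceeding packets, "shape" queues them for later intervals.
    Returns (bytes sent per interval, bytes dropped, bytes still queued at the end)."""
    if mode not in ("police", "shape"):
        raise ValueError("mode must be 'police' or 'shape'")
    tokens = bc            # the bucket starts full
    backlog = []           # shaper queue; a real shaper has a finite queue and eventually drops
    sent, dropped = [], 0
    for interval in arrivals:
        tokens = min(bc, tokens + cir)       # replenish once per interval, never above Bc
        pending = backlog + list(interval)   # previously delayed packets are served first
        backlog = []
        out = 0
        for size in pending:
            if mode == "shape" and backlog:
                backlog.append(size)         # keep FIFO order once a packet is waiting
            elif tokens >= size:
                tokens -= size
                out += size                  # conform: forwarded now
            elif mode == "police":
                dropped += size              # exceed: the policer discards it
            else:
                backlog.append(size)         # exceed: the shaper delays it
        sent.append(out)
    return sent, dropped, sum(backlog)
```

With six 500-byte packets arriving in one interval against a CIR of 1000 bytes per interval and Bc of 1000 bytes, the policer forwards 1000 bytes and drops 2000, whereas the shaper forwards 1000 bytes in each of three consecutive intervals and drops nothing. Raising Bc to 2000 lets the same bucket forward a 2000-byte burst in one interval, which is the "bursting over the CIR" allowance mentioned in the text.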

QoS Implementation Techniques
QoS Policy Guidelines
QoS policies must consider the full path from source to destination.

A few guidelines that help ensure the best experience for end users include the
following:
• Enable queuing at every device in the path between source and destination.
• Classify and mark traffic as close to the source as possible.
• Shape and police traffic flows as close to their sources as possible.

9.6 Module Practice and Quiz

Module Practice and Quiz
What did I learn in this module?
• Voice and live video transmissions create higher expectations for quality delivery among
users, and create a need for Quality of Service (QoS).
• Without any QoS mechanisms in place, packets are processed in the order in which they are
received. When congestion occurs, network devices such as routers and switches can drop
packets.
• Without any QoS, time-sensitive packets, such as real-time video and voice, will be dropped
with the same frequency as data that is not time-sensitive, such as email and web browsing.
• Queuing packets causes delay because new packets cannot be transmitted until previous
packets have been processed.
• Two types of delays are fixed and variable.
• Sources of delay are code delay, packetization delay, queuing delay, serialization delay,
propagation delay, and de-jitter delay.
• Jitter is the variation in the delay of received packets.
• Voice and video traffic are two of the main reasons for QoS.
• Voice traffic is smooth and benign, but it is sensitive to drops and delays.
Module Practice and Quiz
What did I learn in this module? (Cont.)
• Voice can tolerate a certain amount of latency, jitter, and loss without any noticeable effects.
• Video traffic is more demanding than voice traffic because of the size of the packets it sends
across the network.
• Video traffic is bursty, greedy, drop sensitive, and delay sensitive.
• Data traffic is not as demanding as voice and video traffic. Data packets often use TCP
applications which can retransmit data and, therefore, are not sensitive to drops and delays.
• The QoS policy implemented by the network administrator becomes active when congestion
occurs on the link.
• Queuing is a congestion management tool that can buffer, prioritize, and, if required, reorder
packets before being transmitted to the destination.
• FIFO queuing buffers and forwards packets in the order of their arrival. FIFO has no concept
of priority or classes of traffic and consequently, makes no decision about packet priority.
• WFQ is an automated scheduling method that provides fair bandwidth allocation to all
network traffic. WFQ applies priority, or weights, to identified traffic and classifies it into
conversations or flows.
Module Practice and Quiz
What did I learn in this module? (Cont.)
• CBWFQ extends the standard WFQ functionality to provide support for user-defined traffic
classes. With CBWFQ, you define traffic classes based on match criteria including protocols,
access control lists (ACLs), and input interfaces. The LLQ feature brings strict priority queuing
(PQ) to CBWFQ.
• There are three models for implementing QoS: Best-effort model, Integrated services
(IntServ), and Differentiated services (DiffServ).
• The IntServ architecture model was developed to meet the needs of real-time applications, such
as remote video, multimedia conferencing, data visualization applications, and virtual reality.
• The DiffServ QoS model specifies a simple and scalable mechanism for classifying and managing
network traffic. The DiffServ design overcomes the limitations of both the best-effort and
IntServ models.
• There are three categories of QoS tools: classification and marking tools, congestion
avoidance tools, and congestion management tools.
• Classification determines the class of traffic to which packets or frames belong.

Module Practice and Quiz
What did I learn in this module? (Cont.)
• Methods of classifying traffic flows at Layer 2 and 3 include using interfaces, ACLs, and class
maps. Traffic can also be classified at Layers 4 to 7 using Network Based Application
Recognition (NBAR).
• Congestion management includes queuing and scheduling methods where excess traffic is
buffered or queued (and sometimes dropped) while it waits to be sent out an egress
interface.
• Congestion avoidance tools help to monitor network traffic loads in an effort to anticipate and
avoid congestion at common network and internetwork bottlenecks before congestion
becomes a problem.
• Cisco IOS QoS includes weighted random early detection (WRED) as a possible congestion
avoidance solution.

Module 10: Network Management
Enterprise Networking, Security, and Automation v7.0 (ENSA)
Module Objectives
Module Title: Network Management

Module Objective: Implement protocols to manage the network.

Topic Title                         Topic Objective
Device Discovery with CDP           Use CDP to map a network topology.
Device Discovery with LLDP          Use LLDP to map a network topology.
NTP                                 Implement NTP between an NTP client and NTP server.
SNMP                                Explain how SNMP operates.
Syslog                              Explain syslog operation.
Router and Switch File Maintenance  Use commands to back up and restore an IOS configuration file.
IOS Image Management                Implement protocols to manage the network.

10.1 Device Discovery with CDP

Device Discovery with CDP
CDP Overview
CDP is a Cisco proprietary Layer 2 protocol that is used to gather information about Cisco
devices which share the same data link. CDP is media and protocol independent and runs
on all Cisco devices, such as routers, switches, and access servers.

The device sends periodic CDP advertisements to connected devices. These advertisements share information about the type of device that is discovered, the name of the devices, and the number and type of the interfaces.

Device Discovery with CDP
Configure and Verify CDP
• For Cisco devices, CDP is enabled by default. To verify the status of CDP and display
information about CDP, enter the show cdp command.
• To disable CDP on a specific interface, enter no cdp enable in the interface
configuration mode. CDP is still enabled on the device; however, no more CDP
advertisements will be sent out that interface. To enable CDP on the specific interface
again, enter cdp enable.
• To enable CDP globally for all the supported interfaces on the device, enter cdp
run in the global configuration mode. CDP can be disabled for all the interfaces on the
device with the no cdp run command in the global configuration mode.
• Use the show cdp interface command to display the interfaces that are CDP-
enabled on a device. The status of each interface is also displayed.

Device Discovery with CDP
Discover Devices by Using CDP
• With CDP enabled on the network, the show cdp neighbors command can be used
to determine the network layout, as shown in the output.
• The output shows that there is another Cisco device, S1, connected to the G0/0/1
interface on R1. Furthermore, S1 is connected through its F0/5

R1# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
S1               Gig 0/0/1         179        S I         WS-C3560- Fas 0/5

Device Discovery with CDP
Discover Devices by Using CDP (Cont.)
The network administrator uses show cdp neighbors detail to discover the IP address
for S1. As displayed in the output, the address for S1 is 192.168.1.2.

R1# show cdp neighbors detail
-------------------------
Device ID: S1
Entry address(es):
  IP address: 192.168.1.2
Platform: cisco WS-C3560-24TS, Capabilities: Switch IGMP
Interface: GigabitEthernet0/0/1, Port ID (outgoing port): FastEthernet0/5
Holdtime : 136 sec

(output omitted)

Device Discovery with CDP
Packet Tracer - Use CDP to Map a Network
A senior network administrator requires you to map the Remote Branch Office network
and discover the name of a recently installed switch that still needs an IPv4 address to be
configured. Your task is to create a map of the branch office network. To map the network,
you will use SSH for remote access and the Cisco Discovery Protocol (CDP) to discover
information about neighboring network devices, like routers and switches.

10.2 Device Discovery with LLDP

Device Discovery with LLDP
LLDP Overview
Link Layer Discovery Protocol (LLDP) is a vendor-neutral neighbor discovery protocol
similar to CDP. LLDP works with network devices, such as routers, switches, and wireless
LAN access points. This protocol advertises its identity and capabilities to other devices
and receives the information from a physically-connected Layer 2 device.

Device Discovery with LLDP
Configure and Verify LLDP
• LLDP may be enabled by default. To enable LLDP globally on a Cisco network device,
enter the lldp run command in the global config mode. To disable LLDP, enter the no
lldp run command in the global config mode.
• LLDP can be configured on specific interfaces. However, LLDP must be configured
separately to transmit and receive LLDP packets.
• To verify LLDP is enabled, enter the show lldp command in privileged EXEC mode.
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# lldp run
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# lldp transmit
Switch(config-if)# lldp receive
Switch(config-if)# end
Switch# show lldp
Global LLDP Information:
Status: ACTIVE
LLDP advertisements are sent every 30 seconds
LLDP hold time advertised is 120 seconds
LLDP interface reinitialisation delay is 2 seconds
Device Discovery with LLDP
Discover Devices by Using LLDP
With LLDP enabled, device neighbors can be discovered by using the show lldp
neighbors command.

S1# show lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
R1                  Fa0/5          117        R               Gi0/0/1
S2                  Fa0/1          112        B               Fa0/1

Total entries displayed: 2

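Mapping a topology from the CDP output on R1 (section 10.1) and the LLDP output on S1 above, as an added Python example that is not part of the course material. It parses both neighbor tables, normalizes the two interface-name styles so the R1-S1 link discovered from each side collapses into one edge, and compares advertised neighbors against an authorized inventory; because CDP and LLDP accept any adjacent device's advertisement, that comparison is what turns discovery output into a useful check. The parsers, the normalization and the inventory are constructed; the two outputs are reproduced from the slides.

```python
import re

# Reproduced from the slides: "show cdp neighbors" on R1 and "show lldp neighbors" on S1.
CDP_OUTPUT = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
S1               Gig 0/0/1         179        S I         WS-C3560- Fas 0/5
"""
LLDP_OUTPUT = """\
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
R1                  Fa0/5          117        R               Gi0/0/1
S2                  Fa0/1          112        B               Fa0/1

Total entries displayed: 2
"""

# CDP prints "Gig 0/0/1", LLDP prints "Gi0/0/1"; both become "Gi0/0/1" so edges can be merged.
_INTF = re.compile(r"^([A-Za-z]+)\s*(\S+)$")


def normalize_intf(name):
    m = _INTF.match(name.strip())
    return m.group(1)[:2].capitalize() + m.group(2) if m else name.strip()


# A CDP row: device, "Abbr num" interface, holdtime, capability letters, platform, "Abbr num" port.
_CDP_ROW = re.compile(
    r"^(?P<device>\S+)\s+(?P<local>\S+ \S+)\s+(?P<hold>\d+)\s+"
    r"(?P<caps>(?:[A-Za-z]\s+)+)(?P<platform>\S+)\s+(?P<port>\S+ \S+)$")


def parse_cdp_neighbors(text, local_device):
    """One adjacency per neighbor row; legend, header and blank lines never match."""
    rows = []
    for line in text.splitlines():
        m = _CDP_ROW.match(line.strip())
        if m:
            rows.append({"local_device": local_device, "neighbor": m.group("device"),
                         "local_intf": normalize_intf(m.group("local")),
                         "port_id": normalize_intf(m.group("port")),
                         "holdtime": int(m.group("hold")),
                         "capability": m.group("caps").split(),
                         "platform": m.group("platform"), "source": "cdp"})
    return rows


def parse_lldp_neighbors(text, local_device):
    """LLDP rows are five whitespace-separated fields with a numeric hold time."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2].isdigit():
            device, local, hold, caps, port = parts
            rows.append({"local_device": local_device, "neighbor": device,
                         "local_intf": normalize_intf(local), "port_id": normalize_intf(port),
                         "holdtime": int(hold), "capability": caps.split(","),
                         "platform": None, "source": "lldp"})
    return rows


def build_topology(*row_lists):
    """Undirected edges between (device, interface) endpoints, de-duplicated across sources."""
    edges = set()
    for rows in row_lists:
        for r in rows:
            ends = ((r["local_device"], r["local_intf"]), (r["neighbor"], r["port_id"]))
            edges.add(tuple(sorted(ends)))
    return edges


def unexpected_neighbors(rows, inventory):
    """Advertised neighbors that are missing from the authorized device inventory."""
    return sorted({r["neighbor"] for r in rows if r["neighbor"] not in inventory})
```

Merging both outputs yields two edges (R1 Gi0/0/1 to S1 Fa0/5, and S1 Fa0/1 to S2 Fa0/1); with an inventory of only R1 and S1, S2 is reported as an unexpected neighbor, the same situation the Packet Tracer activity describes for a newly installed switch.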
Device Discovery with LLDP
Discover Devices by Using LLDP (Cont.)
When more details about the neighbors are needed, the show lldp neighbors
detail command can provide information, such as the neighbor IOS version, IP address,
and device capability.
S1# show lldp neighbors detail
------------------------------------------------
Chassis id: 848a.8d44.49b0
Port id: Gi0/0/1
Port Description: GigabitEthernet0/0/1
System Name: R1
System Description: Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_.....,
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Thu 22-Aug-19 18:09 by mcpre

Time remaining: 111 seconds

System Capabilities: B,R
Enabled Capabilities: R
Management Addresses - not advertised
(output omitted)

Device Discovery with LLDP
Packet Tracer - Use LLDP to Map a Network
In this Packet Tracer activity, you will complete the following objectives:
• Build the Network and Configure Basic Device Settings
• Network Discovery with CDP
• Network Discovery with LLDP

10.3 NTP

NTP
Time and Calendar Services
• The software clock on a router or switch starts when the system boots. It is the
primary source of time for the system. It is important to synchronize the time across all
devices on the network. When the time is not synchronized between devices, it will be
impossible to determine the order of the events and the cause of an event.
• Typically, the date and time settings on a router or switch can be set by using one of
two methods. You can manually configure the date and time, as shown in the example,
or configure the Network Time Protocol (NTP).

R1# clock set 20:36:00 nov 15 2019
R1#
*Nov 15 20:36:00.000: %SYS-6-CLOCKUPDATE: System clock has been
updated from 21:32:31 UTC Fri Nov 15 2019 to 20:36:00 UTC Fri Nov 15
2019, configured from console by console.

NTP
Time and Calendar Services (Cont.)
As a network grows, it becomes difficult to ensure that all infrastructure devices are
operating with synchronized time using the manual method.

A better solution is to configure NTP on the network. This protocol allows routers on
the network to synchronize their time settings with an NTP server, which provides more
consistent time settings. NTP can be set up to synchronize to a private master clock, or it
can synchronize to a publicly available NTP server on the internet. NTP uses UDP port
123 and is documented in RFC 1305.

NTP
NTP Operation
NTP networks use a hierarchical system of time sources. Each level in this hierarchical system is called a stratum. The stratum level is defined as the number of hop counts from the authoritative source. The synchronized time is distributed across the network by using NTP.

The max hop count is 15. Stratum 16, the lowest stratum level, indicates that a device is unsynchronized.

NTP
NTP Operation (Cont.)
• Stratum 0: These authoritative time sources are high-precision timekeeping devices
assumed to be accurate and with little or no delay associated with them.
• Stratum 1: Devices that are directly connected to the authoritative time sources. They
act as the primary network time standard.
• Stratum 2 and Lower: Stratum 2 servers are connected to stratum 1 devices through
network connections. Stratum 2 devices, such as NTP clients, synchronize their time
by using the NTP packets from stratum 1 servers. They could also act as servers for
stratum 3 devices.

Time servers on the same stratum level can be configured to act as a peer with other time
servers on the same stratum level for backup or verification of time.

NTP
Configure and Verify NTP
• Before NTP is configured on the network, the show clock command displays the
current time on the software clock. With the detail option, notice that the time source
is user configuration. That means the time was manually configured with
the clock command.
• The ntp server ip-address command is issued in global configuration mode to
configure 209.165.200.225 as the NTP server for R1. To verify the time source is set
to NTP, use the show clock detail command. Notice that now the time source is NTP.
R1# show clock detail
20:55:10.207 UTC Fri Nov 15 2019
Time source is user configuration
R1# config t
R1(config)# ntp server 209.165.200.225
R1(config)# end
R1# show clock detail
21:01:34.563 UTC Fri Nov 15 2019
Time source is NTP
NTP
Configure and Verify NTP (Cont.)
The show ntp associations and show ntp status commands are used to verify that R1 is
synchronized with the NTP server at 209.165.200.225. Notice that R1 is synchronized with a
stratum 1 NTP server at 209.165.200.225, which is synchronized with a GPS clock. The show
ntp status command displays that R1 is now a stratum 2 device that is synchronized with the
NTP server at 209.165.200.225.
R1# show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~209.165.200.225 .GPS.            1     61     64   377  0.481   7.480  4.261
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

R1# show ntp status
Clock is synchronized, stratum 2, reference is 209.165.200.225
nominal freq is 250.0000 Hz, actual freq is 249.9995 Hz, precision is 2**19
(output omitted)

NTP
Configure and Verify NTP (Cont.)
• The clock on S1 is configured to synchronize to R1 with the ntp server command and
the configuration is verified with the show ntp associations command.
• Output from the show ntp associations command verifies that the clock on S1 is
now synchronized with R1 at 192.168.1.1 via NTP. R1 is a stratum 2 device, making
S1 a stratum 3 device that can provide NTP service to other devices in the network.

S1(config)# ntp server 192.168.1.1
S1(config)# end
S1# show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.1.1     209.165.200.225  2     12     64   377  1.066  13.616  3.840
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
(output omitted)

S1# show ntp status
Clock is synchronized, stratum 3, reference is 192.168.1.1
nominal freq is 119.2092 Hz, actual freq is 119.2088 Hz, precision is 2**17
(output omitted)

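The show ntp associations outputs from R1 and S1, parsed as an added Python example that is not part of the course material. It reads the system-peer flag, the octal reach register and the peer stratum, derives the local stratum (one below the system peer, 16 when there is none or the peer is already at 15), and decides whether the clock is usable for ordering events across devices. The two outputs are reproduced from the slides; the third association line, the parser and the check thresholds are constructed for this example.

```python
import re

# Reproduced from the slides: associations on R1 (stratum 1 GPS peer) and S1 (peer is R1).
R1_ASSOCIATIONS = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~209.165.200.225 .GPS.            1     61     64   377  0.481   7.480  4.261
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""
S1_ASSOCIATIONS = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.1.1     209.165.200.225  2     12     64   377  1.066  13.616  3.840
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""
# Constructed for this example: a peer that is itself at the maximum usable stratum.
STRATUM15_ASSOCIATIONS = """\
*~10.0.0.1        10.0.0.2        15      5     64    17  0.100   0.200  0.300
"""

UNSYNCHRONIZED = 16   # stratum 16 means "not synchronized"; the hop count may not exceed 15

_ASSOC = re.compile(
    r"^(?P<flags>[*#+\-x~ ]*)(?P<address>\d+\.\d+\.\d+\.\d+)\s+(?P<refclock>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<disp>-?[\d.]+)\s*$")


def parse_associations(text):
    """Return one dict per peer row; the header and legend lines do not match the pattern."""
    peers = []
    for line in text.splitlines():
        m = _ASSOC.match(line)
        if not m:
            continue
        flags = m.group("flags").replace(" ", "")
        peers.append({
            "address": m.group("address"),
            "refclock": m.group("refclock"),
            "stratum": int(m.group("st")),
            "reach": int(m.group("reach"), 8),      # reach is printed in octal
            "delay": float(m.group("delay")),
            "offset": float(m.group("offset")),     # milliseconds in IOS output
            "dispersion": float(m.group("disp")),
            "is_sys_peer": "*" in flags,            # '*' marks the selected system peer
            "configured": "~" in flags,
            "falseticker": "x" in flags,
        })
    return peers


def reach_success_count(reach):
    """How many of the last eight polls were answered (reach is an 8-bit shift register)."""
    return bin(reach & 0xFF).count("1")


def local_stratum(peers):
    """A device sits one stratum below its system peer; no peer, or a peer at 15, gives 16."""
    for peer in peers:
        if peer["is_sys_peer"]:
            return min(peer["stratum"] + 1, UNSYNCHRONIZED)
    return UNSYNCHRONIZED


def check_sync(peers, max_offset_ms=128.0, min_reach_successes=4):
    """Summarize whether the local clock is trustworthy enough for log correlation."""
    stratum = local_stratum(peers)
    sys_peer = next((p for p in peers if p["is_sys_peer"]), None)
    ok = (sys_peer is not None and stratum < UNSYNCHRONIZED
          and not sys_peer["falseticker"]
          and abs(sys_peer["offset"]) <= max_offset_ms
          and reach_success_count(sys_peer["reach"]) >= min_reach_successes)
    return {"synchronized": ok, "stratum": stratum,
            "peer": sys_peer["address"] if sys_peer else None}
```

R1's single row yields local stratum 2 and S1's yields stratum 3, matching the show ntp status lines on the slides; the constructed stratum 15 peer shows the boundary case, where the next hop would be stratum 16 and the device is reported as unsynchronized.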
NTP
Packet Tracer - Configure and Verify NTP
In this Packet Tracer, you will configure NTP on R1 and R2 to allow time
synchronization.

10.4 SNMP

SNMP
Introduction to SNMP
SNMP was developed to allow administrators to manage nodes on an IP network. It
enables network administrators to monitor and manage network performance, find and
solve network problems, and plan for network growth.

SNMP is an application layer protocol that provides a message format for communication
between managers and agents. The SNMP system consists of three elements:
• SNMP manager
• SNMP agents (managed node)
• Management Information Base (MIB)

SNMP defines how management information is exchanged between network management applications and management agents. The SNMP manager polls the agents and queries the MIB for SNMP agents on UDP port 161. SNMP agents send any SNMP traps to the SNMP manager on UDP port 162.
SNMP
Introduction to SNMP (Cont.)
• The SNMP manager is part of a network
management system (NMS). The SNMP
manager can collect information from an
SNMP agent by using the “get” action and
can change configurations on an agent by
using the “set” action. SNMP agents can
forward information directly to a network
manager by using “traps”.
• The SNMP agent and MIB reside on SNMP
client devices. MIBs store data about the
device and operational statistics and are
meant to be available to authenticated
remote users. The SNMP agent is
responsible for providing access to the
local MIB.

SNMP
SNMP Operation
• SNMP agents that reside on managed devices collect and store information about the
device and its operation locally in the MIB. The SNMP manager then uses the SNMP
agent to access information within the MIB.
• There are two primary SNMP manager requests, get and set. In addition to
configuration, a set can cause an action to occur, like restarting a router.
Operation          Description
get-request        Retrieves a value from a specific variable.
get-next-request   Retrieves a value from a variable within a table; the SNMP manager does not
                   need to know the exact variable name. A sequential search is performed to
                   find the needed variable from within a table.
get-bulk-request   Retrieves large blocks of data, such as multiple rows in a table, that would
                   otherwise require the transmission of many small blocks of data. (Only works
                   with SNMPv2 or later.)
get-response       Replies to a get-request, get-next-request, and set-request sent by an NMS.
set-request        Stores a value in a specific variable.

SNMP
SNMP Operation (Cont.)
The SNMP agent responds to SNMP manager requests as follows:
• Get an MIB variable - The SNMP agent performs this function in response to a
GetRequest-PDU from the network manager. The agent retrieves the value of the
requested MIB variable and responds to the network manager with that value.
• Set an MIB variable - The SNMP agent performs this function in response to a
SetRequest-PDU from the network manager. The SNMP agent changes the value of
the MIB variable to the value specified by the network manager. An SNMP agent reply
to a set request includes the new settings in the device.

SNMP
SNMP Agent Traps
• Traps are unsolicited messages alerting the SNMP manager to a condition or event
on the network. Trap-directed notifications reduce network and agent resources by
eliminating the need for some of SNMP polling requests.
• The figure illustrates the use of an SNMP trap to alert the network administrator that
interface G0/0/0 has failed. The NMS software can send the network administrator a
text message, pop up a window on the NMS software, or turn the router icon red in
the NMS GUI.

SNMP
SNMP Versions
• SNMPv1 - Legacy standard defined in RFC 1157. Uses a simple community-string
based authentication method. Should not be used due to security risks.
• SNMPv2c - Defined in RFCs 1901-1908. Uses the same plaintext community-string
authentication as SNMPv1. Adds bulk retrieval (get-bulk-request) and more detailed
error messages, but still provides no confidentiality or integrity protection.
• SNMPv3 - Defined in RFCs 3410-3415. Uses username-based authentication, with
HMAC-MD5 or HMAC-SHA for message integrity and DES, 3DES, or AES for encryption.
It offers three security levels: noAuthNoPriv, authNoPriv, and authPriv; only authPriv
protects both the credentials and the MIB data on the wire. MD5 and DES are weak by
today's standards, so SHA with AES should be chosen where the device supports it.

SNMP
Community Strings
SNMPv1 and SNMPv2c use community strings that control access to the MIB.
Community strings are plaintext passwords: they are carried unencrypted in every SNMP
message, so anyone who can capture the traffic can read them. SNMP community strings
authenticate access to MIB objects.

There are two types of community strings:
• Read-only (ro) - This type provides access to the MIB variables, but does not allow these
variables to be changed, only read. Because security is minimal in version 2c, many organizations
use SNMPv2c in read-only mode. Read-only access still exposes interface tables, ARP caches
and routing information to anyone who knows the string, so restrict the hosts that may use it
with an access list (snmp-server community string ro acl-name) and never leave default strings
such as public in place.
• Read-write (rw) - This type provides read and write access to all objects in the MIB. A leaked
rw string is equivalent to a leaked administrative login, because it can change the device
configuration.

To view or set MIB variables, the user must specify the appropriate community string for
read or write access.

SNMP
MIB Object ID
The MIB organizes variables hierarchically. Formally, the MIB defines each variable as an
object ID (OID). OIDs uniquely identify managed objects. The MIB organizes the OIDs
based on RFC standards into a hierarchy of OIDs, usually shown as a tree.
• The MIB tree for any given device includes some branches with variables common to
many networking devices and some branches with variables specific to that device or
vendor.
• RFCs define some common public variables. Most devices implement these MIB
variables. In addition, networking equipment vendors, like Cisco, can define their own
private branches of the tree to accommodate new variables specific to their devices.

SNMP
MIB Object ID (Cont.)
The figure shows portions of the MIB structure defined by Cisco. Note how the OID can be
described in words or numbers to help locate a particular variable in the tree.

OIDs belonging to Cisco are numbered as follows: .iso (1).org (3).dod (6).internet
(1).private (4).enterprises (1).cisco (9).

Therefore, the OID is 1.3.6.1.4.1.9.

SNMP
SNMP Polling Scenario
• One use of SNMP is to observe CPU utilization over a period of time by polling
devices. CPU statistics can then be compiled on the NMS and graphed. This creates
a baseline for the network administrator.
• The data is retrieved via the snmpget utility, issued on the NMS. Using the snmpget
utility, you can manually retrieve real-time data, or have the NMS run a report. The
report covers a period of time, and the data from that period can be averaged to
establish the baseline.

SNMP
SNMP Object Navigator
The snmpget utility gives some insight into the basic mechanics of how SNMP works.
However, working with long MIB variable names like 1.3.6.1.4.1.9.2.1.58.0 can be
problematic for the average user. More commonly, the network operations staff uses a
network management product with an easy-to-use GUI, which makes the entire MIB data
variable naming transparent to the user.

The Cisco SNMP Object Navigator on the http://www.cisco.com website allows a network
administrator to research details about a particular OID.
SNMP
Lab - Research Network Monitoring Software
In this lab, you will complete the following objectives:
• Part 1: Survey Your Understanding of Network Monitoring
• Part 2: Research Network Monitoring Tools
• Part 3: Select a Network Monitoring Tool

10.5 Syslog

Syslog
Introduction to Syslog
Syslog uses UDP port 514 to send event notification messages across IP networks to
event message collectors, as shown in the figure. Syslog over UDP has no authentication,
integrity check or encryption: a host on the path can read, drop or forge messages, so the
logging path and the collector should be confined to a protected management network, and
the collector treated as a sensitive system.

The syslog logging service provides three primary functions, as follows:
• The ability to gather logging information for monitoring and troubleshooting
• The ability to select the type of logging information that is captured
• The ability to specify the destinations of captured syslog messages

Syslog
Syslog Operation
The syslog protocol starts by sending system messages and debug output to a local
logging process. Syslog configuration may send these messages across the network to an
external syslog server, where they can be retrieved without needing to access the actual
device.
Alternatively, syslog messages may be sent to an internal buffer. Messages sent to the
internal buffer are only viewable through the CLI of the device.
The network administrator may specify that only certain types of system messages be sent
to various destinations. Popular destinations for syslog messages include the following:
• Logging buffer (RAM inside a router or switch)
• Console line
• Terminal line
• Syslog server

Syslog
Syslog Message Format

Cisco devices produce syslog messages as a result of network events. Every syslog
message contains a severity level and a facility.

The smaller numerical levels are the more critical syslog alarms. The severity level of the
messages can be set to control where each type of message is displayed (i.e. on the
console or the other destinations). The complete list of syslog levels is shown in the table.

Severity Name    Severity Level   Explanation
Emergency        Level 0          System Unusable
Alert            Level 1          Immediate Action Needed
Critical         Level 2          Critical Condition
Error            Level 3          Error Condition
Warning          Level 4          Warning Condition
Notification     Level 5          Normal, but Significant Condition
Informational    Level 6          Informational Message
Debugging        Level 7          Debugging Message
Syslog
Syslog Facilities
In addition to specifying the severity, syslog messages also contain information on the
facility. Syslog facilities are service identifiers that identify and categorize system state
data for error and event message reporting. The logging facility options that are available
are specific to the networking device.

Some common syslog message facilities reported on Cisco IOS routers include:
• IP
• OSPF protocol
• SYS operating system
• IP security (IPsec)
• Interface IP (IF)

Syslog
Syslog Facilities (Cont.)
By default, the format of syslog messages on the Cisco IOS Software is as follows:
%facility-severity-MNEMONIC: description

For example, sample output on a Cisco switch for an EtherChannel link changing state to
up is:
%LINK-3-UPDOWN: Interface Port-channel1, changed state to up

Here the facility is LINK and the severity level is 3, with a MNEMONIC of UPDOWN.

Syslog
Configure Syslog Timestamp
By default, log messages are not timestamped. Log messages should be timestamped so
that when they are sent to another destination, such as a Syslog server, there is a record of
when the message was generated. Use the command service timestamps log
datetime to force logged events to display the date and time (add the msec keyword for
millisecond resolution). A timestamp is only as trustworthy as the device clock: IOS prefixes
the timestamp with an asterisk (*) when the clock is not authoritative, as in the output
below, which is why NTP should be configured before logging is relied on.
R1# configure terminal
R1(config)# interface g0/0/0
R1(config-if)# shutdown
%LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
R1(config-if)# exit
R1(config)# service timestamps log datetime
R1(config)# interface g0/0/0
R1(config-if)# no shutdown
*Mar 1 11:52:42: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down
*Mar 1 11:52:45: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
*Mar 1 11:52:46: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0,
changed state to up
R1(config-if)#

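As an added example that is not part of the original module, the Python below parses messages in the %facility-severity-MNEMONIC: description format shown on the previous pages, with or without the service timestamps prefix, and then runs two simple checks over them: a severity filter equivalent to what logging trap does on the device, and a count of failed logins per source address together with a list of configuration changes. It also records whether IOS flagged the timestamp with * or ., which marks a clock that is not NTP-authoritative. The log lines are constructed for the example: the first three are the ones from the timestamp example above, and the SEC_LOGIN-4-LOGIN_FAILED and SYS-5-CONFIG_I lines are typical IOS messages but were not captured from a real device.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

# Optional sequence number, optional timestamp (with the "*" or "." prefix IOS adds when the
# clock is not authoritative), then %FACILITY-SEVERITY-MNEMONIC: description.
SYSLOG_RE = re.compile(r"""
    ^\s*(?:(?P<seq>\d+):\s+)?
    (?:(?P<ts>[*.]?[A-Za-z]{3}\s+\d{1,2}\s+(?:\d{4}\s+)?\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:\s+[A-Za-z]+)?):\s+)?
    %(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*
    (?P<description>.*)$
""", re.VERBOSE)
SOURCE_RE = re.compile(r"\[Source:\s*([^\]]+)\]")


@dataclass
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    description: str
    timestamp: Optional[str]             # None when service timestamps is not configured
    clock_authoritative: Optional[bool]  # False when the timestamp carried a "*" or "." prefix


def parse_ios_syslog(line: str) -> Optional[SyslogMessage]:
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = m.group("ts")
    return SyslogMessage(
        facility=m.group("facility"),
        severity=int(m.group("severity")),
        mnemonic=m.group("mnemonic"),
        description=m.group("description").strip(),
        timestamp=ts.lstrip("*.") if ts else None,
        clock_authoritative=None if ts is None else not ts.startswith(("*", ".")),
    )


def severity_name(level: int) -> str:
    return SEVERITY_NAMES[level]


def filter_messages(lines, max_level: int = 4) -> List[SyslogMessage]:
    """Keep messages at severity <= max_level (lower is more severe); logging trap warnings does the same on the device."""
    return [m for m in map(parse_ios_syslog, lines) if m and m.severity <= max_level]


def failed_logins_by_source(lines) -> Dict[str, int]:
    """Count SEC_LOGIN-4-LOGIN_FAILED messages per source address."""
    counts: Counter = Counter()
    for m in map(parse_ios_syslog, lines):
        if m and m.facility == "SEC_LOGIN" and m.mnemonic == "LOGIN_FAILED":
            src = SOURCE_RE.search(m.description)
            counts[src.group(1) if src else "unknown"] += 1
    return dict(counts)


def config_changes(lines) -> List[SyslogMessage]:
    """SYS-5-CONFIG_I is logged whenever someone enters and leaves configuration mode."""
    return [m for m in map(parse_ios_syslog, lines) if m and (m.facility, m.mnemonic) == ("SYS", "CONFIG_I")]


# Constructed sample log (see the lead-in): not captured from a real device.
SAMPLE_LOG = """\
%LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down
*Mar 1 11:52:45: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
*Mar 1 11:52:46: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up
Jan 14 09:03:11.512 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.10.99] [localport: 22] [Reason: Login Authentication Failed] at 09:03:11 UTC Tue Jan 14 2020
Jan 14 09:03:14.008 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.10.99] [localport: 22] [Reason: Login Authentication Failed] at 09:03:14 UTC Tue Jan 14 2020
Jan 14 09:05:30.300 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.10.99)
this line is not a syslog message
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for m in filter_messages(lines, max_level=4):
        flag = " (clock not trusted)" if m.clock_authoritative is False else ""
        print(f"{severity_name(m.severity):>13} {m.facility}-{m.mnemonic}{flag}: {m.description}")
    print("failed logins:", failed_logins_by_source(lines))
    print("config changes:", len(config_changes(lines)))
```

Messages without a timestamp, or with a starred one, cannot be ordered reliably against events recorded by other devices; a collector should treat the clock_authoritative flag as part of the evidence, not just the message text.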
10.6 Router and Switch File
Maintenance

Router and Switch File Maintenance
Router File Systems
The Cisco IOS File System (IFS) allows the administrator to navigate to different directories
and list the files in a directory. The administrator can also create subdirectories in flash
memory or on a disk. The directories available depend on the device.

The example displays the output of the show file systems command, which lists all of the
available file systems on a Cisco 4221 router. The asterisk indicates the current default file
system. The pound sign (#) indicates a bootable disk. Both of these are assigned to the flash
file system by default.
Router and Switch File Maintenance
Router File Systems (Cont.)

Because flash is the default file system, the dir command lists the contents of flash. Of
specific interest is the last listing. This is the name of the current Cisco IOS file image that
is running in RAM.
Router and Switch File Maintenance
Router File Systems (Cont.)
To view the contents of NVRAM, you must change the current default file system by using
the cd (change directory) command, as shown in the example.

The present working directory command is pwd. This command verifies that we are viewing
the NVRAM directory. Finally, the dir command lists the contents of NVRAM. Although there
are several configuration files listed, of specific interest is the startup-configuration file.
Router and Switch File Maintenance
Switch File Systems
With the Cisco 2960 switch flash file system, you can copy configuration files, and archive
(upload and download) software images.

The command to view the file systems on a Catalyst switch is the same as on a Cisco
router: show file systems.
Router and Switch File Maintenance
Use a Text File to Back Up a Configuration
Configuration files can be saved to
a text file by using Tera Term:
Step 1. On the File menu, click Log.
Step 2. Choose the location to save the
file. Tera Term will begin capturing text.
Step 3. After capture has been started,
execute the show running-
config or show startup-
config command at the privileged
EXEC prompt. Text displayed in the
terminal window will be directed to the
chosen file.
Step 4. When the capture is complete,
select Close in the Tera Term: Log
window.
Step 5. View the file to verify that it was
not corrupted. The file is a complete copy
of the device configuration, including
password hashes, SNMP community strings
and keys, so store it with the same care as
the device credentials themselves.

Router and Switch File Maintenance
Use a Text File to Restore a Configuration
A configuration can be copied from a file and then directly pasted to a device. The file will
require editing first: remove non-command text such as --More-- prompts, the Building
configuration... banner and any IOS messages, and check that password lines are in a form
the device will accept (IOS re-reads enable secret 5 hash and password 7 string lines exactly
as they appear in a saved configuration; if in doubt, replace them with the plaintext
password so that it is hashed again on entry).

In addition, you may want to add enable and configure terminal to the beginning of the file
or enter global configuration mode before pasting the configuration. Note that pasting
merges commands into the running configuration; it does not remove commands that are
already there. Instead of copying and pasting, a configuration can be restored from a text
file by using Tera Term. When using Tera Term, the steps are as follows:
Step 1. On the File menu, click Send file.
Step 2. Locate the file to be copied into the device and click Open.
Step 3. Tera Term will paste the file into the device.

The text in the file will be applied as commands in the CLI and become the running
configuration on the device.

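The clean-up described above can be scripted. The following is an added example, not part of the original module and not a Cisco tool: it strips the prompt lines, the Building configuration and Current configuration banners, the --More-- pager residue (including the backspace characters a terminal log records when the pager erases its prompt) and any syslog messages that arrived during the capture, wraps the result with the commands needed to reach global configuration mode, and lists the lines that carry credentials so that the file is handled as a secret. The sample capture is constructed for the example; the enable secret hash and the community string in it are placeholders.

```python
import re
from typing import List

MORE_RE = re.compile(r" ?--More-- ?[\x08 ]*")        # the pager prompt and the backspaces/spaces that erase it
PROMPT_RE = re.compile(r"^\S+[#>](\s|$)")            # R1#, R1# show running-config, R1(config)#
BANNER_RE = re.compile(r"^(Building configuration\.\.\.|Current configuration\s*:|"
                       r"Using \d+ out of \d+ bytes|Load for |Time source is )")
SYSLOG_RE = re.compile(r"^(?:[*.]?[A-Za-z]{3}\s+\d+\s+[\d:.]+(?:\s+[A-Za-z]+)?:\s+)?"
                       r"%[A-Z0-9_]+-[0-7]-[A-Z0-9_]+:")
SECRET_RE = re.compile(r"\b(secret|password|community|key)\b", re.IGNORECASE)


def sanitize_capture(text: str) -> List[str]:
    """Reduce a terminal capture of show running-config / show startup-config to config lines only."""
    lines = []
    for raw in text.splitlines():
        line = MORE_RE.sub("", raw).rstrip()   # rstrip only: leading spaces mark sub-mode commands
        if not line or PROMPT_RE.match(line) or BANNER_RE.match(line) or SYSLOG_RE.match(line):
            continue
        lines.append(line)
    return lines


def wrap_for_paste(config_lines: List[str]) -> List[str]:
    """Prefix the commands needed to reach global configuration mode and make sure the paste ends with end."""
    body = list(config_lines)
    if not body or body[-1] != "end":
        body.append("end")
    return ["enable", "configure terminal", *body]


def secrets_in(config_lines: List[str]) -> List[str]:
    """Lines that make the backup file itself a credential store."""
    return [line for line in config_lines if SECRET_RE.search(line)]


# Constructed sample: a Tera Term log of show running-config on R1, with the --More--
# prompt residue, a syslog message that arrived during the capture, and the prompts.
ERASE = "\b" * 10 + " " * 10 + "\b" * 10
SAMPLE_CAPTURE = (
    "R1# show running-config\r\n"
    "Building configuration...\r\n"
    "\r\n"
    "Current configuration : 1450 bytes\r\n"
    "!\r\n"
    "version 16.9\r\n"
    "hostname R1\r\n"
    "!\r\n"
    "enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0\r\n"
    " --More-- " + ERASE + "snmp-server community public RO\r\n"
    "interface GigabitEthernet0/0/0\r\n"
    " ip address 192.168.10.1 255.255.255.0\r\n"
    "%SYS-5-CONFIG_I: Configured from console by console\r\n"
    " no shutdown\r\n"
    "!\r\n"
    "end\r\n"
    "R1#\r\n"
)

if __name__ == "__main__":
    cfg = sanitize_capture(SAMPLE_CAPTURE)
    print("\n".join(wrap_for_paste(cfg)))
    print("\ncontains credentials, protect the file:", secrets_in(cfg))
```

Keeping the leading space on sub-mode lines matters: without it, ip address would be rejected at the global prompt instead of being applied to the interface.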
Router and Switch File Maintenance
Using TFTP to Back Up and Restore a Configuration
Follow these steps to back up the running configuration to a TFTP server:
Step 1. Enter the copy running-config tftp command.
Step 2. Enter the IP address of the host where the configuration file will be stored.
Step 3. Enter the name to assign to the configuration file.
Step 4. Press Enter to confirm each choice.

Use the following steps to restore the running configuration from a TFTP server:
Step 1. Enter the copy tftp running-config command.
Step 2. Enter the IP address of the host where the configuration file is stored.
Step 3. Enter the name of the configuration file to retrieve.
Step 4. Press Enter to confirm each choice.

TFTP has no authentication and no encryption: anyone who can reach the server on UDP port
69 can read or overwrite the files it serves, and the transfer itself is in cleartext. Run the
TFTP server only on a management network, and remove the configuration file from it as soon
as the copy has been verified. Note also that copy tftp running-config merges the file into the
running configuration; it does not replace it.
R1# copy running-config tftp
Remote host []?192.168.10.254
Name of the configuration file to write[R1-config]? R1-Jan-2019
Write file R1-Jan-2019 to 192.168.10.254? [confirm]
Writing R1-Jan-2019 !!!!!! [OK]

Router and Switch File Maintenance
USB Ports on a Cisco Router
The Universal Serial Bus (USB) storage feature enables certain models of Cisco routers
to support USB flash drives. The USB flash feature provides an optional secondary
storage capability and an additional boot device. The USB ports of a Cisco 4321 Router
are shown in the figure.

Use the dir command to view the contents of the USB flash drive.

Router and Switch File Maintenance
Using USB to Back Up and Restore a Configuration
• Issue the show file systems command to verify that the USB drive is there and
confirm its name. For this example, the USB file system is named usbflash0:.
• Use the copy run usbflash0:/ command to copy the configuration file to the USB flash
drive. Be sure to use the name of the flash drive, as indicated in the file system. The
slash is optional but indicates the root directory of the USB flash drive.
• The IOS will prompt for the filename. If the file already exists on the USB flash drive,
the router will prompt to overwrite.
R1# copy running-config usbflash0:
Destination filename [running-config]? R1-Config
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
5024 bytes copied in 1.796 secs (2797 bytes/sec)
R1#
Router and Switch File Maintenance
Using USB to Back Up and Restore a Configuration (Cont.)
Use the dir command to see the file on the USB drive and use the more command to see
the contents.

To restore a configuration from a USB flash drive, it will be necessary to edit the USB
R1-Config file with a text editor. Assuming the file name is R1-Config, use the command
copy usbflash0:/R1-Config running-config to restore a running configuration.
Router and Switch File Maintenance
Password Recovery Procedures
Passwords on devices are used to prevent unauthorized access. For encrypted
passwords, such as the enable secret passwords, the stored hash cannot be recovered, so
the passwords must be replaced after recovery. Depending on the device, the detailed
procedure for password recovery varies. However, all the password recovery procedures
follow the same principle:
Step 1. Enter the ROMMON mode.
Step 2. Change the configuration register.
Step 3. Copy the startup-config to the running-config.
Step 4. Change the password.
Step 5. Save the running-config as the new startup-config.
Step 6. Reload the device.

Because the procedure needs nothing more than console access and a power cycle, anyone
with physical access to a device can obtain full administrative control of it; the control
against this is physical security of the equipment. On routers that support it, no service
password-recovery disables the procedure, at the cost that the only recovery path left is a
reset to factory defaults.

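As an added example, not from the module or from Cisco, the Python below decodes a configuration register value into its documented bits, parses the last line of show version ("Configuration register is 0x2142 (will be 0x2102 at next reload)") and implements the check that matters at step 5: the value that applies at the next reload must not have the ignore-NVRAM bit set, otherwise the device boots without its configuration again. The bit meanings are taken from Cisco's configuration register documentation; the boot-field descriptions are generalised across router models and should be confirmed for the specific platform.

```python
import re
from typing import Dict, Tuple

# Documented configuration-register bits for Cisco IOS routers; the low four bits are the boot field.
CONFREG_FLAGS: Dict[int, str] = {
    0x0040: "ignore NVRAM contents: startup-config is not loaded at boot",
    0x0080: "OEM bit enabled",
    0x0100: "Break disabled",
    0x0400: "IP broadcast with all zeros",
    0x2000: "boot default ROM software if network boot fails",
    0x4000: "IP broadcasts do not have net numbers",
    0x8000: "enable diagnostic messages and ignore NVRAM contents",
}
SHOW_VERSION_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")


def decode_confreg(value: int) -> dict:
    boot = value & 0xF
    if boot == 0:
        boot_desc = "stay in ROMMON"
    elif boot == 1:
        boot_desc = "boot the first image in flash, ignoring boot system commands"
    else:
        boot_desc = "honour boot system commands, else the first valid image in flash"
    return {
        "boot_field": boot,
        "boot": boot_desc,
        "ignore_startup_config": bool(value & 0x0040 or value & 0x8000),
        "break_disabled": bool(value & 0x0100),
        "flags": [desc for bit, desc in sorted(CONFREG_FLAGS.items()) if value & bit],
    }


def parse_show_version(line: str) -> Tuple[int, int]:
    """Current and next-reload register values from the last line of show version."""
    m = SHOW_VERSION_RE.search(line)
    if not m:
        raise ValueError("no configuration register in line")
    current = int(m.group(1), 16)
    return current, int(m.group(2), 16) if m.group(2) else current


def ready_to_reload(at_next_reload: int) -> bool:
    """Step 5 check: the value that applies after the reload must load the startup-config again."""
    return not decode_confreg(at_next_reload)["ignore_startup_config"]


if __name__ == "__main__":
    for v in (0x2102, 0x2142):
        print(hex(v), decode_confreg(v))
    cur, nxt = parse_show_version("Configuration register is 0x2142 (will be 0x2102 at next reload)")
    print("safe to reload:", ready_to_reload(nxt))
```

Run show version after step 5 and feed its last line to parse_show_version: if the next-reload value still decodes with ignore_startup_config set, the config-register 0x2102 command was not saved and the reload in step 6 will repeat the password-less boot.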
Router and Switch File Maintenance
Password Recovery Example
Step 1. Enter the ROMMON mode. With console access, a user can access the
ROMMON mode by using a break sequence during the boot up process or removing the
external flash memory when the device is powered off.
When successful, the rommon 1 > prompt displays, as shown in the example.

Readonly ROMMON initialized
monitor: command "boot" aborted due to user interrupt
rommon 1 >
Router and Switch File Maintenance
Password Recovery Example (Cont.)
Step 2. Change the configuration register. The confreg 0x2142 command sets the
configuration register to 0x2142, which causes the device to ignore the startup-config file
during startup. The normal value is 0x2102; 0x2142 differs from it only in bit 6 (0x0040),
the "ignore NVRAM" bit.
After setting the configuration register to 0x2142, type reset at the prompt to restart the
device. Let this boot complete without interrupting it: the router decompresses and loads
the IOS, skips the saved configuration, and comes up at the Router> prompt with no
passwords set. The example shows the ROMMON commands and the beginning of the boot
output of a 1941 router.

rommon 1 > confreg 0x2142
rommon 2 > reset

System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2010 by cisco Systems, Inc.
(output omitted)
Router and Switch File Maintenance
Password Recovery Example (Cont.)
Step 3. Copy the startup-config to the running-config. After the device has finished
reloading, enter privileged EXEC mode with enable (no password is requested, because the
saved configuration was ignored) and issue the copy startup-config running-config
command. This merges the saved configuration into the running configuration; the
interfaces stay administratively down after the copy, so issue no shutdown on each
interface that should be up.
CAUTION: Do not enter copy running-config startup-config at this point. This command
overwrites your original startup configuration with the nearly empty running configuration.

Router# copy startup-config running-config
Destination filename [running-config]?
1450 bytes copied in 0.156 secs (9295 bytes/sec)
R1#
Router and Switch File Maintenance
Password Recovery Example (Cont.)
Step 4. Change the password. Because you are in privileged EXEC mode, you can now
configure all the necessary passwords.

Note: The password cisco is not a strong password and is used here only as an example

R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# enable secret cisco
Router and Switch File Maintenance
Password Recovery Example (Cont.)
Step 5. Save the running-config as the new startup-config. After the new passwords
are configured, change the configuration register back to 0x2102 by using the config-
register 0x2102 command in the global configuration mode. Save the running-config to
startup-config.

R1(config)# config-register 0x2102
R1(config)# end
R1# copy running-config startup-config
Destination filename [startup-config]?
Building configuration... [OK]
R1#
Router and Switch File Maintenance
Packet Tracer - Backup Configuration Files
In this activity, you will complete the following objectives:
• Part 1: Establish Connectivity to TFTP Server
• Part 2: Transfer the Configuration File from TFTP Server
• Part 3: Backup Configuration and IOS to TFTP Server

Router and Switch File Maintenance
Lab - Use Tera Term to Manage Router Configuration Files
In this lab, you will complete the following objectives:
• Part 1: Configure Basic Device Settings
• Part 2: Use Terminal Emulation Software to Create a Backup Configuration
File
• Part 3: Use a Backup Configuration File to Restore a Router

Router and Switch File Maintenance
Lab - Use TFTP, Flash, and USB to Manage Configuration
Files
In this lab, you will complete the following objectives:
• Part 1: Build the Network and Configure Basic Device Settings
• Part 2: (Optional) Download TFTP Server Software
• Part 3: Use TFTP to Back Up and Restore the Switch Running Configuration
• Part 4: Use TFTP to Back Up and Restore the Router Running Configuration
• Part 5: Back Up and Restore Running Configurations Using Router Flash Memory
• Part 6: (Optional) Use a USB Drive to Back Up and Restore the Running
Configuration

Router and Switch File Maintenance
Lab - Research Password Recovery Procedures
In this lab, you will complete the following objectives:
• Part 1: Research the Configuration Register
• Part 2: Document the Password Recovery Procedure for a Specific Cisco
Router

10.7 IOS Image
Management

IOS Image Management
Video - Managing Cisco IOS Images
This video will demonstrate the process of upgrading the IOS on a Cisco router.

IOS Image Management
TFTP Servers as a Backup Location
As a network grows, Cisco IOS Software images and configuration files can be stored on
a central TFTP server. This helps to control the number of IOS images and the revisions
to those IOS images, as well as the configuration files that must be maintained.

Production internetworks usually span wide areas and contain multiple routers. For any
network, it is good practice to keep a backup copy of the Cisco IOS Software image in
case the system image on the router becomes corrupted or accidentally erased.

Widely distributed routers need a source or backup location for Cisco IOS Software
images. Using a network TFTP server allows image and configuration uploads and
downloads over the network. The network TFTP server can be another router, a
workstation, or a host system.

IOS Image Management
Backup IOS Image to TFTP Server Example
To maintain network operations with minimum down time, it is necessary to have
procedures in place for backing up Cisco IOS images. This allows the network
administrator to quickly copy an image back to a router in case of a corrupted or erased
image. Use the following steps:
Step 1. Ping the TFTP server. Ping the TFTP server to test connectivity.
Step 2. Verify image size in flash. Verify that the TFTP server has sufficient disk space
to accommodate the Cisco IOS Software image. Use the show flash0: command on the
router to determine the size of the Cisco IOS image file.
Step 3. Copy the image to the TFTP server. Copy the image to the TFTP server by
using the copy source-url destination-url command. After issuing the command by using
the specified source and destination URLs, the user is prompted for the source file name,
IP address of the remote host, and destination file name. The transfer will then begin.

IOS Image Management
Copy an IOS Image to a Device Example
Step 1. Ping the TFTP server. Ping the TFTP server to test connectivity.
Step 2. Verify the amount of free flash. Ensure that there is sufficient flash space on the
device being upgraded by using the show flash: command. Compare the free flash space
with the new image file size.
Step 3. Copy the IOS image file from the TFTP server to the router by using the copy tftp:
flash: command. After issuing this command, the user will be prompted for the IP address of
the remote host, source file name, and destination file name.
Step 4. Verify the copied image before booting it. TFTP provides no integrity protection, so
run verify /md5 flash:filename on the router and compare the result with the checksum
published on the Cisco software download page; a mismatch indicates a corrupted or
tampered image that must not be booted.

R1# copy tftp: flash:
Address or name of remote host []? 2001:DB8:CAFE:100::99
Source filename []? isr4200-universalk9_ias.16.09.04.SPA.bin
Destination filename [isr4200-universalk9_ias.16.09.04.SPA.bin]?
Accessing tftp://2001:DB8:CAFE:100::99/isr4200-universalk9_ias.16.09.04.SPA.bin...
Loading isr4200-universalk9_ias.16.09.04.SPA.bin from 2001:DB8:CAFE:100::99 (via
GigabitEthernet0/0/0): !!!!!!!!!!!!!!!!!!!!
[OK - 517153193 bytes]
517153193 bytes copied in 868.128 secs (265652 bytes/sec)
IOS Image Management
The boot system Command
During startup, the bootstrap code parses the startup configuration file in NVRAM for the boot
system commands that specify the name and location of the Cisco IOS Software image to
load. Several boot system commands can be entered in sequence to provide a fault-tolerant
boot plan.

If there are no boot system commands in the configuration, the router defaults to loading the
first valid Cisco IOS image in flash memory and runs it.

To upgrade to the copied IOS image after that image is saved on the flash memory of the
router, configure the router to load the new image by using the boot system command. Save
the configuration. Reload the router to boot the router with new image.
R1# configure terminal
R1(config)# boot system flash0:isr4200-universalk9_ias.16.09.04.SPA.bin
R1(config)# exit
R1# copy running-config startup-config
R1# reload
IOS Image Management
Packet Tracer - Use a TFTP Server to Upgrade a Cisco IOS
Image
In this Packet Tracer, you will complete the following objectives:
• Part 1: Upgrade an IOS Image on a Cisco Device
• Part 2: Backup an IOS Image on a TFTP Server

10.8 Module Practice and Quiz

Module Practice and Quiz
Packet Tracer - Configure CDP, LLDP, and NTP
In this Packet Tracer activity, you will complete the following objectives:
• Build the Network and Configure Basic Device Settings

• Network Discovery with CDP

• Network Discovery with LLDP

• Configure and Verify NTP

Module Practice and Quiz
Lab- Configure CDP, LLDP, and NTP
In this lab, you will complete the following objectives:
• Build the Network and Configure Basic Device Settings

• Network Discovery with CDP

• Network Discovery with LLDP

• Configure and Verify NTP

Module Practice and Quiz
What Did I Learn In This Module?
• Cisco Discovery Protocol (CDP) is a Cisco proprietary Layer 2 protocol that is used to gather
information about Cisco devices which share the same data link.
• CDP can be used as a network discovery tool to determine the information about the neighboring
devices. This information gathered from CDP can help build a logical topology of a network when
documentation is missing or lacking in detail.
• On Cisco devices, CDP is enabled by default. To enable CDP globally for all the supported
interfaces on the device, enter cdp run in the global configuration mode. To enable CDP on a
specific interface, enter the cdp enable command. Because CDP advertises the platform, IOS
version and addresses of the device to every neighbor on the segment, disable it on interfaces
that face untrusted networks with no cdp enable.
• To verify the status of CDP and display a list of neighbors, use the show cdp neighbors command in
the privileged EXEC mode.
• Cisco devices also support Link Layer Discovery Protocol (LLDP), which is a vendor-neutral
neighbor discovery protocol similar to CDP.
• To enable LLDP globally on a Cisco network device, enter the lldp run command in the global
configuration mode.

Module Practice and Quiz
What Did I Learn In This Module? (Cont.)
• With LLDP enabled, device neighbors can be discovered by using the show lldp
neighbors command. When more details about the neighbors are needed, the show lldp neighbors
detail command can provide information, such as the neighbor IOS version, IP address, and device
capability.
• When the time is not synchronized between devices, it will be impossible to determine the order of
the events and the cause of an event.
• You can manually configure the date and time, or you can configure the NTP, which allows devices
on the network to synchronize their time settings with an NTP server.
• NTP networks use a hierarchical system of time sources and each level in this system is called a
stratum. Authoritative time sources, also referred to as stratum 0 devices, are high-precision
timekeeping devices. Stratum 1 devices are directly connected to the authoritative time sources.
Stratum 2 devices, such as NTP clients, synchronize their time by using the NTP packets from
stratum 1 servers.
• The ntp server ip-address command is issued in global configuration mode to make a device
synchronize its clock to the NTP server at that address; a device that is to act as the
authoritative time source for others is configured with the ntp master command.

Module Practice and Quiz
What Did I Learn In This Module? (Cont.)
• To verify the time source is set to NTP, use the show clock detail command. The show ntp
associations and show ntp status commands are used to verify that a device is synchronized with
the NTP server.
• SNMP is an application layer protocol that provides a message format for communication between
managers and agents.
• The SNMP system consists of three elements: SNMP manager, SNMP agents, and the MIB.
• The SNMP manager can collect information from an SNMP agent by using the “get” action and can
change configurations on an agent by using the “set” action. SNMP agents can forward information
directly to a network manager by using “traps”.
• SNMPv1, SNMPv2c, and SNMPv3 are all versions of SNMP. SNMPv1 is a legacy solution. Both
SNMPv1 and SNMPv2c use a community-based form of security. SNMPv3 provides for both security
models and security levels.
• The MIB organizes variables hierarchically. OIDs uniquely identify managed objects in the MIB
hierarchy. The Cisco SNMP Navigator on the http://www.cisco.com website allows a network
administrator to research details about a particular OID.
• The syslog protocol uses UDP port 514 to allow networking devices to send their system messages
across the network to syslog servers.
Module Practice and Quiz
What Did I Learn In This Module? (Cont.)
• The syslog logging service provides three primary functions: gather logging information for
monitoring and troubleshooting, select the type of logging information that is captured, and specify
the destinations of captured syslog messages.
• Destinations for syslog messages include the logging buffer (RAM inside a router or switch),
console line, terminal line, and syslog server.
• Syslog facilities identify and categorize system state data for error and event message reporting.
Common syslog message facilities reported on Cisco IOS routers include: IP, OSPF protocol, SYS
operating system, IPsec, and IF.
• The default format of syslog messages on Cisco IOS software is: %facility-severity-MNEMONIC:
description.
• Use the command service timestamps log datetime to force logged events to display the date and
time.
• The Cisco IFS lets the administrator navigate to different directories and list the files in a directory,
and to create subdirectories in flash memory or on a disk.
• Use the show file systems command to view the file systems on a Catalyst switch or a Cisco router.
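As an added example (not part of the original curriculum), a small Python parser for the default Cisco IOS syslog message format described above, run over a few constructed log lines. It also reads the timestamp prefix that service timestamps log datetime produces, so entries logged while the clock was not NTP-synchronized (leading "*") can be flagged, and it selects events by severity the way a syslog server would. The log lines, addresses, and sequence number are constructed, not real device output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default Cisco IOS message format: %facility-severity-MNEMONIC: description
# With "service timestamps log datetime [msec] [show-timezone]" a timestamp is
# prepended; with "service sequence-numbers" a sequence number comes first.
# A leading "*" on the timestamp means the clock was never authoritative
# (for example, no NTP sync yet); a leading "." means it lost NTP sync.
SYSLOG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?"
    r"\s+\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?(?:\s+[A-Za-z]+)?):\s*)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}


@dataclass
class SyslogEvent:
    seq: Optional[str]
    timestamp: Optional[str]
    clock_state: str        # authoritative | not-synchronized | sync-lost | unknown
    facility: str
    severity: int           # 0 (most severe) .. 7 (least severe)
    mnemonic: str
    description: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_syslog_line(line: str) -> Optional[SyslogEvent]:
    """Parse one IOS log line; return None for lines that do not match the format."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts = m.group("ts")
    if ts is None:
        clock_state = "unknown"            # no timestamps configured on the device
    elif ts.startswith("*"):
        clock_state = "not-synchronized"
    elif ts.startswith("."):
        clock_state = "sync-lost"
    else:
        clock_state = "authoritative"
    return SyslogEvent(
        seq=m.group("seq"),
        timestamp=ts.lstrip("*.") if ts else None,
        clock_state=clock_state,
        facility=m.group("facility"),
        severity=int(m.group("severity")),
        mnemonic=m.group("mnemonic"),
        description=m.group("description"),
    )


def parse_syslog(text: str) -> List[SyslogEvent]:
    """Parse a block of log output, skipping lines that are not syslog messages."""
    return [ev for ev in map(parse_syslog_line, text.splitlines()) if ev is not None]


def at_or_above(events: List[SyslogEvent], max_severity: int) -> List[SyslogEvent]:
    """Events at max_severity or more severe (a lower number is more severe)."""
    return [e for e in events if e.severity <= max_severity]


def count_by_facility(events: List[SyslogEvent]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in events:
        counts[e.facility] = counts.get(e.facility, 0) + 1
    return counts


def unreliable_time(events: List[SyslogEvent]) -> List[SyslogEvent]:
    """Events whose timestamp cannot be trusted for ordering across devices."""
    return [e for e in events if e.clock_state != "authoritative"]


# Constructed sample log (not real device output). The first line was logged
# before the clock was synchronized, as the leading "*" shows.
SAMPLE_LOG = """\
*Mar  1 00:01:02.123: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
Mar  1 00:01:05.456 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Mar  1 00:01:06.001 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Mar  1 00:02:00.900 UTC: %OSPF-5-ADJCHG: Process 10, Nbr 10.0.0.2 on GigabitEthernet0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
000123: Mar  1 00:03:00.000 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
--More--
"""

if __name__ == "__main__":
    events = parse_syslog(SAMPLE_LOG)
    for e in at_or_above(events, 4):          # warnings and worse
        print(f"{e.severity_name:>13} {e.facility}-{e.mnemonic}: {e.description}")
    print("per facility:", count_by_facility(events))
    for e in unreliable_time(events):
        print("clock", e.clock_state, "when logging", e.facility, e.mnemonic)
```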

Module Practice and Quiz
What Did I Learn In This Module? (Cont.)
• Configuration files can be saved to a text file by using Tera Term. A configuration can be copied
from a file and then directly pasted to a device.
• Configuration files can be stored on a TFTP server, or a USB drive.
• To save the running configuration or the startup configuration to a TFTP server, use either the copy
running-config tftp or copy startup-config tftp command.
• Cisco IOS Software images and configuration files can be stored on a central TFTP server to
control the number of IOS images and the revisions to those IOS images, as well as the
configuration files that must be maintained.
• Select a Cisco IOS image file that meets the requirements in terms of platform, features, and
software. Download the file from cisco.com and transfer it to the TFTP server.
• To upgrade to the copied IOS image after that image is saved on the router's flash memory,
configure the router to load the new image during bootup by using the boot system command.

Module 11: Network Design
Enterprise Networking, Security, and Automation v7.0 (ENSA)
Module Objectives
Module Title: Network Design

Module Objective: Explain the characteristics of scalable network architectures.

Topic Title: Topic Objective
Hierarchical Networks: Explain how data, voice, and video are converged in a switched network.
Scalable Networks: Explain considerations for designing a scalable network.
Switch Hardware: Explain how switch hardware features support network requirements.
Router Hardware: Describe the types of routers available for small- to medium-sized business networks.

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
11.1 Hierarchical Networks

Hierarchical Networks
Video - Three-Layer Network Design
This video will demonstrate a three-layer model in network design.

Hierarchical Networks
The Need to Scale the Network
Organizations increasingly rely on their network infrastructure to provide mission-critical
services.

Evolving organizations require networks that can scale and support:


• Converged network traffic
• Critical applications
• Diverse business needs
• Centralized administrative control

Campus network designs include small networks that use a single LAN switch, up to very
large networks with thousands of connections.

Hierarchical Networks
Borderless Switched Networks
The Cisco Borderless Network is a network architecture that can connect anyone,
anywhere, anytime, on any device; securely, reliably, and seamlessly.

• It provides the framework to unify wired and wireless access, built on a hierarchical infrastructure of hardware that is scalable and resilient.

• Borderless switched networks are hierarchical, modular, resilient, and flexible.

Hierarchical Networks
Hierarchy in the Borderless Switched Network
Hierarchical networks use a tiered design of access, distribution, and core layers with
each layer performing a well-defined role in the campus network.

There are two time-tested and proven hierarchical design frameworks for campus networks.

(Figure: Three-tier layer, Two-tier layer)

Hierarchical Networks
Access, Distribution, and Core Layer Functions
Access Layer
• The access layer provides network access to the user.
• Access layer switches connect to distribution layer switches.

Distribution Layer
• The distribution layer implements routing, quality of service, and security.
• It aggregates large-scale wiring closet networks and limits Layer 2 broadcast domains.
• Distribution layer switches connect to access layer and core layer switches.

Core Layer
• The core layer is the network backbone and connects several layers of the network.
• The core layer provides fault isolation and high-speed backbone connectivity.
Hierarchical Networks
Three-Tier and Two-Tier Examples
Three-tier Campus Network
• Used by organizations requiring access, distribution, and core
layers.
• The recommendation is to build an extended-star physical network
topology from a centralized building location to all other buildings on
the same campus.

Two-tier Campus Network


• Used when separate distribution and core layers are not required.
• Useful for smaller campus locations, or in campus sites consisting of
a single building.
• Also known as the collapsed core network design.

Hierarchical Networks
Role of Switched Networks
• Networks have fundamentally changed
from a flat network of hubs to switched
LANs in a hierarchical network.

• A switched LAN allows additional flexibility, traffic management, quality of service, and security.

• A switched LAN may also support wireless networking and other technologies such as IP telephony and mobility services.

11.2 Scalable Networks

Scalable Networks
Design for Scalability
Scalability is the term for a network that can grow without losing availability and reliability.

Network designers must develop strategies to enable the network to be available and to
scale effectively and easily.

This is accomplished using:


• Redundancy
• Multiple Links
• Scalable Routing protocol
• Wireless Connectivity

Scalable Networks
Plan for Redundancy
Redundancy can prevent disruption of network services by minimizing the possibility of a
single point of failure by:
• Installing duplicate equipment
• Providing failover services for critical devices

Redundant paths offer alternate physical paths for data to traverse the network, supporting high availability.
• However, redundant paths in an Ethernet
network may cause logical Layer 2 loops.
• Therefore, Spanning Tree Protocol (STP) is
required.

Scalable Networks
Reduce Failure Domain Size
A well-designed network controls traffic and limits the size of failure domains (i.e., the
area of a network that is impacted when the network experiences problems).
• In the hierarchical design model, failure domains are terminated at the distribution
layer.
• Every router functions as a gateway for a limited number of access layer users.

Routers, or multilayer switches, are usually deployed in pairs in a configuration referred to as a building, or departmental, switch block.
• Each switch block acts independently of the others.
• As a result, the failure of a single device does not cause the network to go down.

Scalable Networks
Increase Bandwidth
Link aggregation (e.g., EtherChannel) allows an administrator to increase the amount of
bandwidth between devices by creating one logical link made up of several physical links.
• EtherChannel combines existing switch ports
into one logical link using a Port Channel
interface.
• Most configuration tasks are done on the Port
Channel interface (instead of on each
individual port) to ensure configuration
consistency on the links.
• EtherChannel can load balance between
links.

Scalable Networks
Expand the Access Layer
An increasingly popular option for extending access layer connectivity is through wireless.
• Wireless LANs (WLANs) provide increased flexibility, reduced costs, and the ability to grow and adapt to changing network and business requirements.

• To communicate wirelessly, end devices require a wireless NIC to connect to a wireless router or a wireless access point (AP).

Considerations when implementing a wireless network include:
• Types of wireless devices connecting to the WLAN
• Wireless coverage requirements
• Interference considerations
• Security considerations

Scalable Networks
Tune Routing Protocols
Advanced routing protocols, such as Open Shortest Path First (OSPF), are used in large networks.
• OSPF is a link-state routing protocol that uses areas to support hierarchical networks.
• OSPF routers establish and maintain neighbor adjacencies with other connected OSPF routers.
• OSPF routers synchronize their link-state database.
• When a network change occurs, link-state updates are sent, informing other OSPF routers of the change and establishing a new best path, if one is available.

11.3 Switch Hardware

Switch Hardware
Switch Platforms
There is a variety of switch platforms, form factors, and other features that must be
considered before choosing a switch. When designing a network, it is important to select
the proper hardware to meet current network requirements, as well as to allow for network
growth. Within an enterprise network, both switches and routers play a critical role in
network communication.

Campus LAN switches, such as the Cisco 3850 series shown here, support high concentrations of user connections with speed and security appropriate for the enterprise network.

Switch Hardware
Switch Platforms (Cont.)
Cisco Meraki cloud-managed access
switches enable virtual stacking of switches.
They monitor and configure thousands of
switch ports over the web, without the
intervention of onsite IT staff.

The Cisco Nexus platform promotes infrastructure scalability, operational continuity, and transport flexibility in the data center.

Switch Hardware
Switch Platforms (Cont.)

Service provider Ethernet access switches feature application intelligence, unified services, virtualization, integrated security, and simplified management.

Cisco Nexus virtual networking switch platforms provide secure multi-tenant services by adding virtualization intelligence technology to the data center network.

Switch Hardware
Switch Form Factors
When selecting switches, network administrators must determine the switch form factors.
This includes fixed configuration, modular configuration, stackable, or non-stackable.

Features and options on fixed configuration switches are limited to those that originally come with the switch.

The chassis on modular switches accept field-replaceable line cards.

Switch Hardware
Switch Form Factors (Cont.)

Special cables are used to connect stackable switches, allowing them to effectively operate as one large switch.

The thickness of the switch, which is expressed in the number of rack units, is also important for switches that are mounted in a rack. For example, the fixed configuration switches shown in the figure are all one rack unit (1U), or 1.75 inches (44.45 mm), in height.

Switch Hardware
Port Density
The port density of a switch refers to the number of ports available on a single switch.

Fixed configuration switches support a variety of port density configurations. The Cisco Catalyst 3850 comes in 12-, 24-, and 48-port configurations.

Modular switches can support very high port densities through the addition of multiple switchport line cards. The modular Catalyst 9400 switch supports 384 switchport interfaces.
Switch Hardware
Forwarding Rates
Forwarding rates define the processing capabilities of a switch by rating how much data
the switch can process per second.
• Switch product lines are classified by forwarding rates.
• Entry-level switches have lower forwarding rates than enterprise-level switches.

If the switch forwarding rate is too low, it cannot accommodate full wire-speed communication across all of its switch ports.
• Wire speed is the data rate that each Ethernet port on the switch is capable of
attaining.
• Data rates can be 100 Mbps, 1 Gbps, 10 Gbps, or 100 Gbps.
• Access layer switches typically do not need to operate at full wire speed, because they
are physically limited by their uplinks to the distribution layer.

Switch Hardware
Power over Ethernet
Power over Ethernet (PoE) allows the switch to deliver power to a device (e.g., IP phone,
AP, camera) over the existing Ethernet cabling.

A network administrator should ensure that the PoE features are actually required for a
given installation, because switches that support PoE are expensive.

Switch Hardware
Multilayer Switching
Multilayer switches are typically deployed in the core and distribution layers of an
organization's switched network.
• They support some routing protocols and forward IP packets at a rate close to that of
Layer 2 forwarding.
• Multilayer switches often support specialized hardware, such as application-specific
integrated circuits (ASICs).
• ASICs along with dedicated software data structures can streamline the forwarding of
IP packets independent of the CPU.

Switch Hardware
Business Considerations for Switch Selection
Consideration: Description
Cost: The cost of a switch will depend on the number and speed of the interfaces, supported features, and expansion capability.
Port density: Network switches must support the appropriate number of devices on the network.
Power: It is now common to power access points, IP phones, and compact switches using Power over Ethernet (PoE). In addition to PoE considerations, some chassis-based switches support redundant power supplies.
Reliability: The switch should provide continuous access to the network.
Port speed: The speed of the network connection is of primary concern to end users.
Frame buffers: The ability of the switch to store frames is important in a network where there may be congested ports to servers or other areas of the network.
Scalability: The number of users on a network typically grows over time; therefore, the switch should provide the opportunity for growth.

11.4 Router Hardware

Router Hardware
Router Requirements
Routers use the network portion (prefix) of the destination IP address to route packets to
the proper destination.
• They select an alternate path if a link goes down.
• All hosts on a network specify the IP address of the local router interface as their
default gateway.

Routers also serve other beneficial functions as follows:

• They provide broadcast containment by limiting broadcasts to the local network.
• They interconnect geographically separated locations.
• They group users logically by application or department within a company, who have common needs or require access to the same resources.
• They provide enhanced security by filtering unwanted traffic through access control lists.

Router Hardware
Cisco Routers
Branch routers, shown in the figure, optimize branch services on a single platform while
delivering an optimal application experience across branch and WAN infrastructures.
Shown are the Cisco Integrated Services Router (ISR) 4000 Series Routers.

Router Hardware
Cisco Routers (Cont.)
Network edge routers, shown in the figure, enable the network edge to deliver high-
performance, highly secure, and reliable services that unite campus, data center, and
branch networks. Shown are the Cisco Aggregation Services Routers (ASR) 9000 Series
Routers.

Router Hardware
Cisco Routers (Cont.)
Service provider routers, shown in the figure, deliver end-to-end scalable solutions and
subscriber-aware services. Shown are the Cisco Network Convergence System (NCS)
6000 Series Routers.

Router Hardware
Cisco Routers (Cont.)
Industrial routers, such as the ones shown in the figure, are designed to provide
enterprise-class features in rugged and harsh environments. Shown are the Cisco 1100
Series Industrial Integrated Services Routers.

Router Hardware
Router Form Factors
Cisco 900 Series: This is a small branch office router. It combines WAN, switching,
security, and advanced connectivity options in a compact, fanless platform for small and
medium-sized businesses.

Router Hardware
Router Form Factors
Cisco ASR 9000 and 1000 Series Aggregation Services Routers: These routers
provide density and resiliency with programmability, for a scalable network edge.

Router Hardware
Router Form Factors
Cisco Network Convergence System 5500 Series Routers: These routers are designed to efficiently scale between large data centers and large enterprise networks, web, and service provider WAN and aggregation networks.

Router Hardware
Router Form Factors
Cisco 800 Industrial Integrated Services Router: This router is compact and designed
for harsh environments.

11.5 Module Practice and Quiz

Module Practice and Quiz
Packet Tracer - Compare Layer 2 and Layer 3 Devices
In this Packet Tracer activity, you will use various commands to examine three different
switching topologies and compare the similarities and differences between the 2960 and
3650 switches.

You will also compare the routing table of a 4321 router with that of a 3650 switch.

Module Practice and Quiz
What did I learn in this module?
• The Cisco Borderless Network provides the framework to unify wired and wireless access,
and is built on a hierarchical infrastructure of hardware that is scalable and resilient.
• Two proven hierarchical design frameworks for campus networks are the three-tier layer and
the two-tier layer models.
• The three critical layers within these tiered designs are the access, distribution, and core
layers.
• Implement redundant links between critical devices and between access layer and core layer
devices.
• Implement multiple links between equipment, with either link aggregation (EtherChannel) or
equal cost load balancing, to increase bandwidth.
• Use a scalable routing protocol and implement features to minimize the routing table size.
• Implement wireless connectivity to allow for mobility and expansion.

Module Practice and Quiz
What did I learn in this module? (Cont.)
• There are campus LAN, cloud-managed, data center, service provider, and virtual networking switches.
• Form factors for switches include fixed configuration, modular configuration, and stackable.
• Routers use the network portion (prefix) of the destination IP address to route packets to the proper destination.
• Routers select an alternate path if a link or path goes down.
• Cisco has several categories of routers including branch, network edge, service provider, and industrial.

Module 12: Network Troubleshooting
Enterprise Networking, Security, and Automation v7.0 (ENSA)
Module Objectives
Module Title: Network Troubleshooting

Module Objective: Troubleshoot enterprise networks.


Topic Title: Topic Objective
Network Documentation: Explain how network documentation is developed and used to troubleshoot network issues.
Troubleshooting Process: Compare troubleshooting methods that use a systematic, layered approach.
Troubleshooting Tools: Describe different networking troubleshooting tools.
Symptoms and Causes of Network Problems: Determine the symptoms and causes of network problems using a layered model.
Troubleshooting IP Connectivity: Troubleshoot a network using the layered model.

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
12.1 Network Documentation

Network Documentation
Documentation Overview
Accurate and complete network documentation is required to effectively monitor and
troubleshoot networks.

Common network documentation includes the following:


• Physical and logical network topology diagrams
• Network device documentation that records all pertinent device information
• Network performance baseline documentation

All network documentation should be kept in a single location and backup documentation
should be maintained and kept in a separate location.

Network Documentation
Network Topology Diagrams
There are two types of network topology diagrams: physical and logical.
(Figure: Physical Topology, Logical Topology)

Network Documentation
Network Device Documentation
Network device documentation should contain accurate, up-to-date records of the network hardware and software.

Documentation should include all pertinent information about the network devices.

(Figure: Router Device Documentation, Switch Device Documentation, End-System Documentation)

Network Documentation
Establish a Network Baseline
A network baseline is used to establish normal network performance to determine the
“personality” of a network under normal conditions. Establishing a network performance
baseline requires collecting performance data from the ports and devices that are
essential to network operation.

Baseline data does the following:

• Provides insight into whether the current network design can meet business requirements.
• Can reveal areas of congestion or areas in the network that are underutilized.

Network Documentation
Step 1 - Determine What Types of Data to Collect
When conducting the initial baseline, start by selecting a few variables that represent the
defined policies.

If too many data points are selected, the amount of data can be overwhelming, making
analysis of the collected data difficult.

Start out simply and fine-tune along the way.

Some good starting variables are interface utilization and CPU utilization.

Network Documentation
Step 2 - Identify Devices and Ports of Interest
A logical network topology can be useful in
identifying key devices and ports to monitor.
As shown in the sample topology, the
devices and ports of interest include:
• PC1 (the Admin terminal)
• Two servers (i.e., Srv1 and Svr2)
• Router interfaces
• Key ports on switches

Network Documentation
Step 3 - Determine the Baseline Duration
When capturing data for analysis, the period specified should be:
• At a minimum, seven days long.
• Last no more than six weeks, unless specific long-term trends need to be measured.
• Generally, a two-to-four-week baseline is adequate.

Conduct an annual analysis of the entire network, or baseline different sections of the
network on a rotating basis.

Analysis must be conducted regularly to understand how the network is affected by growth and other changes.
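As an added example (not from the curriculum), a small Python script that applies steps 1 to 3 above: it keeps the two suggested starting variables (interface utilization and CPU utilization) for a hypothetical router R1, checks that the capture window is at least seven days and no more than six weeks, and then compares later observations against the baseline mean and standard deviation so that unusual utilization stands out. All device names and sample values are constructed, not measured.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple

# Duration guidance from the curriculum: at least seven days, and no more than
# six weeks unless specific long-term trends need to be measured.
MIN_DAYS = 7
MAX_DAYS = 6 * 7


class Sample(NamedTuple):
    when: datetime
    device: str      # hypothetical device name, e.g. "R1"
    metric: str      # e.g. "Gi0/0 util%" or "cpu%"
    value: float     # percent


def constructed_samples(days: int = 14) -> List[Sample]:
    """Constructed polling data (not real measurements): three polls per day of
    interface and CPU utilization on hypothetical router R1."""
    start = datetime(2021, 3, 1)
    out: List[Sample] = []
    for day in range(days):
        for hour in (9, 13, 17):
            when = start + timedelta(days=day, hours=hour)
            # deterministic pseudo-variation so the numbers are reproducible
            out.append(Sample(when, "R1", "Gi0/0 util%", 30 + (3 * day + hour) % 7))
            out.append(Sample(when, "R1", "cpu%", 18 + (3 * day + hour) % 5))
    return out


def window_status(samples: List[Sample]) -> str:
    """Check the capture window (calendar days covered) against the guidance."""
    first = min(s.when for s in samples).date()
    last = max(s.when for s in samples).date()
    covered = (last - first).days + 1
    if covered < MIN_DAYS:
        return "too-short"
    if covered > MAX_DAYS:
        return "too-long"
    return "ok"


Key = Tuple[str, str]   # (device, metric)


def build_baseline(samples: List[Sample]) -> Dict[Key, Tuple[float, float]]:
    """Per (device, metric): (mean, population standard deviation) over the window."""
    groups: Dict[Key, List[float]] = {}
    for s in samples:
        groups.setdefault((s.device, s.metric), []).append(s.value)
    return {k: (mean(v), pstdev(v)) for k, v in groups.items()}


def deviations(baseline: Dict[Key, Tuple[float, float]], observed: List[Sample],
               k: float = 3.0) -> List[Tuple[Key, float, float]]:
    """Observations above mean + k * stdev for their key. Keys absent from the
    baseline are reported with limit nan: nothing "normal" is known about them."""
    flagged: List[Tuple[Key, float, float]] = []
    for s in observed:
        key = (s.device, s.metric)
        if key not in baseline:
            flagged.append((key, s.value, float("nan")))
            continue
        m, sd = baseline[key]
        limit = m + k * sd
        if s.value > limit:
            flagged.append((key, s.value, limit))
    return flagged


if __name__ == "__main__":
    window = constructed_samples()
    print("capture window:", window_status(window))
    base = build_baseline(window)
    for key, (m, sd) in base.items():
        print(f"{key}: mean={m:.1f} stdev={sd:.1f}")
    later = datetime(2021, 3, 16, 10)
    new = [Sample(later, "R1", "Gi0/0 util%", 95.0),
           Sample(later, "R1", "cpu%", 90.0),
           Sample(later, "SW1", "cpu%", 50.0)]
    for key, value, limit in deviations(base, new):
        print(f"deviation {key}: {value} > {limit:.1f}")
```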

Network Documentation
Data Measurement
The table lists some of the most common Cisco IOS commands used for data collection.
Command: Description
show version: Displays uptime and version information for device software and hardware.
show ip interface [brief], show ipv6 interface [brief]: Displays all the configuration options that are set on an interface.
show interfaces: Displays detailed output for each interface.
show ip route [static | eigrp | ospf | bgp], show ipv6 route [static | eigrp | ospf | bgp]: Displays the routing table content, listing directly connected networks and learned remote networks.
show cdp neighbors detail: Displays detailed information about directly connected Cisco devices.
show arp, show ipv6 neighbors: Displays the contents of the ARP table (IPv4) and the neighbor table (IPv6).
show running-config: Displays the current configuration.
show vlan: Displays the status of VLANs on a switch.
show port: Displays the status of ports on a switch.
show tech-support: Used to collect a large amount of information using multiple show commands for technical support reporting purposes.
12.2 Troubleshooting
Process

Troubleshooting Process
General Troubleshooting Procedures
Troubleshooting can be time consuming
because networks differ, problems differ, and
troubleshooting experience varies.
• Using a structured troubleshooting method
will shorten overall troubleshooting time.
• There are several troubleshooting
processes that can be used to solve a
problem.
• The figure displays the logic flowchart of a
simplified three-stage troubleshooting
process.

Troubleshooting Process
Seven-Step Troubleshooting Process
The figure displays a more detailed seven-
step troubleshooting process.

Steps: Description
Define the Problem: Verify that there is a problem and then properly define what the problem is.
Gather Information: Targets (i.e., hosts, devices) are identified, accessed, and information gathered.
Analyze Information: Identify possible causes using network documentation, network baselines, knowledge bases, and peers.
Eliminate Possible Causes: Progressively eliminate possible causes to eventually identify the most probable cause.
Propose Hypothesis: When the most probable cause has been identified, a solution must be formulated.
Test Hypothesis: Assess the urgency of the problem, create a rollback plan, implement the solution, and verify the outcome.
Solve the Problem: When solved, inform all involved and document the cause and solution to help solve future problems.

Troubleshooting Process
Question End Users
The table provides questioning guidelines and sample open ended end-user questions.
Guidelines and example open-ended end-user questions:

Ask pertinent questions.
• What does not work?
• What exactly is the problem?
• What are you trying to accomplish?

Determine the scope of the problem.
• Who does this issue affect? Is it just you or others?
• What device is this happening on?

Determine when the problem occurred / occurs.
• When exactly does the problem occur?
• When was the problem first noticed?
• Were there any error message(s) displayed?

Determine if the problem is constant or intermittent.
• Can you reproduce the problem?
• Can you send me a screenshot or video of the problem?

Determine if anything has changed.
• What has changed since the last time it did work?

Use questions to eliminate or discover possible problems.
• What works?
• What does not work?

Troubleshooting Process
Gather Information
Common Cisco IOS commands used to gather network problem symptoms.
Command: Description
ping {host | ip-address}: Sends an echo request packet to an address, then waits for a reply.
traceroute destination: Identifies the path a packet takes through the networks.
telnet {host | ip-address}: Connects to an IP address using the Telnet application (Note: Use SSH whenever possible).
ssh -l user-id ip-address: Connects to an IP address using SSH.
show ip interface brief, show ipv6 interface brief: Displays a summary status of all interfaces on a device.
show ip route, show ipv6 route: Displays the current IPv4 and IPv6 routing tables.
show protocols: Displays the global and interface-specific status of any configured Layer 3 protocol.
debug: Displays a list of options for enabling or disabling debugging events.

Troubleshooting Process
Troubleshooting with Layered Models
The OSI and TCP/IP models can be applied to isolate network problems when troubleshooting.

The figure shows some common devices and the OSI layers that must be examined during the troubleshooting process for that device.
Troubleshooting Process
Structured Troubleshooting Methods
Different troubleshooting approaches that can be used include the following.

Bottom-Up: Good approach to use when the problem is suspected to be a physical one.

Top-Down: Use this approach for simpler problems, or when you think the problem is with a piece of software.

Divide-and-Conquer: Start at a middle layer (i.e., Layer 3) and test in both directions from that layer.

Follow-the-Path: Used to discover the actual traffic path from source to destination to reduce the scope of troubleshooting.

Substitution: You physically swap a suspected problematic device with a known, working one.

Comparison: Attempts to resolve the problem by comparing a nonoperational element with a working one.

Educated guess: Success of this method varies based on your troubleshooting experience and ability.
Troubleshooting Process
Guidelines for Selecting a Troubleshooting Method
To quickly resolve network problems, take the time to select the most effective network troubleshooting method.

• The figure illustrates which method could be used when a certain type of problem is discovered.
• Troubleshooting is a skill that is developed by doing it.
• Every network problem you identify and solve gets added to your skill set.
12.3 Troubleshooting Process

Troubleshooting Tools
Software Troubleshooting Tools
Common software troubleshooting tools include the following:

Network Management System Tools
• Network management software includes device-level monitoring, configuration, and fault-management tools.
• These tools can be used to investigate and correct network problems.

Knowledge Bases
• Online network device vendor knowledge bases have become indispensable sources of information.
• When vendor-based knowledge bases are combined with internet search engines, a network administrator has access to a vast pool of experience-based information.

Baselining Tools
• Many tools for automating the network documentation and baselining process are available.
• Baselining tools help with common documentation tasks such as drawing network diagrams, updating network software and hardware documentation, and cost-effectively measuring baseline network bandwidth use.
Troubleshooting Tools
Protocol Analyzers
A protocol analyzer can capture and display the physical layer to the application layer information contained in a packet.

Protocol analyzers, such as Wireshark, can help troubleshoot network performance problems.
Troubleshooting Tools
Hardware Troubleshooting Tools
There are multiple types of hardware troubleshooting tools.

Digital Multimeters: Devices that measure electrical values of voltage, current, and resistance.

Cable Testers: Handheld devices designed for testing the various types of data communication cabling.

Cable Analyzers: Multifunctional handheld devices used to test and certify copper and fiber cables.

Portable Network Analyzers: Specialized devices used for troubleshooting switched networks and VLANs.

Cisco Prime NAM: Browser-based interface that displays device performance analysis in a switched and routed environment.
Troubleshooting Tools
Syslog Server as a Troubleshooting Tool
Syslog is used by syslog clients to send text-based log messages to a syslog server.

• Log messages can be sent to the console, VTY lines, memory buffer, or syslog server.
• Cisco IOS log messages fall into one of eight levels.
• The lower the level number, the higher the severity level.
• By default, the console displays level 6 (debugging) messages.
• In the command output, level 0 (emergencies) to 5 (notifications) are sent to the syslog server at 209.165.200.225.

Level Keyword
0 Emergencies
1 Alerts
2 Critical
3 Errors
4 Warnings
5 Notifications
6 Informational
7 Debugging
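The severity handling described above, as an added example that is not part of the original slides or of Cisco IOS: a small Python parser for IOS log lines that extracts the %FACILITY-SEVERITY-MNEMONIC tag, keeps only the levels that a given logging trap setting would forward to the syslog server, and picks out the "line protocol down" messages that the data link layer section identifies as the most common Layer 2 console indicator. The sample log lines are constructed; the interface name, timestamps, user and host are assumed values, and 209.165.200.225 is the server address used on the slide.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Cisco IOS severity levels as listed in the table above (0 = most severe).
SEVERITY = {
    0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
    4: "Warnings", 5: "Notifications", 6: "Informational", 7: "Debugging",
}

# IOS messages carry a %FACILITY-SEVERITY-MNEMONIC: text tag after the timestamp.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)
LINEPROTO_DOWN_RE = re.compile(r"Line protocol on Interface (\S+), changed state to down")


@dataclass
class IosLogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def keyword(self) -> str:
        return SEVERITY[self.severity]


def parse_ios_message(line: str) -> Optional[IosLogMessage]:
    """Parse one log line; returns None for lines that carry no IOS message tag."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return IosLogMessage(m["facility"], int(m["severity"]), m["mnemonic"], m["text"].strip())


def parse_log(text: str) -> List[IosLogMessage]:
    """Parse a block of log output, skipping headers and other untagged lines."""
    return [msg for msg in map(parse_ios_message, text.splitlines()) if msg is not None]


def forwarded_to_server(messages: List[IosLogMessage], trap_level: int = 5) -> List[IosLogMessage]:
    """Messages that 'logging trap <trap_level>' would send to the syslog server:
    the given level and every more severe (numerically lower) level."""
    return [m for m in messages if m.severity <= trap_level]


def line_protocol_down(messages: List[IosLogMessage]) -> List[str]:
    """Interfaces whose line protocol went down: the classic Layer 2 console indicator."""
    hits = []
    for m in messages:
        found = LINEPROTO_DOWN_RE.search(m.text)
        if m.mnemonic == "UPDOWN" and found:
            hits.append(found.group(1))
    return hits


# Constructed sample of router output (not captured from the slides); the interface,
# timestamps, user, source host and syslog server address are assumed values.
SAMPLE_LOG = """\
Log Buffer (8192 bytes):
*Mar  1 00:04:21.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
*Mar  1 00:04:23.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down
*Mar  1 00:05:02.789: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.10.50)
*Mar  1 00:05:10.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
*Mar  1 00:05:30.002: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 209.165.200.225 started - CLI initiated
"""

if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    for m in forwarded_to_server(msgs, trap_level=5):
        print(f"{m.severity} {m.keyword:<14} {m.facility}-{m.mnemonic}: {m.text}")
    print("line protocol down on:", line_protocol_down(msgs))
```

With the trap level at 5, the level 6 "logging host started" message stays in the local buffer while the four level 3 to 5 messages reach the server, which is the behaviour the slide's command output describes.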

12.4 Symptoms and Causes of Network Problems

Symptoms and Causes of Network Problems
Physical Layer Troubleshooting
The table lists common symptoms of physical layer network problems.

Performance lower than baseline
• Requires previous baselines for comparison.
• The most common reasons include overloaded or underpowered servers, unsuitable switch or router configurations, traffic congestion on a low-capacity link, and chronic frame loss.

Loss of connectivity
• Loss of connectivity could be due to a failed or disconnected cable.
• Can be verified using a simple ping test.
• Intermittent connectivity loss can indicate a loose or oxidized connection.

Network bottlenecks or congestion
• If a route fails, routing protocols could redirect traffic to sub-optimal routes.
• This can result in congestion or bottlenecks in parts of the network.

High CPU utilization rates
• High CPU utilization rates indicate that a device is operating at or exceeding its design limits.
• If not addressed quickly, CPU overloading can cause a device to shut down or fail.

Console error messages
• Error messages reported on the device console could indicate a physical layer problem.
• Console messages should be logged to a central syslog server.
Symptoms and Causes of Network Problems
Physical Layer Troubleshooting (Cont.)
The table lists issues that commonly cause network problems at the physical layer.

Power-related: Check the operation of the fans and ensure that the chassis intake and exhaust vents are clear.

Hardware faults: Faulty or corrupt NIC driver files, bad cabling, or grounding problems can cause network transmission errors such as late collisions, short frames, and jabber.

Cabling faults: Look for damaged cables, improper cables, and poorly crimped connectors. Suspect cables should be tested or exchanged with a known functioning cable.

Attenuation: Attenuation can be caused if a cable length exceeds the design limit for the media, or when there is a poor connection resulting from a loose cable, or dirty or oxidized contacts.

Noise: Local electromagnetic interference (EMI) can be generated by many sources, such as crosstalk, nearby electric cables, large electric motors, FM radio stations, police radio, and more.

Interface configuration errors: Causes can include incorrect clock rate, incorrect clock source, and interface not being turned on. This causes a loss of connectivity with attached network segments.

Exceeding design limits: A component could operate sub-optimally if it is being utilized beyond specifications.

CPU overload: Symptoms include processes with high CPU utilization percentages, input queue drops, slow performance, SNMP timeouts, no remote access, no DHCP services, and Telnet sessions and pings that are slow or fail to respond.
Symptoms and Causes of Network Problems
Data Link Layer Troubleshooting
The table lists common symptoms of data link layer network problems.

No functionality or connectivity at the network layer or above
• Some Layer 2 problems can stop the exchange of frames across a link, while others only cause network performance to degrade.

Network is operating below baseline performance levels
• Frames can take a suboptimal path to their destination but still arrive, causing the network to experience unexpectedly high bandwidth usage on links.
• An extended or continuous ping can help reveal if frames are being dropped.

Excessive broadcasts
• Operating systems use broadcasts and multicasts extensively.
• Generally, excessive broadcasts are the result of poorly programmed or configured applications, large Layer 2 broadcast domains, or underlying network problems.

Console messages
• Routers send messages when they detect a problem with interpreting incoming frames (encapsulation or framing problems) or when keepalives are expected but do not arrive.
• The most common console message that indicates a Layer 2 problem is a line protocol down message.
Symptoms and Causes of Network Problems
Data Link Layer Troubleshooting
The table lists issues that commonly cause network problems at the data link layer.

Encapsulation errors: Occur when bits placed in a field by the sender are not what the receiver expects to see.

Address mapping errors: Occur when Layer 2 and Layer 3 addressing is not available.

Framing errors: Framing errors can be caused by a noisy serial line, an improperly designed cable, a faulty NIC, a duplex mismatch, or an incorrectly configured channel service unit (CSU) line clock.

STP failures or loops: Most STP problems are related to forwarding loops, which occur when no ports in a redundant topology are blocked and traffic is forwarded in circles indefinitely, and to excessive flooding caused by a high rate of STP topology changes.
Symptoms and Causes of Network Problems
Network Layer Troubleshooting
The table lists common symptoms of network layer network problems.

Network failure
• Occurs when the network is nearly or completely non-functional, affecting all users and applications on the network.
• These failures are usually noticed quickly by users and network administrators and are obviously critical to the productivity of a company.

Suboptimal performance
• These involve a subset of users, applications, destinations, or a type of traffic.
• Optimization issues can be difficult to detect and even harder to isolate and diagnose.
• This is because they usually involve multiple layers, or even a single host computer.
• Determining that the problem is a network layer problem can take time.
Symptoms and Causes of Network Problems
Network Layer Troubleshooting (Cont.)
The table lists issues that commonly cause network problems at the network layer.

General network issues
• Often a change in the topology may unknowingly have effects on other areas of the network.
• Determine whether anything in the network has recently changed, and if there is anyone currently working on the network infrastructure.

Connectivity issues: Check for any equipment and connectivity problems, including power problems, environmental problems, and Layer 1 problems, such as cabling problems, bad ports, and ISP problems.

Routing table: Check the routing table for anything unexpected, such as missing routes or unexpected routes.

Neighbor issues: Check to see if there are any problems with the routers forming neighbor adjacencies.

Topology database: Check the table for anything unexpected, such as missing entries or unexpected entries.
Symptoms and Causes of Network Problems
Transport Layer Troubleshooting - ACLs
The table lists areas where ACL misconfigurations commonly occur.

Selection of traffic flow: An ACL must be applied to the correct interface in the correct traffic direction.

Order of access control entries: The entries in an ACL should be ordered from specific to general.

Implicit deny any: The implicit ACE can be the cause of an ACL misconfiguration.

Addresses and IPv4 wildcard masks: Complex IPv4 wildcard masks are more efficient, but are more subject to configuration errors.

Selection of transport layer protocol: It is important that only the correct transport layer protocol be specified in an ACE.

Source and destination ports: Ensure that the correct inbound and outbound ports are specified in an ACE.

Use of the established keyword: The established keyword, applied incorrectly, can provide unexpected results.

Uncommon protocols: Misconfigured ACLs often cause problems for protocols other than TCP and UDP.
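The ordering, implicit-deny and established points above in working form, as an added example that is not part of the original slides and is not Cisco IOS code: a Python model of first-match ACL evaluation that reports entries shadowed by an earlier, more general entry, applies the implicit deny any when nothing matches, and models the established keyword as a check for the TCP ACK or RST flag. The ACLs, hosts and addresses are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "0.0.0.0/0"   # the ACL keyword 'any' expressed as a network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    ack_or_rst: bool = False    # TCP ACK/RST set: the flags 'established' looks for


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # source network in CIDR form ("host x" = x/32)
    dst: str                    # destination network in CIDR form
    dport: Optional[int] = None  # 'eq <port>'; None = any port
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
            return False
        return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE decides; nothing matched means the implicit deny any applies."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def _covers(general: Ace, specific: Ace) -> bool:
    """True when every packet 'specific' could match is already matched by 'general'."""
    return (
        (general.proto == "ip" or general.proto == specific.proto)
        and ipaddress.ip_network(specific.src).subnet_of(ipaddress.ip_network(general.src))
        and ipaddress.ip_network(specific.dst).subnet_of(ipaddress.ip_network(general.dst))
        and (general.dport is None or general.dport == specific.dport)
        and (not general.established or specific.established)
    )


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indexes of ACEs that can never be reached because an earlier ACE covers them."""
    return [j for j in range(len(acl)) if any(_covers(acl[i], acl[j]) for i in range(j))]


# Constructed ACLs (assumed addresses, not from the slides). The first permits everything
# from 10.1.0.0/16 before the entry meant to block Telnet from one host, so the deny is dead.
MISORDERED_ACL = [
    Ace("permit", "ip", "10.1.0.0/16", ANY),
    Ace("deny", "tcp", "10.1.10.50/32", ANY, dport=23),
]
# Same entries ordered specific to general, as the table recommends.
CORRECTED_ACL = [MISORDERED_ACL[1], MISORDERED_ACL[0]]
# Inbound on an outside interface: only return traffic of TCP sessions opened from inside.
INBOUND_ACL = [Ace("permit", "tcp", ANY, "10.1.0.0/16", established=True)]

if __name__ == "__main__":
    telnet = Packet("10.1.10.50", "203.0.113.10", "tcp", dport=23)
    print("misordered:", evaluate(MISORDERED_ACL, telnet), "shadowed:", shadowed_entries(MISORDERED_ACL))
    print("corrected: ", evaluate(CORRECTED_ACL, telnet), "shadowed:", shadowed_entries(CORRECTED_ACL))
```

The shadow check is the review a practitioner performs before applying an ACL: an entry whose source, destination, protocol and port are all contained in an earlier entry can never take effect, which is exactly how a deny placed after a broad permit silently stops working.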
Symptoms and Causes of Network Problems
Transport Layer Troubleshooting - NAT for IPv4
The table lists common interoperability areas with NAT.

BOOTP and DHCP
• The DHCP-Request packet has a source IPv4 address of 0.0.0.0.
• However, NAT requires both a valid destination and source IPv4 address; therefore, BOOTP and DHCP can have difficulty operating over a router running either static or dynamic NAT.
• Configuring the IPv4 helper feature can help solve this problem.

DNS
• A DNS server outside the NAT router does not have an accurate representation of the network inside the router.
• Configuring the IPv4 helper feature can help solve this problem.

SNMP
• An SNMP management station on one side of a NAT router may not be able to contact SNMP agents on the other side of the NAT router.
• Configuring the IPv4 helper feature can help solve this problem.

Tunneling and encryption protocols: Encryption and tunneling protocols often require that traffic be sourced from a specific UDP or TCP port, or use a protocol at the transport layer that cannot be processed by NAT.
Symptoms and Causes of Network Problems
Application Layer Troubleshooting
The table provides a short description of common application layer protocols.

SSH/Telnet: Enables users to establish terminal session connections with remote hosts.
HTTP: Supports the exchanging of text, graphic images, sound, video, and other multimedia files on the web.
FTP: Performs interactive file transfers between hosts.
TFTP: Performs basic interactive file transfers, typically between hosts and networking devices.
SMTP: Supports basic message delivery services.
POP: Connects to mail servers and downloads email.
SNMP: Collects management information from network devices.
DNS: Maps IP addresses to the names assigned to network devices.
NFS: Network File System (NFS) enables computers to mount and use drives on remote hosts.
12.5 Troubleshooting IP Connectivity

Troubleshooting IP Connectivity
Components of Troubleshooting End-to-End Connectivity
Bottom-up approach steps when there is no end-to-end connectivity are as follows:
1. Check physical connectivity at the point where network communication stops.
2. Check for duplex mismatches.
3. Check data link and network layer addressing on the local network.
4. Verify that the default gateway is correct.
5. Ensure that devices are determining the correct path from the source to the destination.
6. Verify the transport layer is functioning properly.
7. Verify that there are no ACLs blocking traffic.
8. Ensure that DNS settings are correct.

Troubleshooting IP Connectivity
End-to-End Connectivity Problem Initiates Troubleshooting
Usually what initiates a troubleshooting effort is the discovery that there is a problem with end-to-end connectivity.

Two of the most common utilities used to verify a problem with end-to-end connectivity are ping and traceroute.
Troubleshooting IP Connectivity
Step 1 - Verify the Physical Layer
The show interfaces command is useful when troubleshooting performance-related issues and hardware is suspected to be at fault.

Of interest in the output are the:
• Interface status
• Input queue drops
• Output queue drops
• Input errors
• Output errors
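To show what a practitioner actually checks in that output, here is an added Python example (not code from the slides or from Cisco) that parses the five fields listed above out of show interfaces text and flags interfaces whose status, queue drops or error counters deserve attention. The sample output is constructed: the interface names, hardware strings, MAC addresses and counter values are invented for the illustration, with one healthy interface, one with drops and errors, and one that is administratively down.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class InterfaceStats:
    name: str
    status: str             # e.g. "up", "down", "administratively down"
    line_protocol: str      # "up" or "down"
    input_queue_drops: int = 0
    output_queue_drops: int = 0
    input_errors: int = 0
    crc: int = 0
    output_errors: int = 0
    collisions: int = 0


# Patterns for the lines of show interfaces that carry the fields listed above.
HEADER_RE = re.compile(r"^(?P<name>\S+) is (?P<status>.+?), line protocol is (?P<proto>\S+)")
QUEUE_RE = re.compile(
    r"Input queue: \d+/\d+/(?P<idrops>\d+)/\d+ \(size/max/drops/flushes\); Total output drops: (?P<odrops>\d+)"
)
IN_ERR_RE = re.compile(r"(?P<ierr>\d+) input errors, (?P<crc>\d+) CRC")
OUT_ERR_RE = re.compile(r"(?P<oerr>\d+) output errors, (?P<coll>\d+) collisions")


def parse_show_interfaces(text: str) -> List[InterfaceStats]:
    """Split show interfaces output into one record per interface block."""
    result: List[InterfaceStats] = []
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)          # block headers start at column 0
        if header:
            current = InterfaceStats(header["name"], header["status"], header["proto"])
            result.append(current)
            continue
        if current is None:
            continue
        if (m := QUEUE_RE.search(line)):
            current.input_queue_drops = int(m["idrops"])
            current.output_queue_drops = int(m["odrops"])
        elif (m := IN_ERR_RE.search(line)):
            current.input_errors = int(m["ierr"])
            current.crc = int(m["crc"])
        elif (m := OUT_ERR_RE.search(line)):
            current.output_errors = int(m["oerr"])
            current.collisions = int(m["coll"])
    return result


def flag_interfaces(stats: List[InterfaceStats]) -> Dict[str, List[str]]:
    """Return, per interface, the observations a troubleshooter would follow up on."""
    findings: Dict[str, List[str]] = {}
    for s in stats:
        notes = []
        if s.status != "up" or s.line_protocol != "up":
            notes.append(f"interface is {s.status}, line protocol is {s.line_protocol}")
        if s.input_queue_drops:
            notes.append(f"{s.input_queue_drops} input queue drops (device cannot keep up with arrivals)")
        if s.output_queue_drops:
            notes.append(f"{s.output_queue_drops} output queue drops (link congested)")
        if s.input_errors:
            notes.append(f"{s.input_errors} input errors, {s.crc} CRC (cabling, noise or duplex mismatch)")
        if s.output_errors or s.collisions:
            notes.append(f"{s.output_errors} output errors, {s.collisions} collisions")
        if notes:
            findings[s.name] = notes
    return findings


# Constructed sample output, trimmed to the lines this parser reads; all values are invented.
SAMPLE_SHOW_INTERFACES = """\
GigabitEthernet0/0/0 is up, line protocol is up
  Hardware is ISR4321-2x1GE, address is 0c2f.b0c4.2a80 (bia 0c2f.b0c4.2a80)
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
     1520441 packets input, 211478212 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     1333812 packets output, 189322110 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
GigabitEthernet0/0/1 is up, line protocol is up
  Hardware is ISR4321-2x1GE, address is 0c2f.b0c4.2a81 (bia 0c2f.b0c4.2a81)
  Input queue: 0/375/1842/0 (size/max/drops/flushes); Total output drops: 915
     884211 packets input, 120998311 bytes, 0 no buffer
     2217 input errors, 2210 CRC, 7 frame, 0 overrun, 0 ignored
     901003 packets output, 130012340 bytes, 0 underruns
     338 output errors, 338 collisions, 4 interface resets
Serial0/1/1 is administratively down, line protocol is down
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
     0 packets input, 0 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
"""

if __name__ == "__main__":
    for name, notes in flag_interfaces(parse_show_interfaces(SAMPLE_SHOW_INTERFACES)).items():
        print(name)
        for note in notes:
            print("  -", note)
```

Counters in this output accumulate since the last clear counters or reload, so the useful comparison is against a baseline or a second reading a few minutes later, which is why the slides stress keeping baseline documentation.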

Troubleshooting IP Connectivity
Step 2 - Check for Duplex Mismatches
The IEEE 802.3ab Gigabit Ethernet standard mandates the use of autonegotiation for speed and duplex, and practically all Fast Ethernet NICs also use autonegotiation by default.

Problems can occur when there is a duplex mismatch.
Troubleshooting IP Connectivity
Step 3 - Verify Addressing on the Local Network
The arp Windows command displays and modifies entries in the ARP cache that are used to store IPv4 addresses and their resolved Ethernet physical (MAC) addresses.
Troubleshooting IP Connectivity
Troubleshoot VLAN Assignment Example
Another issue to consider when troubleshooting end-to-end connectivity is VLAN assignment.

For example, the MAC address on Fa0/1 should be in VLAN 10 instead of VLAN 1. The following configuration changes Fa0/1 to VLAN 10 and verifies the change.
Troubleshooting IP Connectivity
Step 4 - Verify Default Gateway
Misconfigured or missing default gateways can cause connectivity problems.

In the figure, for example, the default gateways are:
• R1: 192.168.1.2 (R2)
• PC1: 10.1.10.1 (R1 G0/0/0)

Useful commands to verify the default gateway on:
• R1: show ip route
• PC1: route print (or netstat -r)
Troubleshooting IP Connectivity
Troubleshoot IPv6 Default Gateway Example
An IPv6 default gateway can be configured manually, using SLAAC, or by using DHCPv6.

For example, a PC is unable to acquire its IPv6 configuration using SLAAC. The command output is missing the all-IPv6-routers multicast group (FF02::2). R1 is then enabled as an IPv6 router, and the new output verifies that R1 is a member of ff02::2, the All-IPv6-Routers multicast group.
Troubleshooting IP Connectivity
Step 5 - Verify Correct Path
When troubleshooting, it is often necessary to verify the path to the destination network.

• The figure describes the process for both the IPv4 and IPv6 routing tables.
• The process of forwarding IPv4 and IPv6 packets is based on the longest bit match or longest prefix match.
• The routing table process will attempt to forward the packet using an entry in the routing table with the greatest number of leftmost matching bits.
• The number of matching bits is indicated by the prefix length of the route.
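The longest-prefix-match rule above carried out in code, as an added example that is not from the slides and not Cisco's forwarding code: a Python lookup over a constructed routing table holding both IPv4 and IPv6 entries (the prefixes, next hops and exit interfaces are assumed) that lists every entry matching a destination, ordered by prefix length, and returns the one with the most leftmost matching bits; with no default route and no match it returns None, which is the case where a router drops the packet.

```python
import ipaddress
from typing import List, Optional, Tuple

# (prefix, next hop or exit interface) pairs; a constructed table, not output from the slides.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "192.168.1.2"),                 # IPv4 default route via R2
    ("10.1.0.0/16", "GigabitEthernet0/0/1"),
    ("10.1.10.0/24", "GigabitEthernet0/0/0"),
    ("192.168.1.0/30", "Serial0/1/1"),
    ("::/0", "2001:db8:1::2"),                    # IPv6 default route
    ("2001:db8:acad::/48", "GigabitEthernet0/0/1"),
    ("2001:db8:acad:10::/64", "GigabitEthernet0/0/0"),
]


def build_table(routes):
    """Turn (prefix, next hop) strings into network objects once, up front."""
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]


def matching_routes(table, destination: str) -> List[Tuple[str, int, str]]:
    """Every entry whose prefix contains the destination, longest prefix first.
    The prefix length is the number of leftmost bits that matched."""
    dst = ipaddress.ip_address(destination)
    hits = [(net, nh) for net, nh in table if net.version == dst.version and dst in net]
    hits.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return [(str(net), net.prefixlen, nh) for net, nh in hits]


def lookup(table, destination: str) -> Optional[Tuple[str, str]]:
    """The forwarding decision: the longest matching prefix wins; None means no route."""
    hits = matching_routes(table, destination)
    return (hits[0][0], hits[0][2]) if hits else None


TABLE = build_table(SAMPLE_ROUTES)

if __name__ == "__main__":
    for dest in ("10.1.10.25", "10.1.20.7", "8.8.8.8", "2001:db8:acad:10::50", "2001:db8:ffff::1"):
        print(dest, "->", lookup(TABLE, dest))
        for prefix, bits, nh in matching_routes(TABLE, dest):
            print(f"    candidate {prefix:<24} {bits:>3} matching bits via {nh}")
```

A destination inside 10.1.10.0/24 also matches 10.1.0.0/16 and 0.0.0.0/0, so all three appear as candidates; the forwarding decision takes the /24 because it has the greatest number of leftmost matching bits, exactly as the slide states.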

Troubleshooting IP Connectivity
Step 6 - Verify the Transport Layer
Two of the most common issues that affect transport layer connectivity include ACL configurations and NAT configurations.
• A common tool for testing transport layer functionality is the Telnet utility.
• For example, the administrator attempts to Telnet to R2 using port 80.
Troubleshooting IP Connectivity
Step 7 - Verify ACLs
On routers, there may be ACLs that prohibit protocols from passing through the interface in the inbound or outbound direction.

In this example, ACL 100 has been incorrectly configured inbound on G0/0/0 instead of inbound on S0/1/1. The ACL is removed from G0/0/0 and configured inbound on S0/1/1.
Troubleshooting IP Connectivity
Step 8 - Verify DNS
The DNS protocol controls the DNS, a distributed database with which you can map hostnames to IP addresses.
• When you configure DNS on the device, you can substitute the hostname for the IP address with all IP commands, such as ping or telnet.
• Use the ip host global configuration command to enter a name to be used instead of the IPv4 address of the switch or router, as shown in the command output.
• Use the nslookup Windows command to display the name-to-IP-address mapping information.
Troubleshooting IP Connectivity
Packet Tracer - Troubleshoot Enterprise Networks
In this Packet Tracer activity, you complete the following objectives:
• Part 1: Verify Switching Technologies
• Part 2: Verify DHCP
• Part 3: Verify Routing
• Part 4: Verify WAN Technologies
• Part 5: Verify Connectivity

12.6 Module Practice and Quiz
Structured Design
Packet Tracer – Network Troubleshooting
In this Packet Tracer activity, you complete the following objectives:
• Test network connectivity.
• Compile host addressing information.
• Remotely access default gateway devices.
• Document default gateway device configurations.
• Discover devices on the network.
• Draw the network topology.

Structured Design
Packet Tracer – Troubleshoot Challenge – Use Documentation to Solve Issues
In this Packet Tracer activity, you complete the following objectives:
• Use various techniques and tools to identify connectivity issues.
• Use documentation to guide troubleshooting efforts.
• Identify specific network problems.
• Implement solutions to network communication problems.
• Verify network operation.
Module Practice and Quiz
What did I learn in this module?
• Common network documentation includes physical and logical network topologies, network
device documentation, and network performance baseline documentation.
• The troubleshooting process should be guided by structured methods such as the seven-step
troubleshooting process: (i.e., 1. Define the problem, 2. Gather information, 3. Analyze
information, 4. Eliminate possible causes, 5. Propose hypothesis, 6. Test hypothesis, and 7.
Solve the problem).
• Troubleshooting tools include NMS tools, knowledge bases, baselining tools, protocol
analyzer, digital multimeters, cable testers, cable analyzers, portable network analyzers,
Cisco Prime NAM, and syslog servers.
• Physical layer problems cause failures and suboptimal conditions. Data link layer problems
are typically caused by encapsulation errors, address mapping errors, framing errors, and
STP failures or loops. Network layer problems include IPv4, IPv6, routing protocols (such as
EIGRP, OSPF, etc.). Transport layer problems can be misconfigured NAT or ACLs.
Application layer problems can result in unreachable or unusable resources.

Module Practice and Quiz
What did I learn in this module? (Cont.)
• A bottom-up troubleshooting method can be used to solve connectivity problems. Start
verifying the physical layer, check for duplex mismatches, verify addressing and default gateway,
verify that the correct path is taken, and verify the transport layer.

Module 13: Network Virtualization
Enterprise Networking, Security, and Automation v7.0
(ENSA)
Module Objectives
Module Title: Network Virtualization

Module Objective: Explain the purpose and characteristics of network virtualization.

Topic Title: Topic Objective
Cloud Computing: Explain the importance of cloud computing.
Virtualization: Explain the importance of virtualization.
Virtual Network Infrastructure: Describe the virtualization of network devices and services.
Software-Defined Networking: Describe software-defined networking.
Controllers: Describe controllers used in network programming.
13.1 Cloud Computing

Cloud Computing
Video - Cloud and Virtualization
This video will cover the following:
• Data centers
• Cloud computing (SaaS, PaaS, and IaaS)
• Virtualization (Type 1 Hypervisor, Type 2 Hypervisor)

Cloud Computing
Cloud Overview
Cloud computing addresses a variety of data management issues:
• Enables access to organizational data anywhere and at any time
• Streamlines the organization’s IT operations by subscribing only to needed services
• Eliminates or reduces the need for onsite IT equipment, maintenance, and
management
• Reduces cost for equipment, energy, physical plant requirements, and personnel
training needs
• Enables rapid responses to increasing data volume requirements

Cloud Computing
Cloud Services
The three main cloud computing services defined by the National Institute of Standards
and Technology (NIST) in their Special Publication 800-145 are as follows:
• Software as a Service (SaaS) - The cloud provider is responsible for access to
applications and services that are delivered over the internet.
• Platform as a Service (PaaS) - The cloud provider is responsible for providing users
access to the development tools and services used to deliver the applications.
• Infrastructure as a Service (IaaS) - The cloud provider is responsible for giving IT
managers access to the network equipment, virtualized network services, and
supporting network infrastructure.
Cloud service providers have extended this model to also provide IT support for each of
the cloud computing services (ITaaS). For businesses, ITaaS can extend the capability of
the network without requiring investment in new infrastructure, training new personnel, or
licensing new software.

Cloud Computing
Cloud Models
There are four primary cloud models:
• Public clouds - Cloud-based applications and services made available to the general
population.
• Private clouds - Cloud-based applications and services intended for a specific
organization or entity, such as the government.
• Hybrid clouds - A hybrid cloud is made up of two or more clouds (example: part
private, part public), where each part remains a separate object, but both are
connected using a single architecture.
• Community clouds - A community cloud is created for exclusive use by a specific
community. The differences between public clouds and community clouds are the
functional needs that have been customized for the community. For example,
healthcare organizations must remain compliant with policies and laws (e.g., HIPAA)
that require special authentication and confidentiality.

Cloud Computing
Cloud Computing versus Data Center
These are the correct definitions of data center and cloud computing:
• Data center: Typically, a data storage and processing facility run by an in-house IT
department or leased offsite. Data centers are typically very expensive to build and
maintain.
• Cloud computing: Typically, an off-premise service that offers on-demand access to
a shared pool of configurable computing resources. These resources can be rapidly
provisioned and released with minimal management effort.

Data centers are the physical facilities that provide the compute, network, and storage
needs of cloud computing services. Cloud service providers use data centers to host their
cloud services and cloud-based resources.

13.2 Virtualization

Virtualization
Cloud Computing and Virtualization
• The terms “cloud computing” and “virtualization” are often used interchangeably; however, they mean different things. Virtualization is the foundation of cloud computing. Without it, cloud computing, as it is most widely implemented, would not be possible.
• Virtualization separates the operating system (OS) from the hardware. Various providers offer virtual cloud services that can dynamically provision servers as required. These virtualized instances of servers are created on demand.
Virtualization
Dedicated Servers
Historically, enterprise servers consisted of a server OS, such as Windows Server or Linux Server, installed on specific hardware. All of a server’s RAM, processing power, and hard drive space were dedicated to the service provided (e.g., Web, email services, etc.).
• When a component fails, the service that is provided by this server becomes unavailable. This is known as a single point of failure.
• Dedicated servers were generally underused. They often sat idle for long periods of time, waiting until there was a need to deliver the specific service they provide. These servers wasted energy and took up more space than was warranted by the amount of service provided. This is known as server sprawl.
Virtualization
Server Virtualization
• Server virtualization takes advantage of idle resources and consolidates the number of required servers. This also allows for multiple operating systems to exist on a single hardware platform.
• The use of virtualization normally includes redundancy to protect from a single point of failure.
• The hypervisor is a program, firmware, or hardware that adds an abstraction layer on top of the physical hardware. The abstraction layer is used to create virtual machines which have access to all the hardware of the physical machine such as CPUs, memory, disk controllers, and NICs.
Virtualization
Advantages of Virtualization
One major advantage of virtualization is overall reduced cost:
• Less equipment is required
• Less energy is consumed
• Less space is required

These are additional benefits of virtualization:
• Easier prototyping
• Faster server provisioning
• Increased server uptime
• Improved disaster recovery
• Legacy support
Virtualization
Abstraction Layers
A computer system consists of the following abstraction layers: Services, OS, Firmware,
and Hardware.
• At each of these layers of abstraction, some type of programming code is used as an
interface between the layer below and the layer above.
• A hypervisor is installed between the firmware and the OS. The hypervisor can
support multiple instances of OSs.

Virtualization
Type 2 Hypervisors
• A Type 2 hypervisor is software that creates and runs VM instances. The computer on
which a hypervisor supports one or more VMs is the host machine. Type 2 hypervisors are
also called hosted hypervisors.
• A big advantage of Type 2 hypervisors is that management console software is not
required.

13.3 Virtual Network
Infrastructure

Virtual Network Infrastructure
Type 1 Hypervisors
• Type 1 hypervisors are also called the “bare metal” approach because the hypervisor
is installed directly on the hardware. Type 1 hypervisors are usually used on
enterprise servers and data center networking devices.
• With Type 1 hypervisors, the hypervisor is installed directly on the server or
networking hardware. Then, instances of an OS are installed on the hypervisor, as
shown in the figure. Type 1 hypervisors have direct access to the hardware resources.
Therefore, they are more efficient than hosted architectures. Type 1 hypervisors
improve scalability, performance, and robustness.

Virtual Network Infrastructure
Installing a VM on a Hypervisor
• Type 1 hypervisors require a “management console” to manage the hypervisor.
Management software is used to manage multiple servers using the same hypervisor.
The management console can automatically consolidate servers and power on or off
servers as required.
• The management console provides recovery from hardware failure. If a server
component fails, the management console automatically moves the VM to another
server. Cisco Unified Computing System (UCS) Manager controls multiple servers
and manages resources for thousands of VMs.
• Some management consoles also allow server overallocation. Overallocation is when
multiple OS instances are installed, but their combined memory allocation exceeds the
total amount of memory that the server has. Overallocation is a common practice because
the OS instances (four in the figure) rarely require all of their allocated resources at
any one moment.

Virtual Network Infrastructure
The Complexity of Network Virtualization
• Server virtualization hides server resources. This
can create problems when using traditional
network architectures.
• VMs are movable, and the network administrator
must be able to add, drop, and change network
resources and profiles to support their mobility.
This process would be manual and time-
consuming with traditional network switches.
• Traffic flows differ from the traditional client-
server model. Typically, there is a considerable
amount of traffic being exchanged between
virtual servers (East-West traffic) that changes in
location and intensity over time. North-South
traffic is typically traffic destined for offsite
locations such as another data center, other
cloud providers, or the internet.
Virtual Network Infrastructure
The Complexity of Network Virtualization (Cont.)
• Dynamic ever-changing traffic requires a flexible approach to network resource
management. Existing network infrastructures can respond to changing requirements
related to the management of traffic flows by using Quality of Service (QoS) and
security level configurations for individual flows. However, in large enterprises using
multivendor equipment, each time a new VM is enabled, the necessary
reconfiguration can be very time-consuming.
• The network infrastructure can also benefit from virtualization. Network functions can
be virtualized. Each network device can be segmented into multiple virtual devices
that operate as independent devices. Examples include subinterfaces, virtual
interfaces, VLANs, and routing tables. Virtualized routing is called virtual routing and
forwarding (VRF).

13.4 Software-Defined
Networking

Software-Defined Networking
Video - Software-Defined Networking
This video will cover the following:
• Network Programming
• SDN (Open Network Foundation, OpenFlow, and OpenStack)
• Controllers

Software-Defined Networking
Control Plane and Data Plane
A network device contains the following planes:
• Control plane - This is typically regarded as the brains of a device. It is used to make
forwarding decisions. The control plane contains Layer 2 and Layer 3 route forwarding
mechanisms, such as routing protocol neighbor tables and topology tables, IPv4 and
IPv6 routing tables, STP, and the ARP table. Information sent to the control plane is
processed by the CPU.
• Data plane - Also called the forwarding plane, this plane is typically the switch fabric
connecting the various network ports on a device. The data plane of each device is
used to forward traffic flows. Routers and switches use information from the control
plane to forward incoming traffic out the appropriate egress interface. Information in
the data plane is typically processed by a special data plane processor without the
CPU getting involved.

Software-Defined Networking
Control Plane and Data Plane (Cont.)
• Cisco Express Forwarding (CEF) is an advanced, Layer 3 IP switching
technology that enables forwarding of packets to occur at the data plane
without consulting the control plane.
• SDN is basically the separation of the
control plane and data plane. The control
plane function is removed from each
device and is performed by a centralized
controller. The centralized controller
communicates control plane functions to
each device. Each device can now focus
on forwarding data while the centralized
controller manages data flow, increases
security, and provides other services.

Software-Defined Networking
Control Plane and Data Plane (Cont.)
• The management plane is responsible for managing a device through its connection
to the network.
• Network administrators use applications such as Secure Shell (SSH), Trivial File
Transfer Protocol (TFTP), Secure FTP, and Secure Hypertext Transfer Protocol
(HTTPS) to access the management plane and configure a device.
• The management plane is how you have accessed and configured devices in your
networking studies. In addition, protocols like Simple Network Management Protocol
(SNMP) use the management plane.

Software-Defined Networking
Network Virtualization Technologies
Two major network architectures have been developed to support network virtualization:
• Software-Defined Networking (SDN) - A network architecture that virtualizes the
network, offering a new approach to network administration and management that
seeks to simplify and streamline the administration process.
• Cisco Application Centric Infrastructure (ACI) - A purpose-built hardware solution
for integrating cloud computing and data center management.

Software-Defined Networking
Network Virtualization Technologies (Cont.)
Components of SDN may include the following:
• OpenFlow - This approach was developed at Stanford University to manage traffic
between routers, switches, wireless access points, and a controller. The OpenFlow
protocol is a basic element in building SDN solutions.
• OpenStack - This approach is a virtualization and orchestration platform designed to
build scalable cloud environments and provide an IaaS solution. OpenStack is often
used with Cisco ACI. Orchestration in networking is the process of automating the
provisioning of network components such as servers, storage, switches, routers, and
applications.
• Other components - Other components include Interface to the Routing System
(I2RS), Transparent Interconnection of Lots of Links (TRILL), Cisco FabricPath (FP),
and IEEE 802.1aq Shortest Path Bridging (SPB).

Software-Defined Networking
Traditional and SDN Architectures
In a traditional router or switch architecture, the control plane and data plane functions
occur in the same device. Routing decisions and packet forwarding are the responsibility
of the device operating system. In SDN, management of the control plane is moved to a
centralized SDN controller. The figure compares traditional and SDN architectures.

Software-Defined Networking
Traditional and SDN Architectures (Cont.)
• The SDN controller is a logical entity that enables
network administrators to manage and dictate how the
data plane of switches and routers should handle
network traffic. It orchestrates, mediates, and facilitates
communication between applications and network
elements.
• The complete SDN framework is shown in the figure.
Note the use of Application Programming Interfaces
(APIs). An API is a standardized definition of the proper
way for an application to request services from another
application.
• The SDN controller uses northbound APIs to
communicate with the upstream applications, helping
network administrators shape traffic and deploy services.
The SDN controller uses southbound APIs to define the
behavior of the data planes on downstream switches
and routers. OpenFlow is a widely implemented
southbound API.
13.5 Controllers

Controllers
SDN Controller and Operations
• The SDN controller defines the
data flows between the
centralized control plane and the
data planes on individual routers
and switches.
• Each flow traveling through the
network must first get permission
from the SDN controller, which
verifies that the communication is
permissible according to the
network policy.
• All complex functions are
performed by the controller. The
controller populates flow tables.
Switches manage the flow tables.
Controllers
SDN Controller and Operations (Cont.)
Within each switch, a series of tables implemented in hardware or firmware is used to
manage the flows of packets through the switch. To the switch, a flow is a sequence of
packets that matches a specific entry in a flow table.
The three table types shown in the previous figure are as follows:
• Flow Table - This table matches incoming packets to a particular flow and specifies the functions
that are to be performed on the packets. There may be multiple flow tables that operate in a
pipeline fashion.
• Group Table - A flow table may direct a flow to a Group Table, which may trigger a variety of
actions that affect one or more flows.
• Meter Table - This table triggers a variety of performance-related actions on a flow including the
ability to rate-limit the traffic.
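The table-miss, controller-permission and flow/group/meter-table behaviour described on these two slides, as an added Python model (example code, not from the course or any Cisco product): the switch asks the controller only when no flow entry matches, the controller answers with an entry derived from its policy (a drop entry when nothing permits the flow), and every later packet of that flow is handled in the data plane. The policy, the addresses and the `forward:port` action strings are constructed for the example.

```python
# Added example (not from the course or any Cisco product): a toy model of the split.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port


@dataclass
class FlowEntry:
    """One row of a flow table: match fields, an action and an optional meter id."""
    match: dict                  # field name -> value; src/dst values are CIDR networks
    action: str                  # "forward", "drop" or "group:<id>"
    meter: Optional[int] = None  # meter table entry applied before the action
    priority: int = 0            # highest matching priority wins, as in OpenFlow

    def matches(self, pkt):
        for name, wanted in self.match.items():
            have = getattr(pkt, name)
            if name in ("src", "dst"):
                if ip_address(have) not in ip_network(wanted):
                    return False
            elif have != wanted:
                return False
        return True


class Controller:
    """Holds the network policy. The switch consults it only on a table miss."""

    def __init__(self, policy):
        self.policy = policy  # list of (dst network, dport, FlowEntry keyword args)
        self.queries = 0      # how often the data plane had to ask

    def decide(self, pkt):
        self.queries += 1
        for net, port, decision in self.policy:
            if ip_address(pkt.dst) in ip_network(net) and pkt.dport == port:
                # Install an entry for the whole rule, so the rest of the flow stays in
                # the data plane without another controller round trip.
                return FlowEntry({"dst": net, "dport": port}, **decision)
        # Default deny: traffic no policy permits gets a drop entry in hardware.
        return FlowEntry({"dst": pkt.dst + "/32", "dport": pkt.dport}, "drop")


class Switch:
    """Data plane: flow, group and meter tables populated by the controller."""

    def __init__(self, controller):
        self.controller = controller
        self.flow_table = []
        # Group 1 replicates a flow to two ports (e.g. forward and mirror to a sensor).
        self.group_table = {1: ["forward:port1", "forward:port2"]}
        # Meter 1 passes three packets per measurement window, then drops.
        self.meter_table = {1: {"limit": 3, "count": 0}}
        self.meter_drops = 0

    def handle(self, pkt):
        hits = [e for e in self.flow_table if e.matches(pkt)]
        entry = max(hits, key=lambda e: e.priority) if hits else None
        if entry is None:                       # table miss: ask the controller once
            entry = self.controller.decide(pkt)
            self.flow_table.append(entry)
        if entry.meter is not None:             # meter table: rate limit the flow
            meter = self.meter_table[entry.meter]
            meter["count"] += 1
            if meter["count"] > meter["limit"]:
                self.meter_drops += 1
                return "drop(meter)"
        if entry.action.startswith("group:"):   # group table: one match, many actions
            return "+".join(self.group_table[int(entry.action.split(":")[1])])
        return entry.action


# Constructed policy: what the controller permits and how each flow is treated.
POLICY = [
    ("10.0.2.0/24", 443, {"action": "forward", "priority": 10}),
    ("10.0.2.0/24", 22, {"action": "group:1", "priority": 10}),
    ("10.0.3.0/24", 53, {"action": "forward", "meter": 1, "priority": 10}),
]


def demo():
    controller = Controller(POLICY)
    switch = Switch(controller)
    traffic = (
        [Packet("10.0.1.5", "10.0.2.10", 443)] * 3    # HTTPS: one miss, then cached
        + [Packet("10.0.1.5", "10.0.2.11", 22)]       # SSH: replicated via group 1
        + [Packet("10.0.1.7", "10.0.3.1", 53)] * 5    # DNS: metered, 3 pass, 2 drop
        + [Packet("10.0.1.9", "10.0.9.9", 3389)] * 2  # not in policy: default deny
    )
    actions = [switch.handle(p) for p in traffic]
    return {"actions": actions, "controller_queries": controller.queries,
            "flow_entries": len(switch.flow_table), "meter_drops": switch.meter_drops}
```

Eleven packets produce only four controller queries, one per new flow; the denied RDP flow is dropped by an installed entry on its second packet without the controller being involved.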

Controllers
Video - Cisco ACI
• Very few organizations actually have the desire or skill to program the network using
SDN tools. However, the majority of organizations want to automate the network,
accelerate application deployments, and align their IT infrastructures to better meet
business requirements. Cisco developed the Application Centric Infrastructure (ACI) to
meet these objectives in more advanced and innovative ways than earlier SDN
approaches.
• Cisco ACI is a hardware solution for integrating cloud computing and data center
management. At a high level, the policy element of the network is removed from the
data plane. This simplifies the way data center networks are created.

Controllers
Core Components of ACI
There are three core components of the ACI architecture:
• Application Network Profile (ANP) - An ANP is a collection of end-point groups (EPG), their
connections, and the policies that define those connections.
• Application Policy Infrastructure Controller (APIC) - APIC is a centralized software controller
that manages and operates a scalable ACI clustered fabric. It is designed for programmability and
centralized management. It translates application policies into network programming.
• Cisco Nexus 9000 Series switches - These switches provide an application-aware switching
fabric and work with an APIC to manage the virtual and physical network infrastructure.
The APIC is positioned between the ANP and the ACI-enabled network infrastructure. The
APIC translates the application requirements into a network configuration to meet those
needs.

Controllers
Spine-Leaf Topology
• The Cisco ACI fabric is composed of the
APIC and the Cisco Nexus 9000 series
switches using two-tier spine-leaf
topology, as shown in the figure. The leaf
switches attach to the spines, but they
never attach to each other. Similarly, the
spine switches only attach to the leaf and
core switches (not shown). In this two-
tier topology, everything is one hop from
everything else.
• When compared to SDN, the APIC
controller does not manipulate the data
path directly. Instead, the APIC
centralizes the policy definition and
programs the leaf switches to forward
traffic based on the defined policies.
Controllers
SDN Types
The Cisco Application Policy Infrastructure Controller - Enterprise Module (APIC-EM)
extends ACI to enterprise and campus deployments. To better understand APIC-EM, it is
helpful to take a broader look at the three types of SDN:
• Device-based SDN: Devices are programmable by applications running on the device
itself or on a server in the network, as shown in the figure.

Controllers
SDN Types (Cont.)
Controller-based SDN: Uses a centralized controller that has knowledge of all devices in
the network, as shown in the figure. The applications can interface with the controller
responsible for managing devices and manipulating traffic flows throughout the network.
The Cisco Open SDN Controller is a commercial distribution of OpenDaylight.

Controllers
SDN Types (Cont.)
Policy-based SDN: Similar to controller-
based SDN where a centralized controller
has a view of all devices in the network,
as shown in the figure. Policy-based SDN
includes an additional Policy layer that
operates at a higher level of abstraction.
It uses built-in applications that automate
advanced configuration tasks via a
guided workflow and user-friendly GUI.
No programming skills are required.
Cisco APIC-EM is an example of this type
of SDN.

Controllers
APIC-EM Features
Cisco APIC-EM provides a single
interface for network management
including:
• Discovering and accessing device
and host inventories.
• Viewing the topology (as shown in
the figure).
• Tracing a path between end points.
• Setting policies.

Controllers
APIC-EM Path Trace
The APIC-EM Path Trace tool allows the administrator to easily visualize traffic flows
and discover any conflicting, duplicate, or shadowed ACL entries. This tool examines
specific ACLs on the path between two end nodes, displaying any potential issues. You can
see where any ACLs along the path either permitted or denied your traffic, as shown in
the figure. Notice how Branch-Router2 permits all traffic. The network administrator can
now make adjustments, if necessary, to better filter traffic.
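An added Python example (not from the course and not APIC-EM code) of the two things the Path Trace description names: flagging conflicting, duplicate and shadowed entries in an ordered ACL, and showing which entry a given flow actually hits along with the implicit deny at the end. The `seq action proto src dst [eq port]` syntax with CIDR prefixes (instead of IOS wildcard masks), the sample ACL and the three problem definitions are the example's own.

```python
# Added example (not from the course or APIC-EM): ACL shadow/duplicate/conflict checks.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access control entry (ACE) of an ordered ACL."""
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any protocol), "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None means any destination port

    def covers(self, other):
        """True when every packet matched by `other` is also matched by this entry."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.dport is None or self.dport == other.dport))


def parse_ace(line):
    """Parse the simplified 'seq action proto src dst [eq port]' syntax used here."""
    parts = line.split()
    seq, action, proto = int(parts[0]), parts[1], parts[2]
    src = ANY if parts[3] == "any" else ip_network(parts[3])
    dst = ANY if parts[4] == "any" else ip_network(parts[4])
    dport = int(parts[6]) if len(parts) > 6 and parts[5] == "eq" else None
    return Ace(seq, action, proto, src, dst, dport)


def parse_acl(lines):
    return [parse_ace(line) for line in lines]


def analyze(aces):
    """Report entries that can never take effect and the earlier entry responsible.

    Definitions used by this example:
      duplicate   - same match and same action as an earlier entry
      shadowed    - narrower than an earlier entry with the same action (redundant)
      conflicting - within an earlier entry that has the opposite action (never hit)
    """
    findings = []
    for index, later in enumerate(aces):
        for earlier in aces[:index]:
            if not earlier.covers(later):
                continue
            if earlier.action != later.action:
                kind = "conflicting"
            elif later.covers(earlier):
                kind = "duplicate"
            else:
                kind = "shadowed"
            findings.append((later.seq, kind, earlier.seq))
            break  # the first covering entry is the one that actually catches the traffic
    return findings


def evaluate(aces, proto, src_ip, dst_ip, dport):
    """First-match lookup for one flow, with the implicit deny every ACL ends with."""
    probe = Ace(0, "", proto, ip_network(src_ip + "/32"), ip_network(dst_ip + "/32"), dport)
    for ace in aces:
        if ace.covers(probe):
            return ace.seq, ace.action
    return None, "deny"


# Constructed ACL containing one of each problem; entry 70 follows "deny ip any any".
SAMPLE_ACL = [
    "10 permit tcp 10.1.0.0/16 any eq 443",
    "20 deny tcp 10.1.5.0/24 any eq 443",
    "30 permit tcp 10.1.5.0/24 any eq 443",
    "40 permit udp any any eq 53",
    "50 permit udp any any eq 53",
    "60 deny ip any any",
    "70 permit tcp 10.2.0.0/16 any eq 22",
]
```

Running `analyze(parse_acl(SAMPLE_ACL))` reports 20 as conflicting with 10, 30 as shadowed by 10, 50 as a duplicate of 40 and 70 as conflicting with 60; `evaluate` confirms that SSH from 10.2.3.4 is stopped by entry 60, so entry 70 never permits anything.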

13.6 Module Practice and Quiz

Module Practice and Quiz
Lab - Install Linux in a Virtual Machine and Explore the GUI
In this lab, you will complete the following objectives:

• Prepare a Computer for Virtualization
• Install a Linux OS on the Virtual Machine
• Explore the GUI

Module Practice and Quiz
What Did I Learn In This Module?
• Cloud computing involves large numbers of computers connected through a network that can be physically
located anywhere. Cloud computing can reduce operational costs by using resources more efficiently.
• The three main cloud computing services defined by the National Institute of Standards and Technology
(NIST) are Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service
(IaaS).
• The four types of clouds are public, private, hybrid, and community.
• Virtualization is the foundation of cloud computing. Virtualization separates the operating system (OS) from
the hardware.
• Virtualization reduces costs because less equipment is required, less energy is consumed, and less space
is required. It provides for easier prototyping, faster server provisioning, increased server uptime, improved
disaster recovery, and legacy support.
• With Type 1 hypervisors, the hypervisor is installed directly on the server or networking hardware. A Type 2
hypervisor is software that creates and runs VM instances. It can be installed on top of the OS or can be
installed between the firmware and the OS.

Module Practice and Quiz
What Did I Learn In This Module? (Cont.)
• Type 1 hypervisors are also called the “bare metal” approach because the hypervisor is installed directly on
the hardware. Type 1 hypervisors have direct access to the hardware resources and are more efficient than
hosted architectures. They improve scalability, performance, and robustness.
• Type 1 hypervisors require a “management console” to manage the hypervisor.
• Server virtualization hides server resources, such as the number and identity of physical servers,
processors, and OSs from server users. This practice can create problems if the data center is using
traditional network architectures.
• Traffic flows in the data center differ substantially from the traditional client-server model. Typically, a data
center has a considerable amount of traffic being exchanged between virtual servers (East-West traffic)
and can change in location and intensity over time. North-South traffic occurs between the distribution and
core layers and is typically traffic destined for offsite locations such as another data center, other cloud
providers, or the internet.
• Two major network architectures have been developed to support network virtualization: Software-Defined
Networking (SDN) and Cisco Application Centric Infrastructure (ACI).
• Components of SDN may include OpenFlow, OpenStack, and other components.

Module Practice and Quiz
What Did I Learn In This Module? (Cont.)
• A network device contains a control plane and a data plane. The control plane is regarded as the brains of
a device.
• SDN is basically the separation of the control plane and data plane. The control plane function is removed
from each device and is performed by a centralized controller.
• The SDN controller is a logical entity that enables network administrators to manage and dictate how the
data plane of switches and routers should handle network traffic.
• The data plane, also called the forwarding plane, is typically the switch fabric connecting the various
network ports on a device, and is used to forward traffic flows.
• The management plane is responsible for managing a device through its connection to the network.
• Cisco developed the Application Centric Infrastructure (ACI) which is more advanced and innovative than
earlier SDN approaches.
• Cisco ACI is a hardware solution for integrating cloud computing and data center management.
• At a high level, the policy element of the network is removed from the data plane. This simplifies the way
data center networks are created.

Module Practice and Quiz
What Did I Learn In This Module? (Cont.)
• The three core components of the ACI architecture are Application Network Profile (ANP), Application
Policy Infrastructure Controller (APIC), and Cisco Nexus 9000 Series switches.
• The Cisco ACI fabric is composed of the APIC and the Cisco Nexus 9000 series switches using two-tier
spine-leaf topology.
• When compared to SDN, the APIC controller does not manipulate the data path directly. Instead, the APIC
centralizes the policy definition and programs the leaf switches to forward traffic based on the defined
policies.
• There are three types of SDN: Device-based SDN, Controller-based SDN, and Policy-based SDN.
• Policy-based SDN includes an additional Policy layer that operates at a higher level of abstraction. Policy-
based SDN is the most robust, providing for a simple mechanism to control and manage policies across
the entire network.
• Cisco APIC-EM is an example of policy-based SDN. Cisco APIC-EM provides a single interface for network
management including discovering and accessing device and host inventories, viewing the topology,
tracing a path between end points, and setting policies.
• The APIC-EM Path Trace tool allows the administrator to easily visualize traffic flows and discover any
conflicting, duplicate, or shadowed ACL entries. This tool examines specific ACLs on the path between two
end nodes, displaying any potential issues.

Module 14: Network Automation
Enterprise Networking, Security, and Automation v7.0
(ENSA)
Module Objectives
Module Title: Network Virtualization

Module Objective: Explain the purpose and characteristics of network virtualization.

Topic Title                     Topic Objective
Cloud Computing                 Explain the importance of cloud computing.
Virtualization                  Explain the importance of virtualization.
Virtual Network Infrastructure  Describe the virtualization of network devices and services.
Software-Defined Networking     Describe software-defined networking.
Controllers                     Describe controllers used in network programming.
14.1 Automation Overview

Automation Overview
Video - Automation Everywhere
We now see automation everywhere, from self-serve checkouts at stores and automatic
building environmental controls, to autonomous cars and planes. How many automated
systems do you encounter in a single day?

Automation Overview
The Increase in Automation
These are some of the benefits of automation:
• Machines can work 24 hours a day without breaks, which results in greater output.
• Machines provide a more uniform product.
• Automation allows the collection of vast amounts of data that can be quickly analyzed
to provide information which can help guide an event or process.
• Robots are used in dangerous conditions such as mining, firefighting, and cleaning up
industrial accidents. This reduces the risk to humans.
• Under certain circumstances, smart devices can alter their behavior to reduce energy
usage, make a medical diagnosis, and improve automobile driving safety.

Automation Overview
Thinking Devices
• Many devices now incorporate smart technology to help to govern their behavior. This
can be as simple as a smart appliance lowering its power consumption during periods
of peak demand or as complex as a self-driving car.
• Whenever a device takes a course of action based on an outside piece of information,
then that device is referred to as a smart device. Many devices that we interact with
now have the word smart in their names. This indicates that the device has the ability
to alter its behavior depending on its environment.
• In order for devices to “think”, they need to be programmed using network automation
tools.

14.2 Data Formats

Data Formats
Video - Data Formats
This video covers the following:
• HTML
• XML
• JSON
• YAML

Data Formats
The Data Formats Concept
• Data formats are simply a way to store and exchange data in a structured format. One
such format is called Hypertext Markup Language (HTML). HTML is a standard
markup language for describing the structure of web pages.
• These are some common data formats that are used in many applications including
network automation and programmability:
• JavaScript Object Notation (JSON)
• eXtensible Markup Language (XML)
• YAML Ain’t Markup Language (YAML)
• The data format that is selected will depend on the format that is used by the
application, tool, or script that you are using. Many systems will be able to support
more than one data format, which allows the user to choose their preferred one.

Data Formats
Data Format Rules
Data formats have rules and structure similar to what we have with programming and
written languages. Each data format will have specific characteristics:
• Syntax, which includes the types of brackets used, such as [ ], ( ), { }, the use of white
space, or indentation, quotes, commas, and more.
• How objects are represented, such as characters, strings, lists, and arrays.
• How key/value pairs are represented. The key is usually on the left side and it
identifies or describes the data. The value on the right is the data itself and can be a
character, string, number, list or another type of data.

Data Formats
Compare Data Formats
JSON Format
{
  "message": "success",
  "timestamp": 1560789260,
  "iss_position": {
    "latitude": "25.9990",
    "longitude": "-132.6992"
  }
}

YAML Format
message: success
timestamp: 1560789260
iss_position:
  latitude: '25.9990'
  longitude: '-132.6992'

XML Format
<?xml version="1.0" encoding="UTF-8" ?>
<root>
  <message>success</message>
  <timestamp>1560789260</timestamp>
  <iss_position>
    <latitude>25.9990</latitude>
    <longitude>-132.6992</longitude>
  </iss_position>
</root>
Data Formats
JSON Data Format
• JSON is a human readable data format used by applications for storing, transferring
and reading data. JSON is a very popular format used by web services and APIs to
provide public data. This is because it is easy to parse and can be used with most
modern programming languages, including Python.

Data Formats
JSON Data Format (Cont.)
GigabitEthernet0/0/0 is up, line protocol is up (connected)
  Description: Wide Area Network
  Internet address is 172.16.0.2/24

Compare the IOS output above to the output in JSON format. Notice that each object (each
key/value pair) is a different piece of data about the interface, including its name, a
description, and whether the interface is enabled.

{
  "ietf-interfaces:interface": {
    "name": "GigabitEthernet0/0/0",
    "description": "Wide Area Network",
    "enabled": true,
    "ietf-ip:ipv4": {
      "address": [
        {
          "ip": "172.16.0.2",
          "netmask": "255.255.255.0"
        }
      ]
    }
  }
}
Data Formats
JSON Syntax Rules
These are some of the characteristics of JSON:
• It uses a hierarchical structure and contains nested values.
• It uses braces { } to hold objects and square brackets [ ] to hold arrays.
• Its data is written as key/value pairs.

With JSON, the data known as an object is one or more key/value pairs enclosed in
braces { }. The syntax for a JSON object includes:
• Keys must be strings within double quotation marks " ".
• Values must be a valid JSON data type (string, number, array, Boolean, null, or
another object).
• Keys and values are separated by a colon.
• Multiple key/value pairs within an object are separated by commas.
• White space is not significant.

Data Formats
JSON Syntax Rules (Cont.)
At times a key may contain more than one value. This is known as an array. An array in
JSON is an ordered list of values. Characteristics of arrays in JSON include:
• The key followed by a colon and a list of values enclosed in square brackets [ ].
• The array is an ordered list of values.
• The array can contain multiple value types including a string, number, Boolean, object
or another array inside the array.
• Each value in the array is separated by a comma.

Data Formats
JSON Syntax Rules (Cont.)
For example, a list of IPv4 addresses might look like the following output. The key is
"addresses". Each item in the list is a separate object, enclosed in braces { }. Each
object holds two key/value pairs, an IPv4 address ("ip") and a subnet mask ("netmask"),
separated by a comma. The objects in the array are also separated by a comma, placed
after the closing brace of each object.

{
  "addresses": [
    {
      "ip": "172.16.0.2",
      "netmask": "255.255.255.0"
    },
    {
      "ip": "172.16.0.3",
      "netmask": "255.255.255.0"
    },
    {
      "ip": "172.16.0.4",
      "netmask": "255.255.255.0"
    }
  ]
}

Data Formats
YAML Data Format
YAML is another type of human readable data format used by applications for storing,
transferring, and reading data. Some of the characteristics of YAML include:
• It is like JSON and is considered a superset of JSON.
• It has a minimalist format making it easy to both read and write.
• It uses indentation to define its structure, without the use of brackets or commas.

Data Formats
YAML Data Format (Cont.)
• IOS output in JSON is shown first. The same data in YAML format follows. It is easier to
read.
• Similar to JSON, a YAML object is one or more key/value pairs. The key and its value are
separated by a colon, without the use of quotation marks. In YAML, a hyphen marks each
element in a list.

JSON:
{
  "ietf-interfaces:interface": {
    "name": "GigabitEthernet2",
    "description": "Wide Area Network",
    "enabled": true,
    "ietf-ip:ipv4": {
      "address": [
        {
          "ip": "172.16.0.2",
          "netmask": "255.255.255.0"
        },
        {
          "ip": "172.16.0.3",
          "netmask": "255.255.255.0"
        },
        {
          "ip": "172.16.0.4",
          "netmask": "255.255.255.0"
        }
      ]
    }
  }
}

YAML:
ietf-interfaces:interface:
  name: GigabitEthernet2
  description: Wide Area Network
  enabled: true
  ietf-ip:ipv4:
    address:
      - ip: 172.16.0.2
        netmask: 255.255.255.0
      - ip: 172.16.0.3
        netmask: 255.255.255.0
      - ip: 172.16.0.4
        netmask: 255.255.255.0
Data Formats
XML Data Format
XML is one more type of human readable data format used to store, transfer, and read
data by applications. Some of the characteristics of XML include:
• It is like HTML, which is the standardized markup language for creating web pages
and web applications.
• It is self-descriptive. It encloses data within a related set of tags: <tag>data</tag>
• Unlike HTML, XML uses no predefined tags or document structure.
XML objects are one or more key/value pairs, with the beginning tag used as the name of
the key: <key>value</key>
Data Formats
XML Data Format (Cont.)
The output shows the same data for GigabitEthernet2 formatted as an XML data structure.
Notice how the values are enclosed within the object tags. In this example, each key/value
pair is on a separate line and some lines are indented. This is not required but is done for
readability. The list uses repeated instances of <tag></tag> for each element in the list.
The elements within these repeated instances represent one or more key/value pairs.

<?xml version="1.0" encoding="UTF-8" ?>
<ietf-interfaces:interface>
  <name>GigabitEthernet2</name>
  <description>Wide Area Network</description>
  <enabled>true</enabled>
  <ietf-ip:ipv4>
    <address>
      <ip>172.16.0.2</ip>
      <netmask>255.255.255.0</netmask>
    </address>
    <address>
      <ip>172.16.0.3</ip>
      <netmask>255.255.255.0</netmask>
    </address>
    <address>
      <ip>172.16.0.4</ip>
      <netmask>255.255.255.0</netmask>
    </address>
  </ietf-ip:ipv4>
</ietf-interfaces:interface>
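To make the formats concrete, here is an added Python example (it is not from the slides or from Cisco) that parses the JSON and the XML versions of the GigabitEthernet2 record into one canonical Python record, confirms that both say the same thing, and validates the addresses before anything acts on them. The sample inputs are constructed from the slide's values; the XML additionally declares the ietf-interfaces and ietf-ip namespace prefixes, which the slide omits, because a namespace-aware parser rejects undeclared prefixes. YAML is left out only because parsing it needs a third-party library.

```python
import ipaddress
import json
import xml.etree.ElementTree as ET

# Constructed sample input: the GigabitEthernet2 record from the slides, once as
# JSON and once as XML. The XML declares the two YANG namespaces so that a
# namespace-aware parser accepts the prefixes (the slide omits the declarations).
INTERFACE_JSON = """{
  "ietf-interfaces:interface": {
    "name": "GigabitEthernet2",
    "description": "Wide Area Network",
    "enabled": true,
    "ietf-ip:ipv4": {
      "address": [
        {"ip": "172.16.0.2", "netmask": "255.255.255.0"},
        {"ip": "172.16.0.3", "netmask": "255.255.255.0"},
        {"ip": "172.16.0.4", "netmask": "255.255.255.0"}
      ]
    }
  }
}"""

INTERFACE_XML = """<ietf-interfaces:interface
    xmlns:ietf-interfaces="urn:ietf:params:xml:ns:yang:ietf-interfaces"
    xmlns:ietf-ip="urn:ietf:params:xml:ns:yang:ietf-ip">
  <name>GigabitEthernet2</name>
  <description>Wide Area Network</description>
  <enabled>true</enabled>
  <ietf-ip:ipv4>
    <address><ip>172.16.0.2</ip><netmask>255.255.255.0</netmask></address>
    <address><ip>172.16.0.3</ip><netmask>255.255.255.0</netmask></address>
    <address><ip>172.16.0.4</ip><netmask>255.255.255.0</netmask></address>
  </ietf-ip:ipv4>
</ietf-interfaces:interface>"""


def _local(tag):
    """Strip the {namespace} part ElementTree prepends to namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def canonical_from_json(text):
    """Parse the JSON form into a plain record: name, description, enabled, addresses."""
    iface = json.loads(text)["ietf-interfaces:interface"]
    return {
        "name": iface["name"],
        "description": iface["description"],
        "enabled": iface["enabled"],  # JSON has a real boolean type
        "addresses": [(a["ip"], a["netmask"]) for a in iface["ietf-ip:ipv4"]["address"]],
    }


def canonical_from_xml(text):
    """Parse the XML form into the same record shape as canonical_from_json."""
    root = ET.fromstring(text)
    child = {_local(c.tag): c for c in root}
    addresses = []
    for addr in child["ipv4"]:
        if _local(addr.tag) != "address":
            continue
        kv = {_local(c.tag): (c.text or "").strip() for c in addr}
        addresses.append((kv["ip"], kv["netmask"]))
    return {
        "name": (child["name"].text or "").strip(),
        "description": (child["description"].text or "").strip(),
        # XML carries only text, so the boolean has to be interpreted explicitly.
        "enabled": (child["enabled"].text or "").strip() == "true",
        "addresses": addresses,
    }


def validate(record):
    """Return a list of problems with a parsed record; an empty list means it is usable.
    Data that arrived over an API is still untrusted input: check it before acting on it."""
    problems = []
    if not isinstance(record.get("enabled"), bool):
        problems.append("enabled is not a boolean")
    for ip, mask in record.get("addresses", []):
        try:
            # Rejects malformed addresses and non-contiguous netmasks such as 255.0.255.0.
            ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        except ValueError as exc:
            problems.append(f"{ip}/{mask}: {exc}")
    return problems
```

The two parsers return identical records, which is the practical meaning of "the same data in a different format". The validation step is where a script that later pushes these values to a device should stop on bad input rather than passing it through.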
14.3 APIs
APIs
Video - APIs
This video will cover the following:
• Define API
• See examples of popular APIs:
• SOAP
• REST
• NETCONF
• RESTCONF
• Execute an API call in a browser and in Postman.
APIs
The API Concept
• An API is software that allows other applications to access its data or services. It is a
set of rules describing how one application can interact with another, and the
instructions to allow the interaction to occur. The user sends an API request to a
server asking for specific information and receives an API response in return from the
server along with the requested information.
• An API is similar to a waiter in a restaurant, as shown in the following figure.
APIs
An API Example
To really understand how APIs can be used to provide data and services, we will look at
two options for booking airline reservations. The first option uses the web site of a specific
airline. Using the airline’s web site, the user enters the information to make a reservation
request. The web site interacts directly with the airline’s own database and provides the
user with information matching the user’s request.
APIs
An API Example (Cont.)
A travel site can access this same information, not only from a specific airline but from a
variety of airlines. In this case, the user enters similar reservation information. The travel
service web site interacts with the various airline databases using APIs provided by each
airline. The travel service uses each airline API to request information from that specific
airline, and then it displays the information from all the airlines on its web page.

The API acts as a kind of messenger between the requesting application and the application
on the server that provides the data or service. The message from the requesting application
to the server where the data resides is known as an API call.
APIs
Open, Internal, and Partner APIs
An important consideration when developing an API is the distinction between open,
internal, and partner APIs:
• Open APIs or Public APIs - These APIs are publicly available and can be used with
no restrictions. Because these APIs are public, many API providers require the user to
get a free key, or token, prior to using the API. This is to help control the number of
API requests they receive and process.
• Internal or Private APIs - These are APIs that are used by an organization or
company to access data and services for internal use only. An example of an internal
API is allowing authorized salespeople access to internal sales data on their mobile
devices.
• Partner APIs - These are APIs that are used between a company and its business
partners or contractors to facilitate business between them. The business partner
must have a license or other form of permission to use the API. A travel service using
an airline’s API is an example of a partner API.
APIs
Types of Web Service APIs
A web service is a service that is available over the internet, using the World Wide Web.
There are four types of web service APIs:
• Simple Object Access Protocol (SOAP)
• Representational State Transfer (REST)
• eXtensible Markup Language-Remote Procedure Call (XML-RPC)
• JavaScript Object Notation-Remote Procedure Call (JSON-RPC)

Characteristic   SOAP               REST                          XML-RPC                        JSON-RPC
Data Format      XML                JSON, XML, YAML, and others   XML                            JSON
First released   1998               2000                          1998                           2005
Strengths        Well-established   Flexible formatting and       Well-established, simplicity   Simplicity
                                    most widely used
14.4 REST
REST
Video - REST
This video covers the following:
• Execute a REST API request
• Web browser - HTTP
• Command Line - CURL
• Application - Postman
• Programming Language - Python, Javascript, Ruby, and more
REST
REST and RESTful API
• Web browsers use HTTP or HTTPS to request (GET) a web page. If successfully
requested (HTTP status code 200), web servers respond to GET requests with an
HTML coded web page.
• Simply stated, a REST API is an API that works on top of HTTP. It defines a set of
functions developers can use to perform requests and receive responses using HTTP
methods such as GET and POST.
• Conforming to the constraints of the REST architecture is generally referred to as
being “RESTful”. An API can be considered “RESTful” if it has the following features:
• Client-Server - The client handles the front end and the server handles the back end. Either can
be replaced independently of the other.
• Stateless - No client data is stored on the server between requests. The session state is stored
on the client.
• Cacheable - Clients can cache responses to improve performance.
REST
RESTful Implementation
A RESTful web service is implemented using HTTP. It is a collection of resources with four defined
aspects:
• The base Uniform Resource Identifier (URI) for the web service, such
as http://example.com/resources.
• The data format supported by the web service. This is often JSON, YAML, or XML but could be
any other data format that is a valid hypertext standard.
• The set of operations supported by the web service using HTTP methods.
• The API must be hypertext driven.
RESTful APIs use common HTTP methods including POST, GET, PUT, PATCH and DELETE. As
shown in the following table, these correspond to RESTful operations: Create, Read, Update, and
Delete (or CRUD).
HTTP Method    RESTful Operation
POST           Create
GET            Read
PUT/PATCH      Update
DELETE         Delete
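The method-to-operation table above, as an added example that is not part of the original slides: a small in-memory RESTful dispatcher in Python that routes each HTTP method to its CRUD operation on a hypothetical /interfaces resource and returns the status codes a client would expect. The resource name, its fields and the status-code choices are illustration assumptions; the point is that POST creates and is not safe to repeat, PUT replaces and can be repeated without further effect, PATCH merges, and nothing about the caller is kept between requests.

```python
from http import HTTPStatus

# In-memory collection standing in for the server's back end. Constructed
# example, not from the slides: the resource is a set of named interfaces.
_INTERFACES = {}


def reset():
    """Clear the collection (handy between runs)."""
    _INTERFACES.clear()


def handle(method, path, body=None):
    """Dispatch one request to the CRUD operation its HTTP method implies.

    path is /interfaces (the collection) or /interfaces/<name> (one member);
    body is a dict for POST, PUT and PATCH. Returns (status, payload). Nothing
    about the client survives between calls, which is what "stateless" means.
    """
    parts = [p for p in path.split("/") if p]
    if not parts or parts[0] != "interfaces" or len(parts) > 2:
        return HTTPStatus.NOT_FOUND, None
    name = parts[1] if len(parts) == 2 else None

    if method == "GET":                                   # Read
        if name is None:
            return HTTPStatus.OK, {"interfaces": sorted(_INTERFACES)}
        if name not in _INTERFACES:
            return HTTPStatus.NOT_FOUND, None
        return HTTPStatus.OK, dict(_INTERFACES[name])

    if method == "POST":                                  # Create a new member
        if name is not None:                              # POST targets the collection
            return HTTPStatus.METHOD_NOT_ALLOWED, None
        new = (body or {}).get("name")
        if not new:
            return HTTPStatus.BAD_REQUEST, None
        if new in _INTERFACES:                            # not idempotent: a repeat conflicts
            return HTTPStatus.CONFLICT, None
        _INTERFACES[new] = dict(body)
        return HTTPStatus.CREATED, dict(_INTERFACES[new])

    # PUT, PATCH and DELETE address one existing member (this toy server does
    # not let PUT create a member that is missing).
    if name is None or name not in _INTERFACES:
        return HTTPStatus.NOT_FOUND, None

    if method == "PUT":                                   # Update: replace the whole member
        if not body or body.get("name") != name:          # the body must match the URI
            return HTTPStatus.BAD_REQUEST, None
        _INTERFACES[name] = dict(body)                    # idempotent: repeating it changes nothing
        return HTTPStatus.OK, dict(_INTERFACES[name])

    if method == "PATCH":                                 # Update: merge only the fields sent
        if not body or body.get("name", name) != name:
            return HTTPStatus.BAD_REQUEST, None
        _INTERFACES[name].update(body)
        return HTTPStatus.OK, dict(_INTERFACES[name])

    if method == "DELETE":                                # Delete
        del _INTERFACES[name]
        return HTTPStatus.NO_CONTENT, None

    return HTTPStatus.METHOD_NOT_ALLOWED, None
```

A real service would sit behind an HTTP server and authenticate every request, since each one arrives on its own; the dispatcher above is only the routing and state-handling core.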
REST
URI, URN, and URL
Web resources and web services such as RESTful APIs are identified using a URI. A URI
is a string of characters that identifies a specific network resource. A URI has two
specializations:
• Uniform Resource Name (URN) - identifies a resource (web page, document, image, etc.) by name
within a namespace, without saying how or where to retrieve it.
• Uniform Resource Locator (URL) - defines the network location of a specific resource. HTTP or
HTTPS URLs are typically used with web browsers. Protocols such as FTP, SFTP, SSH, and
others can use a URL. A URL using SFTP might look like: sftp://sftp.example.com.
These are the parts of the URI https://www.example.com/author/book.html#page155 :
• Protocol/scheme – HTTPS or other protocols such as FTP, SFTP, mailto, and NNTP
• Hostname - www.example.com
• Path and file name - /author/book.html
• Fragment - #page155
REST
Anatomy of a RESTful Request
• In a RESTful Web service, a request made to a resource's URI will elicit a response.
The response will be a payload typically formatted in JSON, but could be HTML, XML,
or some other format. The figure shows the URI for the MapQuest directions API. The
API request is for directions from San Jose, California to Monterey, California.
REST
Anatomy of a RESTful Request (Cont.)
These are the different parts of the API request:
• API Server - This is the URL for the server that answers REST requests. In this example it is the MapQuest API
server.
• Resources - Specifies the API that is being requested. In this example it is the MapQuest directions API.
• Query - Specifies the data format and information the client is requesting from the API service. Queries can
include:
• Format – This is usually JSON but can be YAML or XML. In this example JSON is requested.
• Key - The key is for authorization, if required. MapQuest requires a key for their directions API. In the above URI,
you would need to replace “KEY” with a valid key to submit a valid request.
• Parameters - Parameters are used to send information pertaining to the request. In this example, the query
parameters include information about the directions that the API needs so it knows what directions to return:
"from=San+Jose,Ca" and "to=Monterey,Ca".
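An added Python example (not from the slides) that takes the book.html URI from the previous slide apart into the parts listed there and assembles a directions request of the kind described above. The figure's URI is not reproduced on the page, so the MapQuest host and path used here are those of the public directions API and should be read as assumptions; the Authorization header form is also an assumption, since every provider documents its own way of passing a key. The last function is the masking step a practitioner wants before an API URI is written to a log.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def uri_parts(uri):
    """Split a URI into the parts named on the slide: scheme, hostname, path, query, fragment."""
    s = urlsplit(uri)
    return {
        "scheme": s.scheme,
        "hostname": s.hostname,
        "path": s.path,
        "query": parse_qs(s.query),
        "fragment": s.fragment,
    }


def build_request(server, resource, params, key, key_in_header=True):
    """Assemble the URI and headers for an API call.

    server   - the API server host, e.g. www.mapquestapi.com (assumed here)
    resource - the path of the API being requested
    params   - query parameters describing what is wanted
    key      - the API key that identifies (and often authorizes) the caller

    With key_in_header=True the key travels in an Authorization header (assumed
    header and scheme; every provider documents its own). With False it goes in
    the query string, which is the form the MapQuest directions API expects.
    """
    query = dict(params)
    headers = {"Accept": "application/json"}
    if key_in_header:
        headers["Authorization"] = f"Bearer {key}"
    else:
        query["key"] = key
    # urlencode percent-encodes values, so "San Jose,Ca" becomes San+Jose%2CCa.
    uri = urlunsplit(("https", server, resource, urlencode(query), ""))
    return uri, headers


def redact_key(uri):
    """Return the URI with any 'key' query parameter masked, for safe logging.
    A key in the query string ends up in browser history, proxy logs and the
    provider's access logs, so never log the raw URI."""
    s = urlsplit(uri)
    query = parse_qs(s.query, keep_blank_values=True)
    if "key" in query:
        query["key"] = ["REDACTED"]
    return urlunsplit((s.scheme, s.netloc, s.path, urlencode(query, doseq=True), s.fragment))
```

Calling build_request with key_in_header=False reproduces the slide's "replace KEY with a valid key" form; with the default, the URI can be shared or logged without leaking the key.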
REST
Anatomy of a RESTful Request (Cont.)
Many RESTful APIs, including public APIs, require a key. The key is used to identify the
source of the request. Here are some reasons why an API provider may require a key:
• To authenticate the source to make sure they are authorized to use the API.
• To limit the number of people using the API.
• To limit the number of requests per user.
• To better capture and track the data being requested by users.
• To gather information on the people using the API.
Because the key is usually the only credential the request carries, treat it as a secret:
keep it out of source control and shared URLs, and send it in a request header rather
than the query string where the API allows it, since query strings are written to logs.
Note: The MapQuest API does require a key. Search the internet for the URL to obtain a
MapQuest key. Use the search parameters: developer.mapquest. You can also search the
internet for the current URL that outlines the MapQuest privacy policy.
REST
RESTful API Applications
• Many web sites and applications use APIs to access information and provide service
for their customers.
• Some RESTful API requests can be made by typing in the URI from within a web
browser. The MapQuest directions API is an example of this. A RESTful API request
can also be made in other ways.
• Developer Web Site: Developers often maintain web sites that include information about the API,
parameter information, and usage examples. These sites may also allow the user to perform the
API request within the developer web page by entering in the parameters and other information.
• Postman: Postman is an application for testing and using REST APIs. It contains everything
required for constructing and sending REST API requests, including entering query parameters
and keys.
• Python: APIs can also be called from within a Python program. This allows for possible
automation, customization, and App integration of the API.
• Network Operating Systems: Using protocols such as NETCONF (NET CONFiguration) and
RESTCONF, network operating systems are beginning to provide an alternative method for
configuration, monitoring, and management.
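As an added example of the RESTCONF alternative mentioned in the last bullet (it is not part of the original slides), here is how a RESTCONF request for the same ietf-interfaces data shown on the earlier slides is prepared in Python. The device address, credentials and CA bundle path are placeholders; the URL layout follows RFC 8040 and application/yang-data+json is the media type RESTCONF defines. The request is only built here; send() would deliver it over a certificate-verified TLS connection.

```python
import base64
import json
import ssl
import urllib.request
from urllib.parse import quote


def restconf_request(host, interface, username, password, method="GET", body=None):
    """Prepare a RESTCONF request for one interface in the ietf-interfaces YANG model.

    The URL layout (/restconf/data/<module>:<container>/<list>=<key>) is the one
    RFC 8040 defines; host and credentials are placeholders. Nothing is sent
    here; the caller passes the Request to send()."""
    # List keys containing "/" (GigabitEthernet0/0/0) must be percent-encoded.
    url = (f"https://{host}/restconf/data/ietf-interfaces:interfaces/"
           f"interface={quote(interface, safe='')}")
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {
        "Accept": "application/yang-data+json",   # ask for JSON-encoded YANG data
        "Authorization": f"Basic {creds}",         # basic auth: only ever over verified TLS
    }
    data = None
    if body is not None:
        headers["Content-Type"] = "application/yang-data+json"
        data = json.dumps(body).encode()
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def description_patch(text):
    """Body for a PATCH that changes only the interface description."""
    return {"ietf-interfaces:interface": {"description": text}}


def tls_context(ca_file=None):
    """A context that verifies the device certificate against the system store or a
    CA bundle you supply. Do not replace it with ssl._create_unverified_context():
    with basic auth, an unverified connection hands the password to anyone in the path."""
    return ssl.create_default_context(cafile=ca_file)


def verifies_certificates(context):
    """True when the context rejects unverifiable or mismatched certificates."""
    return context.verify_mode == ssl.CERT_REQUIRED and bool(context.check_hostname)


def send(request, context, timeout=10):
    """Send a prepared request and decode the JSON body. Raises urllib.error.HTTPError
    on 4xx/5xx, so a 401 from bad credentials surfaces as an exception."""
    with urllib.request.urlopen(request, context=context, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read().decode())


# Usage against a real device (placeholders; not run here):
# req = restconf_request("10.0.0.1", "GigabitEthernet2", "admin", "secret")
# status, doc = send(req, tls_context("/path/to/device-ca.pem"))
# doc["ietf-interfaces:interface"]["ietf-ip:ipv4"]["address"] is the list shown on the slides.
```

The GET response body is the JSON document displayed earlier in this module, so the parsing shown for the data formats applies to it unchanged.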
14.5 Configuration
Management Tools
Configuration Management Tools
Video - Configuration Management Tools
This video will cover the following:
• Compare configuration management tools including Ansible, Puppet, Chef and
SaltStack.
• Review plays, tasks, modules, parameters, and variables in a sample playbook
Configuration Management Tools
Traditional Network Configuration
Network devices have traditionally been configured by a network administrator using the
CLI. Whenever there is a change or new feature, the necessary configuration commands
must be manually entered on all of the appropriate devices. This becomes a major issue on
larger networks or with more complex configurations.
Configuration Management Tools
Traditional Network Configuration
Simple Network Management Protocol (SNMP) lets administrators manage nodes on an IP
network. With a network management station (NMS), network administrators use SNMP to
monitor and manage network performance, find and solve network problems, and perform
queries for statistics. SNMP is not typically used for configuration due to security concerns
and difficulty in implementation. SNMPv1 and SNMPv2c authenticate with community strings
sent in cleartext, so a captured write community string gives an attacker the same control
it gives the NMS; SNMPv3 adds per-user authentication and encryption.

You can also use APIs to automate the deployment and management of network resources.
Instead of manually configuring ports, access lists, QoS, and load balancing policies, you
can use tools to automate configurations.
Configuration Management Tools
Network Automation
We are rapidly moving away from a world where a network administrator manages a few
dozen network devices, to one where they are deploying and managing a great number of
complex network devices (both physical and virtual) with the help of software. This
transformation is quickly spreading to all places in the network. There are new and different
methods for network administrators to automatically monitor, manage, and configure the
network. These include protocols and technologies such as REST, Ansible, Puppet, Chef,
Python, JSON, XML, and more.
Configuration Management Tools
Configuration Management Tools
Configuration management tools make use of RESTful API requests to automate tasks
and can scale across thousands of devices. These are some characteristics of the
network that administrators benefit from automating:
• Software and version control
• Device attributes such as names, addressing, and security
• Protocol configurations
• ACL configurations
Configuration management tools typically include automation and orchestration.
Automation is when a tool automatically performs a task on a system. Orchestration is the
arranging of automated tasks into a coordinated process or workflow.
Configuration Management Tools
Configuration Management Tools (Cont.)
There are several tools available to make configuration management easier:
• Ansible
• Chef
• Puppet
• SaltStack
The goal of all of these tools is to reduce the complexity and time involved in configuring
and maintaining a large-scale network infrastructure with hundreds, even thousands of
devices. These same tools can benefit smaller networks as well.
Configuration Management Tools
Compare Ansible, Chef, Puppet, and SaltStack
Ansible, Chef, Puppet, and SaltStack all come with API documentation for configuring
RESTful API requests. All of them support JSON and YAML as well as other data formats.
The following table shows a summary of a comparison of major characteristics of Ansible,
Puppet, Chef, and SaltStack configuration management tools.

Characteristic                 Ansible                          Chef           Puppet          SaltStack
What programming language?     Python + YAML                    Ruby           Ruby            Python
Agent-based or agentless?      Agentless                        Agent-based    Supports both   Supports both
How are devices managed?       Any device can be “controller”   Chef Master    Puppet Master   Salt Master
What is created by the tool?   Playbook                         Cookbook       Manifest        Pillar
14.6 IBN and Cisco DNA
Center
IBN and Cisco DNA Center
Video - Intent-Based Networking
• You have learned of the many tools and software that can help you automate your
network. Intent-Based Networking (IBN) and Cisco Digital Network Architecture (DNA)
Center can help you bring it all together to create an automated network.
• Play the video by Cisco’s John Apostolopoulos and Anand Oswal explaining how
artificial intelligence and intent-based networking (IBN) can improve networks.
IBN and Cisco DNA Center
Intent-Based Networking Overview
• IBN is the emerging industry model for the next generation of networking. IBN builds
on Software-Defined Networking (SDN), transforming a hardware-centric and manual
approach to designing and operating networks to one that is software-centric and fully
automated.
• Business objectives for the network are expressed as intent. IBN captures business
intent and uses analytics, machine learning, and automation to align the network
continuously and dynamically as business needs change.
• IBN captures and translates business intent into network policies that can be
automated and applied consistently across the network.
IBN and Cisco DNA Center
Intent-Based Networking Overview (Cont.)
Cisco views IBN as having three essential functions: translation, activation, and
assurance. These functions interact with the underlying physical and virtual infrastructure,
as shown in the figure.
Translation - The translation function enables the
network administrator to express the expected
networking behavior that will best support the
business intent.
Activation - The captured intent then needs to be
interpreted into policies that can be applied across
the network. The activation function installs these
policies into the physical and virtual network
infrastructure using networkwide automation.
Assurance - In order to continuously check that the
expressed intent is honored by the network at any
point in time, the assurance function maintains a
continuous validation-and-verification loop.
IBN and Cisco DNA Center
Network Infrastructure as Fabric
• From the perspective of IBN, the physical and virtual network infrastructure is a fabric; an
overlay that represents the logical topology used to virtually connect to devices. The overlay
limits the number of devices the network administrator must program and provides services
and alternative forwarding methods not controlled by the underlying physical devices.
• The overlay is where encapsulation protocols like IPsec and CAPWAP occur. Using an IBN
solution, the network administrator can use policies to specify exactly what happens in the
overlay control plane. Notice that how the switches are physically connected is not a
concern of the overlay.
IBN and Cisco DNA Center
Network Infrastructure as Fabric (Cont.)
The underlay network is the physical topology that includes all hardware required to meet
business objectives. The underlay reveals additional devices and specifies how these devices
are connected. End points, such as the servers in the figure, access the network through the
Layer 2 devices. The underlay control plane is responsible for simple forwarding tasks.
IBN and Cisco DNA Center
Cisco Digital Network Architecture (DNA)
Cisco implements the IBN fabric using Cisco DNA. The business intent is securely deployed
into the network infrastructure (the fabric). Cisco DNA then continuously gathers data from a
multitude of sources (devices and applications) to provide a rich context of information. This
information can then be analyzed to make sure the network is performing securely at its
optimal level and in accordance with business intent and network policies.
IBN and Cisco DNA Center
Cisco Digital Network Architecture (DNA) (Cont.)
Cisco DNA Solution: SD-Access
  Description:
  • First intent-based enterprise networking solution built using Cisco DNA.
  • It uses a single network fabric across LAN and WLAN to create a consistent, highly secure
    user experience.
  • It segments user, device, and application traffic and automates user-access policies to
    establish the right policy for any user or device, with any application, across a network.
  Benefits:
  • Enables network access in minutes for any user or device to any application without
    compromising security.

Cisco DNA Solution: SD-WAN
  Description:
  • It uses a secure cloud-delivered architecture to centrally manage WAN connections.
  • It simplifies and accelerates delivery of secure, flexible and rich WAN services to connect
    data centers, branches, campuses, and colocation facilities.
  Benefits:
  • Delivers better user experiences for applications residing on-premise or in the cloud.
  • Achieve greater agility and cost savings through easier deployments and transport
    independence.
IBN and Cisco DNA Center
Cisco Digital Network Architecture (DNA) (Cont.)
Cisco DNA Solution: Cisco DNA Assurance
  Description:
  • Used to troubleshoot and increase IT productivity.
  • It applies advanced analytics and machine learning to improve performance and issue
    resolution, and predict to assure network performance.
  • It provides real-time notification for network conditions that require attention.
  Benefits:
  • Allows you to identify root causes and provides suggested remediation for faster
    troubleshooting.
  • The Cisco DNA Center provides an easy-to-use single dashboard with insights and
    drill-down capabilities.
  • Machine learning continually improves network intelligence to predict problems before
    they occur.

Cisco DNA Solution: Cisco DNA Security
  Description:
  • Used to provide visibility by using the network as a sensor for real-time analysis and
    intelligence.
  • It provides increased granular control to enforce policy and contain threats across the
    network.
  Benefits:
  • Reduce risk and protect your organization against threats - even in encrypted traffic.
  • Gain 360-degree visibility through real-time analytics for deep intelligence across the
    network.
  • Lower complexity with end-to-end security.
IBN and Cisco DNA Center
Cisco DNA Center
• Cisco DNA Center is the foundational controller and analytics platform at the heart of
Cisco DNA. It supports the expression of intent for multiple use cases, including basic
automation capabilities, fabric provisioning, and policy-based segmentation in the
enterprise network. Cisco DNA Center is a network management and command
center for provisioning and configuring network devices. It is a hardware and software
platform providing a ‘single-pane-of-glass’ (single interface) that focuses on
assurance, analytics, and automation.
• The DNA Center interface launch page gives you an overall health summary and
network snapshot. From here, the network administrator can quickly drill down into
areas of interest.
IBN and Cisco DNA Center
Cisco DNA Center (Cont.)
At the top, menus provide you access to DNA Center’s five main areas. As shown in the
figure, these are:
• Design - Model your entire network, from sites and buildings to devices and links, both physical
and virtual, across campus, branch, WAN, and cloud.
• Policy - Use policies to automate and simplify network management, reducing cost and risk while
speeding rollout of new and enhanced services.
• Provision - Provide new services to users with ease, speed, and security across your enterprise
network, regardless of network size and complexity.
• Assurance - Use proactive monitoring and insights from the network, devices, and applications to
predict problems faster and ensure that policy and configuration changes achieve the business
intent and the user experience you want.
• Platform - Use APIs to integrate with your preferred IT systems to create end-to-end solutions and
add support for multi-vendor devices.
IBN and Cisco DNA Center
Video - DNA Center Overview and Platform APIs
This video is an overview of the Cisco DNA Center GUI. It includes
design, policy, provision, and assurance tools used to control multiple
sites and multiple devices.
IBN and Cisco DNA Center
Video - DNA Center Design and Provision
This video is an overview of the Cisco DNA Center design and provision areas where you
can add new devices and update existing devices.
IBN and Cisco DNA Center
Video - DNA Center Policy and Assurance
This video explains the Cisco DNA Center policy and assurance areas. The policy area
enables you to create policies that reflect your organization’s business intent and deploy
them across networks and devices. Assurance provides you with an interface to quickly
view and troubleshoot devices connected to the network.
IBN and Cisco DNA Center
Video - DNA Center Troubleshooting User Connectivity
This video explains how to use Cisco DNA Center to troubleshoot devices.
14.7 Module Practice and Quiz
Module Practice and Quiz
What Did I Learn In This Module?
• Automation is any process that is self-driven, reducing, and potentially eliminating, the need
for human intervention.
• Whenever a course of action is taken by a device based on an outside piece of information,
then that device is a smart device. For smart devices to “think”, they need to be programmed
using network automation tools.
• Data formats are simply a way to store and interchange data in a structured format.
• Common data formats that are used in many applications including network automation and
programmability are JavaScript Object Notation (JSON), eXtensible Markup Language
(XML), and YAML Ain’t Markup Language (YAML).
• Data formats have rules and structure similar to what we have with programming and written
languages.
• An API is a set of rules describing how one application can interact with another, and the
instructions to allow the interaction to occur.
• Open/Public APIs are, as the name suggests, publicly available. Internal/Private APIs are
used only within an organization. Partner APIs are used between a company and its business
partners.
Module Practice and Quiz
What Did I Learn In This Module? (Cont.)
• There are four types of web service APIs: Simple Object Access Protocol (SOAP),
Representational State Transfer (REST), eXtensible Markup Language-Remote Procedure
Call (XML-RPC), and JavaScript Object Notation-Remote Procedure Call (JSON-RPC).
• A REST API defines a set of functions developers can use to perform requests and receive
responses via HTTP protocol such as GET and POST.
• Conforming to the constraints of the REST architecture is generally referred to as being
“RESTful”.
• RESTful APIs use common HTTP methods including POST, GET, PUT, PATCH and DELETE.
These methods correspond to RESTful operations: Create, Read, Update, and Delete (or
CRUD).
• Web resources and web services such as RESTful APIs are identified using a URI. A URI has
two specializations, Uniform Resource Name (URN) and Uniform Resource Locator (URL).
• In a RESTful Web service, a request made to a resource's URI will elicit a response. The
response will be a payload typically formatted in JSON.
Module Practice and Quiz
What Did I Learn In This Module? (Cont.)
• The different parts of the API request are API server, Resources, and Query. Queries can
include format, key, and parameters.
• There are now new and different methods for network operators to automatically monitor,
manage, and configure the network. These include protocols and technologies such as
REST, Ansible, Puppet, Chef, Python, JSON, XML, and more.
• Configuration management tools use RESTful API requests to automate tasks and scale
across thousands of devices.
• Characteristics of the network that benefit from automation include software and version
control, device attributes such as names, addressing, and security, protocol configurations,
and ACL configurations.
• Configuration management tools typically include automation and orchestration.
Orchestration is the arranging of the automated tasks that results in a coordinated process or
workflow.
• IBN builds on SDN, taking a software-centric, fully automated approach to designing and
operating networks.
Module Practice and Quiz
What Did I Learn In This Module? (Cont.)
• Cisco views IBN as having three essential functions: translation, activation, and assurance.
• The physical and virtual network infrastructure is a fabric. The term fabric describes an
overlay that represents the logical topology used to virtually connect to devices.
• The underlay network is the physical topology that includes all hardware required to meet
business objectives.
• Cisco implements the IBN fabric using Cisco DNA. The business intent is securely deployed
into the network infrastructure (the fabric). Cisco DNA then continuously gathers data from a
multitude of sources (devices and applications) to provide a rich context of information.
• Cisco DNA Center is a network management and command center for provisioning and
configuring network devices. It is a single interface hardware and software platform that
focuses on assurance, analytics, and automation.

To modify an existing OSPF router ID, you must reset the OSPF process, as an active router does not allow ID change without this action. The 'clear ip ospf process' command can be used to reset the router ID. Modifying the router ID is important for maintaining accurate and meaningful network identification, especially in complex networks requiring unique router IDs for effective network management and DR/BDR elections .

In a multiaccess network, OSPF elects a DR based on the router ID of each participating router. The router with the highest router ID is elected as the DR, and the second highest becomes the BDR. The router ID ensures a unique identity for each router within the OSPF domain, and it is a crucial factor during the DR/BDR election process .

Named ACLs allow for more descriptive identification of their purpose, improving manageability and readability when configuring and troubleshooting ACL lists. For instance, naming an extended ACL like 'FTP-FILTER' provides clear information about its function, unlike a numbered ACL which provides no context about its role in the network .

In multiaccess OSPF networks, a DR and a BDR are necessary to prevent chaotic network traffic due to all routers flooding their Link State Advertisements (LSAs) to every other router on the network. The DR acts as the collection and distribution point for LSAs, while the BDR serves as a standby to take over if the DR fails .

You might also like