CCNA 42 to 60 Flashcards
NTP
Network Time Protocol, used to set the same time across your network. If the time isn’t the same on your devices you will have issues with them, e.g. log files stating the wrong time. Certificates are also time stamped; they will time out/expire if the time has drifted too far.
Time is provided by NTP server (this server can be inside your network or a Stratum Zero)
ACL
Access Control List-
ACL Extended=
ACL Net Interface=
ACL Global NAT=
Dynamic NAT
Dynamic NAT can be defined as mapping of a private IP address to a public IP address from a group of public IP addresses called a NAT pool. Dynamic NAT establishes a one-to-one mapping between a private IP address and a public IP address.
*Once the communication is completed, the IP is recycled
Static NAT/PAT
Manually tell the router which private address will work with which public address and port number.
The table will have the private address and the public address and port recorded in a NAT table. When return traffic comes in, the source and port are looked up in the table.
one to one
Socket
Combination of IP address and port
NAT Overload or Port Address Translation (PAT)
Uses the public IP assigned to the router's interface (or another IP address assigned for NAT overload) combined with a port number to create a unique address to communicate off the private network.
TCP Ports to know: FTP 21, SSH 22, Telnet 23, HTTP 80, SMTP 25, POP3 110, IMAP 143, HTTPS 443
UDP
DNS 53
NAT
Network Address Translator, allows private IPs access to a public domain.
Inside=You own the address
Outside= someone else owns the address
Local= private address
Global= public address
Inside Local= inside the network and private
Outside Global= outside the network and public
Inside Global= IP you own that is used off of your network (NAT)
Outside Local= IP that belongs to another network and is private
Stratum Clock
Atomic based clock that provides the time (Stratum 0)
UTC
Coordinated Universal Time, where time starts
stratum number
If you are getting your time from a stratum 3 clock, you become a stratum 4 clock
DHCP
Dynamic Host Configuration Protocol, gives IP addresses dynamically
Client: ability for a device to request an address. (auto-generates a 169.254.x.x address if it doesn’t hear back from the DHCP server)
Server: where the IPs are managed from
Relay: will forward DHCP requests to the Server if the client is unable to reach it, and then relays back the response. (relays it as a unicast)
Set up the relay on your trunked device
ASCII
ASCII is a 7-bit character set containing 128 characters. It contains the numbers from 0-9, the upper and lower case English letters from A to Z, and some special characters.
Abbreviated from American Standard Code for Information Interchange, it is a character encoding standard for electronic communication. ASCII codes represent text in computers, telecommunications equipment, and other devices.
SNMP
Monitoring protocol; Simple Network Management Protocol; polls data (activity) from devices on a certain interval. A common poll interval is 60 seconds. (clear text)
v1:
v2c: can monitor, however has very limited authentication (r/o, r/w) can be used to change settings on your device if it is not locked down. (clear text)
v3: increased security; access levels- view, groups, user. Views can be assigned to groups and then users to the group.
OID/MIB
Object identifiers: all of the things you can identify using SNMP (temperatures, run time, up/down).
Management Information Base: database of OIDs
Syslog
syslog format (date, time, message)
0 Emergency—emerg = System is unusable
Ex: Drive failure
1 Alert—alert = Should be corrected immediately
Ex: Loss of the primary ISP connection.
2 Critical—crit = Critical conditions
Ex: A failure in the system’s primary application.
3 Error—err = Error conditions
Ex: An interface has gone down
4 Warning—warning = May indicate that an error will occur if action is not taken.
Ex: A non-root file system has only 2GB remaining.
5 Notice—notice = Events that are unusual, but not error conditions.
Ex: Someone just logged in
6 Informational—info = Normal operational messages that require no action.
Ex: An application has started, paused or ended successfully.
7 Debug—debug = Information useful to developers for debugging the application.
QoS
Traffic discrimination (which traffic is most important):
Classify Traffic: What interface, or ACL the traffic is on can be used to give priority.
Marking: (Layer 2) CoS, class of service marking, which will give a priority level to the frame.
(Layer 3) ToS, type of service marking, which will give a priority level to the frame. Ex: DSCP
Queuing: default is “first in, first out”; the queue can be changed to priority, which will move desired traffic to the front of the line.
Shoot: (WRED) weighted random early detection, picks off excess traffic.
Policing: putting anti-QoS on traffic; can be used to slow traffic / limit traffic (traffic you don’t want)
Shaping: for traffic you want; limits traffic after a certain bandwidth
If there is no congestion, there is no need for QoS
NBAR
Network based application recognition
NBAR intelligently classifies and allows you to enforce QoS policy on today’s mission-critical applications.
Low latency Queuing
PQ-CBWFQ—Cisco proprietary; stops traffic starvation. In QoS priority, it allows you to put a data cap on the traffic.
PQ (priority queuing)
CB (class based)
WF (weighted fair)
FTP-TFTP
Used to copy files:
FTP: TCP communication (secure/authentication), ports 20/21, faster
TFTP: UDP (unsecure/no authentication), port 69
CIA
Confidentiality of Data
Integrity of Data
Availability of Data
What can cause vulnerability in a network?
Bugs, flaws in hardware or software
Bad or lacking configuration
legacy systems
Broken Processes
Unpatched systems
ARP Spoofing
Lying to the network about the gateway's Layer 2 address
CDP Flooding
Floods fake CDP messages
What is an exploit?
Way or method that can be used to take advantage of a vulnerability
Mitigation
Action of reducing the severity or seriousness of a threat
Steps/places to look: increase awareness (applications, network infrastructure); train users; test after training (send out fake phishing emails and ask users to report them)
DAI
Dynamic ARP Inspection, ensures the validity of an ARP request
Security Policy
Access Control- physical access and logical access control
Change management policy- policy that gives guidance on how and when changes can be made so that they do not cause harm or vulnerability
Mobile Policy
Baseline Policy
AUP- acceptable use policy (signed annually)
Password Policies
Data Retention (emails and documents, how long to keep data and when to get rid of it)
Incident Reporting Policy- how to report an incident
Vulnerability and Risk Assessment Policies—
Social Engineering
Phishing–
Spear Phishing–
Pretexting–
Tailgating–
Physical Security
Mantrap, guard, who has access to switches?, access cards, temperature sensors, UPS, laptop/computer locks
Password Policy
Educate users of what the policy is
Enforce the policy —
Characteristics in policy:
Length- 7 plus
Complexity- upper, lowercase, special characters
Max Age- change every 45 days
History- user can’t reuse last ten passwords
Minimum age: user can’t change password more than once in a day
This can be enforced in AD for example
2FA/MFA
When you use at least two methods to authenticate a user's identity.
Cat A —Something a user knows (PIN or password)
Cat B —Something that the user has (card, key fob or app on phone, security token)
Cat C —Something that the user “is” (fingerprint, face recognition, voice recognition, eye recognition)
What is the difference between the aux port and the console port?
Both aux and console ports can let you into the router or switch; the console port, however, is active while booting up. The console port function is useful for password reset and other reboot functions.
In order to get beyond the user mode on the aux port, you need an enable secret set. You will need to do this from the console port.
AAA
Authentication, authorization and accounting—
Authentication (Verifying who is accessing)
–Can have a server with passwords and access levels (active directory) connected to switches and routers for access.
Authorization (What can a person do– access level)
Accounting (who does/ did what–logs)
TACACS +
Cisco standard— works better with Cisco devices
Encrypted communication, uses TCP
protocol used when the AAA clients communicate with the server (active directory)
Terminal Access Controller Access Control System
RADIUS
Industry standard; uses UDP and does not encrypt the full session, but does encrypt passwords
Remote Authentication Dial-in User Service
protocol used when the AAA clients communicate with the server (active directory)
Implicit Deny
When traffic is not matched on an ACL it is automatically denied
Standard ACL
only matches source IPs and/or a source IP range
Extended ACL
can match source and destination IPs as well as port numbers
Port Security
Cannot be a dynamic port; max MACs per port is ONE out of the box. When you hit the max, the port is error-disabled (shut down).
CAM Table overflow attack
An attack, also known as MAC flooding, that floods the CAM table with fake MAC addresses and consumes the switch's memory
Dynamic Port
a port that auto negotiates connections
switchport host command
Use the switchport host interface configuration command on the switch stack or on a standalone switch to optimize a Layer 2 port for a host connection. This command does three things: configures the switchport for access mode, enables PortFast, and disables EtherChannel.
DHCP Snooping
tells the switch not to listen to any DHCP messages unless they come from a named port (enable at the access layer)
DORA
Discover, offer, request and authorize (DHCP steps)
Source Guard
Helps protect the network against connected hosts lying about their source IP or MAC addresses
What is the insertion of option 82?
When DHCP Snooping is enabled, DHCP Option 82 is inserted into DHCP packets as they pass through a switch. Option 82 contains information about the specific port a client machine is connected to.
Dynamic ARP inspection (DAI)
DAI checks all ARP packets on untrusted interfaces; it will compare the information in the ARP packet with the DHCP snooping database and/or an ARP access-list. If the information in the ARP packet doesn’t match, it will be dropped.
VPN Tunnel
Logical path between two networks, an encrypted Security Association (VPN connection).
site to site tunnel- between HQ and remote site
Remote access— VPN from individual computer to HQ
Cryptography
the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents
Confidentiality with encryption
AES
Advanced Encryption Standard
Encryption algorithm, more bits used, more secure.
Along with the algorithm, devices on each end have keys unknown to others to stop the algorithm from being broken
Hashing
Data integrity; a one-way function where data is mapped to a fixed-length value. When the hash gets to the other side the length is verified.
MD5 and SHA are different hash algorithms
IPsec
IPsec is a collection of encryption standards used for VPN tunnels (other examples include PPTP, L2TP V1/V2 which can be used for Remote Access connections.) IPsec can be used for both site to site and Remote Access connections.
AES is the latest standard
ISAKMP SA
is a protocol defined by RFC 2408 for establishing Security Associations (SA) and cryptographic keys in an Internet environment.
Router to Router communication.
IPsec SA
second SA tunnel used to encrypt the user information
Crypto Map
a collection of the settings and attributes you want to use for the VPN tunnel
ESP
Encapsulating Security Payload, Layer 4 protocol number 50—encapsulates traffic
SSL/ TLS/ DTLS
Secure Sockets Layer, Transport Layer Security = TCP security protocols used for site-to-client VPN. TCP has more overhead, so sometimes Datagram Transport Layer Security (DTLS) is preferred; DTLS uses UDP and has less overhead. Used for Remote Access “HQ to Client”.
Split Tunneling
Ability to divide traffic encryption based on destination from the client machine. Ex. only traffic to and from HQ is encrypted. If the user is going to YouTube, the traffic would not be encrypted.
What are WiFi security options?
Disabled, None, Open; WEP-- security is easily cracked; WPA-- has been cracked as well; WPA2-- currently secure; WPA3-- newest, with backwards compatibility if a device does not support WPA3
Personal V Enterprise WiFi
Personal– password– pre shared key
Enterprise– AAA server used to authenticate; this also provides an encryption key
PSK
Pre shared Key
Network Automation
the process of automating the configuration, managing, testing, deployment and operation of physical and virtual devices within a network (Python)
BGP
Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet.
Zero touch provisioning
Allows your router and switch to boot up and get basic configuration
Cisco DNA Center
Used for network automation; digital network architecture
Features:
- Network Mapping (provision and deploying fabric)
- Network Discovery
- dynamically configure devices
- Network automation
- Design from ground up and then order
- Policy – access
- Assurance– system logs
API
Application Program Interface— allows you to interact with devices instead of having to work in the CLI
Can monitor and configure devices with an API
API also uses a token for security
SNMP
Used by monitoring programs like SolarWinds—
Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior.
MIBs
Management Information Base– used to monitor device statistics and make changes on devices
REST API
A REST/RESTful API
Representational State Transfer— lets us know how we can change and modify simple information.
Constraints—
1. Client-server relationship (router, controller, website… is the server; you are the client)
2. Stateless (when a request is made it has to contain everything needed for the request– full context)
3. Cacheable (won’t change very often); has to be able to determine if something should be cached or not
– ^learn for exam^
4. Uniform interface (keep it simple and consistent)
5. Layered
6. Code on demand
What are REST API Verbs/ Actions?
CRUD (Create, Read, Update and delete)
Think of these as the protocol in the REST API— ex HTTP=80
GET = request/reply interaction; retrieve a resource (READ)
POST = create a resource object (CREATE)
PATCH = create or update a resource object (UPDATE)
PUT = create or replace a resource (UPDATE)
DELETE = delete a resource (DELETE)
API Errors
200s = successful
400s = client error (error with something you entered; you have to fix it)
500s = server error
Python Dictionary
A collection which is ordered, changeable and indexed. No duplicate members.
key = word, value = definition
Simple Variable (Python)
used to store information to be referenced and manipulated in a computer program
Python List
a collection which is ordered and changeable
Json, YAML, XML
Data serialization languages— the process of converting structured data to a format that allows sharing or storage of data in a form that allows recovery of its original structure
XML= mainly used for websites (Extensible Markup Language)
JSON= used for APIs, human and machine readable
(JavaScript Object Notation)
YAML = not a markup language, used with Ansible, Python and Perl– human readable
JSON Object
JSON dictionary, between “{” and “}”
Ex {“hostname”: “router1”}
Objects within objects = nesting
JSON Array
a list between “[” and “]”
Ex.[“school”, “work”, “travel”]
Controller Based Networking
SDN (ACI)
ACI (Cisco proprietary SDN)
Software defined networking— SDN takes over all control plane functions on routers and switches, turning them into zombies— centralized control plane
Southbound Interface
SBI, used by SDN to control devices
— called a southbound interface because it usually sits at the top of the rack above the devices it is controlling.
— “interface” refers to what you are using to interact with the networking devices
—-OpenFlow– open source industry standard
—-OpFlex– used with Cisco ACI (data center automation)
—-CLI/SNMP– SSH access for older devices (DNA Center)
—-NETCONF– also used by DNA Center— standardized by IETF
Northbound Interface
NBI is where users access devices. Example (DNA Center, or REST API)
IBN
Intent Based Networking– allows you to make changes on devices without having to worry about the rules. DNA Center is an example of IBN– DNA Center will put in the commands for you
— automates configuration for us
Underlay
creating a physical network that provides connectivity for the overlay; create as many redundant Layer 3 connections as you can.
Overlay
The fabric / the virtual networks TUNNELED over your underlay devices— logical/virtual
Creates point-to-point connections using VXLAN
VXLAN
(layer 2 over layer 3)
VXLAN is a tunneling protocol that encapsulates Layer 2 Ethernet frames in Layer 3 UDP packets, enabling you to create virtualized Layer 2 subnets, or segments, that span physical Layer 3 networks. Each Layer 2 subnet is uniquely identified by a VXLAN network identifier (VNI) that segments traffic
Fabric
everything in your software defined network, overlay and underlay
APIC
Application policy infrastructure controller—
the main architectural component of the Cisco ACI solution (SDN). It is the unified point of automation and management for the Cisco ACI (SDN) fabric, policy enforcement, and health monitoring.
LISP
Locator/ID Separation Protocol – identifies each host with an EID (Endpoint device ID) and matches it to an RLOC (routing locator) and maps it.
Similar to DNS, replaces some routing protocols
Fabric Edge Nodes
switches on the edge of the underlay; they keep track of who is connected to them and send it back to the fabric controller
— Allows for smaller networking tables and device mobility
Easy QoS
how you can prioritize traffic on DNA center
East Bound
Events and notifications
West Bound
Integration APIs, ITSM, Assurance
Ex. can find issues in the network, open a ticket and resolve the ticket.
Puppet
network automation tool that uses an agent. Can be used on limited devices that allow agent install. (can be installed on netux devices)
Ruby based
Take model–>
You need to set up a puppet master (server) and install the agent on your clients (switch or router)
Structure
- Modules (organizes manifests)
  - Manifests
    - Classes (organizes manifest files)
      - Resources (list what’s going to happen on the device)
(has an agent less version that supports cisco devices)
Chef
network automation tool that uses an agent.
Ruby based–>
Needs an agent to run.
Pull method–>
Recipe= a collection of resources that determine the configuration policy of a node.
Central Server= server that runs Chef
Resource= one particular action or configuration or a
Node= server you want to control
Cookbook= where recipes are stored
The node uploads its cookbooks to the central Chef server, which has a collection of cookbooks, with a tool called knife
Currently has no Cisco integration.
Ansible
agent-less
used to automate network devices– Python based, uses YAML– Linux and Mac
Open-Source and free
Push model–>
Playbook–> Tasks
Can be used to generate templates
Git
version tracking software (ex GitHub)
used for versioning/revision control
DiffServ
DiffServ is a set of end-to-end quality of service (QoS) capabilities. End-to-end QoS is the ability of the network to deliver service required by specific network traffic from one end of the network to another.
CSMA/CD
Carrier Sense Multiple Access / Collision Detection, a set of rules determining how network devices respond when two devices attempt to use a data channel simultaneously (called a collision). Standard Ethernet networks use CSMA/CD to physically monitor the traffic on the line at participating stations.
NETCONF
is a protocol defined by the IETF to “install, manipulate, and delete the configuration of network devices”. NETCONF operations are realized on top of a Remote Procedure Call (RPC) layer using an XML encoding, and NETCONF provides a basic set of operations to edit and query configuration on a network device.
How do you parse a JSON string in Python?
json.loads(input)
What is the IP address of an OSPF Hello Packet ?
224.0.0.5 (multicast)
What is 802.1Q?
VLAN protocol / adds the VLAN to the header