CCNA Cram Flashcards
How to configure SSH
- Configure a host name (the RSA key pair is named after hostname.domain):
conf t
hostname [hostname]
- Configure the DNS domain name:
ip domain name [domainname]
- Generate the RSA key pair (use a modulus of at least 2048 bits):
crypto key generate rsa modulus 2048
- Configure the enable secret and a local username/password (and an ACL if you want to restrict source addresses):
enable secret [password]
username [username] secret [password]
- Force SSHv2 (SSHv1 has known weaknesses):
ip ssh version 2
- Configure the VTY lines to authenticate against the local user database and accept only SSH:
line vty 0 15
login local
transport input ssh
access-class 1 in (only if applying an ACL)
What error do you get if you don't set a hostname before generating the SSH key
% Please define a hostname other than Router.
What error do you get if you try to generate the SSH key and no domain name is specified
% Please define a domain-name first.
HSRP v1 hello multicast address and virtual MAC
- 224.0.0.2 (UDP 1985)
- 0000.0c07.acXX (XX = group number in hex, groups 0-255)
HSRP v2 hello multicast address and virtual MAC
- 224.0.0.102 (UDP 1985)
- 0000.0c9f.fXXX (XXX = group number in hex, groups 0-4095)
VRRP hello multicast address and virtual MAC
- 224.0.0.18 (IP protocol 112)
- 0000.5e00.01XX (XX = group number in hex, groups 1-255)
GLBP hello multicast address and virtual MAC
- 224.0.0.102 (UDP 3222)
- 0007.b400.XXYY (XX = group number in hex, YY = AVF/forwarder number 01-04; groups above 255 spill into the preceding byte)
(The virtual IP itself is whatever the admin configures; the addresses above are the hello destinations and the MAC the VIP answers from.)
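The MAC formats above are easy to misremember, so here is an added example (not part of the flashcards) that derives each protocol's virtual MAC from its group number, maps the hello multicast addresses to their Ethernet MACs using the 01-00-5E / low-23-bit rule, and recognises which FHRP a given MAC belongs to. That last function is useful when reading a capture or hunting for a rogue FHRP speaker on a segment. The group ranges are the standard ones; the function names are mine.

```python
"""FHRP virtual MAC and hello-multicast derivation (added example)."""
import ipaddress


def _dotted(raw: int) -> str:
    """Format a 48-bit integer in Cisco dotted-hex notation, e.g. 0000.0c07.ac01."""
    h = f"{raw:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def _raw(mac: str) -> int:
    """Parse 0000.0c07.ac01, 00:00:0c:07:ac:01 or 00-00-0c-07-ac-01 into an int."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def ipv4_multicast_mac(addr: str) -> str:
    """Map an IPv4 multicast address to its MAC: 01-00-5E plus the low 23 bits."""
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not an IPv4 multicast address")
    return _dotted((0x01005E << 24) | (int(ip) & 0x7FFFFF))


# Hello destination for each protocol (transport noted for reference only).
HELLO_GROUP = {
    "HSRPv1": "224.0.0.2",    # UDP 1985
    "HSRPv2": "224.0.0.102",  # UDP 1985
    "VRRP": "224.0.0.18",     # IP protocol 112
    "GLBP": "224.0.0.102",    # UDP 3222
}


def hsrp_v1_mac(group: int) -> str:
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return _dotted(0x00000C07AC00 | group)


def hsrp_v2_mac(group: int) -> str:
    if not 0 <= group <= 4095:
        raise ValueError("HSRPv2 group must be 0-4095")
    return _dotted(0x00000C9FF000 | group)


def vrrp_mac(group: int) -> str:
    if not 1 <= group <= 255:
        raise ValueError("VRRP group must be 1-255")
    return _dotted(0x00005E000100 | group)


def glbp_mac(group: int, forwarder: int) -> str:
    """GLBP: 0007.b4xx.xxyy, xx.xx = group (0-1023), yy = AVF number (1-4)."""
    if not 0 <= group <= 1023 or not 1 <= forwarder <= 4:
        raise ValueError("GLBP group 0-1023, forwarder 1-4")
    return _dotted(0x0007B4000000 | (group << 8) | forwarder)


def identify_virtual_mac(mac: str):
    """Return which FHRP (and group) a MAC belongs to, or None if it is not an FHRP MAC."""
    r = _raw(mac)
    if r & 0xFFFFFFFFFF00 == 0x00000C07AC00:
        return {"protocol": "HSRPv1", "group": r & 0xFF}
    if r & 0xFFFFFFFFF000 == 0x00000C9FF000:
        return {"protocol": "HSRPv2", "group": r & 0xFFF}
    if r & 0xFFFFFFFFFF00 == 0x00005E000100:
        return {"protocol": "VRRP", "group": r & 0xFF}
    if r & 0xFFFFFF000000 == 0x0007B4000000:
        return {"protocol": "GLBP", "group": (r >> 8) & 0x3FF, "forwarder": r & 0xFF}
    return None


if __name__ == "__main__":
    for name, grp in HELLO_GROUP.items():
        print(f"{name:6} hellos go to {grp} -> {ipv4_multicast_mac(grp)}")
    print("HSRPv1 group 1:", hsrp_v1_mac(1), identify_virtual_mac(hsrp_v1_mac(1)))
```

Because every FHRP uses a fixed, well-known virtual MAC, a source MAC matching one of these patterns on a port that should not host a gateway is worth an alert.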
Max ports in LAG on WLC
2504 and 3504 - 4
5508 - 8
How do APs learn the IP of the WLC
DHCP option 43 carrying the WLC management IP: option 43 ip [ip of WLC]
Set this up in the DHCP pool config (other discovery methods: DNS name CISCO-CAPWAP-CONTROLLER, local subnet broadcast, priming)
Config to set up a DHCP server pool
ip dhcp pool [pool name]
network [ip network] [subnet mask]
default-router [default router ip]
Interfaces on WLC
Software (logical) interfaces:
Management - in-band management: Telnet, SSH, HTTP, HTTPS, RADIUS, NTP, Syslog, plus CAPWAP from the APs
Redundancy Management - used by an HA (SSO) pair of controllers for keepalives and peer health checks
Virtual interface - used when communicating with wireless clients to relay DHCP and for client web authentication (a non-routable placeholder address)
Service port - physical port used for out-of-band management
Dynamic - user-defined, maps a WLAN to a VLAN and carries client data
What you see with a duplex mismatch
Full-duplex side - high FCS errors and runts (it receives frames the half-duplex side aborted mid-transmission)
Half-duplex side - high collisions, specifically late collisions
Speed mismatch
Usually brings the interface down (shows as down/down)
Wireless security standards with Encryption Method / Authentication / Data Integrity Method
WEP - Encryption: RC4 / Authentication: Open System & Shared Key / Integrity: CRC-32 ICV (a linear checksum, not a real MIC)
WPA - Encryption: TKIP (RC4 with per-packet keys) / Authentication: PSK & 802.1X w/ EAP / Integrity: Michael 64-bit MIC
WPA2 - Encryption: AES-CCMP / Authentication: PSK & 802.1X w/ EAP / Integrity: CCMP (CBC-MAC w/ AES)
WPA3 - Encryption: AES-GCMP / Authentication: SAE (Personal) & 802.1X w/ EAP (Enterprise) / Integrity: GMAC (part of GCMP)
What does power inline police command do
Disables port and sends syslog message if PD draws too much power
Interface will go in err-disable state and can be restored with shutdown then no shutdown command.
what does power inline police action err-disable command do
disables the port and sends syslog message if PD draws too much power
What does power inline police action log command do
If PD pulls too much power it will just restart interface and send Syslog (will not disable the interface)
What is NETCONF
Is SBI
Uses XML and RPCs
Relies on SSH for transport
Used to configure network devices
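NETCONF is easier to understand once you have seen one full exchange. The following is an added example (not from the flashcards, and not a Cisco library) that builds the <get-config> RPC a client sends over the SSH "netconf" subsystem and parses the <rpc-reply>, including the <rpc-error> case that naive scripts tend to ignore. The replies are constructed by hand: the Cisco-IOS-XE-native namespace is real, but the payload is a hand-written subset and no device was queried.

```python
"""Build a NETCONF <get-config> RPC and parse the <rpc-reply> (added example)."""
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
EOM = "]]>]]>"  # base:1.0 end-of-message marker that follows each message on the SSH channel


def build_get_config(message_id: int, source: str = "running") -> str:
    """Return the <rpc> text a client writes to the 'netconf' SSH subsystem."""
    if source not in ("running", "candidate", "startup"):
        raise ValueError("unknown datastore")
    return (
        f'<rpc message-id="{message_id}" xmlns="{NC_NS}">'
        f"<get-config><source><{source}/></source></get-config></rpc>" + EOM
    )


def parse_reply(text: str) -> dict:
    """Parse one rpc-reply; surface <rpc-error> instead of silently returning empty data."""
    body = text.split(EOM, 1)[0]
    root = ET.fromstring(body)
    if root.tag != f"{{{NC_NS}}}rpc-reply":
        raise ValueError(f"unexpected root element {root.tag}")
    errors = [
        (e.findtext(f"{{{NC_NS}}}error-tag"), e.findtext(f"{{{NC_NS}}}error-message"))
        for e in root.iter(f"{{{NC_NS}}}rpc-error")
    ]
    return {
        "message_id": root.get("message-id"),
        "ok": not errors,
        "errors": errors,
        "data": root.find(f"{{{NC_NS}}}data"),
    }


# Constructed replies (not captured from a real device); the Cisco-IOS-XE-native
# namespace is the real one, the payload is a small hand-written subset.
NATIVE_NS = "http://cisco.com/ns/yang/Cisco-IOS-XE-native"
SAMPLE_REPLY = (
    f'<rpc-reply message-id="101" xmlns="{NC_NS}"><data>'
    f'<native xmlns="{NATIVE_NS}"><hostname>edge-rtr1</hostname>'
    f"<ip><ssh><version>2</version></ssh></ip></native></data></rpc-reply>{EOM}"
)
SAMPLE_ERROR = (
    f'<rpc-reply message-id="102" xmlns="{NC_NS}"><rpc-error>'
    f"<error-type>protocol</error-type><error-tag>access-denied</error-tag>"
    f"<error-message>access denied</error-message></rpc-error></rpc-reply>{EOM}"
)


def hostname_from_reply(text: str) -> str:
    """Pull the hostname out of a get-config reply, failing loudly on rpc-error."""
    reply = parse_reply(text)
    if not reply["ok"]:
        raise RuntimeError(f"rpc-error: {reply['errors']}")
    return reply["data"].findtext(f"{{{NATIVE_NS}}}native/{{{NATIVE_NS}}}hostname")


if __name__ == "__main__":
    print(build_get_config(101))
    print("hostname:", hostname_from_reply(SAMPLE_REPLY))
    err = parse_reply(SAMPLE_ERROR)
    print("error reply ok?", err["ok"], err["errors"])
```

Matching message-id values between request and reply is how a client pairs responses on a shared channel; always check it, and always check for <rpc-error> before trusting <data>.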
What encoding formats do REST APIs use?
XML - uses HTML-like tags (uses tags to define blocks of data)
JSON - uses objects that contain key and value pairs
What is REST API used for?
Used on the Northbound Plane to communicate with the SDN application plane
OnePK
Is used for SBIs
Is a Cisco-proprietary SBI
Uses Java, C or Python to configure devices
Can use SSL/TLS to encrypt data
OpFlex
Is SBI protocol
Uses declarative SDN model - instructions sent to controller not so detailed
Allows devs in data plane to make more network decisions on how to implement policy
OpenFlow
Is an SBI protocol
Uses an imperative SDN model
When a new policy is configured, the controller sends detailed flow instructions down to the data-plane devices
The SDN controller manages both the network and the policies applied to the devices.
What SBI Protocols are used in SDN
OnePK
OpFlex
OpenFlow
NETCONF
What NBI protocols are used in SDN
REST
OSGi
What is REST
Uses HTTP or HTTPS to let external resources access and use the programs exposed by the API
Usually use XML or JSON
What is OSGi
Is NBI Protocol
Java based
Enables development of modular programs
Allows Python language as means of extended controller functions
For transport often use HTTP
What is a recursive static route
Specifies the destination network and a next-hop address only (no exit interface), so the router must do a second, recursive lookup to find the interface for the next hop (applies to IPv4 and IPv6)
How many routers can a router in the DROTHER state form full adjacencies with in OSPF?
Only the DR and BDR (it stays in the 2-way state with other DROTHERs)
How can you tell if routers are connected on a point-to-point / point-to-multipoint network in OSPF?
There is no DR/BDR in point-to-point or point-to-multipoint OSPF networks.
OSPF hello/dead timers
If hello/dead timers don't match, the neighborship will not establish
Broadcast (Ethernet) link: 10/40
Point-to-point link: 10/40
Point-to-multipoint link: 30/120
Non-broadcast link: 30/120
What is ARP poisoning and how to stop it
Attacker sends gratuitous (unsolicited) ARP replies to hosts
Associates the attacker's MAC with the IP of a valid host (typically the default gateway)
Traffic then flows through the attacker's PC (man-in-the-middle)
To stop - implement DAI (which validates ARP against the DHCP snooping bindings)
What is VLAN hopping and how to stop it
Attacker injects frames into other VLANs by negotiating a trunk with DTP or by double-tagging 802.1Q frames
If successful - allows the attacker to send traffic into other VLANs without a router
To prevent - disable DTP on trunk ports, change the native VLAN to an unused one, and configure user-facing ports as access ports
What is MAC spoofing and how to stop it
Attacker uses MAC of another host to bypass port security methods
Also can impersonate another host
Implement port security with sticky secure MAC addresses
MAC flooding and how to stop it
Attacker generates a flood of frames with forged source MACs to fill the MAC address table
The switch then can't learn new addresses and floods unknown-destination traffic out every port (acts like a hub)
Attacker can see all data
To stop - add port security to limit the MACs learned on an interface
What is DHCP spoofing and how to stop
install rogue DHCP server to intercept DHCP req
respond with own IP as default gateway and can see everything
to fix - enable DHCP snooping
What is DAI and how to implement it
Mitigates ARP poisoning (ARP spoofing) attacks
DAI intercepts ARP packets on untrusted ports and validates the sender MAC/IP pair against the DHCP snooping binding table (or ARP ACLs); ARPs that don't match are dropped and logged
Supported on: access ports, trunk ports, EtherChannel ports, private VLAN ports
Enabled on single or multiple VLANs (requires DHCP snooping on the same VLANs to build the bindings)
Configuration:
conf t
ip arp inspection vlan [vlans]
DAI itself is enabled per VLAN in global config, not per interface; on interfaces you only mark trusted ports (uplinks to other switches) with ip arp inspection trust - everything else is untrusted by default
What is port security and how to implement it
Allows traffic into a switchport only from authorized MACs
If a frame comes from an unauthorized MAC it is discarded and, depending on the violation mode, the port may be disabled
Enabled at the interface level (the port must be a static access or trunk port, not DTP dynamic)
By default - only allows ONE MAC
Can do it a few different ways:
switchport port-security (enables it, allows 1 MAC)
switchport port-security mac-address [MAC addy] - for a specific static MAC
switchport port-security maximum [number] - max number of MACs that can be learned dynamically on the interface
switchport port-security mac-address sticky - dynamically learned MACs are written into the running config as static entries (they survive a restart only if you save the config)
By default when a violation occurs the port is shut down (err-disabled)
Port-security violations
If a port-security violation occurs - by default the interface goes into err-disable (violation mode shutdown)
Re-enable by shut/no shut
OR
errdisable recovery cause psecure-violation (automatic recovery after the errdisable timer)
CAN change so it doesn't disable the port with:
switchport port-security violation restrict - drops the offending frames, increments the violation counter and sends an SNMP trap / syslog message (a third mode, protect, drops silently with no counter or notification)
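The SSH, DAI and port-security cards above are all things you would check in a switch's running configuration before trusting it, so here is an added example (not from the flashcards) that parses IOS-style config text and reports the gaps: default hostname or missing domain name (RSA key generation refuses), SSH version not pinned to 2, VTY lines that still accept telnet or use a line password instead of the local database, no access-class, DAI enabled without DHCP snooping, and access ports without port security. Both configs are constructed by me; the hardened one is also a complete reference for what the cards describe.

```python
"""Audit an IOS-style running-config for the hardening the cards above describe (added example)."""

# Constructed sample configs (not from a real device). The first has the usual gaps.
WEAK_CONFIG = """\
hostname Router
!
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
!
line vty 0 4
 login local
 transport input ssh
 access-class 1 in
line vty 5 15
 password cisco
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname edge-sw1
ip domain name example.net
ip ssh version 2
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
access-list 1 permit 10.0.0.0 0.0.0.255
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation restrict
line vty 0 15
 login local
 transport input ssh
 access-class 1 in
"""


def parse_sections(config: str):
    """Split IOS config into (header, [indented child lines]) pairs; globals have no children."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config: str):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    glob = {h for h, body in sections if not body}
    findings = []

    host = next((h.split(None, 1)[1] for h in glob if h.startswith("hostname ")), None)
    if host in (None, "Router", "Switch"):
        findings.append("hostname is unset/default (crypto key generate rsa will refuse)")
    if not any(h.startswith(("ip domain name ", "ip domain-name ")) for h in glob):
        findings.append("ip domain name missing (needed to generate the RSA key)")
    if "ip ssh version 2" not in glob:
        findings.append("ip ssh version 2 not set (SSHv1 still negotiable)")
    if not any(h.startswith("ip arp inspection vlan") for h in glob):
        findings.append("DAI not enabled on any VLAN")
    elif "ip dhcp snooping" not in glob:
        findings.append("DAI enabled but DHCP snooping is off (no binding table to validate ARP)")

    for header, body in sections:
        if header.startswith("line vty"):
            if "transport input ssh" not in body:  # 'transport input telnet ssh' is not enough
                findings.append(f"{header}: transport input not restricted to ssh")
            if "login local" not in body:
                findings.append(f"{header}: no 'login local' (line password or no auth)")
            if not any(line.startswith("access-class ") for line in body):
                findings.append(f"{header}: no access-class ACL on the line")
        elif header.startswith("interface ") and "switchport mode access" in body:
            if "switchport port-security" not in body:
                findings.append(f"{header}: access port without port-security")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("FINDING:", finding)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run it against output saved from show running-config; the parser only relies on IOS's one-space indentation of sub-commands, so it also works on IOS-XE text.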
NTP static client mode
Static client mode is the usual (default) way to configure a client
The client gets time from the configured NTP server
ntp server [ip address of the NTP server]
NTP broadcast client mode
Listens on the configured interfaces for NTP broadcasts from an NTP server
The NTP client uses these broadcasts to adjust its time
Accepts time from any server broadcasting on that segment, so use it with authentication
NTP Authentication Mode
Provides source verification for NTP sync’ing
Supports MD5 keys
to enable:
ntp authenticate
ntp authentication-key [keynumber] md5 [key]
ntp trusted-key [key number]
ntp server [ip address] key [key number]
NTP Modes
Static Client
Broadcast Client
Authentication
Server
Symmetric Active
NTP Server Mode
To enable
ntp master [stratum 1-15]
Default stratum 8
Serves time to clients (and can also sync with peers)
Devices with higher stratum numbers get time from devices with lower stratum numbers
NTP Symmetric Active Mode
Command is:
ntp peer [ip address of NTP host]
attempts to mutually sync with another NTP host
host might sync peer or be synced by peer
Application Plane SDN
Where the applications that interact with the controller reside
Applications designed to improve network management efficiency through network automation
Use NB APIs like REST and OSGi
Control Plane SDN
Centralized
Responsible for network decisions making
(OSPF)
Connects to Application plane via NBIs
Conencts to Data plane via SBIs
Data Plane SDN
Network tasks pushed down by Control Plane to Data Plane
Include encapsulation/deencapsulation, adding/removing trunk headers, matching MAC addys to tables, IPs to paths, encryption, NAT, ACLs
Connects via SBIs to Controller
Management Plane SDN
Network management protocols
Telnet, SSH, SNMP, Syslog
Collision troubleshooting
Collision - happens before 64th byte
Usually due to duplex mismatch
Malfunctioning dev
Too many nodes
LATE Collision - happens after the 64th byte
Usually due to duplex mismatch
Network segment too long (exceeds the collision-domain diameter)
What is runt and what causes it
Frame with less than 64 bytes and has bad FCS
Discarded
May be excessive collisions or malfunctioning hardware
What is baby giant
Frame up to 1600 bytes
can happen in Q-in-Q encapsulation, MPLS
What is giant
frame up to 9216 bytes
can issue system mtu [bytes] to allow them - but make sure the hardware and the whole path support it
lldp commands
no lldp run - turns LLDP off globally (global config)
lldp transmit - enables sending LLDP on an interface (interface config)
lldp receive - enables receiving LLDP on an interface (interface config)
Add no in front of the above to turn it off on an interface
Interfaces on WLC
STATIC:
management
AP-manager interface
virtual interface
service port interface
Management Interface on WLC
Static
Used for management information
Used for all Layer 2 LWAPP communication between the controller and APs
Used to communicate with other WLCs
Service Port Interface on WLC
Static interface
used for maintenance purposes
used to recover WLC if fails
only interface available while WLC booting
Dynamic Interface
User defined
Used for client data
Doesnt need to be reachable by all other WLCs
Works like VLANs
Ways to assign an IPv6 address
(1) ipv6 enable - derives only a link-local address (valid only on the local link)
(2) ipv6 address [address/prefix length] eui-64 - static address whose interface ID is derived from the MAC (EUI-64) - manual
(3) use SLAAC or DHCPv6 - ipv6 address autoconfig (SLAAC) ; ipv6 address dhcp (DHCPv6)
What Supports Cisco SDA
Cisco DNA
What is Cisco IOS 15
Is network OS used to config, manage and troubleshoot single dev
Interact via CLI through SSH or Telnet
What is Cisco Network Assistant
free Java-based Application
Allows a LAN admin to do network operations, diagnose issues and interact with network devices via a GUI
Supports management of up to 80 devices
What is Cisco Prime Infrastructure (PI)
Enterprise Cisco management platform
Relies on browser GUI
Admins can do operations on network, diagnosis issues, and interact with dev on the network
how to remove RSA keys from router
crypto key zeroize rsa
Puppet
Accepts IB req from agent using HTTPS on TCP 8140
Operates on Linux, UNIX, Microsoft Windows
Uses client/server
Written in Ruby DSL or Puppet DSL
Chef
Works on Linux, UNIX and Windows
Either client/server or client only
Communicates using HTTPS on TCP port 443
Config in Recipes in Cookbooks
Written in Ruby DSL
Managed nodes running client can pull cookbooks
Standalone can pull from local dir
Ansible
Linux, Unix, Windows
no agent software on nodes
uses SSH on TCP 22 to connect to nodes
Configs in playbook written in YAML
What is Cisco ACI
Application Centric Infrastructure
Spine/leaf fabric
Used in data centers
Network application policies are defined on the APIC (Application Policy Infrastructure Controller) and pushed to the leaf switches
How update in OSPF:
Router ID
cost
hello interval
dead interval
Router ID - In router config: router-id [id number]
Cost - In interface config: ip ospf cost [cost]
Hello interval - In interface config : ip ospf hello-interval [seconds]
Dead interval - In interface config : ip ospf dead-interval [seconds]
What is a recursive static route
A route that gives the destination network and a next-hop IP address only; the exit interface is found by a second lookup of the next hop in the routing table
What is a directly attached static route
provides the network and the interface to egress
What happens if MTU settings are mismatched in OSPF
will get stuck in Exstart, Exchange or Loading states
What does it mean if OSPF shows 2WAY/DROTHER
Means that neither are DR or BDR and so stay in 2way state
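The OSPF neighbor-state cards above (2WAY/DROTHER being normal, EXSTART/EXCHANGE/LOADING meaning an MTU mismatch) are exactly what you apply when reading show ip ospf neighbor, so here is an added example (not from the flashcards) that parses that output and attaches a verdict to each neighbor. The sample output is constructed by me in the IOS column layout; it was not captured from a router. The ip ospf mtu-ignore workaround mentioned in the verdict is a real interface command, but fixing the MTU is the better answer.

```python
"""Parse 'show ip ospf neighbor' output and explain each neighbor state (added example)."""
import re

# Constructed output in the IOS column layout (not from a real router).
SAMPLE_OUTPUT = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   FULL/DR         00:00:33    192.168.1.2     GigabitEthernet0/0
10.0.0.3          1   2WAY/DROTHER    00:00:35    192.168.1.3     GigabitEthernet0/0
10.0.0.4          1   EXSTART/DR      00:00:38    192.168.2.2     GigabitEthernet0/1
10.0.0.5          0   INIT/DROTHER    00:00:31    192.168.2.3     GigabitEthernet0/1
10.0.0.6          0   FULL/  -        00:00:36    10.1.1.2        Serial0/0/0
"""

LINE_RE = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<state>[A-Z0-9]+)/\s*(?P<role>\S+)"
    r"\s+(?P<dead>\d\d:\d\d:\d\d)\s+(?P<addr>\S+)\s+(?P<intf>\S+)\s*$"
)


def diagnose(state: str, role: str) -> str:
    """Map a neighbor state to what it usually means; 'role' is the neighbor's DR/BDR/DROTHER role."""
    if state == "FULL":
        return "ok: full adjacency"
    if state == "2WAY":
        if role == "DROTHER":
            return "ok: both DROTHER on a broadcast segment, 2WAY is the expected final state"
        return "problem: stuck in 2WAY with the DR/BDR, should have gone to FULL"
    if state in ("EXSTART", "EXCHANGE", "LOADING"):
        return "problem: stuck in database exchange, check for an MTU mismatch (ip ospf mtu-ignore is the workaround)"
    if state == "INIT":
        return "problem: one-way hellos, the neighbor is not accepting ours (authentication mismatch or a filter on its side)"
    if state == "ATTEMPT":
        return "info: NBMA neighbor configured with 'neighbor', no hello received yet"
    return f"unknown state {state}"


def parse_neighbors(output: str):
    """Return one dict per neighbor row, header and blank lines skipped."""
    neighbors = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        n = m.groupdict()
        n["pri"] = int(n["pri"])
        n["verdict"] = diagnose(n["state"], n["role"])
        neighbors.append(n)
    return neighbors


def problems(output: str):
    """Just the neighbors that need attention."""
    return [n for n in parse_neighbors(output) if n["verdict"].startswith("problem")]


if __name__ == "__main__":
    for n in parse_neighbors(SAMPLE_OUTPUT):
        print(f"{n['rid']:<10} {n['intf']:<20} {n['state']}/{n['role']:<8} {n['verdict']}")
```

A neighbor that is missing from the table entirely is a different case: hello/dead timer, area or subnet mismatches stop the hello from being accepted, so no row is ever created.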
OSPF Broadcast Network Type
Enabled by default on FDDI and Ethernet
Have DR and BDR elections
Multicast updates send (dont have to use neighbor command)
Hello is 10s / Dead is 40s
Command: ip ospf network broadcast
OSPF Non-Broadcast Network Types
Enabled by default on Frame Relay and X.25
DR/BDR elections
Must manually config neighbor routers using neighbor command
Hello is 30 / Dead is 120
use command ip ospf network non-broadcast
OSPF point-to-point network type
Enabled by default on HDLC and PPP
DR/BDR elections are not done
Multicast updates sent - no need to use Neighbor command
Hello / Dead : 10/40
Use ip ospf network point-to-point
OSPF point-to-multipoint networks
DR/BDR elections not done
Uses multicasts
Hello / Dead : 30 / 120
ip ospf network point-to-multipoint
OSPF point-to-multipoint nonbroadcast network
DR/BDR elections NOT done
must use neighbors to manually config neighbors
Hello / Dead are 30 / 120
ip ospf network point-to-multipoint non-broadcast
Layer 3 Security Options in WLC using GUI
Different for WLAN and Guests:
Found in Layer3 Security dropdown on Layer3 tab of Security in the GUI:
**Must select L2 security before selecting L3 security**
None - WLAN or Guest
IPSec - WLANs only
VPN Pass-through - WLANs only - allows client to establish connection specific VPN server
Web Authentication - Guest only - prompts for username/password when the client connects to the network
Web Passthrough - Guest only - enables direct access to network for Guest LAN w/o prompting for username/password
Layer 2 Security Options in WLC
Security then Layer2
**Can’t do L2 security on Guest LAN**
Options:
None
WPA + WPA2
802.1X - Uses EAP and dynamic WEP key
Static WEP - uses static shared WEP key
Static WEP + 802.1X - uses shared WEP or EAP
CKIP - uses CKIP
None+EAP Passthrough - uses open authentication with EAP authorization
What error would you get if you installed SFP not supported
SYS-3-TRANSCEIVER_NOTAPPROVED
What happens if you connected cable to wrong port?
See ports on switch up but line protocol down
What do you see if there is issue with fiber cable
You’d see port status lights on the SFP module not lit
What is AES
Advanced Encryption Standard (symmetric block cipher)
Used in WPA2 (CCMP) and WPA3 (GCMP)
Stronger than the RC4 stream cipher used in WEP and WPA
128-bit block size, with a key of 128, 192 or 256 bits
What is CCMP
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
AES in counter mode for confidentiality plus CBC-MAC for integrity (an authenticated-encryption mode)
Used by WPA2
What is RC4
Stream cipher
Used in WEP (and, via TKIP, in WPA)
Not secure - keystream biases and WEP's per-packet key construction let the key be recovered, and the linear CRC-32 ICV lets an attacker flip bits undetected
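Why the WEP row in the table above pairs RC4 with a CRC-32 "integrity" check is worth seeing in code. This is an added example (not from the flashcards) using only the standard library: a plain RC4, a WEP-style frame body (clear IV, then RC4 over payload plus CRC-32 ICV), and the classic bit-flipping forgery from Borisov, Goldberg and Wagner's 2001 analysis of WEP. Because CRC-32 is affine over GF(2), an attacker who never learns the key can XOR a chosen delta into the ciphertext and fix up the encrypted ICV so the receiver still accepts the frame. The key, IV and message are constructed values.

```python
"""RC4-based WEP framing and the CRC-32 bit-flip weakness (added example, pure stdlib)."""
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: KSA then PRGA, output XORed with data (encrypt and decrypt are the same)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP-style body: IV in clear, then RC4(IV||key) over payload||ICV. ICV = CRC-32, little-endian."""
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + rc4(iv + key, payload + icv)


def wep_decrypt(key: bytes, frame: bytes):
    """Return (payload, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    payload, icv = plain[:-4], plain[-4:]
    return payload, zlib.crc32(payload).to_bytes(4, "little") == icv


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker with NO key: XOR delta into the ciphertext and patch the encrypted ICV.

    CRC-32 is affine over GF(2): crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of the same length),
    so the ICV correction depends only on delta and can be applied through the keystream.
    """
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole payload (zero bytes where nothing changes)")
    new_payload_ct = bytes(c ^ d for c, d in zip(body[:n], delta))
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    new_icv_ct = bytes(c ^ d for c, d in zip(body[n:], icv_delta))
    return iv + new_payload_ct + new_icv_ct


def demo():
    """Forge 'alice' -> 'eve  ' in an intercepted frame without the key; returns (payload, ok, naive_ok)."""
    key, iv = b"\x01\x02\x03\x04\x05", b"\xaa\xbb\xcc"  # constructed 40-bit key and IV
    frame = wep_encrypt(key, iv, b"pay 10.00 to alice")
    old, new = b"alice", b"eve  "
    delta = bytes(len(frame) - 3 - 4 - len(old)) + bytes(a ^ b for a, b in zip(old, new))
    forged = flip_bits(frame, delta)
    payload, ok = wep_decrypt(key, forged)
    # Flipping the payload without patching the ICV: the only thing CRC-32 does catch.
    naive = frame[:3] + bytes(c ^ d for c, d in zip(frame[3:-4], delta)) + frame[-4:]
    _, naive_ok = wep_decrypt(key, naive)
    return payload, ok, naive_ok


if __name__ == "__main__":
    print(demo())
```

A keyed MIC (Michael in TKIP, CBC-MAC in CCMP, GMAC in GCMP) is not linear in the message, which is why the same trick fails against WPA and later.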
TKIP
Temporal Key Integrity Protocol
Provide MIC and encryption
Used in WPA
Better that WEP but uses RC4 as encryption algorithm
GCMP
Galois/Counter Mode Protocol
Used with AES for MIC and encryption
Used in WPA3
Uses GMAC for the MIC
What command should you use to get general info about AP on WLC
show ap config general [AP name]
Shows IP address and other info on Cisco AP
How can you get detailed info on AP on WLC
show ap config general [ap name]
includes AP IP, default gateway IP, DNS
See Syslog server settings for all APs joined to WLC
show ap config global
can see syslog host, logging level, telnet, ssh, TX power, antenna status.
How see memory dump for AP
show ap core-dump [ap name]
large and used for troubleshooting
How see crash dumps and radio core dump from APs
show ap crash-file
What is PSK
Its Key Management method
Used in WPA or WPA2
Wireless clients connect to network w/ Key configed on WLC
Key can be ASCII or HEX
Key management on WLC
PSK
802.1X
CCKM
What is 802.1X
Default key management for WPA and WPA2 Enterprise
Requires a RADIUS server (the authentication server)
Uses EAP to authenticate users
What is CCKM
Cisco Centralized Key Management - Cisco's key management method for fast, secure roaming between APs
What is FIB
Forwarding Information Base
All prefixes from IP routing table structured in way optimized for forwarding
The FIB and Adjacency table are 2 main componets of Cisco Express Forwarding (CEF)
Is synced with IP routing table
IP prefixes are ordered so that when an L3 address is compared to the FIB the longest, most specific match is found first - makes lookups faster
What is the adjacency table?
maintains L2 addressing info for FIB
each network prefix in FIB assoc with next-hop addy and OB interface
IPSec
Provides data confidentiality, data integrity and origin authentication
Uses ESP for confidentiality (and optionally integrity) - in tunnel mode it encrypts the entire original IP packet and encapsulates it in a new one
Uses AH to ensure the integrity of the packet and to authenticate it (no encryption)
AH verifies that the packet, including the source address, was not modified in transit - peer identity is authenticated by IKE when the tunnel is built
GRE handles lots of protocols but is not secure - IPSec only carries IP but is highly secure
Package them together as GRE over IPSec.
GRE
Generic Routing Encapsulation
Provides broadcast and multicast packet encapsulation
Developed by Cisco, now an open standard (RFC 2784)
Can tunnel traffic from one network to another without requiring the transport network to support the protocols in use at the tunnel source/destination
Can transport many different protocols - but provides no security (no encryption or authentication)
Combine GRE with IPSec
802.1w
RSTP
Includes Portfast, Uplink Fast, Backbone Fast
802.1D
Traditional STP
802.1s
Multiple STP
Creates multiple STP on network
Difference btw PortFast, Uplink Fast and Backbone Fast
Portfast puts port to immediately in forwarding state
Uplink Fast - speeds convergence for an access-layer switch that detects a failure on its root port by immediately replacing the root port with an alternate root port
Backbone Fast - speeds convergence for switches that detect a failure on links not directly connected to them
What is BPDU Loop Guard
Prevents non-designated ports from inadvertently forming bridging loops if the steady flow of BPDUs is interrupted (e.g. a unidirectional link)
If a port stops getting BPDUs it goes into the loop-inconsistent state and blocks
Once it gets BPDUs again the port is re-enabled and goes through the normal STP states
To enable globally: spanning-tree loopguard default
Or on a port: spanning-tree guard loop
How GRE over IPSec works
Sending dev combines session key w/ data
Uses session key to encrypt key and data
Sending dev encapsulates data and key into packet with VPN header and new IP header
Send dev
How to set the enable secret by entering the hash instead of the password
enable secret 5 [md5 hash] (type 5 = salted MD5 crypt, one-way)
What type of encryption is used by service password-encryption
Type 7 - a reversible obfuscation with a fixed key, not real encryption; anyone who can read the config can recover the password
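To make the type 7 point concrete, here is an added example (not from the flashcards) that decodes and encodes type 7 strings with the fixed key stream every IOS image uses, and scans a config for reversible credentials. The two encoded strings in the constructed config snippet are the textbook encodings of "cisco"; the type 5 hash is only there to show the scanner skipping one-way secrets. Types 8 and 9 in the table are newer than the card mentions but are real IOS secret types.

```python
"""Cisco type 7 'encryption' is reversible; decode/encode it and scan a config for it (added example)."""
import re

# Fixed key stream that every IOS image uses for type 7 (well known, published in the 1990s).
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """First two chars are the decimal seed (offset into XLAT), then one hex byte per character."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])
    out = bytearray()
    for i, pos in enumerate(range(2, len(encoded), 2)):
        out.append(int(encoded[pos:pos + 2], 16) ^ ord(XLAT[(seed + i) % len(XLAT)]))
    return out.decode()


def type7_encode(plain: str, seed: int = 8) -> str:
    """Inverse of type7_decode; IOS picks a seed of 0-15 at random."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    body = "".join(
        f"{b ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}" for i, b in enumerate(plain.encode())
    )
    return f"{seed:02d}{body}"


# Secret types you will see in 'show running-config'.
SECRET_TYPES = {
    "0": "plaintext",
    "5": "salted MD5 (one-way)",
    "7": "reversible obfuscation (treat as plaintext)",
    "8": "PBKDF2-SHA256 (one-way)",
    "9": "scrypt (one-way)",
}

CRED_RE = re.compile(r"\b(password|secret|key)\s+(\d)\s+(\S+)")


def find_type7(config: str):
    """Return (line, decoded_password) for every reversible credential in a config."""
    hits = []
    for line in config.splitlines():
        m = CRED_RE.search(line)
        if m and m.group(2) == "7":
            hits.append((line.strip(), type7_decode(m.group(3))))
    return hits


# Constructed config snippet; both type 7 strings are the textbook encodings of 'cisco'.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username admin password 7 0822455D0A16
line vty 0 4
 password 7 094F471A1A0A
 login
"""

if __name__ == "__main__":
    for line, plain in find_type7(SAMPLE_CONFIG):
        print(f"{line!r} -> {plain!r}")
```

The practical rule that follows: use username ... secret and enable secret (one-way types), and treat any config file containing type 7 strings as if it contained the passwords in clear.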
IPv6 Unicast
For a single interface
Types: Global Unicast, Link Local, Loop Back, Unspecified
IPv6 MultiCast
ID’s set of interfaces belonging to different nodes
Scope can be node, link, site, organization or global
4-bit field in the prefix id’s scope
Types: Solicited node, All nodes, All routers
Use prefix FF00::/8
IPv6 Addy types
Unicasts
MultiCasts
AnyCasts
IPv6 Anycast
Set of interfaces that belong to different nodes
Similar to multicasts but only sent to one interface and not all
Sends to the closest node
Global Unicast address
Unique IPv6 addy assigned to host interface
Same as IPv4 public address
Routable on the internet
Link-Local IPv6 Address
Allows communication btw neighboring hosts on same link
Have local scope and cannot be used outside link
Prefix FE80::/10
Loopback IPv6 Address
Used on loopback interface
::1/128
Unspecified IPv6 Address
All 0s
::/128
Solicited Node Address
Multicast addy
Neighbor Solicitation (NS) messages sent here
All-nodes Address
Multicast
Router Advertisements sent here
All-Router IPv6 Address
Router solicitation messages sent here
Is multicast address
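The IPv6 cards above (EUI-64 addressing, link-local, solicited-node and the all-nodes multicast group) all come down to bit manipulation, so here is an added example (not from the flashcards) that derives them with the standard library: the EUI-64 interface ID from a MAC, the resulting global and link-local addresses, the solicited-node group an NS is sent to, the 33-33 multicast MAC for any IPv6 group, and the reverse step of recovering a MAC from an EUI-64 address, which is why privacy extensions exist. The MAC and prefix are constructed values.

```python
"""EUI-64, link-local, solicited-node and IPv6 multicast MAC derivation (added example)."""
import ipaddress


def mac_bytes(mac: str) -> bytes:
    """Accept 0000.0c07.ac01, 00:00:0c:07:ac:01 or 00-00-0c-07-ac-01."""
    raw = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    return raw


def eui64_interface_id(mac: str) -> int:
    """Insert ff:fe in the middle and flip the universal/local bit (bit 1 of the first byte)."""
    m = bytearray(mac_bytes(mac))
    m[0] ^= 0x02
    return int.from_bytes(bytes(m[:3]) + b"\xff\xfe" + bytes(m[3:]), "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """What 'ipv6 address <prefix>/64 eui-64' (or SLAAC without privacy extensions) yields."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address 'ipv6 enable' derives from the interface MAC."""
    return eui64_address("fe80::/64", mac)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address (NS target)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def ipv6_multicast_mac(addr: str) -> str:
    """33-33 plus the low 32 bits of the group address, in Cisco dotted-hex form."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not multicast")
    low = f"{int(a) & 0xFFFFFFFF:08x}"
    return f"3333.{low[:4]}.{low[4:]}"


def reverse_eui64(addr: str):
    """If the interface ID looks EUI-64 derived, recover the MAC it leaks; else None."""
    iid = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return bytes(b[:3] + b[5:]).hex(":")


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed MAC
    g = eui64_address("2001:db8::/64", mac)
    print("global     :", g)
    print("link-local :", link_local(mac))
    print("sol-node   :", solicited_node(str(g)), "->", ipv6_multicast_mac(str(solicited_node(str(g)))))
    print("all-nodes  : ff02::1 ->", ipv6_multicast_mac("ff02::1"))
    print("leaked MAC :", reverse_eui64(str(g)))
```

The reverse function is the security takeaway: an EUI-64 address exposes the hardware MAC to every peer on the Internet, and the same host is trackable across prefixes, which is why client operating systems default to randomized or privacy interface IDs.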
SMTP
Simple Mail Transfer Protocol
Uses TCP port 25
SNMP
Simple Network Management Protocol
UDP port 161
What does the vty password do
It requires a password whenever you access the router remotely over a vty line
(ssh / telnet)
How to set the console password
Used when a cable is physically connected to the router's console port
When the password is entered, the user lands in user EXEC mode
line console 0
password [password]
login
How to set the telnet (vty) password
line vty 0 15
password [password]
login
Multicast MAC address
Begins with 01-00-5E
RFC 1918
A Class: 10.0.0.0 - 10.255.255.255
B Class 172.16.0.0 - 172.31.255.255
C Class 192.168.0.0 - 192.168.255.255