Main Flashcards
What is
FF02::1, FF02::2, FF02::5, FF02::6, FF02::9, FF02::A?
Link-Local Multicast IPv6 addresses
• FF02::1 = group that all nodes (a.k.a. = all hosts) must join (like an IPv4 broadcast)
• FF02::2 = group that all IPv6 routers must join
• FF02::5 = group that all IPv6 OSPF routers must join
• FF02::6 = group that all IPv6 OSPF DR’s must join
• FF02::9 = group that all IPv6 RIP routers must join (except RIPv1)
• FF02::A = group that all IPv6 EIGRP routers must join
The full unabbreviated IPv6 address reads as FF:02:0:0:0:0:0:0:1
OSPF Metric Cost for:
Ethernet – Fast Ethernet – Gigabit – 10Gigabit?
OSPF Metric is determined based on the bandwidth of an interface vs the reference bandwidth
Cost = reference bandwidth / interface bandwidth
The default reference bandwidth for OSPF is 100mbps
OSPF rounds any cost below 1 up to 1; since most of today's technologies are faster than 100mbps, this results in a table like the one below:
                    Ethernet   FastEthernet   Gigabit   10Gigabit
Default Metric =    10         1              1         1
Should be      =    1,000      100            10        1
auto-cost reference-bandwidth xx-xx
is the cli command to change the OSPF default reference bandwidth
ip ospf cost
cli will allow you to manually configure an OSPF metric per interface
What is 01-00-5E-… ?
part of an IPv6 virtual MAC address for Multicast
Tables:
CAM vs MAC
A “MAC table” tells you what data the table holds, in this case MAC addresses
A “CAM table” tells you the technical nature of the table - content-addressable memory, or a cache, that performs fast parallel lookups
So, the MAC table refers to the content while the CAM table refers to the organization and principle of operation
A CAM table may hold many different kinds of data
FIB vs ARP
FIB = a layer 3 construct that contains an optimized list of all prefixes from the IP routing table
The ARP table is a layer 3 function used to map (L2) MAC addresses to (L3) IP addresses
If no ARP entry exists, an ARP broadcast is sent out, and the table is updated with the response
NORTHBOUND APIs (NBI)?
List the APIs & the language they are written in or their model of delivery
REST (XML or JSON) [HTTP]
OSGi (Java)
SOUTHBOUND APIs (SBI)?
List the APIs & the language they are written in or their model of delivery
NETCONF (XML or RPC) Relies on SSH for transport
OnePK (Cisco-Java or C or Python) Cisco Proprietary
OpenFlow (Python) Uses the imperative SDN model - sends specific instructions, managing network devices and policies directly
OpFlex (XML or JSON) Uses the declarative SDN model - vague instructions let the device decide how to implement them
Where does the Management Plane reside?
The Management Plane is a logical subset of the Control Plane
Any management traffic for the local device (such as SSH) is part of the management plane
- Application Plane
- Control Plane (Management Plane)
- Data Plane
What does default-information originate do?
The cli
default-information originate
will cause the router to inject its own default route into the OSPF routing table as an external route, thereby advertising its default route to neighboring routers
It will also automatically become an (ASBR) Autonomous System Boundary Router
Even without default-information originate, if the cli command
redistribute
is entered, the router will also become an ASBR
What is DAI?
Dynamic ARP Inspection - is a security feature that validates Address Resolution Protocol (ARP) packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC-address-to-IP-address bindings
Mitigates attacks known as ARP spoofing or ARP poisoning attacks
Unique local unicast always begins with?
Unique global unicast always begins with?
Unique local unicast =
FC or FD, because the first 7 bits of their address are always 111111xx (i.e. 11111100 or 11111101)
Unique global unicast =
always begins with a 2 or 3 (i.e. 2000::/3)
What does static client mode mean?
A static client receives its time from one specific NTP server. The cli command on the client is
ntp server {IP address of the NTP server}
What is BPDU Guard?
BPDU guard protects access ports (those with PortFast and BPDU guard enabled) from accepting a Bridge Protocol Data Unit. Upon receiving a BPDU, a port with BPDU guard enabled is placed in an error-disabled state, which prevents Spanning Tree loops
BPDU guard should be enabled on all ports that have PortFast enabled
A port shut down by BPDU guard must be manually re-enabled, unless the cli commands errdisable recovery cause bpduguard and errdisable recovery interval {time} have been run against the port
What is Root Guard?
Root Guard prevents a root bridge from accepting a superior BPDU (preventing it from losing an election and therefore maintaining its Root Bridge status). Basically, this prevents newly installed switches (that might incidentally have a lower priority) from being elected root
Root Guard is applied per port (not globally) and inverts the word order of the feature's name; the cli command is therefore
spanning-tree guard root
Thanks for that, Cisco!
What is the difference between the:
- AP-Manager Interface (what protocol?)
- Management Interface (what protocol?)
- Service port Interface on a WLC?
The AP-manager is for Layer 3 communication between WLC and APs using CAPWAP's two-tunnel protocol (it's not a physical port)
The Management interface is for Layer 2 communication between WLC and APs, as well as other WLCs, using the LightWeight Access Point Protocol (LWAPP) (also not a physical port)
The Service port interface is used for maintenance purposes of the WLC itself (it IS a physical port)
Syslog error mnemonic?
Every / Awesome / Cisco / Engineer / Will / Need / Ice-Cream / Daily
Emergency-0 / Alerts-1 / Critical-2 / Error-3 /
Warning-4 / Notification-5 / Informational-6 / Debug-7
What is APIC?
What are the 3 main reasons it’s used?
This is SDN (Software-Defined Networking)
APIC is Cisco's Application Policy Infrastructure Controller. Basically, it is Cisco's naming convention for its version of ACI (Application Centric Infrastructure)
It's the main architectural component and unified point of automation and management for the Cisco ACI fabric, used for:
Health monitoring
Optimization of performance and agility
Policy enforcement
(HOP)
What is WDS?
WDS - Wireless Domain Services - is a component used in Cisco's Autonomous WLAN solution - it's a feature that is installed on APs to enable interaction with WLSE
(like client software for the WLSE)
AAA?
Authentication (who are you?)
Authorization (what access do you have?)
Accounting (what have you done?)
Cisco proprietary or non-proprietary, and what do the acronyms stand for?
RADIUS?
TACACS?
RADIUS = (Remote Authentication Dial-In User Server)
is non-proprietary
TACACS = (Terminal Access Controller Access Control System)
is a Cisco-only protocol
Security acronyms:
• IKE
• SA (works with?)
• AH (works how?)
• ESP (works with?)
• GRE (effectiveness in comparison to others)
- IKE = Internet Key Exchange (works with IKE+SA and/or IPSec+IKE)
- SA = Security Association (works with IKE+SA and/or IPSec+SA)
- AH = Authentication Header (embedded within a packet)
- ESP = Encapsulating Security Payload (encapsulates a packet as part of IPSec)
- GRE = Generic Routing Encapsulation - tunnels any Layer 3 protocol - generic and therefore weak compared to protocol specific security transport methods like IPSec or PPPoA or PPPoE
IP ARP inspection – all ports are trusted or untrusted by default?
All ports are untrusted by default when Dynamic ARP Inspection (DAI) is enabled
To trust, you need the
ip arp inspection trust
cli command applied in port configuration
RFC 1918 (private IPs)?
A - 10.0.0.0/8 -> 10.255.255.255 (all of 10.x.x.x)
B - 172.16.0.0/12 -> 172.31.255.255 (only 172.{16-31}.x.x)
C - 192.168.0.0/16 -> 192.168.255.255 (all of 192.168.x.x)
OSPF (DR & BDR)
Timers? / Elections? / Multi-cast sent? / Manual / Neighbors? / Defaults?
- Broadcast
- NonBroadcast
- Point-to-Point
- Point-to-Multipoint Broadcast
- Point-to-Multipoint NonBroadcast
Broadcast: Hello/dead timers 10/40; DR & BDR elections = yes; multicast updates are sent; manual config of neighbor is NOT required; default for Ethernet & FDDI
NonBroadcast: Hello/dead timers 30/120; DR & BDR elections = yes; multicast updates are not sent; manual config of neighbor IS required; default for Frame Relay & X.25
Point-to-Point: Hello/dead timers 10/40; DR & BDR elections = no; multicast updates are sent; manual config of neighbor is NOT required; default for HDLC & PPP
Point-to-Multipoint Broadcast: Hello/dead timers 30/120; DR & BDR elections = no; multicast updates are sent; manual config of neighbor is NOT required
Point-to-Multipoint NonBroadcast: Hello/dead timers 30/120; DR & BDR elections = no; multicast updates are not sent; manual config of neighbor IS required
ABR vs ASBR?
ABR = (Area Border Router) is a router with interfaces in multiple OSPF areas
ASBR = (Autonomous System Boundary Router) is a router which redistributes routes into OSPF (even from another protocol)
FHRP: What does it stand for?
Which one is Cisco Proprietary? Single Active or Multiple Active?
- HSRP (Hot Standby Routing Protocol)
- VRRP (Virtual Router Redundancy Protocol)
- GLBP (Gateway Load Balancing Protocol)
FHRP (First Hop Redundancy Protocol) is a Layer 2 protocol that works only in the local subnet
- HSRP (Hot Standby Routing Protocol) = Cisco Proprietary - Single Active (cannot load balance)
- VRRP (Virtual Router Redundancy Protocol) = Non-Proprietary - Single Active (is not meant to load balance)
- GLBP (Gateway Load Balancing Protocol) = Cisco Proprietary - Active + 4 active virtual forwarders (load balancing)
What is BSS / ESS /IBSS?
(X) Service Set
- (Basic) - BSS is a single AP topology
- (Extended) - ESS is a topology of 2 or more overlapping APs
- (Independent) - IBSS is a wireless topology with no APs at all
What are the transport, architecture, configuration (names of modules) and scripting language for:
- Ansible
- Puppet
- Salt
- Chef
Ansible: transport SSH-TCP 22 / architecture client/server (without agent software) / configurations PLAYBOOKS / language YAML
Puppet: transport HTTPS-TCP 8140 / architecture client/server / configurations MODULES / language PuppetDSL or RubyDSL
Salt: transport ZeroMQ-TCP 4505/6 / architecture client/server / configurations SCRIPTS / language YAML or Python or PyDSL
Chef: transport HTTPS-TCP 443 / architecture client/server or standalone / configurations COOKBOOKS / language Ruby DSL
Are FlexConnect ACLs supported on the local VLAN?
Are FlexConnect ACLs applied to the [AP & VLAN] or [AP & Interface]?
Yes, as long as the ACL is not inherited from a FlexConnect group
FC ACLs are applied per AP & VLAN - NOT per AP & Interface!!
Are per direction FlexConnect Access Lists possible?
No, unlike regular ACLs, you cannot create a per-rule direction in a FlexConnect ACL
What is in the EIGRP Neighbor table?
Neighbor table - stores information about EIGRP neighbors. Before exchanging routes, routers need to establish a neighbor relationship
It lists all adjacent routes, including the routes that are not successors or feasible successors
What does
mls qos trust cos
command do?
Moves the trust boundary from the switch to the IP phone, which tells the switch to accept the traffic as having come from a trusted source
*(MLS) Multi Layer Switching
[tells the SWITCH to trust the PHONE and its subsequent packet prioritization, even for those packets that were sourced by the host attached to the IP phone]
What is the difference between an NTP static client and an NTP broadcast client?
What does the cli command ntp peer do?
A static client can get its time only from the one NTP server specified for it, whereas a broadcast client can get its time from any NTP server on the network
ntp peer is used when an NTP host will attempt to sync with another NTP host (a peer); this is called NTP symmetric mode, and it may synchronize the other host or be synchronized by it
WLC dynamic interfaces are user defined and used for client data. T or F ?
There are 256 dynamic interfaces per WLC. T or F?
True, WLC dynamic interfaces are user defined and used for client data
False, there are 512 dynamic interfaces per WLC
Dynamic interfaces function like a VLAN, to segment traffic
What percentage of overlap is considered ideal for wireless coverage?
10%-15% (with non-overlapping channels)
Name 2 Link State and 2 Distance Vector protocols?
Link State = OSPF & IS-IS
Distance Vector = RIP & IGRP
PortFast, UplinkFast & BackboneFast are what?
What protocol includes it natively?
These are all Spanning Tree Protocol features
PortFast - enables a port to immediately access the network without listening and learning first
UplinkFast - increases convergence speed for access layer switches; when a Root Port fails, it immediately replaces it with an alternate root port
BackboneFast - increases convergence on a switch that detects a failure on links that are not directly connected
802.1w a.k.a. Rapid Spanning Tree Protocol (RSTP) includes these three features natively
Is the DAI command cli
ip arp inspection vlan
applied to the VLAN or to the interface?
ip arp inspection vlan
is the cli command to enable DAI on VLANs
It CANNOT be run in interface configuration mode
To trust a port in interface configuration mode you would need the cli command
ip arp inspection trust
Collision vs. late collision?
collisions - occur when a packet must be re-sent BEFORE the 64th or 512th bit has been transmitted
late collisions - occur when a packet must be re-sent AFTER the 64th or 512th bit has been transmitted
Maximum Transmission Unit (MTU)
What is a Runt / Giant / Baby Giant / Jumbo ?
- Runt - a frame with fewer than 64 bytes (they are discarded)
- *Giant - a frame that exceeds 1,518 bytes; anything up to 1,522 bytes will not generate a baby giant error
- *Baby Giant - a frame that is up to 1,600 bytes in length (baby giant error = 1,600)
- Jumbo - a frame that is up to 9,216 bytes (newer frame sizes)
What are the 4 types of IPv6 routes and their syntax (the order) ?
A fully specified route =
Mostly used when the outbound interface is multiaccess and could therefore be configured with multiple next-hop addresses
IPv6 route {destination network/CIDR} {the router's outbound interface to the next-hop} {next-hop IPv6 address}
i.e. ipv6 route 2001:db8a/32 fa 0/1 2001:db8:b::1
A directly attached static route =
Specifies the destination and only the outbound interface. The router must assume the destination is reachable through this outbound interface
IPv6 route {destination network/CIDR} {the router's outbound interface to the next-hop}
i.e. ipv6 route 2001:db8a/32 fa 0/1
A recursive static route =
Specifies the destination and only the next-hop. This next-hop IPv6 address must be resolvable through the outbound interface
IPv6 route {destination network/CIDR} {next-hop IPv6 address}
i.e. ipv6 route 2001:db8a/32 2001:db8:b::1
A floating static route =
A floating static route is a backup route and can be any of the above 3 types, with an Administrative Distance (AD) higher than the primary route. 5 represents the AD in the 3 examples below:
(fully specified static route) ipv6 route 2001:db8a/32 fa 0/1 2001:db8:b::1 5
(directly attached static route) ipv6 route 2001:db8a/32 fa 0/1 5
(recursive static route) ipv6 route 2001:db8a/32 2001:db8:b::1 5
FHRP virtual MACs:
• HSRP version 1?
• HSRP version 2?
• VRRP?
• GLBP?
HSRP v 1 virtual MAC - 0000.0C07.ACxx
(Cisco proprietary)
HSRP v2 virtual MAC - 0000.0C9F.Fxxx
(Cisco proprietary)
VRRP virtual MAC - 0000.5E000.01xx
(non proprietary)
GLBP virtual MAC - 0005.B400.xxyy
(Cisco proprietary)
Which Message Integrity Check (MIC) is associated with which security protocol?
TKIP / CCMP / RC4 / AES / GCMP
WEP / WPA / WPA2 / WPA3
- RC4 is for WEP - (Rivest Cipher 4)
- TKIP is for WPA - (Temporal Key Integrity Protocol)
- CCMP is for WPA 2 - (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
- AES is for WPA 2 & 3 - (Advanced Encryption Standard)
- GCMP is for WPA3 - (Galois/Counter Mode Protocol)
What do the 4 control frames of 802.11 stand for?
RTS / CTS / ACK / PS
- RTS - Ready to Send - manage interference
- CTS - Clear to Send - manage interference
- ACK - Acknowledgment - acknowledgment
- PS - Power Save - client asks AP if frames might have been buffered while it was resting
Does OSPF support equal cost load balancing; does EIGRP?
OSPF does support equal cost load balancing
Don’t forget to issue the cli command
maximum-paths 8
to override OSPF’s default max of 4 equal cost paths in the routing table
EIGRP supports BOTH equal and unequal cost load balancing
What is the difference between link state and distance vector from a routing table (not metric) perspective?
Distance vector protocols (like RIP, IGRP) send their entire routing table to directly connected neighbors
Link state protocols (like OSPF & IS-IS) send information about directly connected links to all the routers in the network - stays constantly connected
EIGRP is a Hybrid (but closer to Distance Vector)
Standard numbered ACLs are numbered?
Extended numbered ACLs are numbered?
1-99 and 1300-1999
100-199 and 2000-2699
Cisco applications?
• Cisco Network Assistant
• Cisco DNA Center
• Cisco PI
• Cisco IOS
Cisco DNA Center - Browser-based GUI for network configuration and centralized control - Enterprise management solution built specifically for Cisco's SDA, for building LANs using policies and automation
Cisco Network Assistant - Java-based desktop application GUI for operations, diagnostics and interaction with devices (predates SDA and is not supported by SDA)
Cisco PI (Prime Interface) - Browser-based GUI for operations, diagnostics and interaction with devices (predates SDA and is not supported by SDA)
Cisco IOS - Cisco’s CLI Operating System (OS) for switches and routers
What component creates VXLAN tunnels between the SDA switches?
- The overlay network creates the VXLAN tunnels
- The underlay network is a more traditional network configuration of switches
Alphabet soup:
Cisco’s Software Defined Networking (SDN)
is called Software Defined Access (SDA)
and is controlled by a Digital Network Architecture (DNA) controller.
What are the 4 main steps in order, to enable SSH for VTY lines?
- hostname - give the router a name other than “Router”
- ip domain-name - configure the domain name
- crypto key generate rsa - generate an RSA key pair for the router
- transport input ssh - finally, configure the VTY lines to use SSH
The ip ssh time-out xy
command will be accepted by the router even before the above commands are issued and SSH is set up, even though it is irrelevant unless SSH is set up properly first
Route selection: AD vs longest prefix, when is one chosen over the other?
When multiple routes to a network exist and each route uses a different protocol, the router prefers the one with the lowest AD (Administrative Distance)
When multiple overlapping routes to a network exist, the router will select the route with the longest prefix length, the most specific route
What is the main difference between routing tables in EIGRP and OSPF?
EIGRP exchanges the complete routing information just one time, when the neighbor relationships are established. After that it only tracks the changes
OSPF keeps track of the whole topology database, of all the connections in the database, consistently
What value (#) does a VoIP phone assign as a CoS priority to traffic it receives from a host on its own access port by default?
What value (#) does a VoIP phone assign its own data traffic / its own voice signaling traffic by default?
(0-7, higher is better)
- 0 (zero) - The default behavior of a Cisco IP phone is to override the CoS value assigned by the host and reassign the lowest CoS priority value of a 0 to the data packets
- 5 for VoIP data traffic (this is the voice)
- 3 for voice signaling traffic
Does the global cli command
no lldp holdtime
prevent lldp from being held?
No!
LLDP entries will always be held
no lldp holdtime
restores the lldp holdtime to the default setting of 120, effectively overriding any manual changes to the hold time
- think of it as, don’t use any previous manual changes to the holdtime anymore
Manual changes can be made to the hold time from 0 - 65535 using the cli command
lldp holdtime x
Is PortFast automatically enabled on voice VLAN ports?
Yes; however, PortFast is NOT disabled if the voice VLAN is disabled
PortFast should only be enabled on access mode ports
PortFast can be applied globally or to the individual interface, the cli commands are:
• Global mode - spanning-tree portfast default
• Interface mode - spanning-tree portfast
Does
power inline police
restart a port if a Power Device (PD) attempts to draw more than its allocated amount of power?
No, by default it will error disable the port, forcing the administrator to shut and then no shut the port manually
If the global cli command
errdisable recovery cause inline-power
has been issued, the ports on that switch will automatically recover from an error disable caused by inline power policing
The default behavior of inline police can be changed with the cli command
power inline police action log
this will not error-disable the port in the event of a power incident; instead it will restart the port and send a log message to the console
Is the Site-Local unicast address used to form neighbor adjacencies in non-broadcast OSPF networks?
No, the Link-Local unicast address is used. Link-local addresses always begin with FE8, FE9, FEA or FEB
Site-Local unicast addresses have been deprecated by RFC 3879 and are not used today
How many bits are in a MAC address, how many octets?
48 bits, and 6 octets of 8 bits each
What/where is the division between Organizational Unique Identifier (OUI) and the unique Network Interface Card (NIC)?
The divider is at 3 octets (out of 6) - a 24-bit divider
[48 bits divided in 2]
MAC addresses are unique because they are broken down into two parts, like so:
OUIs are assigned by the IEEE to identify the manufacturer
NICs are assigned by the manufacturer to be unique among the products they produce
OUI | OUI | OUI ||| NIC | NIC | NIC
8 bits / 8 bits / 8 bits ||| 8 bits / 8 bits / 8 bits
In general terms, define IaaS, SaaS and PaaS?
IaaS - Infrastructure as a Service gives the greatest degree of freedom to the consumer over provisioning: processing, memory, storage and networking resources. The customer can install OSs and applications
PaaS - Platform as a Service is the middle ground of the three services. It allows the customer to install programs and programming languages. Often used to create cloud-based databases and customer relationship management tools
SaaS - Software as a Service provides access to software running in the cloud. This option exposes the least amount of the customer's network to the cloud. Often it is implemented as browser-based access to applications like an Office Suite or email services
What do these 802.11 data frame fields stand for and what does each do?
• FC
• DUR
• ADD1
• ADD2
• ADD3
• SEQ
• ADD4
• Data
• FCS
- FC - Frame Control - is used to identify the type of 802.11 frame
- DUR - Duration - used by Control Frames to indicate transmission times; also used by Power Save (PS) poll control to indicate the (AID) Association Identity of the client
- ADD1 - Source Address
- ADD2 - Destination Address
- ADD3 - BSSID Address
- SEQ - Sequence - divided to store two pieces of information, the fragment number and the sequence number
- ADD4 - Address 4 is only present when a frame is passing between devices in the (DS) Distribution System, basically from one AP to another AP
- Data - this is the reason for it all - the data payload
- FCS - Frame Check Sequence - it is used to determine if the frame as a whole was corrupted during transport
What is
password 7 {hash}
used for?
password 7 {hash}
is a cli command that configures an encrypted virtual terminal (VTY) login password when issued in the VTY configuration mode
Difference between:
switchport port-security violation restrict
switchport port-security violation protect
switchport port-security violation shutdown
restrict - will discard traffic it receives from unauthorized hosts. It will increment the SecurityViolation counter
protect - will discard traffic it receives from unauthorized hosts. It will not increment the SecurityViolation counter though
Stupid anagrams for Cisco's stupid naming convention:
R E s t r i c T = i n c R E m e n T
p r O T e c t = nOT
shutdown - will error-disable the port, and the port will not come back unless
shut
no shut
is performed manually or
errdisable recovery cause shutdown
had previously been issued against the port
Note:
port-security violation discard
does not exist!
Which character marks the start of a JSON Object? And an Array?
{
is the mark for the start of a JSON object - an object is a group of key and value pairs
[
is the mark for the start of a JSON array - arrays contain only values; an array can contain any of the other JSON types, including objects and even other arrays
What is WLSE / WDS / WiSM used for?
WLSE - Cisco's Wireless LAN Solution Engine - simplifies the management and deployment of WAPs (Wireless Access Points)
WDS - Wireless Domain Services - is a component used in Cisco's Autonomous WLAN solution - it's a feature that is installed on APs to enable interaction with WLSE (like client software for the WLSE)
WiSM - is a physical Wireless Service Module that can be installed in a Catalyst 6500 switch or 7600 router to function as a WLC
WLC - Wireless Lan Controller - provides wireless LAN services
What is in the EIGRP Routing table?
EIGRP Routing table – ONLY successors! It stores only the best routes to reach a remote network
Other than “none,” name the 6 Layer 2 wireless security settings and the 4 Layer 3 wireless security settings.
Layer 2:
• WPA+WPA2 = Wi-Fi Protected Access
• 802.1x = Port Based Access Control - works with RADIUS
• Static WEP = Wired Equivalent Privacy
• Static WEP + 802.1x
• CKIP = Cisco Key Integrity Protocol
• None + EAP Passthrough = Resolution Extensible Authentication Protocol
Layer 3:
• IPSec = IP Security
• VPN Passthrough
• Web Authentication
• Web Passthrough