# Advanced Networking Technologies
[toc]
:::info
- Everything is on Microsoft Teams.
- Evaluation
  - Project: 40%
  - Final exam: 60%
:::
---
## Reference
:::info
- [Course Wiki -- CTU](https://cw.fel.cvut.cz/wiki/courses/be2m32dsaa/start)
- [Moodle](https://moodle.fel.cvut.cz/course/view.php?id=8047)
- [Cisco online courses](https://cnap.comtel.cz/)
- [Subject of final exam](https://hackmd.io/@JoJoWei/BJ9jrVuda)
:::
---
## Project
- Topic: Enhanced scheduler module on OSC O-DU High
- Description:
:::success
We aimed to improve the scheduler in the OSC O-DU source code. The Open Software Community (OSC) is one of the bodies supported by the O-RAN Alliance to develop the basic software functions for O-RAN (Open Radio Access Network). One of its components is the O-DU (Open Distributed Unit), which hosts some of the network functions of the Radio Access Network: the O-DU hosts layer 2 (MAC), layer 3 (RLC) and some of the layer 1 (PHY) functions.
We focused on developing and improving the layer 2 (MAC) function. The MAC layer has an important role in the Radio Access Network: it maps logical channels to transport channels. A logical channel is the channel between the RLC and MAC layers, while a transport channel is the channel between the MAC and PHY layers. The other important function hosted by the MAC layer is the scheduler, which allocates radio resources to each UE depending on priority and on the scheduling algorithm.
In this project, we plan to improve the scheduler functionality in OSC O-DU. At the time of writing, the scheduler in OSC O-DU supports only its basic functionality, which leaves room for improvement. There are two improvements we want to add to OSC O-DU, namely dynamic MCS (Modulation and Coding Scheme) scheduling and multi-user scheduling per TTI (Transmission Time Interval).
:::
- Reference:
:::warning
[1] O. Sunay, S. Ansari, J. H. Sean Condon, W. Kim, R. Milkey, G. Parulkar, L. Peterson, A. Rastegarnia, and T. Vachuska, "ONF's software-defined RAN platform consistent with the O-RAN architecture," ONF, Tech. Rep., 2020. [Online]. Available: https://opennetworking.org/wp-content/uploads/2020/08/SD-RAN-v2.0.pdf
[2] O-RAN Software Community, "O-RAN Software Community Wiki." [Online]. Available: https://wiki.o-ran-sc.org/
[3] M. Polese, L. Bonati, S. D'Oro, S. Basagni, and T. Melodia, "Understanding O-RAN: Architecture, interfaces, algorithms, security, and research challenges," 2022.
:::
---
## Cisco online lesson
### Getting Started with Cisco Packet Tracer
- [Installation of Cisco Packet Tracer](https://skillsforall.com/launch?id=ec0847b7-e6fc-4597-bc31-38ddd6b07a2f&tab=curriculum&view=8aac0445-6a6d-5cc2-9380-b72ca1cb6e05)
### Chapter 1 - Routing Concepts
- overview of the syntax of IP routing
- key characteristics of networks
  - **Availability:** the network is available for use when it is required.
  - **Scalability:** how easily the network can accommodate more users and data transmission requirements.
  - **Reliability:** often measured as the probability of failure or the mean time between failures.
- why routing?
  - the router determines the best path to the destination using the routing table
  - it forwards received packets toward the destination network
- components of a network-capable device
  - a router is a specialized computer
  - Cisco devices run the Cisco Internetwork Operating System (IOS)
  - memory types
  - back panel of a router
- types of network
  - LAN: commonly an Ethernet network
  - WAN: connects networks over a large geographical area, e.g. a WAN connection is commonly used to connect a LAN to an Internet service provider (ISP)

:::success
- routing process of a router
  - remember that both R1 and R2 need to look up their routing table while a packet is sent from "192.168.1.0/24" to "192.168.3.0/24"
- packet forwarding mechanisms
  - Process switching: each packet must be processed by the CPU, which checks the destination individually
  - Fast switching: only the first packet of a flow is process-switched and added to the fast-switching cache; the next four packets are quickly processed based on the information in the fast-switching cache
  - Cisco Express Forwarding (CEF): builds a Forwarding Information Base (FIB) and an adjacency table after the network has converged, so all five packets are quickly processed in the data plane; this is the fastest solution
- default gateways
  - IP address: identifies the host on the local network
  - subnet mask: identifies which network subnet the host can communicate with directly
  - default gateway: identifies the IP address of the router to send a packet to when the destination is not on the same local network subnet
- how IP addresses are assigned
  - statically: the correct IP address, subnet mask, and default gateway are assigned manually
  - dynamically: using the Dynamic Host Configuration Protocol (DHCP); the DHCP server provides a valid IP address, subnet mask, and default gateway to end devices
- command procedure
  - activate the VLAN 1 interface
  - configure the default gateway for S2
  - example
- basic router settings
  - the following configuration must be performed
    - name the device: to distinguish it from other routers
    - secure management access: for privileged access, user access, and remote access
    - configure the banner: to provide notification of unauthorized access
    - save the changes and verify the basic configuration and router operation
- configure IPv4 router interfaces
  - activate the interface linked to LAN 1
    > "no shutdown" is like powering the interface on to activate it
  - activate the interface linked to LAN 2
  - activate the serial interface linked to router 2
- configure IPv6 router interfaces
  - a bit different in the subnet mask; otherwise the same as IPv4
- configure a loopback interface
  - it is not connected to any other interface and is only used for internal testing
- verify interface settings (for IPv6, change "ip" to "ipv6")
  - "show ip interface brief": summary of all interfaces, including the IPv4 address of each interface and its current operational status
  - "show ip route": contents of the IPv4 routing table stored in RAM
  - "show running-config interface interface-id": displays the commands configured on a specific interface
  - "show interfaces": displays interface information and packet flow counts for all interfaces on the device
  - "show ip interface": displays IPv4-related information for all interfaces on a router
- filtering show command output; the filtering parameters are as follows
  - "section": shows the entire section that starts with the filtering expression
  - "include": includes all output lines that match the filtering expression
  - "exclude": excludes all output lines that match the filtering expression
  - "begin": shows all the output lines from a certain point, starting with the line that matches the filtering expression
  - example 1
  - example 2
- history feature
  - "terminal history size value": adjusts the size of the history buffer
:::
:::success
- the process of encapsulation and de-encapsulation
  - Step 1. the router de-encapsulates the Layer 2 frame header and trailer to expose the Layer 3 packet.
  - Step 2. it examines the destination IP address of the IP packet to find the best path in the routing table.
  - Step 3. if the router finds a path to the destination, it encapsulates the Layer 3 packet into a new Layer 2 frame and forwards the frame out the exit interface.
- example - PC1 sends a packet to PC2
- example - R1 forwards the packet to R2
- example - R2 forwards the packet to R3
  - the packet is sent over a serial connection, therefore a Layer 2 broadcast destination address is used
  - no source address is needed
- example - R3 forwards the packet to PC2
- testing 1
- testing 2
:::
:::success
- flow chart of the packet forwarding decision process
- different dynamic routing protocols use different metrics to decide the best path
  - Routing Information Protocol (RIP): hop count
  - Open Shortest Path First (OSPF): Cisco's cost, based on the cumulative bandwidth from source to destination
  - Enhanced Interior Gateway Routing Protocol (EIGRP): bandwidth, delay, load, reliability
- equal-cost load balancing
  - when a router has two or more paths to a destination with equal-cost metrics, the router forwards packets over them equally (load balancing)
- Administrative Distance (AD)
  - a router may run multiple routing protocols at the same time
  - a Cisco router uses the AD to determine which route, generated by which routing protocol, will be used
  - the lower the AD, the more trustworthy the route source
  - default Administrative Distances
:::
:::success
- the routing table stores
  - directly connected routes
  - remote routes: networks connected to other routers
- different types of entries in the routing table
  - local route interfaces: added when an interface is configured and active
  - directly connected interfaces: added to the routing table when the interface is configured and active
  - static routes: added when a route is manually configured and the exit interface is active
  - dynamic routing protocols: added by routing protocols that dynamically learn about the network, like EIGRP and OSPF
- remote network entry identifiers
  - route source: how the route was learned (which routing protocol)
  - destination network: the address of the remote network
  - administrative distance: the trustworthiness of the route source; lower values indicate a preferred route source
  - metric: the value assigned to reach the remote network; lower values indicate preferred routes
  - next hop: the IPv4 address of the next router to forward the packet to
  - route timestamp: how much time has passed since the route was learned
  - outgoing interface: the exit interface used to forward the packet toward the final destination
- example - interpretation of a routing table entry
- before the interface state is considered up/up and added to the IPv4 routing table, the interface must
  - be assigned a valid IPv4 and IPv6 address
  - be activated with the no shutdown command
  - receive a carrier signal from another device
- directly connected network entry identifiers
  - route source: identifies how the route was learned
    - "C" identifies a directly connected network
    - "L" identifies the IPv4 address assigned to the router's interface
  - destination network
  - outgoing interface: the exit interface to use when forwarding packets to the destination network
- directly connected examples
  - configuring a directly connected Gigabit Ethernet interface
  - configuring a directly connected serial interface
  - verifying the directly connected routing table entries
- static routing
  - two common types of static routes in the routing table
    - static route to a specific network: configured to reach a specific remote network
    - default static route: specifies the exit point to use when the routing table does not contain a path for the destination network
  - benefits of static routes
    - improved security
    - resource efficiency: less bandwidth
    - no CPU cycles
  - disadvantages
    - no automatic reconfiguration if the network topology changes
  - static route examples (IPv6 works in a similar way)
    - the configuration of an IPv4 default static route on R1 to the Serial 0/0/0 interface
    - the configuration of two static routes on R2 to reach the two LANs on R1
      - the route to "192.168.10.0/24" has been configured using the exit interface
      - the route to "192.168.11.0/24" has been configured using the next-hop IPv4 address
- dynamic routing
  - **network discovery:** the ability of a routing protocol to share information about the networks it knows about with other routers that are using the same routing protocol
  - **maintaining routing tables:**
    - routers exchange routes and update their routing tables
    - routers have converged after they have finished exchanging and updating their routing tables
  - the routing protocols supported by the IOS can be listed using "router ?"
  - IPv4 dynamic routing examples
:::
- summary
  - Cisco routers and Cisco switches share similar functions and commands; one distinguishing feature between switches and routers is the type of interfaces each supports
  - the main purpose of a router is to connect multiple networks and forward packets from one network to the next
### Chapter 2 - Static Routing
:::success
- first of all, a comparison of dynamic routing and static routing
  - pros of static routing
    - more secure, because static routes are not advertised over the network
    - uses less bandwidth and no CPU cycles
  - cons of static routing
    - initial configuration and maintenance are time-consuming
    - configuration is error-prone, especially in a large network
    - maintenance becomes cumbersome in a growing network
    - requires complete knowledge of the whole network
- when to use static routing
  - a small network that is not expected to grow in the future
  - example: a stub network is a network accessed by a single route, and its router has only one neighbor
- testing
- example of connecting a stub router
- summary static route
  - to reduce the number of routing table entries, multiple static routes can be summarized into a single static route if
    - the destination networks are contiguous and can be summarized into a single network address
    - the multiple static routes all use the same exit interface or next-hop IP address
- floating static route
  - a static route used to provide a backup path to a primary static or dynamic route
  - only used when the primary route is not available
  - configured with a higher administrative distance than the primary route, since it is a backup
- testing
:::
:::success
- IP route command syntax
- examples of IP route commands
  - check the routing table of R1
  - check the routing table of R3
  - configuration of a next-hop static route on R1
  - configuration of a next-hop static route on R2
  - result of the R2 configuration (check the items marked S)
  - configuration of a next-hop static route on R3
  - result of the R3 configuration (check the items marked S)
  - configuration of directly connected static routes on R1
    > a directly connected static route with an exit interface allows a simpler lookup
  - example of a fully specified static route
- useful commands to verify
  - "ping"
  - "traceroute"
  - "show ip route"
  - "show ip route static"
  - "show ip route network"
- default static route
  - syntax of the command
  - used when no other route in the routing table matches
  - default static routes are commonly used when connecting
    - an edge router to a service provider network
    - a stub router (with only one upstream neighbor router)
  - example of configuring a default static route
- configuration of IPv6 static routes
  - IPv6 command syntax
  - the ipv6 unicast-routing global configuration command must be configured to enable the router to forward IPv6 packets
  - example of configuring next-hop static IPv6 routes
  - example of configuring directly connected static IPv6 routes
  - example of configuring fully specified static IPv6 routes
    - used in the same way as in IPv4
    - used if CEF is not enabled on the router and the exit interface is on a multi-access network
      > with CEF, a static route using only a next-hop IPv6 address
  - example of configuring a default static IPv6 route
- configuration of an IPv4 floating static route (the same for IPv6)
  - example of configuring a floating static route to R3
    - remember that the "backup route to R3 is not present in the routing table" while the primary route is up
  - how to test a floating route
    - shut down R2
    - verify the backup route: the backup route now shows up in the routing table
    - then use the "traceroute" command to verify
:::
:::success
- three ways to add host routes
  - automatically installed when an IP address is configured on the router
  - configured as a static host route
  - a host route automatically obtained through other methods
- a host route can be a manually configured static route that directs traffic to a specific destination device, such as an authentication server
- example configuration of IPv4 and IPv6 static host routes
  - configuring IPv4 and IPv6 host routes
  - fully specified IPv6 host route with a next-hop link-local address
- troubleshooting a missing route
  - reasons
    - an interface fails
    - a service provider drops a connection
    - links become oversaturated
    - an administrator enters a wrong configuration
  - the following commands can be used
    - "ping"
    - "traceroute"
    - "show ip route"
    - "show ip interface brief"
      > provides a quick status of all interfaces on the router
    - "show cdp neighbors detail"
      > provides a list of directly connected Cisco devices
- summary of static routing
  - next-hop IP address
  - exit interface (more efficient on point-to-point serial links)
  - default administrative distance is 1
:::
### Chapter 3 - Dynamic Routing
:::info
- the best routing path may be found by metrics such as
  - bandwidth
  - cost
  - delay
  - hops
- routing protocol classification
- the purpose of dynamic routing protocols includes
  - discovery of remote networks
  - maintaining up-to-date routing information
  - choosing the best path to destination networks
  - the ability to find a new best path if the current path is no longer available
- the main components of dynamic routing protocols include
  - data structures: tables or databases used for its operation; the information is kept in RAM
  - routing protocol messages: various types of messages to discover neighboring routers and exchange routing information
  - algorithm: used to process the routing information and determine the best path
- recall of the static routing scenario
  - static routes are not easy to implement in a large network
  - managing the static configurations can become time-consuming
  - if a link fails, a static route cannot reroute traffic
- dynamic routing scenario
- pros and cons
:::
- the Cisco online course takes the RIP configuration as an example
  - RIP is rarely used in modern networks; it serves only as an example here
:::success
- router RIP configuration mode
- reference topology
- addressing table
- advertising the directly connected networks of R2
- verifying protocol settings on R1
  - it shows that RIP routing is configured
  - the values of the various timers
  - the version of the routing protocol
  - whether automatic network summarization is in effect
  - the networks that R1 includes in its RIP updates
  - the RIP neighbors are listed, including their next-hop address
- verifying RIP routes on R1
  - we will see entries marked "R"
- RIPv2 commands
  - RIPv2 is the same as RIPv1 but has additional information fields, so basically a router can interpret both v1 and v2
  - enable RIPv2 on R2
  - if the routing protocols on the two routers differ, no updates are exchanged
  - disable auto-summarization in RIPv2
- configuration of passive interfaces
  - sometimes we do not need so many updates, e.g. when no RIP device exists on the LAN
  - we can disable routing updates on a specific interface and still allow
  - unneeded updates have the following impacts
    - wasted bandwidth: RIP updates are either broadcast or multicast
    - wasted resources: all devices on the LAN must process the update up to the transport layer
    - security risk: RIP updates can be intercepted with packet-sniffing software
  - topology
  - command
- propagation of a default route
  - example topology
  - to propagate a default route in RIP, the edge router must be configured with
    - the command "ip route 0.0.0.0 0.0.0.0"
    - the command "default-information originate", which instructs R1 to propagate the static default route in RIP updates
  - commands for configuring and verifying the default route on R1 by configuring a fully specified default static route to the service provider
:::
:::success
- example of routing table entries
- for this topology
  - R1 is the edge router that connects to the Internet, so it propagates a default static route to R2 and R3
  - R1, R2, and R3 contain discontiguous networks separated by another classful network
  - R3 also introduces a 192.168.0.0/16 supernet route
- routing table of R1 with directly connected, static, and dynamic routes
- explanation of a directly connected network in the routing table
- explanation of a remote network route entry on R1
- testing
:::
:::success
- routes are discussed in terms of
  - ultimate route
    - has either a next-hop IPv4 address or an exit interface
    - directly connected, dynamically learned, and local routes are ultimate routes
  - level 1 route
    - illustration of a level 1 route
    - network route: has a subnet mask equal to the classful mask
    - supernet route: a network address with a mask shorter than the classful mask, for example a summary address
    - default route: a static route with the address 0.0.0.0/0
  - level 1 parent route
    - illustration of a level 1 parent route
    - a level 1 network route that is subnetted
    - a parent route can never be an ultimate route
  - level 2 child routes
    - illustration of a level 2 child route
    - a subnet of a classful network address
    - can be a directly connected network, a static route, or a dynamically learned route
    - level 2 child routes are also ultimate routes
- testing
:::
:::success
- the best route is the longest match
- route lookup process
  1. match level 1 routes
     - if the best match is a level 1 ultimate route, this route is used to forward the packet
     - if the best match is a level 1 parent route, proceed to the next step
  2. match level 2 child routes
     - if there is a match with a level 2 child route, that subnet is used to forward the packet
     - if there is no match with any of the level 2 child routes, proceed to the next step
  3. match supernet and default routes
     - in effect, try the remaining, less specific routes
     - if there is no match with any route in the routing table, the router drops the packet
- testing
:::
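The three-step lookup above, together with the administrative-distance selection from Chapter 1 and the floating static route from Chapter 2, as an added Python model that is not part of the course material or of Cisco IOS. The prefixes, next-hop addresses, interface names and the floating route's AD of 95 are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default administrative distances listed in the notes (connected 0,
# static 1, EIGRP 90, OSPF 110, RIP 120), keyed by the "show ip route" code.
DEFAULT_AD = {"C": 0, "L": 0, "S": 1, "D": 90, "O": 110, "R": 120}


@dataclass
class Route:
    source: str                    # route source code: C, L, S, D, O or R
    prefix: ipaddress.IPv4Network  # destination network
    via: str                       # next-hop address or exit interface
    metric: int = 0
    ad: int = -1                   # -1 = default AD of the source
    up: bool = True                # False once the path has failed

    def __post_init__(self):
        if self.ad < 0:
            self.ad = DEFAULT_AD[self.source]


def classful_network(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """Classful (A/B/C) network containing addr, from its first octet."""
    first = int(addr) >> 24
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def classify(prefix: ipaddress.IPv4Network) -> str:
    """Route kind as the notes define it."""
    if prefix.prefixlen == 0:
        return "default route"
    classful = classful_network(prefix.network_address)
    if prefix.prefixlen < classful.prefixlen:
        return "supernet route"
    if prefix.prefixlen == classful.prefixlen:
        return "level 1 network route"
    return "level 2 child route"


class RoutingTable:
    def __init__(self) -> None:
        self.candidates: List[Route] = []   # offered by every route source

    def add(self, *routes: Route) -> None:
        self.candidates.extend(routes)

    def withdraw(self, prefix: str, source: str) -> None:
        # Simulate the primary path going away (e.g. R2 is shut down).
        for r in self.candidates:
            if str(r.prefix) == prefix and r.source == source:
                r.up = False

    def installed(self) -> List[Route]:
        """Routes that make it into the table: per prefix the candidate with
        the lowest AD wins, ties broken by metric. A floating static route
        (AD raised above the primary) stays out until the primary is withdrawn."""
        best: Dict[ipaddress.IPv4Network, Route] = {}
        for r in self.candidates:
            if not r.up:
                continue
            cur = best.get(r.prefix)
            if cur is None or (r.ad, r.metric) < (cur.ad, cur.metric):
                best[r.prefix] = r
        return list(best.values())

    def lookup(self, dst: str) -> Optional[Route]:
        """Three-step lookup: (1) level 1 network route or (2) level 2 child
        routes of the destination's classful network, then (3) supernet and
        default routes, else drop. Longest match wins within each step."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.installed() if addr in r.prefix]
        classful = classful_network(addr)
        specific = [r for r in matches if r.prefix.prefixlen >= classful.prefixlen]
        broad = [r for r in matches if r.prefix.prefixlen < classful.prefixlen]
        for step in (specific, broad):
            if step:
                return max(step, key=lambda r: r.prefix.prefixlen)
        return None   # no route at all: the router drops the packet


def build_sample_table() -> RoutingTable:
    """Constructed R1-style table; the addresses, next hops and the floating
    static route's AD of 95 are made up for this example."""
    n = ipaddress.ip_network
    rt = RoutingTable()
    rt.add(
        Route("C", n("192.168.1.0/24"), "GigabitEthernet0/0"),
        Route("C", n("10.0.0.0/30"), "Serial0/0/0"),            # link to R2
        Route("C", n("10.0.0.4/30"), "Serial0/0/1"),            # link to R3
        Route("S", n("192.168.10.0/24"), "Serial0/0/0"),        # via exit interface
        Route("S", n("192.168.11.0/24"), "10.0.0.2"),           # via next hop
        Route("R", n("192.168.0.0/16"), "10.0.0.6", metric=2),  # supernet from R3
        Route("S", n("0.0.0.0/0"), "Serial0/0/0"),              # default static route
        Route("D", n("192.168.3.0/24"), "10.0.0.2", metric=2172416),  # primary via R2
        Route("S", n("192.168.3.0/24"), "10.0.0.6", ad=95),     # floating static via R3
    )
    return rt
```

Calling `withdraw("192.168.3.0/24", "D")` models shutting down R2: the EIGRP route leaves the table and the floating static route with AD 95 is installed instead, matching the "backup route is not present until the primary fails" behaviour described above.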
:::success
- the components of the IPv6 routing table are very similar to those of the IPv4 routing table
- because IPv6 is classless by design, all routes are effectively level 1 ultimate routes; there are no level 1 parent or level 2 child routes
- reference IPv6 topology
  - R1, R2, and R3 are configured in a full-mesh topology; all routers have redundant paths to the various networks
  - EIGRP for IPv6 has been configured on all three routers
- directly connected routes on R1
  - the display is similar to IPv4
- remote network entries on R1
  - the display is similar to IPv4
- test 1
- test 2
:::
- summary
  - dynamic routing is the best choice for large networks
  - static routing is better for stub networks
### Chapter 4 - Switched Networks
- major differences between switches and routers
  - LAN switches provide the connection point for end users into the enterprise network and are also primarily responsible for the control of information within the LAN environment
  - routers facilitate the movement of information between LANs and are generally unaware of individual hosts
- switch functions to provide
  - QoS
  - data transfer
  - security
:::success
- converged network
  - a converged network with collaboration support may include
    - call control: telephone call processing
    - voice messaging: voicemail
    - mobility: receive important calls wherever you are
    - automated attendant: serve customers faster by routing calls directly to the right department or individual
  - benefits
    - just one physical network to install and manage
    - substantial savings over the installation and management of separate voice, video, and data networks
- a borderless network is one that can connect anyone, anywhere, anytime, on any device; securely, reliably, and seamlessly
  - borderless switched network design guidelines are built upon the following principles
    - hierarchical: facilitates understanding the role of each device at every tier, simplifies deployment, operation, and management, and reduces fault domains at every tier
    - modularity: allows seamless network expansion and integrated service enabling
    - resiliency: satisfies user expectations for keeping the network always on
    - flexibility: allows intelligent traffic load sharing by using all network resources
- access, distribution, and core layers
  > this is the three-tier network
  - access layer
    - represents the network edge, where traffic enters or exits the campus network
    > the functionality is based on the network function split
  - distribution layer (between the core and access layers)
    - aggregates large-scale wiring closet networks
    - aggregates Layer 2 broadcast domains and Layer 3 routing boundaries
    - provides intelligent switching, routing, and network access policy functions
    - provides high availability through redundant distribution layer switches to the access network or the core
    - provides differentiated services to various classes of service applications at the edge of the network
  - core layer
    - the network backbone; it connects several layers of the campus network
    - ties the campus together with the rest of the network
    - the primary purpose of the core layer is to provide fault isolation and high-speed backbone connectivity
- example of a two-tier network
  - the distribution and core layers are collapsed into a single layer
- test 1
- test 2
- the trend in switched networks
  - not flat, more hierarchical
  - allows more flexibility
  - provides
    - quality of service
    - additional security
    - support for wireless networking and connectivity
    - support for new technologies, such as IP telephony and mobility services
- considerations for selecting switch equipment
  - different types of switches
    - fixed configuration switches: do not support additional options
    - modular configuration switches: support different combinations based on the requirements
    - stackable configuration switches: can operate as a single larger switch, with fault tolerance and bandwidth availability
      - they need a special cable that provides high-bandwidth throughput between the switches
      - used when a modular switch is too costly to implement
- test
:::
:::success
- a LAN switch uses its MAC address table to forward traffic based on the ingress port and the destination address of a message
- switching procedure
  - when a frame arrives at the switch, its source MAC address is added to the MAC address table of the switch if it does not exist in the table yet
  - if the destination is in the MAC address table of the switch, the frame is sent directly to the destination port
  - if the destination is not in the MAC address table, the frame is flooded out all other ports, toward the other switches (called an unknown unicast)
- switch forwarding methods
  - store-and-forward: makes a forwarding decision on a frame after it has received the entire frame and checked the frame for errors using a cyclic redundancy check (CRC)
    - performs error checking and drops the frame if the CRC is not correct
    - when there is a speed mismatch between the ingress and egress ports, the switch stores the entire frame in a buffer
    - Cisco's primary LAN switching method
  - cut-through: begins the forwarding process after the destination MAC address of an incoming frame has been read and the egress port has been determined
    - enables rapid frame forwarding
    - applied in low-latency applications
- test
:::
:::success
- duplex and speed settings
- switching domains
  - collision domain: network segments that share the same bandwidth between devices are known as collision domains
    - in half duplex, the segment is a collision domain
    - full duplex eliminates collisions; by default, Ethernet switch ports autonegotiate full duplex when the adjacent device can also operate in full duplex
  - broadcast domain: a broadcast is flooded to the other switches in the LAN
- how to alleviate network congestion
  - high port density
  - large frame buffers
  - port speed
    > related to the specification of the port
  - fast internal switching
    > this means a fast internal bus and shared memory
:::
### Chapter 5 - Switch Configuration
- switches
  - identify connected hosts, port locations, and unique MAC addresses
  - record unique host addresses in a MAC address table
  - send and receive data traffic using unicasts, multicasts, and broadcasts
- basic switch configuration
:::success
- configure BOOT environment variable

- use the command "show boot" to see what the current IOS boot file is set to
- use "boot" system global configuration mode command
- BOOT sequence
1. switch loads a power-on self-test(POST) program stored in ROM, POST checks CPU subsystem, then test CPU, DRAM, and the portion of the flash device that makes up the flash file system
2. next, the switch loads the boot loader software, boot loader is a small program stored in ROM that is run immediately after POST successfully completes
3. boot loader performs low-level CPU initialization, like initialization of CPU registers, quantity of memory, and its speed
4. the boot loader initializes the flash file system on the system board
5. the boot loader locates and loads a default IOS operating system software image into memory and gives control of the switch over to the IOS
- recovering from a system crash
- boot loader provides access into the switch if the operating system cannot be used due to missing or damaged system files
- steps
1. connect a PC by console cable to the switch console port, then configure terminal emulation software to connect to the switch
2. unplug the switch power cord
3. reconnect the power cord to the switch and, within 15 seconds, press and hold down the Mode button while the System LED is still flashing green
4. continue pressing the Mode button until the System LED turns briefly amber and then solid green; then release the Mode button
5. the boot loader switch: prompt appears in the terminal emulation software on the PC
- boot loader command line supports
- format the flash file system
- reinstall the operating system software
- recover a lost or forgotten password
- Switch LED Indicators
- System LED: show whether the system is receiving power and is functioning properly
- Redundant Power System (RPS) LED: if the LED is off, the RPS(backup power) is off, or it is not properly connected
- Port Status LED: show port status mode is selected, like no link, administratively shut down, sending and receiving data, blocked
- Port Duplex LED: show if full-duplex mode is selected, or in half-duplex mode
- Port Speed LED: different color shows different port speed
- Power over Ethernet (PoE) Mode LED: if PoE is supported, and PoE status
> is a technique for delivering DC power to devices over copper Ethernet cabling, eliminating the need for separate power supplies
- remote management access on switch
- must be configured with an IP address and a subnet mask, also default gateway
- switch virtual interface (SVI) on S1 should be assigned an IP address
- these IP settings are only for remote management access to the switch; the IP settings do not allow the switch to route Layer 3 packets
- procedure of configuration of basic switch management access with IPv4
1. configure switch management interface

- "interface vlan 99" is used to enter interface config. mode
- then configure its IP address
- then associate it to an interface

2. configure switch default gateway

- it should be configured with a default gateway if it will be managed remotely from networks that are not directly connected
3. verify switch management interface config.

- duplex communication

- full-duplex is better than half-duplex, but the hardware of full-duplex is more complicated than half-duplex
- config. of duplex and speed

- at the end, it will save the configuration to NVRAM
- config. of auto-MDIX(automatic medium-dependent interface crossover)
- originally, different cable types, like switch-to-switch or switch-to-router connections required using different Ethernet cables
- enable auto-MDIX, the interface automatically detects the required cable connection type (straight-through or crossover) and configures the connection appropriately
- without the auto-MDIX feature
- straight-through cables must be used to connect to devices such as servers, workstations, or routers
> a top layer device talking to a lower layer device
- crossover cables must be used to connect to other switches or repeaters
> a device talking to another device at the same layer, like peer to peer
- steps
- enable auto-MDIX

- verify auto-MDIX

- verification command as follows

- network access layer issues
- command "show interfaces" can be used to detect common media issues

- "FastEthernet0/1 is up" refers to the hardware layer and indicates if the interface is receiving a carrier detect signal
- "line protocol is up" refers to the data link layer and indicates whether the data link layer protocol keepalives are being received
- if the interface is administratively down, it means manually disabled
- if the line protocol and the interface are both down, a cable is not attached or some other interface problem exists
- if the interface is up and the line protocol is down, a problem exists. There could be an encapsulation type mismatch, the interface on the other end could be error-disabled, or there could be a hardware problem
- if there is error

- description of error type

- collisions occur only in half-duplex operation
- late collisions (after the first 64 bytes of a frame) usually indicate a duplex mismatch between the two ends, or a segment that is too long
- troubleshooting of switch media issues

:::
- switch security
:::success
- SSH operation
- if we only use normal Telnet connection, we can monitor the content of packets using Wireshark

- if we use SSH, the content will be encrypted

- configure SSH

1. configure the IP domain
2. generate RSA key pairs
3. configure user authentication
4. configure the vty lines
- enable the SSH protocol on the vty lines using command "transport input ssh"
- prevents non-SSH(such as Telnet) connections and limits the switch to accept only SSH connections
5. enable SSH version 2
- verification of SSH
- command "show ip ssh": to display the version and configuration data for SSH on the device
- command "show ssh": to check the SSH connections to the device
- disable unused ports

- using command "shutdown"
- port security
- limits the number of valid MAC addresses allowed on a port
- the port can be set to shut down automatically when a frame from an unauthorized MAC address is seen
- secure MAC address types
- Static secure MAC addresses: MAC addresses that are manually configured on a port by using the "switchport port-security mac-address" command
- Dynamic secure MAC addresses: MAC addresses that are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts
- Sticky secure MAC addresses: MAC addresses that can be dynamically learned or manually configured, then stored in the address table and added to the running configuration, using the "switchport port-security mac-address sticky" command

- Security Violation Modes
- reasons of security violation

- three modes can be selected

- Protect: once the limit is reached, frames from unknown source MAC addresses are dropped silently, with no log message and no violation counter
- Restrict: same as protect, but each violation is logged (syslog message / SNMP trap) and the violation counter is incremented
- Shutdown: default mode; the port is put into the error-disabled state and a log message is generated, so it stays down until an administrator re-enables it
- config. of port security
- default port security setting on Cisco switch

- configure dynamic port security

- configure sticky port security

- verify dynamic MAC address

- verify sticky MAC address

- verify running config.

- verify secure MAC addresses

- ports in error disabled state
- it is effectively shut down and no traffic is sent or received on that port
- security related messages display on the console

- we can check port status

- we find that the status is error-disabled
- re-enable an error disabled port

- issue "shutdown" followed by "no shutdown" on the interface (and remove the cause first, otherwise the port is error-disabled again)
:::
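The checks in this section (SSH-only vty lines, SSH version 2, port security on access ports, unused ports shut down) can be verified mechanically against a saved running-config. The following is an added example, not code from the course or from Cisco: it parses a constructed IOS running-config (the `SAMPLE_CONFIG` below is invented for illustration) and reports the lines that violate the guidance above.

```python
"""Audit a Cisco IOS switch running-config for the hardening points in this chapter.

Added example, not code from the course or from Cisco. SAMPLE_CONFIG is a
constructed running-config; the checks encode the chapter's guidance:
vty lines accept SSH only, SSH version 2 is enforced, access ports carry
port security, and unused ports are shut down.
"""

# Constructed sample: one hardened access port, one weak one, one disabled
# (unused) port, a trunk, and vty lines that still accept Telnet.
SAMPLE_CONFIG = """\
hostname S1
ip domain-name example.local
ip ssh version 2
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 description unused
 switchport mode access
 shutdown
!
interface FastEthernet0/24
 switchport mode trunk
!
line vty 0 4
 login local
 transport input telnet ssh
!
"""


def parse_sections(config):
    """Return {stanza header: [indented lines]} for 'interface' and 'line' stanzas."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None            # '!' separates stanzas in IOS output
            continue
        if line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
    return sections


def audit(config):
    """Return a list of (where, finding) tuples; an empty list means no finding."""
    findings = []
    global_lines = {l.strip() for l in config.splitlines()}
    if "ip ssh version 2" not in global_lines:
        findings.append(("global", "SSH version 2 not enforced ('ip ssh version 2' missing)"))
    for header, body in parse_sections(config).items():
        if header.startswith("line vty"):
            transport = [l for l in body if l.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append((header, "vty lines are not restricted to SSH ('transport input ssh')"))
        elif header.startswith("interface"):
            if "shutdown" in body:
                continue              # unused port is disabled, as recommended
            if "switchport mode access" in body and "switchport port-security" not in body:
                findings.append((header, "access port without port security"))
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```

Running it on the sample reports FastEthernet0/2 (no port security) and the vty lines (Telnet still allowed); after adding `switchport port-security` and changing the vty lines to `transport input ssh` the audit returns nothing.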
### Chapter 6 - VLANs
- routers normally have a limited number of LAN interfaces
- so a switch's ports can be divided into groups called VLANs, which makes it easier to design a network that supports the goals of an organization

- within a switched network, VLANs provide segmentation and organizational flexibility

- VLANs enable the implementation of access and security policies according to specific groupings of users
- benefits of VLANs
- **Security:** groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches
- **Cost reduction:** cost savings result from reduced need for expensive network upgrades
- **Better performance:** dividing the network into multiple logical workgroups (broadcast domains) reduces unnecessary traffic
- **Efficient IT and easier management:** easier to manage a project or working because users with similar network requirements share the same VLAN
:::success
- different types of VLAN
- data VLAN:
- also referred to as a user VLAN
- VLAN assigned to user devices such as computers, printers, and other end-user devices
- it segregates user traffic into different VLANs, providing network segmentation and security
- default VLAN:
- all switch ports become a part of the default VLAN after the initial boot up of a switch loading the default configuration
- on Cisco switches this is VLAN 1; it cannot be renamed or deleted, and every port that has not been assigned to another VLAN belongs to it
- native VLAN:
- used in VLAN tagging scenarios
- devices that do not understand VLAN tagging can be connected over it, and untagged traffic arriving on a trunk is assigned to it
- SPEC 802.1Q supports traffic coming from many VLANs (tagged traffic), as well as traffic that does not come from a VLAN(untagged traffic)
- management VLAN:
- a VLAN used for managing and accessing networking devices such as switches, routers, and other network infrastructure
- it is a security best practice to separate management traffic from regular user data traffic
- voice VLAN

> to meet these requirements, the entire network has to be designed to support VoIP
- assured bandwidth to ensure voice quality
- transmission priority over other types of network traffic
- delay of less than 150 ms across the network
- VLAN trunks

- is a conduit for multiple VLANs between switches and routers
- could also be used between a network device and server or other device that is equipped with an appropriate 802.1Q-capable NIC
- controlling broadcast domains with VLANs

- network without VLANs: in normal operation, when a switch receives a broadcast frame on one of its ports, it forwards the frame out all other ports except the port where the broadcast was received, for example, the entire network is configured in the same subnet (172.17.40.0/24) and no VLANs are configured, and there is broadcast as figure above
- network with VLANs

- now we configured VLAN 10 and 20, then broadcast in VLAN 10 can only be transmitted within VLAN 10
- Tagging Ethernet Frames for VLAN Identification

- a standard Ethernet frame header carries no information about which VLAN the frame belongs to
- so the IEEE 802.1Q standard inserts a 4-byte tag into the frame that identifies the VLAN to which the frame belongs
- VLAN Tag Field Details
- Type (TPID): 16-bit tag protocol identifier, 0x8100 for 802.1Q
- User Priority (PCP): 3 bits, level of service (class of service)
- Canonical Format Identifier (CFI): 1 bit, set when Token Ring frames are carried across Ethernet links (newer revisions reuse it as the drop eligible indicator)
- VLAN ID (VID): 12 bits, VLAN identification number (0 to 4095, with 0 and 4095 reserved)
- native VLAN on 802.1Q Trunk

- control traffic sent on the native VLAN should not be tagged
- do not send tagged frames on the native VLAN
- default native VLAN is VLAN 1; as a security measure the native VLAN should be moved to an unused VLAN that carries no user traffic, which blunts double-tagging VLAN hopping
- untagged frames on the Native VLAN
- when a Cisco switch trunk port receives untagged frames, it forwards those frames to the native VLAN
- if there are no devices associated with the native VLAN (which is not unusual) and there are no other trunk ports (which is not unusual), then the frame is dropped
- voice VLAN tagging

- sample output

- separate voice VLAN is required to support VoIP
:::
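To make the tag layout and the native-VLAN rules concrete, here is an added example (not code from the course): it builds and parses 802.1Q frames with the TPID/PCP/CFI/VID fields above, assigns untagged ingress frames to the native VLAN, and shows why a trunk stripping the native tag on egress turns a double-tagged frame into a frame for another VLAN. MAC addresses and payloads are constructed.

```python
"""802.1Q tagging, native-VLAN handling and the double-tagging consequence.

Added example, not code from the course. Field layout follows IEEE 802.1Q:
TPID 0x8100, then a 16-bit TCI = PCP (3 bits) | CFI/DEI (1 bit) | VID (12 bits).
"""
import struct

TPID_8021Q = 0x8100


def build_untagged(dst, src, ethertype, payload):
    """Plain Ethernet II frame: dst MAC, src MAC, EtherType, payload (no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(dst, src, vid, payload, ethertype=0x0800, pcp=0, dei=0):
    """Insert an 802.1Q tag between the source MAC and the EtherType."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vid (None when untagged), pcp, dei, ethertype, payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
                "dei": (tci >> 12) & 1, "ethertype": inner, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vid": None, "pcp": None, "dei": None,
            "ethertype": ethertype, "payload": frame[14:]}


def ingress_vlan(frame, native_vlan=1, allowed=None):
    """VLAN a trunk port assigns to an arriving frame, or None if it is dropped.
    Untagged frames land in the native VLAN; VLANs outside the allowed list are dropped."""
    vid = parse_frame(frame)["vid"]
    if vid is None:
        vid = native_vlan
    if allowed is not None and vid not in allowed:
        return None
    return vid


def egress_on_trunk(frame, native_vlan):
    """Trunks send native-VLAN traffic untagged: strip the outer tag if it is
    the native VLAN, otherwise forward the frame as is."""
    if parse_frame(frame)["vid"] == native_vlan:
        return frame[:12] + frame[16:]
    return frame


def double_tagged(dst, src, native_vlan, target_vlan, payload):
    """Attacker frame: outer tag = native VLAN, inner tag = victim VLAN.
    After the first trunk strips the outer tag, the inner tag is exposed."""
    inner = tag_frame(dst, src, target_vlan, payload)
    return tag_frame(dst, src, native_vlan, inner[14:], ethertype=TPID_8021Q)
```

With the native VLAN left at 1, `egress_on_trunk(double_tagged(..., 1, 20, ...), 1)` yields a frame tagged for VLAN 20 even though the sender's access port was in VLAN 1; with the native VLAN moved to an unused ID (99 in the trunk example below) the outer tag is not stripped and the frame stays in VLAN 1.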
:::success
- VLAN Ranges on Catalyst Switches
- different Cisco Catalyst switches support various numbers of VLANs
- Normal Range VLANs
- used in small- and medium-sized business and enterprise networks
- identified by a VLAN ID between 1 and 1005
- IDs 1002 through 1005 are reserved for Token Ring and Fiber Distributed Data Interface (FDDI) VLANs
- VLAN Trunking Protocol (VTP), which propagates VLAN configuration between switches, handles only normal-range VLANs (VTP versions 1 and 2)
- Extended Range VLANs
- enable service providers to extend their infrastructure to a greater number of customers
- identified by a VLAN ID between 1006 and 4094
- support fewer VLAN features than normal range VLANs
- configurations are stored within a VLAN database file, called "vlan.dat" (only for normal range)
- create VLAN

- assign port to VLANs
- syntax

- example of config.

- assume there is topology with IP phone

- create two VLANs first

- assigns the F0/18 interface of S3 as a switchport in VLAN 20
- it also assigns voice traffic to VLAN 150
- enables QoS classification based on the class of service (CoS)
- remove VLAN assignment
- syntax

- after assignment, it should be like this

- after removing, it should be like this

- delete VLAN

- before deleting a VLAN, reassign all member ports to a different VLAN first
- the alternative is to delete the whole VLAN database: the "vlan.dat" file can be removed with the command "delete flash:vlan.dat", after which a reload brings the switch back to only the default VLANs
- verification of VLAN info.

- "show vlan" command example

- "show interfaces vlan" command example

- trunk configuration
- syntax

- example topology

- sample configuration

- configuration of port F0/1 on switch S1 as a trunk port
- native VLAN is changed to VLAN 99 and the allowed VLAN list is restricted to 10, 20, 30, and 99
- resetting configuration on trunk links
- syntax

- reset all trunking characteristics of a trunking interface to the default settings

- return port from trunk feature to static access mode

- verification of trunk config.

:::
:::success
- IP Addressing Issues with VLAN

- if two devices in the same VLAN have different subnet addresses, they cannot communicate
- change to correct IP address

- debug flow chart of missing VLAN

- debug flow chart of troubleshooting trunks

- common problems with trunks

- native VLAN mismatches: trunk ports are configured with different native VLANs
- trunk mode mismatches: mode is not compatible on both side
- allowed VLANs on trunks: list of allowed VLANs on a trunk has not been updated with the current VLAN trunking requirements
- example of incorrect port mode

- output from switches S1 and S3

- S1 shows that interface Fa0/3 on switch S1 is not currently a trunk link (it is in access mode)
- S3 shows the switch port is configured statically in trunk mode
- leaving S1 in "switchport mode access" is not a fix; both ends of the link must be trunks
- corrected trunk modes

- use command "switchport mode trunk", then the result is correct
- example of incorrect VLAN list

- missing VLANs

- we found that there is missing VLAN 20 on switch 1
- corrected VLAN list

:::
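The three trunk problems above (mode mismatch, native VLAN mismatch, allowed-list mismatch) plus the missing-VLAN case can be caught by comparing the two interface stanzas and the two VLAN databases. This is an added example, not code from the course; the S1/S3 stanzas and VLAN sets are constructed to mirror the scenarios described above, and the IOS defaults assumed are mode "dynamic auto", native VLAN 1 and all VLANs allowed.

```python
"""Compare the two ends of a trunk link for the mismatches this section lists:
trunk mode, native VLAN, allowed VLAN list, and a VLAN missing from one
switch's VLAN database.

Added example, not code from the course. The interface stanzas and VLAN sets
below are constructed to reproduce the S1/S3 scenarios described above.
"""
import re

ALL_VLANS = set(range(1, 4095))

# Constructed stanzas: S1 wrongly in access mode, S3 correctly trunking,
# and an S1 variant whose allowed list is missing VLAN 20.
S1_WRONG_MODE = "interface FastEthernet0/3\n switchport mode access\n"
S3_TRUNK = ("interface FastEthernet0/3\n switchport mode trunk\n"
            " switchport trunk native vlan 99\n switchport trunk allowed vlan 10,20,30,99\n")
S1_WRONG_LIST = ("interface FastEthernet0/3\n switchport mode trunk\n"
                 " switchport trunk native vlan 99\n switchport trunk allowed vlan 10,30,99\n")
S1_VLANS = {1, 10, 30, 99}          # VLAN 20 was never created on S1
S3_VLANS = {1, 10, 20, 30, 99}


def expand_vlan_list(text):
    """'10,20-22,99' -> {10, 20, 21, 22, 99}; 'all' -> every VLAN ID."""
    if text.strip() == "all":
        return set(ALL_VLANS)
    out = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def trunk_settings(stanza):
    """Pull the trunk-relevant settings out of one 'interface ...' stanza.
    (Only the plain 'allowed vlan <list>' form is handled, not 'add'/'remove'.)"""
    mode = re.search(r"switchport mode (\w+)", stanza)
    native = re.search(r"switchport trunk native vlan (\d+)", stanza)
    allowed = re.search(r"switchport trunk allowed vlan ([\w,-]+)", stanza)
    return {
        "mode": mode.group(1) if mode else "dynamic",            # IOS default: dynamic auto
        "native": int(native.group(1)) if native else 1,         # IOS default native VLAN
        "allowed": expand_vlan_list(allowed.group(1)) if allowed else set(ALL_VLANS),
    }


def compare_trunk(local_stanza, remote_stanza, local_vlans, remote_vlans):
    """Return a list of problems found on the link (empty list = consistent)."""
    a, b = trunk_settings(local_stanza), trunk_settings(remote_stanza)
    issues = []
    if "access" in (a["mode"], b["mode"]):
        issues.append("trunk mode mismatch: one side is a static access port")
    if a["native"] != b["native"]:
        issues.append(f"native VLAN mismatch: {a['native']} vs {b['native']}")
    elif a["native"] == 1:
        issues.append("native VLAN left at default 1 (move it to an unused VLAN)")
    if a["allowed"] != b["allowed"]:
        diff = sorted(a["allowed"] ^ b["allowed"])
        issues.append(f"allowed VLAN lists differ, e.g. {diff[:5]}")
    for vid in sorted((remote_vlans - local_vlans) & a["allowed"]):
        issues.append(f"VLAN {vid} exists on the remote switch but not locally")
    return issues


if __name__ == "__main__":
    for issue in compare_trunk(S1_WRONG_MODE, S3_TRUNK, S1_VLANS, S3_VLANS):
        print(issue)
```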
:::success
- inter-VLAN routing

- three options for inter-VLAN routing
> this chapter only focuses on the first two options
- Legacy inter-VLAN routing

> it is not efficient and no longer implemented in switched networks
- Router-on-a-Stick

- Layer 3 switching using SVIs
- identify types of Inter-VLAN routing
- legacy

- each VLAN is associated with a separate physical router interface
- can lead to a significant number of physical interfaces and increased hardware costs
- Router-on-a-Stick

- it uses a single router interface (a single physical link or subinterface) for routing traffic between multiple VLANs
- router interface is connected to a switch, and 802.1Q VLAN tagging is used to differentiate between VLANs
- RoaS can become a bottleneck as all inter-VLAN traffic goes through a single link
- Multilayer switch

- operates at both Layer 2 (data link layer) and Layer 3 (network layer)
- it can perform routing functions between VLANs directly within the switches, eliminating the need for an external router
- often more efficient and scalable
- configuration of Legacy Inter-VLAN Routing
- in switch

- correct result

- in router

- configuration of Router-on-a-Stick
- in switch

- in router

- verification

- "ping": sends ICMP echo requests to the destination address
- "traceroute": confirms the routed path between two devices; IOS traceroute sends UDP probes with increasing TTL and relies on the ICMP time-exceeded replies from each hop (Windows tracert uses ICMP echo requests instead)
:::
- VLANs are based on logical connections, instead of physical connections
### Chapter 7 - Access Control Lists
- An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs)
> ACEs are also commonly called ACL statements
- network administrator needs to have access control lists(ACLs)

- ACLs provide security for a network
- firewall can be software or hardware solution based on ACLs
:::success
- by default, a router does not have ACLs configured
- functions of ACL
- limit network traffic to increase network performance, like block video traffic
- provide traffic flow control. ACLs can restrict the delivery of routing updates to ensure that the updates are from a known source
- provide basic level of security, ACLs can determine which users are allowed to access the network
- filter traffic based on traffic type. For example, an ACL can permit email traffic, but block all Telnet traffic
- screen hosts to permit or deny access to network services. ACLs can permit or deny a user to access file types, such as FTP or HTTP
- packet filtering works at layer 3 and 4

- ACL operation

- inbound ACLs: are processed before they are routed to outbound interface
- efficient because it saves the overhead of routing lookups if the packet is discarded
- it is good if the network attached to an inbound interface is the only source of packets that need to be examined
- outbound ACLs
- it is good when multiple inbound interfaces have the same filter before exiting the same outbound interface
- wildcard masking

- example 1 of wildcard mask

- wildcard 0.0.0.0 stipulates that every bit in the IPv4 address 192.168.1.1 must match exactly
- wildcard 255.255.255.255 stipulates that anything will match
- wildcard 0.0.0.255 stipulates that any host within the 192.168.1.0/24 network will match
- example 2 of wildcard mask

- IPv4 ACEs include the use of wildcard masks
- used by the router to determine which bits of the address to examine for a match
- calculating the wildcard mask

- a wildcard mask is the inverse of the subnet mask: subtract the subnet mask from 255.255.255.255 (for a /24, 255.255.255.255 - 255.255.255.0 = 0.0.0.255)
- in a subnet mask a "1" marks the network portion and a "0" the host portion; in a wildcard mask a "0" bit means the address bit must match and a "1" bit means it is ignored
- Wildcard Mask Keywords
- "host" keyword substitutes for the "0.0.0.0" mask
- "any" option substitutes for the entire IPv4 addresses and "255.255.255.255" mask
- example

- two lines can substitute for each other
- test 1

- test 2

:::
:::success
- Guidelines for creating ACLs

- if we needed ACLs for both protocols, on both interfaces and in both directions, it would require eight separate ACLs
- each interface would have four ACLs; two ACLs for IPv4 and two ACLs for IPv6
- each protocol, one ACL is for inbound traffic and one for outbound traffic (both direction)
> ACLs do not have to be configured in both directions
- best practice of ACL

> mistakes can cause downtime, troubleshooting effort
- test

- ACL placement

- extended ACLs: locate extended ACLs as close as possible to the source of the traffic, undesirable traffic is denied close to the source network without crossing the network infrastructure
- standard ACLs: standard ACLs do not specify destination addresses, so place them as close to the destination as possible
- type of ACL will be used depend on
- **the extent of the network administrator's control:** if network administrator has control of both the source and destination networks
- **bandwidth of the networks involved:** filtering close to the source saves bandwidth and keeps unwanted traffic from crossing the network
- **ease of configuration:** if a network administrator wants to deny traffic coming from several networks, one option is a single standard ACL on the router closest to the destination, at the cost of the bandwidth wasted by carrying the unwanted traffic that far
- example of standard ACL placement

- standard IPv4 ACL syntax

- example of removing an ACL

- example of reviewing ACL

- apply IPv4 ACLs to interface

- permit a specific subnet

- deny a specific host

- deny a specific host and permit a specific subnet

- naming standard IPv4 ACL syntax

- naming an ACL makes it easier to understand its function
- example

- test

- scenario 1

- scenario 2

- modify IPv4 ACLs
- using text editor

1. display ACE
2. copy the display, and edit in text editor
3. remove the access list, and copy the changes
4. verify the changes
- using sequence numbers

1. try to display sequence number of each statement
2. same procedure, but edit based on the sequence number
- add a line to a named ACL

- verify ACLs
- verify ACL interfaces

- verify standard ACL statements

- ACL statistics
- after pinging and passing by router

- counters can be cleared with "clear access-list counters"

- restricting VTY access is a technique that allows you to define which IP addresses are allowed remote access(like SSH) to the router EXEC process
- so we can improve the security of administrative lines by restricting VTY(Virtual terminal) access
- access-class command

- example

- verify VTY port is secured

- we found that networks beside "192.168.10.0" can not access
- the implicit deny any

- in the figure, applying either ACL 1 or ACL 2 to the S0/0/0 interface of R1 in the outbound direction has the same effect, because every ACL ends with an implicit "deny any"
- the order of ACEs in an ACL
- a host statement placed after a range statement that already covers it is useless, because the range matches first; IOS may refuse to add the overlapping entry

- configure the host statement before the range statement (the order of ACEs decides which one matches)

- ACL and routing processes in a router

- as a frame enters an interface, the router checks to see whether the destination Layer 2 address matches its interface Layer 2 address, or whether the frame is a broadcast frame
:::
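The wildcard-mask and ordering rules above can be checked with a small model of how the router evaluates a standard ACL. This is an added example, not code from the course: it derives wildcard masks from prefix lengths, tests an address against an ACE bit by bit, walks an ACL top to bottom with the implicit deny, and flags ACEs that can never match because an earlier ACE covers them (the host-after-range problem). The ACLs in it are constructed.

```python
"""Wildcard masks and first-match ACL evaluation with the implicit deny.

Added example, not code from the course. ACL_WRONG_ORDER and
ACL_RIGHT_ORDER are constructed standard ACLs (source-address only).
"""
import ipaddress

ACL_WRONG_ORDER = ["permit 192.168.10.0 0.0.0.255", "deny host 192.168.10.10"]
ACL_RIGHT_ORDER = ["deny host 192.168.10.10", "permit 192.168.10.0 0.0.0.255"]


def wildcard_from_prefix(prefix_len):
    """/24 -> '0.0.0.255': wildcard = 255.255.255.255 minus the subnet mask."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ mask))


def matches(address, base, wildcard):
    """A 0 bit in the wildcard must match; a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(address)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_ace(text):
    """Accepts 'permit 192.168.10.0 0.0.0.255', 'deny host 192.168.10.10',
    'permit any', and 'permit 192.168.10.10' (no mask means 0.0.0.0)."""
    parts = text.split()
    action = parts[0]
    if parts[1] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if parts[1] == "host":
        return action, parts[2], "0.0.0.0"
    return action, parts[1], parts[2] if len(parts) > 2 else "0.0.0.0"


def evaluate(acl, source):
    """Return (action, index of the matching ACE); no match -> ('deny', None)."""
    for i, ace in enumerate(acl):
        action, base, wc = parse_ace(ace)
        if matches(source, base, wc):
            return action, i
    return "deny", None           # implicit 'deny any' at the end of every ACL


def find_shadowed(acl):
    """Indexes of ACEs fully covered by an earlier ACE (they can never match).
    ACE j is shadowed by i when i ignores at least the bits j ignores and
    j's base address falls inside i's range."""
    parsed = [parse_ace(a) for a in acl]
    shadowed = []
    for j, (_, base_j, wc_j) in enumerate(parsed):
        for _, base_i, wc_i in parsed[:j]:
            w_i, w_j = int(ipaddress.IPv4Address(wc_i)), int(ipaddress.IPv4Address(wc_j))
            if (w_i | w_j) == w_i and matches(base_j, base_i, wc_i):
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    print(wildcard_from_prefix(24), evaluate(ACL_WRONG_ORDER, "192.168.10.10"),
          find_shadowed(ACL_WRONG_ORDER))
```

`evaluate(ACL_WRONG_ORDER, "192.168.10.10")` permits the host the second ACE was meant to block, and `find_shadowed` reports that ACE as dead; swapping the two entries fixes both.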
:::success
- Security Policy: PC2 should not be able to access the File Server

- with the first attempt PC2 cannot reach the file server, but neither can PC1

- the corrected ACL denies only PC2 and permits the rest, so PC1 can reach the file server again

- Security Policy: The 192.168.11.0/24 network should not be able to access the 192.168.10.0/24 network
- PC2 cannot access PC1. Nor can it access the Internet through R2

- ACL 20 was applied to the wrong interface and in the wrong direction. All traffic from the 192.168.11.0/24 is denied inbound access through the G0/1 interface

- after removing ACL 20 from the G0/1 interface and apply it outbound on the G0/0 interface, PC2 cannot access PC1, but can now access the Internet

- Security Policy: Only PC1 is allowed SSH remote access to R1
- PC1 is unable to remotely access R1 using an SSH connection

- because IP address is wrong, remove the original one and add a new one

:::
- summary
- by default, a router does not filter traffic
- standard ACLs can be used to permit or deny traffic only from source IPv4 addresses
- extended ACLs filter packets based on several attributes: protocol type, source or destination IPv4 address, and source or destination ports
### Chapter 8 - DHCP
- network administrators assign "static IP" addresses to routers, servers, printers, and other network devices whose locations (physical and logical) are not likely to change
- manage remote devices easier
- computers and users in an organization often change locations, physically and logically
- difficult and time consuming to assign new IP addresses every time
- difficult to assign IP addresses manually as network grows
- so we need Dynamic Host Configuration Protocol (DHCP)

:::success
- DHCPv4 operation

- lease origination
- DHCP discover

- DHCP offer

- DHCP request

> implicit decline to any other servers
- DHCP ACK

- lease renewal
- DHCP request

- DHCP ACK

- DHCP message format

- Operation (OP) Code: type of message; 1 = request (BOOTREQUEST, client to server), 2 = reply (BOOTREPLY, server to client)
- Hardware Type: type of hardware used in network, e.g. 1 is ethernet, 15 is frame relay, 20 is serial line
- Hardware Address Length: address length
- Hops: controls the forwarding of messages, set to 0 by client before transmitting a request
- Transaction Identifier: used by the client to match the request with replies received from DHCP servers
- Seconds: identifies the number of seconds elapsed since a client began attempting to acquire or renew a lease
- Flags: used by a client that does not yet know its IPv4 address; setting the broadcast bit (the most significant bit) tells the DHCP server or relay agent to send the reply as a broadcast
- client IP address: used by a client during lease renewal when the address of the client is valid and usable, not during the process of acquiring an address
- your IP Address: used by the server to assign an IPv4 address to the client
- server IP Address: used by the server to identify the address of the server that the client should use for the next step in the bootstrap process
- gateway IP Address: routes DHCPv4 messages when DHCPv4 relay agents are involved
- client Hardware Address: the client's MAC (physical layer) address
- Server Name: optionally put its name in this field
- Boot Filename: particular type of boot file in a DHCPDISCOVER message, or in a DHCPOFFER to fully specify a boot file directory and filename
- DHCP Options: holds DHCP options
- DHCPv4 discover message

- DHCPv4 offer message

- test

- config. of DHCP server

> router R1 as DHCPv4 server
- excluding IPv4 addresses

- configure DHCPv4 pool

- configure specific tasks

- example of config. of DHCPv4

- excluding addresses: some IP addresses are static address, so they should not be assigned to other hosts
- configure pool: specify the name, and also put router into config. mode
- configure specific tasks: the tasks need to be completed, some are optional
- verify DHCPv4

> router R1 as DHCPv4 server
- "show running-config" command

- displays the DHCPv4 commands configured on R1
- "show ip dhcp binding" command

- displays a list of all IPv4 address to MAC address bindings that have been provided by the DHCPv4 service
- DHCPv4 relay
- DHCPv4 problems

- routers do not forward broadcasts, so the request will not be successful

- configure helper address for DHCP server

- it will forward those requests as a unicast to DHCP server
- then it can successfully renew

- configure a router as DHCPv4 client

- determine interface
- set it as DHCP client
- the interface is up and assigned an address by DHCP server
:::
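The message format and the relay behaviour above are easiest to see on real bytes. The following is an added example, not code from the course: it serializes a DHCPDISCOVER and a DHCPOFFER with the fixed header fields listed above and a few options, parses them back, and applies what a relay agent (the router with `ip helper-address`) changes before forwarding. The MAC, transaction ID and addresses are constructed.

```python
"""Build, parse and relay DHCPv4 messages (RFC 2131 fixed header + options).

Added example, not code from the course. MACs, transaction IDs and
addresses are constructed for illustration.
"""
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
FLAG_BROADCAST = 0x8000                  # high bit of the flags field
OPT_REQUESTED_ADDR, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes before the magic cookie


def _ip(s):
    return ipaddress.IPv4Address(s).packed


def build(op, xid, chaddr, options, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
          siaddr="0.0.0.0", giaddr="0.0.0.0", flags=0, hops=0, secs=0):
    """Serialize one message; options is a list of (code, value bytes).
    htype 1 = Ethernet, hlen 6."""
    header = struct.pack(HEADER_FMT, op, 1, 6, hops, xid, secs, flags,
                         _ip(ciaddr), _ip(yiaddr), _ip(siaddr), _ip(giaddr),
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(msg):
    """Decode the fixed fields and the option list into a dict."""
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, _sname, _file) = struct.unpack(HEADER_FMT, msg[:236])
    if msg[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:              # pad option has no length byte
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        options[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & FLAG_BROADCAST),
        "ciaddr": str(ipaddress.IPv4Address(ciaddr)), "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "siaddr": str(ipaddress.IPv4Address(siaddr)), "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": chaddr[:hlen].hex(":"),
        "msg_type": MSG_TYPES.get(options.get(OPT_MSG_TYPE, b"\0")[0], "unknown"),
        "options": options,
    }


def relay(msg, relay_ip):
    """What 'ip helper-address' does: fill giaddr with the relay's own address
    (only if still empty) and increment hops, then unicast it to the server."""
    out = bytearray(msg)
    out[3] += 1                              # hops is byte 3
    if out[24:28] == b"\0" * 4:              # giaddr is bytes 24..27
        out[24:28] = _ip(relay_ip)
    return bytes(out)


def discover(xid, mac):
    """Client DISCOVER: no addresses yet, asks for a broadcast reply."""
    return build(BOOTREQUEST, xid, mac, [(OPT_MSG_TYPE, b"\x01")], flags=FLAG_BROADCAST)


def offer(xid, mac, offered_ip, server_ip, lease_seconds, giaddr="0.0.0.0"):
    """Server OFFER: proposed address in yiaddr, server identity and lease in options."""
    return build(BOOTREPLY, xid, mac,
                 [(OPT_MSG_TYPE, b"\x02"), (OPT_SERVER_ID, _ip(server_ip)),
                  (OPT_LEASE_TIME, struct.pack("!I", lease_seconds))],
                 yiaddr=offered_ip, siaddr=server_ip, giaddr=giaddr)
```

Nothing in these bytes authenticates the server: any host on the segment can answer a DISCOVER with an OFFER, which is why the relay and the server placement above matter and why switches offer DHCP snooping to confine server replies to trusted ports.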
:::success
- troubleshooting DHCPv4

- address conflicts: a lease expires while the client keeps using the address, or a host was given a static address from inside the pool; the server detects a conflict with a ping before assigning, and the client with gratuitous ARP after receiving the address
- "show ip dhcp conflict" command displays all address conflicts recorded by the DHCPv4 server
- if address conflict is detected, the address is removed from the pool and not assigned until an administrator resolves the conflict
- example

- verify physical connectivity: check if the interface is operational or not
- test connectivity using a static IP address: if workstation can not reach network with static IP, means the problem is not DHCP, at this point, network connectivity troubleshooting is required
- verify switch port config.: if there is a switch between the client and DHCPv4 server, and clients are unable to obtain DHCP config., switch port config. issue may be the cause
- test DHCPv4 operation on the same subnet or VLAN: if it works when the client is on the same subnet as the server, the problem is probably the relay agent (helper address); if it fails even there, the problem is the DHCPv4 server itself
- verification of router DHCPv4 config.

- verify that the "ip helper-address" command is configured on the correct interface
- verify that the global configuration command "no service dhcp" has not been configured(because this command will disable all DHCP server and relay function on router)
- command "debug"

- permit only UDP destination ports of 67 or 68(typical ports used by DHCPv4)
- use "debug ip packet" command to display only DHCPv4 messages
- can also use "debug ip dhcp server events" command to report server events, like address assignments and database updates
:::
:::success
- ICMPv6 stateless address autoconfiguration
- two methods
- Stateless Address Autoconfiguration (SLAAC): auto getting address without DHCP server
- DHCPv6
- SLAAC

- Router Solicitation (RS) message: client is configured to obtain its addressing information automatically using SLAAC, then the client sends an RS message to the router, and RS message is sent to the IPv6 all-routers multicast address FF02::2
- Router Advertisement (RA) message: includes the prefix, prefix length of the local segment, a client uses this info. to create its own IPv6 global unicast address
- a router sends an RA message periodically, or in response to an RS message
- we must enable IPv6 routing before it can send RA messages (using "ipv6 unicast-routing")
- SLAAC operation

- PC1 get IPv6 address info. automatically and sends an RS message to R1
- R1 sends RA to the IPv6 all-nodes multicast address FF02::1
- after receiving the RA, PC1 generates an interface ID (either EUI-64 derived from its MAC address, or a random value) and combines it with the advertised prefix and prefix length to form its global unicast address
- PC1 then runs Duplicate Address Detection (DAD) to verify that the new address is unique on the link before it uses it
- SLAAC and DHCPv6

- use different combination of Managed Address Configuration flag(M flag) and the Other Configuration flag(O flag) to determine which addressing option will be used
- SLAAC(Router Advertisement only)
- Stateless DHCPv6(Router Advertisement and DHCPv6)
- Stateful DHCPv6(DHCPv6 only)
- SLAAC(Router Advertisement only)

- M and O flags are configured by the following commands

- Stateless DHCPv6(Router Advertisement and DHCPv6)

- to modify the RA message sent on the interface of a router to indicate stateless DHCPv6

- Stateful DHCPv6(DHCPv6 only)

- M flag indicates whether or not to use stateful DHCPv6

- DHCPv6 operations

- ADVERTISE message informs the DHCPv6 client that the server is available for DHCPv6 service
- client responds with a DHCPv6 REQUEST or INFORMATION-REQUEST unicast message to the server
- stateless DHCPv6 client: INFORMATION-REQUEST, only configuration parameters, such as DNS server address
- stateful DHCPv6 client: REQUEST, to get IPv6 address
- test

:::
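The interface-ID step of SLAAC and the M/O flag decision above, as an added example (not code from the course): it derives an EUI-64 interface ID from a constructed MAC, combines it with an RA prefix, shows that the MAC can be read back out of such an address (the privacy reason for random interface IDs), and maps the M and O flags to the three addressing methods. The MAC and prefix are constructed.

```python
"""EUI-64 interface IDs, SLAAC address formation and the RA M/O flag decision.

Added example, not code from the course. The MAC and prefix used in the
tests are constructed.
"""
import ipaddress
import secrets


def eui64_interface_id(mac):
    """48-bit MAC -> 64-bit interface ID: split the MAC in half, insert FFFE,
    and flip the universal/local bit (bit 7 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def mac_from_eui64(interface_id):
    """Reverse of the above: an EUI-64 address leaks the hardware MAC."""
    if len(interface_id) != 8 or interface_id[3:5] != b"\xff\xfe":
        return None
    raw = bytes([interface_id[0] ^ 0x02]) + interface_id[1:3] + interface_id[5:]
    return raw.hex(":")


def random_interface_id():
    """Privacy alternative (RFC 4941 style): 64 random bits with the U/L bit clear."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


def slaac_address(prefix, interface_id):
    """Combine the /64 prefix from an RA with a 64-bit interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix from the RA")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(interface_id, "big"))


def addressing_method(m_flag, o_flag):
    """Map the RA's M and O flags to the three options in this section."""
    if m_flag:
        return "stateful DHCPv6"      # address and other config from the DHCPv6 server
    if o_flag:
        return "stateless DHCPv6"     # address via SLAAC, DNS etc. via DHCPv6
    return "SLAAC only"


if __name__ == "__main__":
    iid = eui64_interface_id("00:1a:2b:3c:4d:5e")
    print(slaac_address("2001:db8:cafe:1::/64", iid), mac_from_eui64(iid))
```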
:::success
- configure router as stateless DHCPv6 server

- example

- configure router as stateless DHCPv6 client

- use "ipv6 enable" if router does not yet have a global unicast address
- use "ipv6 address autoconfig" enables automatic config. of IPv6 using SLAAC
- verification
- check the pool

- check the interfaces

- check the procedure

- configure a stateful DHCPv6 router

- example

> notice that a default gateway is not specified because the router will automatically send its own link-local address as the default gateway
- configure router as stateful DHCPv6 client

- verification
- check the pool

- check the clients in server

- check the interface

- DHCPv6 relay agent

- commands

:::
:::success
- troubleshooting DHCPv6

- allocation method: there might be wrong settings of M and O flags
- different types of configuration commands for different setting

- different verification output

- debugging DHCPv6

- it can be used to verify the receipt and transmission of DHCPv6 message
:::
### Chapter 9 - NAT for IPv4
- NAT help
- conserve IPv4 addresses (primary use)
- and provide privacy and security to end users (but actually it should not be considered a substitute for proper network security, it should be provided by a firewall)
- there is translation between private and public

- private IPv4 addresses

- example

> the border router performs NAT process
- NAT address example

- inside local address: address of source seen from inside network
- inside global address: address of source seen from outside network
- outside global address: address of destination seen from outside network
- outside local address: address of destination seen from inside network
- test

:::success
- static NAT

- one to one mapping between local and global mapping
- configured by network administrator
- dynamic NAT

- many-to-many mapping: a pool of public addresses is handed out first come, first served (FCFS), and an address stays assigned to a host until its translation times out or is cleared
- port address translation (PAT)

- many to one address mapping between local and global addresses
- one inside global address can be shared by many inside hosts, because each translation is distinguished by its source port (roughly 64,000 usable ports per address)
- comparing NAT and PAT

- ICMPv4 packets carry no layer 4 port number, so PAT uses the ICMPv4 Query ID to distinguish translations instead
- advantages of NAT

- disadvantages of NAT

:::
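A small model of the translation table ties the three NAT forms above together. This is an added example, not code from the course: a router that applies static one-to-one entries first, then a dynamic pool handed out first come first served, and finally PAT on a single inside global address, tracking ports (and ICMP query IDs) so that return traffic can be mapped back. Addresses and flows are constructed.

```python
"""Static NAT, dynamic NAT (FCFS pool) and PAT in one translation table.

Added example, not code from the course. Addresses, ports and flows in the
tests are constructed.
"""


class NatTable:
    def __init__(self, static=None, pool=None, pat_address=None):
        self.static = dict(static or {})       # inside local -> inside global (fixed)
        self.pool = list(pool or [])           # free dynamic addresses, handed out FCFS
        self.pat_address = pat_address         # single inside global address for PAT
        self.dynamic = {}                      # inside local -> inside global (from pool)
        self.pat = {}                          # (local ip, local port, proto) -> (global ip, global port)
        self.used_ports = set()                # (proto, global port) already in use for PAT
        self.next_port = 1024

    def translate(self, src_ip, src_port, proto="tcp"):
        """Outbound packet: return (inside global ip, translated port).
        For ICMP, src_port is the Query ID (no layer 4 port exists)."""
        if src_ip in self.static:
            return self.static[src_ip], src_port
        if src_ip in self.dynamic:
            return self.dynamic[src_ip], src_port
        if self.pool:                          # dynamic NAT: first come, first served
            self.dynamic[src_ip] = self.pool.pop(0)
            return self.dynamic[src_ip], src_port
        if self.pat_address is None:
            raise RuntimeError("no translation available: pool exhausted and no PAT address")
        key = (src_ip, src_port, proto)
        if key not in self.pat:
            # PAT keeps the original source port when it is free, else picks another
            port = src_port if (proto, src_port) not in self.used_ports else self._alloc_port(proto)
            self.used_ports.add((proto, port))
            self.pat[key] = (self.pat_address, port)
        return self.pat[key]

    def _alloc_port(self, proto):
        while (proto, self.next_port) in self.used_ports:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def untranslate(self, global_ip, global_port, proto="tcp"):
        """Returning packet: (inside local ip, port), or None if no entry matches
        (which is why unsolicited inbound traffic is dropped by PAT)."""
        for (lip, lport, lproto), (gip, gport) in self.pat.items():
            if (gip, gport, lproto) == (global_ip, global_port, proto):
                return lip, lport
        for lip, gip in {**self.static, **self.dynamic}.items():
            if gip == global_ip:
                return lip, global_port
        return None


if __name__ == "__main__":
    nat = NatTable(static={"192.168.10.254": "209.165.200.254"},
                   pool=["209.165.200.226"], pat_address="209.165.200.225")
    print(nat.translate("192.168.10.10", 50000), nat.translate("192.168.11.20", 50000))
```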
:::success
- configure static NAT

- configure the IP first and bind inside IP address with inside NAT interface

- bind outside IP address with outside NAT interface

- verify static NAT translation

- do NAT translation statistics

- configure dynamic NAT


- define pool
- create ACL
- bind pool with ACL
- bind interfaces with NAT
- in terms of verifying dynamic NAT, basically the same as static NAT

- "verbose" keyword displays additional info. about each translation, including how long ago the entry was created and used
- configure PAT

- example

- configure PAT with single address

- verify PAT
- PAT translations

- PAT statistics

- test

- hop 1

- hop 2

- hop 3

- hop 4

- port forwarding

- forward traffic to specific server using specific port
- configure single port forwarding

- commands used to configure static NAT

- port forwarding example

- verification

:::
:::danger
- NAT for IPv6?
- IPv6 was designed so that NAT between public and private addresses, as used with IPv4, is unnecessary
- translation still exists for IPv6, but only to provide transparent access between IPv6-only and IPv4-only networks (NAT64), not to conserve addresses

- IPv6 has unique local addresses (ULA), similar to private addresses in IPv4

:::
:::success
- troubleshooting NAT

- base on config., verify if the translation is correct or not

- use "clear" and "debug" commands to verify that NAT is operating as expected

- for example, ACL in this case is wrong

- only 192.168.0.0/16 addresses are eligible to be translated
- inside network destined for the Internet with source addresses that are not explicitly permitted by ACL 1 are not translated by R2
- NAT troubleshooting scenario

- first, we find there is no translations in table
- it shows no translation has occurred

- check ACL permits all necessary networks, and we can see used wildcard is wrong

- after modification, it shows that it recovers

:::
- however, NAT has drawbacks in terms of its negative effects on device performance, mobility, and end-to-end connectivity and should be considered a short term implementation for address exhaustion with the long term solution being IPv6
### Chapter 10 - Device Discovery, Management, and Maintenance
- CDP is a Cisco-proprietary data link layer protocol for discovering directly connected Cisco devices
- LLDP is the vendor-neutral data link layer protocol for the same purpose (IEEE 802.1AB)
- both advertise device name, platform and addresses to neighbours, so they should be disabled on ports that face untrusted devices
- NTP synchronizes the time of day among distributed time servers and clients, so that log timestamps on routers and switches can be correlated
- device maintenance
- back up
- restore
- upgrade images and configuration files
:::success
- Cisco Discovery Protocol (CDP)

- share the information about the type of device that is discovered, the name of the devices, and the number and type of the interfaces
- configure and verify CDP
- "show cdp" to check the info.

- configure CDP on the interface

- CDP disabled and re-enabled

- show CDP neighbors (add "detail" if wanna know more)

- display enabled CDP interfaces

- Link Layer Discovery Protocol (LLDP)
- also works on layer 2 devices, but different from CDP, CDP is Cisco-specific, and LLDP is open standard
- configure and verify LLDP

> LLDP must be configured separately to transmit and receive LLDP packets
- show LLDP neighbors (add "detail" if wanna know more, like address, system info, and else)

- test

:::
:::success
- two methods
- manually configure the date and time, but it is not good strategy as a network grows

- configure the Network Time Protocol (NTP), synchronize the time settings with an NTP server
- NTP uses UDP port 123; NTPv3 is documented in RFC 1305 (NTPv4 in RFC 5905)
- NTP stratum labels

> the stratum level is the number of hops from the authoritative time source
- stratum 0: the authoritative time sources themselves (atomic or GPS clocks), with little or no delay
- stratum 1: devices directly connected to a stratum 0 source; they act as the primary network time standard
- stratum 2 and higher: devices that synchronize over the network to a lower stratum, such as stratum 2 NTP clients syncing to a stratum 1 server; the maximum usable stratum is 15
- configure and verify NTP
- decide the address of NTP server

- verify if R1 is synchronized with NTP server

- clock on S1 is configured to synchronize to R1

- system log server

- ability to gather logging information for monitoring and troubleshooting
- ability to select the type of logging information that is captured
- ability to specify the destinations of captured syslog message
- syslog message destination options

- then remotely monitor system messages by viewing the logs on a syslog server through Telnet, SSH, or through the console port
- Syslog message format
- Syslog severity level

- levels 0 to 4 (emergency, alert, critical, error, warning): software or hardware malfunctions; the functionality of the device is affected
- level 5 (notification): normal but significant events, for example interface up or down transitions and system restart messages
- level 6 (informational): messages that do not affect device functionality, like a Cisco device booting
- level 7 (debugging): output generated by "debug" commands
- Syslog message format

- service timestamp

- by default, log messages are not timestamped
- so use the command "service timestamps log datetime" to force logged events to display the date and time
- test
- interpret Syslog output 1

- test 2

- test 3

- Syslog server
- a syslog server is where syslog messages can be stored, filtered, and analyzed
- a syslog server must be installed on a workstation in the network to view syslog messages

- the server application also makes searching the messages very easy
- default logging

- by default, Cisco routers and switches send log messages for all severity levels to the console
- the device also buffers log messages by default
- the "logging console" and "logging buffered" commands enable these two destinations
- router and switch commands for Syslog clients

- use the "logging" command to configure the destination hostname or IPv4 address of the syslog server
- control which severity levels are sent using "logging trap", for example limiting them to levels 0 to 4
- then optionally configure the source interface
- verify Syslog
- check that the messages we want are included

- choose the time to start from
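To make the message format, severity levels and timestamp notes above concrete, here is an added Python parser (my own example, not course or Cisco code) that reads IOS-style syslog lines, splits out facility/severity/mnemonic, applies a "logging trap"-style severity cut-off, and flags messages whose timestamp cannot be trusted (no timestamp, or the clock marked "*" / "." because NTP is not synchronized). The sample log lines are constructed for the example, not captured from a real device.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity names as used by Cisco IOS "logging trap <level>".
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# One IOS syslog line: optional sequence number, optional timestamp (only present
# once "service timestamps log datetime" is configured), then
# %FACILITY-SEVERITY-MNEMONIC: description.
# A "*" before the timestamp means the clock is not authoritative (no NTP sync);
# a "." means NTP synchronization was lost.
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:(?P<clock>[*.])?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:\s+[A-Z]{2,4})?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)

# Constructed sample, modelled on the IOS message format (not from a real device).
SAMPLE_LOG = """\
%SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:02:17.803: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
*Mar  1 00:02:18.811: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
000042: .Mar  1 00:03:00.120 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22]
Mar  1 2024 00:03:05.000: %SYS-6-BOOTTIME: Time taken to reboot after reload = 23 seconds
Mar  1 2024 00:03:06.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): debug test
this is not a syslog message
"""


@dataclass
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str
    sequence: Optional[int] = None
    clock_flag: Optional[str] = None   # "*" not authoritative, "." NTP sync lost
    timestamp: Optional[str] = None

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def affects_device(self) -> bool:
        """Levels 0-4 report malfunctions that affect device functionality."""
        return self.severity <= 4


def parse_line(line: str) -> Optional[SyslogMessage]:
    """Parse one line; return None for lines that are not IOS syslog messages."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return SyslogMessage(
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
        sequence=int(m["seq"]) if m["seq"] else None,
        clock_flag=m["clock"],
        timestamp=m["ts"],
    )


def parse_log(text: str) -> List[SyslogMessage]:
    """Parse a whole capture, silently skipping non-syslog lines."""
    return [m for m in (parse_line(l) for l in text.splitlines()) if m is not None]


def trap_filter(msgs: List[SyslogMessage], level: int) -> List[SyslogMessage]:
    """Mimic "logging trap <level>": keep messages at that level or more severe."""
    return [m for m in msgs if m.severity <= level]


def severity_counts(msgs: List[SyslogMessage]) -> Dict[int, int]:
    """How many messages were seen per severity level."""
    return dict(Counter(m.severity for m in msgs))


def unsynchronized_clock(msgs: List[SyslogMessage]) -> List[SyslogMessage]:
    """Messages whose timestamp cannot be trusted for cross-device correlation:
    no timestamp at all, or clock flagged "*" / "." because NTP is not in sync."""
    return [m for m in msgs if m.timestamp is None or m.clock_flag in ("*", ".")]


if __name__ == "__main__":
    for msg in trap_filter(parse_log(SAMPLE_LOG), 4):
        print(msg.severity_name, msg.facility, msg.mnemonic, msg.text)
```

Running it on the sample keeps only the level 3 and level 4 messages, which is exactly what a "logging trap 4" configuration would forward to the syslog server; the unsynchronized_clock check is the practical reason the NTP notes above precede the syslog notes.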

:::
:::success
- router file system
- show all of the available file systems on Cisco router

- flash is default file system

- NVRAM file system

- switch file system

- in Cisco 2960 switch flash file system, you can copy configuration files, and archive (upload and download) software images
- Backup Configurations with Text Capture (Tera Term)
- start log process

- after capture has been started, execute the "show running-config" or "show startup-config" command at the privileged EXEC prompt; the text displayed in the terminal window is directed to the chosen file
- after that, we can restore using Tera Term
- Backup Configurations with Trivial File Transfer Protocol (TFTP)
- enter the "copy running-config tftp" command, then enter the required information, such as the IP address of the TFTP server where the data is stored and the name of the configuration file

- we can restore it using the "copy tftp running-config" command, then enter the required information
- on Cisco routers, Universal Serial Bus (USB) storage can serve as optional secondary storage

- backup and restore using USB
- check the name of the USB device in the file system first

- copy the configuration file to the USB flash drive; if a file with the same name exists, overwrite it

- and we can use command "copy usbflash0:/R1-Config running-config" to restore a running configuration
- password recovery
- enter ROMMON mode

- recover the startup configuration and change the passwords

- IOS software packaging model for ISR G2 routers

- just go through it
- display Cisco IOS image
- "show flash" command displays the files stored in flash memory

- "c1900": image name
- "universalk9": branch of image, specific software feature
- "mz": where the image runs and whether it is compressed; "mz" means it runs from RAM and is compressed
- "SPA": digitally signed by Cisco
- "152-4.M3": the filename format for the image
- "bin": the file extension
- example of Cisco image name

- widely distributed routers need a source or backup location for Cisco IOS Software images

- we can use TFTP server to allow image and configuration uploads and downloads over the network
- steps to backup IOS image to TFTP server

- verify connectivity and image size to check TFTP server has sufficient disk space to place Cisco IOS image

- copy image to TFTP server

- steps to copy IOS image to device

- verify connectivity

- verify free flash size in device

- copy image from TFTP server

- to upgrade to the copied IOS image after image is saved in device
- set image to boot and reload the system

- verify new image by checking version

- licensing process

> Product Authentication Key (PAK)
- purchase license for feature

- obtain a license

- install the license, then reload

- license verification
- to check which licenses have been installed

- to get additional information, such as the status of the license

- activate license
- accept user agreement and activate it

- verify that the license has been installed

- we can backup license

- we can also restore it by using "license install" command
- uninstall the license

- disable the tech. package first; remember that a "reload" is required to make the package inactive
- clear the tech. package license from license storage
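As an added example (my own code, not part of the course material or a Cisco tool) for the image-name fields listed under "display Cisco IOS image" above, the parser below splits an IOS image file name into platform, feature set, run location/compression, signature tag, version and extension, and turns the version field (which I read as "152-4.M3" meaning release 15.2(4)M3) into the form printed by "show version", so an upgraded image can be checked before "boot system" and compared with the running one. The example name "c1900-universalk9-mz.SPA.152-4.M3.bin" is assembled from the fields in the notes; the 2960 switch name is a constructed second sample.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Cisco IOS image name, split into the fields listed in the notes:
#   <platform>-<featureset>-<runlocation>[.<signature>].<version>.bin
# e.g. c1900-universalk9-mz.SPA.152-4.M3.bin (assembled from the notes' fields)
IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<featureset>[a-z0-9_]+)-(?P<runloc>[a-z]{2})"
    r"(?:\.(?P<sig>S[A-Z]{2}))?"          # SPA: digitally signed (absent on many switch images)
    r"\.(?P<version>\d{3}-\d+\.[A-Z]+\d*)"  # 152-4.M3
    r"\.(?P<ext>bin)$"
)

# First letter of the run-location field: where the image executes.
RUN_LOCATION = {"m": "RAM", "f": "flash", "r": "ROM", "l": "relocatable"}
# Second letter: compression applied to the image ("z" = zip, as in the notes' "mz").
COMPRESSION = {"z": "zip", "x": "mzip"}


@dataclass
class ImageInfo:
    platform: str
    feature_set: str
    crypto_capable: bool          # "k9" suffix: strong cryptography included
    runs_from: str
    compression: str
    signed: bool                  # signature tag present ("SPA" in the notes)
    signature_tag: Optional[str]
    version: str                  # raw field, e.g. 152-4.M3
    release: str                  # "show version" form, e.g. 15.2(4)M3
    extension: str


def release_string(version: str) -> str:
    """Convert "152-4.M3" to the 15.2(4)M3 form used in "show version"."""
    train, rest = version.split("-", 1)        # "152", "4.M3"
    throttle, rebuild = rest.split(".", 1)     # "4", "M3"
    return f"{train[:2]}.{train[2:]}({throttle}){rebuild}"


def version_key(version: str) -> Tuple[int, int, int, str, int]:
    """Sortable key (major, minor, throttle, train letters, rebuild) for comparing
    two images of the same train; comparing across trains (M vs T) is not meaningful."""
    train, rest = version.split("-", 1)
    throttle, rebuild = rest.split(".", 1)
    m = re.match(r"([A-Z]+)(\d*)", rebuild)
    return (int(train[:2]), int(train[2:]), int(throttle), m.group(1), int(m.group(2) or 0))


def parse_image_name(name: str) -> Optional[ImageInfo]:
    """Return the decoded fields, or None if the name does not follow the format."""
    m = IMAGE_RE.match(name)
    if not m:
        return None
    loc, comp = m["runloc"][0], m["runloc"][1]
    return ImageInfo(
        platform=m["platform"],
        feature_set=m["featureset"],
        crypto_capable=m["featureset"].endswith("k9"),
        runs_from=RUN_LOCATION.get(loc, "unknown"),
        compression=COMPRESSION.get(comp, "unknown"),
        signed=m["sig"] is not None,
        signature_tag=m["sig"],
        version=m["version"],
        release=release_string(m["version"]),
        extension=m["ext"],
    )


if __name__ == "__main__":
    for name in ("c1900-universalk9-mz.SPA.152-4.M3.bin",
                 "c2960-lanbasek9-mz.150-2.SE4.bin"):
        print(name, "->", parse_image_name(name))
```

Before pointing "boot system" at a freshly copied image, a quick sanity check is that the parser returns an ImageInfo with the expected platform and a signature tag, and that version_key of the new image is greater than that of the running one; a name that fails to parse is a hint that the wrong file was copied.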
:::
---
## Quiz on Moodle
- [Module 1-3](https://moodle.fel.cvut.cz/mod/quiz/view.php?id=279159)
- [Module 4-6](https://moodle.fel.cvut.cz/mod/quiz/view.php?id=279160)
- [Module 7-9](https://moodle.fel.cvut.cz/mod/quiz/view.php?id=279161)
- [Module 10](https://moodle.fel.cvut.cz/mod/quiz/view.php?id=279162)