Boson CCNA Review
Baby giant, collision, late collision, runt, and jumbo runt
- A collision occurs when a packet must be re-sent because of an interruption that occurs before the 64th byte, or 512th bit, has been transmitted.
- A late collision occurs when a packet must be re-sent because of an interruption that occurs after the 64th byte, or 512th bit.
- A baby giant is a frame that is up to 1,600 bytes in length. The default maximum transmission unit (MTU) size for Ethernet frames is 1,500 bytes.
- A jumbo is a frame that is up to 9,216 bytes in length.
5 OSPF Network Types
- Are unicast or multicast updates sent?
- What are the associated interfaces?
- What are the hello and dead timers?
- Does the neighbor command need to be manually configured?
- What is the command to enable it?
- Broadcast (Ethernet & FDDI)
- Nonbroadcast (Frame Relay & X.25)
- Point-to-point (HDLC & PPP)
- Point-to-multipoint broadcast
- Point-to-multipoint nonbroadcast
802.11 MAC Frame Format
- Frame Control Field
- Duration Field
- Address Fields 1-3
- SEQ Field
- Data
- FCS
Layer 3 Wireless Security Options
- None
- IPSec
- VPN Pass-Through
- Web Authentication
- Web Passthrough
Layer 2 Wireless Security Options
- None
- WPA+WPA2
- 802.1X
- Static WEP
- Static WEP + 802.1X
- CKIP
- None + EAP Passthrough
What does the show cdp neighbors detail command display
- The device ID, or host name, of the neighboring device
- The Internet Protocol (IP) address of the neighboring device
- The platform, or product number, of the neighboring device
- The capabilities of the neighboring device
- The local interface
- The remote interface
- The holdtime
- The software version
- The native virtual local area network (VLAN)
- The VLAN Trunking Protocol (VTP) domain
Route Preference
- directly connected route
- static route
- internal EIGRP route
- OSPF route
- IS-IS route
- RIP route
Neighbor States of OSPF
- down
- init
- 2-way
- exstart
- exchange
- loading
- full
How does EIGRP calculate metric weights?
- lowest segment bandwidth
- sum of the segment delays
What can ACLs permit or deny packets based on?
- source IP address
- destination IP address
- protocol
- port
How to enable loop guard for the entire switch and for specific ports?
- spanning-tree loopguard default (global configuration mode, entire switch)
- spanning-tree guard loop (interface configuration mode, specific port)
7 Levels of Log Messages
0 - emergencies
1 - alerts
2 - critical
3 - errors
4 - warnings
5 - notifications
6 - informational
7 - debugging
IP Multicast Addresses & what is not
01-00-5E-0F-0F-0F - an IP multicast MAC address
00-00-0C-F0-F0-F0 - represents a unicast MAC address
FF-FF-FF-FF-FF-FF - reserved for use as the Ethernet broadcast address
CF-00-00-00-00-00 - reserved for Ethernet loopback testing
How do you configure a domain name for a pool?
1) Create the DHCP pool with the command "ip dhcp pool [pool name]".
   - The router will go into DHCP config mode.
2) Configure the domain name with the "domain-name example.com" command.
What are the commands to recover a port that is in an err-disabled due to BPDU guard?
1) errdisable recovery cause bpduguard
2) errdisable recovery interval [interval]
How to enable SSH on VTY Lines
1. Configure the router with a host name other than Router by issuing the hostname command.
2. Configure the router with a domain name by issuing the ip domain-name command.
3. Generate an RSA key pair for the router by issuing the crypto key generate rsa command.
4. Configure the VTY lines to use SSH by issuing the transport input ssh command from line configuration mode.
4 Steps to create new normal WLAN
1. Select the type of WLAN you are creating from the Type drop-down list box; by default, this value is configured to WLAN.
2. Enter a 32-character or less profile name in the Profile Name field.
3. Enter a 32-character or less Service Set Identifier (SSID) in the SSID field.
4. Choose a WLAN ID from the ID drop-down list box; by default, this value is configured to WLAN.
STP Standards
802.1D - STP
802.1w - RSTP
802.1s - Multiple Spanning Tree
Layer 2 switch ports (static/dynamic)
A Layer 2 switch port can be configured to operate in either a static mode or a dynamic mode. When operating in static mode, the switch port is explicitly configured as either an access port or a trunk. An access port is a member of a virtual local area network (VLAN) and is typically connected to an edge device, like a server or a workstation, whereas a trunk port is not a member of any VLAN and is typically connected to a nonedge device, such as a switch or a router. By default, an access port on a Cisco switch operates in VLAN 1. In addition, access ports automatically drop VLAN-tagged frames, such as those forwarded by 802.1Q. The static switchport modes are also referred to as on and off to indicate whether a port has been statically configured as a trunk port or an access port, respectively.
What is BPDU Guard?
BPDU guard is used to disable ports that erroneously receive bridge protocol data units (BPDUs). BPDU guard is typically applied to edge ports that have PortFast enabled. Because PortFast automatically places ports into a forwarding state, a switch that has been connected to a PortFast-enabled port could cause switching loops. However, when BPDU guard is applied, the receipt of a BPDU on a port will result in the port being placed into the error-disabled state, which prevents loops from occurring.
Types of WLAN Management Frames
Beacons - Beacons are management frames that contain the Service Set Identifier (SSID) of a wireless network.
Association request - An association request frame is sent from the wireless client to the AP to request access to the wireless network. The process of requesting access to the wireless network comes after the client has been authenticated by an AP or authentication server.
Deauthentication frames - Deauthentication management frames are sent by either the AP or the wireless client to terminate the connection.
Probe request - Probe request management frames are sent by wireless clients to request network information from any AP in the transmission range of the client.
Cisco Management Solutions & how you interact with them
Cisco Network Assistant - a free Java-based desktop application that enables a local area network (LAN) administrator to perform network operations, diagnose problems, and interact with network devices by using a graphical user interface (GUI).
DNA Center - an enterprise Cisco management solution that is built specifically to support Cisco SDA.
Cisco PI - does not support Cisco SDA. Cisco PI is a traditional enterprise Cisco management platform that relies on a browser-based GUI to enable administrators to perform operations on the network, diagnose problems with the network, and interact with devices on the network.
Private Address Ranges
Class A - 10.0.0.0 to 10.255.255.255
Class B - 172.16.0.0 to 172.31.255.255
Class C - 192.168.0.0 to 192.168.255.255
What does the switchport port-security violation protect command do?
Configures a switch port to discard traffic that it receives from unauthorized hosts. However, the SecurityViolation counter is not incremented when the protect keyword is used.
What does the switchport port-security violation shutdown command do?
Configures a switch port to enter the error-disabled state when the port receives traffic from unauthorized hosts. You can remove the switch port from the error-disabled state by issuing the errdisable recovery cause shutdown command from global configuration mode or by issuing the shutdown and no shutdown commands from interface configuration mode.
What is a directly attached, recursive, fully specified, and floating static route?
Directly attached - specifies the destination IPv6 network and the outbound interface.
Recursive - specifies the destination IPv6 network and the IPv6 next-hop address only.
Fully specified - specifies the destination network, outbound interface, and next-hop IPv6 address.
Floating - any of the possible 3 with a preset AD used as a backup route.
AD of all routes
Directly connected - 0
Static route - 1
EIGRP summary route - 5
eBGP - 20
Internal EIGRP - 90
IGRP - 100
OSPF - 110
IS-IS - 115
RIP - 120
External EIGRP - 170
iBGP - 200
Unknown - 255
What does the switchport port-security violation restrict command do?
Discards traffic and increments the SecurityViolation counter when a switch receives traffic from an unauthorized MAC address.
What does FlexConnect do?
Enables a failsafe if the CAPWAP connection goes down. FlexConnect mode does not provide BSSs. When configured, FlexConnect mode enables a lightweight AP to switch traffic between a given Service Set Identifier (SSID) and a given virtual LAN (VLAN).
TCP/UDP Protocols & Port Numbers
FTP - TCP - 20/21
HTTP - TCP - 80
SMTP - TCP - 25
POP3 - TCP - 110
Telnet - TCP - 23
DHCP - UDP - 67/68
SNMP - UDP - 161/162
TFTP - UDP - 69
NTP - UDP - 123
RADIUS - UDP - 1812/1813
DNS - BOTH - 53
What are the 4 steps in the site-to-site VPN IPSec encryption process.
First, the sending device combines a session key, which is also known as an encryption key or a shared key, with the data that is to be transported over the tunnel. It then uses the session key to encrypt both the data and the key. Second, the sending device encapsulates the encrypted data and session key into a packet with a VPN header and a new IP header. These headers contain the source and destination information that is used to transport the encrypted data and session key over the tunnel. Third, the sending device sends the completed packet to the destination device at the other end of the tunnel, or site-to-site VPN. Fourth and finally, the destination device, or receiving device, uses the same session key that the sending device used for encryption to decrypt the encrypted packet and session key.
What is a DHCP spoofing attack and how can it be prevented?
In a Dynamic Host Configuration Protocol (DHCP) spoofing attack, an attacker installs a rogue DHCP server on the network in an attempt to intercept DHCP requests. The rogue DHCP server can then respond to the DHCP requests with its own IP address as the default gateway address; hence all traffic is routed through the rogue DHCP server. You should enable DHCP snooping to help prevent DHCP spoofing attacks.
What is a MAC flooding attack and how can it be prevented?
In a MAC flooding attack, an attacker generates thousands of forged frames every minute with the intention of overwhelming the switch's MAC address table. Once this table is flooded, the switch can no longer make intelligent forwarding decisions and all traffic is flooded. This allows the attacker to view all data sent through the switch because all traffic will be sent out each port. Implementing port security can help mitigate MAC flooding attacks by limiting the number of MAC addresses that can be learned on each interface to a maximum of 128. A MAC flooding attack is also known as a Content Addressable Memory (CAM) table overflow attack.
What is a MAC spoofing attack and how can it be prevented?
In a Media Access Control (MAC) spoofing attack, an attacker uses the MAC address of another known host on the network in order to bypass port security measures. MAC spoofing can also be used to impersonate another host on the network. Implementing sticky secure MAC addresses can help mitigate MAC spoofing attacks.
What is VLAN hopping and how can it be prevented?
In a virtual local area network (VLAN) hopping attack, an attacker attempts to inject packets into other VLANs by accessing the VLAN trunk and double-tagging 802.1Q frames. A successful VLAN hopping attack enables an attacker to send traffic to other VLANs without the use of a router. You can prevent VLAN hopping by disabling Dynamic Trunking Protocol (DTP) on trunk ports, by
What is an ARP poisoning attack and how can it be prevented?
In an Address Resolution Protocol (ARP) poisoning attack, which is also known as an ARP spoofing attack, the attacker sends a gratuitous ARP (GARP) message to a host. The GARP message associates the attacker's MAC address with the Internet Protocol (IP) address of a valid host on the network. Subsequently, traffic sent to the valid host address will go through the attacker's computer rather than directly to the intended recipient. Implementing Dynamic ARP Inspection (DAI) can help mitigate ARP poisoning attacks.
Enable Secret 0, 4, 5, 7 & service password-encryption
Instead of supplying a clear-text password, you can specify an encryption-type value of 0, 4, or 5 and an encrypted-password value of either a clear-text password, a SHA-256 hash, or a Message Digest 5 (MD5) hash, respectively. Supplying a hash value requires that you have previously encrypted the value by using a hashing algorithm in the same fashion that IOS uses the algorithm. The password 7 hash command configures an encrypted virtual terminal (VTY) login password when the command is issued in VTY line configuration mode.
What can a leaf node and spine node connect to?
Leaf
- must connect to every spine
- cannot connect to a leaf
- can connect to an APIC
- can connect to an EPG
Spine
- must connect to every leaf
- cannot connect to a spine
What lightweight APs and WLC do in split mac
Lightweight AP
- prioritizing packets & encryption
- responding to beacon and probe requests
- real-time processing of data
WLC
- security management
- client load balancing
- client association requests
- data encapsulation
- client authentication
- key exchange
- RF management
- security policy enforcement
Cisco AP Modes
■ Local: The default lightweight mode that offers one or more functioning BSSs on a specific channel. During times that it is not transmitting, the AP will scan the other channels to measure the level of noise, measure interference, discover rogue devices, and match against intrusion detection system (IDS) events.
■ Monitor: The AP does not transmit at all, but its receiver is enabled to act as a dedicated sensor. The AP checks for IDS events, detects rogue access points, and determines the position of stations through location-based services.
■ FlexConnect: An AP at a remote site can locally switch traffic between an SSID and a VLAN if its CAPWAP tunnel to the WLC is down and if it is configured to do so.
■ Sniffer: An AP dedicates its radios to receiving 802.11 traffic from other sources, much like a sniffer or packet capture device. The captured traffic is then forwarded to a PC running network analyzer software such as WildPackets OmniPeek or Wireshark, where it can be analyzed further.
■ Rogue detector: An AP dedicates itself to detecting rogue devices by correlating MAC addresses heard on the wired network with those heard over the air. Rogue devices are those that appear on both networks.
■ Bridge: An AP becomes a dedicated bridge (point-to-point or point-to-multipoint) between two networks. Two APs in bridge mode can be used to link two locations separated by a distance. Multiple APs in bridge mode can form an indoor or outdoor mesh network.
■ Flex+Bridge: FlexConnect operation is enabled on a mesh AP.
■ SE-Connect: The AP dedicates its radios to spectrum analysis on all wireless channels. You can remotely connect a PC running software such as MetaGeek Chanalyzer or Cisco Spectrum Expert to the AP to collect and analyze the spectrum analysis data to discover sources of interference.
Types of Control, Management, & Data Frames
Management - Beacons, probe request, association, authentication, announcement
Control - Ready-to-Send (RTS), Clear-to-Send (CTS), Acknowledgment (ACK), and Power Save (PS) Poll
Data - contention free (CF) service frames and contention-based service frames
Which APIs are north and south?
North - REST and OSGi
South - NETCONF, OnePK, OpenFlow, OpFlex
Overlay, Underlay, Northbound API, Southbound API, fabric
Overlay - creates VXLAN tunnels between SDA switches.
Underlay - is a collection of devices that comprises the IP network that connects to each fabric node.
Fabric - is the entirety of the overlay network and the underlay network.
Northbound API - enables an SDN controller to communicate with applications in the application plane.
Southbound API - enables an SDN controller to communicate with devices in the data plane.
Operating Modes of PAgP and LACP
PAgP - auto & desirable
LACP - passive & active
What are the WPA2 Management Methods?
PSK - configures WPA or WPA2 to use the pre-shared key (PSK) key management method. This method requires an administrator to configure each wireless client that will connect to the network with the key that is configured on the WLC.
CCKM - This option enables the CCKM key management method but does not minimize delay specifically for 802.1X clients. CCKM is a Cisco-proprietary fast-rekeying method that enables a wireless client to roam from one access point to another without requiring intervention from the Cisco Wireless LAN Controller (WLC).
802.1X - The IEEE 802.1X standard defines a method of port-based network access control. On Cisco wireless local area networks (WLANs), the 802.1X key management method is the default method for both WPA and WPA2. It typically requires a RADIUS server and uses various Extensible Authentication Protocol (EAP) implementations to authenticate users.
802.1X+CCKM - enables 802.1X clients to use the Cisco Centralized Key Management (CCKM) key management method to roam between access points without performing the complete 802.1X authentication process again.
How is root guard applied?
Root guard is applied on a per-port basis by issuing the spanning-tree guard root command. If root guard is enabled on a loop guard-enabled port, loop guard will be automatically disabled.
What tables are in EIGRP and what do they show you?
Routing Table - successors
Topology Table - successors and feasible successors
Neighbor Table - all the adjacent EIGRP neighbors
VTP Modes
Server
- creates/modifies/deletes VLANs
- synchronizes VTP information
- originates VTP advertisements
- forwards VTP advertisements
- stores VLAN information in NVRAM
Client
- synchronizes VTP information
- originates VTP advertisements
- forwards VTP advertisements
Transparent
- creates/modifies/deletes VLANs
- forwards VTP advertisements
- stores VLAN information in NVRAM
What does SNMP do, and how do you configure v3?
Simple Network Management Protocol (SNMP) is used to manage network devices. SNMP can be used to remotely monitor and configure a wide variety of network devices, such as routers, switches, and network printers. SNMP version 1 (SNMPv1) and SNMPv2 use community strings to provide authentication. However, neither SNMPv1 nor SNMPv2 uses encryption; all data and community strings are sent in clear text. SNMPv3 is an enhancement to the SNMP protocol that uses encryption to provide confidentiality, integrity, and authentication. SNMPv3 is also the first version of SNMP to support user and group configuration in its authentication security model. However, before you can configure SNMPv3 users, you must configure the following:
1) An SNMPv3 group that maps users to views
2) The Internet Protocol (IP) address or port number for the remote SNMP agent where the user is configured
3) The SNMP engine ID by issuing the snmp-server engineID command
What is the AP-manager interface on a WLAN controller?
The AP-manager interface on a wireless LAN controller (WLC) controls all Layer 3 communications between a WLC and a lightweight access point (AP). The AP-manager interface contains the Internet Protocol (IP) address that is used as the source IP address by which the lightweight APs communicate with the WLC. Because the AP-manager interface communicates with the lightweight APs on the wireless network, the IP address assigned to the AP-manager interface should be unique on the network. After the interface has been configured, the WLC uses the AP-manager interface to listen for Layer 3 Lightweight Access Point Protocol (LWAPP) communications.
What is loop guard?
The loop guard feature prevents nondesignated ports from inadvertently forming bridging loops if the steady flow of BPDUs is interrupted. When the port stops receiving BPDUs, loop guard puts the port into the loop-inconsistent state, which keeps the port in a blocking state. After the port starts receiving BPDUs again, loop guard automatically re-enables the port so that it transitions through the normal STP states.
What is the WLC management interface?
The management interface is used for in-band management information. This interface is used for all Layer 2 LWAPP communications between the controller and the lightweight APs. In addition, the management interface is used to communicate with other WLCs on the wireless network.
What is the WLC service port interface?
The service port interface is used for maintenance purposes on a WLC. This interface is a physical interface on the WLC that can be used to recover the WLC in the event that the WLC fails. The service port interface is the only interface that is available while the WLC is booting.
What does the show cdp command display
The show cdp command displays global information about CDP, including timer and holdtime information.
What does the show cdp interface command display
The show cdp interface command displays information about the interfaces on which CDP is enabled.
What does the show cdp neighbors command display
The show cdp neighbors command displays much of the same information found in the output of the show cdp neighbors detail command. However, it does not display the IP address of the neighboring device. The following information is displayed when the show cdp neighbors command is issued:
- The device ID of the neighboring device
- The capabilities of the neighboring device
- The product number of the neighboring device
- The holdtime
- The local interface
- The remote interface
What is the WLC virtual interface?
The virtual interface can be used to provide a specific IP address that is the same across multiple controllers when wireless clients roam among the controllers. This enables seamless roaming among the controllers. The virtual interface is also used in situations where web authorization has been enabled for clients; the user is redirected to the IP address of the virtual interface when the user opens a web browser. In addition, if Dynamic Host Configuration Protocol (DHCP) relay has been enabled on the controller, the virtual interface can be used as the DHCP server address on wireless clients.
How to move an unused port to an unused VLAN
To move an access port to an unused VLAN, you should issue the switchport access vlan vlan-id command on the port, where vlan-id is the ID of the unused VLAN. When you move an unused port to an unused VLAN, you should also manually configure the port as an access port by issuing the switchport mode access command and shut down the port by issuing the shutdown command.
How to enable port security
To protect switch interfaces against Media Access Control (MAC) flooding attacks, you should enable port security on all access mode interfaces on the switch. Issuing the switchport port-security command in interface configuration mode enables port security with default settings. You can modify port security settings before you enable port security by issuing the following commands:
- switchport port-security mac-address mac-address
- switchport port-security maximum maximum-number-of-mac-addresses
- switchport port-security violation [protect | restrict | shutdown]
APs and clients supported in WLC deployment models (APs / clients)
Unified - 6000 / 64,000
Cloud - 3000 / 32,000
Embedded - 200 / 4000
Mobility Express - 100 / 200
MIC & Encryption for Wireless Standards
WEP - RC4
WPA - TKIP & RC4
WPA2 - CCMP & AES
WPA3 - GCMP
Important thing to know about switch VLANs
When a switch receives a frame without an 802.1Q header, the switch knows that the frame is part of the native VLAN.
Multiple ACLs that use the same protocol
When multiple ACLs that use the same protocol are applied to an interface, only the last ACL applied to the interface will affect traffic on the interface. Remember the implicit deny at the end.
Power inline police default settings & action log settings
When power policing is enabled with the default settings for a PoE-capable interface, the interface will enter an error-disabled state, effectively shutting down the port, when an attached PD attempts to draw more than the cutoff power from the configured interface. A log message describing the event will also be sent to the console. You can issue the power inline police action log command to change the default power policing behavior. When the log action is configured, a PoE-enabled interface will restart and send a log message to the console when an attached PD attempts to draw more than the cutoff power from the configured interface.
IP helper address
When you configure the ip helper-address command, you should use the IP address of the DHCP server or a server farm.
Types of Wireless LAN Solutions
Wireless Domain Services (WDS) - WDS is a Cisco IOS feature that can be installed on APs and used to enable those APs to interact with a CiscoWorks WLSE.
WiSM - a WLC module that can be installed in a Catalyst 6500 series switch or a Cisco 7600 series router.
WLC - provides wireless network management services in a Cisco Unified Wireless Network.
WLSE - simplifies the management and deployment of wireless access points (WAPs) in a Cisco Autonomous wireless local area network (WLAN) solution.
Standard, Extended, & Named ACL Syntax
Standard: access-list # [permit | deny] [host | source source-wildcard | any]
Extended (IP): access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log | log-input]
Extended (TCP/UDP): access-list access-list-number {deny | permit} {tcp | udp} source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [log]
Named: ip access-list {extended | standard} name
How to disable DTP on a port
switchport nonegotiate
What is the CoS priority of voice data traffic and voice signaling traffic?
voice data traffic - 5
voice signaling traffic - 3