3G wireless, 320
5G wireless, 320
802.11 headers, 238
AAA (Authentication, Authorization, Accounting), 82-83
aaS (as a Service), 339
access
public cloud services, 342-346
security
physical access control, 84
user awareness/training, 83
access-class command, 62, 95, 105
access links
MetroE, 306
MPLS, 314
access-list command, 33-35, 42, 46-50, 54, 62, 397
any keyword, 34
deny keyword, 34
examples and logic explanations, 50
extended numbered ACL configuration commands, 51
log keyword, 38
reverse engineering from ACL to address range, 40-41
tcp keyword, 48
udp keyword, 48
ACE (Access Control Entries), 397-398
ACI (Application Centric Infrastructure), 369, 373
IBN, 371
leaf switches, 370
spine switches, 370
ACK flags, 12
ACLs (Access Control Lists), 397-398
ARP ACL, 159
classification, 235
comparison of ACL types, 28
controlling Telnet and SSH access with, 95
deny all statements, 31
implementation considerations, 59-60
matching packets, 27
overview, 26
QoS tools, compared, 233
SDA, 399
SNMP security, 267
troubleshooting, 222
active mode (FTP), 276
addresses. See also ACLs
any/all IP addresses, matching, 34
inside global, 209
inside local, 209
IP addresses
destination IP addresses, 95
DNS IP addresses, 128
origin IP addresses, 157-159, 163-164
RELEASE messages, filtering based on IP addresses, 151
IPv4, 204
dynamic IP address configuration with DHCP, 131
private addressing, 206
QoS marking, 237
IPv6, QoS marking, 237
private addressing, 206
spoofing attacks, 72
amplification attacks, 75
DDoS attacks, 75
Man-in-the-Middle attacks, 76-77
reflection attacks, 75
AF (Assured Forwarding), 240
AF DiffServ RFC (2597), 240
AF DSCP value marking, 240
allocation, DHCP, 129
Amazon Web Services (AWS), 340
amplification attacks, 75
answering exam questions, 456-457
anti-replay (Internet VPNs), 321
any/all IP addresses, matching, 34
any keyword, 34
AnyConnect Secure Mobility Client, 325
APIs (Application Programming Interfaces), 364
DNA Center, 415
JSON
beautified JSON, 426
minified JSON, 426
REST, 366
REST APIs, 408
cacheable resources, 410
client/server architecture, 409, 419-420
key:value pairs, 412
stateless operation, 410
RESTful, 366
XML, data serialization, 421-423
YAML, data serialization, 422-423
APIC (Application Policy Infrastructure Controller), 372
APIC-EM (Application Policy Infrastructure Controller-Enterprise Module), 373-374
app (application) servers, 371
Application Centric Infrastructure. See ACI
Application Programming Interfaces. See APIs
application signatures, 236
Application-Specific Integrated Circuit (ASIC), 362
architectures, SDN, 367-369, 373-375
arp -a command, 142
ARP ACL (Address Resolution Protocol Access Control Lists), 159
ARP messages
DAI, 156
filtering MAC addresses, 159
logic of, 158
gratuitous ARP as an attack vector, 157-158
origin hardware addresses, 159-160
as a Service (-aaS), 339
ASA (Adaptive Security Appliance) firewall, 96
ASIC (Application-Specific Integrated Circuit), 362
Assured Forwarding (AF), 240
attacks (security)
amplification attacks, 75
ARP messages (gratuitous), 157-158
brute-force attacks, 80
buffer overflow attacks, 78
DDoS attacks, 75
DHCP-based attacks, 147
dictionary attacks, 80
Man-in-the-Middle attacks, 76-77
password guessing, 80
pharming attacks, 79
phishing attacks, 79
reflection attacks, 75
smishing attacks, 79
social engineering attacks, 79
spear phishing attacks, 79
Trojan horses, 78
viruses, 78
vishing attacks, 79
watering hole attacks, 79
whaling attacks, 79
worms, 78
AUTH command, 279
authentication
Internet VPNs, 321
SNMPv3, 268
automatic allocation, 129
automation
configuration automation files, 437
AVC (Application Visibility and Control)
NGFW, 101
NGIPS, 103
AWS (Amazon Web Services), 340
bandwidth, managing, 228
batch traffic, 230
beautified JSON, 426
binary wildcard masks, 33
binding tables (DHCP snooping), 150
biometric credentials (security), 81
blocks (CIDR), 206
boot system command, 281
branch offices public cloud example
email services traffic flow, 347-349
Internet connections, 349
private WAN connections, 349
broadcast flags, 125
browsing web
URLs, 17
brute-force attacks, 80
budgeting time (exams), 450-451
buffer overflow attacks, 78
CAC (Call Admission Control) tools, 245
cacheable resources (REST API), 410
campus LANs
overview, 290
three-tier campus design, 293-295
topology design terminology, 295
two-tier campus design, 290-293
CBWFQ (Class-Based Weighted Fair Queuing), 243
CDP (Cisco Discovery Protocol)
discovering information about neighbors, 190-193
cdp enable command, 200
cdp run command, 200
CE (Customer Edge), 313
centralized configuration files, 432
centralized control planes, 363
certificates (digital), security, 81
chapter reviews (exam preparation), 464
checklists (practice exams), 455, 459
CIDR (Classless Interdomain Routing), 205-206
CIR (Committed Information Rate), 247
Cisco Discovery Protocol. See CDP
Cisco Learning Network, exam preparation, 464
Cisco Prime management products website, 264
Class-Based Weighted Fair Queuing (CBWFQ), 243
Class of Service (CoS) field (802.1Q header), 237
Class Selector (CS), 241
clear ip nat translation command, 211, 219, 225
clear logging command, 179
clear-text passwords, SNMP, 267
CLI (Command-Line Interface), practicing with (exam preparation), 460-461
clients
VPNs, 325
clock summer-time command, 183, 200
clock timezone command, 183, 200
cloud services catalogs, 338
CSRs, 344
SaaS, 341
cloud services catalogs, 338
Cloud Services Routers (CSRs), 344
codecs, 231
collapsed core design, 290-293
commands
access-list, 31-35, 38-51, 54, 62, 397
arp -a, 142
AUTH, 279
boot system, 281
cdp enable, 200
cdp run, 200
clear ip nat translation, 211, 219, 225
clear logging, 179
configure, 430
copy ftp flash, 274
copy running-config startup-config, 112, 428
copy tftp flash, 271
crypto key generate rsa, 105
debug ip rip, 180
dig, 78
interface loopback, 200
ip access-group, 36, 43, 51, 60-62
ip access-list extended, 56
ip address dhcp, 132
ip arp inspection validate, 164
ip dhcp snooping information option, 153
ip ftp password, 281
ip ftp username, 281
ip helper-address, 125-127, 141
ip nat, 225
ip nat inside, 213, 215, 220-222
ip nat inside source, 217, 225
ip nat inside source list, 220-222
ip nat inside source list pool, 216
ip nat inside source static, 213-215, 222
ip nat outside, 213-215, 220-222
ip nat pool netmask, 215
ip route configuration, 133
line console, 105
line vty, 105
lldp holdtime, 198
lldp receive, 201
lldp timer, 198
lldp transmit, 201
logging, 200
logging buffered, 175, 179, 200
logging buffered warning, 181
logging host, 175
logging monitor debug, 181
logging trap, 200
login, 105
login local, 105
more, 270
no cdp enable, 193
no enable secret, 105
no ip access-group, 60
no ip dhcp snooping information option, 152-153
no logging console, 177
no logging monitor, 177
no service password-encryption, 90
nslookup, 78
ntp source, 200
PASV, 278
port-security, 111
service password-encryption, 89-90, 105
service sequence-numbers, 200
show access-lists, 35, 43, 56, 62
show arp, 142
show cdp, 193-194, 197-198, 201
show cdp neighbors detail, 190-193
show clock, 201
show dhcp lease, 131
show interfaces loopback, 201
show interfaces status, 115-116
show interfaces switchport, 377
show interfaces vlan, 131
show ip access-list, 43, 57, 59
show ip access-lists, 35, 59, 62
show ip arp, 142
show ip arp inspection, 161-163
show ip default-gateway, 132
show ip dhcp conflict, 142
show ip dhcp snooping, 153-155
show ip dhcp snooping binding, 162
show ip interface, 36, 43, 130
show ip nat statistics, 215-222, 225
show ip nat translations, 214-225
show lldp, 201
show lldp entry, 196
show lldp interface, 198
show lldp neighbors, 195
show mac address-table dynamic, 113-114, 121, 167
show mac address-table secure, 113-114, 121
show mac address-table static, 113, 121
show ntp associations, 184-186, 201
show port-security, 115-116, 121
show port-security interface, 112-121
show process cpu, 181
show running-config, 35, 56-59, 89, 105, 121, 167, 270
show running-config | interface, 121, 167
show startup-config, 270
ssh, 95
switchport mode, 120, 167, 377
switchport mode access, 110-111
switchport mode trunk, 110
switchport port-security, 110-111
switchport port-security mac-address, 110-111, 120
switchport port-security mac-address sticky, 110-111, 120, 167
switchport port-security maximum, 110, 120
switchport port-security violation, 110, 114, 120
telnet, 95
terminal monitor, 175, 181, 201
terminal no monitor, 201
transport input, 105
transport input ssh command, 89
username, 105
username password, 94
username secret, 94
whois, 78
Committed Information Rate (CIR), 247
communities (SNMP), 267
Community-based SNMP Version 2 (SNMPv2c), 267
community strings (SNMP), 267
confidentiality, Internet VPNs, 321
configuration
automation files, 437
centralized configuration files, 432
DHCP, 131
relays, 130
IPv4, 131
monitoring, 433
NTP
redundant configuration, 186-188
per-device configuration model, 431
routers as DHCP clients, 132-133
switches
VMs, 334
configure command, 430
congestion
management
multiple queues, 242
prioritization, 242
round robin scheduling, 243
strategy, 245
connectionless protocols, 13
connections
connection-oriented protocols, 13
establishment and termination (TCP), 12-13
public cloud branch offices, 349
contextual awareness, NGIPS, 103
control connection (FTP), 277
control plane (networking devices), 360-363
controllers
centralized control, 363
defined, 362
OpenDaylight SDN controller, 368
OSC, 369
SBIs, 364
copy command, 270-271, 274-275, 282
copy ftp flash command, 274
copy running-config startup-config command, 112, 428
copy tftp flash command, 271
CoS (Class of Service) field (802.1Q header), 237-238
CRUD actions (software), 413-414
crypto key generate rsa command, 105
CS (Class Selector), 241
CS DSCP values, marking, 241
CSRs (Cloud Services Routers), 344
customer edge (CE), 313
DAI (Dynamic ARP Inspection), 156
logic of, 158
MAC addresses, filtering, 159
data application traffic, 229-230
data centers (virtual)
networking, 333
vendors, 333
data connection (FTP), 277
data integrity, Internet VPNs, 321
data plane (networking devices), 359-361
data serialization
beautified JSON, 426
minified JSON, 426
databases
signature databases and IPS, 99
DB (Database) servers, 371
DDoS (Distributed Denial-of-Service) attacks, 75
debug ip nat command, 219, 225
debug ip rip command, 180
default routers, verification, 136-140
delay, managing, 229
deleting single points of failure, 258-259
demilitarized zones (DMZ), 98
denial of service (DoS) attacks, 97
deny all statements, 31
destination IP
addresses, 95
devices
hardening
controlling Telnet and SSH access with ACLs, 95
management protocols
per-device configuration model, 431
security
DHCP (Dynamic Host Configuration Protocol), 122
advantages of, 124
automatic allocation, 129
broadcast flags, 125
dynamic allocation, 129
information stored at DHCP server, 128
relays
configuring, 130
troubleshooting, 130
rules of, 149
servers, 128
snooping, 146
binding tables, 150
DHCP-based attacks, 147
DHCP message rate limits, 154-156
DISCOVER messages, 150
RELEASE messages, 151
static allocation, 129
switches, configuring as DHCP clients, 130-132
troubleshooting, 130
dictionary attacks, 80
dictionary variables, REST APIs, 411-412
Differentiated Services Code Point (DSCP), 234
DiffServ DSCP marking values
AF, 240
CS, 241
EF, 240
dig command, 78
digital certificates (security), 81
digital subscriber lines (DSLs), 318
DISCOVER messages, filtering based on MAC addresses, 150
disk file systems, 270
distributed control planes, 363
distribution switches, 291, 295
DMZ (Demilitarized Zones), 98
DNA Center
APIs, 415
Path Trace feature, 403
scalable groups, 396
SDA
SGT, 399
SGT, 399
traditional management
similarities to, 401
VXLAN tunnels, 399
DNS (Domain Name System), 11
DNS IP addresses, 128
DNS IP servers, 128
recursive DNS lookups, 19
DoS (Denial-of-Service) attacks, 73-74, 97
DSCP (Differentiated Services Code Point), 234
DSCP fields (QoS marking), 238
DSLs (Digital Subscriber Lines), 318
DSLAMs (DSL access multiplexers), 318
dynamic allocation, 129
dynamic (ephemeral, private) ports, 9
Dynamic Host Configuration Protocol. See DHCP
dynamic IP address configuration, 131
dynamic NAT (Network Address Translation)
troubleshooting, 222
earplugs (exam preparation), 451
Eclipse IDE, 341
EF (Expedited Forwarding), 238
EF DSCP value marking, 240
EF RFC (RFC 3246), 240
EID (Endpoint Identifiers), 392
E-LAN (Ethernet LAN) service, 308, 311
elasticity, cloud computing, 337
E-Line (Ethernet Line) service, 307-310
email, public cloud branch office traffic flow, 347-349
enable password command, 90, 105
encoding IOS passwords with hashes, 90-94
encryption
keys, 323
SNMPv3, 268
End-to-End QoS Network Design, Second Edition (Cisco Press), 232
endpoints, EPGs, 371
Enterprise QoS Solution Reference Network Design Guide, 232
enterprises, classification matching, 234
EPGs (Endpoint Groups), 371
ephemeral (dynamic, private) ports, 9
err-disabled state, 115
err-disabling recovery, troubleshooting, 117
error detection, 6
Ethernet
802.11 headers, 238
access links, 306
IEEE standards, 306
Ethernet LAN (E-LAN) service, 308
Ethernet LANs
Ethernet Line (E-Line) service, 307-310
Ethernet Tree (E-Tree) service, 309
Ethernet Virtual Connection (EVC), 307
Ethernet WANs, public cloud connections, 345
E-Tree (Ethernet Tree) service, 309
EVC (Ethernet Virtual Connection), 307
exact IP addresses, matching, 31
exams
chapter reviews, 464
failing, 463
NDAs, 454
post exam process, 453
practice exams, 454
PTP questions, 455
preparing for
24 hours before the exam, 452
30 minutes before the exam, 452-453
earplugs, 451
one week away preparation, 451-452
taking notes, 452
travel time, 452
questions
multichoice questions, 449-450, 457
Premium Edition questions, 457
PTP questions, 455
simlet questions, 450
simulation questions, 449
testlet questions, 450
reviewing for exams
chapter reviews, 464
Cisco Learning Network, 464
practice exams, 454-455, 458-459
Premium Edition questions, 457
second attempts at passing, 463
VUE testing center, 455
time
time-check method, 451
video tutorials, 449
excluded (reserved) addresses, DHCP servers, 128
Expedited Forwarding (EF), 238
exploits (security), 72
extended numbered IPv4 ACLs
matching protocol, source IP, and destination IP, 46-48
matching TCP and UDP port numbers, 48-50
overview, 46
fabric border node (SDA underlays), 387
fabric control node (SDA underlays), 387
fabric edge node (SDA underlays), 387
fabric SDA, 384
failing exams, 463
FHRPs (First Hop Redundancy Protocols), 254, 257
features, 260
options, 260
fiber Internet, 321
FIFO (First-In, First-Out), 242
File Transfer Protocol. See FTP
files
automation configuration variables, 437
centralized configuration files, 432
managing
filtering
DISCOVER messages based on MAC addresses, 150
MAC addresses, DAI, 159
RELEASE messages based on IP addresses, 151
reputation-based filtering, NGIPS, 103
FIN bits, 12
finding
firewalls
security zones, 97
stateful firewalls, 96
flash memory, 269
flow
networking, 231
forward acknowledgment, 14
forwarding plane. See data plane
frames, defined, 233
FTP (File Transfer Protocol), 275
active mode, 276
control connection, 277
copying IOS images with, 273-274
data connection, 277
passive mode, 276
FTPS (File Transfer Protocol Secure), 279
full drops, 251
Get messages
agent information, 264
RO/RW communities, 267
GET requests, 20
GitHub, 433
Google App Engine PaaS, 341
hardware
origin hardware addresses, 159-160
hashes
coding passwords with, 90
MD5 hash algorithm, 93
headers
802.11, 238
MPLS Label, 238
hiding passwords for local usernames, 94
history, SNMP, 263
home office wireless LANs, 296-297
hosts
server virtualization, 332
HSRP (Hot Standby Router Protocol)
active/passive model, 261
HTTP (Hypertext Transfer Protocol)
software CRUD actions, 413-414
hub and spoke topology (MetroE), 309
human vulnerabilities (security), 79-80
hypervisors, 332
IaaS (Infrastructure as a Service), 339-340
IANA (Internet Assigned Numbers Authority), 205
IBN (Intent-Based Networking), 371, 398
IEEE, Ethernet standards, 306
ifconfig command, 134, 137-142
Infrastructure as a Service (IaaS), 339-340
inside global addresses, 208-210
inside local addresses, 208-210
instantiating VMs, 340
interactive data application traffic, 230
interactive voice traffic, 232
intercloud exchanges, 346
interface loopback command, 200
interfaces
application programming. See APIs
LAN, 228
SBIs, 364
WANs, 228
internal processing (switches), 361-362
Internet
DSL, 318
fiber Internet, 321
ISPs, 317
public cloud
computing branch office connections, 349
as WAN service, 317
Internet Assigned Numbers Authority (IANA), 205
IOS (Internetwork Operating System)
ip access-group command, 36, 43, 51, 60-62
ip access-list command, 55, 62
ip access-list extended command, 56
IP ACLs (Access Control Lists). See ACLs
ip address dhcp command, 132
IP addresses
destination IP addresses, 95
DNS IP addresses, 128
IPv4. See also ACLs
dynamic IP address configuration with DHCP, 131
private addressing, 206
QoS marking, 237
IPv6, QoS marking, 237
origin IP addresses, 157-159, 163-164
RELEASE messages, filtering based on IP addresses, 151
IP ARP (Internet Protocol Address Resolution Protocol), 156-157
ip arp inspection validate command, 164
ip dhcp snooping information option command, 153
ip ftp password command, 281
ip ftp username command, 281
IP headers, QoS marking, 237-238
ip helper-address command, 125-127, 141
ip nat command, 225
ip nat inside command, 213-215, 220-222
ip nat inside source command, 217, 225
ip nat inside source list command, 220-222
ip nat inside source list pool command, 216
ip nat inside source static command, 213-215, 222
ip nat outside command, 213-215, 220-222
ip nat pool netmask command, 215
IPP (IP Precedence) fields (QoS marking), 238, 241
ip route configuration command, 133
IPS (Intrusion Prevention Systems), 99
signature databases, 99
IPsec
IPv4 (Internet Protocol Version 4) addresses. See also ACLs
dynamic IP address configuration with DHCP, 131
private addressing, 206
QoS marking, 237
IPv6 (Internet Protocol Version 6), QoS marking, 237
ISPs (Internet Service Providers), 317
Jenkins continuous integration and automation tool, 341
jitter, 229
JSON (JavaScript Object Notation)
beautified JSON, 426
minified JSON, 426
key:value pairs
REST APIs, 412
keys (encryption), 323
keywords
any, 34
log, 38
tcp, 48
udp, 48
knowledge gaps (exam preparation), 458-459
KVM (Keyboard, Video display, or Mouse), 330
L4PDU (Layer 4 Protocol Data Units), 7
LANs (Local-Area Networks)
interfaces, 228
SDA, 387
switching, port security, 108-118
layer 2 switches
Layer 3 MetroE design
E-LAN service, 311
leaf switches, ACI, 370
line console command, 105
line vty command, 105
Link Layer Discovery Protocol (LLDP), 194-198
Linux, host IPv4 settings, 138-140
LISP (Locator/ID Separation Protocol), overlays (SDA), 392-393
list variables, REST APIs, 411-412
LLDP (Link Layer Discovery Protocol), 194-198
lldp holdtime command, 198
lldp receive command, 201
lldp timer command, 198
lldp transmit command, 201
LLQ (Low Latency Queuing), 243-245
local usernames, hiding passwords for, 94
log keyword, 38
logging buffered command, 175-179, 200
logging buffered warning command, 181
logging command, 200
logging console command, 174, 200
logging host command, 175
logging monitor command, 175, 200
logging monitor debug command, 181
logging trap command, 200
login command, 105
login local command, 105
Long-Term Evolution (LTE), 320
loopback interfaces, NTP, 188-189
loss, managing, 229
Low Latency Queuing (LLQ), 243-245
LTE (Long-Term Evolution), 320
MAC addresses
filtering
DAI, 159
DISCOVER messages, 150
port security, 113
sticky secure MAC addresses, 109
macOS, host IPv4 settings, 136-138
malware, 79
NGFW and, 101
Trojan horses, 78
viruses, 78
worms, 78
Man-in-the-Middle attacks, 76-77
Management Information Base. See MIB
management plane (networking devices), 361
managers, SNMP, 264
managing
bandwidth, 228
delay, 229
jitter, 229
loss, 229
marking, 236
with classification, 234
defined, 234
DSCP marking values, 241
Ethernet 802.1Q headers, 237-238
Ethernet 802.11 headers, 238
MPLS Label headers, 238
matching packets, 27
matching parameters
MD5 hash algorithm, 93
MD5 verification, 273
measuring cloud computing services, 337
MEF (Metro Ethernet Forum), 306
memory
flash memory, 269
TCAM, 362
messages
integrity, SNMPv3, 268
rate limits
SNMP, 265
MetroE, 304
access links, 306
IEEE Ethernet standards, 306
MEF, 306
MIB (Management Information Base), 264, 267
OIDs, 266
variables
monitoring, 265
numbering/names, 266
minified JSON, 426
monitoring
configuration, 433
MIB variables, 265
more command, 270
MPBGP (Multiprotocol BGP), 316
MPLS (Multi-Protocol Label Switching), 311-312
access links, 314
Label headers, QoS marking, 238
public cloud connections, 345
multichoice questions (exams), 449-450, 457
multifactor credentials (security), 81
multiple queues (queuing systems), 242
multithreading, 332
named ACLs
names, MIB variables, 266
NAT (Network Address Translation), 202
source NAT, 208
static NAT, 208-210, 214-215, 222
NAT Overload. See PAT
National Institute of Standards and Technology (NIST), 336
NBAR (Network Based Application Recognition), 235-236
NBIs (Northbound Interfaces), 365-366
NDAs (Nondisclosure Agreements), 454
Network Management Station (NMS), 264
networks
automation and network management, 376-378
broad access, 337
devices
data plane, 359
management plane, 361
switch internal processing, 361-362
file systems, 270
flow, 231
management
programmability
comparisons, 375
SNMP, 254
traditional versus controller-based networks, 375-379
traffic
bandwidth, 228
characteristics, 228
delay, 229
jitter, 229
loss, 229
VMs, 334
Network Time Protocol. See NTP
Nexus 1000v vSwitch, 334
NGFW (Next-Generation Firewalls), 100-101
NGIPS (Next-Generation Intrusion Prevention Systems), 100-103
NICs (Network Interface Cards)
ports, 334
vNICs, 333
NIST (National Institute of Standards and Technology), 336
NMS (Network Management Station), SNMP, 264-266
no cdp enable command, 193
no enable password command, 105
no enable secret command, 105
no ip access-group command, 60
no ip dhcp snooping information option command, 152-153
no logging console command, 177
no logging monitor command, 177
no service password-encryption command, 90
no shutdown command, 115, 121, 179
noninteractive data application traffic, 230
Northbound Interfaces (NBIs), 365-366
note taking (exam preparation), 452
nslookup command, 78
NTP (Network Time Protocol)
client/server configuration, 183-184
primary servers, 187
redundant configuration, 186-188
secondary servers, 187
setting time and timezone, 182-183
ntp master command, 183-185, 188, 200
ntp server command, 183, 188, 200
ntp source command, 200
numbers
MIB variables, 266
NVRAM (Non-Volatile Random Access Memory) file systems, 270
objects, 20
ODL (OpenDaylight), 368
OIDs (object IDs), 266
on-demand self-service (cloud computing), 337
on-premise. See private cloud computing
one-way delay, 229
ONF (Open Networking Foundation), 367
opaque file systems, 270
Open SDN, 367
OpFlex, 364
origin hardware addresses, 159-160
origin IP addresses, 157-159, 163-164
OSC (Open SDN Controllers), 369
outside global addresses, 209-210
outside local addresses, 209-210
overlays (SDA), 384
PaaS (Platform as a Service), 341-342
packets
congestion
defined, 233
matching, 27
router queuing, 233
PAR (Positive Acknowledgment and Retransmission), 16
partial mesh topology, 291, 295, 308
passive mode (FTP), 276
passwords
alternatives to, 81
brute-force attacks, 80
clear-text, 267
dictionary attacks, 80
guessing, 80
vulnerabilities (security), 80
PASV command, 278
PAT (Port Address Translation)
troubleshooting, 222
Path Trace feature (DNA Center), 403
PCP (Priority Code Point) field (802.1Q header), 237
PE (Provider Edge), 313
per-device configuration model, 431
pharming attacks, 79
PHB (Per-Hop Behaviors), 226
phishing attacks, 79
physical access control (security), 84
physical data center networks, 334-335
physical design, MetroE, 305-306
physical NICs, ports, 334
physical server model, 331
physical standards, Ethernet LANs, 296-297
PI (Prime Infrastructure), 400-401
planes, networking devices, 359-361
Platform as a Service (PaaS), 341-342
PoE (Power over Ethernet), 297-299
Point-to-Point topology (MetroE), 307-308
policing (QoS), 245
discarding excess traffic, 247
edge between networks, 246-247
features, 248
rates, 246
traffic rate versus configured policing rate, 246
pooling resources, cloud computing, 337
PoP (Point of Presence), MetroE, 305
POP (Post Office Protocol)
POP3, 11
Port Address Translation (PAT)
port-security command, 111
ports
NICs, 334
numbers
destination port numbers, 8
dynamic ports, 9
ephemeral ports, 9
private ports, 9
registered ports, 9
user ports, 9
err-disabled state, 115
MAC addresses, 113
trusted ports, 147
untrusted ports, 147
VMs, 334
Post Office Protocol. See POP
practice exams, 454
PTP questions, 455
preparing for exams
24 hours before the exam, 452
30 minutes before the exam, 452-453
earplugs, 451
one week away preparations, 451-452
post exam process, 453
taking notes, 452
travel time, 452
prioritization, congestion management, 242
Priority Code Point (PCP) field (802.1Q header), 237
priority queues, 244
private addressing, 206
private cloud computing, 337-338
private (dynamic, ephemeral) ports, 9
private Internets, 206
private WANs
public cloud, accessing, 344-346
public cloud branch office connections, 349
programmability (network)
comparisons, 375
protect mode (port security), 117-119
protocols
CDP
discovering information about neighbors, 190-193
DHCP, 122
advantages of, 124
automatic allocation, 129
broadcast flags, 125
dynamic allocation, 129
information stored at DHCP server, 128
rules of, 149
servers, 128
snooping, 146-156. See also snooping attacks
static allocation, 129
switches, configuring as DHCP clients, 130-132
troubleshooting, 130
FHRPs, 254, 257
features, 260
options, 260
FTP, 275
active mode, 276
control connection, 277
copying IOS images with, 273-274
data connection, 277
passive mode, 276
FTPS, 279
HSRP
active/passive model, 261
HTTP
software CRUD actions, 413-414
management plane, 361
MPBGP, 316
SFTP, 279
SNMP, 11, 254
agents, 264
clear-text passwords, 267
communities, 267
community strings, 267
history, 263
managers, 264
MIB variables, monitoring, 265
RO communities, 267
RW communities, 267
security, ACLs, 267
SNMPv1, security, 267
SNMPv2, security, 267
SNMPv2c, 267
SNMPv3, 268
TCP
compared to UDP, 6
connection establishment and termination, 12-13
error recovery and reliability, 13-14
overview, 7
segments, 7
sockets, 8
TCP/IP
IPv4, 131
networks, RFC 1065, 263
UDP
overview, 16
provider edge (PE), 313
provisioning (configuration), 434-435
PSE (Power Sourcing Equipment), 298-299
PTP questions (exam preparation), 455
PTP software (practice exams), 458-459
public cloud computing, 337-339
accessing with Internet, 342-344
accessing with private WANs, 344-346
accessing with VPNs, 344
branch offices example, 347-349
intercloud exchanges, 346
QoE (Quality of Experience), 230
QoS (Quality of Service), 232
bandwidth, 228
congestion management, 242-245
defined, 226
delay, 229
jitter, 229
loss, 229
needs based on traffic types, 229-232
PHB, 226
switches/routers, 233
tools, 233
questions (exams)
multichoice questions, 449-450, 457
Premium Edition questions, 457
PTP questions, 455
simlet questions, 450
simulation questions, 449
testlet questions, 450
queuing
congestion management, 242-245
priority queues, 244
queue starvation, 244
queuing routers, 233
RADIUS, 82
rapid elasticity (cloud computing), 337
read-only (RO) communities (SNMP), 267
read-write (RW) communities (SNMP), 267
recovery (err-disabling), 117
recursive DNS lookups, 19
redistributing routes, MPLS VPNs, 316
redundancy
single points of failure, 257-259
reflection attacks, 75
registered (user) ports, 9
RELEASE messages, filtering based on IP addresses, 151
Representational State Transfer (REST), 366
reputation-based filtering, NGIPS, 103
requests (HTTP GET), 20
requirements, cloud computing services, 336
reserved (excluded) addresses, DHCP servers, 128
resource pooling, cloud computing, 337
REST (Representational State Transfer), 366
REST APIs, 408
cacheable resources, 410
client/server architecture, 409, 419-420
HTTP
software CRUD actions, 413-414
key:value pairs, 412
stateless operation, 410
variables
RESTful APIs, 366
restrict mode (port security), 117-119
reverse engineering from ACL to address range, 40-41
reviewing for exams
chapter reviews, 464
Cisco Learning Network, 464
practice exams, 454
PTP questions, 455
Premium Edition questions, 457
second attempts at passing, 463
VUE testing center, 455
RFC 1065, 263
RFC 4301 Security Architecture for the Internet Protocol, 323
RO (read-only) communities (SNMP), 267
round robin scheduling (queuing), 243
round-trip delay, 229
routed access layer design, SDA, 388
routers
CSRs, 344
configuring as DHCP clients, 132-133
data plane processing, 359
QoS, 233
wireless routers, 296
routes
routing. See also ACLs
IPv4 routing, 223
redistribution, 316
RW (read-write) communities (SNMP), 267
SaaS (Software as a Service), 341
SBIs (Southbound Interfaces), 364
scalability, IPv4 addresses, 204-205
SDA (Software-Defined Access), 382
Path Trace feature, 403
scalable groups, 396
SDA user group security, 398-399
SGT, 399
traditional management and, 401-403
fabric, 384
LANs, 387
overlays, 384
routed access layer design, 388
fabric border node, 387
fabric control node, 387
fabric edge node, 387
new gear, 388
VXLAN, 385
SDN (Software Defined Networking), 356-358, 363
architecture, 367
automation and network management, 376-378
comparisons, 375
management plane, 361
ODL, 368
Open SDN, 367
OpenFlow, 367
OSC, 369
switches, 361
Secure Shell. See SSH
Secure Sockets Layer. See SSL
security, 70
amplification attacks, 75
ARP messages (gratuitous), 157-158
biometric credentials, 81
brute-force attacks, 80
buffer overflow attacks, 78
DAI, 156
filtering MAC addresses, 159
logic of, 158
DDoS attacks, 75
DHCP-based attacks, 147
DHCP snooping, 146
binding tables, 150
DHCP-based attacks, 147
DHCP message rate limits, 154-156
filtering DISCOVER messages based on MAC addresses, 150
filtering RELEASE messages based on IP addresses, 151
rules of, 149
dictionary attacks, 80
digital certificates, 81
encryption, 268
exploits, 72
Internet VPNs, 321
IPsec
Man-in-the-Middle attacks, 76-77
multifactor credentials, 81
pharming attacks, 79
phishing attacks, 79
physical access control, 84
ports
err-disabled state, 115
reflection attacks, 75
smishing attacks, 79
snooping attack. See DHCP, snooping
social engineering attacks, 79
spear phishing attacks, 79
threats, 72
Trojan horses, 78
user awareness/training, 83-84
viruses, 78
vishing attacks, 79
vulnerabilities, 72
password vulnerabilities, 80
watering hole attacks, 79
whaling attacks, 79
worms, 78
security zones (firewalls), 97-98
segments (TCP), 7
self-assessments (exam preparation), 462-463
sending messages to users, 174-175
sequence numbers, editing ACLs, 56-58
serialization (data)
beautified JSON, 426
minified JSON, 426
servers
app servers, 371
DB servers, 371
defined, 330
physical server model, 331
UCS servers, 370
service password-encryption command, 89-90, 105
Service Providers (SPs), 302
service sequence-numbers command, 200
services
GitHub, 433
Internet as WAN, 317
session keys, 323
Set messages
RO/RW communities, 267
writing variables on agents, 264
severity levels (log messages), 177
SFTP (SSH File Transfer Protocol), 279
SGT (Scalable Group Tags), 399
shaping (QoS), 245
features, 250
slowing messages, 248
time intervals, 249
shaping rate, 248
shared keys, 323
shared session keys, 323
show access-lists command, 35, 43, 56, 62
show arp command, 142
show cdp command, 193-194, 197-198, 201
show cdp entry command, 190, 193
show cdp interface command, 193-194
show cdp neighbors command, 190-191, 194-195
show cdp neighbors detail command, 190-193
show cdp traffic command, 193-194
show clock command, 201
show dhcp lease command, 131
show flash command, 270-272, 282
show interfaces command, 115, 121
show interfaces loopback command, 201
show interfaces status command, 115-116
show interfaces switchport command, 377
show interfaces vlan command, 131
show ip access-lists command, 35, 43, 57-59, 62
show ip arp command, 142
show ip arp inspection command, 161-163
show ip default-gateway command, 132
show ip dhcp conflict command, 142
show ip dhcp snooping binding command, 162
show ip dhcp snooping command, 153-155
show ip interface command, 36, 43, 130
show ip nat statistics command, 215-222, 225
show ip nat translations command, 214-225
show lldp command, 201
show lldp entry command, 196
show lldp interface command, 198
show lldp neighbors command, 195
show logging command, 175, 178, 201
show mac address-table dynamic command, 113-114, 121, 167
show mac address-table secure command, 113-114, 121
show mac address-table static command, 113, 121
show ntp associations command, 184-186, 201
show ntp status command, 184, 201
show port-security command, 115-116, 121
show port-security interface command, 112-121
show process cpu command, 181
show running-config | interface command, 121, 167
show running-config command, 35, 56-59, 89, 105, 121, 167, 270
show startup-config command, 270
shutdown command, 115, 121, 179, 182
shutdown mode (port security), 115-117
signature databases and IPS, 99
signatures, applications, 236
simlet questions (exams), 450
simple variables, REST APIs, 410-411
simulation questions (exams), 449
single points of failure, 257-259
smishing attacks, 79
SMTP (Simple Mail Transfer Protocol), 11
SNMP (Simple Network Management Protocol), 11, 254
agents, 264
clear-text passwords, 267
communities, 267
community strings, 267
history, 263
managers, 264
RO communities, 267
RW communities, 267
SNMPv1, security, 267
SNMPv2, security, 267
SNMPv2c (Community-based SNMP Version 2), 267
SNMPv3, 268
snooping attacks (DHCP)
binding tables, 150
DHCP-based attacks, 147
DHCP message rate limits, 154-156
DISCOVER messages, 150
RELEASE messages, 151
social engineering attacks, 79
sockets, 8
software
PTP software (practice exams), 458-459
Software as a Service (SaaS), 341
Software Defined Networking (SDN), 356-358
controllers, 363
management plane, 361
switches, 361
SOHO (Small Office/Home Office), LANs, 296-297
source NAT (Network Address Translation), 208
Southbound Interfaces (SBIs), 364
SPs (Service Providers), 302
spear phishing attacks, 79
speeds, LAN/WAN interfaces, 228
spine switches, ACI, 370
spinning up VMs, 340
spoofing attacks, 72
amplification attacks, 75
DDoS attacks, 75
Man-in-the-Middle attacks, 76-77
reflection attacks, 75
SSH (Secure Shell)
controlling access with ACLs, 95
management plane, 361
ssh command, 95
SSL (Secure Sockets Layer), 325
standard numbered IPv4 ACLs
command syntax, 31
matching
any/all addresses, 34
exact IP address, 31
overview, 29
reverse engineering from ACL to address range, 40-41
standards, Ethernet LANs, 296-297
stateful firewalls, 96
stateful inspection, 96
static allocation, 129
static NAT (Network Address Translation)
inside global addresses, 208-210
inside local addresses, 208-210
outside global addresses, 209-210
outside local addresses, 209-210
troubleshooting, 222
sticky secure MAC addresses, 109
subnet ID, DHCP servers, 128
subnet masks, DHCP servers, 128
subnets, DHCP Relay, 126-127, 130
subset of IP address, matching, 31-32
switches
distribution switches, 291, 295
interface configuration, port security, 108-113
IPv4, 131
layer 2 switches
leaf switches, ACI, 370
management, 131
QoS, 233
SDN, 361
spine switches, ACI, 370
ToR, 335
vSwitches, 333
switchport mode access command, 110-111
switchport mode command, 120, 167, 377
switchport mode trunk command, 110
switchport port-security command, 110-111
switchport port-security mac-address command, 110-111, 120
switchport port-security mac-address sticky command, 110-111, 120, 167
switchport port-security maximum command, 110, 120
switchport port-security violation command, 110, 114, 120
SYN flags, 12
Syslog
log message severity levels, 177
sending messages to users, 174-175
TACACS+, 82
tail drops, 250
TCAM (Ternary Content-Addressable Memory), 362
tcp keyword, 48
TCP (Transmission Control Protocol)
compared to UDP, 6
connection establishment and termination, 12-13
error recovery and reliability, 13-14
overview, 7
segments, 7
sockets, 8
TCP/IP (Transmission Control Protocol/Internet Protocol)
IPv4, 131
networks, RFC 1065, 263
telcos (telephone companies), 318
Telnet
controlling access with ACLs, 95
management plane, 361
telnet command, 95
templates (configuration), 435-437
terminal monitor command, 175, 181, 201
terminal no monitor command, 201
Ternary Content-Addressable Memory (TCAM), 362
testlet questions (exams), 450
TFTP (Trivial File Transfer Protocol), 11, 129, 274, 279-280
threads, multithreading, 332
threats (security), 72
three-tier campus design, 293-295
TID fields (QoS marking), 238
time
exams
time-check method, 451
intervals (QoS shaping), 249
Top of Rack (ToR) switches, 335
topologies
DNA Center topology map, 401-403
hub and spoke, 309
ToR (Top of Rack) switches, 335
ToS (Type of Service) field (IPv4), 237
traffic
bandwidth, 228
characteristics, 228
congestion
delay, 229
jitter, 229
loss, 229
public cloud branch office email services, 347-349
voice, 315
Traffic Class field (IPv6), 237
Transmission Control Protocol. See TCP
transport input command, 105
transport input ssh command, 89
transport layer (TCP/IP)
travel time (exam preparation), 452
Trivial File Transfer Protocol (TFTP), 11, 129, 274, 279-280
Trojan horses, 78
troubleshooting
ACL, 222
DHCP, 130
dynamic NAT, 222
PAT, 222
static NAT, 222
trust boundaries (QoS marking), 238-239
trusted ports, DHCP messages, 147
tutorials (exams), 449
two-tier campus design, 290-293
Type of Service (ToS) field (IPv4), 237
UCS (Unified Computing System), 331, 370
UDP (User Datagram Protocol)
overview, 16
UNI (User Network Interface), 306
Unified Computing System. See UCS
Uniform Resource Identifiers. See URIs
Uniform Resource Locators. See URLs
untrusted ports, DHCP messages, 147
upd keyword, 48
UPoE (Universal Power over Ethernet), 299
URIs (Uniform Resource Identifiers), 17-18, 414-416
URLs (Uniform Resource Locators), 17, 102
U.S. National Institute of Standards and Technology. See NIST
User Datagram Protocol. See UDP
User Network Interface. See UNI
user (registered) ports, 9
usernames
hiding passwords for, 94
username command, 105
username password command, 94
username secret command, 94
users
variables
configuration variables, 435-437
vCPU (virtual CPU), 332
verification
verifying
IOS code integrity, 273
video exam tutorials, 449
video traffic
QoS requirements, 232
shaping time intervals, 249
violation modes (port security), 114-119
virtual CPU (vCPU), 332
virtual NICs. See vNICs
Virtual Private LAN Service. See VPLS
Virtual Private Wire Service. See VPWS
virtual switches. See vSwitches
virtualization
virtual machines. See VMs
viruses, 78
vishing attacks, 79
VMs (Virtual Machines), 332-333
ACI, 371
configuration (automated), 334
IaaS, 340
networking, 334
ports, 334
SaaS, 341
spinning up, 340
vNICs (virtual NICs), 333
voice application traffic, 231-232
Voice over IP. See VoIP
voice traffic
shaping time intervals, 249
VoIP, 315
VoIP (Voice over IP), 231-232, 315
VPLS (Virtual Private LAN Service), 307
VPNs (Virtual Private Networks)
AnyConnect Secure Mobility Client, 325
client, 325
public cloud, accessing, 344
VPWS (Virtual Private Wire Service), 307
vSwitches, 333
VUE testing center, 455
vulnerabilities (security), 72
password vulnerabilities, 80
WANs (Wide-Area Networks)
Ethernet, 345
interfaces, 228
Internet access, 317
Internet as WAN service, 317
public cloud connections, 342-346
SPs, 302
watering hole attacks, 79
web browsers, 16
identifying receiving application, 21-22
URLs, 17
web clients, 16
web pages, 16
websites
Cisco ACI, 373
Cisco Prime management products, 264
Eclipse IDE, 341
Google App Engine PaaS, 341
Jenkins continuous integration and automation tool, 341
MEF, 306
OpenDaylight SDN controller, 368
OpenFlow, 364
weighting, 243
well known (system) ports, 9-11
whaling attacks, 79
whois command, 78
wireless routers, 296
WLANs (Wireless LANs), 296-297
workflow, virtualized data center, 335-336
worms, 78
WWW (World Wide Web), 11
XML (Extensible Markup Language), data serialization, 421-423
YAML (YAML Ain’t Markup Language), data serialization, 422-423