Untitled Flashcards Set

1.1 Compare and contrast OSI and TCP/IP models

  • OSI Model (Open Systems Interconnection) consists of 7 layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application.

  • TCP/IP Model is a simplified, practical version with 4 layers: Link, Internet, Transport, and Application.

  • OSI is a reference model used to describe and troubleshoot protocol behaviour layer by layer; TCP/IP describes the protocol suite that is actually implemented, with its Application layer covering OSI layers 5 to 7 and its Link layer covering OSI layers 1 and 2.

1.2 Compare and contrast TCP and UDP protocols

  • TCP (Transmission Control Protocol):

    • Connection-oriented (establishes a connection before data transfer).

    • Reliable: a three-way handshake (SYN, SYN-ACK, ACK) sets up the session, every segment is acknowledged, lost segments are retransmitted, and sequence numbers restore the original order.

    • Higher overhead and latency than UDP because of the handshake, acknowledgements, retransmission, and flow/congestion control.

  • UDP (User Datagram Protocol):

    • Connectionless (doesn't establish a connection before sending data).

    • Lower overhead and latency, but no acknowledgements, retransmission, or ordering. It does carry a checksum, so corrupted datagrams are discarded rather than repaired. Used where speed matters more than completeness (DNS, DHCP, SNMP, voice and video).

1.3 Describe the impact of infrastructure components in an enterprise network

1.3.1 Firewalls

  • Protects internal networks by filtering incoming and outgoing traffic based on predefined security rules.

1.3.2 Access Points

  • Provide wireless connectivity to devices in the network, allowing access to internal resources.

1.3.3 Wireless Controllers

  • Manage multiple access points, allowing configuration, security, and monitoring in large wireless networks.

1.4 Describe the effects of cloud resources on enterprise network architecture

1.4.1 Traffic path to internal and external cloud services

  • Routes that direct traffic to cloud-based resources either from inside or outside the organization’s network.

1.4.2 Virtual services

  • Cloud-based services that replace physical devices or software in a network infrastructure.

1.4.3 Basic virtual network infrastructure

  • Utilizes virtual machines, virtual networks, and cloud-based resources in place of physical hardware.

1.5 Compare and contrast collapsed core and three-tier architectures

  • Collapsed Core:

    • A simplified network design where the core and distribution layers are combined into a single layer, often used in smaller networks.

  • Three-Tier Architecture:

    • More scalable, using Core, Distribution, and Access layers. Typically used in larger networks for improved redundancy, performance, and management.

1.6 Compare and contrast network topologies

1.6.1 Star

  • A central device (e.g., a switch or hub) connects all other devices. Common in home and office networks.

1.6.2 Mesh

  • Devices are interconnected, providing multiple paths for data, enhancing redundancy and reliability.

1.6.3 Hybrid

  • A combination of two or more topologies, offering flexibility and optimization based on the network’s needs.

1.7 Select the appropriate cabling type based on implementation requirements

  • Twisted Pair Cable (Cat5e, Cat6): Ideal for LANs and short-distance connections.

  • Fiber Optic Cable: Best for high-speed, long-distance connections.

  • Coaxial Cable: Older and less common, used for certain broadband services.

1.8 Apply troubleshooting methodologies to resolve problems

1.8.1 Perform and document fault isolation

  • Identify the specific area of failure using tools like ping tests, tracert, or cable testers.

1.8.2 Resolve or escalate

  • Fix the problem if possible, or escalate to a higher level of expertise if necessary.

1.8.3 Verify and monitor resolution

  • Confirm the issue is resolved and continuously monitor the network to prevent recurrence.

1.9 Configure, verify, and troubleshoot IPv4 addressing and subnetting

  • IPv4 Addressing: Ensures each device has a unique address on the network.

  • Subnetting: Divides a network into smaller, manageable sub-networks.

1.10 Compare and contrast IPv4 address types

1.10.1 Unicast

  • One-to-one communication.

1.10.2 Broadcast

  • One-to-all communication within the local network.

1.10.3 Multicast

  • One-to-many communication where only interested receivers get the data.

1.11 Describe the need for private IPv4 addressing

  • Private addresses (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are never routed on the Internet, so every organization can reuse the same ranges internally. Hosts using them reach the Internet through NAT (section 5.6), which also conserves public IPv4 space.
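
The subnetting and address-type rules of 1.9 through 1.11, as an added Python example (not part of the original flashcards). The 10.10.0.0/22 block and the sample addresses are constructed for the demonstration; only the standard library is used:

```python
import ipaddress

# RFC 1918 private blocks; hosts in these ranges need NAT (section 5.6) to reach the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def subnet_plan(network: str, new_prefix: int) -> list[dict]:
    """Split `network` into /new_prefix subnets and report each one's key addresses.

    The wildcard (inverse) mask is included because IOS ACLs use it instead of the netmask.
    Assumes prefixes shorter than /31, where network and broadcast addresses are not assignable.
    """
    net = ipaddress.ip_network(network, strict=True)
    plan = []
    for sub in net.subnets(new_prefix=new_prefix):
        plan.append({
            "subnet": str(sub),
            "mask": str(sub.netmask),
            "wildcard": str(sub.hostmask),
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
            "usable": sub.num_addresses - 2,
        })
    return plan


def classify(addr: str, local_net: str) -> str:
    """Label an IPv4 address the way 1.10 and 1.11 do, relative to the local subnet."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(local_net, strict=False)
    if ip == ipaddress.ip_address("255.255.255.255") or ip == net.broadcast_address:
        return "broadcast"          # limited broadcast, or the directed broadcast of the local subnet
    if ip.is_multicast:             # 224.0.0.0/4
        return "multicast"
    if any(ip in block for block in RFC1918):
        return "private unicast"    # reusable inside any organization, never routed on the Internet
    return "public unicast"


def same_subnet(a: str, b: str, prefixlen: int) -> bool:
    """True if two hosts share a subnet; a wrong mask here is a classic cause of 'can ping the gateway but not the peer'."""
    return (ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
            == ipaddress.ip_network(f"{b}/{prefixlen}", strict=False))
```

`subnet_plan("10.10.0.0/22", 24)` yields four /24 subnets; the wildcard column is what goes into the ACL examples in 6.3.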

1.12 Identify the appropriate IPv6 addressing scheme to satisfy addressing requirements in a LAN/WAN environment

  • IPv6 is designed for larger address space and better routing.

  • Each interface can have multiple addresses for different purposes (link-local, global, etc.).

1.13 Configure, verify, and troubleshoot IPv6 addressing

  • IPv6 addresses are 128-bit, written as eight 16-bit hexadecimal groups separated by colons; leading zeros in a group may be dropped and one run of all-zero groups may be replaced by :: (2001:0db8:0000:0000:0000:0000:0000:0001 becomes 2001:db8::1). The prefix length is written CIDR-style, and LAN segments are normally /64.

1.14 Configure and verify IPv6 Stateless Address Auto Configuration (SLAAC)

  • SLAAC lets a host configure its own IPv6 address without a DHCP server: it learns the /64 prefix and the default router from Router Advertisements (ICMPv6 Neighbor Discovery) and appends an interface ID generated by Modified EUI-64 or at random. Because any device on the segment can send a Router Advertisement, a rogue RA can redirect SLAAC hosts; RA Guard on access switches mitigates this.

1.15 Compare and contrast IPv6 address types

1.15.1 Global Unicast

  • Public IPv6 addresses routed across the Internet.

1.15.2 Unique Local

  • Private addresses for internal use, similar to IPv4 private addresses.

1.15.3 Link Local

  • Addresses valid only within a local network segment.

1.15.4 Multicast

  • One-to-many communication, similar to IPv4 multicast.

1.15.5 Modified EUI 64

  • A method to generate the 64-bit interface ID of an IPv6 address from the interface's 48-bit MAC: the MAC is split in half, FFFE is inserted in the middle, and the universal/local bit (bit 7 of the first byte) is flipped. Because the MAC is recoverable from the address, privacy extensions (random interface IDs) are usually preferred on client devices.

1.15.6 Autoconfiguration

  • Automatic configuration of network settings without a DHCP server.

1.15.7 Anycast

  • One-to-nearest communication, where data is sent to the closest recipient in a group.
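
The Modified EUI-64 transform of 1.15.5, its use by SLAAC (1.14), its reversal, and the address-type classification of 1.15, as an added Python example (not part of the original flashcards). The MAC and prefixes are constructed sample values:

```python
import ipaddress
from typing import Optional


def _mac_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return raw


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the MAC in half, insert FF:FE, flip the U/L bit (bit 7 of the first byte)."""
    raw = _mac_bytes(mac)
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix (as learned from a Router Advertisement) with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs are 64 bits, so the prefix must be a /64")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_eui64(address: str) -> Optional[str]:
    """Reverse the transform: an EUI-64 address leaks the hardware MAC (the reason privacy extensions exist)."""
    iid = int(ipaddress.IPv6Address(address)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)


# Address types from 1.15, most specific block first.
_TYPES = (("multicast", "ff00::/8"), ("link local", "fe80::/10"),
          ("unique local", "fc00::/7"), ("global unicast", "2000::/3"))


def classify_ipv6(address: str) -> str:
    ip = ipaddress.IPv6Address(address)
    for name, block in _TYPES:
        if ip in ipaddress.IPv6Network(block):
            return name
    return "other"   # e.g. ::1 loopback or :: unspecified
```

The same interface ID appears in both the link-local and the global address of an interface, which is how a host is tracked across prefixes when EUI-64 is used.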

2.1 Describe and verify switching concepts

2.1.1 MAC Learning and Aging

  • MAC Learning: When a switch receives a frame, it learns the MAC address of the sender and associates it with the port.

  • Aging: The switch keeps learned MAC addresses in its MAC address table for a period (300 seconds by default on Cisco switches). If no frames are received from a particular address during this time, the address is removed.

2.1.2 Frame Switching

  • The switch forwards Ethernet frames from one port to another based on the destination MAC address. It uses the MAC address table to make forwarding decisions.

2.1.3 Frame Flooding

  • If the destination MAC is not in the table (unknown unicast), or is a broadcast or multicast address, the switch floods the frame out every port in the same VLAN except the one it arrived on. Because a full table also causes flooding, an attacker can fill it with bogus source addresses (CAM overflow) and then sniff other hosts' traffic; port security (6.1) limits how many addresses a port may add.

2.1.4 MAC Address Table

  • A table stored in the switch’s memory that maps MAC addresses to specific ports, helping the switch make forwarding decisions for incoming frames.
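
The learn / switch / flood / age behaviour of 2.1, as an added Python simulation (not part of the original flashcards). Port names, MACs and the tiny table size are constructed; the table size is deliberately small so that the CAM-overflow case in 2.1.3 can be shown:

```python
from dataclasses import dataclass, field


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return (int(mac.split(":")[0], 16) & 1) == 1


@dataclass
class Switch:
    ports: list[str]
    aging_time: int = 300          # IOS default MAC aging time in seconds
    max_entries: int = 8           # toy CAM size so the overflow case is easy to show
    table: dict[str, tuple[str, int]] = field(default_factory=dict)   # mac -> (port, last seen)

    def age_out(self, now: int) -> None:
        for mac, (_, seen) in list(self.table.items()):
            if now - seen >= self.aging_time:
                del self.table[mac]

    def receive(self, in_port: str, src: str, dst: str, now: int) -> list[str]:
        """Return the egress ports for one frame: learn the source, then switch, flood, or filter."""
        self.age_out(now)
        if src in self.table or len(self.table) < self.max_entries:
            self.table[src] = (in_port, now)             # learning: source MAC -> ingress port
        if is_group_address(dst) or dst not in self.table:
            return [p for p in self.ports if p != in_port]   # broadcast/multicast and unknown unicast: flood
        out_port, _ = self.table[dst]
        return [] if out_port == in_port else [out_port]     # filter when the destination is on the ingress port
```

Once the table is full, new hosts are never learned and every frame addressed to them floods, which is exactly what a MAC-flooding tool relies on.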

2.2 Interpret Ethernet Frame Format

  • Ethernet Frame consists of:

    • Preamble (7 bytes): Used for synchronization.

    • Start Frame Delimiter (SFD) (1 byte): Marks the beginning of the frame.

    • Destination MAC address (6 bytes).

    • Source MAC address (6 bytes).

    • EtherType (2 bytes): Indicates the encapsulated protocol (0x0800 IPv4, 0x86DD IPv6, 0x0806 ARP). On a trunk, a 4-byte 802.1Q tag (TPID 0x8100 plus the VLAN ID) sits between the source MAC and this field.

    • Payload/Data (46-1500 bytes): The actual data being transmitted; short frames are padded to 46 bytes.

    • FCS (Frame Check Sequence) (4 bytes): A CRC-32 over everything from the destination MAC through the payload; the receiver recomputes it and silently discards frames that do not match (counted as CRC errors).
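
The frame layout of 2.2, built and parsed in Python with FCS verification and 802.1Q tag handling, as an added example (not part of the original flashcards). The MACs and payloads are constructed; the preamble and SFD are left out because the NIC adds and strips them before software sees the frame:

```python
import struct
import zlib

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vlans: tuple[int, ...] = ()) -> bytes:
    """Assemble dst | src | [802.1Q tag]* | EtherType | payload (padded to 46 bytes) | FCS.

    Each 802.1Q tag is TPID 0x8100 followed by a TCI whose low 12 bits are the VLAN ID (PCP and DEI left at 0).
    """
    header = _mac_bytes(dst) + _mac_bytes(src)
    for vid in vlans:
        header += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    header += struct.pack("!H", ethertype)
    body = header + payload.ljust(46, b"\x00")          # 46-byte minimum payload -> 64-byte minimum frame
    return body + struct.pack("<I", zlib.crc32(body))    # CRC-32 over everything after the SFD, little-endian


def parse_frame(frame: bytes) -> dict:
    """Decode a frame, peeling off any stacked 802.1Q tags and checking the FCS."""
    if len(frame) < 64:
        raise ValueError("runt frame (shorter than 64 bytes)")
    dst, src = _mac_str(frame[0:6]), _mac_str(frame[6:12])
    offset, vlans = 12, []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype == 0x8100:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    offset += 2
    payload, fcs = frame[offset:-4], frame[-4:]
    return {
        "dst": dst, "src": src, "vlans": vlans,
        "ethertype": ETHERTYPES.get(ethertype, hex(ethertype)),
        "payload": payload,
        "fcs_ok": struct.pack("<I", zlib.crc32(frame[:-4])) == fcs,
        # Two tags arriving from a host are the signature of a double-tagging (VLAN hopping) attempt:
        # the first trunk strips the outer tag (native VLAN) and forwards the inner one into another VLAN.
        "double_tagged": len(vlans) > 1,
    }
```

Flipping a single bit anywhere before the FCS makes `fcs_ok` false, which is what a switch counts as a CRC error in `show interfaces`.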

2.3 Troubleshoot Interface and Cable Issues (collisions, errors, duplex, speed)

  • Collisions: Only occur on half-duplex links (hubs, or one side of a duplex mismatch). A few are normal on half duplex, but late collisions (after the first 64 bytes) almost always mean a duplex mismatch or an over-length cable.

  • Errors: CRC and input errors usually point to a bad cable, connector, or transceiver; runts and giants point to duplex problems or MTU misconfiguration.

  • Duplex Mismatch: One side full duplex, the other half duplex (often from failed auto-negotiation). The link comes up but performs badly: the half-duplex side logs late collisions, the full-duplex side logs CRC errors and runts.

  • Speed Mismatch: If the two ends are hard-coded to different speeds the link usually stays down. Either let both ends auto-negotiate or hard-code both ends identically, then verify with show interfaces.

2.4 Configure, verify, and troubleshoot VLANs (normal/extended range) spanning multiple switches

  • VLANs (Virtual LANs) allow logical segmentation of a network into different broadcast domains.

    • Normal Range VLANs: VLAN 1 to 1005 (1002-1005 are reserved for legacy Token Ring and FDDI); stored in the vlan.dat database.

    • Extended Range VLANs: VLAN 1006 to 4094 (4095 is reserved). VTP versions 1 and 2 do not propagate them, so the switch must be in VTP transparent mode to create them.

2.4.1 Access Ports (Data and Voice)

  • Access Ports: Used to connect end devices (PCs, phones). Devices connected to access ports are assigned to a single VLAN.

    • Voice VLAN: A special VLAN assigned for voice devices (e.g., IP phones), ensuring prioritization and QoS.

2.4.2 Default VLAN

  • VLAN 1: Default VLAN assigned to all ports unless explicitly changed.

2.5 Configure, verify, and troubleshoot interswitch connectivity

2.5.1 Trunk Ports

  • Trunk ports carry traffic from multiple VLANs between switches. Trunking uses 802.1Q tagging (or the obsolete Cisco-proprietary ISL, Inter-Switch Link) to mark which VLAN each frame belongs to.

2.5.2 Add and Remove VLANs on a Trunk

  • VLANs can be added or removed from a trunk port using the switch configuration commands.

2.5.3 DTP, VTP (v1 & v2), and 802.1Q

  • DTP (Dynamic Trunking Protocol): Cisco proprietary; negotiates automatically whether a link becomes a trunk. Because a host can answer DTP and turn its access port into a trunk carrying every VLAN, hard-code ports as access or trunk and disable negotiation (switchport nonegotiate).

  • VTP (VLAN Trunking Protocol): Propagates VLAN additions, deletions, and renames from a server to clients in the same VTP domain over trunks. A switch with a higher configuration revision number overwrites the domain's VLAN database, so run transparent mode or set a domain password.

  • 802.1Q: The IEEE standard for VLAN tagging in Ethernet frames; inserts a 4-byte tag after the source MAC. Frames of the native VLAN are sent untagged.

2.5.4 Native VLAN

  • The VLAN assigned to untagged frames on a trunk port. Typically, VLAN 1, but can be configured differently.

2.6 Configure, verify, and troubleshoot STP (Spanning Tree Protocol)

2.6.1 STP Mode (PVST+ and RPVST+)

  • PVST+ (Per VLAN Spanning Tree Plus): A Cisco proprietary protocol that runs a separate instance of STP for each VLAN.

  • RPVST+ (Rapid PVST+): A faster version of PVST+ with quicker convergence times.

2.6.2 STP Root Bridge Selection

  • The root bridge is the reference point of the STP topology; every other switch computes its lowest-cost path to it. The switch with the lowest bridge ID wins: the bridge priority (default 32768, plus the VLAN number as the extended system ID) is compared first, and the lowest MAC address breaks ties. Set the priority on the intended root (spanning-tree vlan X root primary) rather than leaving the election to MAC addresses.

2.7 Configure, verify, and troubleshoot STP-related optional features

2.7.1 PortFast

  • A feature that allows a port to transition to the forwarding state immediately without waiting for STP to converge. Often used on access ports connected to end devices.

2.7.2 BPDU Guard

  • Err-disables a PortFast port the moment it receives a BPDU. An end-user port should never see BPDUs, so one indicates a rogue switch or a loop through a hub; without BPDU Guard that device could win the root election and pull traffic through itself.
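
The root election of 2.6.2 and the BPDU Guard reaction of 2.7.2, as an added Python example (not part of the original flashcards). The switch names, priorities and MACs are constructed; the "ROGUE" entry shows why a port that accepts BPDUs is a problem:

```python
def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """Bridge ID with the extended system ID: 4-bit priority + 12-bit VLAN, then the 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN out of range")
    return ((priority + vlan) << 48) | int(mac.replace(":", "").replace(".", ""), 16)


def elect_root(bridges: dict[str, tuple[int, str]], vlan: int) -> str:
    """PVST+/RPVST+ election for one VLAN: the lowest bridge ID wins (priority first, MAC as tie-break)."""
    return min(bridges, key=lambda name: bridge_id(bridges[name][0], vlan, bridges[name][1]))


def access_port_receives_bpdu(bpduguard: bool) -> str:
    """Outcome when a BPDU arrives on a PortFast access port."""
    if bpduguard:
        return "err-disabled"    # port shut down; the sender never joins the election
    return "bpdu accepted"       # the sender takes part, and with priority 0 it wins
```

With BPDU Guard off, a device claiming priority 0 from an access port becomes root for the VLAN and every other switch re-routes through it.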

2.8 Configure and verify Layer 2 protocols

2.8.1 Cisco Discovery Protocol (CDP)

  • A Cisco proprietary protocol used to discover information about directly connected Cisco devices, such as device type, IP address, and software version.

2.8.2 LLDP (Link Layer Discovery Protocol)

  • An open standard protocol similar to CDP, used for discovering devices on a local network.

2.9 Configure, verify, and troubleshoot (Layer 2/Layer 3) EtherChannel

EtherChannel allows the aggregation of multiple physical links into a single logical link for increased bandwidth and redundancy.

2.9.1 Static EtherChannel

  • Manually configure EtherChannel without using negotiation protocols.

2.9.2 PAGP (Port Aggregation Protocol)

  • A Cisco protocol that automatically negotiates and forms EtherChannel links.

2.9.3 LACP (Link Aggregation Control Protocol)

  • An IEEE standard protocol for automatically aggregating links into an EtherChannel.

2.10 Describe the benefits of switch stacking and chassis aggregation

  • Switch Stacking: Multiple physical switches are connected and operate as a single logical switch, simplifying management and providing redundancy.

  • Chassis Aggregation: Two (or more) separate chassis switches, typically at the core or distribution layer, combined into one logical switch with a single control plane (Cisco VSS or StackWise Virtual, for example). Downstream switches can then use a single EtherChannel to both chassis, so spanning tree no longer has to block the redundant uplink.

3.1 Describe the routing concepts

3.1.1 Packet Handling along the Path through a Network

  • A packet travels through various routers and switches, each router making a forwarding decision based on its routing table, ensuring the packet reaches its destination.

3.1.2 Forwarding Decision Based on Route Lookup

  • Routers perform a route lookup by matching the destination IP address with entries in the routing table. The best matching route determines where the packet is forwarded.

3.1.3 Frame Rewrite

  • At every hop the router leaves the IP packet essentially unchanged (it decrements the TTL and recomputes the IP header checksum) but builds a new Layer 2 frame: the source MAC becomes the router's egress interface MAC, the destination MAC becomes the next hop's MAC (learned through ARP), and a new FCS is computed.

3.2 Interpret the Components of a Routing Table

3.2.1 Prefix

  • The network address and subnet mask that represents a destination network.

3.2.2 Network Mask

  • The mask that helps identify which part of an IP address is the network address and which part is the host address.

3.2.3 Next Hop

  • The next router or device the packet should be forwarded to on its way to the destination.

3.2.4 Routing Protocol Code

  • An identifier that specifies the routing protocol used to populate the route (e.g., OSPF, EIGRP, RIP).

3.2.5 Administrative Distance

  • A value used to determine the trustworthiness of a route. Lower values are preferred over higher values.

3.2.6 Metric

  • A value that indicates the "cost" of reaching a destination. Metrics are used to compare routes to the same destination.

3.2.7 Gateway of Last Resort

  • The route used for traffic that doesn't match any other routes in the routing table. Typically used for the default route.

3.3 Describe How a Routing Table Is Populated by Different Routing Information Sources

3.3.1 Administrative Distance

  • Routes from different sources (e.g., static, OSPF, EIGRP) can populate the routing table. The administrative distance determines which source's route is preferred if multiple sources provide routes to the same destination.

3.4 Configure, Verify, and Troubleshoot InterVLAN Routing

3.4.1 Router on a Stick

  • A router-on-a-stick is a configuration where a router is connected to a switch via a single physical interface. Subinterfaces are created on the router to provide routing for multiple VLANs.

3.4.2 SVI (Switched Virtual Interface)

  • An SVI is a virtual interface on a layer 3 switch used for routing between VLANs (InterVLAN Routing).

3.5 Compare and Contrast Static Routing and Dynamic Routing

  • Static Routing: Manually configured routes that do not change unless manually modified. It's more predictable but less scalable.

  • Dynamic Routing: Routes learned and adjusted automatically through routing protocols like OSPF, EIGRP, and RIP, offering scalability and adaptability to network changes.

3.6 Compare and Contrast Distance Vector and Link State Routing Protocols

  • Distance Vector: Routing protocols that determine the best route based on distance (e.g., RIP). They exchange routing tables periodically and are slower to converge.

  • Link State: Routing protocols that maintain a complete topology of the network and calculate the best path based on the network's current state (e.g., OSPF, IS-IS). They converge faster and provide better scalability.

3.7 Compare and Contrast Interior and Exterior Routing Protocols

  • Interior Routing Protocols (IGPs): Used within a single autonomous system (e.g., OSPF, EIGRP, RIP).

  • Exterior Routing Protocols (EGPs): Used between different autonomous systems, such as BGP (Border Gateway Protocol), which is essential for routing between organizations or networks.

3.8 Configure, Verify, and Troubleshoot IPv4 and IPv6 Static Routing

3.8.1 Default Route

  • A route that is used when no specific match is found in the routing table, usually written as 0.0.0.0/0 for IPv4 or ::/0 for IPv6.

3.8.2 Network Route

  • A route pointing to a specific network with a network address and subnet mask.

3.8.3 Host Route

  • A route pointing to a specific host with a 32-bit mask for IPv4 or 128-bit mask for IPv6.

3.8.4 Floating Static Route

  • A backup static route with a higher administrative distance. It’s only used if the primary route fails.
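
The route-selection rules of 3.2 and 3.3 (administrative distance, metric, longest prefix match, gateway of last resort) together with the floating static route of 3.8.4, as an added Python example (not part of the original flashcards). The prefixes, next hops and metrics are constructed, and the AD table holds the IOS defaults:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default administrative distances on IOS: connected, static, eBGP, EIGRP, OSPF, RIP.
DEFAULT_AD = {"C": 0, "S": 1, "B": 20, "D": 90, "O": 110, "R": 120}


@dataclass(frozen=True)
class Route:
    prefix: str                 # destination network, e.g. "10.1.5.0/24"
    next_hop: Optional[str]     # None for directly connected
    code: str                   # routing-protocol code letter as shown by `show ip route`
    metric: int = 0
    ad: Optional[int] = None    # explicit AD; a floating static uses e.g. 250 so it only wins when the primary is gone
    up: bool = True             # False once the next hop or the exit interface has failed

    @property
    def admin_distance(self) -> int:
        return self.ad if self.ad is not None else DEFAULT_AD[self.code]


def build_rib(candidates: list[Route]) -> dict[ipaddress.IPv4Network, Route]:
    """Per prefix keep one route: lowest administrative distance, then lowest metric. Down routes are withdrawn."""
    rib: dict[ipaddress.IPv4Network, Route] = {}
    for r in candidates:
        if not r.up:
            continue
        net = ipaddress.IPv4Network(r.prefix)
        cur = rib.get(net)
        if cur is None or (r.admin_distance, r.metric) < (cur.adm_distance, cur.metric) if False else (cur is None or (r.admin_distance, r.metric) < (cur.admin_distance, cur.metric)):
            rib[net] = r
    return rib


def lookup(rib: dict, destination: str) -> Optional[Route]:
    """Forwarding decision: longest prefix match. 0.0.0.0/0 (gateway of last resort) only wins when nothing longer matches."""
    ip = ipaddress.IPv4Address(destination)
    matches = [net for net in rib if ip in net]
    if not matches:
        return None   # no route at all: the packet is dropped and an ICMP unreachable may be sent
    return rib[max(matches, key=lambda n: n.prefixlen)]
```

Removing the primary default route (simulating a failed ISP link) makes the /0 lookup fall through to the floating static with AD 250.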

3.9 Configure, Verify, and Troubleshoot Single Area and Multi-Area OSPFv2 for IPv4

  • OSPFv2: A link-state routing protocol used for IPv4. In single-area OSPF, all routers are in the same area. In multi-area OSPF, the network is divided into areas to improve scalability and reduce overhead.

    • Excluding authentication, filtering, manual summarization, redistribution, stub, virtual-link, and LSAs.

3.10 Configure, Verify, and Troubleshoot Single Area and Multi-Area OSPFv3 for IPv6

  • OSPFv3: The version of OSPF used for IPv6 networks, similar to OSPFv2 but designed for IPv6.

    • Excluding authentication, filtering, manual summarization, redistribution, stub, virtual-link, and LSAs.

3.11 Configure, Verify, and Troubleshoot EIGRP for IPv4

  • EIGRP (Enhanced Interior Gateway Routing Protocol) is a Cisco proprietary protocol that combines features of both distance vector and link-state protocols.

    • Excluding authentication, filtering, manual summarization, redistribution, and stub.

3.12 Configure, Verify, and Troubleshoot EIGRP for IPv6

  • EIGRP for IPv6: Same as EIGRP for IPv4 but designed for IPv6 networks.

    • Excluding authentication, filtering, manual summarization, redistribution, and stub.

3.13 Configure, Verify, and Troubleshoot RIPv2 for IPv4

  • RIPv2 (Routing Information Protocol version 2) is a distance vector protocol that uses hop count as its metric (15 is the maximum; 16 means unreachable). Unlike RIPv1 it carries subnet masks in its updates (classless, so VLSM and CIDR work), sends updates by multicast to 224.0.0.9, and supports authentication.

    • Excluding authentication, filtering, manual summarization, and redistribution.

3.14 Troubleshoot Basic Layer 3 End-to-End Connectivity Issues

  • Troubleshooting steps:

    • Ping: Check for basic connectivity.

    • Traceroute: Determine the path the packet takes.

    • Routing Table: Verify correct routes.

    • Interface Status: Check for up/up status.

    • ACLs: Ensure no access control lists are blocking traffic.

4.1 Configure and Verify PPP and MLPPP on WAN Interfaces Using Local Authentication

  • PPP (Point-to-Point Protocol): A data link protocol used to establish a direct connection between two nodes, commonly used for serial links.

  • MLPPP (Multilink PPP): An extension of PPP that allows multiple physical links to be bundled together into a single logical link for increased bandwidth and redundancy.

  • Local Authentication: The username and password are configured on the router itself rather than on a RADIUS or TACACS+ server. PPP offers PAP, which sends the password in clear text, and CHAP, which proves knowledge of the password with an MD5 challenge/response without sending it; prefer CHAP (ppp authentication chap).

4.2 Configure, Verify, and Troubleshoot PPPoE Client-Side Interfaces Using Local Authentication

  • PPPoE (Point-to-Point Protocol over Ethernet): A method used to connect to the internet over an Ethernet link, commonly used by ISPs for broadband connections.

  • Client-Side Configuration: On the client router, PPPoE must be configured to authenticate using a username and password, provided by the ISP, for the connection.

4.3 Configure, Verify, and Troubleshoot GRE Tunnel Connectivity

  • GRE (Generic Routing Encapsulation): A tunneling protocol (IP protocol 47) that encapsulates many Layer 3 protocols, including multicast and routing-protocol traffic, inside IP packets; that is why it is used to carry dynamic routing between sites and as the inner layer of DMVPN. GRE provides no confidentiality or authentication: anyone on the path can read or inject tunnel traffic, so a "VPN" built on GRE alone must be protected with IPsec (GRE over IPsec).

  • Tunnel Configuration: A tunnel interface is created on each router with a tunnel source (a local interface or address) and a tunnel destination (the peer's reachable, usually public, address). The tunnel interface itself gets an address from a separate subnet shared by the two ends, and routes pointing at the tunnel interface steer traffic into it. The tunnel is only up/up if the destination is reachable without going through the tunnel itself (recursive routing takes it down).

4.4 Describe WAN Topology Options

4.4.1 Point-to-Point

  • A direct connection between two devices, often a leased line. Simple, with predictable bandwidth and no shared infrastructure, but with no redundancy: a single line failure isolates the site.

4.4.2 Hub and Spoke

  • A central device (hub) connects to multiple remote devices (spokes), forming a star-like topology. This is common for branch office setups where each remote site connects to a central site.

4.4.3 Full Mesh

  • Every device in the network is connected to every other device, providing high redundancy and fault tolerance but requiring more links and configuration.

4.4.4 Single vs Dual-Homed

  • Single-Homed: A site with a single connection to the internet or another network.

  • Dual-Homed: A site with two connections, typically for redundancy or load balancing.

4.5 Describe WAN Access Connectivity Options

4.5.1 MPLS (Multiprotocol Label Switching)

  • A high-performance, scalable technology used for directing data from one node to another based on short path labels rather than long network addresses, commonly used by ISPs for efficient routing across their networks.

4.5.2 Metro Ethernet

  • A high-bandwidth, fiber-optic-based service used for interconnecting offices or networks within a metropolitan area. Often used as a cost-effective alternative to leased lines.

4.5.3 Broadband PPPoE

  • Used to connect to the internet over broadband (DSL or cable) using PPPoE. It requires PPPoE configuration on both the client and server sides, often for residential or small office applications.

4.5.4 Internet VPN (DMVPN, Site-to-Site VPN, Client VPN)

  • DMVPN (Dynamic Multipoint VPN): A flexible VPN solution that allows secure communication between multiple remote sites, with dynamically established tunnels.

  • Site-to-Site VPN: A dedicated, secure connection between two networks over the internet, often used for branch office connectivity.

  • Client VPN: A VPN that allows individual devices to securely connect to a network, often used for remote employees to access the corporate network.

4.6 Configure and Verify Single-Homed Branch Connectivity Using eBGP IPv4

  • eBGP (External Border Gateway Protocol): Used for routing between different autonomous systems (e.g., between an ISP and a company).

  • Single-Homed Connectivity: Refers to a branch with only one connection to an ISP or external network. Configuration typically involves router bgp <local AS>, neighbor <ISP address> remote-as <ISP AS>, and a network statement for each prefix to advertise (the prefix must already be in the routing table). Because a single-homed site has only one exit, a default route learned from the ISP (or a static default) is enough inbound; the eBGP session mainly serves to advertise the site's own prefix.

4.7 Describe Basic QoS Concepts

Quality of Service (QoS) ensures that network traffic is managed effectively, prioritizing certain types of traffic to meet the needs of applications.

4.7.1 Marking

  • Marking traffic with a specific value in the packet header (e.g., DSCP or CoS) helps identify the type of traffic for prioritization and management.

4.7.2 Device Trust

  • Trust refers to whether a switch or router accepts the QoS markings already present on incoming traffic. Ports facing devices under network control (IP phones, other switches) are trusted; ports facing user PCs are not, and their markings are rewritten (typically to 0) so a host cannot promote its own traffic into the voice queue. The line between trusted and untrusted ports is the trust boundary.

4.7.3 Prioritization

  • Voice: Traffic related to voice calls is prioritized to ensure clear, uninterrupted communication.

  • Video: Video traffic is prioritized next after voice to ensure smooth video streaming or conferencing.

  • Data: Regular data traffic is typically given lower priority compared to voice and video to avoid congestion.

4.7.4 Shaping

  • Traffic shaping involves controlling the flow of data into the network by buffering and delaying packets to smooth out burst traffic, preventing congestion.

4.7.5 Policing

  • Traffic policing involves enforcing traffic rate limits, dropping or remarking packets that exceed the allowed rate. This helps to manage traffic bandwidth and prevent excessive usage.

4.7.6 Congestion Management

  • Techniques such as queue management are used to handle congestion by placing traffic in different queues based on priority, ensuring that high-priority traffic (e.g., voice and video) is processed first.
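
The marking, trust, policing and shaping concepts of 4.7, as an added Python example (not part of the original flashcards). The DSCP values are the standard ones for the classes named in 4.7.3; the packet arrival times, sizes, rate and burst are constructed so the difference between dropping (policer) and delaying (shaper) is visible:

```python
# Standard DSCP values for the classes in 4.7.3: EF for voice, AF41 for video, default (best effort) for data.
DSCP = {"voice": 46, "video": 34, "data": 0}


def tos_byte(dscp: int) -> int:
    """DSCP occupies the top 6 bits of the IP ToS / Traffic Class byte (the low 2 bits are ECN)."""
    return (dscp & 0x3F) << 2


def apply_trust(incoming_dscp: int, port_trusted: bool) -> int:
    """Trust boundary: marks arriving on untrusted ports are rewritten to 0, so a PC cannot promote itself into the voice queue."""
    return incoming_dscp if port_trusted else 0


def police(packets, rate, burst):
    """Single-rate token-bucket policer over (arrival_seconds, bytes) packets in arrival order.

    Returns (arrival, size, verdict); 'exceed' packets are dropped or remarked, never delayed.
    """
    tokens, last = float(burst), 0.0
    verdicts = []
    for t, size in packets:
        tokens = min(burst, tokens + (t - last) * rate)   # refill at `rate` bytes/s, capped at the burst size
        last = t
        if size <= tokens:
            tokens -= size
            verdicts.append((t, size, "conform"))
        else:
            verdicts.append((t, size, "exceed"))
    return verdicts


def shape(packets, rate, burst):
    """Same bucket, but excess is queued and released as tokens accrue. Returns (arrival, departure, size).

    Requires burst >= largest packet; otherwise that packet could never be sent.
    """
    tokens, last = float(burst), 0.0
    schedule = []
    for t, size in packets:
        depart = max(t, last)                # FIFO: cannot leave before arrival or before the previous packet
        tokens = min(burst, tokens + (depart - last) * rate)
        if size > tokens:
            wait = (size - tokens) / rate    # hold the packet until enough tokens exist
            depart += wait
            tokens += wait * rate
        tokens -= size
        last = depart
        schedule.append((t, depart, size))
    return schedule
```

With a 1000 B/s rate and a 1500-byte burst, three back-to-back 1500-byte packets are policed to conform/exceed/exceed but shaped to leave at 0 s, 1.5 s and 3.0 s; shaping trades latency for loss, which is why it suits a sub-rate WAN link and policing suits an ingress trust boundary.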

5.1 Describe DNS Lookup Operation

  • DNS (Domain Name System) is responsible for resolving domain names into IP addresses.

  • The lookup process involves:

    1. Query: The client sends a DNS request to the configured DNS server for a domain name.

    2. Recursive/Iterative Resolution: The recursive resolver (the server the client points at) takes on the whole job. If the answer is not cached it queries iteratively: a root server for the TLD's name servers, the TLD server for the domain's authoritative servers, and the authoritative server for the record itself.

    3. Response: Once the IP address is found, the DNS server returns the result to the client.

    4. Caching: To reduce lookup time, results are often cached at both the client and DNS server levels.

5.2 Troubleshoot Client Connectivity Issues Involving DNS

  • Common issues can include:

    • DNS server unavailability: The client can't reach the DNS server.

    • Incorrect DNS configuration: The client is pointing to an incorrect DNS server.

    • DNS resolution failures: The DNS server is unable to resolve the domain name.

    • Firewall or filtering issues: Traffic to/from DNS servers may be blocked.

    • Tools: Use nslookup, dig, or ping to diagnose DNS issues and ensure correct DNS server responses.

5.3 Configure and Verify DHCP on a Router (Excluding Static Reservations)

  • DHCP (Dynamic Host Configuration Protocol) dynamically assigns IP addresses to clients on the network.

5.3.1 Server:

  • The router can be configured as a DHCP server to assign IP addresses to clients.

  • Configuration typically involves specifying the IP address pool, lease times, and optional parameters like DNS servers and default gateway.

5.3.2 Relay:

  • A DHCP relay agent forwards DHCP requests from clients to a DHCP server if the server is on a different network. This ensures clients can obtain IP addresses even if the DHCP server is not directly reachable.

5.3.3 Client:

  • Devices (like PCs) on the network can be configured as DHCP clients. They will request an IP address from the DHCP server.

5.3.4 TFTP, DNS, and Gateway Options:

  • Additional options can be configured in DHCP such as:

    • TFTP: For file transfer (e.g., booting devices over the network).

    • DNS: To specify DNS servers for clients.

    • Gateway: To specify the default gateway IP address for clients.

5.4 Troubleshoot Client- and Router-Based DHCP Connectivity Issues

  • Client-Side Issues:

    • Verify that the client is properly configured to obtain an IP address automatically.

    • Check if the DHCP server is reachable from the client.

    • Use ipconfig (Windows) or ip addr (Linux) to check the assigned IP address; an address in 169.254.0.0/16 (APIPA) means no DHCP server answered.

  • Router-Side Issues:

    • Ensure the DHCP pool is correctly configured.

    • Check if the router is receiving and responding to DHCP requests.

    • Use show ip dhcp binding and show ip dhcp pool to verify the router's DHCP status.

5.5 Configure, Verify, and Troubleshoot Basic HSRP

  • HSRP (Hot Standby Router Protocol) is a Cisco proprietary redundancy protocol that ensures high availability for default gateway IP addresses.

5.5.1 Priority:

  • Each router in an HSRP group has a priority value, with the router with the highest priority becoming the active router (the one that handles traffic).

  • The priority value can be adjusted to change which router becomes active.

5.5.2 Preemption:

  • If a router with a higher priority comes online after an HSRP failover, preemption allows it to take over as the active router, even if the previous active router is still functional.

5.5.3 Version:

  • HSRP has two versions, and all routers in a group must run the same one. HSRPv1 supports group numbers 0-255 and sends hellos to 224.0.0.2 (virtual MAC 0000.0C07.ACxx). HSRPv2 supports group numbers 0-4095, IPv6, and millisecond timers, and sends hellos to 224.0.0.102 (virtual MAC 0000.0C9F.Fxxx). Hellos go to every host on the segment over UDP 1985 and are authenticated only by a plain-text string by default, so any host could claim priority 255 and become the gateway; use MD5 authentication on segments that are not fully trusted.
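
The priority, preemption and version rules of 5.5, as an added Python simulation (not part of the original flashcards). The router names, addresses and priorities are constructed:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class HsrpRouter:
    name: str
    ip: str                 # interface address; the higher address breaks priority ties
    priority: int = 100     # IOS default
    preempt: bool = False   # IOS default: a returning router does not take the role back
    up: bool = True


def virtual_mac(version: int, group: int) -> str:
    """v1: 0000.0c07.acXX (groups 0-255); v2: 0000.0c9f.fXXX (groups 0-4095)."""
    if version == 1 and 0 <= group <= 255:
        return f"0000.0c07.ac{group:02x}"
    if version == 2 and 0 <= group <= 4095:
        return f"0000.0c9f.f{group:03x}"
    raise ValueError(f"group {group} is out of range for HSRP version {version}")


def best_candidate(routers: list[HsrpRouter]) -> Optional[HsrpRouter]:
    alive = [r for r in routers if r.up]
    return max(alive, key=lambda r: (r.priority, ipaddress.IPv4Address(r.ip))) if alive else None


class HsrpGroup:
    """Tracks which router is active as routers fail and return."""

    def __init__(self, group: int, version: int = 2):
        self.mac = virtual_mac(version, group)
        self.active: Optional[HsrpRouter] = None

    def evaluate(self, routers: list[HsrpRouter]) -> Optional[str]:
        best = best_candidate(routers)
        if self.active is None or not self.active.up:
            self.active = best                 # failover: standby takes over once hellos stop (default hold time 10 s)
        elif best is not None and best is not self.active and best.preempt and best.priority > self.active.priority:
            self.active = best                 # preemption: a higher-priority router reclaims the active role
        return self.active.name if self.active else None
```

Without `preempt`, the higher-priority router stays standby after it comes back, which is the IOS default and often surprises people during failover tests.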

5.6 Configure, Verify, and Troubleshoot Inside Source NAT

  • NAT (Network Address Translation) modifies source IP addresses of outgoing traffic to enable multiple devices within a private network to access external resources using a single public IP address.

5.6.1 Static NAT:

  • Maps a specific private IP address to a specific public IP address. This is often used for hosting servers, where a specific internal device must always be accessible via the same external IP.

5.6.2 Pool NAT:

  • Uses a pool of public IP addresses to map to a range of private IP addresses. This allows many devices in a private network to share a smaller set of public IP addresses.

5.6.3 PAT (Port Address Translation):

  • Also known as overloading, PAT lets many inside hosts share one public address: the router rewrites the source port as well as the source IP so that each session maps to a unique (public IP, port) pair, and return traffic is matched back to the right inside host by that port.
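
The three translation types of 5.6 in one table, as an added Python example (not part of the original flashcards). On IOS each type is a separate ip nat inside source statement; this toy object chains them (static, then pool, then overload) only so that all three can be exercised on one set of constructed addresses:

```python
from typing import Optional


class InsideSourceNat:
    """Inside-source NAT table: static map first, then a dynamic pool, then PAT overload on one address."""

    def __init__(self, static=None, pool=(), overload_ip: Optional[str] = None):
        self.static = dict(static or {})          # inside local -> inside global, permanent and bidirectional
        self.free_pool = list(pool)
        self.pool_map: dict[str, str] = {}        # inside local -> pool address while the translation lives
        self.overload_ip = overload_ip
        self.pat: dict[tuple, tuple] = {}         # (proto, inside local, local port) -> (global ip, global port)
        self.reverse: dict[tuple, tuple] = {}     # (proto, global ip, global port) -> (inside local, local port)
        self.used_ports: set[tuple] = set()       # (proto, global port) already taken on the overload address

    def translate(self, proto: str, src_ip: str, src_port: int) -> tuple[str, int]:
        if src_ip in self.static:
            return self.static[src_ip], src_port
        if src_ip in self.pool_map:
            return self.pool_map[src_ip], src_port
        if self.free_pool:                        # dynamic (pool) NAT: one public address per inside host
            self.pool_map[src_ip] = self.free_pool.pop(0)
            return self.pool_map[src_ip], src_port
        if self.overload_ip is None:
            raise RuntimeError("pool exhausted and no overload configured: packet dropped")
        key = (proto, src_ip, src_port)
        if key not in self.pat:                   # PAT: keep the source port if free, else the next unused one
            gport = src_port if (proto, src_port) not in self.used_ports else self._next_port(proto)
            self.used_ports.add((proto, gport))
            self.pat[key] = (self.overload_ip, gport)
            self.reverse[(proto, self.overload_ip, gport)] = (src_ip, src_port)
        return self.pat[key]

    def _next_port(self, proto: str) -> int:
        port = 1024
        while (proto, port) in self.used_ports:
            port += 1
        return port

    def untranslate(self, proto: str, dst_ip: str, dst_port: int) -> Optional[tuple[str, int]]:
        """Return traffic: map an inside-global destination back to the inside-local host."""
        for local, public in {**self.static, **self.pool_map}.items():
            if public == dst_ip:
                return local, dst_port
        return self.reverse.get((proto, dst_ip, dst_port))   # None: no entry, so unsolicited inbound traffic is dropped
```

The last line is the security side-effect people rely on: with PAT, an inbound packet that matches no existing translation has nowhere to go.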

5.7 Configure and Verify NTP Operating in a Client/Server Mode

  • NTP (Network Time Protocol) synchronizes clocks across devices in a network to ensure accurate timekeeping.

  • Client/Server Mode:

    • NTP Server: The device that provides the time reference to clients.

    • NTP Client: The device that requests time updates from the NTP server.

    • NTP uses a hierarchical system of time sources, with each server either synchronizing with a higher-level server or providing time to lower-level clients.

    • Use ntp server <ip-address> on the client-side to configure an NTP server.

    • Verify using the show ntp status and show ntp associations commands to ensure proper synchronization.

6.1 Configure, Verify, and Troubleshoot Port Security

  • Port security helps prevent unauthorized devices from accessing the network by limiting the number of MAC addresses allowed on a switch port.

6.1.1 Static Port Security:

  • MAC addresses are manually configured on a port. Only the specified MAC addresses can access the network through that port. Any other device trying to connect will be blocked.

6.1.2 Dynamic Port Security:

  • The switch dynamically learns MAC addresses on a port. The number of allowed MAC addresses can be configured, and once the limit is reached, the switch will take a violation action (e.g., shutdown, restrict).

6.1.3 Sticky Port Security:

  • The switch learns MAC addresses dynamically but converts them into static entries in the running configuration (switchport port-security mac-address sticky). They survive a reload only if the configuration is saved.

6.1.4 Max MAC Addresses:

  • Configures the maximum number of MAC addresses allowed on a port. Exceeding this limit results in a violation.

6.1.5 Violation Actions:

  • If a violation occurs (e.g., an unauthorized MAC address is detected), several actions can be configured:

    • Protect: Drops frames from unauthorized MAC addresses silently: no syslog message and no violation counter, which makes it hard to notice.

    • Restrict: Similar to protect, but also generates a log message.

    • Shutdown: Disables the port immediately, and a log message is generated.

6.1.6 Err-Disable Recovery:

  • When a port is error-disabled (after a shutdown-mode violation or another err-disable cause), it can be brought back automatically after a timer with errdisable recovery cause psecure-violation (interval set with errdisable recovery interval <seconds>, default 300). This reduces the need for manual intervention; the alternative is shutdown followed by no shutdown on the interface.
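
The port-security behaviour of 6.1 (static and sticky addresses, maximum count, the three violation modes, err-disable recovery) as an added Python state machine (not part of the original flashcards). The MAC addresses and message texts are constructed:

```python
class SecurePort:
    """Port security state for one access port."""

    def __init__(self, maximum: int = 1, violation: str = "shutdown", sticky: bool = False, static=()):
        self.maximum = maximum
        self.violation = violation                 # protect | restrict | shutdown (IOS default is shutdown)
        self.sticky = sticky
        self.secure_macs = set(static)             # statically configured addresses count toward the maximum
        self.running_config = [f"switchport port-security mac-address {m}" for m in static]
        self.status = "secure-up"
        self.violation_count = 0
        self.syslog: list[str] = []

    def frame_from(self, mac: str) -> str:
        if self.status == "err-disabled":
            return "dropped (port err-disabled)"
        if mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)              # dynamic learning up to the maximum
            if self.sticky:                        # sticky: the learned address lands in running-config
                self.running_config.append(f"switchport port-security mac-address sticky {mac}")
            return "forwarded"
        # maximum reached and this MAC is not secure: a violation
        if self.violation == "protect":
            return "dropped"                       # silent: no counter, no syslog
        self.violation_count += 1
        if self.violation == "restrict":
            self.syslog.append(f"port-security violation: unexpected source MAC {mac}")
            return "dropped"
        self.status = "err-disabled"
        self.syslog.append(f"port-security violation: unexpected source MAC {mac}, port err-disabled")
        return "dropped (port err-disabled)"

    def errdisable_recovery(self) -> str:
        """What `errdisable recovery cause psecure-violation` does once the recovery interval expires."""
        if self.status == "err-disabled":
            self.status = "secure-up"
        return self.status
```

Note the trade-off shown in the shutdown case: the legitimate host on the port loses service too, which is why restrict is sometimes preferred on ports where a brief intrusion is less costly than an outage.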

6.2 Describe Common Access Layer Threat Mitigation Techniques

6.2.1 802.1x:

  • 802.1x is a port-based network access control (PNAC) protocol used for authenticating devices before they can access the network.

    • Devices must provide credentials to an Authentication Server (e.g., RADIUS) before gaining access to the network.

    • Commonly used for wireless and wired network access control.

6.2.2 DHCP Snooping:

  • DHCP Snooping is a security feature that helps prevent rogue DHCP servers from allocating IP addresses to clients. The switch only allows DHCP responses from trusted ports (like those connected to authorized DHCP servers).

    • It builds a DHCP snooping binding table (client MAC, leased IP, lease time, VLAN, and port) from the exchanges it sees; IP Source Guard and Dynamic ARP Inspection use that table to drop traffic from hosts using addresses they were not leased. Untrusted ports are also rate-limited, and client messages whose Ethernet source MAC does not match the DHCP client hardware address (chaddr) are dropped.

6.2.3 Nondefault Native VLAN:

  • The Native VLAN is the one whose frames travel untagged on a trunk. Using a nondefault native VLAN that carries no user traffic, keeping access ports out of that VLAN, and tagging native VLAN frames (vlan dot1q tag native) mitigates VLAN hopping by double tagging: a frame carrying two 802.1Q tags whose outer tag matches the native VLAN has the outer tag stripped at the first trunk and the inner tag delivered into a VLAN the sender is not a member of.
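
The DHCP snooping checks of 6.2.2 and the binding table they produce, as an added Python simulation (not part of the original flashcards). The port names, MACs and message contents are constructed; the message dictionaries carry only the fields the switch actually inspects:

```python
class DhcpSnooping:
    """DHCP snooping on one switch: only trusted ports may carry server messages; clients are tracked into a binding table."""

    SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending: dict[str, tuple[int, str]] = {}          # client MAC -> (vlan, port) of its last request
        self.bindings: dict[str, tuple[str, int, str]] = {}    # client MAC -> (ip, vlan, port)

    def inspect(self, port: str, vlan: int, msg: dict) -> str:
        """msg fields: type, src_mac (Ethernet source), chaddr (DHCP client hardware address), yiaddr (offered IP)."""
        kind = msg["type"]
        if port not in self.trusted:
            if kind in self.SERVER_MESSAGES:
                return "drop: server message on untrusted port (rogue DHCP server)"
            if msg["src_mac"] != msg["chaddr"]:
                return "drop: chaddr does not match source MAC (spoofed client)"
            if kind == "RELEASE" and self.bindings.get(msg["chaddr"], (None, None, None))[2] != port:
                return "drop: release for a binding learned on another port"
        if kind in ("DISCOVER", "REQUEST"):
            self.pending[msg["chaddr"]] = (vlan, port)
        elif kind == "ACK" and msg["chaddr"] in self.pending:
            client_vlan, client_port = self.pending.pop(msg["chaddr"])
            self.bindings[msg["chaddr"]] = (msg["yiaddr"], client_vlan, client_port)
        elif kind == "RELEASE":
            self.bindings.pop(msg["chaddr"], None)
        return "forward"

    def source_allowed(self, port: str, mac: str, ip: str) -> bool:
        """IP Source Guard / Dynamic ARP Inspection reuse the table: a host may only use the address it was leased, on its own port."""
        binding = self.bindings.get(mac)
        return binding is not None and binding[0] == ip and binding[2] == port
```

The OFFER from the rogue port is dropped before any client can accept a forged default gateway or DNS server, which is the attack DHCP snooping exists to stop.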

6.3 Configure, Verify, and Troubleshoot IPv4 and IPv6 Access Lists for Traffic Filtering

  • Access Control Lists (ACLs) are used to filter traffic based on IP addresses, protocols, and ports.

6.3.1 Standard ACL:

  • Standard ACLs filter traffic based solely on the source IP address and should be applied close to the destination. IPv4 standard ACLs are numbered 1-99 or 1300-1999 (extended ACLs use 100-199 or 2000-2699). IPv6 ACLs are always named and always extended (ipv6 access-list NAME).

    • Example: access-list 10 deny 192.168.1.0 0.0.0.255

6.3.2 Extended ACL:

  • Extended ACLs can filter based on source IP, destination IP, protocol, and port number. They provide more granularity for filtering traffic.

    • Example: access-list 100 permit tcp any any eq 80

6.3.3 Named ACL:

  • Named ACLs allow users to define ACLs with a custom name, which can be easier to manage than numbered ACLs.

    • Example: ip access-list standard MyACL
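
A parser and evaluator for the numbered and named IOS ACL syntax shown in 6.3, as an added Python example (not part of the original flashcards). The configuration text and the test packets are constructed; the port-name table covers only a few of the names IOS accepts, and only the eq port operator is implemented:

```python
import ipaddress

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "tftp": 69, "www": 80, "snmp": 161}


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok, i):
    """Consume `any` | `host A` | `A WILDCARD` | bare `A` at tok[i]; return (address, wildcard, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:
        return _ip(tok[i]), _ip(tok[i + 1]), i + 2
    return _ip(tok[i]), 0, i + 1          # a bare address in a standard ACL means a single host


def _parse_port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def _parse_entry(tok, action_index, extended):
    e = {"action": tok[action_index], "proto": "ip", "sport": None, "dport": None, "dst": 0, "dwc": 0xFFFFFFFF}
    i = action_index + 1
    if extended:
        e["proto"] = tok[i]
        i += 1
    e["src"], e["swc"], i = _parse_addr(tok, i)
    if extended:
        e["sport"], i = _parse_port(tok, i)
        e["dst"], e["dwc"], i = _parse_addr(tok, i)
        e["dport"], i = _parse_port(tok, i)
    return e


def parse_acls(config: str) -> dict:
    """Read `access-list N ...` lines and `ip access-list {standard|extended} NAME` blocks from IOS config text."""
    acls, current = {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            num = int(tok[1])
            if 1 <= num <= 99 or 1300 <= num <= 1999:
                extended = False
            elif 100 <= num <= 199 or 2000 <= num <= 2699:
                extended = True
            else:
                raise ValueError(f"unsupported ACL number {num}")
            entry = _parse_entry(tok, 2, extended)
            entry["line"] = raw.strip()
            acls.setdefault(num, []).append(entry)
            current = None
        elif tok[:2] == ["ip", "access-list"]:
            current = (tok[3], tok[2] == "extended")
            acls.setdefault(tok[3], [])
        elif current is not None and tok[0] == "remark":
            continue
        elif current is not None and (tok[0] in ("permit", "deny") or (len(tok) > 1 and tok[0].isdigit() and tok[1] in ("permit", "deny"))):
            if tok[0].isdigit():
                tok = tok[1:]                  # named ACL lines may carry a sequence number
            entry = _parse_entry(tok, 0, current[1])
            entry["line"] = raw.strip()
            acls[current[0]].append(entry)
        else:
            current = None
    return acls


def _matches(addr: int, wildcard: int, ip: int) -> bool:
    return ((addr ^ ip) & ~wildcard & 0xFFFFFFFF) == 0   # wildcard bits set to 1 are "don't care"


def evaluate(acl: list, src: str, dst: str, proto: str = "ip", sport=None, dport=None) -> tuple[str, str]:
    """First matching entry wins; an ACL that matches nothing ends in the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (_matches(e["src"], e["swc"], s) and _matches(e["dst"], e["dwc"], d)):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["line"]
    return "deny", "implicit deny"
```

The returned line tells you which entry matched, which is the same information `show access-lists` gives through its per-entry hit counters; the implicit deny at the end is what makes an ACL with only permit lines a whitelist.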

6.4 Verify ACLs Using the APIC-EM Path Trace ACL Analysis Tool

  • The APIC-EM (Application Policy Infrastructure Controller Enterprise Module) Path Trace tool helps verify how ACLs are applied along the network path.

    • It allows you to trace the path of traffic across the network and check how ACLs are affecting traffic flow, helping in troubleshooting network access issues.

6.5 Configure, Verify, and Troubleshoot Basic Device Hardening

Device hardening involves securing a network device by reducing its attack surface, improving its security posture.

6.5.1 Local Authentication:

  • This refers to the process of securing device access by using locally stored credentials (username/password) rather than relying on external authentication servers.

    • Use username <name> password <password> to configure local users.

6.5.2 Secure Password:

  • It's important to use strong passwords on network devices to prevent unauthorized access. Enable password encryption on the device using service password-encryption to protect passwords stored in the configuration.

6.5.3 Access to Device:

  • Securing access to devices through methods such as limiting access to certain IP addresses, controlling access protocols, and using secure management protocols.

6.5.3.1 Address:

  • Restrict access to devices by specifying allowed source IP addresses for management access.

6.5.3.2 Telnet/SSH:

  • Telnet is insecure, and SSH is preferred for remote access due to its encrypted nature. Disable Telnet and only allow SSH for remote management.

6.5.3.3 Login Banner:

  • Configure a login banner to display a message when someone attempts to log into the device. This message could include legal notices or system warnings.

    • Example: banner login ^CUnauthorized Access is Prohibited^C

6.6 Describe Device Security Using AAA with TACACS+ and RADIUS

  • AAA (Authentication, Authorization, and Accounting) is a framework used to control access to network devices and track user activity.

TACACS+:

  • TACACS+ (Terminal Access Controller Access Control System Plus) is a protocol that provides centralized authentication, authorization, and accounting services for network devices.

    • It separates authentication, authorization, and accounting into distinct processes, which provides more flexibility than RADIUS.

    • It encrypts the entire packet, ensuring greater security.

RADIUS:

  • RADIUS (Remote Authentication Dial-In User Service) is a protocol used for centralized authentication, authorization, and accounting. It's more commonly used for network access and VPN authentication.

    • RADIUS encrypts only the password, making it less secure than TACACS+.

    • It combines authentication and authorization into one process.

7.1 Configure and Verify Device-Monitoring Protocols

Device-monitoring protocols are essential for managing and monitoring network devices, helping in troubleshooting and gathering network statistics.

7.1.1 SNMPv2 (Simple Network Management Protocol version 2)
  • SNMPv2 is a protocol used for managing, monitoring, and controlling network devices. It operates by exchanging messages between a management system (SNMP manager) and the managed devices (SNMP agents).

  • Key features:

    • Uses community strings for authentication (read-only or read-write).

    • Supports bulk retrieval of data (more efficient than SNMPv1).

    • Provides enhanced error handling and performance improvements over SNMPv1.

7.1.2 SNMPv3
  • SNMPv3 is a more secure version of SNMP, addressing the security issues found in SNMPv1 and SNMPv2.

  • Key features:

    • Authentication: Ensures that the data comes from a legitimate source.

    • Encryption: Ensures that the SNMP data is securely transmitted.

    • Access control: Provides more granular control over who can access the SNMP-managed devices.

7.1.3 Syslog
  • Syslog is a standard for logging events in a network device. It is used to gather logs, errors, and alerts from devices.

  • Key features:

    • Logged events are classified into severity levels (0–7).

    • Supports sending logs to a centralized syslog server for easier management.

    • Useful for troubleshooting, security monitoring, and compliance.

7.2 Troubleshoot Network Connectivity Issues Using ICMP Echo-based IP SLA

  • ICMP Echo-based IP SLA (Service Level Agreement) is a tool used to monitor and troubleshoot network connectivity.

  • It uses ICMP echo requests and echo replies (ping) to measure the response time between devices, helping to identify delays, packet loss, or network issues.

  • It can provide performance statistics for applications such as voice, video, and web browsing to ensure the network meets the required service levels.

7.3 Configure and Verify Device Management

Device management is key to maintaining operational efficiency and ensuring the devices remain secure and updated.

7.3.1 Backup and Restore Device Configuration
  • Backup: Always have a copy of the configuration saved to prevent data loss.

    • Can be done using TFTP, FTP, or SCP.

  • Restore: Restore configurations from a backup file if the device needs to be reset or replaced.

7.3.2 Using Cisco Discovery Protocol (CDP) or LLDP for Device Discovery
  • CDP: Cisco proprietary protocol for discovering devices directly connected to the network. It provides information like the device's IP address, platform, and capabilities.

  • LLDP (Link Layer Discovery Protocol): An open standard similar to CDP, used for discovering and sharing device information on the network.

7.3.3 Licensing
  • Cisco devices require licenses for specific features or functionalities (e.g., advanced routing, security features, or additional interfaces).

  • The licensing process can be configured via the Cisco Licensing interface or CLI commands.

7.3.4 Logging
  • Logging is used to monitor system behavior and store event logs.

  • Can be configured to log locally or remotely to a syslog server for centralized management.

  • Useful for monitoring system activity and troubleshooting issues.

7.3.5 Time Zone
  • Configuring the correct time zone is essential for accurate logging and scheduling tasks.

  • Time can be synchronized using Network Time Protocol (NTP) to ensure consistency across devices.

7.3.6 Loopback
  • A loopback interface is a virtual interface used for device management and network testing.

  • It provides a stable, always-up interface that can be used for routing and other network functions.

7.4 Configure and Verify Initial Device Configuration

  • When a new device is installed, configure it with the necessary settings like hostname, IP addresses, routing protocols, and security configurations.

  • Verify the configuration by testing connectivity (ping, traceroute) and checking system logs to ensure the device operates as expected.

7.5 Perform Device Maintenance

Device maintenance includes software upgrades, configuration changes, and troubleshooting to ensure the device remains operational.

7.5.1 Cisco IOS Upgrades and Recovery (SCP, FTP, TFTP, and MD5 Verify)
  • IOS Upgrade: Upgrading the Cisco IOS version helps improve security, functionality, and performance. This can be done through SCP, FTP, or TFTP to load the new IOS version onto the device.

  • MD5 Verify: The MD5 checksum is used to verify the integrity of the downloaded IOS image before installing it, ensuring that the file has not been corrupted during transfer.

7.5.2 Password Recovery and Configuration Register
  • If a device's password is lost or forgotten, it may require a password recovery procedure to reset or bypass the password.

  • The configuration register setting determines the boot behavior of the device. Changing it to bypass the startup configuration can help in password recovery procedures.

7.5.3 File System Management
  • Cisco devices use a file system to store configuration files, IOS images, logs, and other data.

  • File management commands like dir (to list files) and copy (to copy files) are essential for maintaining the file system.

7.6 Use Cisco IOS Tools to Troubleshoot and Resolve Problems

Cisco IOS provides various tools to help troubleshoot network issues.

7.6.1 Ping and Traceroute with Extended Options
  • Ping is used to test connectivity between devices.

    • Extended ping options allow more detailed testing, such as specifying the packet size and TTL.

  • Traceroute helps identify the path taken by packets across the network, showing each hop and identifying where delays occur.

7.6.2 Terminal Monitor
  • The terminal monitor command allows you to view system log messages in real time on the device's terminal session, making it easier to troubleshoot issues as they occur.

7.6.3 Log Events
  • Logging events helps track system changes, issues, and security incidents.

  • Use the logging command to set up logging for various system events, and review them to diagnose issues.

7.6.4 Local SPAN (Switched Port Analyzer)
  • SPAN is used to monitor traffic on a port or VLAN. It copies the traffic from monitored ports to a designated monitoring port for analysis.

  • Useful for troubleshooting traffic flow and detecting network issues.

7.7 Describe Network Programmability in Enterprise Network Architecture

Network programmability refers to the ability to automate and control network devices and services through software.

7.7.1 Function of a Controller
  • A network controller is a central component in software-defined networking (SDN) that manages and configures network devices via software.

  • It provides a centralized view of the network and allows for dynamic changes based on policies.

7.7.2 Separation of Control Plane and Data Plane
  • In traditional networking, the control plane (routing decisions) and data plane (traffic forwarding) are integrated into each device.

  • In SDN, the control plane is centralized and separated from the data plane, allowing for more flexibility and programmability in network management.

7.7.3 Northbound and Southbound APIs
  • Northbound APIs allow communication between the controller and applications (e.g., network monitoring, automation tools).

  • Southbound APIs allow the controller to communicate with network devices (e.g., switches, routers).

  • These APIs are essential for network programmability, allowing for more automated and dynamic management of the network.

8.1 Installation, Configuration, and Management

8.1.1 Windows Workstation Software
  • Installation:

    • Windows workstation software (e.g., Windows 10 or Windows 11) can be installed through a variety of methods, including using bootable USB drives, network installations, or Windows deployment services (WDS).

    • System Requirements: Ensure the hardware meets minimum system requirements such as CPU, RAM, and storage capacity.

    • Installation often involves partitioning the drive, choosing a region and language, entering product keys, and setting up accounts.

  • Configuration:

    • Configure user accounts and permissions (local or Microsoft accounts).

    • Set network settings such as IP addresses, DNS, and domain membership (if part of an Active Directory).

    • Adjust security settings by configuring Windows Defender, firewall settings, and installing necessary updates and drivers.

    • Configure system features such as BitLocker (for drive encryption) and Windows Update.

  • Management:

    • Use Group Policy for centralized management and configuration of multiple machines in an enterprise environment.

    • Use Windows Admin Center or Microsoft Endpoint Manager for remote management and monitoring.

    • Patch Management to keep Windows workstations up to date with the latest security patches.

8.1.2 Windows Server Software
  • Installation:

    • Windows Server editions (e.g., Windows Server 2019, 2022) can be installed using Windows Server installation media (DVD, ISO, or network boot).

    • The installation process involves selecting the server role (e.g., Domain Controller, Web Server, File Server) and configuring disk partitions, network settings, and system parameters.

    • Core vs. GUI: Windows Server offers both Core (no GUI) and Desktop Experience (GUI) versions. Core is often preferred for reduced overhead and increased security.

  • Configuration:

    • Configure Active Directory (AD) for managing users, groups, and computers in a domain.

    • Set up DNS and DHCP services to handle name resolution and IP address management in a network.

    • Install and configure IIS (Internet Information Services) for hosting websites or applications.

    • Configure Remote Desktop Services (RDS) for remote access to the server.

  • Management:

    • Use Server Manager to manage server roles and features.

    • Use PowerShell for automation and scripting tasks (e.g., user creation, role assignment).

    • Windows Admin Center provides a centralized interface for managing multiple servers in an environment.

    • Regularly monitor performance using tools like Task Manager, Event Viewer, and Performance Monitor.

    • Perform backup and recovery operations using Windows Server Backup or third-party software.

8.1.3 Linux Software
  • Installation:

    • Linux distributions (e.g., Ubuntu, CentOS, Red Hat, Debian) can be installed from ISO images using a USB drive or network boot.

    • During installation, partition the disk, set up user accounts, configure networking, and choose packages (e.g., LAMP stack for web servers).

  • Configuration:

    • Configure network settings (static or dynamic IP, DNS settings) via network manager or directly through /etc/network/interfaces (depending on the distribution).

    • Install and configure system packages using the package manager (e.g., apt for Ubuntu/Debian, yum for CentOS/RedHat).

    • Set up user permissions, manage file systems, and configure firewall settings using tools like iptables or firewalld.

    • Configure security settings by installing security tools like SELinux, AppArmor, or Fail2ban.

  • Management:

    • System monitoring can be done using tools like top, htop, uptime, and syslog for logs.

    • Automate tasks with cron jobs for periodic tasks like backups, updates, or log rotations.

    • Package management tools like apt, yum, or dnf keep the system updated and manage installed software.

    • Use SSH for secure remote management and command-line administration.

    • Backup configurations and manage file permissions using rsync, tar, or automated backup systems like Bacula or Amanda.

8.1.4 Network Services
  • Installation and Configuration:

    • DNS (Domain Name System): Set up a DNS server using BIND (Linux) or Microsoft DNS (Windows Server) to resolve domain names into IP addresses.

    • DHCP (Dynamic Host Configuration Protocol): Set up a DHCP server to dynamically assign IP addresses to devices on the network (using isc-dhcp-server on Linux or Windows DHCP Server).

    • FTP (File Transfer Protocol): Configure an FTP server (e.g., vsftpd for Linux or FileZilla Server for Windows) to transfer files between devices securely.

    • Web Services (HTTP/HTTPS): Set up a web server like Apache or Nginx for hosting websites and SSL/TLS for secure HTTPS connections.

    • VPN (Virtual Private Network): Set up a VPN service (e.g., OpenVPN, WireGuard, or PPTP) to allow remote workers to securely access the internal network.

  • Management:

    • Use network monitoring tools like Nagios, Zabbix, or SolarWinds to monitor performance and ensure uptime.

    • Use tools like Wireshark or tcpdump to capture and analyze network traffic for troubleshooting.

    • Backup configurations regularly to ensure the availability of network services in case of failure.

8.1.5 Virtualized Environments
  • Installation:

    • Virtualization software like VMware vSphere, Hyper-V, or VirtualBox can be installed on a physical host to create virtual machines (VMs).

    • Choose the right hypervisor (Type 1 or Type 2) based on your environment and needs.

    • Set up virtual networks (vSwitches) and configure storage options (local or networked) for virtual machines.

  • Configuration:

    • Configure the virtual machines (VMs) with necessary operating systems, storage, and network interfaces.

    • Install and configure virtualized applications (e.g., web servers, database servers) in each VM.

    • Configure resource allocation (CPU, memory, storage) for each VM to ensure optimal performance.

    • Set up virtual machine snapshots for backup and recovery.

  • Management:

    • Use vCenter Server (for VMware environments) or Hyper-V Manager (for Windows environments) for centralized management of VMs and hypervisors.

    • Monitor virtual environments using vSphere Client or System Center Virtual Machine Manager.

    • Perform VM migration, cloning, and backup operations to ensure business continuity and disaster recovery.

    • Integrate containerization (e.g., Docker) with virtualization to deploy lightweight, scalable applications.

9.1 Converse Effectively and Correctly with a Customer

  • Active Listening: Pay close attention to what the customer is saying without interrupting. Let them fully explain the issue, and ask clarifying questions if needed.

  • Empathy: Show understanding and concern for the customer’s situation. Acknowledge their frustration or concerns and reassure them that you’re there to help.

  • Professional Tone: Use a professional, polite, and positive tone throughout the conversation. Maintain a calm and respectful demeanor, even if the customer is upset.

  • Language Clarity: Avoid jargon or technical terms that might confuse the customer. Use simple and clear language to explain complex issues.

  • Patient Communication: Be patient and allow the customer to express themselves fully. This helps in building trust and ensuring you have all the information to assist effectively.

9.2 Speak Clearly and to the Point When Conversing About Products and Solutions for the Customer

  • Be Concise: Keep your explanations short and to the point. Avoid unnecessary details that may overwhelm the customer.

  • Focus on the Solution: When explaining the product or solution, emphasize how it can address the customer’s specific needs or resolve their problem.

  • Clarity Over Complexity: Ensure that your explanations are easy to understand, and use analogies if necessary to simplify technical details.

  • Set Expectations: Be clear about what the customer can expect in terms of timelines, steps involved, and any follow-up needed.

9.3 Repeat Name, Location, and Phone Number Back to the Customer During Technical Support Conversations

  • Verification for Accuracy: Confirming the customer’s details (name, location, phone number) ensures the accuracy of your records and helps in case there’s a need for follow-up or escalation.

  • Clear Communication: Repeating key details shows attentiveness and reassures the customer that you are paying attention to their information.

  • Build Trust: When customers feel their information is being handled securely and accurately, they are more likely to feel comfortable and trust the support process.

9.4 Take the Needed Actions to Fix the Customer’s Problem

  • Diagnosing the Issue: Use effective troubleshooting methods to identify the root cause of the customer’s issue. Ask targeted questions and perform the necessary checks.

  • Clear Instructions: If the solution requires customer action, provide clear, step-by-step instructions. Make sure the customer understands what to do.

  • Follow Through: If the solution requires additional steps or follow-up, make sure the customer is aware of the process. Take ownership of the situation until it's resolved.

  • Escalation When Needed: If the problem requires escalation, do so promptly. Let the customer know their issue is being escalated to a more specialized team, and ensure they know what to expect.

9.5 Close the Conversation with a Positive, Reassuring Attitude

  • Reassure the Customer: Before ending the conversation, reassure the customer that their issue has been resolved or is being handled. Offer any additional support if needed.

  • Thank the Customer: Thank the customer for their time and patience. Express appreciation for their business or for using your service.

  • Encourage Future Contact: Let the customer know that they can always reach out again if they need further assistance. This helps to create an open line of communication.

  • End on a Positive Note: Finish with a positive, friendly tone to leave the customer with a good impression of the support they received. For example, “I’m happy we were able to resolve this today. Don’t hesitate to call again if you need anything else!”
