CCNA 2023 Final

Uploaded by ahmadbash09878

Copyright Ⓒ ZoomByte | CCNA 1

CCNA class in Zoom Byte
• CCNA 200-301
• Full outline
• Video training (4k & Full HD)
• Lab Practice
• Practical training
• All required software included
• Training support
• Official reference Book
• Passing online guide
• 100% Passing Guarantee

CCNA Exam Information
• Exam Name: Cisco CCNA with 200-301 exam code
• Only one exam with no Pre-requisites
• Number of Questions: 100-110
• Exam time: 120-150 Minutes
• Exam Fee: 300$
• English or Japanese language
• Validity duration: 3 Years
• 825/1000 score at least
• Simulation questions
• Single choice, multiple choice, drag & drop
• Scenario- and exhibit-based questions and simulations
• No calculator and no "previous question" button
• Result at the End
Our Recommendations
• Practice each lecture 3 times
• Complete CCNA 200-301 Class
• Complete & Practice All Technologies
• Study the CCNA Cert. Guide for more
• Focus on knowledge gaps
• Study & Practice Passing online toolkit
• Set a date and be committed
• Don’t stop at CCNA, go ahead
• Think positive!

Cisco Certification Path

OSI and TCP/IP Models

Introduction to Networking Devices
• Switch Layer 2 & Layer 3
• Routers: Expandability: Media: Operating system features:
• Access Points & Wireless Routers
• Wireless LAN Controller
• Cisco VOIP
• Firewalls: Software or Hardware | stateful connections
• Servers
• Media
• Network Printers
• Security Cameras
• NVRs
• Cisco Telepresence

Next Generation Firewall

Next Generation Firewall
Traditional firewall: An NGFW performs traditional firewall functions, such as stateful firewall
filtering, NAT/PAT, and VPN termination.

Application Visibility and Control (AVC): AVC makes it possible to look deeply into the application
layer data to identify the application to defend against attacks that use random port numbers.

Advanced Malware Protection (AMP): AMP can block file transfers that would install malware and
save copies of files for later analysis.

Uniform resource locator (URL) filtering: URL filtering examines the URLs in each web request,
categorizes the URLs, and either filters or rate limits the traffic based on rules. The Cisco Talos
security group monitors and creates reputation scores for each domain known in the Internet, and
URL filtering can use those scores in its decisions to categorize, filter, or rate limit.

NGIPS: Cisco’s NGFW products can also run their NGIPS feature along with the firewall.

IPS vs IDS

Endpoint Devices

Servers

Media Types
• Coaxial
• Twisted pair
• Fiber optic
• Wireless
• Cross & straight cable
• LAN & WAN cable
• Cable length:
• Cost:
• Bandwidth:
• Ease of installation:
• Susceptible to EMI/RFI:

Network Device Icon

Network Topology

Virtualization
• Virtualization benefits
• Host OS | Guest OS
• Snapshot or Checkpoint
• Cluster
• Type 1 and Type 2 Hypervisor
• Nested Virtualization
• Container and Docker virtualization
• Virtual Switches and Virtual NICs
• AWS, Microsoft, AliBaba … VMs

Introduction to Packet Tracer

Basic Configuration

Power Over Ethernet
• Negotiates inline power with the powered device
• No need for power adapter
• Central Backup (UPS)
• CDP & LLDP negotiate

Power Over Ethernet
• Mode A {pin 1,2,3,6}
• Mode B {pin 4,5,7,8}

TCP vs UDP

TCP Port #

TCP vs UDP headers

ARP address resolution protocol

IP Address Management
• Subnetting (keep the network)
• Supernetting (keep the host)
• Reverse engineering
• VLSM
• Route summarization

- Prevents waste of IP addresses
- Better management
- Faster neighborship / forwarding
- Each VLAN uses a different subnet
- A router connects different subnets

• Routing protocols
• Routed protocols
• Autonomous system
• IGP vs EGP
• Static route and dynamic route differences

Static and Default Route
• Manual or static configuration
• For small networks
• Reliable connection
• Administrative distance 1
• Not used in a large network
• Mutual configuration
• Not used when the network is expected to scale
• Connected network
• Non-connected network
• Next hop or exit interface
• Unidirectional configuration
• Stub network
• To ISP site
• Gateway of last resort
• Do not configure the default route bidirectionally

When to use a static route:
• In a small network that requires only simple routing
• In a hub-and-spoke network topology
• When you want to create a quick ad hoc route
• As a backup when the primary route fails

Open Shortest Path First (OSPF)
• IGP > Dynamic > Link-state
• Open standard (IETF)
• Administrative distance = 110
• 3 tables (Routing, Topology, Neighbor)
• Dijkstra Shortest Path First (SPF) algorithm
• Primary and backup route
• Metric = cost
• Cost = 100 / bandwidth (reference bandwidth of 100 Mbps divided by the interface bandwidth in Mbps)
• Multicast: 224.0.0.5 & 224.0.0.6
• Multicast MAC addresses: 01-00-5E-00-00-05 and 01-00-5E-00-00-06
• In the IP packet header the protocol field is set to 89 to indicate OSPF
• Equal-cost load balancing
• Default maximum equal-cost paths = 4
• Hello: 10 sec | Dead: 40 sec
• Hello 30 sec / Dead 120 sec on NBMA, Frame Relay and ATM networks

OSPF cont.…
• Area-based
• Area 0 is the central (backbone) area
• All other areas must connect to area 0
• Virtual Link
• Area Border Router (ABR)
• Autonomous System Boundary Router (ASBR)
• Manual Summarization on ABR and ASBR
• Designated Router and Backup DR
• OSPF Process-ID
• Wild Card Mask
• OSPF Router-ID
• Network cmd in OSPF

OSPF Cont.…
• Determine the router ID (highest physical interface IP, highest loopback IP, or the configured router-id)
• Add the interfaces to the link-state database
• Send hello messages on the interface
• Receive hello packets
• Reply with hello (reset the dead timer, or add as a new neighbor)
• Master/slave relationship:
  Master: the highest priority or router ID
  Master sends DBD packets
  Slave sends its DBD
• DBDs are received and acknowledged:
  Slave requests details (LSR)
  Master sends updates (LSU), and vice versa
• Neighbors are synchronized

OSPF Neighborship states
• Hello
• DBD: database description
• LSR: link-state request
• LSU: link-state update (contains LSAs)
• LSAck: link-state acknowledgment
• Packet types: Hello (Type 1), DBD (Type 2), LS Request (Type 3), LS Update (Type 4), LS Ack (Type 5)

OSPF Advanced
• OSPF routers refresh their LSAs every 30 min
• OSPF uses link-state advertisements (LSAs) to announce topology changes
• An OSPF LSA contains: prefix / metric / router ID / source ...
• All internal routers must have the same image of the network
• SPF is run on the link-state database (LSDB) to find the best (lowest-cost) paths to all destinations
• auto-cost reference-bandwidth
• Build and maintain the OSPF database with LSAs and hellos
• Contiguous network
• What two OSPF neighbors must have in common
• Wireshark capture of hello packets
• Passive interface
• default-information originate

OSPF Neighborship types
• OSPF has two neighborship classes:
• 2-Way Neighbors
• Fully adjacent neighbors

• Modifying the hello and dead timers

OSPFv2 and OSPFv3 Difference

OSPF network types



Enhanced Interior Gateway Routing Protocol (EIGRP)
• Cisco Routing Protocol
• Open standard since March 2013, IETF since 2016
• Derived from IGRP
• Supports IPv4, IPv6, AppleTalk, IPX
• IGP > Dynamic > Hybrid or Adv. Distance Vector
• 3 Table (Routing, Topology, Neighbor)
• Interface or connected network table
• keep backup route
• Successor and Feasible successor
• DUAL= Diffusing Update Algorithm
• Metric = K calculation
• Bandwidth (k1), Load (k2), Delay (k3), Reliability (k4), MTU (k5)

EIGRP cont…
• Unequal-cost load balancing
• Hello = 5 sec / Hold = 15 sec | 60/180 on T1 connections
• Multicast: 224.0.0.10 – MAC: 0100.5E00.000A – IPv6: FF02::A
• Neighbors' interface primary IP addresses must be in the same subnet
• Autonomous system based (AS number must be the same)
• Auto-summary is enabled by default
• Maximum hop count = 255, default = 100
• Route summarization is configured per interface
• Supports: multicast, VLSM, authentication (MD5), classless routing
• Two EIGRP routers must match: AS number | K values | subnet | authentication
• Fast convergence
• AD: internal 90 | external 170
• Full update for a new neighbor, partial update for new changes
• Dynamically discovers other EIGRP routers
• Reliable Transport Protocol (RTP) – IP protocol number 88
• EIGRP timers can be different on the two routers
• Configuration review:
  1) neighboring
  2) discover neighbors by multicast
  3) advertise networks
  4) wildcard mask or no auto-summary

Routing Protocols parameters
3.1 Interpret the components of routing table
3.1.a Routing protocol code
3.1.b Prefix
3.1.c Network mask
3.1.d Next hop
3.1.e Administrative distance
3.1.f Metric
3.1.g Gateway of last resort

3.2 Determine how a router makes a forwarding decision by default


3.2.a Longest match
3.2.b Administrative distance
3.2.c Routing protocol metric

3.3 Configure and verify IPv4 and IPv6 static routing


3.3.a Default route
3.3.b Network route
3.3.c Host route
3.3.d Floating static
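Added example, not from the slides: a small Python model of the forwarding decision in 3.2 (longest match, then administrative distance, then metric) and of the floating static route in 3.3.d, run against a constructed routing table. The AD values and prefixes are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Route:
    """One entry of a routing table (modelled, not parsed from a real 'show ip route')."""
    code: str            # routing protocol code: C, S, S*, O, D, R ...
    prefix: str          # prefix and mask in CIDR form
    next_hop: str        # next hop or exit interface
    admin_distance: int  # AD: trust in the route source (lower wins)
    metric: int          # protocol metric (lower wins)


# Constructed sample table. It deliberately holds the same prefix from two
# sources so the administrative-distance step has something to decide; on a
# real router that comparison happens when the route is installed, so
# 'show ip route' would already show only the winner.
SAMPLE_TABLE: List[Route] = [
    Route("C",  "10.1.1.0/24", "GigabitEthernet0/0", 0,   0),
    Route("O",  "10.2.0.0/16", "10.1.1.2",           110, 20),
    Route("O",  "10.2.0.0/16", "10.1.1.3",           110, 20),    # equal-cost twin
    Route("O",  "10.2.2.0/24", "10.1.1.2",           110, 30),
    Route("D",  "10.2.2.0/24", "10.1.1.4",           90,  3072),  # EIGRP: lower AD than OSPF
    Route("O",  "10.3.0.0/16", "10.1.1.2",           110, 40),
    Route("S",  "10.3.0.0/16", "10.1.1.9",           115, 0),     # floating static: AD 115 > 110
    Route("S*", "0.0.0.0/0",   "203.0.113.1",        1,   0),     # gateway of last resort
]


def longest_match(table: List[Route], dst: str) -> List[Route]:
    """Step 1: keep the routes whose prefix contains dst, then only the longest prefixes."""
    ip = ipaddress.ip_address(dst)
    matching = [r for r in table if ip in ipaddress.ip_network(r.prefix)]
    if not matching:
        return []
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in matching)
    return [r for r in matching if ipaddress.ip_network(r.prefix).prefixlen == longest]


def best_routes(table: List[Route], dst: str) -> List[Route]:
    """Longest match, then lowest administrative distance, then lowest metric.
    Every route that ties on all three is returned (equal-cost load balancing)."""
    routes = longest_match(table, dst)
    if not routes:
        return []
    best_ad = min(r.admin_distance for r in routes)
    routes = [r for r in routes if r.admin_distance == best_ad]
    best_metric = min(r.metric for r in routes)
    return [r for r in routes if r.metric == best_metric]


def drop_next_hop(table: List[Route], next_hop: str) -> List[Route]:
    """Model a failed neighbor: routes learned via next_hop are withdrawn, which is
    the moment a floating static route (higher AD) takes over."""
    return [r for r in table if r.next_hop != next_hop]


if __name__ == "__main__":
    for dst in ("10.1.1.50", "10.2.2.10", "10.2.5.1", "10.3.1.1", "192.0.2.5"):
        chosen = best_routes(SAMPLE_TABLE, dst)
        print(dst, "->", [(r.code, r.prefix, r.next_hop) for r in chosen])
    after_failure = drop_next_hop(SAMPLE_TABLE, "10.1.1.2")
    print("10.3.1.1 after losing 10.1.1.2 ->",
          [(r.code, r.next_hop) for r in best_routes(after_failure, "10.3.1.1")])
```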

Switching Concept
• Symmetric and Asymmetric Switching
• Memory Buffering (Port-based memory | Shared memory)
• Logical Link Control (LLC) sublayer: Defined in the 802.2 standard
• Media Access Control (MAC) sublayer: Defined in the 802.3 standard
• CSMA/CD | CSMA/CA | Collision & Broadcast domain
• Frame switching
• MAC address table
Switching forwarding methods:
✓ Store-and-forward switching
✓ Cut-through switching
✓ Fragment-free mode (64 Bytes)

Ethernet Framing

Virtual Local Area Network
• Switching Feature
• Logically separate our LAN
• Small Broadcast domain
• Better QoS, Security and Management
• Cost reduction
• Each VLAN requires a different subnet
• VLAN 1 (default)
• VLAN number range: 0 to 4095
• Primary (normal) VLAN range: 1 to 1005
• Extended VLAN range: 1006 to 4094
• Reserved VLAN numbers: 0, 4095, 1002, 1003, 1004, 1005
• VLAN database stored in flash:vlan.dat

VLAN Types & DTP VLAN connectivity
• Data VLAN
• Voice VLAN
• Management VLAN
• Black hole VLAN / dead VLAN
• Native VLAN
• Default VLANs (1, 1002, 1003, 1004, 1005)
• Wireless VLAN

Switchport modes:
▪ Access: end-user ports – carry a single VLAN
▪ Trunk: links to connectivity devices (switch, WAP, router) – carry multiple VLANs
▪ Dynamic (DTP): auto + auto = access; auto + desirable = trunk; desirable + desirable = trunk

DTP (Dynamic Trunking Protocol):
• Cisco protocol
• Negotiates trunking
• Auto and desirable modes
• VLAN filtering on a trunk

Routing Different VLANs
• Inter VLAN Routing
• Inter VLAN Routing (Load Balancing mode)
• Router on A Stick
• Switch Virtual Interface (SVI)

Cisco Discovery Protocol
• Cisco proprietary protocol
• Identifies directly connected Cisco devices
• Works at Data-Link layer (Layer2)
• No need for IP address just ports should be up
• 60 seconds interval, hold timer 180 seconds
• Shows the neighbor Device ID – Address – Port ID
– Capabilities – Version - Platform IOS, Device
Type, Duplex, VLANs.
• Enabling and disabling CDP globally and interface.
• While the CDP Version 1 prohibits native VLAN
information to pass between Cisco switches,
Version 2 can pass native VLAN information.

Link Layer Discovery Protocol
• Similar to CDP protocol
• IEEE 802.1ab open standard protocol
• Type-Length Value (TLV)
• 30 sec interval
• 120 sec hold time

Spanning Tree Protocol
• Ethernet bridging loops
• Switching redundancy feature
• IEEE 802.1D open standard
• Single point of failure
• Hierarchical design
• Root bridge
• Bridge ID (2-byte priority + 6-byte MAC)
• BPDU: Bridge Protocol Data Unit
• STP port roles (Designated, Root, Blocked)
• STP port states (Disabled > Listening > Learning > Forwarding / Blocking)
• Root election
• STP port cost

Problems caused by Layer 2 loops:
• Broadcast storms: each switch floods broadcasts endlessly.
• Multiple-frame transmission: multiple copies of unicast frames are delivered to the destination, causing unrecoverable errors.
• MAC database instability: instability in the content of the MAC address table results from different ports of the switch receiving copies of the same frame.

STP advanced concepts
• Only the root bridge originates BPDUs, every 2 seconds
• BPDU multicast MAC: 01-80-C2-00-00-00
• Two types of BPDU: configuration BPDU and TCN (topology change notification) BPDU
• STP root port election (lowest port cost, bridge ID, port number, port priority)
• STP timers (BPDU hello: 2 sec, forward delay: 15 sec, max age: 20 sec)
• These default timers are derived from a maximum network diameter of seven switches
• STP port priority 0-255 (default 128)
• Modifying STP timers

Switch Hierarchical design

STP Types & solutions

PortFast & BPDU Guard
• Skips the listening and learning states
• Ports directly connected to end users and hosts should be PortFast
• A PortFast port goes directly to the forwarding state
• Edge port in RSTP
• BPDU Guard concept & configuration
spanning-tree portfast default {configure trunking first, since this applies to access ports}
spanning-tree portfast
switchport host (access, PortFast, BPDU Guard)

Rapid STP
• IEEE open standard 802.1w
• Designed to speed up convergence
• Bidirectional BPDU sending (every switch originates its own BPDUs)
• BPDUs are now used as a keepalive message
• Hello interval 2 sec; a neighbor is declared lost after 6 sec (three missed hellos), versus the 20 sec max age of 802.1D
• A full-duplex link is considered point-to-point
• A half-duplex link is considered shared
• Port roles: root port, designated port,
• Backup port (hub / shared segment)
• Alternate port (switch)
• Discarding state (replaces disabled, blocking and listening)
• Learning and forwarding states remain
• Built-in UplinkFast, edge port (PortFast) and BackboneFast
• BPDU flags (proposal and agreement) on non-edge ports
• Convergence is based on negotiation, not on timers

EtherChannel
• Redundancy feature
• Aggregates multiple physical connections
• Fast performance, no Ethernet loop
• Logically one interface: Port-channel
• 2 to 8 connections
• All ports must have the same: speed, duplex, access/trunk mode, protocol
• Load balancing: per connection / stream
• Two protocols: Link Aggregation Control Protocol (LACP, IEEE 802.3ad) and Port Aggregation Protocol (PAgP, Cisco)
• Configuration is done mostly on the port-channel interface, not on the physical ports

Implementation restrictions on the 2960 series:
• Fast Ethernet and Gigabit ports cannot be mixed within the same EtherChannel
• Each EtherChannel can consist of up to eight compatibly configured ports
• Cisco IOS Software currently supports up to six EtherChannels
• The EtherChannel configuration must be consistent on the two switches. The trunking configuration (native VLAN, allowed VLANs, and so on) must be the same. All ports also must be Layer 2 ports.
• All ports in the EtherChannel must be Layer 2 ports, or all ports within the EtherChannel must be Layer 3 ports.

L3 EtherChannel & Misconfiguration Guard
• EtherChannel member ports share a single MAC address and port ID
• Enabled by default
• Detects, from the port IDs in received BPDUs, whether the far side is not bundled (multiple port IDs means no EtherChannel there)
• Places the ports in err-disabled state
port-channel load-balance ?
spanning-tree etherchannel guard misconfig
show spanning-tree summary

Match Settings
• Port type
• Port mode
• Native VLAN
• Allowed VLANs
• Speed
• Duplex
• MTU
• Load interval
• Storm control

Introduction to the Internet
• ARPANET was the network that became the basis for
the Internet. Based on a concept first published in 1967,
ARPANET was developed under the direction of the U.S.
Advanced Research Projects Agency (ARPA).
• Circa 1969
• 4 Nodes

Interface Message Processor (IMP)
• The first packet switch
• 12000 words of memory
• Price: $82,000
• Used at ARPANET

The ARPANET Growing up…
• Circa 1977
• 100 Nodes
• <4.3 billion addresses
• Address size of 2^32 (32-bit addresses)

TCP/IP Inventor
• Dr. Vinton Cerf and Robert Elliot "Bob" Kahn
• Program Manager of the ARPANET
• The first time IP used in ARPANET
• Now Chief Internet Evangelist at Google

IPv4 address exhaustion & short-term solutions by the IETF

IANA Runs out of IPv4
• In 2011 IANA ran out of IPv4 address space
• Distributed the last /8 block to RIRs

IPv6 Long Term Solution


• First specified in 1995
• Formalized in 1998
• Where is IPv5 ???
• IPv6 usage now

IPv6 Introduction
• 128 bits
• 8 quartets (fields)
• Fields separated by colons (:)
• 340 Undecillion
• Unicast, Multicast, Anycast
• No Broadcast
• No subnet mask
• /Prefix length
• Global ID and Interface-ID
• /32 up to /56
• 340,282,366,920,938,463,463,374,607,431,768,211,456

IPv6 Benefits
• Extended address space
• Stateless address auto-configuration
• Eliminates the need for NAT/PAT
• Simpler header
• Mobility and more security: IPsec is enabled on every IPv6 node and is available for use,
making the IPv6 Internet

Abbreviation and Expansion of IPv6
• Drop the leading zeros in each field
• A field of all zeros becomes a single 0
• Replace one run of consecutive all-zero fields with ::

Global Unicast Address

Link Local IPv6 Address
• Link-local connectivity only
• Automatically assigned; serves as a backup IP address
• Comparable to APIPA in IPv4; used as the next hop
• Link-local addresses are configured in one of three ways:
1. Dynamically, using EUI-64
2. Using a randomly generated interface ID
3. Statically, entering the link-local address manually
• Structure:
FE80::C8B1:DEFF:FE64:53F9
• EUI-64, modified EUI-64, random interface ID
• Range: FE80::/10 (first quartet FE80 to FEBF)

Unique Local
• Like IPv4 Private Address not routable to internet & WAN
• IPv6 ULAs are globally unique.
• Allow sites to be combined or privately interconnected without address conflicts or renumbering
• Remain independent of any Internet service provider and can be used within a site without having Internet connectivity
• If accidentally leaked outside a site by either routing or DNS, they don't cause a conflict with any other addresses

Embedded IPv4 Address
• Features such as NAT-PT (now deprecated) and NAT64 are required to translate between the two
address families.
• IPv4-mapped IPv6 addresses are used by transition mechanisms on hosts and routers to create IPv4
tunnels that deliver IPv6 packets over IPv4 networks.
• The address does not have to be globally unique.
• Communicate and exchange data over the Internet between embedded devices and other devices on
the network, such as servers, smartphones, and laptops.
• Increasingly popular in recent years due to the widespread use of the Internet and the growth of the
(IoT) and connected devices.

Multicast Address
• IPv4 multicast: 224.0.0.0 – 239.255.255.255
• IPv4 multicast MAC: 0100.5Exx.xxxx
• IPv6 multicast: addresses starting with FF
• IPv6 multicast MAC: 33-33-xx-xx-xx-xx, e.g. 33-33-00-00-00-0D | 33-33-00-01-00-03
• RIP: 224.0.0.9 | FF02::9
• OSPF: 224.0.0.5, 224.0.0.6 | FF02::5, FF02::6
• EIGRP: 224.0.0.10 | FF02::A
• All nodes: 224.0.0.1 | FF02::1 – RA packets
• All routers: 224.0.0.2 | FF02::2

Solicited-Node Multicast
• Automatically created; used by both NDP (neighbor solicitation) and DAD
• The unspecified address :: is used as the source when a device does not yet have a valid address, e.g. during DAD for its link-local address
• FF02::1:FF00:0/104 multicast prefix
• Plus the least significant 24 bits of the unicast address
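Added example, not from the slides: Python helpers that carry out the abbreviation and expansion rules above, derive a link-local address from a MAC with modified EUI-64, and build the solicited-node multicast address and its 33-33 MAC. The MAC address used is constructed so that it produces the slide's FE80::C8B1:DEFF:FE64:53F9.

```python
import ipaddress  # only used for the stdlib cross-check at the bottom


def expand_ipv6(addr: str) -> str:
    """Undo the abbreviations: restore the zero fields hidden by '::' and pad
    every field back to four hex digits."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        left, right = addr.split("::")
        left_fields = left.split(":") if left else []
        right_fields = right.split(":") if right else []
        missing = 8 - len(left_fields) - len(right_fields)
        if missing < 1:
            raise ValueError("'::' must stand for at least one field")
        fields = left_fields + ["0"] * missing + right_fields
    else:
        fields = addr.split(":")
    if len(fields) != 8 or any(not 1 <= len(f) <= 4 for f in fields):
        raise ValueError("IPv6 address needs 8 fields of 1-4 hex digits")
    return ":".join(f.zfill(4).lower() for f in fields)


def compress_ipv6(addr: str) -> str:
    """Apply the abbreviation rules: drop leading zeros per field (an all-zero
    field becomes '0'), then replace the longest run of two or more zero fields
    with '::' (RFC 5952: leftmost run wins a tie; a single zero field is kept)."""
    fields = [f.lstrip("0") or "0" for f in expand_ipv6(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if fields[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and fields[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(fields)
    left = ":".join(fields[:best_start])
    right = ":".join(fields[best_start + best_len:])
    return f"{left}::{right}"


def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64: split the 48-bit MAC in half, insert FFFE between the
    halves, and flip the universal/local bit (0x02 of the first byte)."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError("MAC address must contain 12 hex digits")
    first = int(hexdigits[0:2], 16) ^ 0x02
    eui = f"{first:02x}" + hexdigits[2:6] + "fffe" + hexdigits[6:]
    return ":".join(eui[i:i + 4] for i in range(0, 16, 4))


def link_local_from_mac(mac: str) -> str:
    """FE80::/64 plus the modified EUI-64 interface ID."""
    return compress_ipv6("fe80:0:0:0:" + eui64_interface_id(mac))


def solicited_node(addr: str) -> str:
    """FF02::1:FF00:0/104 plus the least significant 24 bits of the unicast address."""
    low24 = expand_ipv6(addr).replace(":", "")[-6:]
    return compress_ipv6(f"ff02:0:0:0:0:1:ff{low24[:2]}:{low24[2:]}")


def multicast_mac(group: str) -> str:
    """IPv6 multicast MAC: 33-33 followed by the low 32 bits of the group address."""
    low32 = expand_ipv6(group).replace(":", "")[-8:]
    return "33-33-" + "-".join(low32[i:i + 2] for i in range(0, 8, 2)).upper()


if __name__ == "__main__":
    mac = "ca:b1:de:64:53:f9"  # constructed; yields the slide's FE80::C8B1:DEFF:FE64:53F9
    ll = link_local_from_mac(mac)
    sn = solicited_node(ll)
    print(mac, "->", ll, "->", sn, "->", multicast_mac(sn))
    assert compress_ipv6(ll) == str(ipaddress.IPv6Address(ll))  # cross-check with stdlib
```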

Anycast
• Access to the nearest / closest destination
• It can be same at many destination server
• It is a GUA with some configuration

IPv6 distributed and remaining…

IPv6 Subnetting

EIGRPv6 & OSPFv3 & Static , Default
• Next hop is the neighbor's link-local address
• Uses the IPv6 authentication feature
• No auto-summarization
• Neighbors don't need to be in the same subnet
• EIGRPv6 sends updates to FF02::A
• Enabled in interface configuration mode
• Router ID must be set manually
• EIGRPv6 configuration and verification

IPv6 protocols:
• ICMPv6
• DHCPv6
• ARP > NDP
• RIPng
• OSPFv3
• IS-ISv6
• EIGRPv6
• MP-BGPv4

Stateless Address Autoconfiguration
• Stateless address auto configuration (SLAAC): A host dynamically learns the /64 prefix through
the IPv6 Neighbor Discovery Protocol (NDP) and then calculates the rest of its address by using
the EUI-64 method.
• DHCPv6: This works the same conceptually as DHCP in IPv4.
• DHCPv6 Configuration & Verifying in Cisco Router

Migration to IPv6
• Dual Stack - recommended
• NAT-PT – is now deprecated
“NAT64 is a technology that allows IPv6-only
devices to communicate with IPv4-only
devices by translating the IPv6 addresses
used by IPv6-only devices into IPv4 addresses
that can be understood by IPv4-only devices,
and vice versa. This technology is useful for
organizations that are in the process of
transitioning to IPv6 but still have some IPv4-
only devices on their network.”

• Tunneling

Dynamic Host Configuration Protocol (DHCP)
• UDP 67,68
• Easy IP Management and distribution
• Dynamically assign TCP/IP settings (IP,SM,DG,DNS,DomainName)
• Pool/Scope {range of IP}
• Excluded Address {reserve for specific purpose}
• APIPA 169.254.x.x
• DORA process
• Multi DHCP Pool
• DHCP Relay Agent - verifying
• DHCP port Numbers

DHCP cont…
• By default, the ip helper-address command forwards the following eight UDP services:
• Port 37: Time
• Port 49: TACACS
• Port 53: DNS
• Port 67: DHCP/BOOTP server
• Port 68: DHCP/BOOTP client
• Port 69: TFTP
• Port 137: NetBIOS name service
• Port 138: NetBIOS datagram service
• To specify additional ports, use the global command ip forward-protocol udp [port-number | protocol]. To disable forwarding of broadcasts for a particular protocol, use the no form of the command.

DHCP Cont…
• Configuring Router as a DHCP Client
• No service dhcp
• R1# show ip dhcp binding
• R1# show ip dhcp server statistics
• IP Assign to different O.S.

DHCPv6
• IPv6 has two methods for automatically obtaining a global unicast address:
• Stateless address autoconfiguration (SLAAC)
• Stateful DHCPv6 (Dynamic Host Configuration Protocol for IPv6)

Network Address Translation (NAT)
• RFC 3022 NAT RFC - RFC 1918 Private IP RFC
• Prevents waste of IPv4 addresses
• Translates private IPv4 to public & vice versa
• Translates IPv4 to IPv6 & vice versa
• Runs on the stub network's edge router
• Helps secure the network by hiding internal addresses
• No readdressing needed when changing ISP
• NAT types: static / dynamic / PAT (overloading)
• Multi-step NAT
• NAT cons: breaks end-to-end functionality; complicates traceroute & ping
• NAT cons: performance is degraded

Network Time Protocol (NTP)
• UDP# 123
• Version 3 for ipv4 and version 4 for ipv6
• Synchronize the accurate time in network devices
• Accurate time is required for logging, certificate, license…
• NTP Master and NTP server
• Stratum Number 1…..15
• NTP configuration

Domain Name System (DNS)
• UDP & TCP port 53
• Converts name to IP & IP to name
• What are DNS records?
• DNS settings on a router

DNS record types:
A: an end device IPv4 address
NS: an authoritative name server
AAAA: an end device IPv6 address (pronounced "quad-A")
MX: a mail exchange record

Domain Name System (DNS)
• DNS Troubleshooting:
o ipconfig
o ipconfig /all
o ipconfig /release
o ipconfig /renew
• Assign of IP in different O.S.

System Logging
• UDP # 514
• Shows the internal status of network devices
• Gathers logging information for monitoring and troubleshooting
• Syslog server
• Syslog to console & VTY
• Syslog severity levels 0 to 7 (levels 0 to 6 logged by default)
• Syslog to buffer & logging buffer size
• Debug output

R1(config)# logging trap 4
R1(config)# logging trap warning
R1(config)# logging source-interface g0/0
R1(config)# no service timestamps
R1(config)# service sequence-numbers

Simple Network Management Protocol
• Application Layer protocol – UDP # 162
• Monitoring and troubleshooting the internal status of network devices
• SNMP Manager | SNMP Agent | OID | MIB | SNMP trap | SNMP request
• Get | GetNext | GetBulk to ask an agent for information
• Set messages to change a device parameter
• An SNMP agent can use SNMP traps to independently notify the NMS when a problem occurs
• An SNMP agent can also be configured to send a trap message when CPU utilization deviates from the normal values for the network
• SNMP version 1 | 2 | 3 differences
• SNMPv3 (View, Group, User)
• noAuthNoPriv | authNoPriv | authPriv

• SNMPv1 and SNMPv2c use community strings that control access to the MIB. Community strings are
plaintext passwords. Two types of community strings exist:
• Read-only (ro): Provides access to the MIB variables but does not allow these variables to be changed.
• Read-write (rw): Provides read and write access to all objects in the MIB
• PRTG software and configuration
• Cisco SNMP object Navigator

Quality of Service (QoS)

• Congestion: more ingress traffic than egress capacity
• On edge devices
• Enabled on switches by default
• QoS focuses on: bandwidth management | delay | loss | jitter
• QoS terminology: buffer, queuing, policing and shaping, labeling and scheduling, dropping

QoS introduction
• Normal or Default operation FIFO {First in First out}
• Traffic characteristics that QoS tools manage:
1. Latency (Delay)
2. Jitter
3. Loss
4. Bandwidth

SSH Secure Shell
• TCP # 22
• Secure remote login to network devices
• Better than Telnet
• Encrypted communication
• Username and password
• K9 IOS & Domain-name
• Wireshark
• HTTP in Browser check
• Show ip ssh
• Show ssh

Router & Switch Password Recovery
• 1. If boot field = 0, use the ROMMON OS.
• 2. If boot field = 1, load the first IOS file found in flash memory.
• 3. If boot field = 2, boot from flash; multiple IOS images can be chosen.
boot system (global configuration mode)

Backup using TFTP
• Trivial File Transfer Protocol
• UDP 69
• Backup from IOS
• Backup from configuration

First-Hop Redundancy Protocols

Hot Standby Router Protocol (HSRP)
• Cisco proprietary | RFC 2281
• Active / Standby router
• Active = higher priority, or the higher IP address when priorities tie
• Priority : 0 - 255
• All other routers are in listen state
• Virtual IP address should not be same as interface IP
• Virtual Mac address manually or 0000.0C07.ACXX
• Group number 0 – 255 , must be same
• Preemption disable by default
• Multicast to 224.0.0.2 using UDP 1985
• HSRP state: Disable, Initial , Learn, Listen , speak , standby, active
• Hello: 3 sec and Hold down : 10 sec
• HSRP Load balancing = Per VLAN/Network/Group
• HSRP authentication using key-chain
HSRP Versions

Collapsed Core or Two-Tier

Three-tier Architectures

Spine and Leaf
• A topic from CCNA Design
• A data center structure
• Same as the hierarchical switching design, with load balancing capability and no STP or broadcast issues, using routing
• Best way for fast east-west traffic flow
• As well as north-south flows
• For a 100% SLA at any time
• Cisco ACI uses this design

Topology rules:
• Each leaf switch must connect to every spine switch.
• Each spine switch must connect to every leaf switch.
• Leaf switches cannot connect to each other.
• Spine switches cannot connect to each other.
• Endpoints connect only to the leaf switches.

WAN Architecture

Small Office Home Office (SOHO)

Cloud Architecture

Access Control List (ACL)
• Access control
• Permission grant or restriction
• Packet based filtering
• Used in NAT, QoS, route filtering, route-maps …
• ACL types: Standard & extended
• Implicit deny
• ACL sequence number
• Inbound & outbound ACL

Three Basic Concepts of Network Security

• Confidentiality
Only the authorized individuals/systems can view sensitive or classified information.

• Integrity
Changes made to data are done only by authorized individuals/systems.

• Availability
Data should be accessible whenever needed.

Security Terminology
• Asset: It is anything that is valuable to an organization.
• Vulnerability: An exploitable weakness in a system or its design.
• Threat: A threat is any potential danger to an asset.
• Risk: The potential for unauthorized access to, compromise, destruction, or damage to an asset.
• Countermeasure: A safeguard that somehow mitigates a potential risk.
• Exploit: A piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior on computer software, hardware, or something electronic (usually computerized).

Security Terminology

• Password Policy
• Management Policy
• Mitigation Techniques
• User awareness
• User training

Asset Classification

Classifying Vulnerabilities

• Policy flaws
• Design errors
• Protocol weaknesses
• Misconfiguration
• Software vulnerabilities
• Human factors
• Malicious software
• Hardware vulnerabilities
• Physical access to network resources

Introduction to an Attack
• An attack is the process of attempting to steal data, destroy data, gain unauthorized access to a device, or even shut down/disable a system, preventing legitimate users from accessing the resources.
• Types of Attack:
o Reconnaissance
o Social Engineering
o Privilege escalation
o Back door
o Code execution
o Trust exploitation
o Brute force
o Botnet
o DoS and DDoS
Man in the Middle attack
• When attackers place themselves in line between two devices that are communicating, with the
intent to perform reconnaissance or to manipulate the data as it moves between them.
• Examples: ARP poisoning, DAI, fake root, rogue router, rogue DHCP.

Fundamental Security Principles to Network Design
• Rule of Least Privilege
• Defense in depth
• Separation of duties
• Auditing

Motivation behind the attack

• Financial
• Disruption
• Geopolitical

Distributed Denial of Service (DDoS) Attack

• Directed
• Reflected
• Amplification

Social Engineering

• Phishing
• Malvertising
• Phone scams

Defense against social engineering

• Password management
• Two-factor authentication
• Antivirus/antiphishing defense
• Change management
• Information classification
• Document handling and destruction
• Physical security

Port Security
• Switching security feature
• Prevents unauthorized access, ARP spoofing attacks and MAC flooding
• Limits access to a switch port by a maximum number of MAC addresses
• Violation modes:
  • Shutdown* (default): shuts the port, syslog, SNMP trap, Count 1234…
  • Restrict: port stays up, syslog, SNMP trap, Count 12345…
  • Protect: port stays up, no syslog, no SNMP trap, Count 12345…
• Aging type and aging time
• MAC address learning: manual and sticky
• Recovery interval and cause
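As an added example (written for this page, not code from the ZoomByte slides or from Cisco), the Python model below shows how the three violation modes differ once a port holds its maximum number of secure MAC addresses; the port name, MAC addresses and the syslog text are constructed sample values, and the counter behaviour follows Cisco's violation-mode table, where protect mode drops silently.

```python
"""Added example, not from the ZoomByte slides or Cisco code: a model of how
the three port-security violation modes react once a port has learned its
maximum number of secure MAC addresses. The port name, MAC addresses and the
syslog text (modelled on the IOS message) are constructed sample values."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1             # switchport port-security maximum <n>
    violation: str = "shutdown"  # shutdown (IOS default) | restrict | protect
    secure_macs: set = field(default_factory=set)   # static, dynamic or sticky
    violation_count: int = 0
    err_disabled: bool = False
    syslog: list = field(default_factory=list)
    snmp_traps: int = 0

    def add_static(self, mac: str) -> None:
        """Manually configured secure MAC (switchport port-security mac-address <mac>)."""
        self.secure_macs.add(mac.lower())

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame from src_mac; return 'forward' or 'drop'."""
        src_mac = src_mac.lower()
        if self.err_disabled:                     # shutdown mode already fired
            return "drop"
        if src_mac in self.secure_macs:           # known secure address
            return "forward"
        if len(self.secure_macs) < self.maximum:  # room left: learn it dynamically
            self.secure_macs.add(src_mac)         # (sticky only persists it to config)
            return "forward"
        # An address beyond the maximum: security violation. Per the IOS
        # violation-mode table, protect drops silently and does not count.
        if self.violation == "protect":
            return "drop"
        self.violation_count += 1
        self.syslog.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port {self.name}.")
        self.snmp_traps += 1
        if self.violation == "shutdown":
            self.err_disabled = True              # port goes err-disabled
        return "drop"

    def errdisable_recover(self) -> None:
        """What errdisable recovery cause psecure-violation does after the interval."""
        self.err_disabled = False

    def status(self) -> dict:
        """Roughly what 'show port-security interface' reports."""
        return {
            "port": self.name,
            "status": "Secure-shutdown" if self.err_disabled else "Secure-up",
            "violation_mode": self.violation,
            "maximum": self.maximum,
            "total_secure": len(self.secure_macs),
            "violation_count": self.violation_count,
        }
```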

DHCP Snooping
• Switching security feature
• Prevents unauthorized or rogue DHCP servers, MitM attacks and DHCP starvation, and limits the rate of DHCP request messages.
• Untrusted ports and trusted ports
• DORA process
• Blocks Offer and Acknowledge messages on untrusted ports
• DHCP snooping per-VLAN configuration
• DHCP snooping database

Dynamic ARP Inspection (DAI)
• Switching security feature
• Limits the rate of dynamic ARP packets
• Prevents ARP spoofing, ARP poisoning, gratuitous ARP and MitM attacks.
• Untrusted ports and trusted ports
• Port security and DHCP snooping are prerequisites
• DAI uses the DHCP snooping database information
• Static MAC addresses are permitted using an ARP ACL.
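The DHCP snooping and DAI slides above describe one mechanism feeding the other; as an added example (written for this page, not ZoomByte or Cisco code), this Python model builds the snooping binding database from a DORA exchange and then has DAI validate ARP packets against it. Port names, VLAN, MAC and IP addresses and the rate limit are constructed sample values.

```python
"""Added example, not from the ZoomByte slides or Cisco code: a simplified
model of DHCP snooping building its binding database and of Dynamic ARP
Inspection (DAI) validating ARP packets against that database. Port names,
VLAN, MAC and IP addresses are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only legitimate from trusted ports


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping database."""
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports, rate_limit: int = 15):
        self.trusted = set(trusted_ports)              # ip dhcp snooping trust
        self.rate_limit = rate_limit                   # ip dhcp snooping limit rate <pps>
        self.bindings: Dict[str, Binding] = {}         # snooping database, keyed by MAC
        self.client_port: Dict[str, Tuple[str, int]] = {}  # where each client MAC was seen
        self.arp_acl: Dict[str, str] = {}              # static MAC->IP (arp access-list)
        self.request_count: Dict[str, int] = {}        # client DHCP messages per port
        self.log: List[str] = []

    def dhcp(self, port: str, vlan: int, msg: str, chaddr: str,
             src_mac: Optional[str] = None, yiaddr: Optional[str] = None) -> str:
        """Handle one DHCP message seen on `port`; return 'forward' or 'drop'."""
        src_mac = src_mac or chaddr
        if port not in self.trusted:
            if msg in DHCP_SERVER_MSGS:                # rogue DHCP server on an access port
                return self._drop(f"{msg} from untrusted {port}")
            if src_mac != chaddr:                      # frame source MAC must match chaddr
                return self._drop(f"{msg} on {port}: chaddr {chaddr} != source {src_mac}")
            self.request_count[port] = self.request_count.get(port, 0) + 1
            if self.request_count[port] > self.rate_limit:   # starvation / flood protection
                return self._drop(f"DHCP rate limit exceeded on {port}")
            self.client_port[chaddr] = (port, vlan)    # remember the client's port
        elif msg == "ACK" and yiaddr and chaddr in self.client_port:
            cport, cvlan = self.client_port[chaddr]    # lease confirmed: record binding
            self.bindings[chaddr] = Binding(chaddr, yiaddr, cvlan, cport)
        return "forward"

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        """DAI check for an ARP packet (request, reply or gratuitous) seen on `port`."""
        if port in self.trusted:                       # ip arp inspection trust
            return "forward"
        b = self.bindings.get(sender_mac)
        if b and (b.ip, b.vlan, b.port) == (sender_ip, vlan, port):
            return "forward"                           # sender matches its DHCP lease
        if self.arp_acl.get(sender_mac) == sender_ip:  # static host permitted by ACL
            return "forward"
        return self._drop(f"ARP on {port}: {sender_mac} claims {sender_ip}, no binding")

    def add_static(self, mac: str, ip: str) -> None:
        """Static entry for a host that does not use DHCP (ARP ACL)."""
        self.arp_acl[mac] = ip

    def _drop(self, reason: str) -> str:
        self.log.append("DROP " + reason)              # what syslog / show commands would record
        return "drop"
```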

AAA Concept

AAA Server
• Authentication: who is the user?
• Authorization: what is the user allowed to do?
• Accounting: what did the user do?
Cisco devices can use the following two protocols to communicate with an AAA server:
• TACACS+: A Cisco proprietary protocol that separates each of the AAA functions; communication is secure and encrypted over TCP port 49.
• RADIUS: A standards-based protocol that combines authentication & authorization into a single resource; communication uses UDP ports 1812 & 1813. Unencrypted accounting.

AAA server …
• Network Access Server (NAS) & Network Access Device (NAD): the switch or WAP that requests authentication on behalf of the user.
• Cisco implementations use ACS and ISE.
• Authentication methods:
  Configure locally on the switch
  Use an external RADIUS server
  Use an external TACACS server

Remote-Access VPN

Site to Site VPN

Comparing wired & wireless

WLAN Topology

• Radio Frequency (RF)


• Unidirectional communication
• Bidirectional communication
• Interference in transmission

WLAN Terms

• Basic Service Set (BSS)


• Basic Service Area (BSA) or cell
• Basic Service Set Identifier (BSSID)
• Service Set Identifier (SSID)

• netsh wlan show interface

Distribution System Multiple SSID

Scaling Wireless Coverage

IBSS & Repeater

Workgroup bridge
• Universal Workgroup Bridge
• Workgroup Bridge: Cisco proprietary

Outdoor Bridge

Mesh wireless network

Radio Frequency
• Electromagnetic waves do not travel in a straight line. Instead, they travel by expanding in all directions away from the antenna.
• What is Cycle?
• Frequency unit names.

Radio Frequency

Wifi Channel
• A Wi-Fi channel is a collection of different frequencies that work together; in plain terms, a channel is a human-friendly name for a range of frequencies.
• For example, channel 1 in the 2.4 GHz band consists of 2.401 GHz through 2.423 GHz.

Non-Overlapping Channels in 2.4 GHz

Wireless Bands and channels
• One of the two main frequency ranges used for wireless LAN communication lies between 2.400 and 2.4835 GHz. This is usually called the 2.4-GHz band.
• The other wireless LAN range is usually called the 5-GHz band because it lies between 5.150 and 5.825 GHz (24 non-overlapping channels).
• The 5-GHz band consists of non-overlapping channels, but the 2.4-GHz band does not.
• Use channels 1, 6, and 11 to avoid overlaps.
• Wireless devices & APs should all be capable of operating in the same band.
• Device support means: 802.11b/g/a/n/ac
• Cisco APs support dual radios {2.4 & 5 GHz} and also multiple SSIDs.
• In open space, RF reaches farther on the 2.4-GHz band than on the 5-GHz band. Signals also tend to penetrate indoor walls and objects more easily at 2.4 GHz than at 5 GHz.

IEEE 802.11 Amendments

Autonomous vs Light-weight mode
• Autonomous mode: each AP must be configured and maintained individually and does not require a controller for management.
• Light-weight mode: each AP requires a WLC to configure, control and maintain all of the APs, which provides ease of management for the communication settings between APs.
• An AP can operate in a combined mode: when connected to a controller it is controlled by the WLC {light-weight mode}, and when disconnected it can operate in autonomous mode.
• Interface BVI = the switch virtual interface used for IP assignment, Telnet, SSH and management.

Wireless Network with Autonomous APs

Cloud-Based APs
• Cisco Prime Infrastructure sits in a central location within the enterprise or on the Internet.
• The Cisco Meraki cloud registers each device and adds the intelligence needed to automatically instruct each AP on which channel and transmit power level to use. It can also collect information from all of the APs about things such as RF interference, rogue or unexpected wireless devices that were overheard, and wireless usage statistics.
• Cisco Meraki products are not only APs; switches, routers, security appliances and more are also included.

Cloud-based AP {Meraki}

Comparing WLC deployment
• A unified or centralized WLC deployment tends to follow the concept that most of the resources users need to reach are located in a central location such as a data center or the Internet.
• A unified WLC supports up to 6000 APs.
• If more are needed, add another unified controller.

Virtual WLC
• A cloud-based WLC deployment, where the WLC exists as a virtual machine rather than a physical device.
• Supports up to 3000 APs.

Embedded WLC
This is known as an embedded WLC deployment because the controller is embedded within the switching hardware. Typical Cisco embedded WLCs can support up to 200 APs.

Mobility Express
Supports up to 100 APs.

Mobility Express

Summary of WLC Deployment Mode

WLC base AP & Split-MAC Arch
• Split-MAC architecture: the lightweight AP-WLC division of labor is known as a split-MAC architecture, where the normal MAC operations are pulled apart into two distinct locations.
• Control and Provisioning of Wireless Access Points (CAPWAP) carries control messages and data messages between the AP and the WLC.
• The AP can use one IP address for both management and tunneling. No trunk link is needed because all of the VLANs it supports are encapsulated and tunneled as Layer 3 IP packets, rather than as individual Layer 2 VLANs.

WLC Based APs

Autonomous vs LWAP

WLC-Based APs

Cisco WAP Modes
• Local Mode
  Default mode for lightweight APs (LAPs); creates a CAPWAP tunnel to the controller.
  All clients are disconnected when the CAPWAP tunnel fails, until the AP finds the next controller.
• Bridge Mode
  The WAP acts as a client and associates to a LAP (see the figure).
  Mostly used for devices that do not support wireless.
• Monitor Mode
  The Cisco WAP spends 0.2% of its resources on channel scanning.
  It allows the WAP to generate rogue alerts, signature attacks, and IPS & IDS alerts.

Cisco WAP Modes
• Sniffer Mode
  Similar to Monitor mode, but sniffs only a selected individual channel (2.4/5 GHz).
  All captured Wi-Fi traffic is sent to the controller, which can then forward it to an IPS, IDS, Wireshark, etc.
• Sensor Mode
  The WAP works as a sensor or auditor to check QoS, bandwidth, RF, channels, etc.
  It requires a WLC and Cisco DNA Center.
• Mesh Mode
  Used in environments where there is no physical connection to the DS or a switch (see the figure).
• FlexConnect Mode

WLC Activities and APs
• Dynamic channel assignment
• Transmit power optimization
• Self-healing wireless coverage
• Flexible client roaming
• Dynamic client load balancing
• RF monitoring
• Security management
• Wireless intrusion protection system

WLC Activities and APs

Authentication
• What is authentication?
• Message integrity check (MIC) is a security tool that can protect against data tampering.

WEP
• The original 802.11 standard offered only two choices to authenticate a client: open authentication and
WEP.
• Wired Equivalent Privacy: uses the RC4 cipher algorithm.
• Symmetric encryption or shared-key security.
• Keys are 40 to 104 bits long (10 to 26 hex digits).
• Considered weak encryption and not recommended today.

802.1x/EAP
• Extensible Authentication Protocol
• EAP defines a set of common functions that actual authentication methods can use to authenticate users
• It can integrate with the IEEE 802.1x port-based access control standard.

LEAP
• Lightweight EAP {LEAP}
• Cisco developed a proprietary wireless authentication method called Lightweight EAP (LEAP). It can
integrate with the IEEE 802.1x port-based access control standard.
• Both the client and the authentication server must exchange challenge messages that are then encrypted and returned {mutual authentication}.
• LEAP has been deprecated and should not be used.

EAP-FAST
• EAP - Flexible Authentication by Secure Tunneling.
• A Cisco-developed proprietary wireless authentication method.
• Authentication credentials are protected by passing a protected access credential (PAC) between the AS and the supplicant.
• The PAC is a form of shared secret that is generated by the AS and used for mutual authentication.
• EAP-FAST has three phases: Phase 0 | Phase 1 | Phase 2
• Notice that two separate authentications occur in EAP-FAST: one between the AS and the supplicant and another with the end user. These occur in a nested fashion, as an outer authentication (outside the TLS tunnel) and an inner authentication (inside the TLS tunnel).

PEAP
• Protected EAP {PEAP}
• Auth. Server presents a digital certificate to authenticate itself with the supplicant in the outer
authentication.
• Auth. Server and client build a TLS tunnel to use for the inner authentication and encryption key
exchange.
• Certificates are provided by a third-party Certification Authority (CA).
• The certificate is also used to pass a public key, in plain view, which can be used to help decrypt messages from the AS.
• The client does not have or use a certificate of its own, so it must be authenticated within the TLS tunnel using one of the following two methods:
  • MSCHAPv2: Microsoft Challenge Handshake Authentication Protocol version 2
  • GTC: Generic Token Card; a hardware device that generates one-time passwords for the user, or a manually generated password
EAP-TLS
• EAP – Transport Layer Security
• Both the authentication server and the client require a digital certificate.
• The authentication server and the supplicant exchange certificates and can authenticate each other.
• A TLS tunnel is built afterward so that encryption key material can be securely exchanged.
• Requires implementing a Public Key Infrastructure (PKI) that can supply certificates securely and efficiently and revoke them when a client or user should no longer have access to the network.
• The Certification Authority (CA) issues the digital certificates.
• The most secure wireless authentication method.

Wireless Privacy & Integrity
• Temporal Key Integrity Protocol (TKIP)
• TKIP adds the following security features using legacy hardware and the underlying WEP encryption:
  • MIC {Message Integrity Check}: adds a hash to the frame
  • Time stamp: a time stamp is added into the MIC to prevent replay attacks
  • Sender's MAC address
  • TKIP sequence counter: adds a sequence number to the frame
  • Key mixing algorithm: computes a unique 128-bit WEP key for each frame
  • Longer initialization vector (IV): makes brute-force calculation of the key harder

CCMP
• Counter/CBC-MAC Protocol {CCMP}
• More secure than TKIP, and consists of two algorithms:
  1. Advanced Encryption Standard {AES} counter mode encryption
  2. Cipher Block Chaining Message Authentication Code {CBC-MAC} used as a MIC
• AES is open, publicly accessible, and represents the most secure encryption method available today.
• Devices should be checked for AES support before applying CCMP.

GCMP
• Galois/Counter Mode Protocol {GCMP}
• A robust authenticated encryption suite that is more secure and more efficient than CCMP.
• GCMP consists of two algorithms:
  1. AES counter mode encryption
  2. Galois Message Authentication Code used as a MIC
• GCMP is used in WPA3.

Wi-Fi Protected Access (WPA)
• Wi-Fi Alliance, a nonprofit wireless industry association, has worked out straightforward ways to do that
through its Wi-Fi Protected Access (WPA) industry certifications. To date, there are three different versions:
WPA, WPA2, and WPA3.
• The Wi-Fi Alliance first generation WPA certification was based on parts of 802.11i and included 802.1x
authentication, TKIP, and a method for dynamic encryption key management.
• Wi-Fi Alliance (WPA2) certification is based around the superior AES CCMP algorithms. It should be obvious
that WPA2 was meant as a replacement for WPA.
• In 2018, the Wi-Fi Alliance introduced (WPA3) as a future replacement for WPA2. WPA3 leverages stronger
encryption by AES with the (GCMP). It also uses Protected Management Frames (PMF) to secure important
802.11 management frames between APs and clients, to prevent malicious activity that might spoof or
tamper with a BSS’s operation.

WPA , WPA2 , WPA3 Summarization
• Each successive version is meant to replace prior versions by offering better security features. You
should avoid using WPA and use WPA2 instead—at least until WPA3 becomes widely available on
wireless client devices, APs, and WLCs.

Personal Mode and Enterprise mode
• WPA versions support two client authentication modes: a pre-shared key (PSK) or 802.1x, based on the scale
of the deployment.
• With personal mode, a key string must be shared or configured on every client and AP before the clients can
connect to the wireless network.
• Clients and APs work through a four-way handshake procedure that uses the pre-shared key string to
construct and exchange encryption key material that can be openly exchanged. Once that process is
successful, the AP can authenticate the client and the two can secure data frames that are sent over the air.
• With WPA-Personal and WPA2-Personal modes, a malicious user can eavesdrop and capture the four-way
handshake between a client and an AP. That user can then use a dictionary attack to automate guessing the
pre-shared key. If he is successful, he can then decrypt the wireless data or even join the network posing as a
legitimate user.
• WPA3-Personal avoids such an attack by strengthening the key exchange between clients and APs through a
method known as Simultaneous Authentication of Equals (SAE). Rather than a client authenticating against a
server or AP, the client and AP can initiate the authentication process equally and even simultaneously.
• Even if a password or key is compromised, WPA3-Personal offers forward secrecy, which prevents attackers from being able to use that key to decrypt data that has already been transmitted over the air.
Using WLC Ports
• Service port: Used for out-of-band management, system recovery, and initial boot functions; always
connects to a switch port in access mode
• Distribution system port: Used for all normal AP and management traffic; usually connects to a switch port
in 802.1Q trunk mode
• Console port: Used for out-of-band management, system recovery, and initial boot functions; asynchronous
connection to a terminal emulator
• Redundancy port: Used to connect to a peer controller for high availability (HA) operation

Using WLC Ports

Using WLC Ports

Using WLC Interfaces
• Management interface: Used for normal management traffic, such as RADIUS user authentication, WLC-to-
WLC communication, web-based and SSH sessions, SNMP, (NTP), syslog, and so on. The management
interface is also used to terminate CAPWAP tunnels between the controller and its APs.
• Redundancy management: The management IP address of a redundant WLC that is part of a high availability
pair of controllers. The active WLC uses the management interface address, while the standby WLC uses the
redundancy management address.
• Virtual interface: IP address facing wireless clients when the controller is relaying client DHCP requests,
performing client web authentication, and supporting client mobility.
• Service port interface: Bound to the service port and used for out-of-band management.
• Dynamic interface: Used to connect a VLAN to a WLAN.

Using WLC interfaces

Configuring WLC

Control, Data and Management Planes

Data plane
• Actions taken by the data plane include the following:
• Layer 2 and Layer 3 de-encapsulation/encapsulation
• Addition or removal of an 802.1Q trunking header
• MAC address table lookups
• IP routing table lookups
• Data encryption and addition of a new IP header (as in VPNs)
• Change to the source or destination IP address (with NAT)
• Message discard due to a filter (such as an ACL or port security)

Control plane
• The following are the most common control plane protocols:
▪ Routing protocols (OSPF, EIGRP, RIP, BGP)
▪ IPv4 ARP
▪ IPv6 NDP
▪ Switch MAC learning & building MAC table
▪ STP

Management Plane
• CLI
• Console
• SNMP
• Cisco configuration professional (CCP)
• Rest-API
• SSH
• Telnet
• GUI
• NET-Flow

Software Defined-Networking (SDN)

SDN architecture

SDN introduction
• SDN is the general term for any approach in which the control plane moves to a central position.
• Cisco's SDN solution is ACI, and the ACI component that performs the network controller task is called the APIC.
• Cisco sells the APIC, which is part of ACI, as hardware and software.
• A northbound interface (NBI) also exists between the SDN controller and the applications that are installed on the controller. These applications are what enable network programmability.
• The controller sits at the top of a network topology diagram, and the connections to the networking devices are called the southbound interface (SBI).

When you request something from the SDN controller using Python, the request is an HTTP GET in the REST API and the response comes back in JSON.
SDN OpenDayLight
• OpenDaylight is an open source SDN controller / framework, hosted by the Linux Foundation. It’s
one of the more popular (open source) SDN controllers at the moment.
• One of the southbound interface protocols it supports is OpenFlow. To test OpenDaylight, we’ll
need some switches that support OpenFlow.
• You could buy some hardware that supports OpenFlow but a great alternative is Mininet.
• Mininet allows you to run a virtual network on your own computer with devices that support
OpenFlow.
• The Open Networking Foundation (ONF) defines the model, OpenDaylight is the controller, and OpenFlow is the protocol.

Controllers Comparison
• OpenFlow: this is probably the most popular SBI at the moment, it’s an open-source protocol
from the ONF. There are quite a few network devices and SDN controllers that support OpenFlow.

• Cisco OpFlex: this is Cisco's answer to OpenFlow. It's also an open-source protocol which has been submitted to the IETF for standardization.

• CLI: Cisco offers APIC-EM which is an SDN solution for the current generation of routers and
switches. It uses protocols that are available on current generation hardware like telnet, SSH, and
SNMP.

Controllers Comparison

Software Define-Access
• SD Access provides a network-wide fabric, which can be used for end-to-end segmentation based on policies you create.
• The design of the fabric, the creation of these policies and the monitoring of the SD Access components are done through DNA Center. SD Access is a network-wide solution, which is managed and monitored through DNA Center.
• Cisco DNA Center is the controller of SDA.
• SDA uses: SGT, TrustSec, MACsec, ISE, VXLAN, LISP

DNA Center
• DNA is the management plane, and SDA is the underlying technology to deliver a specific feature set.
• Cisco DNA Center has two roles:
▪ A controller in a network that uses Cisco SDA
▪ A network management platform for traditional (non-SDA) network devices
• Cisco DNA Center supports several SBI APIs so that the controller can communicate with the devices it
manages:
▪ Telnet, SSH, and SNMP to support traditional networking devices
▪ NETCONF and RESTCONF to support newer devices

DNA Center cont…
• Supports the expression of intent for multiple use cases, including basic automation capabilities,
fabric provisioning, and policy-based segmentation (SGTs) in the enterprise network.
• Cisco DNA Center is a network management and command center for provisioning and
configuring network devices. It is a hardware and software platform that provides a “single pane
of glass”(also called a dashboard) that focuses on assurance, analytics, and automation.

Cisco DNA Center
• Design
• Policy
• Provision
• Assurance
• Platform
Some of the features unique to Cisco DNA Center include the following:
• Easy QoS
• Encrypted Traffic Analysis
• Network Time Travel
• Path Trace
• Data Formats
• Ansible
• Puppet
• Chef

Data Format
• Data formats provide a way to store and exchange data in a structured format. These are some
common data formats used in network automation and programmability:
• JavaScript Object Notation (JSON)
• Extensible Markup Language (XML)
• YAML Ain’t Markup Language (YAML)

JSON Data Format
• JSON is a human-readable data format used by applications for storing, transferring, and reading data. It is easy to parse and can be used with most modern programming languages, including Python.

JSON Syntax Rules
• JSON data is a collection of key:value pairs that follow these rules:
  • Key:value pair: One key:value pair
  • Key: Text inside double quotes and before the colon that is used as the name that references a value
  • Value: The item after the colon that represents the value of the key, which can be:
    • Text: Listed in double quotes
    • Numeric: Listed without quotes
    • Array: A list of values enclosed in square brackets [ ]
    • Object: One or more key:value pairs enclosed in braces { }
  • Multiple pairs: When listing multiple key:value pairs, separate the pairs with a comma at the end of each pair (except the last one)

RESTful APIs
• APIs exist to allow two programs to exchange data. Some APIs are for inter-program
communications within a single operating system (OS). Other APIs are available to programs that
run on other computers. These APIs must define the networking protocol. Many are based on REST.
• REST is an architectural style for designing web service applications. A REST API is an API that works
on top of the HTTP protocol. It defines a set of functions developers can use to perform requests
and receive responses through HTTP, such as GET and POST. An API can be considered RESTful if it
has the following features:
• Client/server: The client handles the front end, and the server handles the back end. Either can be
replaced independently of the other.
• Stateless: No client data is stored on the server between requests. The session state is stored on
the client.
• Cacheable: Clients can cache responses to improve performance.
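As an added example (written for this page, not code from the ZoomByte slides or from any Cisco product), the Python program below serves a tiny RESTful "devices" API on the local machine with the standard library and drives it with a client, so the REST properties above and the JSON value types from the syntax rules can be seen in one exchange. The resource name, the device records and the addresses are constructed sample values.

```python
"""Added example, not from the ZoomByte slides or Cisco code: a tiny RESTful
"devices" API served locally with Python's standard library, and a client that
drives the CRUD operations (POST/GET/PUT/DELETE) with JSON bodies. Resource
name, device records and addresses are constructed sample values."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Server-side store. The record shows the JSON value types from the syntax
# rules: quoted text, a bare number, an array in [ ] and a nested object in { }.
DEVICES = {
    "sw1": {"hostname": "sw1", "mgmtIp": "192.0.2.10", "ports": 24,
            "vlans": [10, 20], "location": {"site": "HQ", "floor": 1}},
}
LOCK = threading.Lock()


class DeviceHandler(BaseHTTPRequestHandler):
    # Stateless: every request carries all the server needs (a REST property).
    def _reply(self, code, body=None):
        payload = json.dumps(body).encode() if body is not None else b""
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def _device_name(self):                  # /devices/<name> -> <name>
        parts = self.path.strip("/").split("/")
        return parts[1] if len(parts) == 2 and parts[0] == "devices" else None

    def _json_body(self):
        length = int(self.headers.get("Content-Length", 0))
        return json.loads(self.rfile.read(length)) if length else None

    def do_GET(self):                        # Read
        with LOCK:
            if self.path == "/devices":
                return self._reply(200, list(DEVICES.values()))
            dev = DEVICES.get(self._device_name())
        self._reply(200, dev) if dev else self._reply(404, {"error": "not found"})

    def do_POST(self):                       # Create
        dev = self._json_body()
        with LOCK:
            if not dev or "hostname" not in dev or dev["hostname"] in DEVICES:
                return self._reply(400, {"error": "missing or duplicate hostname"})
            DEVICES[dev["hostname"]] = dev
        self._reply(201, dev)

    def do_PUT(self):                        # Update (merge the supplied fields)
        name, dev = self._device_name(), self._json_body()
        with LOCK:
            if name not in DEVICES:
                return self._reply(404, {"error": "not found"})
            DEVICES[name] = {**DEVICES[name], **(dev or {})}
            self._reply(200, DEVICES[name])

    def do_DELETE(self):                     # Delete
        with LOCK:
            removed = DEVICES.pop(self._device_name(), None)
        self._reply(204) if removed else self._reply(404, {"error": "not found"})

    def log_message(self, *args):            # silence per-request logging
        pass


def start_server():
    """Serve the API on an ephemeral loopback port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), DeviceHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def call(base_url, method, path, body=None):
    """Send one REST request; return (HTTP status code, decoded JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = Request(base_url + path, data=data, method=method,
                  headers={"Content-Type": "application/json"})
    try:
        with urlopen(req, timeout=5) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except HTTPError as err:                 # 4xx responses still carry a JSON body
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)
```

A full CRUD round trip is `call(base, "POST", "/devices", {...})`, then GET, PUT and DELETE on `/devices/<hostname>`, with `start_server()` called first and `server.shutdown()` at the end.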

CRUD

RESTful API Requests
• A RESTful API is requested by using a URI, which is a string of characters that identifies a specific
network resource. URI has two specializations:
• Uniform resource name (URN): Identifies only the namespace of the resource without reference to
the protocol.
• Uniform resource locator (URL): Defines the network location of a specific resource on the
network.

Comparison of Ansible , Puppet & Chef

Prepare for exam
• Complete CCNA 200-301 Class
• Complete & Practice All Technologies
• Study the CCNA Cert. Guide for more
• Focus on knowledge gaps
• Study & Practice Passing online toolkit
• Set a date and be committed
• You feel good when passing exam
• Don’t stop at CCNA, go ahead
• Think positives!

Thank you!