CCNA 1 v6.0 Study Material – Chapter 11: Build a Small Network

CCNA 1 v6.0 Study Material – Chapter 11: Build a Small Network
4 (5) votes

Chapter 11 – Sections & Objectives

  • 11.1 Network Design
    • Identify the devices used in a small network.
    • Identify the protocols used in a small network.
    • Explain how a small network serves as the basis of larger networks.
  • 11.2 Network Security
    • Explain why security measures are necessary on network devices.
    • Identify security vulnerabilities.
    • Identify general mitigation techniques.
    • Configure network devices with device hardening features to mitigate security threats.
    • Apply the commands to back up and restore an IOS configuration file.
  • 11.3 Basic Network Performance
    • Use the output of the ping command to establish relative network performance.
    • Use the output of the tracert command to establish relative network performance.
    • Use show commands to verify the configuration and status of network devices.
    • Use host and IOS commands to acquire information about network devices.
  • 11.4 Network Troubleshooting
    • Apply troubleshooting methodologies to resolve problems
    • Troubleshoot interface and cable issues
    • Troubleshoot client connectivity issues involving DNS

11.1 Network Design

Network Design Devices in a Small Network

    • Small Network Topologies
      • Comprises one router, a couple of switches, and the user PCs.
      • Access to Internet through a single WAN link, cable or DSL.
      • Management usually by a third party company.

    • Device Selection for a Small Network
      • Security, QoS, VoIP, L3 switching, NAT, and DHCP

    • IP Addressing for a Small Network
      • Address space is a crucial component of a network design.
      • All devices connected to the network require an address.
      • The address scheme must be planned, documented, and maintained.
      • Address space documentation can be very useful for:
      • Troubleshooting and control
      • Address documentation is also very important when controlling resource access.

  • Redundancy in a Small Network
    • A network should reliable by design.
    • Network failures are usually very costly.
    • Redundancy increases reliability by eliminating single points of failure.
    • Network redundancy can be achieved by duplicating network equipment and links.
    • A good example is a network’s link to the Internet or to a server farm.

  • Traffic Management
    • Traffic type and patterns are should also be considered when designing a network.
    • A good network design categorizes traffic according to priority.

Small Network Applications and Protocols

    • Common Applications
      • Network Applications
        • Used to communicate over the network.
        • Email clients and web browsers are examples of this type of application.
      • Application Layer Services
        • Programs that interface with the network and prepare the data for transfer.
        • Each service uses protocols, which define the standards and data formats to be used.
    • Common Protocols
      • Processes on either end of a communication session
      • How messages are sent and the expected response
      • Types and syntax of messages
      • Meaning of informational fields
      • Interaction with the next lower layer
    • Voice and Video Applications
      • Infrastructure
      • VoIP
      • IP Telephony
      • Real-time Applications

Scale to Larger Networks

    • Small Network Growth
      • To scale a network, several elements are required:
        • Network documentation
        • Device inventory
        • Budget
        • Traffic analysis

    • Protocol Analysis
      • Understand the protocols in use in the network.
      • Protocol analyzers are tools designed to help in that task.
      • Capture traffic in high-utilization times and in different locations of the network.
      • Analysis results allow for more efficient way to manage traffic.

  • Employee Network Utilization
    • Be aware of how network use is changing.
    • A network administrator can create in-person IT snapshots” of employee application utilization.

11.2 Network Security

Security Threats and Vulnerabilities

  • Types of Threats
    • Digital intrusion can be costly.
    • Intruders can gain access through software vulnerabilities, hardware attacks, or stolen credentials.
    • Common types of digital threats include those listed in this graphic.
  • Physical Security
    • Hardware
    • Environmental
    • Electrical
    • Maintenance
  • Types of Vulnerabilities
    • Three primary vulnerabilities: technological, configuration, and security policy
    • Endpoints can be under attack ,such as servers and desktop computers.
    • Any of these three vulnerabilities can be exploited and used in attacks.

Network Attacks

    • Types of Malware
      • Viruses
      • Worms
      • Trojan Horses

    • Reconnaissance Attacks
      • Discovery and mapping of systems and services
      • Acquire enough information on the target system or network to facilitate the search for vulnerabilities.
      • Common tools rely mostly on free and public Internet services, such as DNS and Whois.
      • Port-scanners and packet sniffers are also commonly used in reconnaissance.
    • Access Attacks
      • Password Attacks
      • Trust Exploitation
      • Port Redirection
      • Man-in-the-Middle

    • Denial of Service Attacks
      • Although simple, DoS attacks are still dangerous.
      • Prevent authorized people from using a service by consuming system resources.
      • Prevent DoS attacks by applying the latest security updates.
      • Common DoS Attacks:
        • Ping of Death
        • SYN Flood
        • DDoS
        • Smurf Attack

Network Attack Mitigation

  • Backup, Upgrade, Update, and Patch
    • Keeping up-to-date with the latest developments
    • Enterprises need to keep current with the latest versions of antivirus software.
    • Patches for all known vulnerabilities must be applied.
    • A central patch server for managing a large number of servers and systems.
    • Patches should be installed without user intervention.
  • Authentication, Authorization, and Accounting
    • AAA services provide access control on a network device.
      • Authentication – access a resource
      • Authorization – what they can do
      • Accounting – actions performed while accessing the resource
    • The AAA framework can be very helpful when mitigating network attacks.
  • Firewalls
    • A firewall controls the traffic and helps prevent unauthorized access
    • Techniques for determining what is permitted or denied access to a network include:
      • Packet filtering
      • Application filtering
      • URL filtering
      • Stateful packet inspection (SPI)
  • Endpoint Security
    • Common endpoints are laptops, desktops, servers, smartphones, and tablets.
    • Securing endpoint devices is challenging.
    • Employees need to be trained on proper use of the network.
    • Policies often include the use of antivirus software and host intrusion prevention.
    • More comprehensive endpoint security solutions rely on network access control.

Device Security

  • Device Security Overview
    • Default settings are dangerous because they are well-known.
    • Cisco routers have the Cisco AutoSecure feature.
    • In addition, the following apply for most systems:
      • Change default usernames and passwords immediately
      • Restrict access to system resources to authorized individuals only.
      • Turn off unnecessary services.
      • Update any software and install any security patches prior to production operation.
  • Passwords
    • Use strong passwords. A strong password has/is:
      • At least 8 characters, preferably 10 or more
      • A mix of uppercase and lowercase letters, numbers, symbols, and spaces.
      • No repetition, no common dictionary words, no letter or number sequences, no usernames, relative, or pet names, and no other easily identifiable pieces of information
      • Misspelled words
      • Changed often
    • Cisco routers support the use of a phrase made of many words, which is called a passphrase.
  • Basic Security Practices
    • Strong passwords are only as useful as they are secret.
    • The service password-encryption command encrypts the passwords in the configuration.
    • The security passwords min-length command ensures all configured passwords have a minimum specified length.
    • Blocking several consecutive login attempts helps minimize password brute-force attacks.
    • login block-for 120 attempts 3 within 60 will block login attempts for 120 seconds if there are three failed login attempts within 60 seconds.
    • exec timeout automatically disconnect idle users on a line
  • Enable SSH
    • Telnet is not secure.
    • It is highly recommended to use SSH for remote shell protocol.
    • To configure a Cisco device to support SSH takes four steps:
      • Step 1. Ensure that the router has a unique hostname and a IP domain name.
      • Step 2. Generate the SSH keys.
      • Step 3. Create a local username.
      • Step 4. Enable vty inbound SSH sessions.
    • The router can now be remotely accessed only by using SSH.

11.3 Basic Network Performance

The ping Command

  • Interpreting Ping Results
    • Using the ping command is an effective way to test connectivity.
    • Use the Internet Control Message Protocol (ICMP) to verify Layer 3 connectivity.
    • Help to identify the source of the problem.
    • What do these common ping indicators tell you?
      – !  . U
    • Extended Ping
      – Allows for more options
  • Network Baseline
    • Built over a period of time.
    • Saved results from commands, such as ping or trace, along with error messages an response times
    • Time stamped for later comparison.
    • Increased response time could indicate latency issue.

The traceroute and tracert Command

  • Interpreting Trace Message
    • Returns a list of hops as a packet is routed through a network.
    • Use tracert for Windows-based systems.
    • Use traceroute for Cisco IOS and UNIX-based systems.
  • Extended Traceroute
    • Allows adjustment of parameters
    • Command terminates when:
      • Destination responds with an ICMP echo reply
      • User interrupts the trace with the escape sequence

Show Commands

    • The Cisco IOS CLI show commands are powerful troubleshoot tools.
    • The show commands display configuration files, checking the status of device interfaces and processes, and verifying the device operational status.
    • The status of nearly every process or function of the router can be displayed using a show command.
    • Some of the more popular show commands are:
      • show running-config
      • show interfaces
      • show arp
      • show ip route
      • show protocols
      • show version

Host and IOS Commands

    • The ipconfig Command
      • Display IP and default gateway information on a Windows-based computer.
      • What do these commands display?
        • ipconfig /all
        • ipconfig /displaydns
    • The arp Command
      • The arp –a command lists all devices currently in the ARP cache of the host.
      • The cache can be cleared by using the arp -d command.

    • The show cdp neighbors Command
      • CDP is a Cisco-proprietary protocol that runs at the data link layer.
      • Two or more Cisco network devices can learn about each other even if Layer 3 connectivity does not exist.
      • CDP can be a security risk.
      • To disable CDP globally, use the global configuration command no cdp run.
      • To disable CDP on an interface, use the interface command no cdp enable.
      • What information does the cdp neighbors details command provide?
    • The show ip interface brief Command
      • Displays a summary of the key information for all the network interfaces on a router.
      • Verify the status of the switch interfaces.

Debugging

  • The debug Command
    • Allows the administrator to display
      messages generated by the following
      processes in real-time for analysis:

      • IOS processes
      • Protocols
      • Mechanisms
      • Events
    • undebug all turns off all debug commands
    • What are the available debug commands?
    • What can you do to limit the amount of displayed messages?
  • The terminal monitor Command
    • Displays the log messages while connected remotely, such as SSH
    • Stop displaying the log message: terminal no monitor

11.4 Network Troubleshooting

Troubleshooting Methodologies

  • Basic Troubleshooting Approaches
    • Identify the Problem
    • Establish a Theory of Probable Causes
    • Test the Theory to Determine Cause
    • Establish a Plan of Action to Resolve the Problem and Implement the Solution
    • Verify Full System Functionality and Implement Preventative Measures
    • Document Findings, Actions, and Outcomes
    • Resolve or Escalate?
  • Verify and Monitor Solution
  • What IOS commands can you use to verify and monitor the solution?

Troubleshoot Cables and Interfaces

  • Duplex Operation
    • Direction of data transmission between two devices
    • Two connected Ethernet network interfaces should operate in the same duplex mode for best performance
  • Duplex Mismatch
    • Log messages can indicate duplex mismatches.
    • What IOS commands can you use to determine duplex mismatch?

Troubleshooting Scenarios

  • IP Addressing Issues on IOS Devices
    • Manual assignment mistakes
    • DHCP-related issues
    • Which show commands?
  • IP Addressing Issues on End Devices
    • 169.254.0.0/16 on Windows-based system
    • ipconfig to verify IP addresses assigned to a Windows-based system
  • Default Gateway Issues
    • Unable to communicate outside the network
    • ipconfig to verify default gateway assigned to a Windows-based system
  • Troubleshooting DNS Issues
    • ipconfig /all to determine DNS server used
    • nslookup to manually place DNS queries and analyze DNS response

11.5 Chapter Summary

Summary

  • Explain how a small network can scale into a larger network.
  • Configure switches and routers with device hardening features to enhance security.
  • Use common show commands and utilities to establish a relative performance baseline for the network.
  • Apply troubleshooting methodologies and command host and IOS commands to resolve problems.
  • Explain how a small network of directly connected segments is created, configured, and verifies.

Section 11.2 New Terms and Commands

  • Application Filtering
  • Authentication, Authorization, and Accounting (AAA)
  • auto secure (command)
  • exec timeout (command)
  • crypto key generate rsa general-keys modulus modulus-size (command)
  • endpoint security
  • ip domain-name domain-name (command)
  • login block-for 120 attempts 3 within 60 (command)

  • Packet Filtering
  • passphrase
  • Personal firewalls
  • security passwords min-length (command)
  • Stateful Packet Inspection (SPI)
  • service password-encryption (command)
  • transport input ssh
  • URL Filtering

Section 11.3 New Terms and Commands

  • ! . U
  • Address Resolution Protocol (ARP)
  • exec timeout (command)
  • crypto key generate rsa general-keys modulus modulus-size (command)
  • ip domain-name domain-name (command)
  • ipconfig (host command)
  • login block-for 120 attempts 3 within 60 (command)
  • loopback address 127.0.0.1
  • ping (command)

  • security passwords min-length (command)
  • service password-encryption (command)
  • show cdp neighbors (IOS command)
  • show ip interface brief  (IOS command)
  • tracert (host command)
  • traceroute (IOS command)
  • transport input ssh

Download Slide PowerPoint (pptx):


Related Articles


Leave a Reply

avatar